Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add actions analysis to code scanning #2725

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add actions analysis to code scanning #2725

wants to merge 1 commit into from
+26 −2

Conversation

aeisenberg
Copy link
Contributor

This enables the new actions analysis queries for this repository.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Confirm the readme has been updated if necessary.
  • Confirm the changelog has been updated if necessary.

@Copilot Copilot bot review requested due to automatic review settings January 24, 2025 21:07
@aeisenberg aeisenberg requested a review from a team as a code owner January 24, 2025 21:07
Copilot
Copilot AI reviewed Jan 24, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more

.github/workflows/codeql.yml Outdated Show resolved Hide resolved
@aeisenberg aeisenberg changed the title Add actions analysis to code scannign Add actions analysis to code scanning Jan 24, 2025
@aeisenberg aeisenberg force-pushed the aeisenberg/enable-actions-analysis branch from 09c5825 to 80fe55a Compare January 24, 2025 21:16
@aeisenberg aeisenberg force-pushed the aeisenberg/enable-actions-analysis branch from 80fe55a to 7a4427f Compare January 24, 2025 22:22
@angelapwen
Copy link
Contributor

angelapwen commented Jan 24, 2025
edited
Loading

I'm actually a little confused by this workflow file but I think we actually need to add the matrixed language variable in the 2nd build job rather than the first check-codeql-versions job:

codeql-action/.github/workflows/codeql.yml

Line 93 in e7c0c9d

languages: javascript
and maybe

codeql-action/.github/workflows/codeql.yml

Line 102 in e7c0c9d

category: "/language:javascript"
to update the category?

We can see that currently the build job only runs with javascript: https://github.com/github/codeql-action/actions/runs/12958590934/job/36149344474

I'm not sure we care about the languages specified in check-codeql-versions job but maybe it doesn't hurt to include both actions and javascript there too.

@aeisenberg
Copy link
Contributor Author

Hmmm...I think you're right. I was just being lazy, making changes, and hoping it would work out. I should be thinking deeper about this.

It might just be easier to create a separate job for the actions run. I don't think we need to matrix it over multiple OSes.

@aeisenberg
Add actions analysis to code scannign
de4457e 
Create a new job to run actions since we don't need to
matrix the runs across multiple OSes.
@aeisenberg aeisenberg force-pushed the aeisenberg/enable-actions-analysis branch from 7a4427f to de4457e Compare January 24, 2025 23:14
@github-advanced-security
Copy link
Contributor

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@aeisenberg
Copy link
Contributor Author

Seems like it worked!

angelapwen
angelapwen reviewed Jan 24, 2025
View reviewed changes
.github/workflows/codeql.yml


analyze-actions:
runs-on: ubuntu-latest
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we also want this job to depend on check-codeql-versions? I guess it's not necessary, as long as one of them depends on it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking that we don't need it.

This workflow is matrixed on multiple versions of CodeQL mainly as an integration test. Since we're using the different versions for analyzing JavaScript, I was thinking that we don't need to do the same for actios. Though, if you can think of a reason, we can change this.

@aeisenberg
Copy link
Contributor Author

I changed the name of the job from build to analyze. So, there are still 12 expected checks. If we want to get this through, then I'll update the required jobs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@angelapwen angelapwen angelapwen left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aeisenberg @angelapwen