Switch to CodeQL "advanced" setup so it can run on all PRs #2194
+107 −0
Fixes #2193
See the individual commits for details, and #2193 for rationale.
This intentionally does not make or recommend that the CodeQL checks be made blocking for PR auto-merge, just as we have deliberately not blocked PRs on the dynamic CodeQL checks from the default setup. (We may of course sometimes wait to see what the outcome is before merging a PR about which there is concern, or which is substantial in ways relevant to something we hope CodeQL to check.)
Testing: I've tested this in EliahKagan#107, and temporarily on the main branch of my fork (since rewound). Of course, that doesn't test it with a PR originating from outside of my fork. I'll revisit this configuration later to verify that it is working properly with such PRs.
Outscoped: I think we should enable more CodeQL queries such as extended queries, and possibly also make it so forks whose operators want to run CodeQL within the fork can use this configuration rather than overriding it while still changing what queries are run, such as by adjusting a per-repo variable. But this PR deliberately does not include any of that. To be clear, the CodeQL configuration introduced here does scan with all the queries that were in use previously in this upstream repository (just not all the ones I had been testing out in my fork).
This is a draft while I wait for the CodeQL checks in this PR itself to complete. Done.