Skip to content

ci: move CodeQL to advanced setup, analyses gated on relevant changes#498

Draft
samuelburnham wants to merge 1 commit into
mainfrom
sb/codeql-warp
Draft

ci: move CodeQL to advanced setup, analyses gated on relevant changes#498
samuelburnham wants to merge 1 commit into
mainfrom
sb/codeql-warp

Conversation

@samuelburnham

Copy link
Copy Markdown
Member

Replace default-setup CodeQL with an advanced-setup workflow with the same triggers (main pushes + PRs) and languages (rust + actions), but each analysis now runs only when its inputs changed, via a dorny/paths-filter gate:

  • rust (the ~16 min analysis) runs on *.rs, Cargo manifest/lock, rust-toolchain.toml, or workflow-file changes — most pushes in this Lean-dominant repo touch none of them. It also moves to warp-ubuntu-latest-x64-8x with dependency caching, off default setup's stock 4-core runner.
  • actions runs on workflow or composite-action YAML changes.

The gates are job-level ifs rather than workflow-level on.paths (or a dynamically-built matrix): a required check that never triggers sticks at "Expected", while a skipped job satisfies it.

Default setup must be disabled in the repo's Code security settings before merging, or the workflow's SARIF uploads are rejected.

Replace default-setup CodeQL with an advanced-setup workflow with the
same triggers (main pushes + PRs) and languages (rust + actions), but
each analysis now runs only when its inputs changed, via a
dorny/paths-filter gate:

- rust (the ~16 min analysis) runs on *.rs, Cargo manifest/lock,
  rust-toolchain.toml, or workflow-file changes — most pushes in this
  Lean-dominant repo touch none of them. It also moves to
  warp-ubuntu-latest-x64-8x with dependency caching, off default
  setup's stock 4-core runner.
- actions runs on workflow or composite-action YAML changes.

The gates are job-level ifs rather than workflow-level on.paths (or a
dynamically-built matrix): a required check that never triggers sticks
at "Expected", while a skipped job satisfies it.

Default setup must be disabled in the repo's Code security settings
before merging, or the workflow's SARIF uploads are rejected.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant