Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,9 @@
# dependencies.
# cspell:ignore SARIF autofixers pipefail pyproject Pipfile noninteractive sarif venv mapfile

name: "CodeQL Advanced"

Check warning on line 29 in .github/workflows/codeql.yml

View workflow job for this annotation

GitHub Actions / Validate Copilot setup files & linters

29:1 [document-start] missing document start "---"

Check warning on line 29 in .github/workflows/codeql.yml

View workflow job for this annotation

GitHub Actions / Validate Copilot setup files & linters

29:1 [document-start] missing document start "---"

on:

Check warning on line 31 in .github/workflows/codeql.yml

View workflow job for this annotation

GitHub Actions / Validate Copilot setup files & linters

31:1 [truthy] truthy value should be one of [false, true]

Check warning on line 31 in .github/workflows/codeql.yml

View workflow job for this annotation

GitHub Actions / Validate Copilot setup files & linters

31:1 [truthy] truthy value should be one of [false, true]
push:
branches: ["main"]
paths-ignore:
Expand Down Expand Up @@ -123,7 +123,7 @@
git fetch --no-tags --depth=1 origin "$BASE_REF" || true
files=$(git diff --name-only "origin/$BASE_REF...HEAD" || true)
echo "::debug::Files changed in PR: $files"
if echo "$files" | grep -E -q '(^|/)(package.json|package-lock.json|yarn.lock|pyproject.toml|requirements(\.txt)?|Pipfile|setup\.py|poetry.lock|go.mod|Gemfile|pom.xml)'; then

Check warning on line 126 in .github/workflows/codeql.yml

View workflow job for this annotation

GitHub Actions / Validate Copilot setup files & linters

126:141 [line-length] line too long (184 > 140 characters)

Check warning on line 126 in .github/workflows/codeql.yml

View workflow job for this annotation

GitHub Actions / Validate Copilot setup files & linters

126:141 [line-length] line too long (184 > 140 characters)
echo "changed=true" >> "$GITHUB_OUTPUT"
else
echo "changed=false" >> "$GITHUB_OUTPUT"
Expand Down Expand Up @@ -469,7 +469,7 @@
continue-on-error: true
run: |
set -euo pipefail
mapfile -t files < <(git ls-files -- '*.c' '*.cc' '*.cpp' '*.cxx' '*.h' '*.hh' '*.hpp' '*.hxx' ':(exclude).github/workflows/**' 2>/dev/null || true)

Check warning on line 472 in .github/workflows/codeql.yml

View workflow job for this annotation

GitHub Actions / Validate Copilot setup files & linters

472:141 [line-length] line too long (158 > 140 characters)

Check warning on line 472 in .github/workflows/codeql.yml

View workflow job for this annotation

GitHub Actions / Validate Copilot setup files & linters

472:141 [line-length] line too long (158 > 140 characters)
if [ "${#files[@]}" -gt 0 ]; then
clang-format -i --style=file --fallback-style=LLVM "${files[@]}" || true
else
Expand All @@ -492,6 +492,7 @@
if: steps.diff.outputs.changed == 'true' && github.event_name == 'pull_request' && steps.ref.outputs.can_push == 'true'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PUSH_REF: ${{ steps.ref.outputs.push_ref }}
run: |
set -euo pipefail
git config user.name "github-actions[bot]"
Expand Down Expand Up @@ -590,7 +591,7 @@
- `eslint --fix` (if configured in the repository)
- `clang-format -i --style=file` (when C/C++ files are present)

Triggered by: `${{ github.event_name }}` on `${{ github.ref }}` (run [#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})).

Check warning on line 594 in .github/workflows/codeql.yml

View workflow job for this annotation

GitHub Actions / Validate Copilot setup files & linters

594:141 [line-length] line too long (191 > 140 characters)

Check warning on line 594 in .github/workflows/codeql.yml

View workflow job for this annotation

GitHub Actions / Validate Copilot setup files & linters

594:141 [line-length] line too long (191 > 140 characters)
labels: |
automated
autofix
Expand Down
19 changes: 19 additions & 0 deletions tests/test_codeql_workflow_paths_ignore.py
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,25 @@ def test_codeql_autofix_ref_step_avoids_unbound_shell_vars() -> None:
assert 'echo "can_push=$can_push_value"' not in content


@pytest.mark.unit
def test_codeql_autofix_uses_sha_for_checkout_and_branch_for_push() -> None:
"""Verify the autofix job uses SHA for checkout (resilient to branch deletion)
and a separate push_ref for the git push step (uses branch name)."""
workflow_path = Path(__file__).resolve().parents[1] / ".github" / "workflows" / "codeql.yml"
content = workflow_path.read_text(encoding="utf-8")

# The "Determine checkout ref" step must expose PR_HEAD_SHA for checkout
assert "PR_HEAD_SHA" in content, "PR_HEAD_SHA env var must be set in the ref step"
assert 'echo "ref=$PR_HEAD_SHA"' in content, "checkout ref must use SHA, not branch name"
assert 'echo "push_ref=$PR_HEAD_REF"' in content, "push_ref must preserve the branch name"

# The push step must use push_ref (branch name), not ref (SHA)
assert 'steps.ref.outputs.push_ref' in content, "git push must target push_ref (branch name)"
# push_ref is surfaced via PUSH_REF env var to keep shell script clean
assert 'PUSH_REF: ${{ steps.ref.outputs.push_ref }}' in content, "PUSH_REF env var must map push_ref"
assert 'HEAD:$PUSH_REF' in content, "push must use PUSH_REF env var (branch name)"


@pytest.mark.unit
def test_codeql_autofix_excludes_workflow_files_from_formatting() -> None:
repo_root = Path(__file__).resolve().parents[1]
Expand Down
Loading