CI: revive CodeQL — v3 action, build-mode none, wired to PRs + weekly cron #3104
Merged
Conversation
CI: revive CodeQL — v3 action, build-mode none, wired to PRs + weekly cron

The existing codeql.yml was the stock template parked on workflow_dispatch-only: it never triggered automatically, ran a full cpp Autobuild per language, and sits on codeql-action@v2, which GitHub has since sunset — even a manual dispatch fails today.

Rewritten: c-cpp only (.das is invisible to CodeQL and is covered by the in-tree lint; the template's javascript/python lanes scanned a few scripts for the price of two more jobs), build-mode none instead of Autobuild (no traced build — minutes per run, not a full build; can be upgraded later if finding quality warrants), vendored 3rdparty/ and tests-cpp/3rdparty/ excluded from analysis.

Triggers: PRs and master pushes path-filtered to the C++ surface, a weekly cron to keep the master baseline fresh for PR alert diffing, and workflow_dispatch kept for manual full runs.

PR checks flag only alerts NEW in the diff; the first-scan backlog lands in the Security tab without gating anything.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Pull request overview
Revives and modernizes the repository’s CodeQL workflow so C/C++ code scanning runs automatically on relevant changes (PRs + master pushes) and on a weekly schedule, using CodeQL Action v3 in buildless mode to keep runtime low.
Changes:
- Replace the dormant v2/template-only CodeQL workflow with a v3 workflow that runs automatically on PRs and master pushes (path-filtered) plus a weekly cron.
- Limit scanning to the C/C++ surface and use `build-mode: none` to avoid full build costs.
- Exclude vendored third-party directories from analysis results.
Fork PRs get a read-only token regardless of the permissions block, so the analyze step's SARIF upload would red-check every external contributor's C++ PR. Same-repo PRs and push/schedule/dispatch still run; fork-contributed code gets scanned by the post-merge master push.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
What
Rewrites the dormant `.github/workflows/codeql.yml`. The existing file was the stock GitHub template parked on `workflow_dispatch`-only — it never triggered automatically, and it sits on `codeql-action@v2`, which GitHub has since sunset, so even a manual dispatch fails today.

Design

- `languages: c-cpp` only. `.das` is invisible to CodeQL (covered by the in-tree lint, which is stricter anyway); the template's javascript/python lanes scanned a handful of scripts for the price of two extra jobs per run.
- `build-mode: none` instead of Autobuild — no traced build, so a run costs minutes rather than a full build per PR. Can be upgraded to a built mode later if finding quality warrants the precision.
- Vendored directories excluded from analysis (`3rdparty/`, `tests-cpp/3rdparty/`) — findings in fmt/uriparser/doctest aren't actionable here. Modules pull externals via FetchContent, so nothing else is in-tree.
- Triggers: PRs and master pushes path-filtered to the C++ surface (`src/`, `include/`, `modules/`, `tests-cpp/`), a weekly cron to keep the master baseline fresh (PR alert diffing compares against it), and `workflow_dispatch` kept for manual runs. Org `ubuntu-latest-fat` runner label kept per 9f7d8d0.

Adoption note
PR checks flag only alerts new in the diff. The first scan of the codebase will land a backlog of findings in the Security tab — that backlog does not gate PRs and can be triaged (or ignored) independently.
Companion to the local-vs-CI coverage-gap work (#3102): Copilot review covers diff-scoped judgment, CodeQL adds whole-program dataflow on the C++ surface.
🤖 Generated with Claude Code
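A minimal workflow that expresses the design above, added here as an illustration and not the PR's actual `codeql.yml`; the cron time, the exact path globs and the fork-PR guard expression are assumptions.

```yaml
# Illustrative reconstruction of the design described in this PR; not the
# repository's own codeql.yml. Cron time and fork guard are assumptions.
name: CodeQL

on:
  pull_request:
    paths: ['src/**', 'include/**', 'modules/**', 'tests-cpp/**']
  push:
    branches: [master]
    paths: ['src/**', 'include/**', 'modules/**', 'tests-cpp/**']
  schedule:
    - cron: '0 4 * * 1'    # weekly (time assumed): keeps the master baseline fresh for PR alert diffing
  workflow_dispatch:        # manual full runs

permissions:
  contents: read
  security-events: write    # needed by codeql-action/analyze to upload SARIF

jobs:
  analyze:
    # Fork PRs get a read-only token regardless of the permissions block, so the
    # SARIF upload would fail the check; skip them. Their code is scanned by the
    # post-merge master push instead.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest-fat   # org runner label kept per the PR; use ubuntu-latest elsewhere
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: c-cpp
          build-mode: none        # no traced build: minutes per run, not a full build
          config: |
            paths-ignore:         # vendored code: findings here are not actionable
              - 3rdparty
              - tests-cpp/3rdparty
      - uses: github/codeql-action/analyze@v3
        with:
          category: '/language:c-cpp'
```

PR runs need no extra configuration to report only new alerts: GitHub diffs the PR's results against the most recent analysis of the base branch, which is why the weekly cron matters when master sees little C++ traffic.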