Employ CodeQL checks for PR workflow#2358
ruspl-afed wants to merge 1 commit into eclipse-4diac:develop from
Conversation
Oh, we have a configuration issue again. They say we need to fix this issue with the repo settings, but I'm not sure how to do this better: https://docs.github.com/en/code-security/reference/code-scanning/sarif-files/troubleshoot-sarif-uploads/default-setup-enabled @mx990 WDYT?
mx990 left a comment
I checked the default configuration and it claims to already run on push and pull requests to develop and protected branches, but it does not seem to be running for PRs from other repositories[^1]. I also saw no way to further configure that with the default configuration.
I guess we just have to switch over to the advanced configuration in the settings. In order to keep the downtime short, we should probably wait right before merging this PR and then switch over.
@azoitl WDYT?
Footnotes
```yaml
jobs:
  callCodeQLworkflow:
    uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/codeQLworkflow.yml@master
```
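Review bot: the `uses:` line references the reusable workflow from another repository at the mutable `@master` ref, so whatever lands on that branch later runs unreviewed in this repo's CI; if the cross-repo call is kept, pin it to a release tag or a full commit SHA (`...codeQLworkflow.yml@<sha>`) and bump it deliberately.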
I had a look at codeQLworkflow.yml and it seems to run a full Maven build ahead of the scanning. So we might want to just run it as part of the regular .github/workflows/maven.yml workflow to save on build time?
I also find it strange that we pull in a workflow from another repo. This somehow feels not right. In the end it is to get more actions into our default maven workflow. Therefore I would opt for integrating the codeql steps into our existing maven workflow.
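As an added illustration of the integration suggested in the comments above (not the project's maven.yml and not the eclipse-platform workflow), the following shows the CodeQL init/analyze steps wrapped around an existing Maven build; the JDK version, the `mvn -B verify` command and the `develop` trigger branch are assumptions.

```yaml
# Added example, not the project's own workflow: CodeQL folded into a Maven job.
# Assumptions: Java project, JDK 17, default branch "develop".
name: Maven build with CodeQL

on:
  push:
    branches: [develop]
  pull_request:
    branches: [develop]

permissions:
  contents: read
  security-events: write   # required for analyze to upload SARIF to code scanning

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: maven

      # Initialise CodeQL before compiling so the Java extractor traces the build;
      # this replaces the separate full build done by the reusable workflow.
      - uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin
          queries: security-extended

      # The regular build step (same command the existing maven workflow would run)
      - run: mvn -B verify

      # Run the queries over the database captured during the build and upload results
      - uses: github/codeql-action/analyze@v3
```

Because the scan reuses the single compile above, enabling it adds only the query phase to the existing job's runtime.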
What advanced settings do you mean?
I meant the advanced setup for CodeQL, see also Configuring advanced setup for code scanning.
Fixes #2357