You can view, comment on, or merge this pull request online at:
https://github.com/geany/geany/pull/3769
-- Commit Summary --
* Add CodeQL Analysis workflow
-- File Changes --
A .github/workflows/codeql.yml (103)
-- Patch Links --
https://github.com/geany/geany/pull/3769.patch
https://github.com/geany/geany/pull/3769.diff
It doesn't run. The message is
```
github/codeql-action/init@v3, github/codeql-action/autobuild@v3, and github/codeql-action/analyze@v3 are not allowed to be used in geany/geany. Actions in this workflow must be: within a repository owned by geany or matching the following: actions/cache@v2, actions/setup-python@v2, actions/cache@v3, actions/upload-artifact@v3, actions/checkout@v3, docker/login-action@v2, actions/setup-python@v4, actions/delete-package-versions@v4, msys2/setup-msys2@v2, actions/cache@v4, actions/checkout@v4, actions/upload-artifact@v4, docker/login-action@v3, jwalton/gh-find-current-pr@v1, actions/delete-package-versions@v5, actions/setup-python@v5.
```
Maybe you could try the [CLI](https://docs.github.com/en/code-security/codeql-cli) version and see if it's useful first.
I enabled the default scan from my repository settings. The only problems it found were related to Scintilla https://github.com/andy5995/geany/security/code-scanning
Erm, the link doesn't work.
> Erm, the link doesn't work.
That's because:
[y]ou need write permission to view a summary of all the alerts for a repository on the **Security** tab.
Only scans of _pull requests_ are publicly visible, *per* the docs.
@rdipardo Thank you for the explanation. @elextr I sent you an invite to be a collaborator.
Another thing CodeQL does is when a workflow is in place, it gives alerts for any problematic code that may be introduced in a pull request.
@andy5995
> ... an invite to be a collaborator.
You could also just open a PR in your fork from the branch with the CodeQL workflow in it. If an alert doesn't appear automatically, there should be an option to publish it.
Sounds good.
- For the next time, a description to describe what is the PR about and more importantly why, is generally a good idea.
- We could add `*.py` to the patterns and `python` to the matrix to also cover the Python helper scripts in the repository.
- Also, could you strip the commented code from the workflow definition and also the extensive description comments? I think they are not very useful.
- I enabled the mentioned "github/*" actions. In general we restrict the usable actions to the necessary ones for security reasons.
Adding `workflow_dispatch:` might be a good idea to manually re-run the workflow.
@andy5995 pushed 1 commit.
2c58e9dcc9f9fc5250e57b1eb53d66a9cd393448 strip comments, add workflow_patch trigger, enable python
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on [this overview](/geany/geany/security/code-scanning?query=pr%3A3769+is%3Aopen). Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out [the documentation](https://docs.github.com/code-security/code-scanning/automatically-scanning-y...).
Sounds good.
> * For the next time, a description to describe what is the PR about and more importantly why, is generally a good idea.
Understood!
> * We could add `*.py` to the patterns and `python` to the matrix to also cover the Python helper scripts in the repository.
Done.
> * Also, could you strip the commented code from the workflow definition and also the extensive description comments? I think they are not very useful.
Done.
> Adding `workflow_dispatch:` might be a good idea to manually re-run the workflow.
Done. Some examples of this workflow include a cron schedule as well. Would you like that added, and if so, how often should it be scheduled?
@eht16 commented on this pull request.
@@ -8,6 +8,13 @@ on:
push: branches: - master + - '**'
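Review bot: the added `- '**'` glob under `branches` matches every branch, so the existing `- master` entry becomes redundant and every push to any branch starts a run (and, if the workflow also carries a `pull_request` trigger, PR branches in this repository will run twice). If the aim is to skip runs for unrelated file changes, that belongs under `paths-ignore` on the `push` trigger, with `branches` left as `- master`.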
Why did you change this, what's the intention?
Thanks!
> Done. Some examples of this workflow include a cron schedule as well. Would you like that added, and if so, how often should it be scheduled?
I would say once in a month is a good start.
@eht16 commented on this pull request.
@@ -8,6 +8,13 @@ on:
push: branches: - master + - '**'
And it causes an error:
```
Invalid workflow file: .github/workflows/build.yml#L8 You have an error in your yaml syntax on line 8
```
@andy5995 pushed 1 commit.
d0ff4df5d1558ba4901c1dc53f864d25da96a1bf Add CodeQL Analysis workflow
@andy5995 pushed 1 commit.
629514d67d1ae515686473f36f9c16725cf771e2 Add CodeQL Analysis workflow
@andy5995 commented on this pull request.
@@ -8,6 +8,13 @@ on:
push: branches: - master + - '**'
So it won't run when other yml files are changed. Trivial in this case, but I figured you might want to add more path filters in the future:
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-githu...
@eht16 commented on this pull request.
@@ -8,6 +8,13 @@ on:
push: branches: - master + - '**'
I don't see why, at least for this case it seems a bit beyond the goal.
If we have use cases for excluding files from triggering a CI run, we can add them, but no, excluding only two YAML files doesn't change much.
Without having checked it, I think about 95% of the commits will change files which should trigger the CI anyway, so don't waste resources maintaining an artificial exclude list.
> Adding `workflow_dispatch:` might be a good idea to manually re-run the workflow.
I would still recommend this simple change.
And it seems the configuration still has syntax errors: https://github.com/geany/geany/actions/runs/8135027731/workflow
@andy5995 pushed 1 commit.
e5a73c9e3608ca7185c508fe8f0d1199a4a89078 Add CodeQL Analysis workflow
> Adding `workflow_dispatch:` might be a good idea to manually re-run the workflow.
> I would still recommend this simple change.
> And it seems the configuration still has syntax errors: https://github.com/geany/geany/actions/runs/8135027731/workflow
That seems outdated. I added the workflow_dispatch and fixed the cron syntax/indentation about a week ago.
@andy5995 commented on this pull request.
@@ -8,6 +8,13 @@ on:
push: branches: - master + - '**'
I totally see your point. I've reverted all changes to build.yml.
@andy5995 pushed 1 commit.
a8bb8700e1d55e63c71fa2850d9862d211178677 Change concurrency rules
@andy5995 commented on this pull request.
@@ -15,7 +15,7 @@ on:
# cancel already running builds of the same branch or pull request concurrency: - group: ci-${{ github.head_ref }} || concat(${{ github.ref }} + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
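Review bot: the comment `# cancel already running builds of the same branch or pull request` no longer describes the new key on the `+` line: with `github.sha` as the fallback every push gets a group of its own, so superseded runs of the same branch are never cancelled and only pull-request runs are. Fall back to `github.ref` instead of `github.sha` if branch-level cancellation is still wanted, or update the comment. Prefixing the group with `${{ github.workflow }}` does correctly separate this workflow's runs from the build workflow's. Note also that on the removed line `|| concat(` sat outside the `${{ }}` braces and was therefore literal text, never an expression fallback.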
I've changed this because the codeql job cancelled itself, considering the build job a higher priority
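Pulling together what the thread settled on (a `workflow_dispatch` trigger, a monthly schedule, `python` added to the matrix, and the concurrency key from the hunk above), here is an added example workflow; it is not the file merged in this PR, and the job name, step layout, cron time and `master` branch filter are assumptions:

```yaml
# Added example (not the workflow merged in this PR): combines the points
# settled in the thread. Step layout, cron time and branch filter are
# assumptions.
name: CodeQL

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  # manual re-run from the Actions tab, as suggested in the review
  workflow_dispatch:
  # "once a month": 03:00 UTC on the first day of each month
  schedule:
    - cron: '0 3 1 * *'

# Keying the group on the workflow name stops the CodeQL job and the build
# workflow from cancelling each other. github.sha as the fallback gives
# every push its own group, so only pull-request runs get cancelled; use
# github.ref instead if pushes to the same branch should cancel too.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    # least privilege: analyze only needs to upload SARIF results
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        # c-cpp for the editor sources, python for the helper scripts
        language: [ c-cpp, python ]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      # autobuild compiles the C sources; it is a no-op for python
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The `github/codeql-action/*` actions only run here because they were added to the repository's allowed-actions list, as noted earlier in the thread.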
> Adding `workflow_dispatch:` might be a good idea to manually re-run the workflow.
> I would still recommend this simple change. And it seems the configuration still has syntax errors: https://github.com/geany/geany/actions/runs/8135027731/workflow
> That seems outdated. I added the workflow_dispatch and fixed the cron syntax/indentation about a week ago.
Sorry, I guess I didn't properly refresh this page and so commented on the old code.
Looks good to me now. Thanks.
Merged #3769 into master.
No worries @eht16 , I know mistakes happen to humans. Cheers!
github-comments@lists.geany.org