Skip to content

ci: add CodeQL advanced setup to scan pull requests before merge#5250

Draft
nopoz wants to merge 1 commit into
odysseus-dev:devfrom
nopoz:ci/codeql-advanced-setup
Draft

ci: add CodeQL advanced setup to scan pull requests before merge#5250
nopoz wants to merge 1 commit into
odysseus-dev:devfrom
nopoz:ci/codeql-advanced-setup

Conversation

@nopoz

@nopoz nopoz commented Jul 5, 2026

Copy link
Copy Markdown
Collaborator

Summary

Moves CodeQL from GitHub's default setup to advanced setup by adding .github/workflows/codeql.yml. Default setup only scans pushes and same-repo branches, so it never scans pull requests from forks, which is where nearly all contributor PRs come from. Today that means CodeQL findings only appear after a change is merged into dev, and the fix lands on maintainers rather than the author. This workflow runs CodeQL on pull requests targeting dev (and on pushes to dev and main), so findings surface on the PR before merge. The check is advisory and does not block merges.

The languages (actions, javascript-typescript, python) and the default query suite match what default setup runs today, so the alert set does not change. Actions are pinned to the same SHAs already used elsewhere in this repo.

Draft on purpose. Advanced setup and default setup cannot run at the same time: while default setup is enabled, this workflow runs but its upload is rejected, so its CodeQL check will show red until a repo admin disables default setup in the repo settings. Keep this as a draft until that switch is made, then it can be marked ready and merged.

Linked Issue

Fixes #5249

Type of Change

  • Bug fix
  • New feature
  • CI / tooling / build
  • Documentation

Checklist

  • I searched existing issues and PRs and this is not a duplicate.
  • No visual change: this touches only .github/workflows, so no screenshot applies.

How to Test

Verified end to end on a fork before opening this. To reproduce after default setup is disabled:

  1. Open a PR to dev that adds a known-bad pattern, for example an inefficient regex like re.compile(r"^(a+)+$").
  2. Confirm the three CodeQL jobs (actions, javascript-typescript, python) run on the PR.
  3. Confirm the finding is reported on the PR before merge.
    On the fork test, a deliberate py/redos in a fork PR was flagged on the PR itself, before merge.

@github-actions github-actions Bot added the ready for review Description complete — ready for maintainer review label Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ready for review Description complete — ready for maintainer review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Run CodeQL on pull requests so findings are caught before merge

2 participants