
Does not run on Dependabot PRs

Open Sammcb opened this issue 8 months ago • 3 comments

Hi! I recently started using CodeQL for checking my GitHub Actions via the Default Setup. I also use Dependabot for version management. I noticed on my Dependabot PRs that I was seeing the CodeQL jobs fail with the following error:

Image

This was not occurring on PRs I made myself. After searching, I found this community discussion which explains that the default setup will not run jobs on Dependabot PRs.

I would appreciate having the ability to configure the default setup to run these jobs on Dependabot PRs, as this makes it difficult to require the job in a branch ruleset. At the very least, I would love better documentation of this limitation and a change in the error message to make it clearer what the issue is.

Thanks so much!

Sammcb avatar Apr 10 '25 02:04 Sammcb

👋 Thanks for the feedback.

I would appreciate having the ability to configure the default setup to run these jobs on Dependabot PRs, as this makes it difficult to require the job in a branch ruleset.

This is something we are not currently looking to support. The Dependabot PR is different from other code changes because it potentially introduces new external code that has not been vetted yet by the repo owner, thus creating a potential security risk.

as this makes it difficult to require the job in a branch ruleset.

Can you require the Code Scanning check rather than the CodeQL one? We intentionally mark the workflow as neutral so as not to be blocking. Wondering if that is enough for your purpose.

At the very least, I would love better documentation of this limitation and a change in the error message to make it clearer what the issue is.

Fair point. I'll review our docs, because that should indeed be spelled out a bit more clearly. Regarding the specific error in the check suite, this is a generic message from code scanning that might occur in other contexts, but I will check with the team whether we can override it in this specific case, as it would indeed be useful.

marcogario avatar Apr 14 '25 15:04 marcogario

Got it, yeah I think I can just mark the Code Scanning check for now. Thanks for planning to look over the docs/error message!

Sammcb avatar Apr 16 '25 04:04 Sammcb

For anyone else finding this issue, "Code Scanning" refers to the "Require code scanning results" at the bottom of the list of branch rules in the ruleset view.

smlx avatar Jul 02 '25 06:07 smlx