codeql-action/init workflow validation doesn't respect custom source-root
We get the warning
```
Warning: Unable to validate code scanning workflow: error: getWorkflow() failed: Error: Expected to find a code scanning workflow file at /home/runner/_work/ProDriver-Safety-Path/ProDriver-Safety-Path/.github/workflows/nightly_codeql.yml, but no such file existed. This can happen if the currently running workflow checks out a branch that doesn't contain the corresponding workflow file.
```
in our custom CodeQL workflow. We check out our repository in a custom location and specify this location using source-root:
```yaml
- name: Checkout
  uses: actions/checkout@v4
  if: always()
  with:
    path: "my-custom-path"
- name: Initialize CodeQL
  uses: github/codeql-action/init@v3
  with:
    languages: ${{ matrix.language }}
    build-mode: ${{ matrix.build-mode }}
    source-root: "my-custom-path"
```
It looks like the bug is this code: https://github.com/github/codeql-action/blob/c6e30a2b5a6e3c0a72eb142ec994f99816593c51/src/workflow.ts#L285-L290
Hi @g-ulli 👋🏻
Thanks for reporting this. The workflow validation is generally best-effort and you can obviously ignore the warning if you are not having any other problems with your analysis.
The input for source-root is somewhat unrelated here, because it is referring to the root of the directory containing the source code you wish to analyse with CodeQL, not the root of the checkout for the repository containing the active workflow. The workflow validation that's producing the warning here is not part of the CodeQL analysis. If you're concerned about e.g. actions analysis, that should work fine and is unrelated to this workflow validation.
Generally, GitHub Actions expects the .github/workflows folder to exist in $GITHUB_WORKSPACE (e.g. for reusable / local actions). For simple workflows that doesn't matter too much, but for more complex workflows you may run into issues. If you're checking out your repo outside of $GITHUB_WORKSPACE and run into issues, consider moving the .github/workflows directory back to $GITHUB_WORKSPACE after checking out the repo.
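One concrete way to do what the comment above suggests, as an added example that is not code from the codeql-action project or from either participant: a small shell helper that copies the checked-out repository's `.github/workflows` back under `$GITHUB_WORKSPACE`, which in a workflow would be a `run:` step placed right after `actions/checkout` and before `github/codeql-action/init`. The directory name `my-custom-path` is taken from the issue; the function names, the constructed temporary layout and the placeholder `nightly_codeql.yml` are assumptions made for the demo.

```shell
#!/usr/bin/env sh
# Added example (not from codeql-action): make the repository's workflow files
# visible at the location Actions tooling expects, i.e. $GITHUB_WORKSPACE/.github/workflows,
# when the repo itself was checked out into a custom sub-directory.
set -eu

# restore_workflows_to_workspace <checkout_dir> <workspace_dir>
# Copies <checkout_dir>/.github/workflows into <workspace_dir>/.github/workflows.
# Returns 0 on success, 1 if the checkout has no workflows directory (so a
# misconfigured path fails loudly instead of silently leaving the warning in place).
restore_workflows_to_workspace() {
  checkout_dir="$1"
  workspace_dir="$2"
  src="${checkout_dir}/.github/workflows"
  dst="${workspace_dir}/.github/workflows"

  if [ ! -d "$src" ]; then
    echo "no workflows directory at ${src}" >&2
    return 1
  fi
  mkdir -p "$dst"
  # Copy the directory contents (not the directory itself) so repeated runs are idempotent.
  cp -R "${src}/." "${dst}/"
  echo "copied workflows from ${src} to ${dst}"
}

# count_workflow_files <workspace_dir>
# Prints the number of *.yml / *.yaml files directly under <workspace_dir>/.github/workflows,
# handy as a post-checkout sanity check in the same run: step.
count_workflow_files() {
  find "$1/.github/workflows" -maxdepth 1 -type f \( -name '*.yml' -o -name '*.yaml' \) | wc -l | tr -d ' '
}

# Demo on a constructed layout mirroring the issue: the repo lives under
# "my-custom-path" inside a throwaway "workspace"; the workflow file is a placeholder.
# In a real job, <workspace_dir> would be "$GITHUB_WORKSPACE".
demo() {
  ws="$(mktemp -d)"
  mkdir -p "${ws}/my-custom-path/.github/workflows"
  printf 'name: nightly_codeql\non: [workflow_dispatch]\n' \
    > "${ws}/my-custom-path/.github/workflows/nightly_codeql.yml"
  restore_workflows_to_workspace "${ws}/my-custom-path" "${ws}"
  count_workflow_files "${ws}"
  rm -rf "${ws}"
}
```

In a workflow this would be `run: restore_workflows_to_workspace "$GITHUB_WORKSPACE/my-custom-path" "$GITHUB_WORKSPACE"` (with the function defined in the same step or sourced from a script in the repo). Copying rather than moving keeps the custom checkout intact for `source-root`, so the CodeQL analysis itself is unaffected.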