Runs a standalone action along with a configured one
I have a PR-workflow file in my .github/workflow. Whenever a PR is created, a CodeQL action is run from this config, but an additional standalone CodeQL action is also created, which fails with a warning.
```yaml
name: PR Workflow
on:
  pull_request:
    branches:
      - '**'
jobs:
  # few other actions here
  CodeQL:
    name: Analyse code with codeQL
    runs-on: ubuntu-latest
    needs: Continuous-Integration
    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript' ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: ${{ matrix.language }}
      - name: Autobuild
        uses: github/codeql-action/autobuild@v1
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
```
[Image: Error]
[Image: Workflow example]

What changes do I need to make to stop the last action from running, which remains unresolved with the above warning?
The check status labelled Code scanning results / CodeQL is not a second Actions run, but is created by the GitHub code scanning service whenever it processes an analysis for your PR. This is by design: it contains a summary of the code scanning alerts for the PR. See https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests for more information.
By default this check status is informational and non-blocking, unless there are error-severity alerts and you've created branch protection rules that require the check. (The severity threshold is customisable, according to the docs linked above).
The warning about the base branch not being found is because your CodeQL analysis workflow has not run on the target branch of the PR (in this case, develop), so Code Scanning cannot perform a comparison to find out which alerts were fixed/introduced by the PR. Again this is not blocking, but if you set up the same workflow to run on your develop branch, then that should make the warning go away.
For example:
```yaml
on:
  push:
    branches:
      - develop
  pull_request:
    branches:
      - develop
```
@adityasharad Hey, thanks for the help man. Is there a way to run the CodeQL analysis on the target branch of the PR in all cases? Like here I have specified it to run on all branches at the top level of my YAML file:
```yaml
on:
  pull_request:
    branches:
      - '**'
```
Depends what you are trying to achieve. Do you have PRs against all possible branches of your project? And are your PRs usually from branches of the same repository, or from forks?
Could you narrow down the set of likely PR target branches? Then you could try something like:
```yaml
on:
  push:
    branches:
      - main
      - other-possible-target-branch
      - ...
  pull_request:
    branches:
      - main
      - other-possible-target-branch
      - ...
```
For completeness, I should point out that you can technically do the following to run on every single push and PR from/to any branch, but personally I wouldn't recommend it. Using pull_request events rather than push events for PR branches allows the PR merge commit to be analysed (rather than the base branch) and enables Code Scanning to compute an accurate comparison of the alerts fixed/introduced.
```yaml
# Possible but not recommended
on:
  push:
    branches:
      - '**'
      - ...
  pull_request:
    branches:
      - '**'
```
You can also do:
```yaml
on:
  push:
    branches:
      - main
      - other-possible-target-branch
      - ... # more branches here, but not all branches
  pull_request: # no branches filter
```
This will analyse any PR. But you'll get the best results, without the "analysis not found" warning you asked about earlier, for the PRs whose base branch is analysed by the push events. Hope this helps!
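The trigger configurations in this thread can be checked mechanically to see which PR base branches will have a push analysis to compare against. The following is an added example, not part of the original posts or of the CodeQL action; the function names are hypothetical, the `on:` block is passed in as an already-parsed dict, and only the `*` and `**` wildcards of branch filters are handled (no `!` negation, no `branches-ignore`).

```python
import re

def filter_to_regex(pattern):
    """Translate a branch filter to a regex (simplified, assumption):
    '**' matches any characters, '*' matches any characters except '/'."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def event_matches(triggers, event, branch):
    """True if `event` on `branch` would start the workflow."""
    if event not in triggers:
        return False
    filters = (triggers[event] or {}).get("branches")
    if filters is None:  # no branches filter: every branch matches
        return True
    return any(filter_to_regex(f).match(branch) for f in filters)

def classify_pr(triggers, base_branch):
    """Classify a PR by its base (target) branch, from the config alone."""
    if not event_matches(triggers, "pull_request", base_branch):
        return "not-analysed"
    if event_matches(triggers, "push", base_branch):
        return "analysed-with-baseline"
    # PR is analysed, but nothing analyses the base branch itself:
    # this is the "base branch not found" warning case from the thread.
    return "analysed-no-baseline"

# Constructed inputs mirroring the three configurations discussed above.
ORIGINAL = {"pull_request": {"branches": ["**"]}}
SUGGESTED = {"push": {"branches": ["develop"]},
             "pull_request": {"branches": ["develop"]}}
ANY_PR = {"push": {"branches": ["main"]}, "pull_request": None}

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL), ("suggested", SUGGESTED), ("any-PR", ANY_PR)]:
        for base in ("develop", "main"):
            print(f"{name:10} PR -> {base:8} {classify_pr(cfg, base)}")
```

A result of `analysed-with-baseline` only means the configuration allows a baseline; the base branch still needs at least one completed push analysis before the comparison works.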
Thanks, this was really helpful.