Jan Macku

Results 69 comments of Jan Macku

I can squash them if you prefer.

> @jamacku Have you had a chance to test this? I ran a brief test and at first run this will open about 300 code scanning issues based on...

@evverx I think we can try it and see the results for enabling code scanning for `oss-fuzz`. It could be helpful and more visible for systemd maintainers. NOTE: I saw...

@evverx Yes, as far as I know, defects that don't have code line numbers directly associated with them won't be shown on PRs (as code annotations). They will still be...

```yml
if: failure() && steps.build.outcome == 'success'
```

I think it should be `if: always() && ...`. Otherwise, GitHub won't mark resolved issues as `fixed`.

> @jamacku It's a good point. That `if: failure()` statement came from [8ba4f3a](https://github.com/google/oss-fuzz/commit/8ba4f3a3755f8a7a5f8071b174e7189fc26fa4dd) and it doesn't seem to be applicable to the part sending SARIF. I'm not sure what should...

> @jamacku, what's the difference or what is better than my PR #2754?

Hi @thomasmerz, looking at your PR, I see the following differences:

* In your workflow,...

Hi @thomasmerz, Thanks a lot for your constructive approach and discussion. It's nice to see such a great community of developers.

> Just some final question: Will your workflow use...

> Can you maybe also add a dependabot entry to update the pinned GitHub actions versions? That way we won't "forget" to update.

Sure, I'll add the Dependabot config.