
[feature] Restore CodeQL to doc-only commits #1261

Closed
ianlewis opened this issue Nov 24, 2022 · 4 comments · Fixed by #1792
Labels
area:tooling An issue with project tooling and config type:feature New feature or request

Comments

@ianlewis
Member

Currently we don't run CodeQL for PRs and commits that are only *.md or *.y(a)ml files. However, scorecard dings us for not running CodeQL on all of our commits.

Should we just run CodeQL on all of our commits so we can improve our scorecard score?

Related #547

@ianlewis ianlewis added type:feature New feature or request area:tooling An issue with project tooling and config labels Nov 24, 2022
@ianlewis
Member Author

Related ossf/scorecard#2487

@ianlewis
Member Author

/cc @asraa

@asraa
Collaborator

asraa commented Nov 28, 2022

Oof, I see. That's kinda unfortunate. At this point maybe it's OK since it's unlikely we'll have to move as quick on the doc-only changes. It'd be nice to see if the scorecard issue has any movement, but in the meantime, we can re-enable and see how annoying it gets?

@ianlewis
Member Author

I think I'll just leave this issue open for now.

  1. It's nice to get PR checks to complete quickly.
  2. It doesn't ding us too badly. Just a 7/10 for one sub-score.
  3. It's not actually a security issue but an issue with the tool.
  4. We already have a reasonably high score: 9.0, and still have room for improvement elsewhere.

@ianlewis ianlewis assigned ianlewis and unassigned ianlewis Feb 21, 2023
ianlewis pushed a commit that referenced this issue Mar 22, 2023
Fixes #1261 

Run CodeQL on all PRs. CodeQL actions succeed even if there are errors
so our noop setup didn't really work anyway. What we really need is the
protected branch check that looks at the resulting "Checks" output that
CodeQL uploads.

Signed-off-by: Ian Lewis <[email protected]>
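The trigger change the commit message describes, shown as an added example: this is not the project's own workflow file (the repository's CodeQL workflow is not reproduced in this issue). The file path, the default branch name, the analysed language and the exact shape of the old path filter are assumptions; the `**.md` / `**.y(a)ml` patterns mirror what the first comment says was skipped.

```yaml
# Added example, not the project's own workflow. Assumed location:
# .github/workflows/codeql.yml; assumed default branch "main"; assumed language: go.

# BEFORE (the setup the issue describes): the workflow never starts for commits
# that touch only Markdown or YAML files. Scorecard's SAST check then sees commits
# with no CodeQL run, and a branch-protection rule that requires the "CodeQL" job
# cannot be satisfied on those commits without some placeholder job reporting success.
#
#   on:
#     pull_request:
#       paths-ignore:
#         - '**.md'
#         - '**.yml'
#         - '**.yaml'
#
# AFTER: run on every pull request and every push to the default branch, no path filter.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Workflow-level default: read-only token for every job unless a job raises it.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read          # read workflow-run metadata during upload
      contents: read
      security-events: write # needed to upload SARIF results to code scanning
    steps:
      # Tags are used here for readability; pin each action to a commit SHA in a
      # real repository (scorecard's Pinned-Dependencies check looks for that).
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: go
      - uses: github/codeql-action/autobuild@v2
      - uses: github/codeql-action/analyze@v2
```

Removing the path filter is only half of what the commit message asks for. The `analyze` job exits successfully even when it finds alerts, so requiring that job in branch protection proves only that the scan ran. The gate the commit message points at is the separate check that code scanning itself reports on the pull request after the SARIF upload (it appears as "Code scanning results / CodeQL"); that check fails when the upload introduces new alerts at or above the configured severity, so it is the one to mark as required on the protected branch.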