crickets-and-comb/shared

Add codeql.yml reusable workflow.

Open

#82 geöffnet am 10. Juli 2025

Auf GitHub ansehen
 (0 Kommentare) (0 Reaktionen) (0 zugewiesene Personen)Makefile (0 Forks)auto 404
bugenhancementhelp wanted

Repository-Metriken

Stars
 (2 Stars)
PR-Merge-Metriken
 (PR-Metriken ausstehend)

Beschreibung

Create a reusable workflow to configure CodeQL scanning action.

Problem:

CodeQL code scanning is currently configured with GitHub's default settings (so, no workflow in our .github/workflows directories), in each repo except in bfb_delivery, but the default setting does not allow scanning PRs from forked repos. This is a good precaution since that can lead to malicious activity, but it defeats the purpose of requiring code scanning of PRs while allowing PRs from outside contributors who must fork.

Proposed Solution:

bfb_delivery now has a .github/workflows/codeql.yml workflow that configures how code scanning is run, specifically checking out the PR's ref, instead of the forked repo's head ref which could inject malicious workflows. https://github.com/crickets-and-comb/bfb_delivery/blob/main/.github/workflows/codeql.yml

We can use this to create a shared workflow that consuming repos can call from a workflow, as we do with our CI/CD workflow.

Implementation:

  1. Create a copy of https://github.com/crickets-and-comb/bfb_delivery/blob/main/.github/workflows/codeql.yml in the shared repo's workflows directory.
  1. Create a calling workflow in reference_package.
  1. Test it out.
  • Did it work on push to main?
  • Does it work on dispatch? (manual trigger from Actions tab in GitHub UI.)
  • Does code scanning work on a PR to reference_package?
  • Does it work on a PR from a forked repo?
  1. Repeat for each repo in the org, including testing.

Note on implementation

Some repos have different languages to scan. You'll probably need to add those to the shared matrix, because you probably can't add a parameter to pass to the reusable workflow and set the language matrix.

Alternative approach

You may face difficulty due, e.g. having trouble calling the CodeQL action from a reused workflow. So, you can try putting the workflow in the org's .github repo's workflows directory so that it becomes a default repo in each of the org's repos. This would mean it's not a reusable workflow that's called but one called directly from the repo, just as a copy. It also might mean that it doesn't show up in existing repos, nor would they get updates to it.

Success

CodeQL scans run in each repo on push to main, on dispatch, on PRs from within repo and from forks.

Contributor Guide