Repository metrics
- Stars
- (2 stars)
- PR merge metrics
- (PR metrics pending)
説明
Create a reusable workflow to configure CodeQL scanning action.
Problem:
CodeQL code scanning is currently configured with GitHub's default settings (so, no workflow in our .github/workflows directories), in each repo except in bfb_delivery, but the default setting does not allow scanning PRs from forked repos. This is a good precaution since that can lead to malicious activity, but it defeats the purpose of requiring code scanning of PRs while allowing PRs from outside contributors who must fork.
Proposed Solution:
bfb_delivery now has a .github/workflows/codeql.yml workflow that configures how code scanning is run, specifically checking out the PR's ref, instead of the forked repo's head ref which could inject malicious workflows. https://github.com/crickets-and-comb/bfb_delivery/blob/main/.github/workflows/codeql.yml
We can use this to create a shared workflow that consuming repos can call from a workflow, as we do with our CI/CD workflow.
Implementation:
- Create a copy of https://github.com/crickets-and-comb/bfb_delivery/blob/main/.github/workflows/codeql.yml in the
sharedrepo's workflows directory.
- Modify as needed.
- Change the triggers to only trigger from
workflow_call. See https://github.com/crickets-and-comb/shared/blob/main/.github/workflows/CI.yml for an example of this trigger. - Make other necessary changes as testing reveals.
- Change the triggers to only trigger from
- Create a calling workflow in
reference_package.
- See https://github.com/crickets-and-comb/reference_package/blob/main/.github/workflows/PR_CI_CD.yml for an example of consuming a
sharedreusable workflow. - Unlike that example, use the triggers in workflow we're copying from
bfb_delivery: https://github.com/crickets-and-comb/bfb_delivery/blob/main/.github/workflows/codeql.yml- Namely:
push,pull_request_target,schedule, andworkflow_dispatch.
- Namely:
- Merge to main.
- Test it out.
- Did it work on push to main?
- Does it work on dispatch? (manual trigger from Actions tab in GitHub UI.)
- Does code scanning work on a PR to
reference_package? - Does it work on a PR from a forked repo?
- Repeat for each repo in the org, including testing.
Note on implementation
Some repos have different languages to scan. You'll probably need to add those to the shared matrix, because you probably can't add a parameter to pass to the reusable workflow and set the language matrix.
Alternative approach
You may face difficulty due, e.g. having trouble calling the CodeQL action from a reused workflow. So, you can try putting the workflow in the org's .github repo's workflows directory so that it becomes a default repo in each of the org's repos. This would mean it's not a reusable workflow that's called but one called directly from the repo, just as a copy. It also might mean that it doesn't show up in existing repos, nor would they get updates to it.
Success
CodeQL scans run in each repo on push to main, on dispatch, on PRs from within repo and from forks.