From d97778cde77fdda6c8f90154c8ebcf45338f5e25 Mon Sep 17 00:00:00 2001
From: Aitor Perez Cedres <1515757+Zerpet@users.noreply.github.com>
Date: Tue, 29 Oct 2024 12:44:13 +0000
Subject: [PATCH 1/2] Update CodeQL workflow

Dependabot does not have write permissions in the repository, and it causes failures when running on push events, because CodeQL needs write access to upload the results of the scaning to GitHub. This commit adds a conditional to run CodeQL if the event is a pull request, OR if the actor is not dependabot. This conditional should filter "push" events when dependabot is the actor, and always run pull request scans.
---
 .github/workflows/codeql-analysis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 12967a738..89103a5f2 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -23,6 +23,7 @@ on:
 jobs:
   analyze:
     name: Analyze
+    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == "pull_request" }}
     runs-on: ubuntu-latest
     strategy:
 
From b304742ef8829b7e12173afe91d9b4bdd8de59fc Mon Sep 17 00:00:00 2001
From: Aitor Perez Cedres <1515757+Zerpet@users.noreply.github.com>
Date: Tue, 29 Oct 2024 12:47:24 +0000
Subject: [PATCH 2/2] CodeQL workflow to ignore non-code files

---
 .github/workflows/codeql-analysis.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 89103a5f2..41393f265 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,9 +14,19 @@ name: "CodeQL"
 on:
   push:
     branches: [ main ]
+    paths-ignore:
+      - 'docs/**'
+      - '*.md'
+      - 'LICENSE.txt'
+      - 'PROJECT'
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ main ]
+    paths-ignore:
+      - 'docs/**'
+      - '*.md'
+      - 'LICENSE.txt'
+      - 'PROJECT'
   schedule:
     - cron: '0 0 * * 0'
 
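Review bot: The added `if:` expression wraps `"pull_request"` in double quotes, but GitHub Actions expression syntax accepts only single-quoted string literals, so the workflow file will be rejected at parse time and the `analyze` job will not run on any event. Change the line to `if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'pull_request' }}`. The description also relies on pull-request runs triggered by Dependabot being able to upload results, yet those runs receive a read-only `GITHUB_TOKEN` as well, so that assumption is worth confirming against the job's `permissions` block, which lies outside this hunk. The `analyze` job definition continues past the end of the hunk.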
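Review bot: In both added `paths-ignore` lists, `'*.md'` matches only Markdown files at the repository root, because `*` in GitHub's path filters does not match `/`, so a nested Markdown file outside `docs/` still triggers a CodeQL run; if the intent is to skip all Markdown, use `'**.md'` instead. The two lists are copies, and a later edit to one of them would make pushes to `main` and pull requests against it run under different rules, so a comment such as `# keep in sync with pull_request.paths-ignore below` above the first list would help. Commits to `main` touching only the ignored paths are now covered solely by the weekly `schedule` trigger, which is presumably acceptable since they carry no code, but it should be a deliberate choice.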