ci: Simplify CodeQL setup #27733
278f46f to ac93141
Looking at the results here, it appears that the C++ job is uploading results for 0 files. But so far, it seems like it's always done that? I'm investigating older runs to see if this ever worked and/or when it broke.
I suspected that this changed with the Meson build, and looking at Code Scanning results, they were indeed all "fixed" (even the closed ones) as of Oct 4, 2023 by the merging of #26621.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
4ee402b to d670194
Maybe you have already tried this in your previous attempts, but I was inspired to set up the same thing for one of my repositories when I saw this, and with the default template it worked pretty simply. I basically skipped the autobuild and just installed it with pip. (And had to add a setup-python step to be able to install using meson.) However, I assume that the remaining problem is that not that many of the files are considered? FWIW: https://github.com/apytypes/apytypes/blob/main/.github/workflows/codeql.yml
Oh, that's interesting; I would've thought that just building (as we used to do) would be equivalent, unless it's something to do with where it builds. I'll give that a try as well.
68088d5 to 867971c
The workflow is now warning that `CODEQL_PYTHON` should not be set, as it is no longer used. According to the message, we also don't need to install dependencies, so fold everything into the 'build-for-C++' step.
Thanks, that worked and looks even simpler to me:
(Note: we get some extra from Qhull/FreeType/etc, so we get more C files than we actually have. We could maybe configure it to ignore those.) But note that we don't need a new Python, just upgrading
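For reference, the shape of workflow the exchange above converges on (no autobuild step, a `setup-python` step followed by a plain `pip install` so the C/C++ extractor observes the real compiles, and no `CODEQL_PYTHON` variable, which the action now warns is unused). This is an added illustration, not the workflow file from this PR or from the apytypes repository linked above; the workflow name, triggers, step names and the assumption that the project builds via `pip install .` (e.g. through meson-python) are mine.

```yaml
# Added example of a CodeQL workflow following the approach discussed in this thread.
# Not the PR's own file; names, triggers and the build command are assumptions.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'   # weekly run keeps default-branch results current

permissions:
  contents: read
  security-events: write   # required to upload results to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Needed so the build below can run; the Python extractor itself
      # no longer reads CODEQL_PYTHON, so that variable is deliberately absent.
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'

      # Initialize both extractors up front. The C/C++ tracer attaches to the
      # compiler invocations made by the build step that follows.
      - uses: github/codeql-action/init@v3
        with:
          languages: c-cpp, python
          # To drop findings in vendored third-party C sources (the "extra"
          # files noted above), point `config-file` at a CodeQL config with a
          # `paths-ignore` list; the paths depend on the project's layout.

      # No github/codeql-action/autobuild step: building the package ourselves
      # is what makes the C/C++ results non-empty. Assumes the project's
      # build backend compiles its extension modules during `pip install`.
      - name: Build for C++
        run: |
          python -m pip install --upgrade pip
          python -m pip install -v .

      - uses: github/codeql-action/analyze@v3
```

The check to make after the first run is the one the author performed above: the per-language "files analyzed" count in the job log should be non-zero for C/C++, otherwise the tracer did not see the compiles and the results on the Security tab will silently show everything as "fixed".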
Looks good. One of the checks is complaining that:
(https://github.com/matplotlib/matplotlib/pull/27733/checks?check_run_id=21143960748) I'm guessing this will get fixed upon merging this into main?
Yes, I believe that's because we "lost" the C/C++ results on
👍 - looks like there's lots of new alerts at https://github.com/matplotlib/matplotlib/security/code-scanning?query=pr%3A27733+tool%3ACodeQL+is%3Aopen.
All of the new alerts are in the