Re-enable CodeQL with Dynamic Approach #110
Comments
compared to |
That was the default config by LGTM. I think they're generally the same, the yaml just gives more flexibility if we want it. One interesting feature: |
I'm not sure we do. Other than the security features, I've yet to see much I like about CodeQL that flake8 and mypy don't already provide. I'd like to ignore the config as much as possible and let GitHub do its best |
I'm concerned packages will become out of date: https://github.com/WIPACrepo/rest-tools/blob/master/.github/workflows/codeql.yml#L30 |
Sure, that's a relevant concern for all of our actions. You had some version checking bot for the setup action, right? Could that be applied here? |
Right, it's built into the dependabot. I do think that would apply here--good point |
Currently, we're using a codeql.yml file, which may have been the original/only way to do this a couple of months back. Now, we can use the "Default" setup which enables a "dynamic" GHA (no yaml needed). @dsschult if you didn't configure anything special back in #82, then there are no downsides to the dynamic approach. https://github.com/WIPACrepo/wipac-dev-tools uses this approach. The main pro is that there's less for us to manage--we'll always have the latest workflow.