
Re-enable CodeQL with Dynamic Approach #110

Open
ric-evans opened this issue Feb 17, 2023 · 6 comments
Assignees
Labels
CI / Testing About CI and/or testing question Further information is requested

Comments

@ric-evans
Member

Currently, we're using a codeql.yml file, which may have been the original/only way to do this a couple of months back. Now, we can use the "Default" setup which enables a "dynamic" GHA (no yaml needed).

@dsschult if you didn't configure anything special back in #82, then there are no downsides to the dynamic approach. https://github.com/WIPACrepo/wipac-dev-tools uses this approach. The main pro is that there's less for us to manage--we'll always have the latest workflow.

@ric-evans ric-evans added the question Further information is requested label Feb 17, 2023
@ric-evans ric-evans self-assigned this Feb 17, 2023
@ric-evans ric-evans added the CI / Testing About CI and/or testing label Feb 17, 2023
@ric-evans
Member Author

compared to https://github.com/Observation-Management-Service/MQClient/blob/v1.0.3/.github/workflows/codeql.yml, which I replaced similarly, the only diff is the cron schedule

@dsschult
Contributor

That was the default config by LGTM. I think they're generally the same, the yaml just gives more flexibility if we want it.

One interesting feature:
https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#avoiding-unnecessary-scans-of-pull-requests
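
The feature linked above, as an added example and not this repository's own codeql.yml: a hand-maintained CodeQL workflow for a Python project in which pull requests that only touch documentation files are skipped via `paths-ignore`. The branch name `main`, the `python` language matrix, the cron schedule and the ignored paths are assumptions for illustration; the action names and the `permissions` block are the standard ones from the GitHub-provided starter workflow of that period.

```yaml
# Added example: a hand-maintained CodeQL workflow (not the project's file).
# Assumptions: default branch "main", Python-only codebase, docs live in
# Markdown/text files that CodeQL has nothing to analyze.
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
    # Skip the scan on PRs that only change documentation; a push to main
    # still triggers a full scan, so nothing is silently excluded from the
    # security-events history.
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
      - 'docs/**'
  schedule:
    # Weekly scheduled scan (assumed cadence) so new queries still run
    # against the default branch even when nothing is pushed.
    - cron: '30 1 * * 0'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Least privilege: read the repo, write only to code-scanning results.
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'python' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # The version tag on these two actions is exactly the thing that goes
      # stale in a hand-maintained file; the "default setup" avoids it.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```

The `paths-ignore` filter only applies to the `pull_request` trigger here; applying it to `push` as well would mean a documentation-only commit to `main` never gets a fresh scan, which is the trade-off the linked docs page describes.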

@ric-evans
Member Author

ric-evans commented Feb 27, 2023

if we want it

I'm not sure we do. Other than the security features, I've yet to see much I like about CodeQL that flake8 and mypy don't already provide. I'd like to ignore the config as much as possible and let GitHub do its best.

@ric-evans
Member Author

I'm concerned packages will become out of date: https://github.com/WIPACrepo/rest-tools/blob/master/.github/workflows/codeql.yml#L30

@dsschult
Contributor

Sure, that's a relevant concern for all of our actions. You had some version checking bot for the setup action, right? Could that be applied here?

@ric-evans
Member Author

Right, it's built into Dependabot. I do think that would apply here--good point.
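
The version-checking setup referred to in the last two comments, as an added example that is not taken from this repository: a `.github/dependabot.yml` using the `github-actions` package ecosystem, which opens PRs to bump the `uses:` tags (such as `github/codeql-action/init@v2`) in every workflow under `.github/workflows`. The weekly schedule and the label are assumptions for illustration; the ecosystem name, `directory` and `schedule` keys are Dependabot's documented configuration.

```yaml
# Added example: .github/dependabot.yml (not the project's own file).
# Assumptions: weekly cadence and the "dependencies" label are arbitrary
# choices for illustration.
version: 2
updates:
  # Keeps the action versions referenced in .github/workflows/*.yml current,
  # which addresses the "packages will become out of date" concern for a
  # hand-maintained codeql.yml. The directory is the repository root;
  # Dependabot locates the workflow files itself.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
```

Dependabot treats `github-actions` as its own ecosystem, so an existing entry for `pip` does not cover workflow files; a separate entry like the one above is needed. It also handles actions pinned to a full commit SHA, updating the SHA and the trailing version comment together, so pinning by SHA (the more tamper-resistant choice) does not have to mean losing automated updates.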
