
Add CodeQL.yml caller workflow + template #138

Merged: mtfishman merged 2 commits into main from mf/codeql-template on May 4, 2026

Conversation

@mtfishman (Member) commented May 4, 2026

Summary

Add the CodeQL.yml caller workflow + matching template that targets the new path-aware CodeQL Actions analysis reusable in ITensor/ITensorActions (shipped in v2.1.0). Replaces consumer-side CodeQL default-setup, which doesn't fire on fork PRs from external contributors and leaves the required Analyze (actions) check unreachable on those PRs.

The new caller reports a status check named CodeQL / Analyze (actions). The analyze job runs full CodeQL on PRs that touch .github/workflows/**, reports success-without-running on PRs that don't, and reports skipped on fork PRs that touch workflow files (so auto-merge can't fire and a maintainer must consciously intervene).

Both copies updated per ITensorPkgSkeleton convention: .github/workflows/CodeQL.yml is the actual workflow this skeleton repo uses, and template/.github/workflows/CodeQL.yml.template is what MassApplyPatch installs into consumer repos during sweeps.

Tracked in full at Projects/Ecosystem/codeql_advanced_setup/ in ITensorDevelopmentPlans. Followup steps after this lands: ITensorOrgPatches sweep patch, ecosystem rollout (disabling default-setup CodeQL on each repo, installing the caller), and ruleset-context rename across all 38 repos.

Calls the new path-aware CodeQL Actions analysis reusable from
ITensorActions v2.1.0. Skips analysis on PRs that don't touch
.github/workflows (reports success), runs full analysis on
workflow-touching PRs, and reports `skipped` on fork PRs that touch
workflow files (so auto-merge can't fire and a maintainer must
intervene).

Replaces the consumer-side CodeQL default-setup that the
2026-05-04 audit ruleset sweep made required. Default-setup
deliberately skips fork PRs from external contributors as a
security measure, leaving the required `Analyze (actions)` check
unreachable on those PRs. The new caller-driven workflow reports a
status check that's reachable across PR types, with the right
behavior matrix per fork/workflow-touch combination.

Resulting status-check name: `CodeQL / Analyze (actions)`. Branch
rulesets need to require this string instead of the default-setup
`Analyze (actions)` once consumers swap over.

Both copies updated per the ITensorPkgSkeleton convention:
.github/workflows/CodeQL.yml is the actual workflow this skeleton
repo uses, and template/.github/workflows/CodeQL.yml.template is
what MassApplyPatch installs into consumer repos during sweeps.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
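The fork/workflow-touch behavior matrix described above, as an added self-contained illustration. This is not the project's `CodeQL.yml` caller and not the ITensorActions reusable it calls: instead of calling a reusable, it runs the public `github/codeql-action` steps inline so the whole decision is visible in one file. A `gate` job classifies the PR (does it come from a fork, does it touch `.github/workflows/`), and a single `Analyze (actions)` job then either runs CodeQL's `actions` language pack, reports success without running, or is skipped. The job names, the `main` branch name, the `concurrency` group and the use of `actions/checkout` with a full fetch are assumptions of this example.

```yaml
# Added example, not the ITensor caller workflow or the ITensorActions reusable.
name: CodeQL

on:
  # No `paths:` filter on purpose: a path-filtered required check never reports
  # on PRs that miss the filter, which leaves those PRs unmergeable. The gate
  # job below decides what to do instead.
  pull_request:
  push:
    branches: [main]   # assumed default branch

# Least privilege; on fork PRs GITHUB_TOKEN is read-only regardless.
permissions:
  contents: read
  actions: read
  security-events: write

concurrency:
  group: codeql-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  gate:
    name: Classify
    runs-on: ubuntu-latest
    outputs:
      touches: ${{ steps.classify.outputs.touches }}
      fork: ${{ steps.classify.outputs.fork }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # the diff below needs both the base and the head commit
      - id: classify
        # Event data goes in through env vars; never interpolate it into the script body.
        env:
          EVENT: ${{ github.event_name }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          THIS_REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          if [ "$EVENT" != "pull_request" ]; then
            # A push to the default branch is never a fork: always analyze.
            echo "touches=true" >> "$GITHUB_OUTPUT"
            echo "fork=false"   >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Files changed by the PR relative to the merge base (three-dot diff).
          changed=$(git diff --name-only "$BASE_SHA...$HEAD_SHA")
          touches=false
          while IFS= read -r f; do
            case "$f" in
              .github/workflows/*) touches=true ;;
            esac
          done <<< "$changed"
          echo "touches=$touches" >> "$GITHUB_OUTPUT"
          # Empty HEAD_REPO (deleted fork) also counts as a fork: fail closed.
          if [ "$HEAD_REPO" != "$THIS_REPO" ]; then
            echo "fork=true"  >> "$GITHUB_OUTPUT"
          else
            echo "fork=false" >> "$GITHUB_OUTPUT"
          fi

  analyze:
    name: Analyze (actions)
    needs: gate
    # A fork PR that edits workflow files is skipped, so this check does not go
    # green on its own and a maintainer has to look. Every other case runs.
    if: ${{ !(needs.gate.outputs.fork == 'true' && needs.gate.outputs.touches == 'true') }}
    runs-on: ubuntu-latest
    steps:
      - name: No workflow files changed
        if: needs.gate.outputs.touches == 'false'
        run: echo "No .github/workflows changes; reporting success without running CodeQL."
      - uses: actions/checkout@v4
        if: needs.gate.outputs.touches == 'true'
      - uses: github/codeql-action/init@v3
        if: needs.gate.outputs.touches == 'true'
        with:
          languages: actions
      - uses: github/codeql-action/analyze@v3
        if: needs.gate.outputs.touches == 'true'
        with:
          category: "/language:actions"
```

Two things to check before requiring the `Analyze (actions)` job in a ruleset: open a throwaway PR from a fork that edits a workflow file and confirm that the skipped conclusion really does leave the PR unmergeable under your ruleset, since that is the property the whole design relies on; and use `pull_request`, not `pull_request_target`, for this trigger, because the latter would run with the base repository's write token against fork-supplied workflow changes.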
@codecov (bot) commented May 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.34%. Comparing base (5d19460) to head (959d140).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #138   +/-   ##
=======================================
  Coverage   87.34%   87.34%           
=======================================
  Files           1        1           
  Lines         158      158           
=======================================
  Hits          138      138           
  Misses         20       20           
Flag Coverage Δ
docs 60.13% <ø> (ø)


Patch bump for the CodeQL.yml caller workflow + template addition.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-advanced-security (bot) commented
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@mtfishman mtfishman merged commit 218febc into main May 4, 2026
21 of 22 checks passed
@mtfishman mtfishman deleted the mf/codeql-template branch May 4, 2026 23:26
2 participants