Fix the currently-failing CodeQL workflow and run it on pull requests#4980
Open
matthargett wants to merge 3 commits into
Conversation
The hard-coded libtinfo5_6.3-2ubuntu0.1_amd64.deb URL 404s now that the GitHub runner's ncurses has moved to 6.3-2ubuntu0.2, so libtinfo5 is not installed and the wamrc link against the prebuilt LLVM 18.1.8 (libomptarget.rtl.amdgpu, which needs the NCURSES_TINFO_5 symbols) fails with undefined references. Resolve the libtinfo5 compat package at the same ncurses version as the runner's installed libtinfo6, with a pool-scrape fallback, so it keeps working across point-release bumps.
codeql_fail_on_error.py crashed with `KeyError: 'rules'` whenever the CodeQL driver's rule list was empty (e.g. a clean scan) and the first tool extension carried no "rules" key - the shape current CodeQL versions emit. Read the driver rules defensively and, when absent, gather rules from all extensions, so the gate no longer aborts and can still see error-level rules contributed by a query pack.
codeql.yml only runs on push to dev/**, a nightly cron, and manual dispatch, so contributor changes are not scanned until after they merge. Add the pull_request event and a concurrency group. The analysis uploads results and reads code-scanning alerts, which requires security-events:write; a pull request from a fork runs with a read-only GITHUB_TOKEN and would fail those steps, so the job now runs on pull_request only when the head branch lives in this same repository. Other events keep the original behavior of running only on the upstream repository. Only pull_request runs cancel their own superseded run; branch and scheduled scans are left to finish.
Summary
The CodeQL workflow is currently failing on `main` — the nightly `Analyze (cpp)` job cannot finish — for two independent reasons. This PR fixes both. Secondarily, it starts running CodeQL on pull requests so the analysis gates a change before it merges instead of only after.

The two fixes (the point of this PR)

1. `codeql_buildscript.sh` — stale libtinfo5 URL breaks the `wamrc` link.

The script hard-codes `libtinfo5_6.3-2ubuntu0.1_amd64.deb`, which now 404s because the `ubuntu-22.04` runner's ncurses moved to `6.3-2ubuntu0.2`. With libtinfo5 missing, linking `wamrc` against the prebuilt LLVM 18.1.8 (libomptarget.rtl.amdgpu, which references the `NCURSES_TINFO_5` symbols) fails:

Fixed by resolving the libtinfo5 compat package at the runner's actual ncurses version (matching the installed `libtinfo6`), with a pool-scrape fallback so it survives future point-release bumps.

2. `codeql_fail_on_error.py` — `KeyError: 'rules'` on current CodeQL SARIF.

The gate reads `run["tool"]["driver"]["rules"]` and, when that is empty (e.g. a clean scan), falls back to `run["tool"]["extensions"][0]["rules"]` — but current CodeQL emits a SARIF whose first extension has no `rules` key, so the script raises `KeyError: 'rules'` and the step fails. Fixed to read the driver rules defensively and otherwise gather rules from the extensions (which also lets it see error-level rules a query pack contributes).

Either fix alone leaves the job red; together they get `Analyze (cpp)` green again.

Secondary: run CodeQL on pull requests

`codeql.yml` runs only on `push: dev/**`, the nightly cron, and `workflow_dispatch`, so a change isn't scanned until after it merges. This adds the `pull_request` event.

Uploading results and reading code-scanning alerts needs `security-events: write`, and a pull request from a fork gets a read-only `GITHUB_TOKEN`, so the job would fail on fork PRs. To avoid a spurious red check, it runs on `pull_request` only when the head branch is in this repository:

Non-`pull_request` events keep the original "upstream repo only" behavior. A `concurrency` group is added; only a `pull_request` cancels its own superseded run, while `dev/**` pushes and the nightly are left to finish so branch and scheduled scans are never dropped.

Consequence: external contributors' fork-head PRs will show the CodeQL job as skipped (not failed) — a read-only token can't upload code-scanning results — so those PRs stay covered by the nightly, while maintainer / in-repo branch PRs get the full pre-merge scan.
Verification
Verified end-to-end on a same-repo pull request in a fork (a fork PR is needed because CodeQL upload requires a writable token, which fork-head PRs lack): with both fixes, `Analyze (cpp)` completes the build, performs the analysis, uploads SARIF, and the `Fail if an error is found` gate passes. `codeql_buildscript.sh` and `codeql_fail_on_error.py` here are byte-identical to `main`, so these fixes apply unchanged; the `codeql.yml` change is layered on top of the current file (action pins untouched).
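An added illustration of the defensive rule-gathering the description outlines for the SARIF gate; this is not the PR's own `codeql_fail_on_error.py`, and the function names and the embedded SARIF document (shaped like the failing case: empty driver rule list, first extension without a `rules` key) are constructed for the example.

```python
# Constructed SARIF document (already parsed) in the shape the PR describes:
# the driver rule list is empty and the first extension has no "rules" key,
# so the old run["tool"]["extensions"][0]["rules"] fallback raises KeyError.
SAMPLE_SARIF = {
    "runs": [{
        "tool": {
            "driver": {"name": "CodeQL", "rules": []},
            "extensions": [
                {"name": "codeql/cpp-all"},
                {"name": "codeql/cpp-queries", "rules": [
                    {"id": "cpp/example-warning", "defaultConfiguration": {"level": "warning"}},
                    {"id": "cpp/example-error", "defaultConfiguration": {"level": "error"}},
                ]},
            ],
        },
        # Result with no explicit level: SARIF says to use the rule's default.
        "results": [{"ruleId": "cpp/example-error"}],
    }]
}


def collect_rules(run):
    """Driver rules when present; otherwise every rule from every extension."""
    tool = run.get("tool") or {}
    rules = list((tool.get("driver") or {}).get("rules") or [])
    if not rules:
        for ext in tool.get("extensions") or []:
            rules.extend(ext.get("rules") or [])
    return rules

def error_rule_ids(doc):
    """Sorted ids of rules whose default severity is 'error', across all runs."""
    ids = set()
    for run in doc.get("runs") or []:
        for rule in collect_rules(run):
            if (rule.get("defaultConfiguration") or {}).get("level") == "error":
                ids.add(rule["id"])
    return sorted(ids)

def has_error_result(doc):
    """Gate decision: a result is an error if its own level says so, or if it
    omits a level and its rule's default severity is 'error'."""
    error_ids = set(error_rule_ids(doc))
    for run in doc.get("runs") or []:
        for res in run.get("results") or []:
            if res.get("level") == "error":
                return True
            if "level" not in res and res.get("ruleId") in error_ids:
                return True
    return False
```

A clean scan (empty driver rules, extensions without a `rules` key, no results) now yields an empty rule list and a passing gate instead of a `KeyError`.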