You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: .github/CodeQL-README.md
+23-2Lines changed: 23 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,13 +1,34 @@
1
1
# CodeQL scanning for this repository
2
2
3
-
This repository uses C++ (C++20 / moving to C++23) built with CMake under the phlex-src directory, plus some Python and CI bits (Bash). The repository includes a CodeQL GitHub Actions workflow on branch `copilot/codeql-workflow`that:
3
+
This repository uses C++ (C++20 / moving to C++23) built with CMake under the phlex-src directory, plus some Python and CI bits (Bash). The repository includes a CodeQL GitHub Actions workflow that:
4
4
5
5
- Runs on pushes to `main`, PRs targeting `main`, a weekly schedule, and can be run manually.
6
6
- Uses the repository's existing Phlex CMake build actions (not CodeQL autobuild) so the same build configuration is used for tests and release builds.
7
7
- Scans C++ and Python sources and is scoped to the `phlex-src` tree (see the CodeQL config).
8
8
- Uses RelWithDebInfo build type in CI so debug symbols are present while keeping realistic optimization.
9
+
-**Implements intelligent language detection**: On pull requests, only languages with relevant file changes are analyzed, significantly reducing CI time.
9
10
10
-
Important workflow-specific notes
11
+
## Language-Specific Analysis and Automatic Detection
12
+
13
+
The CodeQL workflow analyzes three language categories:
14
+
15
+
1.**C++** (`cpp`): Analyzes C++ and header files, plus CMake files
3.**GitHub Actions** (`actions`): Analyzes workflow and action YAML files
18
+
19
+
### Detection Behavior by Event Type
20
+
21
+
-**Pull Requests**: Only languages with relevant file changes are analyzed
22
+
- Example: A PR changing only Python files will skip C++ and Actions analysis (saves 35-70 minutes)
23
+
- Example: A PR changing only C++ files will skip Python and Actions analysis (saves 10-20 minutes)
24
+
- Example: A PR changing only workflow files will skip C++ and Python analysis
25
+
-**Pushes to main/develop**: All languages are analyzed (no detection)
26
+
-**Scheduled runs**: All languages are analyzed (no detection)
27
+
-**Manual runs** (`workflow_dispatch`): All languages are analyzed (no detection)
28
+
29
+
This detection mechanism follows the same pattern used by other workflows in this repository (python-check, clang-tidy-check, etc.) and uses the `detect-relevant-changes` action.
30
+
31
+
## Important workflow-specific notes
11
32
12
33
- The workflow sets `autobuild: false` during the CodeQL init so the repository's own configure / build steps run. This is intentional: the Phlex build actions are used to build exactly what you ship.
13
34
- The workflow tries to locate and copy a compile_commands.json (from `phlex-src/build/` or `phlex-build/`) to the workspace root so diagnostic tools and manual inspection have a predictable path.
Copy file name to clipboardExpand all lines: .github/REUSABLE_WORKFLOWS.md
+19-1Lines changed: 19 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -414,6 +414,12 @@ jobs:
414
414
415
415
Performs static analysis on the codebase using GitHub CodeQL to identify potential security vulnerabilities and coding errors.
416
416
417
+
**Key Features:**
418
+
419
+
- **Automatic Relevance Detection**: On pull requests, the workflow automatically detects which languages have relevant file changes and only runs CodeQL analysis for those languages. This significantly reduces CI time when changes affect only a subset of languages.
420
+
- **Language-Specific Scanning**: Supports separate analysis for C++, Python, and GitHub Actions workflows.
421
+
- **Fallback to Full Scan**: Scheduled runs, manual triggers (`workflow_dispatch`), and pushes to main branches always run all language scans regardless of changes.
422
+
417
423
#### Usage Example
418
424
419
425
```yaml
@@ -426,10 +432,22 @@ jobs:
426
432
427
433
- `checkout-path` (string, optional): Path to check out code to.
428
434
- `build-path` (string, optional): Path for build artifacts.
429
-
- `language-matrix` (string, optional, default: `'["cpp", "python", "actions"]'`): JSON array of languages to analyze.
435
+
- `language-matrix` (string, optional, default: `'["cpp", "python", "actions"]'`): JSON array of languages to analyze. When provided in `workflow_call`, bypasses automatic detection and forces analysis of specified languages.
430
436
- `pr-number` (string, optional): PR number if run in PR context.
431
437
- `pr-head-repo` (string, optional): The full name of the PR head repository.
432
438
- `pr-base-repo` (string, optional): The full name of the PR base repository.
439
+
- `pr-base-sha` (string, optional): Base SHA of the PR for relevance check.
440
+
- `pr-head-sha` (string, optional): Head SHA of the PR for relevance check.
441
+
- `ref` (string, optional): The branch, ref, or SHA to checkout.
442
+
- `repo` (string, optional): The repository to checkout from.
443
+
444
+
#### Behavior Notes
445
+
446
+
- **Pull Requests**: Only languages with relevant file changes are analyzed. For example, a PR that only modifies Python files will skip C++ and Actions analysis, saving 35-70 minutes of CI time.
447
+
- **Manual Runs** (`workflow_dispatch`): All languages are analyzed regardless of changes.
448
+
- **Scheduled Runs**: All languages are analyzed regardless of changes.
449
+
- **Pushes to main/develop**: All languages are analyzed regardless of changes.
450
+
- **Language Override**: Providing the `language-matrix` input in `workflow_call` bypasses automatic detection.
0 commit comments