Suppress "Please specify an on.push hook" warning #1339
Comments
Are you also specifying a category for the analysis from those workflows, with the same category for each workflow? If a category is not specified, the CodeQL Action will generate a category for you, which by default includes the workflow name. This means the alerts from the two separate workflows would be considered distinct and wouldn't be correctly matched against each other. For this reason, we generally recommend having the same workflow with both
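As an added example (not code from this issue or from the CodeQL Action project), the following shows the pattern the reply above describes: one reusable workflow runs the analysis, and both callers, one triggered by `pull_request` and one by `push` to `main`, end up with the same `category`, so Code Scanning matches the two result sets against each other. The file names, the `example-org/shared-workflows` repository, the `language` input and the `java` value are assumptions; the `category` form `/language:${{ inputs.language }}` is the one quoted later in this thread. The three files are written as separate YAML documents in a single block.

```yaml
# .github/workflows/codeql-reusable.yml
# Hypothetical shared workflow (added example, not from the issue).
name: codeql-reusable
on:
  workflow_call:
    inputs:
      language:
        required: true
        type: string

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # needed to upload SARIF results
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ inputs.language }}
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          # Identical from every caller. Without this line the action derives a
          # category that includes the *caller's* workflow name, so results from
          # pr.yml and main.yml below would be treated as two distinct analyses
          # and PR alerts could not be compared against the base branch run.
          category: "/language:${{ inputs.language }}"
---
# .github/workflows/pr.yml
# Hypothetical caller for pull requests (assumed repo path).
name: pr
on:
  pull_request:
jobs:
  codeql:
    uses: example-org/shared-workflows/.github/workflows/codeql-reusable.yml@main
    with:
      language: java
---
# .github/workflows/main.yml
# Hypothetical caller for pushes to the default branch.
name: main
on:
  push:
    branches: [main]
jobs:
  codeql:
    uses: example-org/shared-workflows/.github/workflows/codeql-reusable.yml@main
    with:
      language: java
```

The one line that matters for matching is `category` in the `analyze` step; everything else is ordinary reusable-workflow plumbing. Because the value is computed inside the shared workflow rather than passed by each caller, a caller cannot accidentally drift to a different category.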
Yes, I'm setting the category to the same value in both. Would it maybe make sense to suppress the warning if category is set? The shared workflows here are intended for k8s deployed services. We use Skaffold, and typically Jib, to build images and render manifests. Both workflows build an image, run unit tests and render manifests. The PR workflow will additionally publish test reports and optionally diff the rendered manifests with the currently deployed ones and display the result. The push (main) workflow will start a deployment flow by pushing the rendered manifests to a "deployment" branch and then start a job that is waiting for an Argo CD to report back the result via a GH check. It's obviously possible to put all of this in a single workflow but that would end up being a bunch of if-else spaghetti. We could also keep the CodeQL stuff in a separate workflow that only does that, but that means there is more boilerplate needed in each repo, which is something we're trying to avoid with the shared workflows.
@adityasharad Any more thoughts on this?
Thanks for explaining your use case, and for your patience while I discussed this with my colleagues. Your solution sounds sensible for that purpose. A missing However, I appreciate your desire to avoid the warning confusing the devs using your shared workflows. Here is a workaround that we think will help you avoid the warning, without meaningfully impacting your devs or changing the behaviour of your workflows. Will this work for you?
Thanks for the suggested workaround, but the problem with it is that it needs to be added in every caller workflow, which is something we'd like to avoid. Having this unexpected trigger/if condition everywhere and seeing the skipped jobs would potentially be even more confusing for all devs using the shared workflow than seeing the warning. I'd kindly ask you to reconsider providing an explicit option to suppress the warning; as opposed to my suggestion about always suppressing it when category is provided, this can't really be done by mistake. I would also be willing to create a PR if you were to reconsider.
Second the suggestion for this; we do have an Please, either fix the logic to properly detect that |
I moved this issue back to our triage column so we will discuss it again. A proposal that I have is that we introduce an environment variable (eg- |
@aeisenberg we are pinned to
```yaml
- name: "Analysis: CodeQL (Language: ${{ inputs.language }})"
  uses: github/codeql-action/analyze@v3
  with:
    category: "/language:${{inputs.language}}"
```
This is confirmed by logs:
So, I guess,
That is interesting. Does your workflow have a
@aeisenberg It has a
Do you have an example of this happening in a public repo? I can't find any. I was just poking around in some of the public repositories that you seem to be a contributor to. Many of them use the pattern you are describing and none of them are emitting this warning as far as I can tell. For example, this workflow: https://github.com/elide-dev/uuid/blob/main/.github/workflows/codeql.ci.yml has had a recent success here: https://github.com/elide-dev/uuid/actions/runs/10286210862 and the warning is not emitted.
@aeisenberg I'm really not sure either, because you're right, I would expect the warning from that run. The repos where we are still seeing the warning are all private, and we rolled back CodeQL for now anyway. I will try to find a workflow run and isolate the conditions that produce the warning, or verify that we were on the wrong version.
Please keep me posted. Thanks for checking up on this.
I'll close this one out since I haven't heard back from you. Feel free to comment if you see this again.
Hi,
I'm looking to use codeql-action for some shared workflows that are intended to be used across our organization. However, we have separate workflows for PRs and pushes to main, so in the PR workflow we get the warning "Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch". In this case the warning is a false positive since Code Scanning will run on push, only from a different workflow. And since this warning would be seen by devs across our organization that typically shouldn't need to care too much about the contents of the reusable workflow, we see it as a significant problem. What is your take on adding an action input parameter for suppressing this warning?