gh: Add a codeql-build-mode input to CodeQL workflows #314
Pull request overview
Adds a new reusable-workflow input to let callers control CodeQL’s build-mode (e.g., disabling autobuild to support source-only analysis or prevent unintended make runs) without forking the workflows.
Changes:
- Introduces a `codeql-build-mode` `workflow_call` input to `codeql-analysis.yml`, `goCI.yml`, and `code-scan.yml`.
- Wires the new input through workflow layers, mapping `codeql-build-mode` → CodeQL action `build-mode` in `codeql-analysis.yml`.
- Exposes `codeql-build-cmd` / `codeql-build-mode` passthrough on `code-scan.yml` when calling `codeql-analysis.yml`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/goCI.yml | Adds codeql-build-mode input and forwards it to the reusable CodeQL workflow. |
| .github/workflows/codeql-analysis.yml | Adds codeql-build-mode input and passes it to github/codeql-action/init as build-mode. |
| .github/workflows/code-scan.yml | Adds codeql-build-mode (and exposes codeql-build-cmd) and forwards both to codeql-analysis.yml. |
6d6f32f to 6029b0e
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
6029b0e to bf2b42e
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.
This PR adds a `codeql-build-mode` input to `codeql-analysis.yml`, `goCI.yml`, and `code-scan.yml` so callers can pick a CodeQL build mode (e.g. `autobuild`, `manual`, `none`) without forking these workflows.

The default is the empty string, which `codeql-action`'s `getOptionalInput` treats as `undefined` — so existing callers see no behavior change. Callers that want to opt out of `codeql-action`'s autobuild fallback (which detects a `Makefile` and runs `make`, even when `codeql-build-cmd` is set to a no-op) can now pass `codeql-build-mode: 'manual'` and provide their own Go-only build via `codeql-build-cmd: 'go build ./...'`.

The input name keeps the `codeql-` prefix used by the other CodeQL inputs (`codeql-build-cmd`, `codeql-make-bootstrap`); it's mapped to the action's unprefixed `build-mode` input only at the `codeql-analysis.yml` layer.

It also gates the `Build` step so it only runs when the selected mode expects a manual build — i.e. when `codeql-build-mode` is `''` (legacy back-compat) or `'manual'`. For `'autobuild'` and `'none'` the build is handled by `codeql-action` itself, so the manual `CODEQL_BUILD_CMD` would be redundant or conflicting.
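
As an added illustration (not the repository's actual workflow file), the input mapping and the gated `Build` step described above could look like this at the `codeql-analysis.yml` layer. The job layout, action version tags, `languages: go`, and the way `CODEQL_BUILD_CMD` is executed are assumptions.

```yaml
# Sketch of the codeql-analysis.yml layer (assumed layout, not the project's file).
name: codeql-analysis
on:
  workflow_call:
    inputs:
      codeql-build-cmd:
        type: string
        default: ''
      codeql-build-mode:
        # '' keeps the legacy behaviour; otherwise autobuild | manual | none
        type: string
        default: ''

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload CodeQL results
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: go          # assumption: Go-only repository
          # Prefixed workflow input mapped to the action's unprefixed input.
          # An empty string is treated as "not set" by the action.
          build-mode: ${{ inputs.codeql-build-mode }}

      # The manual build runs only for '' (legacy) or 'manual'.
      # For 'autobuild' and 'none' the action handles (or skips) the build itself.
      - name: Build
        if: ${{ inputs.codeql-build-mode == '' || inputs.codeql-build-mode == 'manual' }}
        env:
          # Pass the caller's command through the environment rather than
          # interpolating it into the script text.
          CODEQL_BUILD_CMD: ${{ inputs.codeql-build-cmd }}
        run: bash -c "$CODEQL_BUILD_CMD"

      - uses: github/codeql-action/analyze@v3
```

A caller that wants to keep `make` from running under the scanner would pass `codeql-build-mode: 'manual'` together with `codeql-build-cmd: 'go build ./...'`, so the only build CodeQL traces is the one the caller named.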