Codeql: enable PR check (#101392)

* Enable running a CodeQL check whenever someone opens a PR (for Go code) * Fetch main in the GHA so CodeQL can properly compare code changes * Try to fetch more of main to see if CodeQL can compare changes * Also trigger on push * Rename GHA * Use only one workflow for all languages that runs on each puch hook * Rename GHA * Removing owner from deleted GHA * Temporarily mark this GHA as not required for a PR to get merged * Always run the workflow * Mark action as non blocking
2 months ago · feed071815
parent d7771f7d21
commit feed071815
3 changed files with 3 additions and 56 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -791,7 +791,6 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/metrics-collector.yml @torkelo
 /.github/workflows/milestone.yml @tolzhabayev
 /.github/workflows/pr-checks.yml @tolzhabayev
-/.github/workflows/pr-codeql-analysis-go.yml @DanCech
 /.github/workflows/pr-codeql-analysis-javascript.yml @DanCech
 /.github/workflows/pr-codeql-analysis-python.yml @DanCech
 /.github/workflows/pr-commands.yml @tolzhabayev
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -3,12 +3,12 @@
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
-name: "CodeQL"
+name: "CodeQL checks"

 on:
  workflow_dispatch:
  push:
-    branches: [main, v*.*.*]
+    branches: ['**'] # run on all branches
    paths-ignore:
      - '**/*.cue'
      - '**/*.json'
@ -25,6 +25,7 @@ jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
+    continue-on-error: true # doesn't block PRs from being merged if this fails
    if: github.repository == 'grafana/grafana'

    strategy:
--- a/.github/workflows/pr-codeql-analysis-go.yml
+++ b/.github/workflows/pr-codeql-analysis-go.yml
@ -1,53 +0,0 @@
-name: "CodeQL for PR / go"
-
-on:
-  workflow_dispatch:
-  pull_request:
-    branches: [main]
-    paths:
-      - '**/*.go'
-
-permissions:
-  security-events: write
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    if: github.repository == 'grafana/grafana'
-
-    steps:
-    - name: "Generate token"
-      id: generate_token
-      continue-on-error: true
-      uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-      with:
-        app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-        private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-
-    - name: Checkout repository
-      uses: actions/checkout@v4
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
-        token: ${{ steps.generate_token.outputs.token }}
-
-    - name: Set go version
-      uses: actions/setup-go@v4
-      with:
-        go-version-file: go.mod
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
-      with:
-        languages: "go"
-
-    - name: Build go files
-      run: |
-        go mod verify
-        make build-go
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3