Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-17 10:15:27 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix(ci): avoid duplicate CodeQL setup (#4297)

Browse Source
This commit is contained in:
RaresKeY
2026-06-15 18:39:13 +03:00
committed by GitHub
parent 7fd937fa57
commit d38e2cbc07
1 changed files with 14 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/security-ci.md
+14 -9
View File
@@ -1,14 +1,16 @@
# Security CI guide # Security CI guide
This project runs a set of automated security checks on every pull request and This project runs a set of automated security checks on pull requests and
on every push to `main`. This page explains what each one does, whether it can selected branch pushes. This page explains what each one does, whether it can
block a merge, and the few one-time settings you should turn on to get the full block a merge, and the few one-time settings you should turn on to get the full
benefit. benefit.
## What runs, and why ## What runs, and why
Each check lives in its own file under `.github/workflows/`. They run Most checks live in files under `.github/workflows/`. CodeQL is configured
automatically; you do not start them. through GitHub's code scanning default setup, so it appears as a dynamic GitHub
workflow instead of a checked-in workflow file. They run automatically; you do
not start them.
| Check | What it protects against | Blocks a merge? | | Check | What it protects against | Blocks a merge? |
|---|---|---| |---|---|---|
@@ -88,11 +90,14 @@ let the workflows run on one pull request first, then add them here.
2. Turn on **Dependency graph** (usually on by default for public repos) -- this 2. Turn on **Dependency graph** (usually on by default for public repos) -- this
powers Dependency review and Dependabot. powers Dependency review and Dependabot.
3. Turn on **Dependabot alerts** and **Dependabot security updates**. 3. Turn on **Dependabot alerts** and **Dependabot security updates**.
4. Under **Code scanning**, you have two ways to scan the app code with CodeQL: 4. Under **Code scanning**, use **Set up -> Default** for CodeQL. GitHub then
- The included `codeql.yml` workflow already scans `main` and runs weekly. runs CodeQL as a dynamic workflow without the fork-token limitations that
- To also scan **pull requests** (recommended, since most contributions come affect checked-in advanced workflows.
from forks), click **Set up -> Default** under Code scanning. GitHub then
runs CodeQL on pull requests for you, with no token limitations. Do not also add a checked-in CodeQL workflow while default setup is enabled:
GitHub rejects advanced CodeQL uploads when default setup is active. If the
project later needs an advanced CodeQL workflow, disable default setup first
and keep only one CodeQL publishing path active.
## Keeping it current ## Keeping it current