Skip to content

ci(codeql): delegate PR CodeQL to central, keep local push-only (fixes duplicate check contexts)#953

Open
seonghobae wants to merge 1 commit into
developfrom
feat/central-codeql-delegate
Open

ci(codeql): delegate PR CodeQL to central, keep local push-only (fixes duplicate check contexts)#953
seonghobae wants to merge 1 commit into
developfrom
feat/central-codeql-delegate

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Why (user decision: central delegation)

The org CWL Central required workflows ruleset has a code_scanning rule (CodeQL, medium+). The central ContextualWisdomLab/.github codeql-pr.yml already uploads PR-head AND merge-preview SARIF (upload: always) → it fully satisfies the merge gate for this repo's languages (actions/js-ts/python). But the local codeql.yml also ran on pull_request and uploaded the same /language:<lang> category, double-uploading SARIF and duplicating the CodeQL compatibility analysis/merge preview check contexts — which stalled opencode auto-approve. This is the CodeQL merge-blocker.

What

  • codeql.yml: drop the pull_request trigger + the analyze-merge (merge-preview) job → scans only the default branch on push; PR CodeQL + the code_scanning gate are delegated to the central workflow. Default-branch scanning is preserved (central is PR-only).
  • test_release_governance: rewrite the codeql assertion to match push-only delegation.

Verification

Supersedes

Stale #916 (based on the pre-#912 upload: always shape) — will close it.

🤖 Generated with Claude Code

User decision: central delegation. The org 'CWL Central required workflows'
ruleset has a code_scanning rule (CodeQL, medium+), and the central
ContextualWisdomLab/.github codeql-pr.yml already uploads PR-head AND
merge-preview SARIF (upload: always) — so it fully satisfies the merge gate for
this repo's languages (actions/js-ts/python). The local codeql.yml also ran on
pull_request and uploaded the SAME /language:<lang> category, double-uploading
SARIF and duplicating the 'CodeQL compatibility analysis'/'merge preview' check
contexts, which stalled opencode auto-approve.

- codeql.yml: drop the pull_request trigger + the analyze-merge (merge preview)
  job. It now scans only the default branch on push (there is no default-setup),
  and PR CodeQL + the code_scanning gate are owned by the central workflow.
- test_release_governance: rewrite the codeql assertion to match push-only
  delegation (no PR trigger, no merge-preview, still uploads default-branch SARIF).

Verified: the rewritten codeql governance test passes. (The 2 other governance
failures — scorecard/trivy + dependency-review.yml — are the pre-existing
develop-red that #935 fixes; inherited, not from this change.)

Supersedes the stale #916 (based on the pre-#912 upload:always shape).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017RkKdtHRLG4wSLh6PVsp8J
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant