Split CodeQL database generation and analysis phases #521
Merged
castler reviewed Jun 10, 2026
Comment on lines +32 to +35
| push: | ||
| branches: [main] | ||
| pull_request: | ||
| branches: [main] |
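Review bot: removing `push`/`pull_request` here also removes the per-PR and push-to-main runs that the commit message below relies on to keep a Code Scanning baseline on `main`; with a schedule-only trigger the baseline can come only from the nightly upload, and PRs get no CodeQL check at all. Whichever way this goes, the `if: github.event_name != 'schedule'` guard on the quick-analysis job should be revisited at the same time, since with no other trigger that job can never run.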
Contributor
Please remove; we only want to run it on a per-night basis.
| disk-cache: "codeql" | ||
| repository-cache: true | ||
| cache-optimized: true | ||
| cache-save: ${{ github.ref == 'refs/heads/main' }} |
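Review bot: a Bazel disk cache in the create-database job is a correctness problem, not only wasted time: the CodeQL C++ extractor records translation units by intercepting compiler invocations, and any compile action that Bazel serves from `disk-cache`/`cache-optimized` never invokes the compiler, so those files are silently absent from the database. Besides dropping these inputs, pass `--disk_cache=` (an empty value disables it) on the traced `bazel build` so that a cache populated by another job on the same runner cannot leak in; `cache-save` gated on `main` does not help with that.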
Contributor
CodeQL cannot use caches; thus, we should only set up Bazel, without caching.
| bazel run //quality/static_analysis:codeql_lint -- \ | ||
| --phase create-database \ | ||
| --database-path /var/tmp/codeql_databases/codeql_db \ | ||
| --target //score/... |
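Review bot: `--target` here takes a single pattern; if the database is to cover a fixed set of packages instead of all of `//score/...`, make the flag repeatable (argparse `action="append"`) and pass every pattern to the same traced `bazel build`, so that one database at `--database-path` contains all of them; running the create phase once per target would leave only the last database at that path. A wildcard pattern also pulls in test and tool targets, so the narrower set is cheaper to build as well.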
Contributor
We need to run codeql only for two targets:
//score/message_passing
//score/mw/com
Maybe extend it so that multiple targets can be supplied.
Comment on lines +108 to +115
| - name: Setup Bazel | ||
| uses: castler/setup-bazel@cache-optimized | ||
| with: | ||
| bazelisk-cache: true | ||
| disk-cache: "codeql" | ||
| repository-cache: true | ||
| cache-optimized: true | ||
| cache-save: false |
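Review bot: `uses: castler/setup-bazel@cache-optimized` references a personal fork by a mutable branch name; whoever can push to that branch can change what runs with this workflow's token in all three jobs. Pin it to a full commit SHA (keeping the branch name in a trailing comment for readability), or return to the upstream action once the option is available there; the same reference appears in the two analysis jobs and needs the same treatment. The four cache inputs can be dropped here, as this job only needs Bazel to run the lint tool.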
Contributor
No caching needed, only setup bazel please.
Comment on lines +93 to +138
| # ── Phase 2a: Quick analysis (PR / push to main) ──────────────────────── | ||
| analyze-pr: | ||
| if: github.event_name != 'schedule' | ||
| needs: create-codeql-database | ||
| runs-on: ubuntu-24.04 | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Free Disk Space (Ubuntu) | ||
| uses: eclipse-score/more-disk-space@v1 | ||
| with: | ||
| level: 4 | ||
|
|
||
| - name: Setup Bazel | ||
| uses: castler/setup-bazel@cache-optimized | ||
| with: | ||
| bazelisk-cache: true | ||
| disk-cache: "codeql" | ||
| repository-cache: true | ||
| cache-optimized: true | ||
| cache-save: false | ||
|
|
||
| - name: Allow linux-sandbox | ||
| uses: ./actions/unblock_user_namespace_for_linux_sandbox | ||
|
|
||
| - name: Download CodeQL database | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: codeql-database | ||
| path: /var/tmp/codeql_databases/codeql_db | ||
|
|
||
| - name: Run CodeQL analysis (quick — incremental queries) | ||
| run: | | ||
| bazel run //quality/static_analysis:codeql_lint -- \ | ||
| --phase analyze-database \ | ||
| --database-path /var/tmp/codeql_databases/codeql_db \ | ||
| --output-dir /tmp/codeql-results \ | ||
| --output-prefix codeql | ||
|
|
||
| - name: Upload SARIF to GitHub Code Scanning | ||
| uses: github/codeql-action/upload-sarif@v4 | ||
| with: | ||
| sarif_file: /tmp/codeql-results/codeql.sarif | ||
| category: codeql-pr |
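Review bot: `upload-sarif` needs `security-events: write` on `GITHUB_TOKEN`, and no `permissions:` block is visible for this job; for `pull_request` events from forks the token is read-only regardless, so the upload step would fail for external contributors and, with no `continue-on-error`, fail the whole job. Either add the job-level permission and condition the upload on `github.event.pull_request.head.repo.full_name == github.repository`, or accept that fork PRs only produce the database artifact. The `category: codeql-pr` value is shared by the push-to-main and PR uploads, which is what Code Scanning needs to compute new alerts per PR; keep the nightly job on a distinct category so that its fuller result set is not treated as the PR baseline.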
Comment on lines +155 to +162
| - name: Setup Bazel | ||
| uses: castler/setup-bazel@cache-optimized | ||
| with: | ||
| bazelisk-cache: true | ||
| disk-cache: "codeql" | ||
| repository-cache: true | ||
| cache-optimized: true | ||
| cache-save: false |
| bazel run //quality/static_analysis:codeql_lint -- \ | ||
| --phase analyze-database \ | ||
| --database-path /var/tmp/codeql_databases/codeql_db \ | ||
| --query-spec "codeql/misra-cpp-coding-standards@2.52.0" \ |
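Review bot: `--query-spec "codeql/misra-cpp-coding-standards@2.52.0"` hard-codes the query pack and its version in the workflow, so the nightly run would analyze a different rule set from the PR run and the selection lives outside `codeql_lint`; if the intent is the standard suite, drop the flag and let the tool's default apply to both jobs. If a pack spec is kept anywhere, keep it pinned to an exact version as here rather than a floating range, since the pack is fetched from the registry at run time.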
Contributor
Please remove this line, so that we execute the standard in CI.
Run CodeQL via Bazel on all relevant C++ targets (//score/...) on every pull_request and push to main, then upload the resulting SARIF file to GitHub Code Scanning via github/codeql-action/upload-sarif. Without this upload step GitHub has no stored baseline, causing every PR to incorrectly report no new alerts introduced. Refs: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
- separate create and analyze phases in codeql lint flow
- include review fixes and output handling improvements
Contributor (Author)
recheck
castler approved these changes Jun 10, 2026
This PR improves CodeQL performance by splitting the Python flow into two reusable phases:
- Create CodeQL database
- Run CodeQL analysis
With this split, we can reuse one database and run different analysis modes:
- Fast checks for PR feedback
- Full checks for nightly runs
It reduces repeated work, makes CI faster, and keeps SARIF/CSV outputs as before.
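As an added example of the two-phase split the description lists (this is illustration code, not the project's `codeql_lint` tool, which is not shown on this page), the driver below builds and runs the `codeql database create` and `codeql database analyze` command lines. It assumes the `codeql` CLI is on PATH, a C++ Bazel workspace, and that `--spawn_strategy=local` together with an empty `--disk_cache=` is enough for the CodeQL tracer to see every compiler invocation; the target labels come from the review thread, the flag names mirror the workflow above, `--target` is made repeatable as the review asked, and the `--dry-run` switch exists only so the command lines can be inspected offline. CSV output is left out.

```python
"""Two-phase CodeQL driver: an added illustration of the split described in the PR,
not the project's codeql_lint tool.

Assumptions (none of these come from the page):
  * the `codeql` CLI is on PATH when commands are actually executed;
  * the workspace is a C++ Bazel project whose targets are addressed by labels such
    as //score/message_passing/... (label names are taken from the review thread);
  * `--spawn_strategy=local` plus an empty `--disk_cache=` is enough for the CodeQL
    tracer to observe every compiler invocation of the traced build.
"""
from __future__ import annotations

import argparse
import shlex
import subprocess
import sys
from pathlib import Path
from typing import Optional, Sequence

# The C++ extractor only records translation units whose compiler run it intercepts,
# so the traced build must neither serve actions from a cache nor hide them in a sandbox.
TRACED_BUILD_FLAGS = ("--disk_cache=", "--spawn_strategy=local")


def build_command(targets: Sequence[str]) -> str:
    """One `bazel build` line covering every requested target pattern."""
    if not targets:
        raise ValueError("at least one Bazel target pattern is required")
    return shlex.join(["bazel", "build", *TRACED_BUILD_FLAGS, *targets])


def create_database_command(database_path: Path, targets: Sequence[str],
                            source_root: Path = Path(".")) -> list:
    """`codeql database create` for C++: a single database for all targets."""
    return [
        "codeql", "database", "create", str(database_path),
        "--language=cpp",
        f"--source-root={source_root}",
        "--overwrite",  # replace a stale database left at the same path
        f"--command={build_command(targets)}",
    ]


def analyze_database_command(database_path: Path, output_dir: Path, output_prefix: str,
                             query_spec: Optional[str] = None,
                             sarif_category: Optional[str] = None) -> list:
    """`codeql database analyze` writing SARIF; query pack and category are optional."""
    cmd = ["codeql", "database", "analyze", str(database_path)]
    if query_spec:
        cmd.append(query_spec)  # a pinned pack spec; omitted = the language's default suite
    cmd += ["--format=sarif-latest", f"--output={output_dir / (output_prefix + '.sarif')}"]
    if query_spec:
        cmd.append("--download")  # fetch the pack from the registry if it is not present
    if sarif_category:
        cmd.append(f"--sarif-category={sarif_category}")  # must match upload-sarif's category
    return cmd


def parse_args(argv: Sequence[str]) -> argparse.Namespace:
    p = argparse.ArgumentParser(description="two-phase CodeQL driver (example)")
    p.add_argument("--phase", choices=("create-database", "analyze-database"), required=True)
    p.add_argument("--database-path", type=Path, required=True)
    p.add_argument("--target", action="append", help="Bazel target pattern; repeatable")
    p.add_argument("--output-dir", type=Path, default=Path("/tmp/codeql-results"))
    p.add_argument("--output-prefix", default="codeql")
    p.add_argument("--query-spec", help="query pack spec, e.g. codeql/cpp-queries@1.0.0")
    p.add_argument("--sarif-category", help="SARIF category, e.g. codeql-pr")
    p.add_argument("--dry-run", action="store_true", help="print the command instead of running it")
    return p.parse_args(argv)


def run_phase(args: argparse.Namespace) -> list:
    """Build the command for the requested phase, run it unless --dry-run, and return it."""
    if args.phase == "create-database":
        cmd = create_database_command(args.database_path, args.target or [])
    else:
        cmd = analyze_database_command(args.database_path, args.output_dir, args.output_prefix,
                                       args.query_spec, args.sarif_category)
        if not args.dry_run:
            args.output_dir.mkdir(parents=True, exist_ok=True)
    if not args.dry_run:
        subprocess.run(cmd, check=True)  # raises CalledProcessError on a non-zero exit
    return cmd


if __name__ == "__main__":
    print(shlex.join(run_phase(parse_args(sys.argv[1:]))))
```

Run as `python driver.py --phase create-database --database-path /var/tmp/codeql_databases/codeql_db --target //score/message_passing/... --target //score/mw/com/...` on the build runner, then `--phase analyze-database` in each analysis job against the downloaded database, with `--sarif-category` set to the same value the job passes to `upload-sarif`. Both target patterns go into one traced `bazel build`, so a single database covers them.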