
ref not found in this repository

Open ianlewis opened this issue 2 years ago • 13 comments

When running GitHub actions PR checks in the merge queue I get an error message.

Uploading results
  Processing sarif files: ["/home/runner/work/slsa-github-generator/results/go.sarif"]
  Uploading results
  Error: ref 'refs/heads/gh-readonly-queue/main/pr-1804-67d80537cd2bc6f8a811283cdee52752c3aa52a2' not found in this repository

Here is a job run for reference: https://github.com/slsa-framework/slsa-github-generator/actions/runs/4400573949/jobs/7705996656

ianlewis avatar Mar 13 '23 02:03 ianlewis
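The ref the action failed to resolve above has the shape `refs/heads/gh-readonly-queue/<base-branch>/pr-<number>-<sha>`. The following POSIX shell functions, added here as an example and not code from codeql-action or the slsa-github-generator project, recognise such a merge-queue ref and split it into base branch, PR number and head SHA, so a workflow step can tell a merge-queue run apart from an ordinary branch or PR run before it tries to upload results against the ref. The layout is an assumption generalised from the single ref quoted in this issue (a base branch containing slashes, such as `release/1.x`, is handled on that assumption); the sample refs are constructed, the first one being the ref from the error message.

```shell
#!/bin/sh
# Added example, not part of codeql-action. Parse a GitHub merge-queue ref of the
# (assumed) form refs/heads/gh-readonly-queue/<base>/pr-<number>-<sha>.

# is_merge_queue_ref REF -> exit 0 if REF looks like a merge-queue ref, 1 otherwise
is_merge_queue_ref() {
    case "$1" in
        refs/heads/gh-readonly-queue/*/pr-*-*) return 0 ;;
        *) return 1 ;;
    esac
}

# merge_queue_base REF -> base branch the queue targets (e.g. "main")
merge_queue_base() {
    is_merge_queue_ref "$1" || return 1
    rest="${1#refs/heads/gh-readonly-queue/}"   # e.g. main/pr-1804-<sha>
    printf '%s\n' "${rest%/pr-*}"               # strip the trailing /pr-... leaf
}

# merge_queue_pr REF -> pull request number (e.g. "1804")
merge_queue_pr() {
    is_merge_queue_ref "$1" || return 1
    leaf="${1##*/pr-}"                          # e.g. 1804-<sha>
    printf '%s\n' "${leaf%%-*}"                 # up to the first dash
}

# merge_queue_sha REF -> 40-hex commit SHA; fails if the tail is not a full SHA
merge_queue_sha() {
    is_merge_queue_ref "$1" || return 1
    sha="${1##*-}"                              # everything after the last dash
    [ "${#sha}" -eq 40 ] || return 1
    case "$sha" in
        *[!0-9a-f]*) return 1 ;;                # reject anything that is not lowercase hex
    esac
    printf '%s\n' "$sha"
}

# Constructed sample refs: the first is the ref from the error message in this issue,
# the others are made up to show the non-queue and slash-in-branch cases.
MQ_REF='refs/heads/gh-readonly-queue/main/pr-1804-67d80537cd2bc6f8a811283cdee52752c3aa52a2'
MQ_REF_SLASH='refs/heads/gh-readonly-queue/release/1.x/pr-42-0123456789abcdef0123456789abcdef01234567'
PLAIN_REF='refs/heads/main'

# Run with --demo to print a classification of the sample refs.
if [ "${1:-}" = "--demo" ]; then
    for ref in "$MQ_REF" "$MQ_REF_SLASH" "$PLAIN_REF"; do
        if is_merge_queue_ref "$ref"; then
            printf 'merge queue: base=%s pr=%s sha=%s\n' \
                "$(merge_queue_base "$ref")" "$(merge_queue_pr "$ref")" "$(merge_queue_sha "$ref")"
        else
            printf 'not a merge-queue ref: %s\n' "$ref"
        fi
    done
fi
```

In a workflow step the ref to test is `GITHUB_REF`; a step that guards the upload with `is_merge_queue_ref "$GITHUB_REF"` can skip, or log and continue, instead of failing the whole check when the action cannot resolve the temporary queue branch.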

Perhaps related to #1537

ianlewis avatar Mar 13 '23 02:03 ianlewis

That's correct. We are discussing internally how best to support merge queue. Any information that you have about your use-case would be interesting!

rneatherway avatar Mar 15 '23 11:03 rneatherway

> That's correct. We are discussing internally how best to support merge queue. Any information that you have about your use-case would be interesting!

I think our use case is pretty straightforward. We have a (mostly) unmodified CodeQL workflow that we'd like to run and block a merge (via branch protection rules) when there are issues.

ianlewis avatar Mar 16 '23 00:03 ianlewis

Thanks, would you say that your main problem is:

  1. You cannot currently use merge queue and branch protection rules for CodeQL at the same time, which means you cannot have CodeQL as a required check for PRs.
  2. You are concerned about catching additional vulnerabilities in the merge queue runs specifically.

rneatherway avatar Mar 16 '23 10:03 rneatherway

> Thanks, would you say that your main problem is:
>
>   1. You cannot currently use merge queue and branch protection rules for CodeQL at the same time, which means you cannot have CodeQL as a required check for PRs.
>   2. You are concerned about catching additional vulnerabilities in the merge queue runs specifically.

Yeah, we want to make sure that all of our pre-submits run successfully at HEAD before merging. We're a security focused project so we are more strict than most about it.

ianlewis avatar Mar 16 '23 22:03 ianlewis

> Yeah, we want to make sure that all of our pre-submits run successfully at HEAD before merging. We're a security focused project so we are more strict than most about it.

That makes sense :+1:. Were you previously using the "Require branches to be up to date before merging" setting?

rneatherway avatar Mar 20 '23 17:03 rneatherway

Yes, we are currently using that setting right now but it makes updating dependencies really time consuming so we'd like to try to solve it by using the merge queue feature.

ianlewis avatar Mar 23 '23 03:03 ianlewis

Understood, thanks. That particular point of view is useful to know about.

rneatherway avatar Mar 23 '23 09:03 rneatherway