Code scanning doesn't run on pull request in organization repo
Description of the issue
Our repo uses GitHub Actions and JavaScript / TypeScript CodeQL default configuration.
In addition, these workflows are triggered by push and pull request events.
However, code scanning doesn't run on this part1 pull request.
The part2 and part3 pull requests aren't scanned, either.
On the other hand, the part4 pull request got the CodeQL scan result.
Moreover, code scanning works correctly on every push event.
Why doesn't the code scanning run on every pull request?
Hi @Marukome0743 👋🏻
Thanks for reporting this!
I've had a look at your repo, and specifically the list of runs for the CodeQL workflow. There, I can see that there are some CodeQL workflow runs for the first two PRs as well, although not for their most recent commits:
- https://github.com/OpenUp-LabTakizawa/robopo/actions/runs/15502954438 for https://github.com/OpenUp-LabTakizawa/robopo/pull/76
- https://github.com/OpenUp-LabTakizawa/robopo/actions/runs/15502961580 for https://github.com/OpenUp-LabTakizawa/robopo/pull/77
This suggests to me that, in principle, your configuration is correct and should behave as you would expect. I am not immediately sure why the workflow would not have triggered for some commits. It's possible that you may have been affected by a temporary issue with Actions that prevented workflows from running. I would recommend keeping an eye out on whether this issue persists. If not, then it was indeed just a temporary issue. If it does persist, we can investigate further.
Hello @mbg 😀
Thank you for checking the issue and for the nice explanation.
This issue also occurred in another repo of mine (OpenUp-LabTakizawa/caravan-kidstec). See this PR.
It shows "Code scanning is waiting for results from CodeQL for the commits 5c46ac0 or cbaad94.". cbaad94 is the same commit as the PR's. However, 5c46ac0 is an unknown commit and doesn't exist in the OpenUp-LabTakizawa/caravan-kidstec history.
I often use force commits to update the original commit's changes. This overwrites the commit ID (e.g. 098rlw3 was replaced with 5c46ac0). Perhaps this causes CodeQL to keep scanning an unknown commit.
> I would recommend keeping an eye out on whether this issue persists.
The first repo I raised an issue for is too new to have a long history, so the OpenUp-LabTakizawa/caravan-kidstec CodeQL history is useful. You can see that most of the PRs haven't been scanned since last year.
By the way, sorry for merging the part1 ~ part3 PRs. The OpenUp-LabTakizawa/caravan-kidstec PR remains open for investigation.
Hi again @Marukome0743,
Thanks for the extra information. I just noticed that all the PRs you linked to are based on a fork of the repository. Unfortunately, default setup doesn't currently support PRs from forks. The team is aware of this limitation, but I don't know when this may be supported.
In the meantime, if you disable default setup and set up a manual (advanced) workflow for CodeQL, then that would work for PRs from forks of the repository.
Hello @mbg,
> Unfortunately, default setup doesn't currently support PRs from forks.
Uh, I see. Indeed, the PR that Dependabot made was scanned.
However, I have a question. Why did the part4 CodeQL scan succeed? 🤔
The part4 PR was also made from a forked repo. I mean, PRs from forks sometimes work fine.
Anyway, thank you for letting me know about the manual (advanced) setup. 😄 I will try it.
Good question -- I don't have an answer for you. I will follow this up internally with the relevant people to see if they can answer it.