
Runs a standalone action along with a configured one #552

Open
akshatgarg12 opened this issue Jun 7, 2021 · 6 comments

Comments

@akshatgarg12

akshatgarg12 commented Jun 7, 2021

I have a PR workflow file in my .github/workflow.
Whenever a PR is created, a CodeQL action is run from this config, but an additional standalone CodeQL action is also created, which fails with a warning:

name: PR Workflow
on:
  pull_request:
    branches:
      - '**'

jobs:
  # few other actions here
  CodeQL:
    name: Analyse code with codeQL
    runs-on: ubuntu-latest
    needs: Continuous-Integration
    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript' ]
    steps:
       - name: Checkout repository
         uses: actions/checkout@v2

       - name: Initialize CodeQL
         uses: github/codeql-action/init@v1
         with:
          languages: ${{ matrix.language }}

       - name: Autobuild
         uses: github/codeql-action/autobuild@v1

       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v1

Error (screenshot, 2021-06-07)
Workflow example (screenshot, 2021-06-06)

What changes do I need to make to stop the last action from running, which remains unresolved with the above warning?

@adityasharad
Contributor

The check status labelled Code scanning results / CodeQL is not a second Actions run, but is created by the GitHub code scanning service whenever it processes an analysis for your PR. This is by design: it contains a summary of the code scanning alerts for the PR. See https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests for more information.

By default this check status is informational and non-blocking, unless there are error-severity alerts and you've created branch protection rules that require the check. (The severity threshold is customisable, according to the docs linked above.)

@adityasharad
Contributor

adityasharad commented Jun 7, 2021

The warning about the base branch not being found is because your CodeQL analysis workflow has not run on the target branch of the PR (in this case, develop), so Code Scanning cannot perform a comparison to find out which alerts were fixed/introduced by the PR. Again this is not blocking, but if you set up the same workflow to run on your develop branch, then that should make the warning go away.

For example:

on:
  push:
    branches:
      - develop
  pull_request:
    branches:
      - develop

@akshatgarg12
Author

@adityasharad Hey, thanks for the help man.
Is there a way to run the CodeQL analysis on the target branch of the PR in all cases?
Like here I have specified it to run on all branches at the top level of my yaml file:

on:
  pull_request:
    branches:
      - '**'

@adityasharad
Contributor

Depends what you are trying to achieve. Do you have PRs against all possible branches of your project? And are your PRs usually from branches of the same repository, or from forks?

Could you narrow down the set of likely PR target branches? Then you could try something like:

on:
  push:
    branches:
      - main
      - other-possible-target-branch
      - ...
  pull_request:
    branches:
      - main
      - other-possible-target-branch
      - ...

For completeness, I should point out that you can technically do the following to run on every single push and PR from/to any branch, but personally I wouldn't recommend it. Using pull_request events rather than push events for PR branches allows the PR merge commit to be analysed (rather than the base branch) and enables Code Scanning to compute an accurate comparison of the alerts fixed/introduced.

# Possible but not recommended
on:
  push:
    branches:
      - '**'
      - ...
  pull_request:
    branches:
      - '**'

@adityasharad
Contributor

You can also do:

on:
  push:
    branches:
      - main
      - other-possible-target-branch
      - ... # more branches here, but not all branches
  pull_request:  # no branches filter

This will analyse any PR. But you'll get the best results, without the "analysis not found" warning you asked about earlier, for the PRs whose base branch is analysed by the push events. Hope this helps!
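The rule spelled out in the last two replies (a PR only gets an alert comparison when its base branch is also analysed on push) can be checked before the warning shows up. The script below is an added example, not code from this thread or from the codeql-action project: it takes a workflow's `on:` block as a Python dict (`WORKFLOW_ON`, constructed to mirror the "push on a few branches, unfiltered pull_request" suggestion above) plus a constructed branch list, applies GitHub's `branches` filter semantics (`**` spans `/`, `*` and `?` do not, `!pattern` un-selects in order), and reports the branches that can be a PR base but never get a push analysis. `branches-ignore` filters are not handled.

```python
import re
from typing import Dict, List, Optional

# Constructed `on:` block: push covers a known set of target branches, pull_request is unfiltered.
WORKFLOW_ON = {
    "push": {"branches": ["main", "release/*", "!release/*-rc"]},
    "pull_request": {},
}

# Constructed branch list, standing in for the repository's real branches.
REPO_BRANCHES = ["main", "develop", "feature/login", "release/1.2", "release/2.0-rc"]


def glob_to_regex(pattern: str) -> "re.Pattern":
    """Translate a GitHub branch filter glob into an anchored regex."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2          # '**' matches across '/'
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1       # '*' stops at '/'
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(f"^{out}$")


def branch_matches(branch: str, filters: Optional[List[str]]) -> bool:
    """Evaluate filters in order; a later '!pattern' match un-selects the branch.
    A missing `branches` key (None) means the event fires for every branch."""
    if filters is None:
        return True
    selected = False
    for pat in filters:
        if glob_to_regex(pat.lstrip("!")).match(branch):
            selected = not pat.startswith("!")
    return selected


def pr_targets_without_baseline(on_block: Dict, branches: List[str]) -> List[str]:
    """Branches that can be a PR base (match pull_request) but are never analysed on push,
    so code scanning has no baseline and emits the 'analysis not found' warning."""
    if "pull_request" not in on_block:
        return []
    pr_filter = (on_block["pull_request"] or {}).get("branches")
    # No `push` trigger at all: nothing is ever analysed on push (empty filter list).
    push_filter = (on_block["push"] or {}).get("branches") if "push" in on_block else []
    return [b for b in branches
            if branch_matches(b, pr_filter) and not branch_matches(b, push_filter)]


if __name__ == "__main__":
    for b in pr_targets_without_baseline(WORKFLOW_ON, REPO_BRANCHES):
        print(f"PRs into '{b}' will carry the base-branch warning: add it to push.branches")
```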

@akshatgarg12
Author

Thanks this was really helpful.
