Create codeql-analysis.yml #38
base: main
Codecov Report
@@ Coverage Diff @@
## main #38 +/- ##
=======================================
Coverage 25.25% 25.25%
=======================================
Files 17 17
Lines 1275 1275
Branches 691 691
=======================================
Hits 322 322
Misses 495 495
Partials 458 458
Flags with carried forward coverage won't be shown.
NOTE: Background and how to use this feature with ROS: https://discourse.ros.org/t/github-code-scanning-for-ros-repos/16084
| @@ -0,0 +1,2 @@ | |||
| paths-ignore: | |||
| - '**/vendor/*' | |||
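Review bot: this config excludes vendored code from scanning entirely, so a known-vulnerable vendored copy would never raise a code scanning alert; since the thread settles on scanning vendored packages in a separate config, state that intent in a comment above `paths-ignore:` so the exclusion is not read as an oversight. Also check the pattern: CodeQL uses the same glob syntax as workflow path filters, where `*` does not match `/`, so `'**/vendor/*'` covers files directly under a `vendor/` directory but may not cover `vendor/foo/bar.cpp`; `'**/vendor/**'` is the unambiguous form. Finally, confirm the workflow's `init` step passes this file via `config-file:`, otherwise it is never read.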
IMHO: From a security point of view, it might be useful to scan the vendor packages as well. If the scan for vendor packages turns out to be annoying, let's ignore them.
How about testing vendor packages in another workflow?
Ah, that might be a perfect solution!
I also agree with @kmiya san's opinion.
I'd like to see what it means to test in another workflow; does that mean it should be tested in the vendor's repository?
No, I meant to add codeql-vendor-config.yml!
Co-authored-by: Kazuki Miyahara <[email protected]>
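One way to realise the separate vendor scan proposed in this thread, as an added example that is not part of this PR or the repository: a second CodeQL config that covers only the vendored packages, driven by its own scheduled workflow so its findings stay out of the day-to-day PR checks. The file paths (.github/codeql-vendor-config.yml and .github/workflows/codeql-vendor.yml), the language matrix and the cron time are assumptions, not values from the PR.

```yaml
# .github/codeql-vendor-config.yml (assumed path; added example, not the repository's file)
name: "CodeQL vendor config"
# Only the vendored code: the inverse of the main config's paths-ignore.
# '**' after vendor/ so nested subdirectories are included as well.
paths:
  - '**/vendor/**'

---
# .github/workflows/codeql-vendor.yml (assumed path; added example)
name: "CodeQL (vendored packages)"

on:
  schedule:
    # Cron runs in UTC: 23:41 Wednesday UTC is 08:41 Thursday JST.
    # Off the hour on purpose; GitHub recommends that to avoid the
    # top-of-the-hour queueing. Time is assumed, not taken from the PR.
    - cron: '41 23 * * 3'
  workflow_dispatch: {}   # manual run after bumping a vendored package

permissions:
  contents: read
  security-events: write  # needed to upload SARIF results

jobs:
  analyze-vendor:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ 'cpp', 'python' ]   # assumed; use the languages actually vendored
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql-vendor-config.yml

      - uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3
        with:
          # A distinct category keeps these results from overwriting the
          # main workflow's alerts for the same commit and language.
          category: "/language:${{ matrix.language }}/vendor"
```

The `category` input matters as soon as two analyses of the same language upload results for one commit; without it the later upload replaces the earlier one and alerts silently disappear. The manual trigger is there so a vendored package bump can be scanned right away instead of waiting for the weekly run.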
| # The branches below must be a subset of the branches above | ||
| branches: [ main ] | ||
| schedule: | ||
| - cron: '17 23 * * 3' # run at 08:17 AM Thursdays, JST |
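Review bot: the cron expression and its comment agree (GitHub cron is UTC, so `'17 23 * * 3'` is 23:17 Wednesday UTC, which is 08:17 Thursday JST), but the comment should say the time is the template default rather than leaving the odd minute to look arbitrary. If it is changed, keep it off the hour, since GitHub's docs recommend that to avoid the top-of-the-hour queueing, and keep the JST note in sync with the new value. Note also that scheduled runs always use the default branch, so `branches: [ main ]` on the other triggers does not constrain the schedule.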
By the way, why 08:17 AM? 🤔
I don't know why, but it's the time listed in the template 😕
Okay, then let's change it as we like!
What kinds of PR
What is this PR
Add CodeQL analysis for evaluation.
How to check this PR