merlimat opened a new pull request, #25932:
URL: https://github.com/apache/pulsar/pull/25932

### Motivation

The `CodeQL` workflow fails intermittently with:

> CodeQL detected code written in Java/Kotlin but could not process any of it.

(the [no-source-code-seen-during-build](https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build) error). These failures block PRs from merging — e.g. https://github.com/apache/pulsar/actions/runs/26842303893

**Root cause:** CodeQL's traced Java/Kotlin extraction works by observing the compiler (`javac`/`kotlinc`) as the build runs. But the project enables the Gradle build cache (`org.gradle.caching=true`) plus the shared Develocity remote build cache. When the cache is warm, every `compileJava`/`compileKotlin` task is restored `FROM-CACHE` and the compiler never actually executes, so CodeQL extracts zero source and `codeql database finalize` aborts.

This is why the failures are intermittent, and it correlates directly with the Analyze job duration:

| Outcome | Analyze job duration | What happened |
|---|---|---|
| ❌ failure | ~1.5 min | every `compileJava` restored `FROM-CACHE` → compiler never ran → no source seen |
| ✅ success | 8–17 min | cache missed → compilation actually ran → CodeQL traced it |

### Modifications

Switch the CodeQL job to buildless extraction with `build-mode: none`, so CodeQL extracts the source directly and no longer depends on the Gradle build executing:

- Set `build-mode: none` on the `Initialize CodeQL` step.
- Remove the now-unnecessary `Build Java code` (`./gradlew assemble`), `Setup Gradle`, and `Set up JDK` steps (and the orphaned `JDK_DISTRIBUTION` env), leaving the canonical `checkout → init → analyze` flow.

This makes the workflow immune to Gradle build-cache state and faster (no compilation), while remaining within the standard CodeQL security query suite.

### Verifying this change

- [ ] Make sure that the change passes the CI checks.

This change is a trivial rework / code cleanup without any test coverage. The CodeQL workflow runs on `push` to `master` and on schedule; it can also be validated on demand via `workflow_dispatch`.

### Does this pull request potentially affect one of the following parts:

*If the box was checked, please highlight the changes*

- [ ] Dependencies (add or upgrade a dependency)
- [ ] The public API
- [ ] The schema
- [ ] The default values of configurations
- [ ] The threading model
- [ ] The binary protocol
- [ ] The REST endpoints
- [ ] The admin CLI options
- [ ] The metrics
- [ ] Anything that affects deployment
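
The shape of the workflow described above, as an added illustration rather than the PR's actual diff: a CodeQL job for a Gradle Java/Kotlin project in buildless mode, with the traced-mode build steps that the cache hit defeated shown commented out for comparison. The trigger set, step names, JDK version and cron schedule are assumptions; the action names and their inputs are the documented `github/codeql-action` ones.

```yaml
# Added example (not the apache/pulsar workflow): CodeQL buildless extraction
# for a Gradle Java/Kotlin project.
name: CodeQL

on:
  push:
    branches: [master]
  schedule:
    - cron: '0 3 * * 1'     # assumed weekly schedule
  workflow_dispatch:        # allows on-demand validation runs

permissions:
  contents: read
  security-events: write    # required to upload the analysis results

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin
          # Buildless mode: the extractor parses the sources directly instead
          # of tracing javac/kotlinc, so a Gradle cache hit (FROM-CACHE) can
          # no longer leave the CodeQL database empty.
          build-mode: none

      # Steps no longer needed with build-mode: none. In traced mode they were
      # required, and with org.gradle.caching=true a warm cache meant the
      # compiler never ran and CodeQL saw no source (the intermittent failure):
      #
      #   - uses: actions/setup-java@v4
      #     with: { distribution: temurin, java-version: '21' }   # assumed JDK
      #   - uses: gradle/actions/setup-gradle@v3
      #   - name: Build Java code
      #     run: ./gradlew assemble

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

A quick check that the fix took effect is the Analyze job duration noted in the table above: a buildless run does no compilation, so it should be consistently short while still reporting a populated database rather than the "could not process any of it" error.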
   

