rusackas opened a new pull request, #40724:
URL: https://github.com/apache/superset/pull/40724
### SUMMARY
CodeQL gated only its final `Perform CodeQL Analysis` step on the change-detector. On a docs-only PR that meant both language runners (`python`, `javascript`) still spun up, checked out, ran the detector, and ran `Initialize CodeQL` before skipping the actual analysis.
This moves the gate to the **job level** using the shared lead-`changes`-job pattern (same as #40718 / #40723), so the analysis runners don't start at all when no code changed:
```yaml
analyze:
  needs: changes
  if: needs.changes.outputs.python == 'true' || needs.changes.outputs.frontend == 'true'
```
**Why job-level skip instead of `paths-ignore`:** a skipped *required* check is treated as passing by branch protection, whereas a `paths-ignore`d workflow never reports its check at all, which would **deadlock merges** if CodeQL is a required check. Push and scheduled (nightly) runs are unaffected: the detector returns "all changed" for non-PR events, so full security coverage is preserved.
### TESTING INSTRUCTIONS
- Code PR: confirm `Analyze (python)` / `Analyze (javascript)` run as before.
- Docs-only PR: confirm both are **skipped** (no CodeQL runners spin up).
- Confirm the nightly schedule and push-to-master still run the full analysis.
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
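A complete workflow wired the way the PR description above explains, as an added example (not the PR's own workflow file or the project's code): a cheap lead `changes` job with an inline detector that reports everything changed on non-PR events, and an `analyze` matrix job gated at the job level on that job's outputs. The path patterns, action versions, branch name and cron schedule are assumptions for illustration.

```yaml
name: CodeQL

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
    # Deliberately no paths-ignore here: a workflow filtered out by paths-ignore
    # never reports its check, so a required "Analyze (python)" check would
    # block the merge forever. The job-level `if` below skips instead, which
    # branch protection treats as passing.
  schedule:
    - cron: "0 3 * * *"  # assumed nightly schedule

permissions:
  contents: read
  security-events: write  # needed to upload CodeQL results

jobs:
  # Lead job: decides which areas changed. Runs on a plain runner, no CodeQL.
  changes:
    runs-on: ubuntu-latest
    outputs:
      python: ${{ steps.detect.outputs.python }}
      frontend: ${{ steps.detect.outputs.frontend }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the PR base SHA is reachable
      - id: detect
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          # Non-PR events (push, schedule, workflow_dispatch): report everything
          # as changed so full analysis still runs on master and nightly.
          if [ "$EVENT_NAME" != "pull_request" ]; then
            echo "python=true" >> "$GITHUB_OUTPUT"
            echo "frontend=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          files=$(git diff --name-only "$BASE_SHA"...HEAD)
          python=false
          frontend=false
          # Assumed path layout; adjust the patterns to the repository.
          if echo "$files" | grep -Eq '\.py$|^requirements/'; then python=true; fi
          if echo "$files" | grep -Eq '^superset-frontend/'; then frontend=true; fi
          echo "python=$python" >> "$GITHUB_OUTPUT"
          echo "frontend=$frontend" >> "$GITHUB_OUTPUT"

  analyze:
    name: Analyze (${{ matrix.language }})
    needs: changes
    # Job-level gate: on a docs-only PR neither output is 'true', the job is
    # skipped before any runner starts, and the required check shows as
    # skipped (satisfied) rather than missing.
    if: needs.changes.outputs.python == 'true' || needs.changes.outputs.frontend == 'true'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [python, javascript]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Two things to verify when adopting this: the required-check names in branch protection must match the rendered job names (`Analyze (python)`, `Analyze (javascript)`), and because the `if` sits on the matrix job as a whole, a frontend-only PR still runs the python analyzer. Splitting `analyze` into one job per language, each gated on only its own output, tightens that at the cost of duplicating the step list.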