mirror of
https://github.com/QwenLM/qwen-code.git
synced 2026-07-10 01:29:17 +00:00
After #5842, CodeQL and the E2E suite were the only things running on every push to `main` — the per-commit, post-merge backstop. With merges landing back-to-back, those runs (CodeQL ~30min, three E2E jobs ~25/36/36min, the latter never cancel-superseded) stacked on the scarce hosted Linux pool and were a main driver of the recent runner-saturation incident. - CodeQL moves to its own scheduled codeql.yml (nightly + workflow_dispatch). It was never a required check and findings still surface in the Security tab, so per-commit scanning bought little. ci.yml loses its now-empty `push` trigger as a result (every remaining job is gated to pull_request / merge_group). - E2E gets event-scoped concurrency so back-to-back pushes to `main` cancel superseded runs (only the latest tree matters and it covers every merged change), plus a nightly full regression as the guaranteed signal in case a busy merge window keeps cancelling the push run. Manual workflow_dispatch added. The merge_group gate (ubuntu + integration + mac + win) still validates every PR before it lands; this only changes the non-gating post-merge work. Follow-up (separate PR): alert on E2E/CodeQL failure (a deduped ci-failure issue) now that they run unattended.
41 lines
1.4 KiB
YAML
41 lines
1.4 KiB
YAML
name: 'CodeQL'
|
|
|
|
# CodeQL used to be a per-push job in ci.yml. Security findings rarely change
|
|
# commit-to-commit and the scan is non-blocking (never a required check), so
|
|
# running it on every merge to `main` just piled onto the scarce hosted Linux
|
|
# pool. Run it on a nightly schedule (plus manual dispatch) instead; findings
|
|
# still surface in the Security tab. If fresher results are wanted, add a
|
|
# path-filtered `push` trigger for security-relevant sources.
|
|
on:
|
|
schedule:
|
|
- cron: '0 3 * * *' # nightly (~03:00 UTC), staggered from the E2E nightly
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
actions: 'read'
|
|
contents: 'read'
|
|
security-events: 'write'
|
|
|
|
concurrency:
|
|
group: 'codeql'
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
codeql:
|
|
name: 'CodeQL'
|
|
runs-on: 'ubuntu-latest'
|
|
# Analysis normally finishes in ~7-9 min (22 min worst case observed). Cap it
|
|
# so a runner that drops its heartbeat mid-analysis can't hold a slot for the
|
|
# default 6h.
|
|
timeout-minutes: 30
|
|
steps:
|
|
- name: 'Checkout'
|
|
uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
|
|
|
|
- name: 'Initialize CodeQL'
|
|
uses: 'github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2' # ratchet:github/codeql-action/init@v3
|
|
with:
|
|
languages: 'javascript'
|
|
|
|
- name: 'Perform CodeQL Analysis'
|
|
uses: 'github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2' # ratchet:github/codeql-action/analyze@v3
|