qwen-code/.github/workflows/codeql.yml
易良 d851f49135
ci: take CodeQL and E2E off the per-merge push path (#5859)
After #5842, CodeQL and the E2E suite were the only things running on every push to `main` — the per-commit, post-merge backstop. With merges landing back-to-back, those runs (CodeQL ~30min, three E2E jobs ~25/36/36min, the latter never cancel-superseded) stacked on the scarce hosted Linux pool and were a main driver of the recent runner-saturation incident.

- CodeQL moves to its own scheduled codeql.yml (nightly + workflow_dispatch). It was never a required check and findings still surface in the Security tab, so per-commit scanning bought little. ci.yml loses its now-empty `push` trigger as a result (every remaining job is gated to pull_request / merge_group).
- E2E gets event-scoped concurrency so back-to-back pushes to `main` cancel superseded runs (only the latest tree matters and it covers every merged change), plus a nightly full regression as the guaranteed signal in case a busy merge window keeps cancelling the push run. Manual workflow_dispatch added.

The merge_group gate (ubuntu + integration + mac + win) still validates every PR before it lands; this only changes the non-gating post-merge work.

Follow-up (separate PR): alert on E2E/CodeQL failure (a deduped ci-failure issue) now that they run unattended.
2026-06-25 10:50:12 +00:00

41 lines
1.4 KiB
YAML

name: 'CodeQL'
# CodeQL used to be a per-push job in ci.yml. Security findings rarely change
# commit-to-commit and the scan is non-blocking (never a required check), so
# running it on every merge to `main` just piled onto the scarce hosted Linux
# pool. Run it on a nightly schedule (plus manual dispatch) instead; findings
# still surface in the Security tab. If fresher results are wanted, add a
# path-filtered `push` trigger for security-relevant sources.
on:
schedule:
- cron: '0 3 * * *' # nightly (~03:00 UTC), staggered from the E2E nightly
workflow_dispatch:
permissions:
actions: 'read'
contents: 'read'
security-events: 'write'
concurrency:
group: 'codeql'
cancel-in-progress: false
jobs:
codeql:
name: 'CodeQL'
runs-on: 'ubuntu-latest'
# Analysis normally finishes in ~7-9 min (22 min worst case observed). Cap it
# so a runner that drops its heartbeat mid-analysis can't hold a slot for the
# default 6h.
timeout-minutes: 30
steps:
- name: 'Checkout'
uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
- name: 'Initialize CodeQL'
uses: 'github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2' # ratchet:github/codeql-action/init@v3
with:
languages: 'javascript'
- name: 'Perform CodeQL Analysis'
uses: 'github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2' # ratchet:github/codeql-action/analyze@v3