Fix CodeQL workflow: correct alert collection bug and improve fork PR handling#249
Merged
knoepfel merged 9 commits into Framework-R-D:main, Jan 13, 2026
Conversation
greenc-FNAL (Contributor) commented Jan 13, 2026
- Fix CodeQL workflow: correct alert collection bug and improve fork PR handling
- Improve error message clarity for missing comment file
- Add blank line after heading
- Improve API handling for alerts
- Really enable PR comments this time
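The "Improve API handling for alerts" item refers to the alert-collection fix in scripts/check_codeql_alerts.py. The following is an added example, not the project's script: it bucket-sorts code scanning alerts by severity while accepting both location shapes the GitHub API can hand back, the flat `most_recent_instance.location` object of the REST API (`path`, `start_line`, `end_line`) and a SARIF-style `physicalLocation` object. The sample alerts are constructed, and `alert_location`, `severity`, `collect_alerts` and `summarize` are assumed names.

```python
"""Collect CodeQL alerts into severity buckets, accepting both location shapes.

Added example, not the project's scripts/check_codeql_alerts.py. Sample alerts
below are constructed; the function names are assumptions. Field names such as
most_recent_instance.location, rule.security_severity_level and rule.severity
are those of the GitHub code scanning alerts API.
"""
from collections import defaultdict


def alert_location(alert):
    """Return (path, start_line, end_line) or None when the alert has no usable
    location. A missing end line falls back to the start line."""
    loc = (alert.get("most_recent_instance") or {}).get("location") or {}
    phys = loc.get("physicalLocation")
    if phys:                                   # SARIF shape
        path = (phys.get("artifactLocation") or {}).get("uri")
        region = phys.get("region") or {}
        start, end = region.get("startLine"), region.get("endLine")
    else:                                      # flat REST shape
        path = loc.get("path")
        start, end = loc.get("start_line"), loc.get("end_line")
    if not path or start is None:
        return None
    return path, int(start), int(end if end is not None else start)


def severity(alert):
    """security_severity_level is only set for security queries; fall back to
    the generic rule severity (error/warning/note) so nothing is lost."""
    rule = alert.get("rule") or {}
    return rule.get("security_severity_level") or rule.get("severity") or "unknown"


def collect_alerts(alerts, states=("open",)):
    """Bucket alerts by severity. Returns (buckets, skipped), where skipped
    counts alerts in a wanted state that had no usable location. The append
    sits in the loop body for every located alert; an append indented into the
    wrong block, as in the bug this PR fixes, silently drops alerts."""
    buckets = defaultdict(list)
    skipped = 0
    for alert in alerts:
        if alert.get("state") not in states:
            continue
        loc = alert_location(alert)
        if loc is None:
            skipped += 1
            continue
        path, start, end = loc
        buckets[severity(alert)].append({
            "number": alert.get("number"),
            "rule": (alert.get("rule") or {}).get("id"),
            "path": path,
            "start_line": start,
            "end_line": end,
        })
    return dict(buckets), skipped


# Constructed sample alerts (not real scan output): one flat-format alert, one
# SARIF-format alert, one already fixed, one with no location at all.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "rule": {"id": "py/sql-injection", "security_severity_level": "high"},
     "most_recent_instance": {"location": {
         "path": "scripts/db.py", "start_line": 42, "end_line": 42}}},
    {"number": 2, "state": "open",
     "rule": {"id": "py/clear-text-logging", "security_severity_level": "medium"},
     "most_recent_instance": {"location": {"physicalLocation": {
         "artifactLocation": {"uri": "scripts/log.py"},
         "region": {"startLine": 7, "endLine": 9}}}}},
    {"number": 3, "state": "fixed",
     "rule": {"id": "py/unused-import", "severity": "note"},
     "most_recent_instance": {"location": {"path": "x.py", "start_line": 1}}},
    {"number": 4, "state": "open",
     "rule": {"id": "py/weak-crypto", "security_severity_level": "high"},
     "most_recent_instance": {"location": {}}},
]


def summarize(alerts=SAMPLE_ALERTS):
    """One line per severity bucket, suitable for a PR comment body."""
    buckets, skipped = collect_alerts(alerts)
    lines = [f"{sev}: {len(items)} alert(s)" for sev, items in sorted(buckets.items())]
    if skipped:
        lines.append(f"{skipped} alert(s) without a location were skipped")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize())
```

Counting skipped alerts separately matters for a gate: an alert that is dropped because its location could not be parsed must not be mistaken for "no findings", which is exactly how the original indentation bug manifested.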
Contributor
Pull request overview
This PR fixes a critical bug in the CodeQL workflow where alerts were not being properly collected, and introduces a new workflow architecture to enable PR comments for fork-based pull requests. The fix addresses an indentation error that caused alerts to be skipped, and adds support for multiple alert location formats from the GitHub API.
Changes:
- Fixed critical indentation bug in `collect_alerts()` that prevented alerts from being added to buckets
- Enhanced alert location parsing to handle both SARIF physicalLocation format and flat API format
- Introduced a new `codeql-comment.yaml` workflow using `workflow_run` trigger to post comments with elevated permissions
- Replaced inline PR comment posting with artifact-based approach in `codeql-analysis.yaml`
- Updated documentation to explain the new fork PR handling workflow
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/check_codeql_alerts.py | Fixed critical bug where alerts were not appended to buckets; added support for flat API location format |
| .github/workflows/codeql-comment.yaml | New privileged workflow for posting PR comments via workflow_run trigger |
| .github/workflows/codeql-analysis.yaml | Refactored to upload PR comment data as artifacts instead of posting comments directly |
| .github/CodeQL-README.md | Added documentation section explaining fork PR handling and alert viewing |
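The overview above describes a `workflow_run` workflow that posts comments with elevated permissions using data the unprivileged PR run uploaded as an artifact. That split is the standard way to comment on fork PRs, but it moves the trust boundary to the artifact: the privileged job runs with the base repository's token, and everything inside the artifact was written by the fork. The following is an added example, not the project's codeql-comment.yaml; the artifact field names (`pr_number`, `head_sha`, `body`), the `MARKER` string and the function names are assumptions, and the event payload and PR list are constructed. It shows the checks a consumer should apply before acting on the artifact: parse it as data only, bind it to the commit the producing run actually built via the server-supplied `workflow_run.head_sha`, and confirm the claimed PR number against PRs whose head is that commit, since for fork PRs `workflow_run.pull_requests` in the event is empty.

```python
"""Validate a PR-comment artifact before a privileged workflow_run job uses it.

Added example, not the project's codeql-comment.yaml. The artifact field names,
MARKER and the function names are assumptions; EVENT, OPEN_PRS and the artifact
bytes below are constructed test inputs.
"""
import json
import re

MAX_BODY = 60_000                        # GitHub caps comment bodies at 65536 chars
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MARKER = "<!-- codeql-alerts-comment -->"  # assumed marker used to find/update our comment


class ArtifactRejected(ValueError):
    """The untrusted artifact failed validation; the job should stop here."""


def parse_artifact(raw):
    """Parse the artifact strictly as data. Never exec/eval it or pass any of
    it through a shell: the fork controls every byte."""
    try:
        meta = json.loads(raw)
    except ValueError as exc:
        raise ArtifactRejected(f"artifact is not JSON: {exc}")
    if not isinstance(meta, dict):
        raise ArtifactRejected("artifact must be a JSON object")
    pr = meta.get("pr_number")
    if isinstance(pr, bool) or not isinstance(pr, int) or pr <= 0:
        raise ArtifactRejected("pr_number must be a positive integer")
    sha = meta.get("head_sha")
    if not isinstance(sha, str) or not SHA_RE.match(sha):
        raise ArtifactRejected("head_sha must be a 40-character lowercase hex sha")
    body = meta.get("body")
    if not isinstance(body, str) or not body.strip():
        raise ArtifactRejected("body must be a non-empty string")
    if len(body) > MAX_BODY:
        raise ArtifactRejected("body too long")
    return {"pr_number": pr, "head_sha": sha, "body": body}


def resolve_pr(meta, event, open_prs):
    """Bind the artifact to a PR using only facts the fork cannot forge.

    event    -- the workflow_run event payload GitHub delivered to this job
    open_prs -- the base repo's open PRs as returned by the REST API
                (GET /repos/{owner}/{repo}/pulls). For fork PRs the event's
                workflow_run.pull_requests list is empty, so the PR must be
                found by head sha instead of trusted from the artifact.
    """
    run = event["workflow_run"]
    if run.get("event") != "pull_request":
        raise ArtifactRejected("producing run was not a pull_request run")
    if meta["head_sha"] != run["head_sha"]:
        raise ArtifactRejected("artifact head_sha does not match the run's head_sha")
    matches = [p["number"] for p in open_prs if p["head"]["sha"] == run["head_sha"]]
    if meta["pr_number"] not in matches:
        raise ArtifactRejected(
            f"pr_number {meta['pr_number']} is not a PR at {run['head_sha'][:7]}")
    return meta["pr_number"]


def comment_payload(meta):
    """JSON body for POST /repos/{owner}/{repo}/issues/{n}/comments. Sending
    the text as a JSON string field means it can only ever be Markdown."""
    return {"body": f"{MARKER}\n{meta['body']}"}


# Constructed inputs (not from this PR page): the run built commit aaaa...,
# PR 249 is at that commit and PR 250 is at a different one.
EVENT = {"workflow_run": {"event": "pull_request", "head_sha": "a" * 40,
                          "head_branch": "fix-codeql", "pull_requests": []}}
OPEN_PRS = [{"number": 249, "head": {"sha": "a" * 40}},
            {"number": 250, "head": {"sha": "b" * 40}}]
GOOD = json.dumps({"pr_number": 249, "head_sha": "a" * 40, "body": "2 alerts"}).encode()
# A forged artifact: same commit, but it asks to comment on somebody else's PR.
FORGED = json.dumps({"pr_number": 250, "head_sha": "a" * 40, "body": "all clear"}).encode()


def decide(raw, event=EVENT, open_prs=OPEN_PRS):
    """Return (pr_number, payload) for a valid artifact, or None if rejected."""
    try:
        meta = parse_artifact(raw)
        pr = resolve_pr(meta, event, open_prs)
    except ArtifactRejected:
        return None
    return pr, comment_payload(meta)


if __name__ == "__main__":
    print("good:", decide(GOOD))
    print("forged:", decide(FORGED))
```

The same logic applies whether the consumer is a script like this or inline `actions/github-script`; what must not happen in the privileged job is checking out or executing anything from the fork's commit, or interpolating artifact contents into a `run:` step.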
Contributor (Author)
@phlexbot python-fix
Contributor
Automatic Python linting fixes pushed (commit e51ef97).
e51ef97 to f1a2efc
… handling
- Fixed critical bug in check_codeql_alerts.py where alerts with valid locations were not being added to results
- Added validation in workflow to handle missing comment_path gracefully
- Enhanced error messages for fork PRs with instructions on viewing alerts
- Updated CodeQL-README.md with comprehensive documentation for viewing alerts from fork PRs
Co-authored-by: greenc-FNAL <2372949+greenc-FNAL@users.noreply.github.com>
Co-authored-by: greenc-FNAL <2372949+greenc-FNAL@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
13f5b5d to 66d86ea
knoepfel approved these changes Jan 13, 2026