Skip to content

fix(ci): support CodeQL comments on fork PRs#234

Open
cr7258 wants to merge 4 commits into
NVIDIA:mainfrom
cr7258:agent/skip-codeql-comments-for-forks
Open

fix(ci): support CodeQL comments on fork PRs#234
cr7258 wants to merge 4 commits into
NVIDIA:mainfrom
cr7258:agent/skip-codeql-comments-for-forks

Conversation

@cr7258

@cr7258 cr7258 commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

TL;DR

CodeQL scans on fork pull requests complete successfully, but posting the summary comment fails because fork workflows receive a read-only GITHUB_TOKEN. This change keeps fork PR workflows read-only and uses a separate workflow_run workflow with permission to post the CodeQL summary.

Additional Details

The NVCF CodeQL workflow invokes a reusable composite action from NVIDIA/dsx-github-actions to initialize CodeQL, run analysis, upload SARIF, optionally post a PR comment, and enforce the configured quality gate. Fork pull requests receive a read-only GITHUB_TOKEN, so analysis and SARIF upload succeed, but the action fails when it attempts to post its PR comment:

GraphQL: Resource not accessible by integration (addComment)

For example, in the NVIDIA/nvcf#233 CodeQL workflow run, both the Rust and Go jobs completed analysis and found their SARIF files, then failed at the PR comment step with this error.

This change separates fork scanning from commenting:

  • Same-repository pull requests continue to use post-pr-comment in the NVIDIA/dsx-github-actions CodeQL composite action.
  • Fork pull requests upload the Go and Rust SARIF files as one-day workflow artifacts.
  • A companion workflow_run workflow runs in the base repository context, downloads both artifacts, aggregates their results, and creates or updates one CodeQL comment.
  • The fork comment follows the existing CodeQL composite action comment format.

Issues

NO-REF

Checklist

  • I am familiar with the Contributing Guidelines.
  • I have signed off my commits for Developer Certificate of Origin (DCO) compliance.
  • New or existing tests cover these changes.
  • The documentation is up to date with these changes.

Summary by CodeRabbit

  • New Features
    • Added automated CodeQL scan summary comments on pull requests, including severity counts and a short “Top Issues” list.
    • Scan comments are now kept up to date by creating or updating an existing comment marker.
    • Improved support for fork-based pull requests by uploading scan results and using PR metadata to publish summaries only when applicable.
  • Chores
    • Added a dedicated follow-up workflow that generates and posts the CodeQL report after the scan completes.
    • Updated the CodeQL workflow to conditionally enable PR commenting and to upload fork-specific artifacts only when needed.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e941ae97-43e8-4abc-af70-ae11b155fdc9

📥 Commits

Reviewing files that changed from the base of the PR and between bd3a757 and 3d0cff5.

📒 Files selected for processing (1)
  • .github/workflows/codeql-comment.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/codeql-comment.yml

📝 Walkthrough

Walkthrough

The CodeQL workflows distinguish same-repository and fork pull requests. Fork results and Go metadata are uploaded as artifacts, then a follow-up workflow validates the pull request, summarizes SARIF findings, and creates or updates a marked comment.

Changes

CodeQL pull request comments

Layer / File(s) Summary
Conditional CodeQL result delivery
.github/workflows/codeql.yml
Same-repository pull requests retain direct CodeQL commenting, while fork pull requests upload SARIF results and Go pull request metadata with short retention.
SARIF parsing and PR comment updates
.github/workflows/codeql-comment.yml
The completed-workflow handler validates the matching pull request, downloads SARIF artifacts, aggregates severity counts, formats up to five top issues, and creates or updates a marker-based comment.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant CodeQL
  participant ArtifactStore
  participant CodeQLComment
  participant GitHubPR
  CodeQL->>ArtifactStore: Upload SARIF results and Go PR metadata for fork PRs
  ArtifactStore->>CodeQLComment: Provide completed workflow artifacts
  CodeQLComment->>GitHubPR: Validate matching pull request
  CodeQLComment->>CodeQLComment: Aggregate findings and build report
  CodeQLComment->>GitHubPR: Create or update marked comment
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: enabling CodeQL comments for fork PRs in CI.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

Upload fork PR SARIF results from the read-only CodeQL workflow, then post or update the result comment from a privileged workflow_run job that never executes fork code.

Signed-off-by: Seven Cheng <sevenc@nvidia.com>
@cr7258
cr7258 force-pushed the agent/skip-codeql-comments-for-forks branch from f3936d5 to 17c78b5 Compare July 17, 2026 10:23
@cr7258 cr7258 changed the title fix(ci): skip CodeQL comments on fork PRs fix(ci): support CodeQL comments on fork PRs Jul 17, 2026
@cr7258
cr7258 force-pushed the agent/skip-codeql-comments-for-forks branch 5 times, most recently from b69606c to c21881b Compare July 17, 2026 14:36
Signed-off-by: Seven Cheng <sevenc@nvidia.com>
@cr7258
cr7258 force-pushed the agent/skip-codeql-comments-for-forks branch from c21881b to 8a0fdaf Compare July 17, 2026 14:41
@cr7258
cr7258 marked this pull request as ready for review July 17, 2026 15:09
@cr7258
cr7258 requested a review from a team as a code owner July 17, 2026 15:09

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql-comment.yml:
- Around line 33-35: Update the codeql-comment workflow to receive the
originating PR number from codeql.yml or trusted workflow-run metadata, validate
it matches the head repository and commit SHA, and use that PR number for both
concurrency.group and pull-request comment lookup. Replace the current
github.event.workflow_run.head_repository.full_name plus head_branch key and
/pulls?head=... selection while preserving cancellation behavior.

In @.github/workflows/codeql.yml:
- Around line 77-85: Update the fork PR artifact step associated with “Upload
CodeQL results for fork PR comment” to upload only the scanner-produced SARIF
file rather than the broad results/*.sarif glob. Use the exact CodeQL output
path, or first copy that file into a clean temporary directory and upload from
there, while preserving the existing artifact naming and retention settings.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2e1aca64-2890-48ee-aef5-8bf1235a3a72

📥 Commits

Reviewing files that changed from the base of the PR and between ed2f0bd and 8a0fdaf.

📒 Files selected for processing (2)
  • .github/workflows/codeql-comment.yml
  • .github/workflows/codeql.yml

Comment thread .github/workflows/codeql-comment.yml Outdated
Comment thread .github/workflows/codeql.yml
cr7258 added 2 commits July 17, 2026 23:21
Signed-off-by: Seven Cheng <sevenc@nvidia.com>
Signed-off-by: Seven Cheng <sevenc@nvidia.com>

@balajinvda balajinvda left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice - this is the right shape for fork-PR commenting. The workflow_run job takes only actions: read + pull-requests: write, never checks out fork code, validates the PR number and cross-matches the artifact metadata against head_repository/ref/sha, and SHA-pins the artifact actions. I also confirmed the two things that would silently no-op it: name: codeql matches the workflow_run.workflows: ["codeql"] trigger, and both matrix languages always run so the Go-only codeql-pr-metadata upload is always produced.

One thing worth fixing before merge:

Markdown indentation will render the comment as a code block. The REPORT heredoc lines (## CodeQL Analysis, the severity list, <details>, etc.) carry the ~10 leading spaces from the YAML run: block, so $REPORT contains literally-indented lines. GitHub renders 4+ space-indented lines as an indented code block, so the posted comment shows as a raw block instead of a formatted report with headings/lists. The same-repository path avoids this because the shared composite action builds the body without that indentation.

Fix: build the report flush-left, or strip the indentation before posting, e.g.:

REPORT=$(printf '%s\n' "$REPORT" | sed 's/^ \{1,\}//')

(careful not to strip the leading spaces inside the - list items you want to keep as list markers).

Minor/optional: if-no-files-found: error on the results upload hard-fails the comment path if a language's SARIF is ever missing. Reasonable to keep, just flagging the strictness.

Approve once the comment renders correctly.

@cr7258

cr7258 commented Jul 18, 2026

Copy link
Copy Markdown
Contributor Author

@balajinvda Thanks for flagging this. YAML strips the leading spaces when it parses the run: | block. Bash therefore receives the Markdown lines in REPORT at column 0, so no additional processing with sed is needed.

I verified the exact committed workflow with:

ruby -ryaml -e '
workflow = YAML.load_file(".github/workflows/codeql-comment.yml")
run = workflow["jobs"]["comment"]["steps"].find {
  |step| step["name"] == "Post or update CodeQL results comment"
}["run"]

run.each_line.grep(
  /^(##|✅|🚨|\*\*Severity|- 🔴|- 🟡|- 🔵|<details>|<summary>|<\/details>)/
).each do |line|
  puts "leading_spaces=#{line[/\A */].length} | #{line.chomp}"
end
'

The parsed output is:

leading_spaces=0 | ## 🛡️ CodeQL Analysis
leading_spaces=0 | ✅ No security issues found!
leading_spaces=0 | 🚨 Found **${TOTAL_ISSUES}** issue(s)
leading_spaces=0 | **Severity Breakdown:**
leading_spaces=0 | - 🔴 Errors: ${ERRORS}
leading_spaces=0 | - 🟡 Warnings: ${WARNINGS}
leading_spaces=0 | - 🔵 Notes: ${NOTES}
leading_spaces=0 | <details>
leading_spaces=0 | <summary>📋 Top Issues</summary>
leading_spaces=0 | </details>

Therefore, the Markdown body is already flush-left when Bash receives it and will not be rendered as an indented code block. The proposed sed is unnecessary, so no change is needed for this finding.

@cr7258
cr7258 requested a review from balajinvda July 18, 2026 01:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants