fix(ci): support CodeQL comments on fork PRs#234
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThe CodeQL workflows distinguish same-repository and fork pull requests. Fork results and Go metadata are uploaded as artifacts, then a follow-up workflow validates the pull request, summarizes SARIF findings, and creates or updates a marked comment. ChangesCodeQL pull request comments
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant CodeQL
participant ArtifactStore
participant CodeQLComment
participant GitHubPR
CodeQL->>ArtifactStore: Upload SARIF results and Go PR metadata for fork PRs
ArtifactStore->>CodeQLComment: Provide completed workflow artifacts
CodeQLComment->>GitHubPR: Validate matching pull request
CodeQLComment->>CodeQLComment: Aggregate findings and build report
CodeQLComment->>GitHubPR: Create or update marked comment
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Upload fork PR SARIF results from the read-only CodeQL workflow, then post or update the result comment from a privileged workflow_run job that never executes fork code. Signed-off-by: Seven Cheng <sevenc@nvidia.com>
f3936d5 to
17c78b5
Compare
b69606c to
c21881b
Compare
Signed-off-by: Seven Cheng <sevenc@nvidia.com>
c21881b to
8a0fdaf
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/codeql-comment.yml:
- Around line 33-35: Update the codeql-comment workflow to receive the
originating PR number from codeql.yml or trusted workflow-run metadata, validate
it matches the head repository and commit SHA, and use that PR number for both
concurrency.group and pull-request comment lookup. Replace the current
github.event.workflow_run.head_repository.full_name plus head_branch key and
/pulls?head=... selection while preserving cancellation behavior.
In @.github/workflows/codeql.yml:
- Around line 77-85: Update the fork PR artifact step associated with “Upload
CodeQL results for fork PR comment” to upload only the scanner-produced SARIF
file rather than the broad results/*.sarif glob. Use the exact CodeQL output
path, or first copy that file into a clean temporary directory and upload from
there, while preserving the existing artifact naming and retention settings.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 2e1aca64-2890-48ee-aef5-8bf1235a3a72
📒 Files selected for processing (2)
.github/workflows/codeql-comment.yml.github/workflows/codeql.yml
Signed-off-by: Seven Cheng <sevenc@nvidia.com>
Signed-off-by: Seven Cheng <sevenc@nvidia.com>
balajinvda
left a comment
There was a problem hiding this comment.
Nice - this is the right shape for fork-PR commenting. The workflow_run job takes only actions: read + pull-requests: write, never checks out fork code, validates the PR number and cross-matches the artifact metadata against head_repository/ref/sha, and SHA-pins the artifact actions. I also confirmed the two things that would silently no-op it: name: codeql matches the workflow_run.workflows: ["codeql"] trigger, and both matrix languages always run so the Go-only codeql-pr-metadata upload is always produced.
One thing worth fixing before merge:
Markdown indentation will render the comment as a code block. The REPORT heredoc lines (## CodeQL Analysis, the severity list, <details>, etc.) carry the ~10 leading spaces from the YAML run: block, so $REPORT contains literally-indented lines. GitHub renders 4+ space-indented lines as an indented code block, so the posted comment shows as a raw block instead of a formatted report with headings/lists. The same-repository path avoids this because the shared composite action builds the body without that indentation.
Fix: build the report flush-left, or strip the indentation before posting, e.g.:
REPORT=$(printf '%s\n' "$REPORT" | sed 's/^ \{1,\}//')(careful not to strip the leading spaces inside the - list items you want to keep as list markers).
Minor/optional: if-no-files-found: error on the results upload hard-fails the comment path if a language's SARIF is ever missing. Reasonable to keep, just flagging the strictness.
Approve once the comment renders correctly.
|
@balajinvda Thanks for flagging this. YAML strips the leading spaces when it parses the I verified the exact committed workflow with: ruby -ryaml -e '
workflow = YAML.load_file(".github/workflows/codeql-comment.yml")
run = workflow["jobs"]["comment"]["steps"].find {
|step| step["name"] == "Post or update CodeQL results comment"
}["run"]
run.each_line.grep(
/^(##|✅|🚨|\*\*Severity|- 🔴|- 🟡|- 🔵|<details>|<summary>|<\/details>)/
).each do |line|
puts "leading_spaces=#{line[/\A */].length} | #{line.chomp}"
end
'The parsed output is: Therefore, the Markdown body is already flush-left when Bash receives it and will not be rendered as an indented code block. The proposed |
TL;DR
CodeQL scans on fork pull requests complete successfully, but posting the summary comment fails because fork workflows receive a read-only
GITHUB_TOKEN. This change keeps fork PR workflows read-only and uses a separate workflow_run workflow with permission to post the CodeQL summary.Additional Details
The NVCF CodeQL workflow invokes a reusable composite action from
NVIDIA/dsx-github-actionsto initialize CodeQL, run analysis, upload SARIF, optionally post a PR comment, and enforce the configured quality gate. Fork pull requests receive a read-onlyGITHUB_TOKEN, so analysis and SARIF upload succeed, but the action fails when it attempts to post its PR comment:For example, in the NVIDIA/nvcf#233 CodeQL workflow run, both the Rust and Go jobs completed analysis and found their SARIF files, then failed at the PR comment step with this error.
This change separates fork scanning from commenting:
post-pr-commentin theNVIDIA/dsx-github-actionsCodeQL composite action.workflow_runworkflow runs in the base repository context, downloads both artifacts, aggregates their results, and creates or updates one CodeQL comment.Issues
NO-REF
Checklist
Summary by CodeRabbit