Skip to content

ci(codeql): add main to push.branches to unfreeze default-branch status#4704

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 2 commits into
mainfrom
kakkoyun/fix-codeql-default-branch
May 4, 2026
Merged

ci(codeql): add main to push.branches to unfreeze default-branch status#4704
gh-worker-dd-mergequeue-cf854d[bot] merged 2 commits into
mainfrom
kakkoyun/fix-codeql-default-branch

Conversation

@kakkoyun

@kakkoyun kakkoyun commented Apr 29, 2026

Copy link
Copy Markdown
Member

Problem

The CodeQL status page shows the last scan date as 2025-09-03, even though CodeQL runs successfully on every PR and every mq-working-branch-** push.

This is an association problem, not an execution problem. GitHub Code Scanning indexes each SARIF upload by the ref the trigger event carried. The default-branch status panel only counts uploads tagged with refs/heads/main. CodeQL is running, but every upload it produces is filed under a non-default ref.

Root cause

PR #3887 (2025-09-04, "move main CI checks to merge queue runs") restructured the workflow triggers:

Removed Kept / Added
push: branches: [main, master] push: branches: [mq-working-branch-**]
pull_request: branches: [main] pull_request: (no branch filter)
merge_group: workflow_call: (unused — no caller wires CodeQL)

After this change, CodeQL only ever sees refs of the form refs/pull/<n>/merge or refs/heads/mq-working-branch-XXX. The repository's merge mechanism fast-forwards main onto a green staging commit and deletes the staging branch — no push event for refs/heads/main fires, so CodeQL never runs against the default branch. The SARIF uploaded during the queue run stays tagged with the staging ref even after that exact SHA becomes HEAD of main.

This is asymmetric with GitHub's native merge queue: native queue events arrive on refs/heads/gh-readonly-queue/main/<sha> and Code Scanning rolls those uploads up to the default branch on completion. Custom queues built on fast-forward branches get no such roll-up.

Why it matters

  • The security tab shows the configuration as inactive, which trips compliance alarms and looks like a regression to auditors.
  • New CodeQL findings introduced after 2025-09-03 are recorded against PR / staging refs and never roll up to the canonical main view.
  • Branch-protection rules of the form "CodeQL must be passing on default branch" can mis-report.

Verification

  • git diff shows exactly one inserted line: - main
  • actionlint .github/workflows/codeql-analysis.yml passes with no errors
  • After merge, the Actions tab shows a new "CodeQL" run on refs/heads/main
  • The status page shows a timestamp newer than 2025-09-03, still with configuration ID FZTWS5DIOVRC653POJVWM3DPO5ZS6Y3PMRSXC3BNMFXGC3DZONUXGLTZNVWA

GitHub Code Scanning indexes SARIF uploads by the ref they are tagged
with. The default-branch status panel only counts uploads tagged with
refs/heads/main. Since PR #3887 (2025-09-04), CodeQL only runs on
refs/pull/<n>/merge and refs/heads/mq-working-branch-**; the custom
merge queue fast-forwards main without firing a push event, so no SARIF
ever lands on refs/heads/main and the status panel has been frozen since
2025-09-03.

Adding main to push.branches ensures a CodeQL run fires after each
fast-forward merge, tagging the upload with refs/heads/main and
unfreezing the configuration panel. The existing configuration ID is
preserved — no risk of orphaning historical alerts.
@kakkoyun
kakkoyun requested a review from a team as a code owner April 29, 2026 14:29
@kakkoyun kakkoyun added the AI Assisted AI/LLM assistance used in this PR (partially or fully) label Apr 29, 2026
@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Apr 29, 2026

Copy link
Copy Markdown

Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 61.36% (+3.86%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 7cf846a | Docs | Datadog PR Page | Give us feedback!

@codecov

codecov Bot commented Apr 29, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.10%. Comparing base (997e8b2) to head (4d4b337).

Additional details and impacted files

see 450 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@pr-commenter

pr-commenter Bot commented Apr 29, 2026

Copy link
Copy Markdown

Benchmarks

Benchmark execution time: 2026-05-04 11:22:20

Comparing candidate commit 7cf846a in PR branch kakkoyun/fix-codeql-default-branch with baseline commit 625c602 in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 93 metrics, 8 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@gh-worker-dd-mergequeue-cf854d
gh-worker-dd-mergequeue-cf854d Bot merged commit bc4344c into main May 4, 2026
189 of 190 checks passed
@gh-worker-dd-mergequeue-cf854d
gh-worker-dd-mergequeue-cf854d Bot deleted the kakkoyun/fix-codeql-default-branch branch May 4, 2026 13:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

AI Assisted AI/LLM assistance used in this PR (partially or fully) mergequeue-status: done

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants