Turn on Dependabot and CodeQL #139
Conversation
Create dependabot.yml
Create codeql.yml
ignore .env.local
remove irrelevant comments
|
I see this as a prerequisite for taking #138 out of draft mode, btw |
| @@ -0,0 +1,82 @@ | |||
| # trac-github/.github/workflows/codeql.yml: GitHub Actions codeql workflow for trac-github | |||
There was a problem hiding this comment.
I'm not familiar with CodeQL. Can you elaborate what the added value of this for this repository is?
There was a problem hiding this comment.
Right, so CodeQL is basically another linter / static analyzer / set of compiler warnings to help ensure future commits or PRs don't break anything. I'd feel a lot more secure about taking #138 out of draft mode if I could get a set of CI checks (such as CodeQL) set up first to verify that it'd be ok to merge.
There was a problem hiding this comment.
Do you have more details than that? From what I see in the marketing material, this sounds like a closed-source third-party tool, which I cannot run locally (or only a limited version) unless I pay for a GitHub Enterprise something thingy.
Is there some way we could see what warnings CodeQL would find in this existing code base? I don't want an opinionated linter that throws a thousand warnings that nobody is ever going to fix in this code.
From a run in your fork, it seems this doesn't even work as expected, because this is still Python 2 code, but Python 2 isn't installed:
Python package installation failed: we detected this code as Python 2, but the 'python2' executable was not available. To enable automatic package installation, please install 'python2' before the 'github/codeql-action/init' step, for example by running 'sudo apt install python2' (Ubuntu 22.04). If your code is not Python 2, but actually Python 3, please file a bug report at https://github.com/github/codeql-action/issues/new
https://github.com/cooljeanius/trac-github/actions/runs/7018282343/job/19093341421
So it seems that in its current state, this CodeQL run doesn't actually do anything.
There was a problem hiding this comment.
Do you have more details than that? From what I see in the marketing material, this sounds like a closed-source third-party tool, which I cannot run locally (or only a limited version) unless I pay for a GitHub Enterprise something thingy.
CodeQL sources are available here under an MIT license: https://github.com/github/codeql
Is there some way we could see what warnings CodeQL would find in this existing code base? I don't want an opinionated linter that throws a thousand warnings that nobody is ever going to fix in this code.
From a run in your fork, it seems this doesn't even work as expected, because this is still Python 2 code, but Python 2 isn't installed:
Python package installation failed: we detected this code as Python 2, but the 'python2' executable was not available. To enable automatic package installation, please install 'python2' before the 'github/codeql-action/init' step, for example by running 'sudo apt install python2' (Ubuntu 22.04). If your code is not Python 2, but actually Python 3, please file a bug report at https://github.com/github/codeql-action/issues/new
Ah ok, let me try that...
There was a problem hiding this comment.
Quoting from https://github.com/github/codeql:
The CodeQL CLI (including the CodeQL engine) is hosted in a different repository and is licensed separately.
There was a problem hiding this comment.
OK, here's a new run:
https://github.com/cooljeanius/trac-github/actions/runs/7118192100/job/19380559866
It still doesn't produce any warnings, but that's good, it means that this codebase doesn't have anything worth warning about. The idea is to prevent that from changing in potential future PRs.
Here's an example of a place where CodeQL does actually warn in some Python code: https://github.com/cooljeanius/jhbuild/security/code-scanning/1
change weekly to monthly Co-authored-by: Clemens Lang <cl@clang.name>
Install python2 before initializing CodeQL
These are just a few YAML files to help integrate a bit more tightly with some of the services that GitHub provides. I also wanted to try migrating the Travis workflow to GitHub Actions, but couldn't, because the GitHub Actions Importer is stupidly overengineered, and requires a running copy of Docker Desktop for some reason, and a recent update to Docker Desktop started using symbols only available on macOS 12 (and up) without adding any sort of compatibility note, and I'm still on macOS 11...