{"id":13809758,"url":"https://github.com/octodemo/codeql-selective-analysis","last_synced_at":"2026-01-12T12:43:32.129Z","repository":{"id":189156247,"uuid":"680136040","full_name":"octodemo/codeql-selective-analysis","owner":"octodemo","description":null,"archived":false,"fork":false,"pushed_at":"2023-08-18T13:27:33.000Z","size":9,"stargazers_count":2,"open_issues_count":2,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-02-15T15:35:09.445Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/octodemo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-08-18T12:31:46.000Z","updated_at":"2023-10-10T09:32:24.000Z","dependencies_parsed_at":"2023-08-18T15:18:04.256Z","dependency_job_id":null,"html_url":"https://github.com/octodemo/codeql-selective-analysis","commit_stats":null,"previous_names":["octodemo/codeql-selective-analysis"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octodemo%2Fcodeql-selective-analysis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octodemo%2Fcodeql-selective-analysis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octodemo%2Fcodeql-selective-analysis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octodemo%2Fcodeql-selective-analysis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/octodemo","download_url":"https://codeload.github.com/octodemo/codeql-select
ive-analysis/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225282538,"owners_count":17449527,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T02:00:35.597Z","updated_at":"2026-01-12T12:43:32.107Z","avatar_url":"https://github.com/octodemo.png","language":"JavaScript","readme":"# CodeQL selective analysis on Pull Requests\n\nThis repo contains an example workflow file demonstrating how to make `CodeQL` a required status check for Pull Requests, while skipping the analysis when only a certain subset of files is modified (for example, documentation files).\n\nThis solution works by skipping the CodeQL analysis phase if only those files are modified, and manually setting the relevant required status instead.\n\n## Demo\n\n* PR https://github.com/octodemo/codeql-selective-analysis/pull/1 only changes documentation; the analysis is skipped, but the required check is still satisfied.\n* PR https://github.com/octodemo/codeql-selective-analysis/pull/2 modifies the code, and runs the analysis.\n\n## Pre-requisite\n\nIn order to manually set the required status, we first need to modify the relevant \"Branch Protection\" rule to specify that the status is permitted to come from any source:\n\n![image](https://github.com/octodemo/codeql-selective-analysis/assets/5377966/3d54891f-13fd-40fe-8998-68c9b7de69d9)\n\n## Usage\n\nThe [sample workflow](.github/workflows/codeql-analysis.yml) demonstrates the basic pattern. 
We first need to identify which files have been changed as part of the pull request, through the use of a separate job we call `filter-paths`:\n\n```\n  filter-paths:\n    name: Identify paths which have changed\n    runs-on: ubuntu-latest\n    outputs:\n      changes_outside_docs: ${{ steps.filter-docs.outputs.changes_outside_docs }}\n    steps:\n      - uses: dorny/paths-filter@v2\n        if: github.event_name == 'pull_request'\n        id: filter-docs\n        with:\n          filters: |\n            changes_outside_docs:\n              - '!(docs/**)'\n```\n\nThis uses the `dorny/paths-filter` action to identify the modified files and determine whether any of them lie outside the \"docs/\" directory, and then sets a `changes_outside_docs` output on the job that is `true` if there are changes outside the docs directory and `false` if not. `dorny/paths-filter` provides a general globbing syntax based on https://github.com/micromatch/picomatch.\n\n\u003e Note: it is important that you do not exclude any files which may influence how the source code is analyzed.\n\nIf you prefer not to add a third-party dependency, the list of modified files can instead be fetched using the GitHub API ([List pull requests files](https://docs.github.com/en/free-pro-team@latest/rest/pulls/pulls?apiVersion=2022-11-28#list-pull-requests-files)) and parsed manually for the relevant changes.\n\nThe next step is to modify the standard CodeQL `analyze` job as follows:\n\n```\n  analyze:\n    name: Analyze\n    runs-on: ubuntu-latest\n    needs: filter-paths\n    if: github.event_name != 'pull_request' || needs.filter-paths.outputs.changes_outside_docs == 'true'\n    ...\n```\n\nWe first add a dependency on the `filter-paths` job using the `needs` property. We then add a conditional to the job stating that it only runs if the event is not a pull request, or if changes have occurred outside the docs directory (according to the output previously set by the `filter-paths` job). 
This will prevent the `analyze` job from running if the event is a pull request and only the `docs` directory was modified.\n\nFinally, we add a new job, `skip-codeql-check`. When the `analyze` job does not run, this job is used to set the required commit status for the `CodeQL` context:\n\n```\n  skip-codeql-check:\n    name: Skip CodeQL check\n    runs-on: ubuntu-latest\n    needs: filter-paths\n    if: github.event_name == 'pull_request' \u0026\u0026 needs.filter-paths.outputs.changes_outside_docs == 'false'\n    steps:\n      - uses: actions/github-script@v6\n        with:\n          script: |\n            const paramObj = {\n              owner: context.repo.owner,\n              repo: context.repo.repo,\n              sha: context.payload.pull_request.head.sha,\n              state: 'success',\n              description: \"Skipped CodeQL analysis as only non-code artifacts were modified.\",\n              context: \"CodeQL\"\n            };\n            console.log(paramObj);\n            const result = await github.rest.repos.createCommitStatus(paramObj);\n            console.log(result);\n```\n\nThis job uses the `actions/github-script` action to call the GitHub API and set the commit status for `CodeQL` to \"success\", with an explanatory description saying that the real check was skipped because no relevant files were changed.\n","funding_links":[],"categories":["CodeQL Enforcement"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foctodemo%2Fcodeql-selective-analysis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foctodemo%2Fcodeql-selective-analysis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foctodemo%2Fcodeql-selective-analysis/lists"}