
fix(ci): drop continue-on-error from CodeQL analyze job#2178

Merged
imran-siddique merged 1 commit into
microsoft:mainfrom
aegis-initiative:fix/ci-codeql-drop-continue-on-error
May 12, 2026

Conversation

@finnoybu

Contributor

Summary

.github/workflows/codeql.yml:29 sets continue-on-error: true on the analyze job. That means CodeQL failures (autobuild crashes, analyze step errors, SARIF upload failures, init action problems) are recorded as passing checks. The intent on a code-scanning workflow is the opposite: the analysis must succeed or the check should fail, so the team can fix the analyzer and not silently drift away from SAST coverage.

strategy.fail-fast: false already keeps the matrix legs independent — a Python failure doesn't block JavaScript/TypeScript analysis and vice versa. Dropping continue-on-error only changes the outcome reported for a leg that genuinely failed; the other leg still runs to completion.

(Note: scorecard.yml does not have continue-on-error: true on its analyze job, so this PR is scoped to codeql.yml. If the reviewer noticed the same shape elsewhere, it's not present today.)

Change

Single-line deletion of continue-on-error: true from the analyze job header.

Effect — these previously-silent failures will now mark the check as failed:

  • CodeQL init action failure (e.g. ref/SHA pin breakage)
  • CodeQL autobuild action failure (e.g. missing build deps)
  • CodeQL analyze step failure (e.g. queries running out of memory)
  • SARIF upload failure to GitHub Security

None of these should be considered passing states; the previous configuration hid real coverage gaps.

Verification

  • Diff is a single deletion; nothing else touched.
  • actionlint parses cleanly.

Surfaced during independent audit conducted by @finnoybu (Ken Tannenbaum, AEGIS Initiative); [LOW, Infrastructure/CI].
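The description above explains the interaction between a job-level `continue-on-error: true` and `strategy.fail-fast: false`, and why only the former should go. The following is an added example, not the project's own code or its real `codeql.yml`: a small line-based audit that finds `continue-on-error: true` inside workflow jobs, distinguishes job-level from step-level occurrences, and applies exactly the single-line deletion this PR makes. The sample workflow is constructed for illustration, the action SHAs are placeholders, and the scanner assumes the conventional two-space indentation of GitHub workflow files rather than pulling in a YAML parser.

```python
"""Audit GitHub Actions workflow text for `continue-on-error: true` on a
code-scanning job, the setting this PR removes from the CodeQL workflow.

Added example, not the project's own code. It relies on the conventional
2-space indentation of workflow files instead of a YAML library, so it runs
with the standard library only. The sample workflow is constructed and the
action SHAs are placeholders.
"""
import re

# Constructed sample: a CodeQL workflow with the weak setting on the job.
WEAK_WORKFLOW = """\
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    continue-on-error: true
    permissions:
      security-events: write
      contents: read
    strategy:
      fail-fast: false
      matrix:
        language: [python, javascript-typescript]
    steps:
      - uses: actions/checkout@<PLACEHOLDER_SHA>
      - uses: github/codeql-action/init@<PLACEHOLDER_SHA>
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/autobuild@<PLACEHOLDER_SHA>
      - uses: github/codeql-action/analyze@<PLACEHOLDER_SHA>
"""

# A job id is a 2-space-indented key directly under `jobs:`.
JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")
# The setting may appear as a plain key or as the first key of a step item.
COE_RE = re.compile(r"^(\s*)(?:- )?continue-on-error:\s*true\s*$")


def find_continue_on_error(text):
    """Return (line_no, job_id, scope) for every `continue-on-error: true`.

    scope is 'job' when the key sits directly under a job (4-space indent),
    which masks every step failure in that job, and 'step' when it sits
    deeper inside the steps list.
    """
    findings = []
    in_jobs = False
    job = None
    for no, line in enumerate(text.splitlines(), 1):
        if line and not line.startswith(" "):
            # Top-level key: track whether we are inside the jobs map.
            in_jobs = line.strip() == "jobs:"
            job = None
            continue
        if not in_jobs:
            continue
        m = JOB_RE.match(line)
        if m:
            job = m.group(1)
            continue
        m = COE_RE.match(line)
        if m and job is not None:
            scope = "job" if len(m.group(1)) == 4 else "step"
            findings.append((no, job, scope))
    return findings


def drop_job_level_continue_on_error(text):
    """Remove job-level `continue-on-error: true` lines (the PR's change).

    Step-level occurrences are left alone: they need individual review
    rather than a blanket deletion.
    """
    bad = {no for no, _, scope in find_continue_on_error(text) if scope == "job"}
    kept = [line for no, line in enumerate(text.splitlines(), 1) if no not in bad]
    return "\n".join(kept) + "\n"


def audit(text):
    """Summarise findings before and after the fix, and confirm that the
    matrix independence provided by `fail-fast: false` is preserved."""
    fixed = drop_job_level_continue_on_error(text)
    return {
        "before": find_continue_on_error(text),
        "after": find_continue_on_error(fixed),
        "fail_fast_false_kept": "fail-fast: false" in fixed,
    }


if __name__ == "__main__":
    for no, job, scope in find_continue_on_error(WEAK_WORKFLOW):
        print(f"line {no}: job '{job}' has {scope}-level continue-on-error: true")
    print(drop_job_level_continue_on_error(WEAK_WORKFLOW))
```

Running the script reports the one job-level finding on the `analyze` job and prints the workflow with that line removed; `fail-fast: false` and every step are untouched, which is the property the PR relies on.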

`.github/workflows/codeql.yml:29` sets `continue-on-error: true` on
the `analyze` job, which means CodeQL failures (autobuild crashes,
analyze step errors, SARIF upload failures, init action problems) are
recorded as passing checks. The intent on a code-scanning workflow is
the opposite: the analysis must succeed or the check should fail so
the team can fix the analyzer and not silently drift away from
SAST coverage.

`strategy.fail-fast: false` already keeps the matrix legs independent —
a Python failure doesn't block JavaScript/TypeScript analysis and vice
versa. Dropping `continue-on-error` only changes the outcome reported
for a leg that genuinely failed; the other leg still runs to
completion.

Effect after this change — these previously-silent failures will now
mark the check as failed:
  - CodeQL `init` action failure (e.g. ref/SHA pin breakage)
  - CodeQL `autobuild` action failure (e.g. missing build deps)
  - CodeQL `analyze` step failure (e.g. queries out of memory)
  - SARIF upload failure to GitHub Security

None of these should be considered passing states; the previous
configuration hid real coverage gaps.
@github-actions

🤖 AI Agent: breaking-change-detector

No breaking changes detected.

@github-actions

🤖 AI Agent: security-scanner

No security issues found.

@github-actions

🤖 AI Agent: docs-sync-checker — Docs Sync

Documentation is in sync.

@github-actions github-actions Bot added the size/XS Extra small PR (< 10 lines) label May 12, 2026
@github-actions

🤖 AI Agent: test-generator

Test coverage looks good. No gaps identified.

@github-actions

🤖 AI Agent: code-reviewer

TL;DR: 1 blocker, 0 warnings. The change improves security by ensuring CodeQL failures are reported correctly.

| # | Sev | Issue | Where |
|---|-----|-------|-------|
| 1 | Blocker | CodeQL failures previously reported as passing | .github/workflows/codeql.yml |

Action items: Remove continue-on-error: true from the CodeQL analyze job to ensure failures are reported correctly.

Warnings: No warnings found. Fine as follow-up PRs.

@github-actions


🟡 Contributor Check: MEDIUM

| Check | Result |
|-------|--------|
| Profile | MEDIUM |
| Credential | NONE |
| Overall | MEDIUM |

Automated check by AGT Contributor Check.

@github-actions github-actions Bot added the needs-review:MEDIUM Contributor check flagged MEDIUM risk label May 12, 2026
@github-actions


PR Review Summary

| Check | Status | Details |
|-------|--------|---------|
| 🔍 Code Review | ❌ Failed | Issues detected |
| 🛡️ Security Scan | ✅ Passed | No issues found |
| 🔄 Breaking Changes | ✅ Passed | No issues found |
| 📝 Docs Sync | ✅ Passed | No issues found |
| 🧪 Test Coverage | ✅ Completed | Analysis complete |

Verdict: ❌ Changes needed

@imran-siddique imran-siddique merged commit 3c3fd03 into microsoft:main May 12, 2026
13 of 14 checks passed
MohammadHaroonAbuomar pushed a commit to MohammadHaroonAbuomar/agt-acs that referenced this pull request Jun 1, 2026

Labels

needs-review:MEDIUM Contributor check flagged MEDIUM risk scripts/ci/cd size/XS Extra small PR (< 10 lines)
