
Conversation

nickfloyd
Contributor

@nickfloyd nickfloyd commented Jun 27, 2022

This PR:

  • Enables CodeQL for this repo to meet the security and stability requirements of the octokit org.
  • Removes the error and stack from being returned from the middleware
  • Logs errors to stdout via logger

@nickfloyd nickfloyd added the Type: Maintenance Any dependency, housekeeping, and clean up Issue or PR label Jun 27, 2022
G-Rath previously approved these changes Jun 27, 2022
Member

@G-Rath G-Rath left a comment


I think both of what's been flagged are false positives (the one about $ definitely is)

gr2m previously approved these changes Jun 27, 2022
Contributor

@gr2m gr2m left a comment


we can make the replace a global replace to appease CodeQL
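What the global-replace suggestion addresses, as an added example (not code from this PR or the Octokit project; the sanitizer functions are hypothetical): `String.prototype.replace` called with a string pattern or a non-global regex replaces only the first match, which is what CodeQL's incomplete-sanitization query reports.

```javascript
// Added example (not from the PR or the Octokit project).
// CodeQL flags String.prototype.replace called with a string pattern or a
// non-global regex as "incomplete string sanitization": only the first match
// is replaced, so a second "$" survives untouched.

// Hypothetical naive sanitizer: only the first "$" is removed.
function stripDollarOnce(input) {
  return input.replace("$", "");
}

// Global regex: every "$" is removed, which is what appeases the query.
function stripDollarAll(input) {
  return input.replace(/\$/g, "");
}

// Same idea for a character class; the /g flag is the important part.
function stripUnsafeChars(input) {
  return input.replace(/[$<>]/g, "");
}

// Quick self-check on a constructed input.
const sample = "a$b$c";
console.log(stripDollarOnce(sample)); // ab$c
console.log(stripDollarAll(sample));  // abc
```

Whether a once-only replace is actually a bug depends on what the string is used for afterwards; when the value feeds a regex, a shell command or HTML, the second occurrence is the one that matters, so the global form is the safe default.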

    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript' ]
Member


Shouldn't this be typescript?

Contributor Author


👍 Great catch, I'll make sure that gets updated. Thanks!

Member


Is there actually a difference in this? My assumption was that javascript did cover TypeScript even though it is listed in the docs as a different language.

I'm now wondering if a bunch of my repos might have been getting only half-checked because of this 😅

Contributor Author


Yeah, after reading through the docs the best strategy seemed to be to use both for any repo where the source had both TypeScript and JavaScript, i.e.:

    language: [ 'javascript', 'typescript' ]

This seems to be working correctly for mixed source.

Member

@G-Rath G-Rath Jun 28, 2022


That sounds like something that the default CodeQL workflow generator should include (at the least, mention typescript as one of the options in its comment). Can I assume from this you'll pass this on to the right folks at GitHub to action that, or should I open a ticket or issue somewhere?

@nickfloyd nickfloyd dismissed stale reviews from gr2m and G-Rath via 85d5bae June 28, 2022 15:35
@timrogers

It feels like it would be reasonable to change response.end(String(error));. There isn't really any need for that to expose quite so much information, although I don't consider it to be a big deal by any means.

@nickfloyd
Contributor Author

It feels like it would be reasonable to change response.end(String(error));. There isn't really any need for that to expose quite so much information, although I don't consider it to be a big deal by any means.

I could definitely go to the logging to server log route. I didn't want to assume I knew why that was there (Chesterton's fence and all 😉). Perhaps, @gr2m, @wolfy1339, or @G-Rath would have more historical knowledge on why the error is being returned the way it is - my assumption is that it eases debugging, but again, we should be able to post and get that from server logs.

@wolfy1339
Member

That has been there since the very beginnings of this project.

It would make sense to remove it and log it instead

@nickfloyd
Contributor Author

It would make sense to remove it and log it instead

Solid. I'll take care of it in this PR. Thanks for the 👀!
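The change agreed on in this thread, as an added example (not the project's own middleware code): a leaky handler that writes `String(error)` and the stack into the HTTP response, beside a handler that logs the full error server-side and returns a generic body. The `makeResponse` and `makeLogger` helpers are constructed stand-ins for Node's `http.ServerResponse` and the middleware's logger, and the error message is a constructed sample.

```javascript
// Added example, not code from the PR or the Octokit project. Hypothetical
// error handlers for an HTTP middleware, plus constructed test doubles so the
// file runs offline under Node.

// Before: the error (and its stack) is sent to the HTTP client. Messages
// often carry paths, hostnames or config details; the stack reveals module
// layout and line numbers. This is the information exposure the PR removes.
function handleErrorLeaky(error, response) {
  response.statusCode = 500;
  response.end(`${String(error)}\n${error.stack || ""}`);
}

// After: full detail goes to the server log; the client gets a fixed body.
function handleErrorSafe(error, response, logger) {
  logger.error(error);
  response.statusCode = 500;
  response.setHeader("content-type", "application/json");
  response.end(JSON.stringify({ error: "Internal server error" }));
}

// Constructed stand-in for http.ServerResponse: records what would be sent.
function makeResponse() {
  return {
    statusCode: 200,
    headers: {},
    body: "",
    ended: false,
    setHeader(name, value) {
      this.headers[name.toLowerCase()] = value;
    },
    end(chunk) {
      this.body = chunk === undefined ? "" : String(chunk);
      this.ended = true;
    },
  };
}

// Constructed stand-in for a logger: keeps every logged error.
function makeLogger() {
  return {
    entries: [],
    error(e) {
      this.entries.push(e);
    },
  };
}

// Runs both handlers on a constructed error whose message carries a file
// path, and returns what each client would see and what the log captured.
function demo() {
  const error = new Error(
    "ENOENT: no such file or directory, open '/srv/app/secrets/hook.json'"
  );

  const leaky = makeResponse();
  handleErrorLeaky(error, leaky);

  const logger = makeLogger();
  const safe = makeResponse();
  handleErrorSafe(error, safe, logger);

  return {
    leakyBody: leaky.body,
    safeBody: safe.body,
    safeStatus: safe.statusCode,
    logged: logger.entries.length,
  };
}

console.log(demo());
```

The point of keeping the generic body fixed (rather than, say, echoing `error.message` only) is that even the message alone tends to carry environment details, as the constructed ENOENT message shows; the server log is where that detail is useful for debugging.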

…ge and code returned when errors happen in the middleware on requests
@nickfloyd nickfloyd requested review from wolfy1339, G-Rath and gr2m June 28, 2022 21:13
@nickfloyd nickfloyd merged commit 61241f7 into master Jun 28, 2022
@nickfloyd nickfloyd deleted the enable-codeql branch June 28, 2022 21:53
@github-actions
Contributor

github-actions bot commented Jul 1, 2022

🎉 This PR is included in version 10.0.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
