I have a scenario that makes me wish this were an option. If someone has a potential solution for how to solve this nicely, I’m all ears.
Our products leverage a private repo to pull internal artifacts. Because of this, accessing secrets (to authenticate against the private repo) is a requirement just to be able to build the service. This can’t be solved by using separate privileged/non-privileged workflows.
We also use CodeQL to scan the source and report any issues. As the source is Java, it must be built in order to be scanned. A passing CodeQL check is required in order to merge to main.
We discovered that running CodeQL against the pull_request_target event breaks CodeQL as it thinks it’s scanning code against the target branch (main) instead of the PR branch. So results are not annotated in the PR itself. Instead, the results show up in the code scanning results of the repo against “main”. This is definitely not ideal, but I suspect it’s “by design” when using pull_request_target.
However, if I use pull_request, I can’t build the product. Now, in this case, I wouldn’t expect CodeQL results to change simply because of an updated dependency. So bypassing or rubber-stamping it is an acceptable outcome. But GitHub Actions doesn’t give me a way to either:
- Make a check required only if it’s determined that it needs to run, or
- Terminate a check early without failing
So as far as I can tell, I’m stuck choosing between less than ideal outcomes:
- Don’t make the CodeQL check required.
- Let the dependabot PRs fail. A user can manually re-run the CodeQL check to get a green checkmark or an admin can simply override and merge anyways.
- Update the CodeQL check job to skip every step on dependabot PRs so that it passes.
I’d love to hear options 4+ that others might have to solve this issue.
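Option 3 from the post (run the CodeQL job on `pull_request` and skip every step on Dependabot PRs so the required check still reports success) written out as a workflow. This is an added example, not the poster's own workflow: the secret name `PRIVATE_REPO_TOKEN`, the Maven wrapper build command and the `main` branch filter are assumptions, and the actor check `github.actor == 'dependabot[bot]'` is the documented way to recognise a Dependabot-authored pull request.

```yaml
name: CodeQL

on:
  pull_request:
    branches: [main]   # assumed target branch

permissions:
  contents: read
  security-events: write   # required for codeql-action/analyze to upload results

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # On the pull_request event, Dependabot-authored PRs do not receive the
      # repository's Actions secrets, so the build that needs the private
      # repository credential cannot run. Every CodeQL step is therefore
      # conditional on the PR author not being Dependabot; the job itself still
      # runs and completes successfully, which satisfies the required check.
      - name: Initialize CodeQL
        if: github.actor != 'dependabot[bot]'
        uses: github/codeql-action/init@v3
        with:
          languages: java

      - name: Build with private repository credentials
        if: github.actor != 'dependabot[bot]'
        env:
          PRIVATE_REPO_TOKEN: ${{ secrets.PRIVATE_REPO_TOKEN }}   # assumed secret name
        run: ./mvnw -B package -DskipTests   # assumed build command

      - name: Perform CodeQL analysis
        if: github.actor != 'dependabot[bot]'
        uses: github/codeql-action/analyze@v3

      - name: Record why the scan was skipped
        if: github.actor == 'dependabot[bot]'
        run: echo "Dependabot PR: CodeQL skipped because the private repository secret is not available on pull_request."
```

Keeping the trigger on `pull_request` rather than `pull_request_target` is the safer choice for a workflow that builds the code: `pull_request_target` runs with the base repository's secrets, and a build step that executes the PR head's build scripts would hand that private repository credential to whatever the PR changed. The trade-off the post describes remains: a Dependabot PR merges without a fresh CodeQL result, so the scan on `main` after the merge is what catches anything the dependency bump introduced.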