Create codeql-analysis.yml #2644

Flyingmana · 2022-10-03T11:09:56Z

Description (*)

Related Pull Requests

Fixed Issues (if relevant)

Fixes Replace LGTM.com as it's going to shutdown in Dec. 2022 #2642

Manual testing scenarios (*)

...
...

Questions or comments

Contribution checklist (*)

Pull request has a meaningful description of its purpose
All commits are accompanied by meaningful commit messages
All automated tests passed successfully (all builds are green)
Add yourself to contributors list

sreichel · 2022-11-28T20:01:54Z

Seems LGTM is down ... last check already runs for a hour. (https://github.com/OpenMage/magento-lts/runs/9753202323)

@Flyingmana can you please disable?

addison74 · 2022-12-30T18:06:15Z

Can we move forward with this issue? LGTM.com is already shut down.

fballiano · 2022-12-30T18:18:54Z

it seems this PR is already complete

sreichel · 2022-12-30T18:25:36Z

it seems this PR is already complete

But ... 92 new alerts including 87 high severity security vulnerabilities. Should we fix that first?

fballiano · 2022-12-30T18:35:03Z

where do you see those errors?

sreichel · 2022-12-30T18:36:38Z

https://github.com/OpenMage/magento-lts/runs/8675295733

fballiano · 2022-12-30T18:39:10Z

uff, prototype and tinymce = 99% impossible to solve

Flyingmana · 2022-12-30T18:44:03Z

we dont need to solve this "new errors", maybe put them into an ignore or mark it as allowed to fail

sreichel · 2022-12-30T18:47:24Z

There seems to be a baseline option ... needs some test?!?

Flyingmana · 2022-12-30T18:54:23Z

will look into it

sreichel · 2022-12-30T20:27:05Z

.github/workflows/codeql-analysis.yml

+  schedule:
+    - cron: '33 4 * * 4'


Do we need this? Set path to js only?

removed the cron trigger.
We dont have any js files outside the js directory? then makes sense to add it, too

we've a lot of .js in /skin/

can it also check the inline js in templates?

I'd use include **/*.js instead of ... to run it only when js files changed.

paths-ignore: - '**/*.md' - '**/*.txt'

sreichel · 2022-12-30T20:47:31Z

Nice, LGTM.

I'd add it to current workflow later.

github-actions · 2022-12-30T21:28:13Z

Unit Test Results

7 tests 5 ✔️ 0s ⏱️
1 suites 2 💤
1 files 0 ❌

Results for commit 71da6e1.

♻️ This comment has been updated with latest results.

addison74 · 2022-12-30T21:32:30Z

@Flyingmana - Nice work and super fast.

Flyingmana · 2022-12-30T21:34:03Z

I now got all errors covered with paths-ignore.
Baseline is a bit more complicated I think, as the state of errors is stored in github, where we can mark the alerts as ignored then one by one.

fballiano · 2022-12-30T22:27:50Z

Could we test the js in templates?

Flyingmana · 2022-12-30T22:52:00Z

Could we test the js in templates?

iam not sure, first it should replace the LGTM what we had before. I dont think it was able to parse the templates.

But it might be able with codeql, although its a bit more work, why I would delay it for a later time

sreichel · 2022-12-31T06:41:33Z

But it might be able with codeql, although its a bit more work

If we have a working js code coverage ... 👍

Create codeql-analysis.yml

57a1210

github-actions bot added the environment label Oct 3, 2022