[ci] modify CodeQL settings #6563

Merged: 1 commit merged into master, Jul 21, 2024

Conversation

jameslamb (Collaborator) commented Jul 21, 2024

For the last few days, we've observed 2 CI issues which happen on every build triggered by a merge to master... but which do not happen on PRs.

Comparing logs between those types of builds, I found only 1 seemingly-significant difference between them... on builds triggered by merges to master, tasks called Initialize CodeQL and Finalize CodeQL are automatically injected.

This proposes trying to prevent those tasks from being injected. If we do that and see a few builds on master succeed, we'll be able to say with confidence that the CodeQL jobs were the issue.

More context on how these jobs might cause the CI failures we've observed: #6544 (comment)

Notes for Reviewers

Docs on where this comes from or how to turn it off?

I couldn't really find any. "Configure GitHub Advanced Security for Azure DevOps" (Azure DevOps docs) describes how to enable this scanning, but does not talk about auto-injection.

The variables I'm proposing adding to .vsts-ci.yml were found in other large projects' configs:

  • dotnet/roslyn
  • dotnet/sourcelink
  • interpretml/interpret
  • Microsoft/STL
  • posit-dev/positron

I'm not sure how those projects learned about them... I haven't yet found any documentation referencing them.

This is not the first time we've had to do something like this ... @StrikerRUS I remember you doing something very similar back in November 2022: #5175.

How to test this

The only way to test this is to merge to master, as this behavior is only observable there.
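For readers unfamiliar with the mechanism being discussed: the GitHub Advanced Security for Azure DevOps extension can inject "Initialize CodeQL" and "Finalize CodeQL" tasks into pipeline runs on the default branch without those tasks appearing in the YAML. The following is an added, illustrative Azure Pipelines file, not LightGBM's actual `.vsts-ci.yml` and not a diff from this PR. The variable names `Codeql.Enabled` and `Codeql.SkipTaskAutoInjection` are assumed here to be the ones the projects listed above set for this purpose; this page does not name them. The trigger, pool and step contents are placeholders.

```yaml
# Illustrative .vsts-ci.yml (example only; not the project's own file)
trigger:
  branches:
    include:
      - master

variables:
  # Assumption: these two pipeline variables are what other large Azure
  # Pipelines projects set to stop the GitHub Advanced Security extension
  # from auto-injecting "Initialize CodeQL" / "Finalize CodeQL" tasks into
  # builds on the default branch. Without them, the default-branch build
  # runs extra tasks that never appear in PR builds, which is exactly the
  # master-vs-PR asymmetry described in this PR.
  Codeql.Enabled: false
  Codeql.SkipTaskAutoInjection: true

jobs:
  - job: build
    pool:
      vmImage: ubuntu-latest   # placeholder pool
    steps:
      - script: echo "project build and test steps go here"
        displayName: Build and test
```

Two practical notes on this kind of change. First, because injection only happens on default-branch builds, a PR cannot exercise it; the only confirmation is a green build on master with zero CodeQL tasks in the log, which is how the author verifies it below. Second, setting these variables disables CodeQL code scanning for the pipeline entirely, not just the auto-injection, so a team that still wants CodeQL coverage should plan to run it in a separate job or scheduled pipeline whose failures do not block the main build.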

borchero (Collaborator) left a comment

Let's give it a try 👀

@jameslamb jameslamb merged commit cbee5ee into master Jul 21, 2024
45 checks passed
@jameslamb jameslamb deleted the ci/try-turning-off-codesql branch July 21, 2024 23:11
jameslamb (Collaborator, Author) commented Jul 22, 2024

I think this worked?

0 CodeQL tasks were injected, and all of the CI jobs passed on the first attempt (for the first time in a few weeks) 🎉

build link: https://dev.azure.com/lightgbm-ci/lightgbm-ci/_build/results?buildId=16698&view=logs&j=ea56812e-e7ae-55d0-6abc-4a217857fa9f

I strongly suspect that those CodeQL jobs were causing the issues we observed in #6543 and #6544.
