
Comments (3)

benhorgen commented on August 30, 2024

Hi @NickLiffen. I didn't have assigning privileges, but thought I'd tag you in the comments.

Regarding the questions in the readme:

  • Windows, Linux, Codespaces or Mac
    Mac (VS Code)
  • What version of NodeJS you are running.
    node v16.17.0
  • Add any logs that appeared when you ran into the issue.
    There are a lot of console writelines about PRs being created and on what branches, but nothing stands out as an error. How do I get the logs to Error or warning/error?

from ghas-enablement.

NickLiffen commented on August 30, 2024

Hey @benhorgen 👋

Firstly, it was LOVELY to see you last week at Universe 〽️ 🥳

Secondly, sorry for the late reply here; this week has been focused on getting caught up with life and making sure everything is running as normal 👍 I hope you don't mind this slightly delayed response.

Okay, so you are correct in that behaviour, and that's actually by default as well.

We don't read the branches: [*, *] array within your workflow file. We will only raise a pull request into the default branch irrespective of what you put in that array of strings. Why do we do this? Well, it's actually for a few reasons. Firstly, for security overview, or anything else within GitHub, to think that code scanning is "turned on", it needs an analysis upload only into the default branch. So for GitHub to look at this repo and think, "is this turned on?" it only needs an analysis uploaded to the default branch, nothing else. Secondly, human error. :D This one is where the user enters the name of a branch that isn't a branch. Maybe they misspelt something? Or maybe they don't really know what goes in the branches: [*, *] array.

If you would like to do what you are talking about, my advice is to do a git pull and then a git merge where you merge the changes from the default branch into whatever sub-branches you have 👍 Hopefully that makes sense and somewhat explains why it works in this way 👍


benhorgen commented on August 30, 2024

Thanks for the insights @NickLiffen, sorry I didn't close the issue after reading your response. I was hoping to try it out before replying but then got delayed.

Your insights make sense, but based on your response, I'm curious if using the branches value is necessary or if it can be ignored then? Or should I specify a few branches, like our test and our main branches? Based on your response above I get the feeling code scanning occurs on every branch (and PR) once the codeql-analysis.yml file is committed to the default branch (and the code scanning flag is toggled in the GitHub settings menu for that repo).
