Run CodeQL in container
With the CI job now run in-container, and with executors being re-used in the private pool to improve efficiency, there end up being directories created by root (inside the container) that the checkout step on non-container jobs is unable to clean up.

One possible solution is to move all jobs run in private pools to container images. I remembered, probably incorrectly, that CodeQL could not be run in a container. But that does not seem to be the case now; there are only a few requirements: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container
achamayou authored Jun 30, 2024
1 parent 9238e7c commit 2d8ad59
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/codeql-analysis.yml
@@ -21,6 +21,8 @@ jobs:
name: Analyze
# Insufficient space to run on public runner, so use custom pool
runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
container:
image: ccfmsrc.azurecr.io/ccf/ci:2024-06-26-virtual-clang15

permissions:
security-events: write
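Review bot: the comment above `runs-on` explains only why a custom pool is used, not why the job now runs in a container, so someone reading the workflow later has to dig up this commit to learn the reason (root-owned directories left on re-used executors that checkout cannot clean up); suggest extending the comment, e.g. `# Run in-container so root-owned files left on re-used executors do not break checkout elsewhere`. Separately, `image: ccfmsrc.azurecr.io/ccf/ci:2024-06-26-virtual-clang15` is pinned by a tag rather than a digest; a tag is mutable, so the environment CodeQL analyses in can change without any change to the workflow, and referencing the image by `@sha256:` digest would make the analysis environment reproducible and tamper-evident.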

0 comments on commit 2d8ad59