ci(templates): run CodeQL on merge_group for go-app and go-lib #170
The go-app and go-lib templates configure a merge queue (ci.yml triggers on merge_group), and the default ruleset requires code scanning results. But the codeql.yml callers only triggered on push/pull_request/schedule, never on merge_group — so CodeQL never ran for the merge-queue commit and GitHub kept reporting "Code scanning is still expecting 1 result from CodeQL", leaving every Renovate/Dependabot PR unmergeable until an admin bypass. Add the merge_group trigger (mirroring ci.yml) so CodeQL runs in the queue and satisfies the code_scanning rule. The reusable codeql.yml is workflow_call with only input-based conditions, so it runs unchanged from a merge_group caller.

Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>
Code Review
This pull request adds the merge_group trigger to the CodeQL workflow configuration files for both the Go application and Go library templates. No review comments were provided, and the changes are straightforward and correct.
Pull request overview
This PR updates the Go template CodeQL workflows so they also run for merge queue commits (merge_group), aligning with templates that already gate merges on code scanning results.
Changes:
- Add the `merge_group` trigger to the `go-app` template's CodeQL workflow.
- Add the `merge_group` trigger to the `go-lib` template's CodeQL workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| templates/go-lib/.github/workflows/codeql.yml | Adds merge_group so CodeQL runs for merge queue commits in go-lib consumer repos. |
| templates/go-app/.github/workflows/codeql.yml | Adds merge_group so CodeQL runs for merge queue commits in go-app consumer repos. |
Problem

Both the `go-app` and `go-lib` templates configure a merge queue (`ci.yml` triggers on `merge_group`) and their default ruleset requires code scanning results. But `codeql.yml` only triggered on `push`/`pull_request`/`schedule` — never `merge_group`.

GitHub requires the code-scanning workflow to run on `merge_group` when a merge queue gates on it. Without it, CodeQL never runs for the merge-queue commit, so GitHub permanently reports:

> Code scanning is still expecting 1 result from CodeQL

The result: every Renovate/Dependabot PR in consumer repos is unmergeable and only lands via an admin bypass. Seen repeatedly on netresearch/ldap-manager (#607, #608).

Fix

Add the `merge_group` trigger to both `codeql.yml` callers, mirroring `ci.yml`. The reusable `codeql.yml` is `workflow_call` with only input-based `if:` conditions, so it runs unchanged from a `merge_group` caller — no other changes needed.

After merge

Consumers need a template sync (`scripts/sync-template.sh`) to pick up the new trigger; until then their drift check will flag `codeql.yml`.
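What the corrected caller workflow looks like, as an added illustration rather than the template's actual file: the `OWNER/REPO@ref` reusable-workflow reference, the branch names, the cron schedule and the `languages` input are placeholders and assumptions, not values from this PR.

```yaml
# Caller workflow, e.g. templates/go-app/.github/workflows/codeql.yml
# Added example, not the template's own file. OWNER/REPO, the ref, the
# branch names, the cron and the `languages` input are placeholders.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 3 * * 1"
  # The trigger this PR adds, mirroring ci.yml. Without it the merge-queue
  # commit never gets a CodeQL result, so a ruleset that requires code
  # scanning keeps reporting "still expecting 1 result from CodeQL" and
  # every queued PR stalls until an admin bypass.
  merge_group:
    types: [checks_requested]

permissions:
  contents: read
  security-events: write  # needed to upload SARIF to code scanning

jobs:
  analyze:
    # The callee is a workflow_call workflow with only input-based if:
    # conditions, so it needs no change to run for a merge_group event.
    uses: OWNER/REPO/.github/workflows/codeql.yml@main  # placeholder
    with:
      languages: go  # assumed input name on the reusable workflow
```

To confirm the fix in a consumer repo, open a merge-queue commit's checks after the template sync: the CodeQL check should now appear there, and the code scanning requirement in the ruleset should go green without a bypass.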