CodeQl: Support repos with no packages. (#525)

apop5 · web-flow · commit 9e9450fc076b · 2026-02-24T16:16:23.000-08:00
The codeql workflow will attempting to locate Packages by finding
folders ending with pkg and then attempting to find a .dsc located
within that folder.

For repos without any valid pkgs, the codeql workflow will generate an
empty matrix. Adding a package_count variable to differentiate this
scenario and gate creating and empty matrix.

Most repos list the codeql Analyze task as a required check. With an
empty matrix, this would fail. Skipping the Analyze task would result in
a pending check that will never execute.

Modify the codeql to create an empty sarif file when the package_count
is zero and upload this. This will allow the Analyze step to run and
pass CI when a repo contains no valid packages that can have results
uploaded.

This is being handled in this manor to allow the same CI checks to exist
for repos which still contain a valid release/202502 branch, and a
release/202511 branch which deprecates the repo.
diff --git a/.sync/workflows/leaf/codeql.yml b/.sync/workflows/leaf/codeql.yml
@@ -48,6 +48,7 @@ jobs:
       contents: read
     outputs:
       packages: ${{ steps.generate_matrix.outputs.packages }}
+      package_count: ${{ steps.generate_matrix.outputs.package_count }}
 
     steps:
     - name: Checkout repository
@@ -81,12 +82,14 @@ jobs:
 
         with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
             print(f'packages={json.dumps(packages)}', file=fh)
+            print(f'package_count={len(packages)}', file=fh)
 
   analyze:
     name: Analyze
     runs-on: windows-2022
     needs:
       - gather_packages
+    if: needs.gather_packages.outputs.package_count != '0'
     permissions:
       actions: read
       contents: read
@@ -502,4 +505,49 @@ jobs:
         # Each package is a separate category.
         category: ${{ matrix.package }}
 
+  analyze_empty:
+    name: Analyze
+    runs-on: ubuntu-latest
+    needs:
+      - gather_packages
+    if: needs.gather_packages.outputs.package_count == '0'
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v6
+
+    - name: Create Empty SARIF
+      shell: python
+      run: |
+        import json
+
+        sarif = {
+            "version": "2.1.0",
+            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+        "runs": [
+          {
+            "tool": {
+              "driver": {
+                "name": "CodeQL",
+                "informationUri": "https://github.com/github/codeql-action"
+              }
+            },
+            "results": []
+          }
+        ]
+        }
+
+        with open('empty.sarif', 'w', encoding='utf-8') as f:
+            json.dump(sarif, f)
+
+    - name: Upload Empty SARIF To GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@v4
+      with:
+        sarif_file: empty.sarif
+        category: no-packages
+
 {% endraw %}
