From 8427ba747fcb0bdf1f009823a1fe30b8ae44ae21 Mon Sep 17 00:00:00 2001
From: Dawei Huang
Date: Wed, 18 Dec 2024 03:18:25 +0000
Subject: [PATCH] follow the azure pipeline way.
---
 .github/workflows/codeql-analysis.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 79a81e88..6c75e3c5 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -13,6 +13,10 @@ on:
 - '202[0-9][0-9][0-9]'
 workflow_dispatch:
+env:
+ BUILD_BRANCH: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.base.ref || github.ref_name }}
+
+
 jobs:
 analyze:
 name: Analyze
@@ -37,10 +41,7 @@ jobs:
 with:
 repository: sonic-net/sonic-mgmt-common
 path: sonic-mgmt-common
- # Checkout the branch that is being merged into
- # This workflow has been audited, and no secrets or untrusted code are exposed to the pull_request_target trigger.
- # nosemgrep: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout
- ref: ${{ github.event.pull_request.base.ref }}
+ ref: refs/heads/${{ env.BUILD_BRANCH }}
 # Update go.mod to use local sonic-mgmt-common.
 # This is the same hack used in the CI pipeline. See lgtm.yml.
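Review bot: The new `ref: refs/heads/${{ env.BUILD_BRANCH }}` line in the second hunk drops the audit rationale and the `# nosemgrep: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout` suppression without replacing them, even though this step still runs under the `pull_request_target` trigger visible in the first hunk. The new expression still resolves to the PR's base branch on that event (trusted repository code, not the PR head) and to `github.ref_name` otherwise, so the security reasoning holds, but it is no longer recorded next to the checkout and a semgrep scan, if the project runs one, would presumably flag this line again. I would restore the rationale directly above the new `ref:` line, e.g. `# Checkout the base branch being merged into, never the PR head; audited for pull_request_target` followed by the original `# nosemgrep:` line. The hard-coded `refs/heads/` prefix also ties the `github.ref_name` fallback to branch refs, which matches the branch-only `push` filters in the first hunk but would not resolve if a tag trigger were ever added. The two blank lines added after the workflow-level `env:` block in the first hunk exceed the single blank line used elsewhere in this file.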