Move CodeQL analysis to release PRs only #338

New issue

Closed

opened 2026-04-11 08:49:32 -07:00 by jwilger-ai-bot · 0 comments

jwilger-ai-bot commented

2026-04-11 08:49:32 -07:00

(Migrated from github.com)

Problem

CodeQL analysis runs on every PR and takes significant CI time. It has not surfaced any issues that our existing checks (clippy, cargo-audit, tests) don't already catch. Running it on every PR adds latency without providing additional value.

Desired Behavior

Apply the same pattern used for mutation testing (see #336): the Analyze (rust) job runs on every PR but is a noop unless the PR has the release label. On release PRs it runs the full CodeQL analysis.

This keeps the required status check satisfied on all PRs while only doing real work on releases.

Acceptance Criteria

CodeQL job skips immediately on non-release PRs
CodeQL job runs full analysis on release PRs (labeled release)
Existing Analyze (rust) required status check continues to work without ruleset changes

## Problem CodeQL analysis runs on every PR and takes significant CI time. It has not surfaced any issues that our existing checks (clippy, cargo-audit, tests) don't already catch. Running it on every PR adds latency without providing additional value. ## Desired Behavior Apply the same pattern used for mutation testing (see #336): the `Analyze (rust)` job runs on every PR but is a noop unless the PR has the `release` label. On release PRs it runs the full CodeQL analysis. This keeps the required status check satisfied on all PRs while only doing real work on releases. ## Acceptance Criteria - [ ] CodeQL job skips immediately on non-release PRs - [ ] CodeQL job runs full analysis on release PRs (labeled `release`) - [ ] Existing `Analyze (rust)` required status check continues to work without ruleset changes