ci: Fix CodeQL workflow config (#14117)

mydea · web-flow · commit 8f65bf70ae4c · 2024-10-29T09:22:19.000Z
Reverts #14109 and re-implements this differently. Actually, the problem was dependabot merging to develop (so the fix would not have caught that anyhow), + this was incorrect syntax (oops) as we had ignore-branches _and_ branches, which does not work. Now, instead we just run this always but check if this is a push from dependabot, which hopefully works better. See https://github.com/getsentry/sentry-javascript/actions/runs/11570166519
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -14,9 +14,6 @@ name: 'CI: CodeQL'
 on:
   push:
     branches: [develop]
-    branches-ignore:
-      # Ignore dependabot branches
-      - "dependabot/**"
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [develop]
@@ -36,6 +33,8 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    # Skip for pushes from dependabot, which is not supported
+    if: github.event_name == 'pull_request' || github.actor != 'dependabot[bot]'
 
     strategy:
       fail-fast: false
