Log error and only enable code-scanning if multiple analysis kinds are specified#3892
Open
mbg wants to merge 3 commits into
Pull request overview
This PR tightens handling of the experimental analysis-kinds input by disallowing multiple enabled analysis kinds in normal (non-test) runs, with an escape hatch via a new feature flag for internal/testing environments. This reduces maintenance burden ahead of planned removal of multi-kind support.
Changes:
- Pass `features` into `getAnalysisKinds` from `init-action` so multi-kind gating can consult feature enablement.
- Introduce `Feature.AllowMultipleAnalysisKinds` (default `false`) to allow multi-kind runs only when explicitly enabled.
- Update `getAnalysisKinds` to throw a `ConfigurationError` when multiple analysis kinds are enabled outside test mode, plus add/adjust unit tests.
Show a summary per file
| File | Description |
|---|---|
| src/init-action.ts | Wires features through to getAnalysisKinds calls. |
| src/feature-flags.ts | Adds new AllowMultipleAnalysisKinds feature flag and config (default disabled). |
| src/analyses.ts | Enforces single analysis kind outside test mode unless the new feature flag is enabled. |
| src/analyses.test.ts | Updates tests for new getAnalysisKinds signature and adds coverage for the new error. |
| lib/upload-sarif-action.js | Generated JS updated to reflect TS changes. |
| lib/upload-sarif-action-post.js | Generated JS updated to reflect TS changes. |
| lib/upload-lib.js | Generated JS updated to reflect TS changes. |
| lib/start-proxy-action.js | Generated JS updated to reflect TS changes. |
| lib/start-proxy-action-post.js | Generated JS updated to reflect TS changes. |
| lib/setup-codeql-action.js | Generated JS updated to reflect TS changes. |
| lib/resolve-environment-action.js | Generated JS updated to reflect TS changes. |
| lib/init-action-post.js | Generated JS updated to reflect TS changes. |
| lib/autobuild-action.js | Generated JS updated to reflect TS changes. |
| lib/analyze-action.js | Generated JS updated to reflect TS changes. |
| lib/analyze-action-post.js | Generated JS updated to reflect TS changes. |
Copilot's findings
- Files reviewed: 5/17 changed files
- Comments generated: 2
henrymercer
reviewed
May 12, 2026
How about instead treating multiple inputs as just code-scanning instead? If we want to make it an error, I'd suggest we allow a month's deprecation period and in the meantime logging a warning that this will be treated as an error in June? I agree this was marked as an internal input in the action.yml but I don't think we can rely on customers reading that.
henrymercer
approved these changes
May 12, 2026
The `analysis-kinds` input is experimental and for GitHub-internal use only. We provide no support for this input or its functionality.

We stopped using multiple analysis kinds per job months ago and intend to remove support for it entirely to reduce maintenance overheads and code complexity.

This PR logs an error if multiple analysis kinds are requested at the same time outside of our testing environments and only enables `code-scanning`. Full removal of the related code will follow at a future point.

Risk assessment
For internal use only. Please select the risk level of this change:
Which use cases does this change impact?
Workflow types:
Managed workflows do not specify multiple inputs for `analysis-kinds` and advanced setup is unsupported.
Products:
N/A
Environments:
`github.com` and/or GitHub Enterprise Cloud with Data Residency.
How did/will you validate this change?
`.test.ts` files).
`pr-checks`).
If something goes wrong after this change is released, what are the mitigation and rollback strategies?
How will you know if something goes wrong after this change is released?
Are there any special considerations for merging or releasing this change?
Merge / deployment checklist
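
The gating behaviour the PR description states (log an error and enable only `code-scanning` when several kinds are requested outside testing), sketched as an added example that is not the codeql-action source. `resolveAnalysisKinds`, `parseKinds`, `GateContext`, and the `code-quality` sample kind are assumptions made for illustration; `allowMultipleKinds` stands in for `Feature.AllowMultipleAnalysisKinds`.

```typescript
// Added illustration; every name here is hypothetical, not the project's code.
type AnalysisKind = "code-scanning" | "code-quality"; // "code-quality" is an assumed second kind
const KNOWN_KINDS: readonly AnalysisKind[] = ["code-scanning", "code-quality"];

interface GateContext {
  testMode: boolean;           // stands in for "our testing environments"
  allowMultipleKinds: boolean; // stands in for Feature.AllowMultipleAnalysisKinds
}

interface GateResult {
  kinds: AnalysisKind[];
  errors: string[]; // messages the caller would write to the error log
}

// Parse a comma-separated input, rejecting unknown names and dropping duplicates.
function parseKinds(input: string): AnalysisKind[] {
  const kinds: AnalysisKind[] = [];
  for (const raw of input.split(",")) {
    const name = raw.trim();
    if (name === "") continue;
    const idx = (KNOWN_KINDS as readonly string[]).indexOf(name);
    if (idx === -1) throw new Error(`Unknown analysis kind: ${name}`);
    if (kinds.indexOf(KNOWN_KINDS[idx]) === -1) kinds.push(KNOWN_KINDS[idx]);
  }
  return kinds;
}

// Several kinds are honoured only in test mode or behind the feature flag;
// otherwise the request collapses to code-scanning and an error is recorded.
function resolveAnalysisKinds(input: string, ctx: GateContext): GateResult {
  const requested = parseKinds(input);
  if (requested.length <= 1 || ctx.testMode || ctx.allowMultipleKinds) {
    return { kinds: requested, errors: [] };
  }
  return {
    kinds: ["code-scanning"],
    errors: [
      `Multiple analysis kinds requested (${requested.join(", ")}); ` +
        "only code-scanning will be enabled.",
    ],
  };
}
```

Returning the error text alongside the effective kinds lets a caller choose between logging it and raising it, which is the choice discussed in the review comments.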