Our company manages two separate organization accounts on GitHub.
In Organization A, we successfully use CodeQL to scan our repositories. However, we are encountering an issue when integrating a repository from Organization B into a repository in Organization A using Swift Package Manager.
To access the private repository from Organization B, we have added a keychain entry, which works well for standard builds. Unfortunately, it fails during CodeQL scanning.
I suspect there may be a mechanism in place to prevent circumvention of licensing through transitive scanning. Is this correct? I believe that only Organization A holds the license for CodeQL in private repositories.
The reason for my suspicion is that before we added the keychain entry, it simply failed, stating it could not access the repo in org B. Now that the keychain entry is in place, it starts downloading from org B but never succeeds; it just gets stuck on that step.
Thank you for your assistance.
I see. I've created a support ticket, but will keep this issue open for a bit longer in case anyone has a solution or shares similar experiences.
Interestingly, our standard build workflow operates correctly, and SPM can fetch the repository using the keychain entry with a PAT. The only difference between the functioning workflow and the one that hangs while trying to fetch the other repository is the initialization of CodeQL.