GUARD-2071: Remove Advanced CodeQL setup in favor of Default Setup#205
Merged
Jordi Soucheiron (jsoucheiron) merged 1 commit intomasterfrom Feb 6, 2026
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the CodeQL workflow to use a new labeled runner that has allowlisted IPs for the Skyscanner GitHub organization. This eliminates the need for the previous workaround that used a GitHub App token and manual SARIF upload via curl.
Changes:
- Updated runner from
ubuntu-latesttoubuntu-24.04-2cores-tools-public - Removed GitHub App token generation step and all associated token references
- Removed manual SARIF upload workaround (gzip, base64 encoding, and curl upload steps)
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
The Advanced CodeQL workflow was originally added to work around IP allowlist restrictions that prevented standard GitHub runners from uploading SARIF results to GHAS. Now that the org-level GHAS configuration uses the labeled runner `ubuntu-24.04-2cores-tools-public` which has allowlisted IPs, this repo can use the Default Setup managed at the org level. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Ujjwal Saini (UjjwalSaini19)
force-pushed
the
GUARD-2071-update-codeql-runner
branch
from
f5f05e2 to
59411e8
Compare
Ujjwal Saini (UjjwalSaini19)
changed the title
Ramon (w0rmr1d3r)
approved these changes
Feb 6, 2026
Jordi Soucheiron (jsoucheiron)
approved these changes
Feb 6, 2026
Jordi Soucheiron (jsoucheiron)
deleted the
GUARD-2071-update-codeql-runner
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Removes the Advanced CodeQL workflow file in favor of using the org-level Default Setup.
Why
The Advanced CodeQL workflow was originally added to work around IP allowlist restrictions that prevented standard GitHub runners from uploading SARIF results to GHAS.
Now that the org-level GHAS configuration ("Skyscanner Public Repos GHAS configuration") uses the labeled runner
ubuntu-24.04-2cores-tools-publicwhich has allowlisted IPs, this repo can use the Default Setup managed at the org level instead.Changes
.github/workflows/codeql.yml(Advanced Setup workflow)Test plan
Related
🤖 Generated with Claude Code