Chore: Suppress unqualified CodeQL admonitions

amotl · amotl · commit c469eae8546b · 2024-11-14T00:45:21.000+01:00
GitHub's CodeQL flags [1] those spots with "Unused global variable" [2]. Based on a suggestion [3], this patch attempts to use the `advanced-security/dismiss-alerts` [4] GitHub Action recipe to provide measures to suppress CodeQL flagging by using inline code annotations. [1] https://github.com/crate/crate-python/security/code-scanning [2] https://codeql.github.com/codeql-query-help/python/py-unused-global-variable/ [3] github/codeql#11427 (comment) [4] https://github.com/advanced-security/dismiss-alerts
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -63,3 +63,19 @@ jobs:
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
+          # define the output folder for SARIF files
+          output: sarif-results
+
+      # Unlock inline mechanism to suppress CodeQL warnings.
+      # https://github.com/github/codeql/issues/11427#issuecomment-1721059096
+      - name: Dismiss alerts
+        if: github.ref == 'refs/heads/main'
+        uses: advanced-security/dismiss-alerts@v1
+        with:
+          # specify a 'sarif-id' and 'sarif-file'
+          sarif-id: ${{ steps.analyze.outputs.sarif-id }}
+          sarif-file: sarif-results/${{ matrix.language }}.sarif
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
diff --git a/src/crate/client/__init__.py b/src/crate/client/__init__.py
@@ -31,6 +31,6 @@
 # regex!
 __version__ = "1.0.0"
 
-apilevel = "2.0"
-threadsafety = 1
-paramstyle = "qmark"
+apilevel = "2.0"  # codeql[py/unused-global-variable]
+threadsafety = 1  # codeql[py/unused-global-variable]
+paramstyle = "qmark"  # codeql[py/unused-global-variable]
