codeql-action/init workflow validation doesn't respect custom source-root

[g-ulli]

We get the warning

Warning: Unable to validate code scanning workflow: error: getWorkflow() failed: Error: Expected to find a code scanning workflow file at /home/runner/_work/ProDriver-Safety-Path/ProDriver-Safety-Path/.github/workflows/nightly_codeql.yml, but no such file existed. This can happen if the currently running workflow checks out a branch that doesn't contain the corresponding workflow file.

in our custom CodeQL workflow. We check out our repository in a custom location and specify this location using source-root:

  - name: Checkout
    uses: actions/checkout@v4
    if: always()
    with:
        path: "my-custom-path"

  - name: Initialize CodeQL
    uses: github/codeql-action/init@v3
    with:
        languages: ${{ matrix.language }}
        build-mode: ${{ matrix.build-mode }}
        source-root: "my-custom-path"

It looks like the bug is this code:

codeql-action/src/workflow.ts

Lines 285 to 290 in c6e30a2

	async function getWorkflowAbsolutePath(logger: Logger): Promise<string> {
	const relativePath = await api.getWorkflowRelativePath();
	const absolutePath = path.join(
	getRequiredEnvParam("GITHUB_WORKSPACE"),
	relativePath,
	);

[mbg]

Hi @g-ulli 👋🏻

Thanks for reporting this. The workflow validation is generally best-effort and you can obviously ignore the warning if you are not having any other problems with your analysis.

The input for source-root is somewhat unrelated here, because it is referring to the root of the directory containing the source code you wish to analyse with CodeQL, not the root of the checkout for the repository containing the active workflow. The workflow validation that's producing the warning here is not part of the CodeQL analysis. If you're concerned about e.g. actions analysis, that should work fine and is unrelated to this workflow validation.

Generally, GitHub Actions expects the .github/workflows folder to exist in $GITHUB_WORKSPACE (e.g. for reusable / local actions). For simple workflows that doesn't matter too much, but for more complex workflows you may run into issues. If you're checking out your repo outside of $GITHUB_WORKSPACE and run into issues, consider moving the .github/workflows directory back to $GITHUB_WORKSPACE after checking out the repo.