Dependabot does not have write permissions in the repository, and it
causes failures when running on push events, because CodeQL needs write
access to upload the results of the scanning to GitHub.
This commit adds a conditional to run CodeQL if the event is a pull
request, OR if the actor is not dependabot. This conditional should
filter "push" events when dependabot is the actor, and always run pull
request scans.
Additional Context
Following guidance from this useful error message:
Summary Of Changes
Dependabot does not have write permissions in the repository, and it causes failures when running on push events, because CodeQL needs write access to upload the results of the scanning to GitHub.
This commit adds a conditional to run CodeQL if the event is a pull request, OR if the actor is not dependabot. This conditional should filter "push" events when dependabot is the actor, and always run pull request scans.
Additional Context
Following guidance from this useful error message:
https://github.com/rabbitmq/cluster-operator/actions/runs/11572316735/job/32212033650#step:6:56
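A sketch of how the conditional described above can be expressed in a GitHub Actions workflow. This is an added example, not the repository's actual workflow file: the workflow name, job name, trigger list, action versions and the `go` language setting are assumptions, and `dependabot[bot]` is the actor name GitHub reports for Dependabot.

```yaml
# Hypothetical CodeQL workflow illustrating the conditional; not the project's own file.
name: CodeQL

on:
  push:
  pull_request:

jobs:
  analyze:
    runs-on: ubuntu-latest
    # Always run for pull requests. For any other event (such as push),
    # run only when the actor is not Dependabot, because the upload step
    # needs write access that Dependabot does not have.
    if: github.event_name == 'pull_request' || github.actor != 'dependabot[bot]'
    permissions:
      actions: read
      contents: read
      security-events: write   # required to upload scan results
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go        # assumed language for this example
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

With this condition a Dependabot push shows the job as skipped rather than failed, so a skipped run on a Dependabot branch is expected and the pull request scan is the one to check.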