The [rng] project was signed up to LGTM.com analysis (I presume at their website). This is now being decommissioned. The underlying analysis engine is CodeQL and this is migrating to direct support as a GitHub Action.

Do we want to continue with this for [rng]? There is a PR open by their bot to enable it [1]. AFAICR the analysis has never noticed any issues. We get far more feedback from using the SonarCloud analysis that is run by the Jenkins CI build [2].

I compared their recommended GH workflow to the one configured for [lang]. It appears mostly the same. I note that both ask for write permission to the security events. I do not know how this fits with the security policy to not publicly disclose events until reviewed and patched, i.e. I do not know if the security tab for the GH page is restricted, and where event notifications will be sent. So I do not want to enable this without further investigation, unless someone can confirm what exactly the CodeQL build analysis will do if it finds something.

Alex

[1] https://github.com/apache/commons-rng/pull/119
[2] https://sonarcloud.io/project/overview?id=commons-rng
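For reference, the shape of the workflow being discussed, as an added illustration rather than the file from the PR itself: the `permissions` block is the part the message questions. The action names (`actions/checkout`, `github/codeql-action/init`, `autobuild`, `analyze`) are the published ones; the branch name and the `java` language are assumptions for a Commons project.

```yaml
name: "CodeQL"

on:
  push:
    branches: [ master ]      # assumed default branch
  pull_request:
    branches: [ master ]

# Least-privilege token for the job: any scope not listed here is "none".
# security-events: write is the scope that lets the analyze step upload
# its SARIF results to the repository's code scanning alerts (Security tab);
# contents: read is only needed to check out the source.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ 'java' ]  # assumed: the project is Java

    steps:
      - uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}

      # Compiled languages need a build so CodeQL can extract its database
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      # Runs the queries and, with the permission above, uploads the results
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```

Without `security-events: write` the upload in the last step fails, so dropping the scope is not a way to run the analysis quietly. If the aim is to see what CodeQL reports before anything lands in the Security tab, the `analyze` step accepts `upload: false` and leaves the SARIF file under the directory named by its `output` input, which can be attached as a workflow artifact and reviewed by hand; who can view alerts once they are uploaded is governed by the repository's permission settings, which is the open question in the message.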