Skip to main content
Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Required Workflows

What is a required workflow?

A required workflow is automation that must pass before a pull request can be merged. Required workflows are used to enforce organizational security policies.

Note: Required workflows are configured by GitHub organization administrators and are not configurable at the repository level.

Which required workflows are deployed?

The following required workflows are deployed in the Department of Veterans Affairs GitHub organization:

  • Code Scanning using CodeQL must be configured on your repository
  • All code scanning alerts must be remediated within 30 days of being identified

If your repository does not meet these requirements at the time a pull request is opened, you will see a failure notice on your pull request as well as information about why the failure occurred and how to remediate it.

Note: At this time, the VA’s required workflows are only enabled as a notification and not a requirement. This means that the policy will not prevent code from being merged into a protected branch, but it will notify the user of any policy violations.

You may merge a pull request regardless of the status of any policy at this time.