What is a required workflow?
A required workflow is automation that must pass before a pull request can be merged. Required workflows are used to enforce organizational security policies.
Note: Required workflows are configured by GitHub organization administrators and are not configurable at the repository level.
Which required workflows are deployed?
The following required workflows are deployed in the Department of Veterans Affairs GitHub organization:
- Code Scanning using CodeQL must be configured on your repository
- All code scanning alerts must be remediated within 30 days of being identified
If your repository does not meet these requirements at the time a pull request is opened, you will see a failure notice on your pull request as well as information about why the failure occurred and how to remediate it.
Note: At this time, the VA’s required workflows are enabled for notification only and are not enforced. The policy will not prevent code from being merged into a protected branch, but it will notify the user of any policy violations.
You may merge a pull request regardless of the status of any policy at this time.