From 2a60953b4fa478ebaa0dd96d4c124da8b4349d1e Mon Sep 17 00:00:00 2001
From: Carlos Eduardo Arango Gutierrez
Date: Fri, 13 Mar 2026 16:18:58 +0100
Subject: [PATCH] ci(codeql): guard analyze job against changed-scope failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If changed-scope fails (runner error, OOM, etc.), all its outputs become empty strings. The Check scope step won't match any case, so SHOULD_RUN stays empty and all matrix entries silently skip — yet the job shows green. Add an explicit failure guard so analyze correctly surfaces the upstream failure.

Signed-off-by: Carlos Eduardo Arango Gutierrez
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c714bf01c99..bda0f48ddb2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -96,7 +96,7 @@ jobs:
 analyze:
 name: Analyze (${{ matrix.language }})
 needs: [docs-scope, changed-scope]
- if: needs.docs-scope.outputs.docs_only != 'true'
+ if: needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.result != 'failure'
 runs-on: ${{ matrix.runs_on }}
 strategy:
 fail-fast: false
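Review bot: The added `needs.changed-scope.result != 'failure'` clause on the `if:` of `analyze` makes the job skip rather than fail, and GitHub reports a skipped job as success to required status checks, so a broken changed-scope can still let a pull request merge with no CodeQL run. Because the condition contains no status function, the implicit `success()` presumably already skipped `analyze` when a needed job failed, so the clause may not change behaviour. To fail closed, let the job start with `if: ${{ !cancelled() && needs.docs-scope.outputs.docs_only != 'true' }}` and give it a first step carrying `if: needs.changed-scope.result != 'success'` and `run: exit 1`, which also covers a cancelled or skipped changed-scope. The `analyze` job and the definition of changed-scope continue outside the hunk, so confirm whether changed-scope or its steps set `continue-on-error` before relying on `result`.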