Always run codeql (latest) job on PRs so we can make it required

Author: henrymercer

.github/workflows/codeql.yml

@@ -46,13 +46,19 @@ jobs:
         CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
         echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
         echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
-        if [[ "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
-          # Just use `tools: null` to avoid duplication in the analysis job.
+
+        # If we're running on a pull request, run with both bundles, even if `tools: latest` would
+        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
+        # required status check.
+        #
+        # If we're running on push, then we can skip running with `tools: latest` when it would be
+        # the same as running with `tools: null`.
+        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
           VERSIONS_JSON='[null]'
         else
-          # Use both `tools: null` and `tools: latest` in the analysis job.
           VERSIONS_JSON='[null, "latest"]'
         fi
+
         # Output a JSON-encoded list with the distinct versions to test against.
         echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
         echo "::set-output name=versions::${VERSIONS_JSON}"