[release/v7.4.15] Bump github/codeql-action from 4.32.4 to 4.32.6#27143
Conversation
Pull request overview
Backports the dependency update for github/codeql-action on release/v7.4.15 by changing the pinned SHAs used in the CodeQL reusable workflow and the Scorecards workflow.
Changes:
- Update pinned github/codeql-action SHA for init and analyze in the reusable CodeQL workflow.
- Update pinned github/codeql-action SHA for upload-sarif in the Scorecards workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/analyze-reusable.yml | Updates the pinned SHA for github/codeql-action/init and github/codeql-action/analyze. |
| .github/workflows/scorecards.yml | Updates the pinned SHA for github/codeql-action/upload-sarif used to upload Scorecards SARIF results. |
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 | ||
| uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 | ||
| with: |
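Review bot: the trailing version comment on the new init line is still `# v3.29.5` although the pinned commit changed from 4e94bd11 to 0d579ffd and the PR title says the bump is to 4.32.6, so either the comment or the PR metadata is wrong. Dependabot maintains that comment and relies on it to know which version a SHA pin currently sits at, so a stale comment will keep producing bumps against the wrong baseline. Suggest confirming the commit the tag resolves to with `git ls-remote https://github.com/github/codeql-action refs/tags/v4.32.6` and then writing `uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6` if it matches.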
PR title/description says this backport bumps github/codeql-action from 4.32.4 to 4.32.6, but this line is annotated as v3.29.5. Please confirm the pinned SHA corresponds to v4.32.6 and update the inline version comment accordingly (or adjust PR metadata if v3.29.5 is actually intended).
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 | ||
| uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 No newline at end of file |
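Review bot: the analyze step carries the same unchanged `# v3.29.5` comment as init, and the file now ends without a trailing newline ("No newline at end of file"). Pinning init and analyze to the identical SHA is the right thing, since analyze should run the same action version that init set up; correct the comment on both lines together so the two stay in lockstep, and restore the trailing newline at the end of analyze-reusable.yml.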
PR title/description says this backport bumps github/codeql-action from 4.32.4 to 4.32.6, but this line is still annotated as v3.29.5. Please confirm the pinned SHA corresponds to v4.32.6 and update the inline version comment accordingly (or adjust PR metadata if v3.29.5 is actually intended).
| # Upload the results to GitHub's code scanning dashboard. | ||
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@f72882a05ba58122a44b17f2fce8fb50e5c79a59 # v2.25.0 | ||
| uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 | ||
| with: |
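Review bot: upload-sarif jumps from a pin annotated `# v2.25.0` straight to 0d579ffd annotated `# v3.29.5` (with the PR claiming 4.32.6), so this step crosses at least one major version boundary in a single change. Check the `with:` inputs that follow this line against the inputs the action accepts at the new commit before merging, and fix the version comment to whatever the SHA actually corresponds to. Landing all three steps (init, analyze, upload-sarif) on one SHA is the correct end state.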
PR title/description says this backport bumps github/codeql-action from 4.32.4 to 4.32.6, but this step is annotated as v3.29.5 (and the previous pin was v2.25.0). Please confirm the pinned SHA corresponds to v4.32.6 and update the inline version comment accordingly (or adjust PR metadata if v3.29.5 is actually intended).
0cfc2c7 into PowerShell:release/v7.4.15
Backport of #26942 to release/v7.4.15
Triggered by @adityapatwardhan on behalf of @app/dependabot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Updates the pinned github/codeql-action SHAs used by CodeQL and scorecard workflows on release/v7.4.15 so the release branch carries the same CodeQL action bump as main.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Verified the backport cherry-pick on release/v7.4.15 and resolved the two workflow conflicts by applying the newer github/codeql-action SHAs from the original PR. No Pester or product test suite was run because the change only updates pinned GitHub Actions workflow references.
Risk
REQUIRED: Check exactly one box.
This changes security scanning workflow dependencies on a servicing branch. The scope is limited to pinned GitHub Actions SHAs in two workflow files, but workflow and build infrastructure changes can affect CI behavior broadly.
Merge Conflicts
Cherry-pick conflicted in .github/workflows/analyze-reusable.yml and .github/workflows/scorecards.yml because release/v7.4.15 already pinned different github/codeql-action SHAs. Resolved by taking the newer 4.32.6-related SHA updates from the original PR for init, analyze, and upload-sarif.
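The PR's own testing was limited to verifying the cherry-pick, and the review comments above turn on whether the SHA, the trailing version comment and the PR title agree. The following is an added example, not code from this PR or from the PowerShell repository: an offline Python lint that extracts `uses:` references from workflow text, requires every action to be pinned to a full 40-hex commit SHA with a trailing version comment, and checks that every reference to one repository (github/codeql-action here) agrees on a single SHA and a single version annotation that matches the version the bump claims. The workflow snippets are constructed from the hunks in this PR; the `DRIFTED` file is an invented third workflow that still carries the pre-PR upload-sarif pin plus a tag-pinned action, to show what the check flags.

```python
"""Offline lint for SHA-pinned GitHub Actions references (added example)."""
import re
from collections import defaultdict

# Constructed sample inputs: the two workflow files as they look after this PR.
ANALYZE_REUSABLE = """\
    - name: Initialize CodeQL
      uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5
"""
SCORECARDS = """\
    - name: "Upload to code-scanning"
      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5
"""
# Constructed (hypothetical) third file: the pre-PR upload-sarif pin is still
# present, and one action is pinned to a mutable tag instead of a commit SHA.
DRIFTED = """\
    - uses: actions/checkout@v4
    - uses: github/codeql-action/upload-sarif@f72882a05ba58122a44b17f2fce8fb50e5c79a59 # v2.25.0
"""

USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<repo>[\w.-]+/[\w.-]+)"            # owner/name
    r"(?:/(?P<subpath>[\w./-]+))?"          # optional sub-action such as init
    r"@(?P<ref>\S+)"                        # tag, branch or commit SHA
    r"[ \t]*(?:#[ \t]*(?P<comment>\S+))?",  # trailing version comment, if any
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(text, path):
    """Return one dict (repo, subpath, ref, comment, file) per `uses:` line."""
    return [dict(m.groupdict(), file=path) for m in USES_RE.finditer(text)]


def check_pins(files, repo="github/codeql-action", expected_version=None):
    """files maps path -> workflow text. Returns a list of human-readable findings.

    Every action must be pinned to a full commit SHA and carry a version
    comment; all references to `repo` must share one SHA and one comment, and
    that comment must equal expected_version when one is given.
    """
    findings = []
    pins = defaultdict(set)  # sha -> set of version comments seen for `repo`
    for path, text in files.items():
        for step in parse_uses(text, path):
            where = f"{path}: {step['repo']}@{step['ref']}"
            if not SHA_RE.match(step["ref"]):
                findings.append(f"{where} is not pinned to a full commit SHA")
                continue
            if step["comment"] is None:
                findings.append(f"{where} has no trailing version comment")
            if step["repo"] == repo:
                pins[step["ref"]].add(step["comment"] or "<none>")
    if len(pins) > 1:
        findings.append(f"{repo} is pinned to {len(pins)} different SHAs: {sorted(pins)}")
    for sha, comments in pins.items():
        if len(comments) > 1:
            findings.append(f"{repo}@{sha} carries conflicting version comments {sorted(comments)}")
        if expected_version and expected_version not in comments:
            findings.append(
                f"{repo}@{sha} is annotated {sorted(comments)} but the bump claims {expected_version}"
            )
    return findings


if __name__ == "__main__":
    after_pr = {"analyze-reusable.yml": ANALYZE_REUSABLE, "scorecards.yml": SCORECARDS}
    # As merged: one SHA everywhere, but the comment disagrees with the PR title.
    for f in check_pins(after_pr, expected_version="v4.32.6"):
        print("FINDING:", f)
    # With the drifted file added: a tag pin and two different SHAs for one action.
    for f in check_pins({**after_pr, "drifted.yml": DRIFTED}):
        print("FINDING:", f)
```

Run against the two files as merged, the lint reports exactly one finding: the pins agree, but `v3.29.5` is not the `v4.32.6` the PR claims. What it cannot do offline is prove that the SHA is the commit the tag points to; for that, run `git ls-remote https://github.com/github/codeql-action refs/tags/v4.32.6` and compare the peeled (`^{}`) commit line, if present, against the pinned SHA before trusting the comment.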