[release/v7.5.6] Bump github/codeql-action from 4.32.4 to 4.32.6#27159
Conversation
Pull request overview
Backport to release/v7.5.6 updating the pinned github/codeql-action commit SHAs used by release GitHub Actions workflows, to keep CodeQL scanning tooling current.
Changes:
- Update the github/codeql-action/upload-sarif pin in the Scorecards workflow.
- Update the github/codeql-action/init and github/codeql-action/analyze pins in the reusable CodeQL analysis workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/scorecards.yml | Updates the pinned SHA for github/codeql-action/upload-sarif used to upload SARIF results. |
| .github/workflows/analyze-reusable.yml | Updates the pinned SHAs for CodeQL init and analyze steps in the reusable workflow. |
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 | ||
| uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 |
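Review bot: both the removed and the added pin on the `Initialize CodeQL` step carry the same `# v3.29.5` annotation while the SHA changes from 4e94bd1 to 0d579ff; a release tag resolves to exactly one commit, so at least one of the two comments is wrong, and the PR title says the target is 4.32.6. Resolve the tag for the new commit with `git ls-remote --tags https://github.com/github/codeql-action | grep 0d579ffd` and write that tag into the comment. Dependabot reads the `# vX.Y.Z` comment on a SHA pin to decide which version the workflow is on, so a stale comment also skews its future bump proposals.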
The PR title/description indicates a bump to github/codeql-action 4.32.6, but this workflow pins init/analyze to a SHA annotated as v3.29.5. Please confirm the intended CodeQL Action release for this backport and update the inline version comment(s) (and/or the pinned SHA) so the workflow and PR metadata are consistent.
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 | ||
| uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 |
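Review bot: the upload-sarif pin moves from eb055d7 (`# v3.26.0`) to 0d579ff, the same commit the reusable workflow now uses for init and analyze, which is the right shape (every github/codeql-action sub-action on one commit), but the comment says v3.29.5 while the PR title says 4.32.6. If the commit really is a 4.x release, this hunk is a major-version jump for this workflow rather than a patch bump, and the annotation should say so; if it is not, the PR title and description are wrong. Either way, confirm the tag against `git ls-remote --tags` before this lands on a release branch.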
The workflow now pins upload-sarif to a SHA annotated as v3.29.5, but the PR title/description says the bump is to github/codeql-action 4.32.6. Please verify the SHA corresponds to the intended release and align the inline version comment (or PR metadata) to avoid ambiguity about what version is actually being used.
b38c846 into PowerShell:release/v7.5.6
Backport of #26942 to release/v7.5.6
Triggered by @adityapatwardhan on behalf of @app/dependabot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
Tooling Impact
Updates pinned github/codeql-action SHAs used by release workflow files to keep CI security tooling current on release/v7.5.6.
Customer Impact
Regression
This is not a regression.
Testing
Verified cherry-pick completed successfully after resolving branch-drift conflicts in two workflow files, and validated the resulting branch has only the intended CodeQL action SHA updates with a clean git status.
Risk
Change is limited to pinned GitHub Actions SHA updates in two workflow YAML files with no runtime product code changes.
Merge Conflicts
Resolved conflicts in .github/workflows/analyze-reusable.yml and .github/workflows/scorecards.yml by applying only the intended codeql-action SHA bumps from the original PR while preserving release/v7.5.6 workflow structure.
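A local check a backport reviewer can run over the two workflow files before merging, as an added example that is not part of this PR or the PowerShell repository: it parses every `uses:` step, flags refs that are not full 40-hex commit SHAs, and reports when one `# vX.Y.Z` comment is attached to two different SHAs (the inconsistency the review comments above point at), or one SHA carries two different comments. The sample workflow text is constructed from the `uses:` lines visible in the hunks; the optional `tag_map` argument and the `v9.9.9` tag used with it in the usage block are placeholders, since the real map has to come from `git ls-remote --tags` against the action repository.

```python
import re
from collections import defaultdict

# Constructed sample input (not a file from the PowerShell repository): the
# `uses:` lines from this PR's hunks, plus an unpinned step for contrast.
SAMPLE_WORKFLOW = """\
jobs:
  analyze:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5
      - name: Initialize CodeQL (pre-bump pin, the hunk's removed line)
        uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5
"""

# `uses: owner/repo[/sub-path]@ref  # optional version comment`
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*["']?(?P<action>[^@\s"']+)@(?P<ref>[^\s"']+)["']?"""
    r"""\s*(?:#\s*(?P<comment>\S+))?"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(text):
    """Yield (repo, ref, comment) per `uses:` step; repo drops the sub-action path."""
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        repo = "/".join(m["action"].split("/")[:2])
        yield repo, m["ref"], m["comment"]


def audit(text, tag_map=None):
    """
    Return sorted findings as (kind, repo, detail) tuples.

    tag_map (optional) is {repo: {sha: tag}} resolved out-of-band, e.g. from
    `git ls-remote --tags https://github.com/<repo>`; when given, each version
    comment is checked against the tag the pinned SHA actually carries.
    """
    findings = []
    comments_by_sha = defaultdict(set)   # (repo, sha) -> comments seen on it
    shas_by_comment = defaultdict(set)   # (repo, comment) -> shas it annotates
    for repo, ref, comment in parse_uses(text):
        if not FULL_SHA_RE.match(ref):
            findings.append(("unpinned", repo, ref))       # tag/branch, not a SHA
            continue
        if comment is None:
            findings.append(("no-version-comment", repo, ref[:7]))
            continue
        comments_by_sha[(repo, ref)].add(comment)
        shas_by_comment[(repo, comment)].add(ref)
        if tag_map and repo in tag_map:
            actual = tag_map[repo].get(ref)
            if actual is None:
                findings.append(("sha-not-a-release-tag", repo, ref[:7]))
            elif actual != comment:
                findings.append(("comment-tag-mismatch", repo,
                                 f"{ref[:7]} is {actual}, comment says {comment}"))
    # A release tag resolves to one commit: the same comment on two SHAs means
    # at least one comment is stale. One SHA with two comments can be a moving
    # major tag (v3 vs v3.29.5) but still deserves a look.
    for (repo, sha), comments in comments_by_sha.items():
        if len(comments) > 1:
            findings.append(("sha-multi-version", repo,
                             f"{sha[:7]} annotated as {sorted(comments)}"))
    for (repo, comment), shas in shas_by_comment.items():
        if len(shas) > 1:
            findings.append(("version-multi-sha", repo,
                             f"{comment} on {sorted(s[:7] for s in shas)}"))
    return sorted(findings)


if __name__ == "__main__":
    # Placeholder tag map: v9.9.9 is NOT a real codeql-action tag for this SHA.
    hypothetical = {"github/codeql-action":
                    {"0d579ffd059c29b07949a3cce3983f0780820c98": "v9.9.9"}}
    for finding in audit(SAMPLE_WORKFLOW, hypothetical):
        print(*finding, sep="  ")
```

Run it as `python audit_pins.py .github/workflows/*.yml` after swapping the sample for file contents; the offline checks alone already catch the same-comment-different-SHA pattern in the init hunk, and supplying a real `tag_map` turns the version comments into something that is verified rather than trusted.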