[release/v7.4.15] Bump github/codeql-action from 4.32.6 to 4.34.1#27171
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Pull request overview
Backport intended to update GitHub Actions used for security scanning (CodeQL/Scorecards) on the release/v7.4.15 branch, primarily by updating action pins (commit SHAs) and inline version annotations.
Changes:
- Updated `github/codeql-action` pins (commit SHAs) used by the reusable CodeQL workflow.
- Updated Scorecards workflow action pins, including `github/codeql-action/upload-sarif` and several other third-party actions.
- Bumped `actions/checkout` and `actions/upload-artifact` pins referenced by workflows.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/scorecards.yml | Updates multiple workflow action pins (checkout, scorecards action, upload-artifact, and codeql upload-sarif). |
| .github/workflows/analyze-reusable.yml | Updates checkout pin and CodeQL init/analyze action SHAs used by the reusable analysis workflow. |
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 | ||
| uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5 | ||
| with: | ||
| languages: ${{ matrix.language }} |
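Review bot: the `# v3.29.5` annotation on the new `init` pin (38697555…) is carried over unchanged from the old line even though the SHA changed, so the comment no longer tells a reader which release the new commit corresponds to, and the inline annotation is the only thing a reviewer can check without resolving the SHA. Update it to the tag the new SHA actually resolves to (for example via `git ls-remote https://github.com/github/codeql-action refs/tags/<tag>` before merging), and apply the same annotation to the `analyze` pin this file also updates so the two steps stay in lockstep.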
The PR title/description says this backport bumps github/codeql-action from 4.32.6 to 4.34.1, but this workflow is still pinned (per the inline comment) to v3.29.5 for both init and analyze (only the SHA changed). Please reconcile this by either updating the pinned SHA/comment to the intended CodeQL Action version, or adjusting the PR metadata to match what’s actually being updated.
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | ||
| uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | ||
| with: | ||
| persist-credentials: false | ||
| - name: "Run analysis" | ||
| uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 | ||
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 | ||
| with: |
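Review bot: `actions/checkout` jumps three major versions (v3.6.0 to v6.0.0) on a release branch; a jump that large can change the action's required runner Node.js version, so confirm the runners this branch's workflows use still execute it before merging rather than relying on Dependabot's compatibility check alone. `persist-credentials: false` is kept on the new line, which is the right setting for a read-only scanning workflow and should not be dropped when resolving conflicts.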
The PR is described as a github/codeql-action version bump, but this workflow also upgrades other actions (actions/checkout v3→v6, ossf/scorecard-action v2.0.6→v2.4.3, actions/upload-artifact v3→v7) in the same change. If those upgrades are intentional, the PR title/description should reflect that broader scope; if not, consider reverting the unrelated action bumps to keep this backport focused and lower risk.
| # Upload the results to GitHub's code scanning dashboard. | ||
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@f72882a05ba58122a44b17f2fce8fb50e5c79a59 # v2.25.0 | ||
| uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5 | ||
| with: | ||
| sarif_file: results.sarif |
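Review bot: the `upload-sarif` pin crosses a major version (v2.25.0 to v3.29.5) while its inputs (`sarif_file: results.sarif`) are unchanged; major releases of an action can drop or rename inputs, so run this workflow once on the branch and confirm the upload step still succeeds before merging. On the positive side, the new SHA is the same commit as the `init` pin in analyze-reusable.yml, so both workflows now track a single codeql-action commit and any future bump only has one SHA to update per file.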
This workflow updates github/codeql-action/upload-sarif from v2.25.0 to v3.29.5, which doesn’t align with the PR title/description claiming a bump to 4.34.1. Please confirm the intended CodeQL Action major/minor version for this release branch and update the pinned SHA/comment accordingly (or adjust the PR metadata if v3.29.5 is the actual target).
Backport of #27087 to release/v7.4.15
Triggered by @adityapatwardhan on behalf of @dependabot[bot]
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Updates github/codeql-action from 4.32.6 to 4.34.1 in GitHub Actions workflows for CodeQL security scanning.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Verified by Dependabot compatibility checks. The codeql-action version bump is a standard dependency update with no behavioral changes to PowerShell itself.
Risk
REQUIRED: Check exactly one box.
This is a minor dependency version bump for a GitHub Actions tooling component. It does not affect PowerShell runtime behavior.
Merge Conflicts
Resolved conflicts in .github/workflows/analyze-reusable.yml and .github/workflows/scorecards.yml by accepting the incoming PR changes (updated action SHAs).
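All three review comments above turn on the same check: that every `uses:` line is pinned to a full commit SHA, that its inline `# vX.Y.Z` annotation is present and consistent wherever the same SHA appears, and that the same action is not pinned to different commits in different workflow files. As an added example (not part of this PR or the PowerShell repository), the following Python audit performs those checks offline over workflow text. The sample inputs are constructed from the pins visible in this PR; the old `actions/checkout` SHA and a tag-pinned `actions/upload-artifact@v7` are included on purpose so the audit has something to report.

```python
import re
from collections import defaultdict

# Matches a workflow step such as:
#   uses: github/codeql-action/init@<40-hex sha> # v3.29.5
# Local actions (./path) and docker:// references have no owner/repo@ref
# form and are deliberately not matched.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w.-]+)*)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<note>\S+).*)?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(text):
    """Return (action, ref, annotation) for every matching `uses:` line."""
    found = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            found.append((m.group("action"), m.group("ref"), m.group("note")))
    return found


def audit(workflows):
    """workflows: {filename: workflow text}. Returns a list of finding strings."""
    findings = []
    notes_by_sha = defaultdict(set)   # sha -> set of annotations seen for it
    shas_by_repo = defaultdict(dict)  # owner/repo -> {sha: set of files}
    for fname, text in workflows.items():
        for action, ref, note in parse_uses(text):
            if not SHA_RE.match(ref):
                # A tag or branch can be moved; only a commit SHA is immutable.
                findings.append(f"{fname}: {action}@{ref} is not pinned to a full commit SHA")
                continue
            if note is None:
                findings.append(f"{fname}: {action}@{ref[:12]} lacks a '# vX.Y.Z' annotation")
            else:
                notes_by_sha[ref].add(note)
            repo = "/".join(action.split("/")[:2])  # init/analyze/upload-sarif share one repo
            shas_by_repo[repo].setdefault(ref, set()).add(fname)
    for sha, notes in notes_by_sha.items():
        if len(notes) > 1:
            findings.append(f"{sha[:12]} annotated inconsistently: {sorted(notes)}")
    for repo, shas in shas_by_repo.items():
        if len(shas) > 1:
            detail = ", ".join(
                f"{s[:12]} ({', '.join(sorted(files))})" for s, files in sorted(shas.items())
            )
            findings.append(f"{repo} pinned to {len(shas)} different commits: {detail}")
    return findings


# Constructed sample inputs (hypothetical file contents built from the pins
# shown in this PR; the analyze step is assumed to share the init SHA).
SAMPLE_WORKFLOWS = {
    ".github/workflows/analyze-reusable.yml": """
    steps:
      - name: Checkout repository
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Initialize CodeQL
        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5
    """,
    ".github/workflows/scorecards.yml": """
    steps:
      - name: "Checkout code"
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: "Run analysis"
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
      - name: "Upload artifact"
        uses: actions/upload-artifact@v7
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5
    """,
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOWS):
        print(finding)
```

Running it on the sample reports two findings: the tag-pinned `upload-artifact` step and `actions/checkout` being pinned to two different commits across the two files. The annotation check stays quiet here because every occurrence of 38697555… carries the same `v3.29.5` note; it would fire if one file were updated to a new version comment and the other left behind, which is exactly the drift the review comments ask the author to reconcile.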