[release/v7.5.6] Bump github/codeql-action from 4.34.1 to 4.35.1#27174
Pull request overview
Backports a dependency bump for the repository’s security-analysis GitHub Actions workflows on release/v7.5.6, updating pinned github/codeql-action references used for CodeQL analysis and SARIF upload.
Changes:
- Update `github/codeql-action/init` and `github/codeql-action/analyze` pins in the reusable CodeQL workflow.
- Update `github/codeql-action/upload-sarif` pin in the Scorecards workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/analyze-reusable.yml | Updates pinned SHAs for CodeQL init/analyze steps. |
| .github/workflows/scorecards.yml | Updates pinned SHA for CodeQL SARIF upload step. |
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 | ||
| uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5 |
The inline version comment (# v3.29.5) doesn’t match the PR title/description, which says this backport bumps github/codeql-action from 4.34.1 to 4.35.1. Please confirm the pinned SHA corresponds to the intended 4.35.1 release and update the comment (and/or SHA) so the workflow is clearly on the expected CodeQL Action version.
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 | ||
| uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5 |
This step is pinned to the same SHA/comment as the init step, but the version comment (# v3.29.5) conflicts with the PR’s stated goal of bumping github/codeql-action to 4.35.1. Please verify this SHA is the 4.35.1 release commit (or update the pin) and adjust the comment accordingly.
| # Upload the results to GitHub's code scanning dashboard. | ||
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 | ||
| uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5 |
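Review bot: this hunk moves upload-sarif from a pin (eb055d7, `# v3.26.0`) that lagged the init/analyze pin (4e94bd1, `# v3.29.5`) onto the same c10b806 SHA as the other two steps, which is the consistent end state, but the Testing section says validation was limited to reviewing the YAML, so nothing has confirmed that c10b806 is the 4.35.1 commit named in the PR title; check the SHA against the upstream release tag and set all three `# v…` comments to that tag in the same commit, since a stale comment beside a correct SHA is what a later reader or bump tooling will see.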
The version comment (# v3.29.5) here doesn’t align with the PR title/description (bump github/codeql-action 4.34.1 → 4.35.1). Please double-check the pinned SHA is for the intended 4.35.1 release and update the comment (and/or pin) so the workflow reflects the PR’s stated version bump.
Backport of #27120 to release/v7.5.6
Triggered by @adityapatwardhan on behalf of @dependabot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Updates the pinned github/codeql-action references used by CodeQL and scorecards workflows on release/v7.5.6 so the release branch receives the upstream 4.35.1 fix.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Cherry-picked PR #27120 onto release/v7.5.6 and resolved the workflow pin conflicts by applying the updated CodeQL action SHA to the existing release-branch workflow definitions. Validation was limited to reviewing the resulting YAML changes; no local GitHub Actions execution is available from this environment.
Risk
REQUIRED: Check exactly one box.
The change only updates pinned GitHub Actions workflow dependencies, but it affects repository security-analysis workflows that run in CI. The scope is small and matches the original upstream dependency bump.
Merge Conflicts
Conflicts occurred because release/v7.5.6 had different pinned github/codeql-action SHAs in .github/workflows/analyze-reusable.yml and .github/workflows/scorecards.yml. Resolved by keeping the release-branch workflow structure and updating the pinned CodeQL action references to the SHA from PR #27120.
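A pin-consistency check of the kind the review comments above ask for, added here as an example; it is not code from the PowerShell repository or this PR. It assumes only the `uses: owner/repo[/path]@ref # vX.Y.Z` line shape shown in the hunks; the sample workflow text is constructed from those hunks, and the `actions/checkout@v4` line is added to exercise the unpinned-reference finding.

```python
import re
from collections import defaultdict

# Matches a step reference like: uses: github/codeql-action/init@<40-hex sha> # v3.29.5
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<repo>[\w.-]+/[\w.-]+)(?:/[\w./-]*)?@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<ver>v?\d+(?:\.\d+)*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_uses(text):
    """One dict per `uses:` line: source repo, pinned ref, version comment (None if absent)."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            out.append({"line": lineno, "repo": m["repo"], "ref": m["ref"], "ver": m["ver"]})
    return out

def lint(text, expected=None):
    """Return findings; `expected` maps repo -> version the workflow should be on after a bump."""
    expected = expected or {}
    findings, by_repo = [], defaultdict(set)
    for u in parse_uses(text):
        if not SHA_RE.match(u["ref"]):  # tag/branch refs are mutable, so flag them
            findings.append(f"line {u['line']}: {u['repo']}@{u['ref']} is not pinned to a full commit SHA")
            continue
        if u["ver"] is None:
            findings.append(f"line {u['line']}: {u['repo']}@{u['ref'][:7]} has no version comment")
        by_repo[u["repo"]].add((u["ref"], u["ver"]))
    for repo, pins in by_repo.items():
        shas = {s for s, _ in pins}
        vers = {v for _, v in pins if v}
        if len(shas) > 1:  # one action repo pinned to several commits across the workflows
            findings.append(f"{repo}: multiple SHAs pinned {sorted(s[:7] for s in shas)}")
        if len(vers) > 1:
            findings.append(f"{repo}: version comments disagree {sorted(vers)}")
        want = expected.get(repo)
        if want and vers - {want}:  # comment claims a version other than the bump target
            findings.append(f"{repo}: comment says {sorted(vers)} but the bump targets {want}; verify the SHA")
    return findings

# Constructed sample: the three post-change pins from this PR's hunks, plus one tag-pinned step (not from the PR).
SAMPLE = """\
      uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
      uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
      uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
    - uses: actions/checkout@v4
"""
```

Running `lint(SAMPLE, expected={"github/codeql-action": "v4.35.1"})` reports the unpinned checkout step and the v3.29.5-versus-4.35.1 comment mismatch that the review comments flag; with no `expected` map only the unpinned step is reported.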