[release/v7.6.1] Bump github/codeql-action from 4.32.6 to 4.34.1 #27182
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Pull request overview
Backports the Dependabot update from #27087 onto release/v7.6.1, updating the pinned github/codeql-action commit SHAs used by the CodeQL/Scorecards workflows to keep security scanning dependencies aligned with main.
Changes:
- Update the `github/codeql-action/init` and `github/codeql-action/analyze` pinned SHA in the reusable CodeQL workflow.
- Update the `github/codeql-action/upload-sarif` pinned SHA in the Scorecards workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/scorecards.yml | Bumps the pinned upload-sarif action SHA used to upload SARIF results. |
| .github/workflows/analyze-reusable.yml | Bumps the pinned init and analyze action SHAs used for CodeQL analysis. |
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 | ||
| uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5 | ||
| with: |
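Review bot: the trailing comment on the changed `uses:` line still reads `# v3.29.5` while the SHA moves from `0d579ffd…` to `38697555…`, so the pin and its human-readable label now disagree. Update the comment to the tag the new SHA actually resolves to (the PR title says 4.34.1) and confirm the SHA-to-tag mapping against the upstream tag list before merging, since the comment is what auditors read when checking action versions.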
The PR title/description says this updates github/codeql-action to 4.34.1, but the pinned reference comment still says # v3.29.5. Please update the inline version comment (and ensure it matches the pinned SHA/tag) so the workflow accurately reflects what Dependabot is bumping to.
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 | ||
| uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5 | ||
| with: |
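Review bot: same stale `# v3.29.5` comment as in scorecards.yml on the `init` pin; the version label should be corrected here too. The `init` SHA matches the `analyze` SHA changed in the same workflow (`38697555549f1db7851b81482ff19f1fa5c4fedc`), which is the right invariant for this action, so only the comment needs attention.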
The PR title/description says this updates github/codeql-action to 4.34.1, but the pinned reference comment still says # v3.29.5. Please update the inline version comment (and ensure it matches the pinned SHA/tag) to avoid confusion when auditing action versions.
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 | ||
| uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5 |
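Review bot: the `analyze` pin keeps the stale `# v3.29.5` comment as well; fix it alongside the `init` line so the two steps carry the same SHA and the same version label. Leaving the comment behind means a future reader cannot tell from the file alone whether 3.29.5 or 4.34.1 is in use.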
The PR title/description says this updates github/codeql-action to 4.34.1, but the pinned reference comment still says # v3.29.5. Please update the inline version comment (and ensure it matches the pinned SHA/tag) so reviewers can confirm the intended action version.
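The mismatch the three review comments flag, a SHA pin whose trailing version comment no longer matches the tag the SHA resolves to, can be caught mechanically in CI. The following is an added example and is not part of this PR or the PowerShell repository; the sample workflow lines and the SHA-to-tag map are constructed for illustration (the map would normally be built from `git ls-remote --tags` output for each action repository).

```python
import re

# Constructed sample in the shape of the workflow lines in this PR (not the real files).
SAMPLE_WORKFLOW = """\
      - name: Initialize CodeQL
        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
"""

# Assumed SHA -> tag map for the example; in practice populate it from `git ls-remote --tags`.
KNOWN_TAGS = {"38697555549f1db7851b81482ff19f1fa5c4fedc": "v4.34.1"}

# `uses: owner/repo[/path]@ref  # optional-comment`
USES_RE = re.compile(
    r"^\s*(?:-\s+)?uses:\s*(?P<repo>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(text, known_tags):
    """Return (line, repo, problem) for every `uses:` line that is not a full SHA pin,
    lacks a version comment, or carries a comment that disagrees with the known tag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref, comment = m.group("repo"), m.group("ref"), m.group("comment")
        if not SHA_RE.match(ref):
            findings.append((lineno, repo, "not pinned to a full commit SHA"))
            continue
        if comment is None:
            findings.append((lineno, repo, "SHA pin has no version comment"))
            continue
        expected = known_tags.get(ref)
        if expected is not None and expected != comment:
            findings.append((lineno, repo, f"comment says {comment} but SHA resolves to {expected}"))
    return findings


if __name__ == "__main__":
    for lineno, repo, problem in audit_uses(SAMPLE_WORKFLOW, KNOWN_TAGS):
        print(f"line {lineno}: {repo}: {problem}")
```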
d72d402 into PowerShell:release/v7.6.1
Backport of #27087 to release/v7.6.1
Triggered by @adityapatwardhan on behalf of @app/dependabot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Updates CodeQL workflow action SHAs on the release branch to the same vetted version as main, maintaining CI/security scanning consistency.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Cherry-picked PR #27087 onto release/v7.6.1 and verified the cherry-pick completed successfully with no conflicts. Only the expected workflow action references changed.
Risk
REQUIRED: Check exactly one box.
The change is a targeted workflow dependency SHA update with no product/runtime code changes; scope is limited to code scanning workflows.