[release/v7.5.6] Bump github/codeql-action from 4.32.6 to 4.34.1#27170
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Pull request overview
Backport PR updating pinned github/codeql-action references in release/v7.5.6 workflows to align CodeQL scanning dependencies with the vetted version used on main.
Changes:
- Update github/codeql-action/init and github/codeql-action/analyze pinned SHAs in the reusable CodeQL workflow.
- Update github/codeql-action/upload-sarif pinned SHA in the scorecards workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 | ||
| uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5 | ||
| with: |
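Review bot: the version annotation on the new init line still reads # v3.29.5 although the SHA changed and the PR title says 4.34.1; that comment is the only human-readable indication of which release the 40-character pin represents, so update it to the tag the new SHA actually resolves to in the github/codeql-action repository (verified against the tag, not copied from the PR title) rather than leaving a stale label beside a fresh pin.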
The pinned CodeQL action SHA was updated, but the inline version comment still says # v3.29.5. Given the PR’s stated goal is to bump github/codeql-action to 4.34.1, please update the comment (or remove it) so the annotated version matches the SHA being pinned; otherwise it’s misleading for security/audit reviews.
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 | ||
| uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5 |
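Review bot: same stale # v3.29.5 annotation as on the init step; init and analyze are correctly pinned to the identical commit here, so correct the comment on both lines in the same change, since the two steps of one CodeQL run should never drift to different codeql-action versions.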
The action SHA changed but the inline version comment remains # v3.29.5, which appears inconsistent with the PR’s stated bump to CodeQL Action 4.34.1. Please update the comment (or remove it) so it accurately reflects the pinned SHA/version.
The pinned SHA was updated, but the inline comment still says # v3.29.5. Since this PR claims to bump github/codeql-action to 4.34.1, please adjust/remove the comment so the annotated version matches the SHA to avoid confusion during auditing.
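The review comments above all turn on one audit check: a `uses:` pin's SHA and its `# vX.Y.Z` comment must agree, and the ref must be an immutable commit rather than a tag. The following is an added example (not code from this PR or from the PowerShell repository) of that check run over a constructed workflow fragment; the tag-to-commit map and the SHAs in it are assumed placeholders for illustration, and in practice the map would be built from `git ls-remote --tags` on the action repository.

```python
import re

# "uses: owner/repo[/sub]@ref" with an optional trailing "# vX.Y.Z" annotation.
USES_RE = re.compile(
    r"uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w.-]+)*)@(?P<ref>\S+)"
    r"(?:\s*#\s*(?P<ver>v\d+\.\d+\.\d+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed tag->commit map (assumption, for illustration only); build the real one
# from `git ls-remote --tags https://github.com/github/codeql-action`, never from the comment.
TAG_MAP = {
    "github/codeql-action": {
        "v3.29.5": "1" * 40,
        "v4.34.1": "2" * 40,
    },
}

# Constructed workflow fragment in the shape of analyze-reusable.yml: the init step carries
# a stale annotation, the analyze step is correct, and checkout uses a mutable tag.
SAMPLE = """\
steps:
  - name: Initialize CodeQL
    uses: github/codeql-action/init@2222222222222222222222222222222222222222 # v3.29.5
  - name: Perform CodeQL Analysis
    uses: github/codeql-action/analyze@2222222222222222222222222222222222222222 # v4.34.1
  - uses: actions/checkout@v4
"""

def check_pins(workflow_text, tag_map):
    """Return (line_no, action, problem) for every pin that is mutable, unannotated,
    or whose annotation names a version that does not resolve to the pinned commit."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.search(line)
        if not m:
            continue
        action, ref, ver = m.group("action"), m.group("ref"), m.group("ver")
        if not SHA_RE.match(ref):
            findings.append((n, action, f"mutable ref {ref!r}; pin to a full commit SHA"))
            continue
        repo = "/".join(action.split("/")[:2])  # init/analyze/upload-sarif share one repo
        tags = tag_map.get(repo, {})
        if ver is None:
            findings.append((n, action, "no version annotation beside the SHA"))
        elif tags.get(ver) != ref:
            real = [t for t, s in tags.items() if s == ref]
            found = real[0] if real else "an unknown tag"
            findings.append((n, action, f"comment says {ver} but SHA resolves to {found}"))
    return findings
```

Running `check_pins(SAMPLE, TAG_MAP)` reports the init line (comment v3.29.5, SHA resolves to v4.34.1) and the checkout line (mutable tag), and nothing for the correctly annotated analyze line.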

Backport of #27087 to release/v7.5.6
Triggered by @adityapatwardhan on behalf of @app/dependabot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Updates CodeQL workflow action SHAs on the release branch to the same vetted version as main, maintaining CI/security scanning consistency.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Cherry-picked PR #27087 onto release/v7.5.6 and resolved workflow SHA conflicts in analyze-reusable.yml and scorecards.yml by preserving the intended dependency bump. Verified cherry-pick completed successfully and only the expected workflow action references changed.
Risk
REQUIRED: Check exactly one box.
The change is a targeted workflow dependency SHA update with no product/runtime code changes; scope is limited to code scanning workflows.
Merge Conflicts
Resolved conflicts in .github/workflows/analyze-reusable.yml and .github/workflows/scorecards.yml by taking the incoming github/codeql-action SHA updates from the original PR.