[release/v7.4.15] Bump github/codeql-action from 4.34.1 to 4.35.1#27175
Pull request overview
Backport update on release/v7.4.15 to bump the pinned github/codeql-action commit SHA used by CodeQL-related workflows, so the branch picks up the newer CodeQL Action behavior described in the PR metadata.
Changes:
- Update the github/codeql-action/init and github/codeql-action/analyze pins in the reusable CodeQL workflow.
- Update the github/codeql-action/upload-sarif pin in the Scorecards workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 | ||
| uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5 |
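Review bot: the trailing comment "# v3.29.5" is identical on the removed and the added line, so it cannot be accurate for both distinct commits 4e94bd11… and c10b8064…, and the PR title states the bump target as 4.35.1; change the comment on the added line to "# v4.35.1" so the release a pin corresponds to can be read straight from the workflow when dependencies are audited, rather than being recoverable only from this PR's history.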
The pinned SHA was updated as part of a bump to github/codeql-action 4.35.1 (per PR title/description), but the trailing version comment still says v3.29.5. Please update the inline comment to reflect the actual CodeQL Action release corresponding to this SHA to avoid future confusion when auditing workflow dependencies.
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 | ||
| uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5 |
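Review bot: same stale "# v3.29.5" comment as on the init step; when it is corrected to match the 4.35.1 target in the title, fix both the init and analyze lines in the same commit, since the two steps now share the SHA c10b8064… and the documented versions should not be allowed to drift apart any more than the pins themselves.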
The PR is bumping github/codeql-action to 4.35.1, but this analyze step still has an inline version comment of v3.29.5. Update the comment to match the release/tag associated with the pinned SHA so the workflow accurately documents what is being used.
This line updates the pinned upload-sarif SHA, but the trailing version comment (v3.29.5) doesn’t match the PR’s stated bump to CodeQL Action 4.35.1 (and previously referenced v2.25.0). Please update the inline comment to the actual action version for this SHA to keep dependency tracking accurate.

Backport of #27120 to release/v7.4.15
Triggered by @adityapatwardhan on behalf of @app/dependabot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Updates the pinned github/codeql-action commit in release/v7.4.15 workflows so the release branch picks up the 4.35.1 CodeQL Action changes, including the corrected minimum Git version handling.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Cherry-picked the original PR onto release/v7.4.15 in the dedicated backport worktree. Resolved workflow pin conflicts by applying the updated CodeQL action commit to the release-branch workflow definitions and verified the cherry-pick completed successfully without remaining conflicts.
Risk
REQUIRED: Check exactly one box.
This changes CI and code-scanning workflow definitions on a release branch. The edit is narrowly scoped to pinned action SHAs, but workflow changes can affect build and security scanning behavior across the branch.
Merge Conflicts
Conflicts occurred in .github/workflows/analyze-reusable.yml and .github/workflows/scorecards.yml because release/v7.4.15 had already diverged in its pinned CodeQL action SHAs. Resolved by keeping the release branch workflow structure and replacing only the CodeQL action references with the PR's updated c10b8064de6f491fea524254123dbe5e09572f13 pin.
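The conflict description above is a symptom of the same action family being pinned to different SHAs in different places. The following script is an added example, not code from this PR or from the PowerShell repository, that audits the "uses: owner/repo@<sha> # <version>" pinning convention seen in the hunks: it reports mutable (non-SHA) refs, SHA pins with no version comment, and one action repository pinned to several SHAs in one file. It assumes a workflow file path as its first argument and otherwise runs on a constructed sample; the actions/checkout step in that sample and the analyze line left on the older SHA are assumptions made to exercise the checks.

```shell
#!/usr/bin/env bash
# Added example, not code from this PR or the PowerShell repository.
# Audits "uses: owner/repo[/path]@<ref> # <version>" lines in a GitHub workflow
# file for three things a pin review cares about:
#   (a) refs that are mutable tags/branches rather than a full 40-hex commit SHA,
#   (b) SHA pins with no trailing version comment (release not readable from the file),
#   (c) one action repository pinned to several different SHAs (a partial bump,
#       the situation that produced this PR's merge conflicts).

# Constructed sample. The init line mirrors the hunks in this PR; the
# actions/checkout step is an assumed extra step, and the analyze line is
# deliberately left on the older SHA without a comment to exercise (b) and (c).
SAMPLE_WORKFLOW='jobs:
  analyze:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb
'

# Emit one record per step: "<repo> <ref> <comment>", comment being the token
# after "#" or the literal "none".  $1 is the workflow file path.
list_pins() {
  sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//p' "$1" |
    awk '{
      at = index($1, "@")
      if (at == 0) { repo = $1; ref = "" } else { repo = substr($1, 1, at - 1); ref = substr($1, at + 1) }
      comment = "none"
      if ($2 ~ /^#/) comment = (length($2) > 1) ? substr($2, 2) : $3
      if (comment == "") comment = "none"
      print repo, ref, comment
    }'
}

# (a) number of references whose ref is not a full 40-hex commit SHA.
count_unpinned() {
  list_pins "$1" | awk '!(length($2) == 40 && $2 ~ /^[0-9a-f]+$/) { n++ } END { print n + 0 }'
}

# (b) number of SHA pins that carry no version comment.
count_sha_without_comment() {
  list_pins "$1" | awk 'length($2) == 40 && $2 ~ /^[0-9a-f]+$/ && $3 == "none" { n++ } END { print n + 0 }'
}

# (c) number of distinct SHAs used for one action repository ($2, e.g.
# github/codeql-action); sub-paths such as /init and /analyze are grouped together.
count_distinct_shas() {
  list_pins "$1" | awk -v prefix="$2" '
    ($1 == prefix || index($1, prefix "/") == 1) && length($2) == 40 && $2 ~ /^[0-9a-f]+$/ {
      if (!($2 in seen)) { seen[$2] = 1; n++ }
    }
    END { print n + 0 }'
}

# Print the three counts for a workflow file; exit status 1 if anything is flagged.
audit_workflow() {
  unpinned=$(count_unpinned "$1")
  nocomment=$(count_sha_without_comment "$1")
  codeql_shas=$(count_distinct_shas "$1" github/codeql-action)
  printf 'mutable refs:                %s\n' "$unpinned"
  printf 'SHA pins without comment:    %s\n' "$nocomment"
  printf 'distinct codeql-action SHAs: %s\n' "$codeql_shas"
  [ "$unpinned" -eq 0 ] && [ "$nocomment" -eq 0 ] && [ "$codeql_shas" -le 1 ]
}

# Run on the file given as $1, or on the constructed sample when no path is given.
if [ -n "${1:-}" ]; then
  audit_workflow "$1"
else
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_WORKFLOW" > "$tmp"
  audit_workflow "$tmp" || true   # the sample is meant to be flagged
  rm -f "$tmp"
fi
```

Run it as `./audit-pins.sh .github/workflows/analyze-reusable.yml` from a CI step; a non-zero exit means a mutable ref, a comment-less SHA pin, or a split codeql-action pin was found. Check (c) is the one that would have surfaced the divergence described above before the backport had to resolve it by hand.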