[release/v7.6.1] Bump github/codeql-action from 4.34.1 to 4.35.1#27184
Pull request overview
Backport that updates the pinned github/codeql-action commit SHA used by the release/v7.6.1 security analysis workflows (CodeQL reusable analysis and Scorecards SARIF upload).
Changes:
- Updated the pinned SHA for `github/codeql-action/init` and `github/codeql-action/analyze` in the reusable CodeQL workflow.
- Updated the pinned SHA for `github/codeql-action/upload-sarif` in the Scorecards workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/analyze-reusable.yml | Bumps the pinned CodeQL init/analyze action SHA used by the reusable CodeQL workflow. |
| .github/workflows/scorecards.yml | Bumps the pinned CodeQL upload-sarif action SHA used to upload Scorecards SARIF results. |
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 | ||
| uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5 | ||
| with: |
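Review bot: the added `init` line keeps the `# v3.29.5` annotation while the PR title says 4.35.1, so this pin crosses a major version of the action; besides correcting the annotation to the tag that the new SHA actually belongs to, please confirm the `with:` inputs that follow this step are still accepted by the v4 `init` action before merging.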
The inline version annotation still says v3.29.5, but this PR is described as bumping github/codeql-action to 4.35.1. Please update the trailing comment to reflect the actual CodeQL Action version corresponding to this pinned SHA so the workflow pin is unambiguous.
| # Upload the results to GitHub's code scanning dashboard. | ||
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 | ||
| uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5 |
The pinned SHA was updated, but the trailing version comment still says v3.29.5 while the PR intent/title is a bump to 4.35.1. Please update the comment to match the actual version for this SHA to avoid confusion during future dependency bumps/audits.
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 | ||
| uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5 No newline at end of file |
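Review bot: the replaced `analyze` line is the last line of the file and is marked "No newline at end of file"; when the `# v3.29.5` annotation is corrected to match the new SHA, add the trailing newline too so the next dependency bump produces a clean one-line diff instead of touching this line again.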
Same as the init step above: the SHA pin changed but the trailing comment still indicates v3.29.5 even though the PR is a bump to 4.35.1. Please align the inline version annotation with the actual version for this pinned commit.
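A small checker for the pin/annotation drift the review comments above point out, added here as an example and not part of the PowerShell repository or this PR. It assumes the caller supplies the SHA-to-tag map (for instance from `git ls-remote --tags` on the action repository), and the sample's mapping of the new SHA to v4.35.1 is taken from the PR title, not verified.

```python
import re

# A `uses:` step pinned to a ref, with an optional trailing "# vX.Y.Z"
# annotation, e.g.  uses: github/codeql-action/init@<40-hex sha> # v3.29.5
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>\S+)"
    r"(?:\s*#\s*(?P<note>v?\d+\.\d+\.\d+))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def check_pins(workflow_text, expected_versions):
    """Return (line_no, action, problem) findings for every `uses:` line.

    expected_versions maps a commit SHA to the release tag it belongs to.
    Problems: "not-sha" (tag/branch ref instead of a full commit pin),
    "unknown-sha" (pin not in the map), "no-version-comment", and
    "comment-mismatch: <comment> != <expected>".
    """
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, note = m.group("action"), m.group("ref"), m.group("note")
        if not FULL_SHA_RE.match(ref):
            findings.append((no, action, "not-sha"))
            continue
        expected = expected_versions.get(ref)
        if expected is None:
            findings.append((no, action, "unknown-sha"))
        elif note is None:
            findings.append((no, action, "no-version-comment"))
        elif note.lstrip("v") != expected.lstrip("v"):
            findings.append((no, action, f"comment-mismatch: {note} != {expected}"))
    return findings

# Constructed sample modelled on the lines changed in this PR; the map below
# assumes (from the PR title) that the new SHA is the v4.35.1 release.
SAMPLE_WORKFLOW = """\
    - name: Initialize CodeQL
      uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
    - uses: actions/checkout@v4
"""
SAMPLE_VERSIONS = {"c10b8064de6f491fea524254123dbe5e09572f13": "v4.35.1"}
```

Run over the sample, the stale `# v3.29.5` on the `init` line and the unpinned `actions/checkout@v4` (a hypothetical extra step) are the two findings; the `analyze` line passes.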
Backport of #27120 to release/v7.6.1
Triggered by @adityapatwardhan on behalf of @app/dependabot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Updates the pinned github/codeql-action references used by CodeQL and scorecards workflows on release/v7.6.1 so the release branch receives the upstream 4.35.1 fix.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Cherry-picked PR #27120 onto release/v7.6.1 and resolved the workflow pin conflicts by applying the updated CodeQL action SHA to the existing release-branch workflow definitions. Validation was limited to reviewing the resulting YAML changes; no local GitHub Actions execution is available from this environment.
Risk
REQUIRED: Check exactly one box.
The change only updates pinned GitHub Actions workflow dependencies, but it affects repository security-analysis workflows that run in CI. The scope is small and matches the original upstream dependency bump.
Merge Conflicts
Conflicts occurred because release/v7.6.1 had different pinned github/codeql-action SHAs in .github/workflows/analyze-reusable.yml and .github/workflows/scorecards.yml. Resolved by keeping the release-branch workflow structure and updating the pinned CodeQL action references to the SHA from PR #27120.