[release/v7.6] Bump github/codeql-action from 4.32.4 to 4.32.6#26975
Conversation
Pull request overview
Backports a Dependabot update on the release/v7.6 branch to bump the pinned github/codeql-action commit used by the CodeQL and Scorecards workflows.
Changes:
- Update github/codeql-action pinned SHA for CodeQL init/analyze in the reusable analysis workflow.
- Update github/codeql-action pinned SHA for SARIF upload in the Scorecards workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/analyze-reusable.yml | Updates pinned github/codeql-action SHA for init and analyze. |
| .github/workflows/scorecards.yml | Updates pinned github/codeql-action SHA for upload-sarif. |
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5 | ||
| uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 | ||
| with: |
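Review bot: The file table says analyze-reusable.yml updates both init and analyze, but only the init step is visible in this hunk; confirm the analyze step in the same file is pinned to the same commit 0d579ffd059c29b07949a3cce3983f0780820c98 and carries the same version comment, because a stale `# v3.29.5` next to a 4.32.6 commit is exactly the kind of init/analyze version skew a grep-based pin audit will not catch.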
The pinned commit SHA was updated but the inline version comment still says v3.29.5. Please update the comment to match the actual github/codeql-action version being pinned (the PR metadata indicates a bump to 4.32.6), or switch to using the version tag if that’s what you intend to track; otherwise this is misleading for audits.
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5 | ||
| uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5 | ||
| with: |
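Review bot: Both workflows now pin github/codeql-action to the same commit, which is the right result of the backport, but the trailing `# v3.29.5` comment on the new line is stale here as well; update it alongside the analyze-reusable.yml line so that the SHA-to-version pairing stays consistent and greppable across .github/workflows.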
The upload-sarif action SHA changed, but the inline comment still states v3.29.5. Please update the comment to reflect the actual version you’re pinning (per PR title/description), otherwise it will be confusing during security review/version audits.
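A checker for the audit concern raised in the two review comments above, written as an added example (not the PowerShell repository's tooling and not Dependabot's): it parses `uses:` lines from GitHub Actions workflow text, flags refs that are not full commit SHAs, flags SHA pins whose trailing version comment is missing or disagrees with the version the PR claims to pin, and flags one action repo pinned to different commits across workflows. The sample workflow text is constructed from the lines in this PR (the pre-bump scorecards pin beside the post-bump init pin); the expected-version map and all function names are assumptions.

```python
import re

# Assumption: this linter is an added illustration; it inspects `uses:` lines
# textually and does not query GitHub to resolve SHAs to tags.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(line):
    """Parse one `uses:` line into (repo, ref, comment) or None if it is not one."""
    m = USES_RE.match(line)
    if not m:
        return None
    # `github/codeql-action/init` -> repo `github/codeql-action`
    repo = "/".join(m.group("action").split("/")[:2])
    return repo, m.group("ref"), m.group("comment")


def lint_uses_line(line, expected=None):
    """Return a list of findings for a single `uses:` line.

    expected: optional dict repo -> version string the pin is supposed to
    represent, e.g. {"github/codeql-action": "v4.32.6"}.
    """
    parsed = parse_uses(line)
    if parsed is None:
        return []
    repo, ref, comment = parsed
    if not SHA_RE.match(ref):
        return [f"{repo}: ref {ref!r} is a mutable tag or branch, not a full commit SHA"]
    if comment is None:
        return [f"{repo}: SHA pin has no version comment, so audits cannot tell what it tracks"]
    if expected and repo in expected and comment != expected[repo]:
        return [f"{repo}: comment says {comment} but the PR pins {expected[repo]}"]
    return []


def lint_workflows(files, expected=None):
    """files: dict path -> workflow text. Returns list of (path, lineno, message).

    Besides per-line checks, reports any repo pinned to more than one commit
    across the given files (a half-applied bump or backport).
    """
    findings = []
    pins = {}  # repo -> set of SHAs seen
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for msg in lint_uses_line(line, expected):
                findings.append((path, lineno, msg))
            parsed = parse_uses(line)
            if parsed and SHA_RE.match(parsed[1]):
                pins.setdefault(parsed[0], set()).add(parsed[1])
    for repo, shas in sorted(pins.items()):
        if len(shas) > 1:
            findings.append(("*", 0, f"{repo}: pinned to {len(shas)} different commits across workflows"))
    return findings


# Constructed sample input modelled on the lines in this PR.
SAMPLE_FILES = {
    ".github/workflows/analyze-reusable.yml": """\
steps:
  - name: Checkout
    uses: actions/checkout@v4
  - name: Initialize CodeQL
    uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.29.5
  - name: Perform CodeQL Analysis
    uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
""",
    ".github/workflows/scorecards.yml": """\
steps:
  - name: "Upload to code-scanning"
    uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5
""",
}
EXPECTED = {"github/codeql-action": "v4.32.6"}  # assumed: the version this PR bumps to

if __name__ == "__main__":
    for path, lineno, msg in lint_workflows(SAMPLE_FILES, EXPECTED):
        print(f"{path}:{lineno}: {msg}")
```

Running it over the constructed sample reports the stale `# v3.29.5` comment on the init line, the unpinned `actions/checkout@v4`, the stale comment on the old upload-sarif pin, and the fact that github/codeql-action is pinned to two different commits across the two workflows; the analyze line, whose comment matches the expected version, produces nothing. The same pass run in CI on every workflow change catches the mismatch the review comments above describe before it reaches an audit.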
Backport of #26942 to release/v7.6
Triggered by @daxian-dbw on behalf of @app/dependabot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Updates CodeQL action to v4.32.6, bringing latest CodeQL bundle (v2.24.3) with improved incremental analysis and bug fixes for code security scanning.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Automated dependabot update validated in master branch. No functional changes to code analysis workflows, only dependency version updates. Conflicts auto-resolved using git rerere from similar backport patterns.
Risk
REQUIRED: Check exactly one box.
Low risk as this is a patch version bump of the CodeQL action (4.32.4 to 4.32.6). Updates include CodeQL bundle to v2.24.3, improved incremental analysis features, and bug fixes. No breaking changes or significant behavior modifications.
Merge Conflicts
Merge conflicts in .github/workflows/analyze-reusable.yml and .github/workflows/scorecards.yml were auto-resolved by git rerere using previous resolutions.