🌱 Bump CodeQL Action version to 3.24.10 and remove whitespace #3972
Conversation
Indeed, but notice that PR is updating the codeql action ONLY in the Scorecard Analysis workflow? It's not updating it in the CodeQL Workflow? (if I'm reading it correctly)
It's trying to set it to the value it used to be, and what all the other workflows use. I'm curious if there's a bug with what Dependabot thinks
What do you think about trying the v3.x series? (only difference being Node 20, which eliminates a GitHub Runner warning about them deprecating Node 16)
Interestingly I see that commit listed as the ref for the "CodeQL Bundle v2.16.5" release. Whereas if you look at https://github.com/github/codeql-action/tags: v3.24.8 uses a different hash: I'm good with trying
Here's an example of dependabot picking up the updates properly, so I recommend mirroring what we do there:
@adamdmharvey are you still interested in patching this (based on
Yep! I'll take a stab. |
Signed-off-by: Adam Harvey <33203301+adamdmharvey@users.noreply.github.com>
Thanks!
What kind of change does this PR introduce?
(Is it a bug fix, feature, docs update, something else?)
What is the current behavior?
I don't see Dependabot updating the github/codeql action in this particular action workflow, though it's updating a) other actions in this workflow and b) github/codeql in other actions. Just a wild speculation, but this is the only one with the whitespace between the actual name key and the uses? Just in case, firing this to see if the next Dependabot scan will start patching the codeql action in this file also. (And if so, it may infer a minor text checking bug in the upstream Dependabot algorithm?)
What is the new behavior (if this is a feature change)?
Should allow Dependabot to bump the codeql action in this file.
While here, I also bumped the actions manually to the latest v3.x series (which also includes Node 20, which should help eliminate any actions warnings about Node deprecations).
Note the only other call is this in a different workflow:
scorecard/.github/workflows/scorecard-analysis.yml
Lines 53 to 54 in e780e08
Which issue(s) this PR fixes
Special notes for your reviewer
An attempt to help dig more into ossf/scorecard-action#1354.
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to the
```release-note
(In particular, describe what changes users might need to make in their application as a result of this pull request.)
```
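The whitespace sensitivity discussed in this PR (a blank line between a step's `name:` key and its `uses:` line) is a useful test case for any tooling that inspects workflow files. As an added example, not code from the scorecard project or from this PR, here is a small stdlib-only Python scanner that finds every `uses:` reference in a workflow regardless of spacing and reports which ones are pinned to a full commit SHA, which is what Scorecard's own Pinned-Dependencies check looks for. The sample workflow, the `example/unpinned-action` name, and the 40-hex SHAs in it are constructed placeholders.

```python
"""Find `uses:` references in a GitHub Actions workflow and report SHA pinning.

Added example, not code from the scorecard project or this PR. It works on the
workflow text as a string and needs only the standard library; the sample
workflow below is constructed, and its 40-hex SHAs are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A `uses:` line at any indentation, with or without the `- ` list marker,
# optionally followed by a trailing comment (conventionally the version).
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<target>\S+)(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ActionRef:
    line_no: int   # 1-based line in the workflow text
    action: str    # e.g. github/codeql-action/upload-sarif
    ref: str       # what follows '@': a tag, a branch, or a commit SHA
    comment: str   # trailing comment, usually the version the SHA maps to
    pinned: bool   # True only when ref is a full 40-hex commit SHA


def parse_action_refs(workflow_text: str) -> list[ActionRef]:
    """Return every remote action reference in file order, tolerant of blank
    lines and irregular spacing between a step's `name:` and its `uses:`."""
    refs: list[ActionRef] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        # Local (./path) and docker:// actions have no remote ref to pin.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        comment = (m.group("comment") or "").strip()
        refs.append(
            ActionRef(line_no, action, ref, comment, bool(FULL_SHA_RE.match(ref)))
        )
    return refs


def unpinned(workflow_text: str) -> list[ActionRef]:
    """References that float on a tag or branch instead of a commit SHA."""
    return [r for r in parse_action_refs(workflow_text) if not r.pinned]


# Constructed sample: the third step has a blank line between `name:` and
# `uses:`, mirroring the layout discussed in this PR. SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: Scorecard analysis workflow
on: [push]
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout code"
        uses: actions/checkout@1111111111111111111111111111111111111111 # v4 (placeholder SHA)

      - name: "Run analysis"
        uses: example/unpinned-action@v1

      - name: "Upload to code-scanning"

        uses: github/codeql-action/upload-sarif@2222222222222222222222222222222222222222 # v3.24.10 (placeholder SHA)
"""

if __name__ == "__main__":
    for r in parse_action_refs(SAMPLE_WORKFLOW):
        status = "pinned" if r.pinned else "UNPINNED"
        print(f"line {r.line_no}: {r.action}@{r.ref} [{status}] {r.comment}")
```

Run against the constructed sample, the scanner flags the one tag-pinned step and still finds the step that is separated from its `name:` by a blank line; that is the behaviour to confirm in your own tooling before concluding that a reference is being skipped rather than mis-parsed.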