
🌱 Bump CodeQL Action version to 3.24.10 and remove whitespace #3972

Merged
merged 5 commits into from
Apr 12, 2024

Conversation

adamdmharvey
Contributor

@adamdmharvey adamdmharvey commented Mar 25, 2024

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

What is the current behavior?

I don't see Dependabot updating the github/codeql action in this particular action workflow, though it's updating a) other actions in this workflow and b) github/codeql in other actions.

Just a wild speculation, but this is the only one with whitespace between the actual name key and the uses? Just in case, firing this to see if the next Dependabot scan will start patching the codeql action in this file also. (And if so, it may imply a minor text-checking bug in the upstream Dependabot algorithm?)

What is the new behavior (if this is a feature change)?

Should allow Dependabot to bump the codeql action in this file.

While here, I also bumped the actions manually to the latest v3.x series (which also includes Node 20, which should help eliminate any actions warnings about Node deprecations).

Note the only other call is this in a different workflow:

```yaml
- name: "Upload to code-scanning"
  uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # v2.16.4
```

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Special notes for your reviewer

An attempt to help dig more into ossf/scorecard-action#1354.

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)


@adamdmharvey adamdmharvey marked this pull request as ready for review March 25, 2024 17:10
@adamdmharvey adamdmharvey requested a review from a team as a code owner March 25, 2024 17:10
@adamdmharvey adamdmharvey requested review from spencerschrock and laurentsimon and removed request for a team March 25, 2024 17:10
@spencerschrock
Member

> I don't see Dependabot updating the github/codeql action in this particular action workflow, though it's updating a) other actions in this workflow and b) github/codeql in other actions.

I manually updated it in the other workflow in #3969. Interestingly dependabot seems to be reverting it in #3971

@adamdmharvey
Contributor Author

Indeed, but notice that PR is updating the codeql action ONLY in the Scorecard Analysis workflow? It's not updating it in the CodeQL Workflow? (if I'm reading it correctly)

@spencerschrock
Member

spencerschrock commented Mar 25, 2024

It's trying to set it to the value it used to be, and what all the other workflows use. I'm curious if there's a bug with what Dependabot thinks latest is for github/codeql

@adamdmharvey adamdmharvey changed the title 🌱 Bump CodeQL Action version and remove whitespace 🌱 Bump CodeQL Action version to 3.x and remove whitespace Mar 25, 2024
@adamdmharvey
Contributor Author

What do you think about trying the v3.x series? (only difference being Node 20, which eliminates a GitHub Runner warning about them deprecating Node 16)

@spencerschrock
Member

> What do you think about trying the v3.x series? (only difference being Node 20, which eliminates a GitHub Runner warning about them deprecating Node 16)

Interestingly I see that commit listed as the ref for the "CodeQL Bundle v2.16.5" release
https://github.com/github/codeql-action/releases

Whereas if you look at https://github.com/github/codeql-action/tags:

v3.24.8 uses a different hash: 05963f47d870e2cb19a537396c1f668a348c7d8f

I'm good with trying @05963f47d870e2cb19a537396c1f668a348c7d8f # v3.24.8, just please make sure to update the version in scorecard-analysis.yml too
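The thread above turns on two supply-chain details: an action reference is only immutable when it is pinned to a full commit SHA (a tag such as `v3` or `v3.24.8` can be moved, and the same commit can sit behind differently named tags and releases, as the `v2.16.5` bundle vs `v3.24.8` tag discussion shows), and the trailing `# vX.Y.Z` comment is what lets humans and Dependabot tell which release a SHA corresponds to. The checker below is an added example, not code from this PR or from the ossf/scorecard project. It scans a workflow's `uses:` lines and reports references that are mutable or that are SHA-pinned without a version comment. The sample workflow is constructed for the example; the `upload-sarif` line copies the reference quoted in the PR description, while the other 40-hex SHAs are placeholders and not real commits of those actions. The tag-vs-branch split is a heuristic (a ref that looks like `v5` or `1.2.3` is treated as a tag).

```python
"""Classify how each `uses:` reference in a GitHub Actions workflow is pinned."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflow for this example (not from the PR). The upload-sarif
# reference is the one quoted in the PR description; the other SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: CodeQL
on: [push]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # v2.16.4
      - name: Set up Go
        uses: actions/setup-go@v5
      - uses: some-org/some-action@main
      - name: Pinned, but nothing says which release this is
        uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-helper
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full git commit SHA
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*$")        # heuristic: v5, v3.24.8, 1.2.3
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<target>[^\s'"#]+)['"]?\s*(?:#\s*(?P<comment>\S.*?))?\s*$"""
)


@dataclass
class UsesRef:
    line: int
    action: str
    ref: Optional[str]       # part after '@', None if absent
    comment: Optional[str]   # text after '#', normally the version Dependabot maintains
    kind: str                # "sha", "tag", "branch", "local", "docker" or "unpinned"

    @property
    def display(self) -> str:
        return f"{self.action}@{self.ref}" if self.ref else self.action


def classify(action: str, ref: Optional[str]) -> str:
    """Decide whether a reference is immutable (sha) or something that can move."""
    if action.startswith("./"):
        return "local"
    if action.startswith("docker://"):
        return "docker"
    if not ref:
        return "unpinned"
    if SHA_RE.match(ref):
        return "sha"
    if VERSION_RE.match(ref):
        return "tag"
    return "branch"


def parse_uses(line_no: int, line: str) -> Optional[UsesRef]:
    m = USES_RE.match(line)
    if not m:
        return None
    action, sep, ref = m.group("target").partition("@")
    ref = ref if sep else None
    return UsesRef(line_no, action, ref, m.group("comment"), classify(action, ref))


def scan_workflow(text: str) -> List[UsesRef]:
    """Return every `uses:` reference in the workflow text, in file order."""
    refs = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_uses(line_no, line)
        if parsed:
            refs.append(parsed)
    return refs


def audit(text: str) -> List[str]:
    """One finding per reference that is mutable or SHA-pinned without a version comment."""
    findings = []
    for r in scan_workflow(text):
        if r.kind in ("local", "docker"):
            continue  # not fetched from another GitHub repository; out of scope here
        if r.kind != "sha":
            findings.append(
                f"line {r.line}: {r.display} is a mutable {r.kind} reference; pin to a full commit SHA"
            )
        elif not (r.comment and VERSION_RE.match(r.comment.strip())):
            findings.append(
                f"line {r.line}: {r.display} is SHA-pinned but has no '# vX.Y.Z' comment, so the version is not reviewable"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW):
        print(finding)
```

Run against a real repository by reading each file under `.github/workflows/` into `audit()`; a clean result means every third-party action is SHA-pinned with a version comment, which is the state Dependabot keeps in sync when it recognises the line.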

@spencerschrock
Member

spencerschrock commented Mar 26, 2024

here's an example of dependabot picking up the updates properly. so I recommend mirroring what we do there:
https://github.com/ossf/scorecard-action/pull/1355/files

@spencerschrock
Member

@adamdmharvey are you still interested in patching this (based on v3.24.10 at this point, you can see ossf/scorecard-action#1360)? If not, I would be fine putting it as a good-first-issue for someone else to pickup.

@adamdmharvey
Contributor Author

Yep! I'll take a stab.

Signed-off-by: Adam Harvey <33203301+adamdmharvey@users.noreply.github.com>
Signed-off-by: Adam Harvey <33203301+adamdmharvey@users.noreply.github.com>
Signed-off-by: Adam Harvey <33203301+adamdmharvey@users.noreply.github.com>
@adamdmharvey adamdmharvey marked this pull request as draft April 11, 2024 20:26
Signed-off-by: Adam Harvey <33203301+adamdmharvey@users.noreply.github.com>
@adamdmharvey adamdmharvey marked this pull request as ready for review April 11, 2024 20:31
@spencerschrock spencerschrock changed the title 🌱 Bump CodeQL Action version to 3.x and remove whitespace 🌱 Bump CodeQL Action version to 3.24.10 and remove whitespace Apr 12, 2024
Member

@spencerschrock spencerschrock left a comment


Thanks!

@spencerschrock spencerschrock enabled auto-merge (squash) April 12, 2024 05:26
@spencerschrock spencerschrock merged commit b77f248 into ossf:main Apr 12, 2024
36 checks passed