chore(gha): pin github/codeql-action to a SHA#40043
Merged
Merged
Conversation
Replace `github/codeql-action/init@v4` and `github/codeql-action/analyze@v4` with the commit SHA the v4 tag currently dereferences to (68bde559dea0fdcac2102bfdf6230c5f70eb485e), keeping `# v4` as a trailing comment for readability. This matches the existing convention for actions/checkout on line 34 of the same file and is the standard mitigation for the supply-chain risk of mutable tags. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
rusackas
requested review from
betodealmeida,
craig-rueda,
dpgaspar,
eschutho,
geido,
hainenber,
kgabryje,
mistercrunch,
nytai,
sadpandajoe and
villebro
as code owners
Contributor
|
Bito Automatic Review Skipped - Files Excluded |
github-actions
Bot
added
the
github_actions
hainenber
approved these changes
May 12, 2026
✅ Deploy Preview for superset-docs-preview ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
qfcwell
pushed a commit
to qfcwell/superset
that referenced
this pull request
May 12, 2026
Co-authored-by: Superset Dev <dev@superset.apache.org> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
SUMMARY
Pin both `github/codeql-action/init@v4` and `github/codeql-action/analyze@v4` in `.github/workflows/codeql-analysis.yml` to the commit SHA the `v4` tag currently dereferences to:
```yaml
uses: github/codeql-action@68bde55 # v4
```
`# v4` is kept as a trailing comment for readability and matches the existing convention for `actions/checkout` on line 34 of the same file.
This is the standard mitigation for the supply-chain risk of mutable tags (a tag can be force-pushed by an attacker who compromises the upstream repo; a SHA cannot). Verified that `refs/tags/v4` on `github/codeql-action` dereferences to `68bde559dea0fdcac2102bfdf6230c5f70eb485e` at the time of this PR.
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A — workflow change only.
TESTING INSTRUCTIONS
GitHub Actions workflow files aren't unit-testable in this repo's test suite. Verifiable by inspection: both `uses:` lines now reference a 40-char SHA followed by `# v4`, matching the `actions/checkout` line above them.
CodeQL analysis behavior is unchanged — the action source code at the pinned SHA is byte-identical to what `@v4` resolved to on the previous run.
ADDITIONAL INFORMATION