
chore(security): bump codeql-action/upload-sarif v3 -> v4.35.5#16

Merged
bilbospocketses merged 1 commit into master from chore/security-bump-codeql-action-v4, May 19, 2026

Conversation

@bilbospocketses
Owner

Closes control-menu TODO Item 33 — surfaced 2026-05-19 from the very first OpenSSF Scorecard run; shipping same day.

What

Bump github/codeql-action/upload-sarif from v3 SHA `458d36d7d4f47d0dd16ca424c1d3cda0060f1360` to v4.35.5 commit SHA `9e0d7b8d25671d64c341c19c0152d693099fb5ba` in `.github/workflows/scorecard.yml`.

Why

  • Node 20 deprecation banner has been firing on every Scorecard run since the workflow first landed on 2026-05-19. v3 is the last Node-20 major; v4 runs on Node 24. GitHub's `force_node24` cutover is scheduled for 2026-06-02; Node 20 removal from runners 2026-09-16.
  • v4 is mature, not a "wait for stable" gamble. Stable since 2026-03-27 with 6 patch releases (v4.35.0 → v4.35.5). GitHub publishes v3 and v4 in parallel during the deprecation window. The bump is a drop-in for `upload-sarif`.
  • CM only carries one ref to the codeql-action monorepo (in scorecard.yml). The GitHub-managed CodeQL default-setup also uses v3 internally, but GitHub owns that ref and will bump on their own schedule — out of scope here.

Pin discipline applied

Both freshly-shipped repo SOPs applied in the same edit (one PR cycle ago — PRs #14 + #15 surfaced both lessons):

  1. Pin to COMMIT SHA, not annotated-tag-object SHA. `gh api repos/github/codeql-action/git/ref/tags/v4.35.5` returns `{"object": {"sha": "f25eda87...", "type": "tag"}}` — annotated. Dereferenced via `gh api repos/github/codeql-action/git/tags/f25eda87... --jq '.object.sha'` to get commit SHA `9e0d7b8d`. Future verifiers (Scorecard webapp, sigstore) would reject the tag-object SHA as "imposter commit"; commit SHA is the safer convention.
  2. Precise version comment. `# v4.35.5` (not bare `# v4`). Bare-major would make Dependabot interpret the pin as a "track v4 line" range and silently skip future major-bump PRs (v5+ when they ship). The pin comment is what Dependabot reads, not the SHA.

Inline comment in scorecard.yml documents both rules so the next person to touch this pin doesn't re-derive the lesson.

Cross-repo

ws-scrcpy-web's `.github/workflows/codeql.yml` carries the same `458d36d7` pin in 3 places (init + analyze + analyze, across both Rust matrix legs — Linux + Windows). Same bump pending on that side; ws-scrcpy-web TODO §27 already flags the deprecation. Coordinated bump worth doing in a separate session.

Test plan

  • CI `build-and-test` passes
  • Post-merge: Scorecard workflow runs on the merge commit's push-to-master and the Node 20 deprecation annotation is no longer present
  • Score publish to api.securityscorecards.dev still succeeds (v4 of upload-sarif is a drop-in for v3's SARIF upload API)
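The two pin-discipline rules from the post above (dereference an annotated tag object to its commit SHA; require a precise `# vX.Y.Z` comment) as an added Python example. This is not code from the PR or the control-menu repo: `resolve_tag_commit`, `check_pin` and the `FAKE_API` responses are assumptions, and the full tag-object SHA is a constructed placeholder because the page only shows `f25eda87...`.

```python
import json
import re
import subprocess
from typing import Callable

def gh_api(path: str) -> dict:
    """Live fetcher: shells out to the GitHub CLI (needs an authenticated `gh`)."""
    out = subprocess.run(["gh", "api", path], check=True, capture_output=True, text=True).stdout
    return json.loads(out)

def resolve_tag_commit(repo: str, tag: str,
                       fetch: Callable[[str], dict] = gh_api) -> str:
    """Return the commit SHA behind a tag. git/ref/tags/<tag> yields type "tag" for an
    annotated tag; pinning that object SHA is the 'imposter commit' the PR warns about."""
    obj = fetch(f"repos/{repo}/git/ref/tags/{tag}")["object"]
    for _ in range(3):  # annotated tags may nest; bound the dereference chain
        if obj["type"] == "commit":
            return obj["sha"]
        if obj["type"] != "tag":
            raise ValueError(f"{tag} points at a {obj['type']}, not a commit")
        obj = fetch(f"repos/{repo}/git/tags/{obj['sha']}")["object"]
    raise ValueError(f"{tag}: tag chain deeper than 3, refusing to guess")

PIN_RE = re.compile(
    r"(?:-\s*)?uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<ver>v\d[\w.-]*)\s*$")

def check_pin(line: str) -> list[str]:
    """Lint one workflow `uses:` line against both rules from the PR."""
    m = PIN_RE.match(line.strip())
    if not m:
        return ["not pinned as <action>@<40-hex commit sha>  # vX.Y.Z"]
    problems = []
    if "." not in m.group("ver"):
        problems.append(f"bare-major comment '# {m.group('ver')}': Dependabot reads "
                        "the comment, so use the full version, e.g. '# v4.35.5'")
    return problems

# Constructed responses standing in for the two `gh api` calls quoted in the PR.
# The full tag-object SHA is a placeholder: the page shows only 'f25eda87...'.
TAG_OBJ_SHA = "f25eda87" + "0" * 32
COMMIT_SHA = "9e0d7b8d25671d64c341c19c0152d693099fb5ba"
FAKE_API = {
    "repos/github/codeql-action/git/ref/tags/v4.35.5":
        {"ref": "refs/tags/v4.35.5", "object": {"sha": TAG_OBJ_SHA, "type": "tag"}},
    f"repos/github/codeql-action/git/tags/{TAG_OBJ_SHA}":
        {"tag": "v4.35.5", "object": {"sha": COMMIT_SHA, "type": "commit"}},
}

def fake_fetch(path: str) -> dict:
    return FAKE_API[path]
```

Pass `fetch=gh_api` (the default) to resolve a real tag, or `fake_fetch` to exercise the dereference logic offline.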

… Node 20 deprecation)

SHA 458d36d7 -> 9e0d7b8d in scorecard.yml. Closes the Node 20 deprecation
banner firing on every Scorecard run since the workflow first landed.

v4 has been stable since 2026-03-27 with 6 patch releases (v4.35.0 ->
v4.35.5). GitHub publishes v3 and v4 in parallel during the deprecation
window; v3 is the last Node-20 major.

Both freshly-shipped pin-discipline rules applied:
- Pin to COMMIT SHA (9e0d7b8d), dereferenced from annotated-tag object
  (f25eda87) via `gh api repos/github/codeql-action/git/tags/<tag-obj-sha>
  --jq '.object.sha'`. Per
  feedback_action_sha_pin_commit_not_tag_object.md.
- Precise comment `# v4.35.5`, not bare `# v4`, so Dependabot tracks
  future bumps without falling into the bare-major blind spot. Per
  feedback_dependabot_precise_version_comment.md.

Inline comment in scorecard.yml documents both rules so a future bump
author doesn't have to re-derive the lesson.

Cross-repo note: ws-scrcpy-web's CodeQL advanced-setup workflow
(.github/workflows/codeql.yml) carries the same 458d36d7 pin in 3 places
(init + analyze + analyze, across both Rust matrix legs). Coordinated
bump worth doing in a separate session; ws-scrcpy-web TODO §27 already
flags the deprecation.

Closes control-menu TODO item 33 (surfaced 2026-05-19, shipped same day).
bilbospocketses merged commit c2cb21c into master May 19, 2026
5 checks passed
bilbospocketses deleted the chore/security-bump-codeql-action-v4 branch May 19, 2026 06:55