fix: update codeql-action to v4.35.2 and add SCORECARD_TOKEN #1445
The pinned SHA for github/codeql-action was flagged as an 'imposter commit' by the scorecard webapp, causing publish_results to fail with: 'imposter commit: 0e9f55954318745b37b7933c693bc093f7336125 does not belong to github/codeql-action/upload-sarif'

Updated to v4.35.2 (95e58e9a) which is a valid release commit. Also added repo_token input using SCORECARD_TOKEN secret for the Branch-Protection check.
Codecov Report: All modified and coverable lines are covered by tests.

| | main | #1445 | +/- |
|---|---|---|---|
| Coverage | 99.89% | 99.89% | |
| Files | 6 | 6 | |
| Lines | 955 | 955 | |
| Branches | 128 | 128 | |
| Hits | 954 | 954 | |
| Partials | 1 | 1 | |
Pull request overview
This PR updates pinned github/codeql-action SHAs used in the repository’s security workflows and adds a dedicated token input to the Scorecard workflow to support the Branch-Protection check.
Changes:
- Bump github/codeql-action/* from the previously pinned SHA to v4.35.2 (pinned by commit SHA).
- Add repo_token input to ossf/scorecard-action using secrets.SCORECARD_TOKEN.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/scorecard.yml | Adds repo_token for Scorecard and updates CodeQL SARIF upload action pin. |
| .github/workflows/codeql.yaml | Updates CodeQL init/analyze action pins to v4.35.2. |
| with: | ||
| results_file: results.sarif | ||
| results_format: sarif | ||
| repo_token: ${{ secrets.SCORECARD_TOKEN }} |
repo_token is always set to secrets.SCORECARD_TOKEN. If that secret is not configured, this expression resolves to an empty string and can override the action’s default token, causing authentication failures. Consider falling back to github.token (or conditionally setting repo_token) so the workflow still runs when the secret is absent, and/or document the required secret in the workflow comments.
| repo_token: ${{ secrets.SCORECARD_TOKEN }} | |
| # Prefer a dedicated Scorecard token when configured, but fall back | |
| # to the default GitHub token so the workflow still runs if the | |
| # secret is not set. | |
| repo_token: ${{ secrets.SCORECARD_TOKEN || github.token }} |
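Review bot: the fallback on the suggested repo_token line only changes which token is used, not what the Branch-Protection check can see, and the comment above it should say so. The expression works because an unset secret expands to an empty string, which is falsy in a workflow expression, so github.token is selected; but the PR description states the secret was added precisely because the Branch-Protection check needs a dedicated token, so without SCORECARD_TOKEN the run will succeed with a less complete Branch-Protection result rather than fail. Suggest extending the comment to "# ... secret is not set; without it the Branch-Protection check runs with reduced information." so a missing secret is not mistaken for a fully equivalent configuration.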