Upgrading GH action versions to fix authentication errors#646
Conversation
Reviewer's guide (collapsed on small PRs)Reviewer's GuideThis PR updates the GitHub Actions workflow for CodeQL analysis to use newer major versions of the checkout and CodeQL actions, which should address authentication errors with the older versions. Flow diagram for updated CodeQL GitHub Actions workflowflowchart TD
A[Workflow_dispatch_or_push] --> B[actions_checkout_v4]
B --> C[codeql_action_init_v3]
C --> D[codeql_action_autobuild_v3]
D --> E[codeql_action_analyze_v3]
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've found 2 issues, and left some high level feedback:
- Consider pinning the GitHub Actions to specific commit SHAs instead of just major versions (e.g.,
@v4/@v3) to reduce supply chain risk and ensure deterministic builds. - Since CodeQL is being upgraded from v2 to v3, double-check the v3 migration notes (e.g., any default behavior changes or new required configuration) to ensure the workflow still produces the desired analysis results.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- Consider pinning the GitHub Actions to specific commit SHAs instead of just major versions (e.g., `@v4`/`@v3`) to reduce supply chain risk and ensure deterministic builds.
- Since CodeQL is being upgraded from v2 to v3, double-check the v3 migration notes (e.g., any default behavior changes or new required configuration) to ensure the workflow still produces the desired analysis results.
## Individual Comments
### Comment 1
<location path=".github/workflows/codeql-analysis.yml" line_range="39-41" />
<code_context>
steps:
- name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Consider pinning the checkout action to a specific commit SHA for stronger supply-chain security.
Using a floating major tag means you automatically trust any future `v4` release, including a compromised one. For security‑sensitive workflows like CodeQL, prefer pinning to a specific commit SHA (and optionally annotating which version it corresponds to) so updates are explicit and controlled.
```suggestion
steps:
- name: Checkout repository
# Pinned to actions/checkout v4.1.1 for supply-chain security
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
```
</issue_to_address>
### Comment 2
<location path=".github/workflows/codeql-analysis.yml" line_range="45-48" />
<code_context>
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Pin CodeQL actions to exact SHAs or a locked version strategy rather than the floating v3 tag.
Because this workflow is security-sensitive, consider pinning `init`, `autobuild`, and `analyze` to specific commit SHAs (or at least fixed minor/patch versions) instead of the floating `v3` tag to reduce the risk of unexpected behavior or supply-chain changes when upstream updates `v3`.
Suggested implementation:
```
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
# Pinned to a specific commit SHA for security; update intentionally as needed.
uses: github/codeql-action/init@3ab410191c324a8f182a0ef673f70449f1e5ae08
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
```
```
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
# Pinned to the same CodeQL action commit SHA as init for consistency.
uses: github/codeql-action/autobuild@3ab410191c324a8f182a0ef673f70449f1e5ae08
```
1. Find the `analyze` step in this workflow (often named `Perform CodeQL Analysis` or similar) and replace `github/codeql-action/analyze@v3` with `github/codeql-action/analyze@3ab410191c324a8f182a0ef673f70449f1e5ae08`, including a short comment that it is pinned to a specific SHA.
2. If you decide to update to a newer CodeQL action release in the future, update the commit SHA consistently for `init`, `autobuild`, and `analyze`, and consider noting the corresponding upstream version in a comment for traceability.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v3 | ||
| uses: actions/checkout@v4 |
There was a problem hiding this comment.
🚨 suggestion (security): Consider pinning the checkout action to a specific commit SHA for stronger supply-chain security.
Using a floating major tag means you automatically trust any future v4 release, including a compromised one. For security‑sensitive workflows like CodeQL, prefer pinning to a specific commit SHA (and optionally annotating which version it corresponds to) so updates are explicit and controlled.
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| uses: actions/checkout@v4 | |
| steps: | |
| - name: Checkout repository | |
| # Pinned to actions/checkout v4.1.1 for supply-chain security | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 |
| uses: github/codeql-action/init@v3 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
| # If you wish to specify custom queries, you can do so here or in a config file. |
There was a problem hiding this comment.
🚨 suggestion (security): Pin CodeQL actions to exact SHAs or a locked version strategy rather than the floating v3 tag.
Because this workflow is security-sensitive, consider pinning init, autobuild, and analyze to specific commit SHAs (or at least fixed minor/patch versions) instead of the floating v3 tag to reduce the risk of unexpected behavior or supply-chain changes when upstream updates v3.
Suggested implementation:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
# Pinned to a specific commit SHA for security; update intentionally as needed.
uses: github/codeql-action/init@3ab410191c324a8f182a0ef673f70449f1e5ae08
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
# Pinned to the same CodeQL action commit SHA as init for consistency.
uses: github/codeql-action/autobuild@3ab410191c324a8f182a0ef673f70449f1e5ae08
- Find the
analyzestep in this workflow (often namedPerform CodeQL Analysisor similar) and replacegithub/codeql-action/analyze@v3withgithub/codeql-action/analyze@3ab410191c324a8f182a0ef673f70449f1e5ae08, including a short comment that it is pinned to a specific SHA. - If you decide to update to a newer CodeQL action release in the future, update the commit SHA consistently for
init,autobuild, andanalyze, and consider noting the corresponding upstream version in a comment for traceability.
305627b to
879e072
Compare
879e072 to
23c8556
Compare
|
LGTM, merging. |
Please make sure your PR meets the following requirements:
Summary by Sourcery
Update CodeQL analysis workflow to use the latest major versions of GitHub Actions.
Build: