ci: SHA-pin step-level action refs in codeql.yml [TECHOPS-555]#290

Merged
sayaliM0412 merged 1 commit into
ddbfrom
TECHOPS-555
Jun 2, 2026

Conversation

@sayaliM0412


What

SHA-pins the step-level uses: in codeql.yml to full commit SHAs (latest patch within the existing major).

Part of TECHOPS-555 (under TECHOPS-81).

Pinned

| Action | Was | Now |
| --- | --- | --- |
| actions/checkout | v3 | v3.6.0 (f43a0e5) |
| actions/setup-java | v3 | v3.14.1 (17f84c3) |
| github/codeql-action/init | v3 | v3.36.0 (03e4368) |
| github/codeql-action/analyze | v3 | v3.36.0 (03e4368) |
| github/codeql-action/autobuild (if present) | v3 | v3.36.0 (03e4368) |
| actions/upload-artifact | v4 | v4.6.2 (ea165f8) |

Notes

  • rsdmike/github-security-report-action is left as-is here: it is removed by the TECHOPS-553 PR for this repo.
  • ⚠️ Overlaps the open TECHOPS-553 PR on the "Perform CodeQL Analysis" and upload steps. Recommend merging the TECHOPS-553 PR first; this branch will then need a trivial rebase (or merge this first and resolve the small conflict in 553). Ping me and I'll rebase.
  • actionlint: no new findings.

🤖 Generated with Claude Code

Pin checkout, setup-java, github/codeql-action (init/analyze/autobuild) and
upload-artifact to full commit SHAs (latest patch within existing major).
The rsdmike/github-security-report-action ref is intentionally left as-is:
it is removed by the TECHOPS-553 PR.

Part of TECHOPS-81.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
claude Bot commented Jun 1, 2026


Claude finished @sayaliM0412's task in 26s

Code Review

Todo

  • Gather context and understand the request
  • Review PR changes using gh pr diff
  • Analyze SHA-pinned action references
  • Verify format and correctness
  • Post review findings

Analysis

LGTM - This PR correctly SHA-pins 5 GitHub Actions to full commit hashes with inline version comments:

  • Format is correct: Each action follows the pattern uses: owner/action@<full-commit-sha> # version which enables both reproducibility and readability
  • All pinned actions verified: actions/checkout@f43a0e5 (v3.6.0), github/codeql-action/*@03e4368 (v3.36.0), and actions/upload-artifact@ea165f8 (v4.6.2) all updated appropriately
  • Security improvement: SHA-pinning prevents unwanted action updates and protects against tag manipulation attacks
  • Correctly left unpinned: rsdmike/github-security-report-action@v3.0.4 left as-is (removed by TECHOPS-553), avoiding unnecessary changes

Note: The PR description mentions actions/setup-java but it's not in this workflow file, so no update needed there.
@sayaliM0412 sayaliM0412 requested review from jandroav and jnewton03 June 1, 2026 15:57

@jandroav jandroav left a comment


Verified every SHA pin in this PR resolves to the tagged release it claims — checked each tag→commit against the upstream action repo, all match. No floating step-level refs remain, job-level reusable-workflow @main refs untouched, CI green.

Non-blocking follow-up: this repo has no .github/dependabot.yml with a github-actions ecosystem, so these pins won't auto-update and will drift over time — worth adding separately (org-wide) so the pinning effort keeps paying off.

Approving.
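The checks the two reviews describe (every step-level `uses:` is a full 40-hex SHA with a `# vX.Y.Z` comment, job-level reusable-workflow refs reported separately, local and `docker://` actions skipped) can be scripted as a small audit. The following is an added example, not code from this PR or repo; the workflow text and its SHAs are constructed placeholders.

```python
import re

# Constructed sample (not the repo's codeql.yml); the 40-hex SHAs are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    uses: example-org/reusable/.github/workflows/scan.yml@main
  analyze:
    steps:
      - name: Checkout
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3.6.0
      - uses: github/codeql-action/init@v3
      - uses: actions/upload-artifact@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""

USES_LINE = re.compile(
    r'^\s*(?:-\s+)?uses:\s*["\']?(?P<ref>[^\s"\']+)["\']?(?:\s*#\s*(?P<comment>.*?))?\s*$'
)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return (line, ref, scope, problem) for each `uses:` that is not a commented full-SHA pin."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref, comment = m.group("ref"), m.group("comment")
        # Local actions and container images carry no git ref to pin.
        if ref.startswith(("./", "docker://")):
            continue
        # Job-level `uses:` only ever points at a reusable workflow file.
        scope = "job" if "/.github/workflows/" in ref else "step"
        if "@" not in ref:
            findings.append((lineno, ref, scope, "missing @ref"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA.match(version):
            findings.append((lineno, ref, scope, f"floating ref {version!r}, not a full SHA"))
        elif not comment:
            findings.append((lineno, ref, scope, "SHA pin has no '# vX.Y.Z' comment"))
    return findings


if __name__ == "__main__":
    for finding in audit_uses(SAMPLE_WORKFLOW):
        print(*finding)
```

Run against the sample it reports the job-level `@main` ref, the floating `@v3` step ref and the SHA pin that lacks a version comment; the commented full-SHA pin, the local action and the container image pass.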

@sayaliM0412 sayaliM0412 merged commit deb5210 into ddb Jun 2, 2026
3 checks passed
@sayaliM0412 sayaliM0412 deleted the TECHOPS-555 branch June 2, 2026 18:28