Skip to content

Commit 237547d

Browse files
committed
ci: fix imposter codeql-action pin across workflows
The pinned commit SHA for github/codeql-action did not belong to that repo (it resolves to no commit upstream). The OpenSSF Scorecard publish step rejects such 'imposter' pins with an HTTP 400, failing the Scorecard run; the same bad SHA was pinned in 9 places across three workflows. Repin all github/codeql-action uses (init/analyze/upload-sarif) to the verified commit for v4.37.0.
1 parent 555f9d1 commit 237547d

3 files changed

Lines changed: 9 additions & 9 deletions

File tree

.github/workflows/dev-containers.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -203,7 +203,7 @@ jobs:
203203
severity: ${{ env.SCAN_LEVEL == 'full' && 'CRITICAL,HIGH,MEDIUM' || 'CRITICAL,HIGH' }}
204204

205205
- name: Upload Trivy scan results
206-
uses: github/codeql-action/upload-sarif@dc73d59c2d7bd4f8194098a91219eeee6d8a1719 # v4
206+
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
207207
if: always()
208208
with:
209209
sarif_file: 'trivy-results-py${{ matrix.python-version }}.sarif'
@@ -219,7 +219,7 @@ jobs:
219219

220220
- name: Upload Hadolint scan results
221221
if: matrix.python-version == needs.config.outputs.default-python-version
222-
uses: github/codeql-action/upload-sarif@dc73d59c2d7bd4f8194098a91219eeee6d8a1719 # v4
222+
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
223223
with:
224224
sarif_file: hadolint-dockerfile.sarif
225225

.github/workflows/reusable-security.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -74,7 +74,7 @@ jobs:
7474
7575
- name: Upload Semgrep SARIF results
7676
if: inputs.scan-type == 'semgrep' && always()
77-
uses: github/codeql-action/upload-sarif@dc73d59c2d7bd4f8194098a91219eeee6d8a1719 # v4
77+
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
7878
with:
7979
sarif_file: semgrep.sarif
8080

@@ -96,7 +96,7 @@ jobs:
9696

9797
- name: Upload Trivy filesystem scan results
9898
if: inputs.scan-type == 'trivy-fs' && always()
99-
uses: github/codeql-action/upload-sarif@dc73d59c2d7bd4f8194098a91219eeee6d8a1719 # v4
99+
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
100100
with:
101101
sarif_file: 'trivy-fs-results.sarif'
102102

@@ -118,7 +118,7 @@ jobs:
118118

119119
- name: Upload Hadolint SARIF results
120120
if: inputs.scan-type == 'hadolint' && always()
121-
uses: github/codeql-action/upload-sarif@dc73d59c2d7bd4f8194098a91219eeee6d8a1719 # v4
121+
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
122122
with:
123123
sarif_file: hadolint-results.sarif
124124

@@ -144,7 +144,7 @@ jobs:
144144
# TODO: ensure branch protection prevents direct pushes to main.
145145
- name: Initialize CodeQL
146146
if: inputs.scan-type == 'codeql'
147-
uses: github/codeql-action/init@dc73d59c2d7bd4f8194098a91219eeee6d8a1719 # v4
147+
uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
148148
with:
149149
languages: python
150150
queries: security-extended,security-and-quality
@@ -153,13 +153,13 @@ jobs:
153153

154154
- name: Initialize CodeQL (fallback)
155155
if: inputs.scan-type == 'codeql' && steps.codeql-init-extended.outcome == 'failure'
156-
uses: github/codeql-action/init@dc73d59c2d7bd4f8194098a91219eeee6d8a1719 # v4
156+
uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
157157
with:
158158
languages: python
159159
queries: security-and-quality
160160

161161
- name: Perform CodeQL Analysis
162162
if: inputs.scan-type == 'codeql'
163-
uses: github/codeql-action/analyze@dc73d59c2d7bd4f8194098a91219eeee6d8a1719 # v4
163+
uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
164164
with:
165165
category: "/language:python"

.github/workflows/scorecard.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,6 @@ jobs:
3535
publish_results: true
3636

3737
- name: Upload Scorecard SARIF results
38-
uses: github/codeql-action/upload-sarif@dc73d59c2d7bd4f8194098a91219eeee6d8a1719 # v4
38+
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
3939
with:
4040
sarif_file: scorecard-results.sarif

0 commit comments

Comments
 (0)