Skip to content

Upgrading GH action versions to fix authentication errors#646

Merged
mnovak merged 1 commit into
xtf-cz:mainfrom
simonpriadka:feature/bump-codeql-gh-actions-versions
Jun 15, 2026
Merged

Upgrading GH action versions to fix authentication errors#646
mnovak merged 1 commit into
xtf-cz:mainfrom
simonpriadka:feature/bump-codeql-gh-actions-versions

Conversation

@simonpriadka

@simonpriadka simonpriadka commented Jun 12, 2026

Copy link
Copy Markdown

Please make sure your PR meets the following requirements:

  • [ x] Pull Request contains a description of the changes
  • Pull Request does not include fixes for multiple issues/topics
  • Code is formatted, imports ordered, code compiles and tests are passing
  • [ x] Code is self-descriptive and/or documented

Summary by Sourcery

Update CodeQL analysis workflow to use the latest major versions of GitHub Actions.

Build:

  • Bump actions/checkout from v3 to v4 in the CodeQL analysis workflow.
  • Upgrade github/codeql-action init, autobuild, and analyze steps from v2 to v3 in the CodeQL analysis workflow.

@sourcery-ai

sourcery-ai Bot commented Jun 12, 2026

Copy link
Copy Markdown
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

This PR updates the GitHub Actions workflow for CodeQL analysis to use newer major versions of the checkout and CodeQL actions, which should address authentication errors with the older versions.

Flow diagram for updated CodeQL GitHub Actions workflow

flowchart TD
    A[Workflow_dispatch_or_push] --> B[actions_checkout_v4]
    B --> C[codeql_action_init_v3]
    C --> D[codeql_action_autobuild_v3]
    D --> E[codeql_action_analyze_v3]
Loading

File-Level Changes

Change Details Files
Update GitHub Actions workflow to latest supported action versions for checkout and CodeQL analysis.
  • Bump actions/checkout from v3 to v4 in the CodeQL analysis workflow.
  • Bump github/codeql-action init step from v2 to v3.
  • Bump github/codeql-action autobuild step from v2 to v3.
  • Bump github/codeql-action analyze step from v2 to v3.
.github/workflows/codeql-analysis.yml

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 2 issues, and left some high level feedback:

  • Consider pinning the GitHub Actions to specific commit SHAs instead of just major versions (e.g., @v4/@v3) to reduce supply chain risk and ensure deterministic builds.
  • Since CodeQL is being upgraded from v2 to v3, double-check the v3 migration notes (e.g., any default behavior changes or new required configuration) to ensure the workflow still produces the desired analysis results.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Consider pinning the GitHub Actions to specific commit SHAs instead of just major versions (e.g., `@v4`/`@v3`) to reduce supply chain risk and ensure deterministic builds.
- Since CodeQL is being upgraded from v2 to v3, double-check the v3 migration notes (e.g., any default behavior changes or new required configuration) to ensure the workflow still produces the desired analysis results.

## Individual Comments

### Comment 1
<location path=".github/workflows/codeql-analysis.yml" line_range="39-41" />
<code_context>
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

     # Initializes the CodeQL tools for scanning.
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Consider pinning the checkout action to a specific commit SHA for stronger supply-chain security.

Using a floating major tag means you automatically trust any future `v4` release, including a compromised one. For security‑sensitive workflows like CodeQL, prefer pinning to a specific commit SHA (and optionally annotating which version it corresponds to) so updates are explicit and controlled.

```suggestion
    steps:
    - name: Checkout repository
      # Pinned to actions/checkout v4.1.1 for supply-chain security
      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
```
</issue_to_address>

### Comment 2
<location path=".github/workflows/codeql-analysis.yml" line_range="45-48" />
<code_context>
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Pin CodeQL actions to exact SHAs or a locked version strategy rather than the floating v3 tag.

Because this workflow is security-sensitive, consider pinning `init`, `autobuild`, and `analyze` to specific commit SHAs (or at least fixed minor/patch versions) instead of the floating `v3` tag to reduce the risk of unexpected behavior or supply-chain changes when upstream updates `v3`.

Suggested implementation:

```
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      # Pinned to a specific commit SHA for security; update intentionally as needed.
      uses: github/codeql-action/init@3ab410191c324a8f182a0ef673f70449f1e5ae08
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.

```

```
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
      # Pinned to the same CodeQL action commit SHA as init for consistency.
      uses: github/codeql-action/autobuild@3ab410191c324a8f182a0ef673f70449f1e5ae08

```

1. Find the `analyze` step in this workflow (often named `Perform CodeQL Analysis` or similar) and replace `github/codeql-action/analyze@v3` with `github/codeql-action/analyze@3ab410191c324a8f182a0ef673f70449f1e5ae08`, including a short comment that it is pinned to a specific SHA.
2. If you decide to update to a newer CodeQL action release in the future, update the commit SHA consistently for `init`, `autobuild`, and `analyze`, and consider noting the corresponding upstream version in a comment for traceability.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment on lines 39 to +41
steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 suggestion (security): Consider pinning the checkout action to a specific commit SHA for stronger supply-chain security.

Using a floating major tag means you automatically trust any future v4 release, including a compromised one. For security‑sensitive workflows like CodeQL, prefer pinning to a specific commit SHA (and optionally annotating which version it corresponds to) so updates are explicit and controlled.

Suggested change
steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4
steps:
- name: Checkout repository
# Pinned to actions/checkout v4.1.1 for supply-chain security
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

Comment thread .github/workflows/codeql-analysis.yml Outdated
Comment on lines 45 to 48
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 suggestion (security): Pin CodeQL actions to exact SHAs or a locked version strategy rather than the floating v3 tag.

Because this workflow is security-sensitive, consider pinning init, autobuild, and analyze to specific commit SHAs (or at least fixed minor/patch versions) instead of the floating v3 tag to reduce the risk of unexpected behavior or supply-chain changes when upstream updates v3.

Suggested implementation:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      # Pinned to a specific commit SHA for security; update intentionally as needed.
      uses: github/codeql-action/init@3ab410191c324a8f182a0ef673f70449f1e5ae08
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.

    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
      # Pinned to the same CodeQL action commit SHA as init for consistency.
      uses: github/codeql-action/autobuild@3ab410191c324a8f182a0ef673f70449f1e5ae08

  1. Find the analyze step in this workflow (often named Perform CodeQL Analysis or similar) and replace github/codeql-action/analyze@v3 with github/codeql-action/analyze@3ab410191c324a8f182a0ef673f70449f1e5ae08, including a short comment that it is pinned to a specific SHA.
  2. If you decide to update to a newer CodeQL action release in the future, update the commit SHA consistently for init, autobuild, and analyze, and consider noting the corresponding upstream version in a comment for traceability.

@simonpriadka simonpriadka force-pushed the feature/bump-codeql-gh-actions-versions branch 2 times, most recently from 305627b to 879e072 Compare June 12, 2026 19:45
@simonpriadka simonpriadka force-pushed the feature/bump-codeql-gh-actions-versions branch from 879e072 to 23c8556 Compare June 12, 2026 19:52
@mnovak mnovak merged commit bd59f37 into xtf-cz:main Jun 15, 2026
6 checks passed
@mnovak

mnovak commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

LGTM, merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants