Bumps the aws group with 1 update: [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials).

Updates `aws-actions/configure-aws-credentials` from 4 to 6
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](aws-actions/configure-aws-credentials@v4...v6)

---
updated-dependencies:
- dependency-name: aws-actions/configure-aws-credentials
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: aws
...

Signed-off-by: dependabot[bot] <support@github.com>
…evelop/aws-e11c4ba6fd chore(deps): bump aws-actions/configure-aws-credentials from 4 to 6 in the aws group
… in READMEs (#160)
* chore(refs): pin all @develop refs to v1.18.0 in workflows and v1.x.x in README examples
* fix(lint): quote GITHUB_OUTPUT in release-notification SC2086
Bumps the security-scanners group with 1 update: [securego/gosec](https://github.com/securego/gosec).

Updates `securego/gosec` from 2.24.7 to 2.25.0
- [Release notes](https://github.com/securego/gosec/releases)
- [Commits](securego/gosec@v2.24.7...v2.25.0)

---
updated-dependencies:
- dependency-name: securego/gosec
  dependency-version: 2.25.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: security-scanners
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…141) Bumps the go-tooling group with 1 update: [fgrosse/go-coverage-report](https://github.com/fgrosse/go-coverage-report).

Updates `fgrosse/go-coverage-report` from 1.2.0 to 1.3.0
- [Release notes](https://github.com/fgrosse/go-coverage-report/releases)
- [Changelog](https://github.com/fgrosse/go-coverage-report/blob/main/CHANGELOG.md)
- [Commits](fgrosse/go-coverage-report@v1.2.0...v1.3.0)

---
updated-dependencies:
- dependency-name: fgrosse/go-coverage-report
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-tooling
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…oup (#163) Bumps the actions-core group with 1 update: [actions/checkout](https://github.com/actions/checkout).

Updates `actions/checkout` from 4 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-core
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…scan (#162)
* ci(codeql): add CodeQL analysis workflow for this repository
* ci(codeql): extract CodeQL steps into composites and improve workflow
  Extract init and analyze steps into reusable composite actions under src/security/. Remove schedule trigger (moving to future schedule-job), remove unnecessary matrix strategy, and add YAML path filters.
  New composites:
  - src/security/codeql-init — initializes CodeQL with security-extended suite
  - src/security/codeql-analyze — performs analysis and uploads SARIF results
* refactor(codeql): use changed-workflows composite and remove push trigger
  Reuse existing changed-workflows composite for file detection instead of inline git diff. CodeQL analysis now only runs when action/workflow YAML files are changed in PRs. Full repo scan will move to a future schedule-job.
* docs(codeql-analyze): add actions:read to permissions section
  Align codeql-analyze README permissions with codeql-init for consistency, since both composites are used together.
* docs(codeql): document wrapped upstream actions in READMEs
  Add references to github/codeql-action/init and github/codeql-action/analyze in composite README descriptions for transparency.
* feat(security): add CodeQL to pr-security-scan and consolidate self-codeql into self-pr-validation
  Add CodeQL as optional feature in pr-security-scan.yml with new inputs (enable_codeql, codeql_languages, codeql_queries). Create codeql-reporter composite that reads SARIF and posts findings as PR comments. Remove standalone self-codeql.yml and move CodeQL analysis into self-pr-validation.yml as a job alongside existing linters.
* refactor(security): extract CodeQL config generation into codeql-config composite
  Create src/security/codeql-config composite that generates a dynamic CodeQL configuration scoped to changed paths. Supports both file lists (extracts parent dirs) and directory lists (uses as-is). Update self-pr-validation.yml and pr-security-scan.yml to use the new composite instead of inline shell scripts.
* fix(security): address code injection risks and improve robustness
  Move ${{ }} interpolations to env: blocks in pr-security-scan.yml and codeql-config composite to prevent shell injection. Fix path-mode detection in pr-security-scan to correctly switch between dirs/files mode based on actual fallback behavior. Remove overly broad permissions from self-pr-validation.yml workflow level. Add SARIF availability detection in codeql-reporter to avoid false negatives.
* fix(codeql-reporter): mark SARIF unavailable on parse errors and move outputs to env
  Set sarifAvailable = false when SARIF parsing fails to prevent false negatives. Move step output interpolations to env: blocks for consistency with the injection prevention pattern.
* fix(codeql-reporter): separate parse errors from SARIF unavailability
  Track parse errors independently so a corrupt SARIF file does not suppress findings from other valid SARIF files. Only show the unavailable warning when no SARIF directory or files exist at all.
* revert(pr-security-scan): remove CodeQL changes from reusable workflow
  Remove CodeQL integration from pr-security-scan.yml — will be added in a separate PR with proper planning for external consumers.
* fix(codeql-config): use exact file paths instead of parent directories
  The dirname extraction was causing CodeQL to scan entire directories (e.g., all of .github/workflows/) instead of only the changed files. Now uses exact file paths in the config, ensuring CodeQL only analyzes the specific files that were modified in the PR.
* fix(codeql-reporter): add PR filter to security tab link
  Pre-filter the Security tab URL with pr:<number>+is:open so the link opens directly to the findings for the current PR.
* fix(security): warn on partial parse errors and remove dead path-mode input
  Add warning in codeql-reporter when findings exist but some SARIF files failed to parse. Remove unused path-mode input and PATH_MODE env var from codeql-config (became dead code after dirname removal).
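The hardening pattern these commits describe (moving `${{ }}` interpolations out of `run:` scripts and into `env:` blocks, quoting `$GITHUB_OUTPUT` for SC2086, and guarding `cd` for SC2164) is easiest to see with the weak step next to the fixed one. The reusable workflow below is an added illustration, not a file from this repository; the workflow name, the `working_dir` input and the step names are assumptions. The `risky` job shows the shape CodeQL and actionlint flag: the Actions runner substitutes the expression into the script text before bash parses it, so any PR author who controls the title controls shell source. The `hardened` job binds the same expression to an environment variable, which bash then treats as data.

```yaml
# Constructed example: a reusable workflow showing both forms side by side.
# Not part of this repository; names and inputs are assumed.
name: pr-title-check-example

on:
  workflow_call:
    inputs:
      working_dir:
        description: Directory of the component to inspect (assumed input name)
        type: string
        default: .

jobs:
  risky:
    runs-on: ubuntu-latest
    steps:
      # WEAK: the ${{ }} expression is expanded into the script text by the
      # runner before bash sees it, so attacker-controlled PR metadata is
      # parsed as shell code. This is the pattern the fix commit removes.
      - name: Echo title (expression inlined into the script)
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          cd ${{ inputs.working_dir }}
          echo "title_length=$(echo -n '${{ github.event.pull_request.title }}' | wc -c)" >> $GITHUB_OUTPUT

  hardened:
    runs-on: ubuntu-latest
    steps:
      # SAFE: expressions are bound to environment variables in env:, so the
      # shell receives their values as data and never re-parses them.
      - name: Echo title (expression passed via env)
        id: title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          WORKING_DIR: ${{ inputs.working_dir }}
        run: |
          # Double quotes keep the value a single word even if it contains
          # spaces, globs or shell metacharacters.
          echo "PR title: $PR_TITLE"
          # SC2164: never keep running in the wrong directory if cd fails.
          cd "$WORKING_DIR" || exit 1
          # SC2086: quote the output file path; the value itself is written
          # verbatim and is not evaluated by the runner.
          echo "title_length=${#PR_TITLE}" >> "$GITHUB_OUTPUT"

      # Step outputs are read back the same way: via env:, not inline.
      - name: Use the computed output
        env:
          TITLE_LENGTH: ${{ steps.title.outputs.title_length }}
        run: |
          echo "Title is $TITLE_LENGTH bytes long"
```

The same rule applies to composite actions: any `inputs.*`, `github.event.*` or `steps.*.outputs.*` value that reaches a `run:` script should arrive through `env:`. actionlint and CodeQL's workflow queries both report the inline form, which is what makes the lint jobs on this PR a useful regression check for the pattern.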
…es (#165)
* feat(build): add build_context_from_working_dir input for independent modules
  Adds a new boolean input to build.yml and pr-security-scan.yml that uses the component working_dir as Docker build context instead of the repo root. This enables building tools/services with their own go.mod without conflicting with the main project dependencies.
* fix(gitops): change enable_docker_login default to false
  GitOps updates only modify YAML files in the gitops repo and do not pull or push Docker images. Docker login is unnecessary by default and can be explicitly enabled when needed.
* fix(gitops): remove trailing spaces and add cd guard for shellcheck
  Fix pre-existing lint issues:
  - Remove trailing whitespace from 17 lines
  - Add || exit 1 to cd commands (SC2164)
🔍 Lint Analysis
❌ Failures (3)
- YAML Lint
- Action Lint
- Shell Check
CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
🛡️ CodeQL Analysis Results
Languages analyzed:
Found 44 issue(s): 44 Medium
... and 14 more findings.
🔍 View full scan logs | 🛡️ Security tab
GitHub Actions Shared Workflows
Description
Type of Change
- feat: New workflow or new input/output/step in an existing workflow
- fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
- perf: Performance improvement (e.g. caching, parallelism, reduced steps)
- refactor: Internal restructuring with no behavior change
- docs: Documentation only (README, docs/, inline comments)
- ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
- chore: Dependency bumps, config updates, maintenance
- test: Adding or updating tests
- BREAKING CHANGE: Callers must update their configuration after this PR
Breaking Changes
None.
Testing
@develop or the beta tag
Caller repo / workflow run:
Related Issues
Closes #