ci: bump github/codeql-action from 3.26.7 to 3.26.8 in the all-actions group #146
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
dependabot
bot
added
the
dependencies
|
@evelikov is it going to be this annoying? I don't feel like tracking the minor version if we have to keep applying 1 commit every week to update it |
dependabot
bot
force-pushed
the
dependabot/github_actions/all-actions-366513d706
branch
from
bca2959 to
14a3db4
Compare
|
I think the key point is that codeql (or github actions as a whole I believe) rewrite the major tag. So as Which is the key point why security people recommend using hashes, instead of tags. I hope that codeql are being temporarily overzealous with the releases, but if it's too annoying feel free to switch to |
|
Looking through their 3.26 and 3.25 tags ... it's 1-2 tags every week. Which is borderline ridiculous IMHO - will open an issue asking them to reconsider. In the meantime - do whatever you think is best. Even if that means removing/disabling the action. |
|
We can also change depenabot to check monthly for updates - depehttps://github.com//pull/150 |
what's the benefit if then dependabot raises a PR with the update? I'm certainly not going to review once a week or once a month when codeql is updated. As long as codeql has a readonly token, I don't really care if it's running 3.26.5 or 3.26.7. The only issue would be if it started to cause noise with different results depending on the version used. But in that case we should then consider disabling the whole thing as it's useless. |
|
Unlike other actions, this one has Personally I skim through the action change log, although it's by no means a full/proper audit or anything. I don't have an opinion - I suggest using what you feel most comfortable with. |
dependabot
bot
force-pushed
the
dependabot/github_actions/all-actions-366513d706
branch
from
14a3db4 to
669b4b6
Compare
Bumps the all-actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action). Updates `github/codeql-action` from 3.26.7 to 3.26.8 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@8214744...294a9d9) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-actions ... Signed-off-by: dependabot[bot] <[email protected]> Link: #146 Signed-off-by: Lucas De Marchi <[email protected]>
lucasdemarchi
force-pushed
the
dependabot/github_actions/all-actions-366513d706
branch
from
669b4b6 to
6714d2a
Compare
|
Looks like github/codeql-action is updatable in another way, so this is no longer needed. |
dependabot
bot
deleted the
dependabot/github_actions/all-actions-366513d706
branch
Bumps the all-actions group with 1 update: github/codeql-action.
Updates
github/codeql-actionfrom 3.26.7 to 3.26.8Changelog
Sourced from github/codeql-action's changelog.
... (truncated)
Commits
294a9d9Merge pull request #2490 from github/update-v3.26.8-64431c66d00b3604Update changelog for v3.26.864431c6Merge pull request #2483 from github/update-bundle/codeql-bundle-v2.19.0e0e2d75Merge branch 'main' into update-bundle/codeql-bundle-v2.19.0cb28816Merge pull request #2487 from rvermeulen/rvermeulen/uri-errors-as-warnings498c508Rebuild JavaScript filesa1a585fMerge branch 'main' into rvermeulen/uri-errors-as-warnings34666c1Merge pull request #2488 from github/henrymercer/debug-artifacts-better-logging6e24973Improve logging for combined SARIF debug artifactd0a3cf2Improve logging for debug artifactsDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions