10 changes: 6 additions & 4 deletions .github/workflows/codeql.yml
Expand Up @@ -16,9 +16,11 @@ name: "CodeQL"

on:
push:
branches: [ "master" ]
branches:
- master
pull_request:
branches: [ "master" ]
branches:
- master
schedule:
- cron: '28 4 * * 2'

Expand Down Expand Up @@ -71,7 +73,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
Expand Down Expand Up @@ -99,6 +101,6 @@ jobs:
exit 1

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
with:
category: "/language:${{matrix.language}}"
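Review bot: The `github/codeql-action` pin is moved to the same commit SHA on the init step and the analyze step, but the stretch of the workflow between the second and third hunks is not shown; if it contains another `github/codeql-action/*` step (an autobuild step is the usual one, given the `exit 1` failure path visible as context), it should be moved to the same SHA so every CodeQL step runs one toolchain version. The `# v4.31.0` trailer next to each pin is the only human-readable version marker and what update tooling uses to track the SHA, so it should stay accurate on every `uses:` line. The jobs block these steps belong to starts before the hunks.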
174 changes: 87 additions & 87 deletions .github/workflows/compliance.yml
Expand Up @@ -4,11 +4,11 @@
name: Compliance Checks

on:
push:
branches:
push:
branches:
- master
pull_request:
branches:
pull_request:
branches:
- master

concurrency:
Expand Down Expand Up @@ -37,82 +37,82 @@ jobs:

CheckSignedOffCommit:
if: >
github.event_name == 'push' &&
!contains(github.actor, '[bot]') &&
!contains(github.event.pusher.name, '[bot]') &&
github.event.pusher.name != 'web-flow'
github.event_name == 'push' &&
!contains(github.actor, '[bot]') &&
!contains(github.event.pusher.name, '[bot]') &&
github.event.pusher.name != 'web-flow'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0

- name: Determine pushed commits
id: range
run: |
set -euo pipefail

# Use GitHub-provided SHAs to build the range for this push
BEFORE="${{ github.event.before }}"
AFTER="${{ github.sha }}"

if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
then
# New branch or force push without previous SHA
git rev-list --no-merges "$AFTER" > shas.txt
else
git rev-list --no-merges "$BEFORE".."$AFTER" > shas.txt
fi

- name: Check for Signed-off-by
run: |
set -euo pipefail
missing=""

while read -r sha
do
[ -n "$sha" ] || continue

# Skip commits from bots
committer_name=`git log --format=%cn -n 1 "$sha"`
committer_email=`git log --format=%ce -n 1 "$sha"`
if echo "$committer_name" | grep -Fq '[bot]' \
|| [ "$committer_name" = "web-flow" ] \
|| echo "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$'
then
echo "Skipping commit $sha from $committer_name <$committer_email>"
continue
fi

msg=`git log --format=%B -n 1 "$sha"`

if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
then
echo "Commit $sha missing Signed-off-by"
missing="true"

echo "Committer name: $committer_name"
echo "Committer email: $committer_email"
echo "github.actor: ${{ github.actor }}"
echo "github.event.pusher.name: ${{ github.event.pusher.name }}"
fi
done < shas.txt

if [ "$missing" = "true" ]
then
echo "DCO check failed on push"
exit 1
fi

echo "All pushed commits are signed"
- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0

- name: Determine pushed commits
id: range
run: |
set -euo pipefail

# Use GitHub-provided SHAs to build the range for this push
BEFORE="${{ github.event.before }}"
AFTER="${{ github.sha }}"

if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
then
# New branch or force push without previous SHA
git rev-list --no-merges "$AFTER" > shas.txt
else
git rev-list --no-merges "$BEFORE".."$AFTER" > shas.txt
fi

- name: Check for Signed-off-by
run: |
set -euo pipefail
missing=""

while read -r sha
do
[ -n "$sha" ] || continue

# Skip commits from bots
committer_name=`git log --format=%cn -n 1 "$sha"`
committer_email=`git log --format=%ce -n 1 "$sha"`
if echo "$committer_name" | grep -Fq '[bot]' \
|| [ "$committer_name" = "web-flow" ] \
|| echo "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$'
then
echo "Skipping commit $sha from $committer_name <$committer_email>"
continue
fi

msg=`git log --format=%B -n 1 "$sha"`

if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
then
echo "Commit $sha missing Signed-off-by"
missing="true"

echo "Committer name: $committer_name"
echo "Committer email: $committer_email"
echo "github.actor: ${{ github.actor }}"
echo "github.event.pusher.name: ${{ github.event.pusher.name }}"
fi
done < shas.txt

if [ "$missing" = "true" ]
then
echo "DCO check failed on push"
exit 1
fi

echo "All pushed commits are signed"

CheckSignedOffPullRequest:
if: github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'bypass-dco')
Expand All @@ -124,25 +124,25 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
egress-policy: audit

- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
fetch-depth: 0

- name: Get PR commits
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
gh --version
jq --version

# Fetch all commits of the PR with pagination and extract SHAs
gh api -H "Accept: application/vnd.github+json" --paginate \
repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
| jq -r '.[].sha' > shas.txt
set -euo pipefail
gh --version
jq --version

# Fetch all commits of the PR with pagination and extract SHAs
gh api -H "Accept: application/vnd.github+json" --paginate \
repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
| jq -r '.[].sha' > shas.txt

- name: Check for Signed-off-by
run: |
3 changes: 2 additions & 1 deletion .github/workflows/dependency-review.yml
Expand Up @@ -10,7 +10,8 @@
#
# Source repository: https://github.com/actions/dependency-review-action
name: 'Dependency Review'
on: [pull_request]
on:
- pull_request

permissions:
contents: read