From ded841cc6226e1073244938ee145cc48c23b4d28 Mon Sep 17 00:00:00 2001
From: Nathan Randall
Date: Thu, 26 Mar 2026 19:51:53 -0600
Subject: [PATCH 1/3] Pin actions to full-length commit SHAs
This commit:
- pins each GitHub Action, regardless of publisher/maintainter, to its full-length commit SHA (instead of tag) to ensure that all actions refs are immutable;
- updates the .github/instructions/*.md for actions and workflows;
---
 .../setup-codeql-environment/action.yml | 28 +++++++++----------
 .../github_workflows_yaml.instructions.md | 9 +++---
 .../workflow-template.yml | 4 +--
 .../workflows/build-and-test-extension.yml | 6 ++--
 .github/workflows/build-server.yml | 4 +--
 .../workflows/client-integration-tests.yml | 8 +++---
 .github/workflows/copilot-setup-steps.yml | 6 ++--
 .github/workflows/dependency-review.yml | 4 +--
 .github/workflows/lint-and-format.yml | 4 +--
 .github/workflows/query-unit-tests-swift.yml | 4 +--
 .github/workflows/query-unit-tests.yml | 4 +--
 .github/workflows/release-codeql.yml | 4 +--
 .github/workflows/release-npm.yml | 6 ++--
 .github/workflows/release-tag.yml | 4 +--
 .github/workflows/release-vsix.yml | 6 ++--
 .github/workflows/release.yml | 8 +++---
 .github/workflows/update-codeql.yml | 8 +++---
 17 files changed, 59 insertions(+), 58 deletions(-)
diff --git a/.github/actions/setup-codeql-environment/action.yml b/.github/actions/setup-codeql-environment/action.yml
index 780d7dd1..c2702f07 100644
--- a/.github/actions/setup-codeql-environment/action.yml
+++ b/.github/actions/setup-codeql-environment/action.yml
@@ -82,7 +82,7 @@ runs:
 - name: Cache `gh-codeql` extension and CodeQL packages (Unix)
 id: cache-codeql-unix
 if: runner.os != 'Windows'
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
 with:
 path: |
 ~/.local/share/gh-codeql
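Review bot: The trailing `# v5` on the new `uses:` line is the only thing that ties `668228422ae6a00e4ad889ee87cd7109ec5666a7` to a release, and `v5` is a major-version tag that is conventionally moved forward on each v5.x release, so the comment does not say which release was pinned and will quietly go stale. Before merging, confirm each SHA in this series is reachable from the named tag in the upstream repository, not merely that it exists (e.g. `git ls-remote https://github.com/actions/cache.git 'refs/tags/v5*'` and compare the peeled `^{}` line), and consider recording the exact release tag in the comment (`# vMAJOR.MINOR.PATCH`) so a later audit or an automated updater can match SHA and comment unambiguously. If the repo does not already have a `.github/dependabot.yml` entry for the `github-actions` ecosystem, add one, otherwise these pins will never move and the immutability gained here becomes a slow drift away from upstream security fixes.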
@@ -94,7 +94,7 @@ runs:
 - name: Cache `gh-codeql` extension and CodeQL packages (Windows)
 id: cache-codeql-windows
 if: runner.os == 'Windows'
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
 with:
 path: |
 ~\AppData\Local\GitHub\gh-codeql
@@ -320,7 +320,7 @@ runs:
 - name: Setup Node.js
 if: inputs.install-language-runtimes == 'true'
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 cache: 'npm'
 cache-dependency-path: 'package-lock.json'
@@ -330,7 +330,7 @@ runs:
 - name: Cache language runtimes
 id: cache-runtimes
 if: inputs.install-language-runtimes == 'true'
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
 with:
 path: |
 ~/go/pkg/mod
@@ -344,20 +344,20 @@ runs:
 - name: Setup Python (with cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'python') && steps.check-deps.outputs.python-deps == 'true'
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: ${{ inputs.python-version }}
 cache: 'pip'
 - name: Setup Python (without cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'python') && steps.check-deps.outputs.python-deps == 'false'
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: ${{ inputs.python-version }}
 - name: Setup Java (with cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'java') && steps.check-deps.outputs.java-deps == 'true'
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: 'temurin'
 java-version: ${{ inputs.java-version }}
@@ -365,21 +365,21 @@ runs:
 - name: Setup Java (without cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'java') && steps.check-deps.outputs.java-deps == 'false'
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: 'temurin'
 java-version: ${{ inputs.java-version }}
 - name: Setup Go (with cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'go') && steps.check-deps.outputs.go-deps == 'true'
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
 with:
 go-version: ${{ inputs.go-version }}
 cache: true
 - name: Setup Go (without cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'go') && steps.check-deps.outputs.go-deps == 'false'
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
 with:
 go-version: ${{ inputs.go-version }}
 cache: false
@@ -388,7 +388,7 @@ runs:
 - name: Cache .NET packages
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'csharp')
 id: cache-dotnet-packages
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
 with:
 path: |
 ~/.nuget/packages
@@ -400,20 +400,20 @@ runs:
 - name: Setup .NET (for C#)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'csharp')
- uses: actions/setup-dotnet@v5
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5
 with:
 dotnet-version: ${{ inputs.dotnet-version }}
 - name: Setup Ruby (with cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'ruby') && steps.check-deps.outputs.ruby-deps == 'true'
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@4dc28cf14d77b0afa6832d9765ac422dbf0dfedd # v1
 with:
 ruby-version: ${{ inputs.ruby-version }}
 bundler-cache: true
 - name: Setup Ruby (without cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'ruby') && steps.check-deps.outputs.ruby-deps == 'false'
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@4dc28cf14d77b0afa6832d9765ac422dbf0dfedd # v1
 with:
 ruby-version: ${{ inputs.ruby-version }}
 bundler-cache: false
diff --git a/.github/instructions/github_workflows_yaml.instructions.md b/.github/instructions/github_workflows_yaml.instructions.md
index 382ffc4f..595d85c4 100644
--- a/.github/instructions/github_workflows_yaml.instructions.md
+++ b/.github/instructions/github_workflows_yaml.instructions.md
@@ -1,17 +1,18 @@
 ---
-applyTo: '.github/workflows/*.{yml,yaml}'
+applyTo: '.github/{actions,workflows}/*.{yml,yaml}'
 description: 'Instructions for editing GitHub Actions workflows for this repository.'
 ---
-# Copilot Instructions for `.github/workflows/*.{yml,yaml}` files
+# Copilot Instructions for `.github/{actions,workflows}/*.{yml,yaml}` files
 ## PURPOSE
-This file contains instructions for working with GitHub Actions workflow files in the `.github/workflows/` directory of the `codeql-development-mcp-server` repository.
+This file contains instructions for working with GitHub Actions YAML files in the `.github/actions/` and `.github/workflows/` directories of the `codeql-development-mcp-server` repository.
 ## REQUIREMENTS
 - **ALWAYS run `npm run build-and-test` from the repo root directory and ensure it passes completely before committing any changes. This is MANDATORY and must be verified before every commit.**
+- **ALWAYS pin ALL external GitHub Actions to full-length commit SHAs, never to tags or branch names — including GitHub-maintained `actions/*` actions.** Add a trailing comment with the original tag for readability (e.g., `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`). To resolve a tag to its commit SHA, run `git ls-remote https://github.com/OWNER/REPO.git refs/tags/TAG` (or `refs/heads/BRANCH` for branch-based refs).
 - ALWAYS use the principle of least privilege, and explicitly set `permissions` for workflows.
 - ALWAYS use valid YAML syntax and follow GitHub Actions workflow conventions.
 - ALWAYS follow best practices for GitHub Actions workflows including security, efficiency, and maintainability.
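Review bot: The new REQUIREMENTS bullet only instructs a coding assistant; nothing in this series makes an unpinned `uses:` fail CI, so a hand-edited `@v6` or `@main` will still merge silently and the rule will erode. Add an enforcing check to an existing lint job, for example a shell step such as `if grep -rnE 'uses: *[A-Za-z0-9_.-]+/[^@ ]+@' .github | grep -vE '@[0-9a-f]{40}( |$)'; then echo 'unpinned action ref'; exit 1; fi` (local `./.github/actions/...` references carry no `@` and are not matched), or run a dedicated auditor such as zizmor's unpinned-uses check, and state in this bullet that CI enforces it. Without enforcement the SHA pins also have no owner for updates, so the same bullet should say who or what (e.g. Dependabot for the `github-actions` ecosystem) bumps them.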
@@ -22,7 +23,6 @@ This file contains instructions for working with GitHub Actions workflow files i
 ## PREFERENCES
-- PREFER using the latest stable versions of GitHub Actions (e.g., `actions/checkout@v6`, `actions/setup-node@v6`).
 - PREFER explicit permissions declarations using the `permissions` key for security.
 - PREFER descriptive step names that include the workflow context (e.g., "Lint and Format - Checkout repository").
 - PREFER matrix strategies for testing multiple versions when applicable.
@@ -30,6 +30,7 @@ This file contains instructions for working with GitHub Actions workflow files i
 ## CONSTRAINTS
+- **NEVER reference an external GitHub Action by tag or branch name (e.g., `@v6`, `@main`). ALWAYS use the full 40-character commit SHA with a `# tag` comment.**
 - NEVER use overly broad permissions.
 - NEVER leave any trailing whitespace on any line.
 - NEVER use deprecated GitHub Actions or workflow syntax.
diff --git a/.github/skills/add-mcp-support-for-new-language/workflow-template.yml b/.github/skills/add-mcp-support-for-new-language/workflow-template.yml
index 1f0482ec..53c31aee 100644
--- a/.github/skills/add-mcp-support-for-new-language/workflow-template.yml
+++ b/.github/skills/add-mcp-support-for-new-language/workflow-template.yml
@@ -44,10 +44,10 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Set up CodeQL CLI
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@480db559a14342288b67e54bd959dd52dc3ee68f # v3
 with:
 languages: '{LANGUAGE}'
diff --git a/.github/workflows/build-and-test-extension.yml b/.github/workflows/build-and-test-extension.yml
index 180766f6..48993a66 100644
--- a/.github/workflows/build-and-test-extension.yml
+++ b/.github/workflows/build-and-test-extension.yml
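Review bot: In the workflow-template.yml hunk, pinning `github/codeql-action/init` to `480db559a14342288b67e54bd959dd52dc3ee68f` freezes more than the action code: as far as I know that action downloads a default CodeQL CLI bundle whose version is baked into the action release, so every workflow generated from this template will analyse with that bundle until the template itself is re-pinned. This repo tracks its CLI version separately (update-codeql.yml edits `.codeql-version`, visible later in this series), so the two can drift apart without anyone noticing. Add a comment above the step such as `# NOTE: the SHA also fixes the default CodeQL CLI bundle; keep in step with .codeql-version / Dependabot`, and make sure whatever process bumps the other pins also covers files under `.github/skills/`, which are outside the paths most action-update tooling scans by default.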
@@ -31,10 +31,10 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Setup Node.js environment
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 cache: 'npm'
 node-version-file: '.node-version'
@@ -64,7 +64,7 @@ jobs:
 install-language-runtimes: 'false'
 - name: Cache VS Code for integration tests
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
 with:
 key: vscode-test-${{ runner.os }}-stable
 path: extensions/vscode/.vscode-test
diff --git a/.github/workflows/build-server.yml b/.github/workflows/build-server.yml
index 766565d8..771017d9 100644
--- a/.github/workflows/build-server.yml
+++ b/.github/workflows/build-server.yml
@@ -29,10 +29,10 @@ jobs:
 steps:
 - name: Build Server - Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Build Server - Setup Node.js environment
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 cache: 'npm'
 node-version-file: '.node-version'
diff --git a/.github/workflows/client-integration-tests.yml b/.github/workflows/client-integration-tests.yml
index 58f94d22..85a0030f 100644
--- a/.github/workflows/client-integration-tests.yml
+++ b/.github/workflows/client-integration-tests.yml
@@ -44,10 +44,10 @@ jobs:
 steps:
 - name: MCP Integration Tests - Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: MCP Integration Tests - Setup Node.js environment
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 cache: 'npm'
 node-version-file: '.node-version'
@@ -157,10 +157,10 @@ jobs:
 steps:
 - name: CODEQL_PATH Tests - Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: CODEQL_PATH Tests - Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 cache: 'npm'
 node-version-file: '.node-version'
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index 1ef7204f..1bd1a857 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -36,7 +36,7 @@ jobs:
 steps:
 - name: Copilot Setup - Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 ## TODO : fix and/or rework to avoid "token not provided" error when this workflow
 ## is initiated purely for use by Copilot Coding Agent (CCA) (i.e. not triggered
 ## by normal code change). Uncomment the `with` section or refactor approach.
@@ -45,7 +45,7 @@ jobs:
 # token: ${{ secrets.QL_DEV_TOKEN }}
 - name: Copilot Setup - Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 cache: 'npm'
 node-version-file: '.node-version'
@@ -78,7 +78,7 @@ jobs:
 npm run bundle:server
 - name: Copilot Setup - Cache VS Code for integration tests
- uses: actions/cache@v5
+ uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
 with:
 key: vscode-test-${{ runner.os }}-stable
 path: extensions/vscode/.vscode-test
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 71e33d01..13c72eec 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
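Review bot: The re-pinned checkout step in the copilot-setup-steps.yml `@@ -36` hunk sits directly above a TODO that says its commented-out `with:` block (`# token: ${{ secrets.QL_DEV_TOKEN }}`, visible as context in the next hunk) is meant to be re-enabled. When that happens, `actions/checkout` writes the supplied token into the workspace's `.git/config` by default (`persist-credentials` is true unless overridden), where every later step in the job — including `npm` scripts and the bundled server started during setup — can read it. Add `with:` / `persist-credentials: false` to this step now, so reinstating the PAT later does not silently widen its exposure; if a later step genuinely needs to push, pass the token to that step explicitly instead. The step list continues outside this hunk, so I cannot see whether anything downstream already depends on persisted credentials.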
@@ -13,9 +13,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Dependency Review
- uses: actions/dependency-review-action@v4
+ uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
 with:
 config-file: '.github/dependency-review-config.yml'
diff --git a/.github/workflows/lint-and-format.yml b/.github/workflows/lint-and-format.yml
index 90008155..99c07c33 100644
--- a/.github/workflows/lint-and-format.yml
+++ b/.github/workflows/lint-and-format.yml
@@ -17,10 +17,10 @@ jobs:
 steps:
 - name: Lint and Format - Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Lint and Format - Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 cache: 'npm'
 node-version-file: '.node-version'
diff --git a/.github/workflows/query-unit-tests-swift.yml b/.github/workflows/query-unit-tests-swift.yml
index 76f408dc..3f475a05 100644
--- a/.github/workflows/query-unit-tests-swift.yml
+++ b/.github/workflows/query-unit-tests-swift.yml
@@ -33,10 +33,10 @@ jobs:
 steps:
 - name: Query Unit Tests - swift - Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Query Unit Tests - swift - Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 cache: 'npm'
 node-version-file: '.node-version'
diff --git a/.github/workflows/query-unit-tests.yml b/.github/workflows/query-unit-tests.yml
index 5cee2582..3beed8f5 100644
--- a/.github/workflows/query-unit-tests.yml
+++ b/.github/workflows/query-unit-tests.yml
@@ -46,10 +46,10 @@ jobs:
 steps:
 - name: Query Unit Tests - ${{ matrix.language }} - Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Query Unit Tests - ${{ matrix.language }} - Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 cache: 'npm'
 node-version-file: '.node-version'
diff --git a/.github/workflows/release-codeql.yml b/.github/workflows/release-codeql.yml
index e88d949b..82aafca6 100644
--- a/.github/workflows/release-codeql.yml
+++ b/.github/workflows/release-codeql.yml
@@ -57,7 +57,7 @@ jobs:
 echo "release_name=${VERSION#v}" >> $GITHUB_OUTPUT
 - name: CodeQL - Checkout tag
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: refs/tags/${{ steps.version.outputs.version }}
@@ -127,7 +127,7 @@ jobs:
 ls -lh dist-packs/
 - name: CodeQL - Upload CodeQL pack artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
 with:
 name: codeql-tool-query-packs-${{ steps.version.outputs.version }}
 path: dist-packs/*.tar.gz
diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml
index a66537e6..efafbb88 100644
--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release-npm.yml
@@ -54,12 +54,12 @@ jobs:
 echo "release_name=${VERSION#v}" >> $GITHUB_OUTPUT
 - name: npm - Checkout tag
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: refs/tags/${{ steps.version.outputs.version }}
 - name: npm - Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 cache: 'npm'
 node-version-file: '.node-version'
@@ -99,7 +99,7 @@ jobs:
 echo "✅ Published npm package to npmjs.org (with provenance)"
 - name: npm - Upload release build artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
 with:
 name: release-build-${{ steps.version.outputs.version }}
 path: |
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index 56c64e61..e0820a0b 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -42,7 +42,7 @@ jobs:
 steps:
 - name: Tag - Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 fetch-tags: true
@@ -98,7 +98,7 @@ jobs:
 - name: Tag - Setup Node.js
 if: steps.check-tag.outputs.tag_exists != 'true'
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 cache: 'npm'
 node-version-file: '.node-version'
diff --git a/.github/workflows/release-vsix.yml b/.github/workflows/release-vsix.yml
index 5bbc2c74..2d7b5f65 100644
--- a/.github/workflows/release-vsix.yml
+++ b/.github/workflows/release-vsix.yml
@@ -55,12 +55,12 @@ jobs:
 echo "release_name=${VERSION#v}" >> $GITHUB_OUTPUT
 - name: VSIX - Checkout tag
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 ref: refs/tags/${{ steps.version.outputs.version }}
 - name: VSIX - Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 cache: 'npm'
 node-version-file: '.node-version'
@@ -112,7 +112,7 @@ jobs:
 done
 - name: VSIX - Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
 with:
 name: codeql-development-mcp-server-vsix-${{ steps.version.outputs.version }}
 path: extensions/vscode/${{ steps.package.outputs.vsix_name }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ec187c23..9004239b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -181,18 +181,18 @@ jobs:
 steps:
 - name: Release - Download release build artifact
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: release-build-${{ needs.resolve-version.outputs.version }}
 - name: Release - Download CodeQL pack artifacts
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: codeql-tool-query-packs-${{ needs.resolve-version.outputs.version }}
 path: dist-packs
 - name: Release - Download VSIX artifact
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: codeql-development-mcp-server-vsix-${{ needs.resolve-version.outputs.version }}
 path: dist-vsix
@@ -232,7 +232,7 @@ jobs:
 tar -czvf codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }}.tar.gz -C dist-package .
 - name: Release - Upload artifact
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
 with:
 name: codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }}
 path: codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }}.tar.gz
diff --git a/.github/workflows/update-codeql.yml b/.github/workflows/update-codeql.yml
index 3fe53e0e..ced6fc48 100644
--- a/.github/workflows/update-codeql.yml
+++ b/.github/workflows/update-codeql.yml
@@ -34,7 +34,7 @@ jobs:
 steps:
 - name: Detect - Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Detect - Check latest CodeQL CLI version
 id: check-version
@@ -119,7 +119,7 @@ jobs:
 steps:
 - name: Update - Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Update - Update .codeql-version
 run: |
@@ -133,7 +133,7 @@ jobs:
 install-language-runtimes: false
 - name: Update - Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 cache: 'npm'
 node-version-file: '.node-version'
@@ -160,7 +160,7 @@ jobs:
 run: xvfb-run -a npm run build-and-test
 - name: Update - Create Pull Request
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
 with:
 title: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}'
 body: |
From 7d83ebec3f2e3a362eac2d5c4f81eecce7813cfe Mon Sep 17 00:00:00 2001
From: Nathan Randall <70299490+data-douser@users.noreply.github.com>
Date: Thu, 26 Mar 2026 19:59:56 -0600
Subject: [PATCH 2/3] Apply suggestions from code review
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com>
---
 .github/instructions/github_workflows_yaml.instructions.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/instructions/github_workflows_yaml.instructions.md b/.github/instructions/github_workflows_yaml.instructions.md
index 595d85c4..034fa521 100644
--- a/.github/instructions/github_workflows_yaml.instructions.md
+++ b/.github/instructions/github_workflows_yaml.instructions.md
@@ -1,5 +1,5 @@
 ---
-applyTo: '.github/{actions,workflows}/*.{yml,yaml}'
+applyTo: '.github/{actions,workflows}/**/*.{yml,yaml}'
 description: 'Instructions for editing GitHub Actions workflows for this repository.'
 ---
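Review bot: The `@@ -160` hunk's `# v8.1.0` comment on `peter-evans/create-pull-request` is the only pin in this series whose comment names an exact release; every other new comment (`# v5`, `# v6`, `# v7`, `# v8`) names a floating major tag that upstream moves on each release, so those comments will stop describing the pinned SHA the moment a new minor ships while this one will not. Pick one convention and apply it everywhere, and this hunk is the better one: an exact release tag can be checked against the SHA later with a single `git ls-remote`, whereas a major tag cannot. The instructions file's example (`# v6`) should then be updated to match, otherwise an assistant following it will keep reintroducing the weaker form. The `with:` block of this step continues past the end of the hunk.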
@@ -12,7 +12,7 @@ This file contains instructions for working with GitHub Actions YAML files in th
 ## REQUIREMENTS
 - **ALWAYS run `npm run build-and-test` from the repo root directory and ensure it passes completely before committing any changes. This is MANDATORY and must be verified before every commit.**
-- **ALWAYS pin ALL external GitHub Actions to full-length commit SHAs, never to tags or branch names — including GitHub-maintained `actions/*` actions.** Add a trailing comment with the original tag for readability (e.g., `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`). To resolve a tag to its commit SHA, run `git ls-remote https://github.com/OWNER/REPO.git refs/tags/TAG` (or `refs/heads/BRANCH` for branch-based refs).
+- **ALWAYS pin ALL external GitHub Actions to full-length commit SHAs, never to tags or branch names — including GitHub-maintained `actions/*` actions.** Add a trailing comment with the original tag for readability (e.g., `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`). To resolve a tag to its underlying commit SHA (handling annotated tags correctly), run `git ls-remote https://github.com/OWNER/REPO.git refs/tags/TAG^{}`; for branch-based refs, use `refs/heads/BRANCH`.
 - ALWAYS use the principle of least privilege, and explicitly set `permissions` for workflows.
 - ALWAYS use valid YAML syntax and follow GitHub Actions workflow conventions.
 - ALWAYS follow best practices for GitHub Actions workflows including security, efficiency, and maintainability.
From c337f2c445b4911147908dd9480ffa68e34fe8e5 Mon Sep 17 00:00:00 2001
From: Nathan Randall <70299490+data-douser@users.noreply.github.com>
Date: Thu, 26 Mar 2026 20:30:59 -0600
Subject: [PATCH 3/3] Update github_workflows_yaml.instructions.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
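Review bot: The rewritten sentence on the `+` line tells the reader to query `refs/tags/TAG^{}`, but a peeled `^{}` entry is only printed for annotated tags; for a lightweight tag (common for the moving `vN` tags of many actions) `git ls-remote` prints nothing for that pattern, so someone following the instruction literally gets an empty result and may fall back to a SHA from the wrong place. Suggested wording: "run `git ls-remote https://github.com/OWNER/REPO.git 'refs/tags/TAG*'`; if a `TAG^{}` line is printed (annotated tag) use that SHA, otherwise use the SHA on the plain `refs/tags/TAG` line (lightweight tag)". Single-quoting the pattern also keeps `^`, `{}` and `*` away from the shell. The bullet should additionally say to check that the SHA appears in the upstream repository's history for that tag before pasting it, since a 40-character SHA by itself proves nothing about where it came from.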
Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com>
---
 .github/instructions/github_workflows_yaml.instructions.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/instructions/github_workflows_yaml.instructions.md b/.github/instructions/github_workflows_yaml.instructions.md
index 034fa521..43f8c725 100644
--- a/.github/instructions/github_workflows_yaml.instructions.md
+++ b/.github/instructions/github_workflows_yaml.instructions.md
@@ -3,7 +3,7 @@ applyTo: '.github/{actions,workflows}/**/*.{yml,yaml}'
 description: 'Instructions for editing GitHub Actions workflows for this repository.'
 ---
-# Copilot Instructions for `.github/{actions,workflows}/*.{yml,yaml}` files
+# Copilot Instructions for `.github/{actions,workflows}/**/*.{yml,yaml}` files
 ## PURPOSE