ci: replace unmaintained rsdmike/github-security-report-action [TECHOPS-553]#289
Open
sayaliM0412 wants to merge 1 commit into
Conversation
…PS-553] rsdmike/github-security-report-action is published by a personal account (so it can never be a Marketplace verified creator) and is unmaintained, so it will be blocked once the enterprise action allowlist + required-SHA policy is enabled. Rather than allowlist it, replace it with an inline jq-based step that writes a CodeQL findings summary to the job summary and uploads the raw SARIF as an artifact. CodeQL results still upload to the Security tab via github/codeql-action/analyze. Part of TECHOPS-81. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude finished @sayaliM0412's task in 34s. Code Review: LGTM - no significant issues found. The replacement is clean:
What

Replaces `rsdmike/github-security-report-action@v3.0.4` in the CodeQL workflow with an inline, self-maintained step.

Why

Part of TECHOPS-553 (under TECHOPS-81). The enterprise is enabling an Actions allowlist plus "Require actions to be pinned to a full-length commit SHA". `rsdmike/github-security-report-action` is published by a personal account, so it can never qualify as a Marketplace verified creator, and the project is unmaintained. It would be blocked by the policy, so we replace it rather than allowlist it.

Change

- `Perform CodeQL Analysis`: added `output: sarif-results` so the SARIF is written locally (still uploaded to the Security tab; `upload` defaults to `always`).
- `Generate Security Report` (PDF) step with `Summarize CodeQL results`: an inline `jq` step that writes a per-language findings summary to the GitHub job summary.
- `Upload Security Report` to `Upload CodeQL SARIF`: uploads the raw SARIF directory instead of `summary.pdf`.
- `if: always()` + `continue-on-error: true`, matching the prior best-effort behaviour.
- No third-party report action remains in this workflow.

Test

`actionlint` passes (only the pre-existing `actions/checkout@v3` / `setup-java@v3` "too old" warnings remain; those are tracked separately under TECHOPS-555).

🤖 Generated with Claude Code
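The three steps the description lists, written out as an added example of the pattern (this is not the PR's own workflow file, and the matrix languages, step names, artifact name and the exact `jq` summary are assumptions). `github/codeql-action/analyze` really does accept `output` and `upload` inputs, `actions/upload-artifact` accepts `name`, `path` and `if-no-files-found`, and `$GITHUB_STEP_SUMMARY` is the file the job summary is read from; the version tags shown would be replaced by full-length commit SHAs under the required-SHA policy the PR is preparing for.

```yaml
# Added example, not the project's workflow. Matrix, names and jq program are assumed.
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write        # required for analyze's upload to the Security tab
    strategy:
      fail-fast: false
      matrix:
        language: [ java, javascript ]   # assumed; use the repository's real matrix
    steps:
      - uses: actions/checkout@v4       # pin to a full-length commit SHA under the policy

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      - uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
          output: sarif-results       # also keep the SARIF locally; upload still defaults to always

      - name: Summarize CodeQL results
        if: always()
        continue-on-error: true       # best-effort: a broken summary must not fail the job
        shell: bash
        run: |
          shopt -s nullglob
          files=(sarif-results/*.sarif)
          if [ "${#files[@]}" -eq 0 ]; then
            echo "No SARIF produced for ${{ matrix.language }}" >> "$GITHUB_STEP_SUMMARY"
            exit 0
          fi
          for f in "${files[@]}"; do
            {
              echo "## CodeQL findings: $(basename "$f" .sarif)"
              echo
              echo "Total results: $(jq '[.runs[].results[]] | length' "$f")"
              echo
              echo "| Level | Count |"
              echo "|---|---|"
              # A result may omit .level (it then inherits the rule default);
              # this summary simply counts those as warning.
              jq -r '[.runs[].results[]] | group_by(.level // "warning")
                     | .[] | "| \(.[0].level // "warning") | \(length) |"' "$f"
              echo
              echo "| Rule | Count |"
              echo "|---|---|"
              jq -r '[.runs[].results[]] | group_by(.ruleId) | sort_by(length) | reverse
                     | .[] | "| \(.[0].ruleId) | \(length) |"' "$f"
              echo
            } >> "$GITHUB_STEP_SUMMARY"
          done

      - name: Upload CodeQL SARIF
        if: always()
        continue-on-error: true
        uses: actions/upload-artifact@v4
        with:
          name: codeql-sarif-${{ matrix.language }}
          path: sarif-results
          if-no-files-found: warn
```

The summary step reads only the local SARIF copy, so it cannot interfere with the Security-tab upload that `analyze` performs; a failure in `jq` or an empty result set degrades to an empty table rather than a red job, which is the same best-effort contract the replaced PDF step had.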