Bump github/codeql-action from 2 to 3 (#100)

dependabot[bot] · monty-bot · web-flow · commit 470407b69e94 · 2025-01-10T08:15:06.000Z
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action's releases</a>.</em></p> <blockquote> <h2>v2.28.0</h2> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <p>Note that the only difference between <code>v2</code> and <code>v3</code> of the CodeQL Action is the node version they support, with <code>v3</code> running on node 20 while we continue to release <code>v2</code> to support running on node 16. For example <code>3.22.11</code> was the first <code>v3</code> release and is functionally identical to <code>2.22.11</code>. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.</p> <p><strong>This is the last planned release of the <code>v2</code>. To continue getting updates for the CodeQL Action, please switch to <code>v3</code>.</strong></p> <h2>2.28.0 - 20 Dec 2024</h2> <ul> <li>Bump the minimum CodeQL bundle version to 2.15.5. <a href="https://redirect.github.com/github/codeql-action/pull/2655">#2655</a></li> <li>Don't fail in the unusual case that a file is on the search path. <a href="https://redirect.github.com/github/codeql-action/pull/2660">#2660</a>.</li> </ul> <p>See the full <a href="https://github.com/github/codeql-action/blob/v2.28.0/CHANGELOG.md">CHANGELOG.md</a> for more information.</p> <h2>v2.27.9</h2> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <p>Note that the only difference between <code>v2</code> and <code>v3</code> of the CodeQL Action is the node version they support, with <code>v3</code> running on node 20 while we continue to release <code>v2</code> to support running on node 16. For example <code>3.22.11</code> was the first <code>v3</code> release and is functionally identical to <code>2.22.11</code>. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.</p> <h2>2.27.9 - 12 Dec 2024</h2> <p>No user facing changes.</p> <p>See the full <a href="https://github.com/github/codeql-action/blob/v2.27.9/CHANGELOG.md">CHANGELOG.md</a> for more information.</p> <h2>v2.27.7</h2> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <p>Note that the only difference between <code>v2</code> and <code>v3</code> of the CodeQL Action is the node version they support, with <code>v3</code> running on node 20 while we continue to release <code>v2</code> to support running on node 16. For example <code>3.22.11</code> was the first <code>v3</code> release and is functionally identical to <code>2.22.11</code>. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.</p> <h2>2.27.7 - 10 Dec 2024</h2> <ul> <li>We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. <a href="https://redirect.github.com/github/codeql-action/pull/2631">#2631</a></li> <li>Update default CodeQL bundle version to 2.20.0. <a href="https://redirect.github.com/github/codeql-action/pull/2636">#2636</a></li> </ul> <p>See the full <a href="https://github.com/github/codeql-action/blob/v2.27.7/CHANGELOG.md">CHANGELOG.md</a> for more information.</p> <h2>v2.27.6</h2> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <p>Note that the only difference between <code>v2</code> and <code>v3</code> of the CodeQL Action is the node version they support, with <code>v3</code> running on node 20 while we continue to release <code>v2</code> to support running on node 16. For example <code>3.22.11</code> was the first <code>v3</code> release and is functionally identical to <code>2.22.11</code>. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.</p>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/48fe0d8fb168b9da4713543aa069aed7084890d3"><code>48fe0d8</code></a> Update changelog and version after v3.27.9</li> <li><a href="https://github.com/github/codeql-action/commit/df409f7d9260372bd5f19e5b04e83cb3c43714ae"><code>df409f7</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/2649">#2649</a> from github/update-v3.27.9-7972a42f3</li> <li><a href="https://github.com/github/codeql-action/commit/feca44ddf6862ba0707723d320d5c42780fe6499"><code>feca44d</code></a> Update changelog for v3.27.9</li> <li><a href="https://github.com/github/codeql-action/commit/7972a42f3de41c0960aeae9d0efc1705c9d5da62"><code>7972a42</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/2648">#2648</a> from github/aeisenberg/add-environment</li> <li><a href="https://github.com/github/codeql-action/commit/44bf16d3a1ed508cdc836322a8e39526f7c301b8"><code>44bf16d</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/2646">#2646</a> from github/mergeback/v3.27.8-to-main-8a93837a</li> <li><a href="https://github.com/github/codeql-action/commit/f124ad0e7ef6ecb9840fcd1b908d1630211d37c3"><code>f124ad0</code></a> Adds an environment for creating releases</li> <li><a href="https://github.com/github/codeql-action/commit/92753708cf0395732c3e3ea1666edb55192158c5"><code>9275370</code></a> Update checked-in dependencies</li> <li><a href="https://github.com/github/codeql-action/commit/a059a7a0ee19212a3820398327f1ba34fd73676f"><code>a059a7a</code></a> Update changelog and version after v3.27.8</li> <li><a href="https://github.com/github/codeql-action/commit/8a93837afdf1873301a68d777844b43e98cd4313"><code>8a93837</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/2645">#2645</a> from github/update-v3.27.8-9cfbef4bd</li> <li>See full diff in <a href="https://github.com/github/codeql-action/compare/v2...v3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=2&new-version=3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Monty Bot <monty-bot@arm.com>
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -42,7 +42,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -41,7 +41,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -55,7 +55,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -68,6 +68,6 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
+        uses: github/codeql-action/upload-sarif@673cceb2b4886e2dfff697ab64a1ecd1c0a14a05 # v2.28.0
         with:
           sarif_file: results.sarif
diff --git a/news/20250110072020.bugfix b/news/20250110072020.bugfix
@@ -0,0 +1 @@
+Dependency upgrade: codeql-action-3
