Original workflow
```yaml
name: CodeQL Advanced
on:
  push:
    branches: [ main, v3, v2, v1 ]
  pull_request:
    branches: [ main, v3, v2, v1 ]
  schedule:
    - cron: '17 13 * * 3'
jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') ||
      'ubuntu-latest' }}
    permissions:
      # required for all workflows
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: actions
            build-mode: none
          - language: go
            build-mode: autobuild
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: /language:${{matrix.language}}
```
If I run `gh actlock -u` on `esacteksab/go-yaml/.github/workflows/codeql.yaml`, it returns the following.
diff --git i/.github/workflows/codeql.yaml w/.github/workflows/codeql.yaml
index 2bf126e..2058b62 100644
--- i/.github/workflows/codeql.yaml
+++ w/.github/workflows/codeql.yaml
@@ -11,8 +11,7 @@ on:
jobs:
analyze:
name: Analyze (${{ matrix.language }})
- runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') ||
- 'ubuntu-latest' }}
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
permissions:
# required for all workflows
security-events: write
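Review bot: the only change in this hunk is joining the two-line `runs-on:` expression into a single line, which has nothing to do with pinning; a pin or update pass should leave lines it does not need to touch alone, otherwise the real changes are buried under whitespace churn and reviewers cannot tell at a glance which `uses:` lines moved. Either preserve the original line structure when writing the file back, or document that the tool reserializes the whole YAML.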
@@ -27,16 +26,16 @@ jobs:
build-mode: autobuild
steps:
- name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@16df4fbc19aea13d921737861d6c622bf3cefe23 #codeql-bundle-v2.23.0
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@16df4fbc19aea13d921737861d6c622bf3cefe23 #codeql-bundle-v2.23.0
with:
category: /language:${{matrix.language}}
It is using the `codeql-bundle-v2.23.0` ref, which maps to https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.23.0
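Review bot: the comment written after the SHA on the init and analyze lines (`#codeql-bundle-v2.23.0`) names a tag from a different tag family than the `v3` ref it replaces, and the text above notes that tag is set to latest, so the comment does not identify a fixed release a reviewer can check the 16df4fb commit against. Suggest that the update path resolve within the same family as the original ref (`v3` to a `v3.x.y` release tag) and record that tag in the comment; `#v5.0.0` on the checkout line is the shape to aim for. Pinning init and analyze to the same commit is consistent and fine.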
The above tag is actually set to `latest`, which is likely why this happened, but I'm not sure this is the desired behavior. But that's what the code does, says the API docs.
But if I just pin with `gh actlock`, I get
diff --git i/.github/workflows/codeql.yaml w/.github/workflows/codeql.yaml
index 2bf126e..1e40805 100644
--- i/.github/workflows/codeql.yaml
+++ w/.github/workflows/codeql.yaml
@@ -27,16 +27,16 @@ jobs:
build-mode: autobuild
steps:
- name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 #v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 #v3
with:
category: /language:${{matrix.language}}
Which is v3.30.3 but also the v3 tag. I'm not sure the above is the desired behavior either, as I would have expected `#v3.30.3` instead of `#v3`.
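Review bot: the `#v3` and `#v5` comments after the SHAs only repeat the major tag the workflow already had, so the exact release (v3.30.3 for 192325c per the text above) cannot be recovered from the file without resolving the commit. Suggest writing the full release tag that the SHA corresponds to (`#v3.30.3`) so reviewers and dependency-update tooling can read the version directly from the line.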
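The two diffs above come down to one question: once a `uses:` line is pinned to a commit, does the trailing comment still tell a reader which release that commit is? The following is an added example, not part of this issue and not code from gh actlock: a small audit that walks a workflow's `uses:` lines and reports refs that are still mutable tags, SHA pins with no comment, and SHA pins whose comment is only a floating major (`#v3`) rather than a full release tag. The regexes, the `Finding` type and the sample workflow fragment are constructed for this example; the fragment reuses the refs that appear in the diffs above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample fragment (not the issue's file verbatim): it mixes the
# `uses:` shapes seen in the diffs above plus a local action with nothing to pin.
SAMPLE_WORKFLOW = """\
steps:
  - name: Checkout repository
    uses: actions/checkout@v5
  - name: Initialize CodeQL
    uses: github/codeql-action/init@16df4fbc19aea13d921737861d6c622bf3cefe23 #codeql-bundle-v2.23.0
  - name: Perform CodeQL Analysis
    uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 #v3
  - name: Checkout pinned with a full release tag in the comment
    uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
  - name: Local action (no @ref, skipped by the audit)
    uses: ./.github/actions/local
"""

# `uses: owner/repo[/path]@ref  # comment`; local (./) and docker:// refs have no @ and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FULL_VERSION_RE = re.compile(r"v?\d+\.\d+\.\d+")  # an x.y.z release somewhere in the tag


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    comment: Optional[str]
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def is_full_version(comment: Optional[str]) -> bool:
    """True when the comment names a release (x.y.z), not a floating major such as 'v3'."""
    return bool(comment) and FULL_VERSION_RE.search(comment) is not None


def audit_workflow(text: str) -> List[Finding]:
    """Check every `uses:` line: pinned to a 40-hex SHA, with a comment naming a full release."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        problems: List[str] = []
        if not SHA_RE.match(ref):
            problems.append(f"ref '{ref}' is a mutable tag or branch, not a 40-hex commit SHA")
        elif comment is None:
            problems.append("SHA pin has no version comment, so the release is unrecoverable")
        elif not is_full_version(comment):
            problems.append(f"comment '{comment}' is a floating major, not a full release tag")
        findings.append(Finding(lineno, action, ref, comment, problems))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        status = "OK  " if f.ok else "WARN"
        print(f"{status} line {f.line}: {f.action}@{f.ref[:12]} {f.comment or ''}")
        for p in f.problems:
            print(f"       - {p}")
```

Run against the sample, the `@v5` line is flagged as unpinned and the `#v3` line as imprecise, while `#v5.0.0` passes. The `#codeql-bundle-v2.23.0` line also passes this check because it carries an x.y.z version; whether that tag belongs to the release line the workflow meant to track (the point raised in the issue) is something this audit cannot decide from the file alone, which is exactly why the comment should name the release the author chose.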