Conversation

@nirinchev
Collaborator

@nirinchev nirinchev commented Jan 22, 2025

Cleans up the CodeQL workflow and updates actions to latest

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@nirinchev nirinchev requested review from addaleax and gagik January 22, 2025 18:32
@addaleax
Collaborator

FYI, the create_static_analysis_report failure is real, pointing at https://github.com/mongodb-js/mongosh/security/code-scanning/58 – I'm guessing we're fine with dismissing that, feel free to do that, but I'm just making sure we're not merging with a red CI.

@nirinchev
Collaborator Author

Yes, those are legitimate antipatterns. I would lean slightly toward dismissing the alerts as I feel an attacker who's been able to compromise the devtools-shared repo and push a malicious version of the setup-bot-token action would already be in a position to do whatever they want with our other repos, so pinning the action to a commit sha would be slightly more annoying for no obvious benefit.
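The class of finding discussed above (an action referenced by a movable tag or branch rather than a full commit sha) can be spotted with a small check like the one below. This is an added illustration, not code from the mongosh repository or the CodeQL query; the sample workflow and the `example-org/setup-bot-token@main` reference are constructed placeholders.

```python
import re

# Matches a `uses:` step reference in a GitHub Actions workflow, e.g.
#   uses: actions/checkout@v4
#   uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Classify what the part after '@' in an action reference pins to."""
    if ref.startswith(("./", "docker://")):
        return "local-or-docker"  # local path or container image, no git ref
    if "@" not in ref:
        return "unpinned"  # no ref at all: resolves to the default branch
    _, version = ref.rsplit("@", 1)
    if SHA_RE.match(version):
        return "sha"  # immutable: a specific commit
    if re.match(r"^v?\d+(\.\d+){0,2}$", version):
        return "tag"  # semver-style tag, can be moved by the action maintainer
    return "branch"  # e.g. @main, moves with every push


def find_unpinned_actions(workflow_text: str) -> list:
    """Return (line_no, ref, kind) for every `uses:` not pinned to a commit sha."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_ref(ref)
        if kind not in ("sha", "local-or-docker"):
            findings.append((n, ref, kind))
    return findings


# Constructed sample workflow; the org/action names are placeholders.
SAMPLE_WORKFLOW = """\
name: codeql
on: [push]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: example-org/setup-bot-token@main   # placeholder, mutable branch ref
      - uses: github/codeql-action/analyze@v3
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line_no, ref, kind in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is pinned to a {kind}, not a commit sha")
```

The check intentionally reports tags as well as branches: a tag is still movable by whoever controls the action's repository, which is exactly the trade-off weighed in the comment above.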

@nirinchev
Collaborator Author

@addaleax fixed/dismissed the issues flagged by CodeQL, so this should be mergeable.

@nirinchev nirinchev merged commit 5ec7b68 into main Jan 27, 2025
18 of 19 checks passed
@nirinchev nirinchev deleted the ni/codeql branch January 27, 2025 13:41