Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

actionlint: bump upload-sarif to v3.28.5 #247

Merged
merged 1 commit into from
Jan 26, 2025
Merged

actionlint: bump upload-sarif to v3.28.5 #247

merged 1 commit into from
Jan 26, 2025

Conversation

woodruffw
Copy link
Member

This addresses GHSA-vqf5-2xx6-9wfm.

That vulnerability has no direct impact on us since we're not doing Java/Kotlin scanning, but there's also no reason to keep it on our radar.

Detected with zizmor:

error[known-vulnerable-actions]: action has a known vulnerability
  --> .github/workflows/actionlint.yml:82:9
   |
82 |         uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ GHSA-vqf5-2xx6-9wfm
   |
   = note: audit confidence → High

@woodruffw woodruffw requested a review from p-linnane January 26, 2025 18:39
@woodruffw woodruffw self-assigned this Jan 26, 2025
@woodruffw
Copy link
Member Author

For cross-check: version and digest were pulled from here: https://github.com/github/codeql-action/releases/tag/v3.28.5

@p-linnane p-linnane merged commit 335a645 into master Jan 26, 2025
32 checks passed
@p-linnane p-linnane deleted the ww/bump-upload-sarif branch January 26, 2025 18:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@p-linnane p-linnane p-linnane approved these changes

Assignees

@woodruffw woodruffw

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@woodruffw @p-linnane