chore(ci): bump github/codeql-action from 3 to 4 #62

coderabbitai · 2026-05-25T08:45:01Z

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Action reference violates hash-pinning policy.

The static analysis tool flags this line because a blanket policy requires actions to be pinned to commit SHAs, not mutable tags. Using @v4 (a mutable tag) reduces supply-chain security guarantees—if the upstream repository is compromised, the tag can be moved to point to malicious code.

This contradicts the comment on line 35 which states the action is pinned "for supply-chain security and reproducible runs."

🔒 Recommended fix: Pin to commit SHA

- uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@<commit-sha> # v4

To find the commit SHA for the v4 release:

#!/bin/bash # Find the commit SHA for github/codeql-action v4 release tag gh api repos/github/codeql-action/git/ref/tags/v4 --jq '.object.sha'

Note: This issue also affects the other actions in this workflow (lines 22, 26).

As per static analysis hints: "action is not pinned to a hash (required by blanket policy)".

🧰 Tools

🪛 zizmor (1.25.2)

[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/security.yml at line 36, The workflow currently pins actions with mutable tags (e.g., github/codeql-action/upload-sarif@v4) which violates the hash-pinning policy; update each uses: entry (including github/codeql-action/upload-sarif@v4 and the other codeql/action and actions entries referenced in the comment) to use the corresponding commit SHA instead of the tag. Find the exact commit SHA for the v4 tag (or the appropriate release tag you intended) and replace the mutable tag with the full SHA (e.g., github/codeql-action/upload-sarif@<commit-sha>), ensuring all uses lines in the workflow are consistently pinned to their commit SHAs.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

github codeql-action v4 breaking changes upload-sarif

💡 Result:

No single, universally applicable “CodeQL Action v4 breaking change” exists specifically named for “upload-sarif”; instead, there are several v4-relevant changes/edge-cases that commonly make an upload-sarif step appear “broken” after upgrading. 1) v4 major version requires the Node.js 24 Actions runtime (and some GHES versions can’t run it) - GitHub states that CodeQL Action v4 (released Oct 7, 2025) runs on the Node.js 24 runtime [1]. - GitHub also states GHES 3.18 and older cannot run actions using the Node.js 24 runtime, so they are unable to run CodeQL Action v4 [1]. Impact: if you’re on an older GHES or a platform without Node.js 24 runtime support, github/codeql-action/upload-sarif@v4 won’t work. 2) Permissions: upload-sarif can fail with “Resource not accessible by integration” unless actions: read is granted - A CodeQL Action issue documents upload-sarif failing (before any real upload happens) and identifies the missing permission as actions: read [2]. - The issue author reports that adding permissions: actions: read at the job level made upload-sarif work [2]. Impact: workflows (especially reusable/composite workflows) that don’t explicitly grant permissions: actions: read may break. Suggested fix (YAML): permissions: actions: read 3) SARIF post-processing behavior changed for uploads initiated by analyze or upload-sarif (primarily impacts analyze) - The CodeQL Action changelog says that when SARIF files are uploaded by analyze or upload-sarif, the action automatically performs post-processing steps to prepare the data for upload. - It further says those post-processing steps previously ran only “before an upload took place”, but are now always performed even when SARIF files are not uploaded; it also says “This does not change anything for the upload-sarif action,” and notes possible impact on analyze users depending on the upload input [3]. Impact: if your workflow relies on specific timing/side-effects of post-processing for analyze, the behavior can change; upload-sarif itself is stated as unchanged for this particular item [3]. 4) Specific upload-sarif bug fix: non-.sarif files not being uploaded (fixed in the v3.30.4 line) - The changelog notes they fixed “a bug … with upload-sarif … [that] resulted in files without a .sarif extension not getting uploaded” [3]. Impact: if your pipeline uploads files whose names/extensions aren’t standard .sarif, you may see behavior differences depending on which CodeQL Action release your @v4 tag resolves to. 5) GHES 3.18 limitation: combining SARIF files from a single upload is removed - The changelog notes: “Remove support for combining SARIF files from a single upload for GHES 3.18” [3]. Impact: if your GHES 3.18-based setup tried to upload multiple SARIFs in a way that relied on that combining behavior, you may see changes. If you paste your workflow step (the exact uses: github/codeql-action/upload-sarif@v4... line), plus the error message you’re seeing, I can pinpoint which of the above is the match and tell you the minimal change needed.

Citations:

1: https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/

2: codeql/upload-sarif@v3 action failed: Resource not accessible by integration - missing actions: read github/codeql-action#2117

3: https://github.com/github/codeql-action/blob/main/CHANGELOG.md

🏁 Script executed:

#!/bin/bash set -euo pipefail FILE=".github/workflows/security.yml" echo "== File: $FILE ==" wc -l "$FILE" echo echo "== Lines 1-120 (to capture job/permissions context and the flagged step) ==" nl -ba "$FILE" | sed -n '1,120p' echo echo "== Find any permissions blocks ==" rg -n "^\s*permissions\s*:" "$FILE" || true rg -n "actions:\s*read" "$FILE" || true echo echo "== List all uses: lines in this workflow ==" rg -n "^\s*uses:\s*" "$FILE"

Repository: AIX-Format/PiWorker-OS

Length of output: 282

🏁 Script executed:

#!/bin/bash set -euo pipefail FILE=".github/workflows/security.yml" echo "== File: $FILE ==" wc -l "$FILE" echo echo "== Lines 1-200 (include job/permissions context + flagged step) ==" cat -n "$FILE" | sed -n '1,200p' echo echo "== permissions blocks ==" rg -n "^\s*permissions\s*:" "$FILE" || true echo echo "== actions: read occurrences ==" rg -n "actions:\s*read" "$FILE" || true echo echo "== uses: lines ==" rg -n "^\s*uses:\s*" "$FILE"

Repository: AIX-Format/PiWorker-OS

Length of output: 1847

Pin github/codeql-action/upload-sarif@v4 and address CodeQL v4 requirements

uses: github/codeql-action/upload-sarif@v4 isn’t pinned to an immutable ref (contradicts the “Pin action versions…” comments and the hash-pinning policy), so an upstream tag change could alter the action behavior.

CodeQL v4 can break upload-sarif depending on the runner/platform and permissions: v4 requires the Node.js 24 runtime (GHES < 3.18 may fail), and upload-sarif can error unless permissions: actions: read is granted. This workflow currently only sets contents: read and security-events: write.

Update the workflow to (1) add permissions: actions: read and (2) pin the CodeQL upload-sarif action to a specific commit SHA (and pin other actions too if your policy is blanket).

🧰 Tools

🪛 zizmor (1.25.2)

[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/security.yml at line 36, The workflow step using uses: github/codeql-action/upload-sarif@v4 is not pinned and the job lacks required action permissions for CodeQL v4; update the job to pin the upload-sarif action to a specific commit SHA (replace github/codeql-action/upload-sarif@v4 with github/codeql-action/upload-sarif@<commit-sha>) and add permissions: actions: read in addition to the existing permissions (contents: read and security-events: write) so upload-sarif runs reliably across runners and GHES versions; also consider pinning other actions referenced in the workflow for consistency with the repo’s hash-pinning policy.

-Original file line number
+Diff line change
@@ Expand Up / @@ -33,6 +33,6 @@ jobs: @@
           - name: Upload Trivy scan results to GitHub Security tab
             # Pin action versions to a vetted release tag for supply-chain security and reproducible runs.
-            uses: github/codeql-action/upload-sarif@v3
+            uses: github/codeql-action/upload-sarif@v4
             with:
               sarif_file: 'trivy-results.sarif'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(ci): bump github/codeql-action from 3 to 4 #62

Uh oh!

Diff view

Diff view

There are no files selected for viewing

coderabbitai Bot May 25, 2026

Uh oh!

Uh oh!

chore(ci): bump github/codeql-action from 3 to 4 #62

Are you sure you want to change the base?

Uh oh!

chore(ci): bump github/codeql-action from 3 to 4 #62

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

coderabbitai Bot May 25, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!