adoptium / aqa-test-tools

Home of Test Results Summary Service (TRSS) and PerfNext. These tools are designed to improve our ability to monitor and triage tests at the Adoptium project. The code is generic enough that it is extensible for use by any project that needs to monitor multiple CI servers and aggregate their results.
Apache License 2.0

Update codeql github workflow to use latest version and enable dependabot #882

Closed smlambert closed 3 months ago

smlambert commented 3 months ago

We are using a deprecated version of the codeql-action (v1), so we should update to the latest version https://github.com/github/codeql-action/releases/tag/v3.25.8, and since we are now preferring to pin to the SHA corresponding to the version (as a secure development best practice), we should update codeql-analysis.yml#L42:

```yaml
uses: github/codeql-action/init@v1
```

with:

```yaml
uses: github/codeql-action/init@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
```

We can also enable dependabot by adding a dependabot.yml file. Look at this PR as an example of this: https://github.com/adoptium/ci-jenkins-pipelines/pull/481

Once dependabot.yml is added, a bot will watch for opportunities to update versions in yml files and create PRs so we will not have to manually do it.
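The pinning practice described in this issue can be checked mechanically before dependabot takes over. The following is an added example, not code from the aqa-test-tools repository: it scans the `uses:` lines of a workflow file and reports any action reference that is not a full 40-hex commit SHA. The sample workflow embedded below is constructed for illustration; only the codeql-action SHA and version come from the issue text.

```python
import re

# A `uses:` step reference: owner/repo[/path][@ref], with an optional trailing "# comment".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#@]+)(?:@([^\s#]+))?(?:\s*#\s*(.*))?\s*$')
# A full-length commit SHA is the only immutable reference form.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample workflow (not the project's real codeql-analysis.yml).
SAMPLE_WORKFLOW = """\
name: CodeQL
on: [push]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
      - name: Initialize CodeQL (pinned)
        uses: github/codeql-action/init@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
      - uses: ./.github/actions/local-step
"""

def check_uses_pins(workflow_text):
    """Return (line_no, action, ref, pinned_ok, reason) for every remote `uses:` line.

    Local actions (./path) and docker:// images are skipped: they are not tag-pinned
    the same way. Tags and branches are mutable and therefore reported as not pinned.
    """
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.groups()
        if action.startswith('./') or action.startswith('docker://'):
            continue
        if ref and SHA_RE.match(ref):
            # Pinned; a trailing "# vX.Y.Z" comment keeps the pin readable for reviewers.
            note = f'version comment {comment.strip()}' if comment else 'no version comment'
            findings.append((n, action, ref, True, f'pinned to commit SHA ({note})'))
        else:
            findings.append((n, action, ref, False, f'mutable ref {ref!r}; pin to a commit SHA'))
    return findings

def unpinned(workflow_text):
    """Line numbers of remote `uses:` references not pinned to a commit SHA."""
    return [n for n, _, _, ok, _ in check_uses_pins(workflow_text) if not ok]
```

Running `unpinned(SAMPLE_WORKFLOW)` reports lines 7 and 9 (the `@v4` and `@v1` references) and accepts the SHA-pinned codeql-action step; once dependabot.yml is in place, the bot keeps both the SHA and the version comment current.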

gdams commented 3 months ago

As a side note here, it probably makes sense to also enable dependabot

Sangyoon21 commented 3 months ago

Can you assign this? I would resolve the issue for this one and wrap up the other one I was working on that is related to this issue.

smlambert commented 3 months ago

Closed via https://github.com/adoptium/aqa-test-tools/pull/883