ci: replace unmaintained rsdmike/github-security-report-action [TECHOPS-553] #289
…PS-553] rsdmike/github-security-report-action is published by a personal account (so it can never be a Marketplace verified creator) and is unmaintained, so it will be blocked once the enterprise action allowlist + required-SHA policy is enabled. Rather than allowlist it, replace it with an inline jq-based step that writes a CodeQL findings summary to the job summary and uploads the raw SARIF as an artifact. CodeQL results still upload to the Security tab via github/codeql-action/analyze. Part of TECHOPS-81. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude finished @sayaliM0412's task in 34s. Code Review: LGTM - no significant issues found. The replacement is clean:
Pin checkout, setup-java, github/codeql-action (init/analyze/autobuild) and upload-artifact to full commit SHAs (latest patch within existing major). Added onto the TECHOPS-553 branch so codeql.yml is fully SHA-pinned in one PR with no conflicting double-edit of the file. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude finished @sayaliM0412's task in 47s. Code Review: LGTM - no significant issues found. The replacement is clean:
The workflow maintains backward compatibility with existing CodeQL scanning while removing the unmaintained third-party dependency. The per-language finding summaries in the job summary provide better GitHub integration than the previous PDF reports.

Claude finished @sayaliM0412's task in 46s. Code Review: LGTM - no significant issues found. The replacement is clean:
The workflow maintains backward compatibility with existing CodeQL scanning while removing the unmaintained third-party dependency. The per-language finding summaries in the job summary provide better GitHub integration than the previous PDF reports.
What

Replaces rsdmike/github-security-report-action@v3.0.4 in the CodeQL workflow with an inline, self-maintained step.

Why

Part of TECHOPS-553 (under TECHOPS-81). The enterprise is enabling an Actions allowlist plus "Require actions to be pinned to a full-length commit SHA".
rsdmike/github-security-report-action is published by a personal account, so it can never qualify as a Marketplace verified creator, and the project is unmaintained. It would be blocked by the policy, so we replace it rather than allowlist it.

Change

- Perform CodeQL Analysis: added output: sarif-results so the SARIF is written locally (still uploaded to the Security tab; upload defaults to always).
- Replaced the Generate Security Report (PDF) step with Summarize CodeQL results: an inline jq step that writes a per-language findings summary to the GitHub job summary.
- Renamed Upload Security Report to Upload CodeQL SARIF: uploads the raw SARIF directory instead of summary.pdf.
- Kept if: always() + continue-on-error: true, matching the prior best-effort behaviour.
- No third-party report action remains in this workflow.

Test

actionlint passes (only the pre-existing actions/checkout@v3 / setup-java@v3 "too old" warnings remain; those are tracked separately under TECHOPS-555).

🤖 Generated with Claude Code
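The PR replaces the third-party report action with an inline jq step that turns the locally written SARIF into a per-language findings summary. The example below is an added Python rendition of that same summarization logic, not the PR's own jq step or code from the workflow: it parses SARIF 2.1.0 documents, counts results per rule and level, and renders a Markdown table that can be appended to GITHUB_STEP_SUMMARY. The sample SARIF is constructed for the example, and the one-file-per-language layout (sarif-results/<language>.sarif) and the summarize/render_markdown/write_job_summary names are assumptions of this example.

```python
"""Summarize CodeQL SARIF output into a Markdown job summary.

Added example (not the PR's own inline jq step): a Python rendition of the
same idea. It reads SARIF 2.1.0 documents, counts findings by rule and
level, and renders a Markdown table suitable for GITHUB_STEP_SUMMARY.
The sample SARIF below is constructed for the example; the directory layout
(<dir>/<language>.sarif) and the function names are assumptions.
"""
import json
import os
from collections import Counter

# Constructed sample: two languages, one with findings and one clean.
SAMPLE_SARIF = {
    "java": {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "CodeQL", "rules": [
                {"id": "java/sql-injection", "properties": {"security-severity": "8.8"}},
                {"id": "java/log-injection", "properties": {"security-severity": "6.1"}},
            ]}},
            "results": [
                {"ruleId": "java/sql-injection", "level": "error",
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Db.java"},
                                                      "region": {"startLine": 42}}}]},
                {"ruleId": "java/sql-injection", "level": "error",
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Db.java"},
                                                      "region": {"startLine": 77}}}]},
                {"ruleId": "java/log-injection", "level": "warning",
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Log.java"},
                                                      "region": {"startLine": 10}}}]},
            ],
        }],
    },
    "javascript": {"version": "2.1.0",
                   "runs": [{"tool": {"driver": {"name": "CodeQL", "rules": []}}, "results": []}]},
}


def load_sarif_dir(path):
    """Return {language: sarif_dict} for every *.sarif file in ``path``.

    The per-language file name convention is an assumption of this example.
    """
    out = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".sarif"):
            with open(os.path.join(path, name), encoding="utf-8") as fh:
                out[name[:-len(".sarif")]] = json.load(fh)
    return out


def summarize(sarif):
    """Count results per (ruleId, level) across all runs of one SARIF document.

    Results lacking a ``level`` are counted as ``warning`` (the SARIF default),
    so a tool omitting the field does not silently drop findings.
    """
    counts = Counter()
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            counts[(res.get("ruleId", "<no rule>"), res.get("level", "warning"))] += 1
    return counts


def render_markdown(per_language):
    """Render {language: sarif_dict} as a Markdown job summary."""
    lines = ["## CodeQL findings", ""]
    for lang, sarif in per_language.items():
        counts = summarize(sarif)
        total = sum(counts.values())
        lines.append(f"### {lang}: {total} finding(s)")
        if not total:
            lines.append("")
            continue
        lines += ["", "| Rule | Level | Count |", "|---|---|---|"]
        # Highest-count rules first so the table leads with the noisiest rule.
        for (rule, level), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
            lines.append(f"| `{rule}` | {level} | {n} |")
        lines.append("")
    return "\n".join(lines)


def write_job_summary(per_language, summary_path=None):
    """Append the summary to $GITHUB_STEP_SUMMARY (or a given path); return the text."""
    text = render_markdown(per_language)
    path = summary_path or os.environ.get("GITHUB_STEP_SUMMARY")
    if path:
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(text + "\n")
    return text


if __name__ == "__main__":
    # Stand-alone run over the constructed sample (no files needed).
    print(write_job_summary(SAMPLE_SARIF))
```

In a workflow step the equivalent call would be write_job_summary(load_sarif_dir("sarif-results")); the function only writes when GITHUB_STEP_SUMMARY (or an explicit path) is set, so it is safe to run locally, and an empty results array still produces a "0 finding(s)" heading rather than a missing section, which keeps a clean language visible in the summary.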