
ci: replace unmaintained rsdmike/github-security-report-action [TECHOPS-553]#289

Merged
sayaliM0412 merged 3 commits into ddb from TECHOPS-553-replace-security-report-action on Jun 3, 2026

Conversation

@sayaliM0412


What

Replaces rsdmike/github-security-report-action@v3.0.4 in the CodeQL workflow with an inline, self-maintained step.

Why

Part of TECHOPS-553 (under TECHOPS-81). The enterprise is enabling an Actions allowlist plus "Require actions to be pinned to a full-length commit SHA". rsdmike/github-security-report-action is published by a personal account, so it can never qualify as a Marketplace verified creator, and the project is unmaintained. It would be blocked by the policy, so we replace it rather than allowlist it.

Change

  • Perform CodeQL Analysis: added output: sarif-results so the SARIF is written locally (still uploaded to the Security tab; upload defaults to always).
  • Replaced the Generate Security Report (PDF) step with Summarize CodeQL results: an inline jq step that writes a per-language findings summary to the GitHub job summary.
  • Renamed Upload Security Report to Upload CodeQL SARIF: uploads the raw SARIF directory instead of summary.pdf.
  • Both new steps keep if: always() + continue-on-error: true, matching the prior best-effort behaviour.

No third-party report action remains in this workflow.

Test

  • actionlint passes (only the pre-existing actions/checkout@v3 / setup-java@v3 "too old" warnings remain; those are tracked separately under TECHOPS-555).
  • CodeQL analysis and Security-tab upload behaviour unchanged.

🤖 Generated with Claude Code
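The PR describes the replacement step only in outline (an inline jq filter that reads the SARIF written to sarif-results and appends a per-language findings summary to the job summary). The following is an added example, not the PR's workflow step, that implements the same logic in Python with the json module instead of jq; the sample SARIF documents are constructed here, and the `sarif-results` directory name and `GITHUB_STEP_SUMMARY` variable are the ones the PR and GitHub Actions use.

```python
import glob
import json
import os
from collections import Counter

# Constructed sample SARIF, one document per CodeQL language. In the real
# workflow these come from the sarif-results/ directory written by
# github/codeql-action/analyze with `output: sarif-results`.
SAMPLE_SARIF = {
    "java.sarif": {"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "java/sql-injection", "level": "error",
             "message": {"text": "Query built from user-controlled input"}},
            {"ruleId": "java/unused-variable", "level": "note",
             "message": {"text": "Variable is never read"}},
            # "level" omitted on purpose: exercises the default-value path
            {"ruleId": "java/path-injection", "message": {"text": "..."}},
        ]}]},
    "javascript.sarif": {"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "CodeQL"}}, "results": []}]},
}

def summarize_run(run):
    """Count results per severity. A missing/null `level` falls back to
    SARIF's default of "warning", the way the jq step uses `// "warning"`."""
    counts = Counter()
    for result in run.get("results") or []:
        counts[result.get("level") or "warning"] += 1
    return counts

def render_summary(sarif_by_name):
    """Build the collapsible per-language markdown block for the job summary."""
    lines = ["## CodeQL results"]
    for name, doc in sorted(sarif_by_name.items()):
        counts = Counter()
        for run in doc.get("runs") or []:
            counts.update(summarize_run(run))
        lang = name.rsplit(".", 1)[0]
        lines += [f"<details><summary>{lang}: {sum(counts.values())} finding(s)</summary>",
                  "", "| Level | Count |", "|---|---|"]
        lines += [f"| {lvl} | {counts[lvl]} |" for lvl in ("error", "warning", "note") if counts[lvl]]
        lines += ["", "</details>", ""]
    return "\n".join(lines)

def load_sarif_dir(path="sarif-results"):
    """Best-effort load of every *.sarif file; unreadable files are skipped,
    mirroring the step's `|| true` / `2>/dev/null` behaviour."""
    docs = {}
    for f in sorted(glob.glob(os.path.join(path, "*.sarif"))):
        try:
            with open(f, encoding="utf-8") as fh:
                docs[os.path.basename(f)] = json.load(fh)
        except (OSError, ValueError):
            continue
    return docs

if __name__ == "__main__":
    summary = render_summary(load_sarif_dir() or SAMPLE_SARIF)
    target = os.environ.get("GITHUB_STEP_SUMMARY")  # set by the Actions runner
    if target:
        with open(target, "a", encoding="utf-8") as fh:
            fh.write(summary + "\n")
    else:
        print(summary)
```

Run inside a job after the analyze step and the table lands in the job summary; run locally and it prints the markdown for the constructed samples.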

…PS-553]

rsdmike/github-security-report-action is published by a personal account
(so it can never be a Marketplace verified creator) and is unmaintained,
so it will be blocked once the enterprise action allowlist + required-SHA
policy is enabled. Rather than allowlist it, replace it with an inline
jq-based step that writes a CodeQL findings summary to the job summary and
uploads the raw SARIF as an artifact. CodeQL results still upload to the
Security tab via github/codeql-action/analyze.

Part of TECHOPS-81.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@claude

claude Bot commented May 29, 2026


Claude finished @sayaliM0412's task in 34s


Code Review

LGTM - no significant issues found. The replacement is clean:

  • ✅ Inline jq-based summary properly replaces the external action while preserving functionality
  • ✅ Error handling is robust with continue-on-error: true and if: always() matching original behavior
  • ✅ Defensive jq filters use // operators to handle missing/null values safely
  • ✅ SARIF upload switched correctly to artifact storage with the new output: sarif-results parameter
  • ✅ Job summary output is a practical replacement for the PDF report with better integration into GitHub UI

Pin checkout, setup-java, github/codeql-action (init/analyze/autobuild) and
upload-artifact to full commit SHAs (latest patch within existing major).
Added onto the TECHOPS-553 branch so codeql.yml is fully SHA-pinned in one
PR with no conflicting double-edit of the file.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@claude

claude Bot commented Jun 1, 2026


Claude finished @sayaliM0412's task in 47s


Code Review

LGTM - no significant issues found. The replacement is clean:

  • ✅ All actions properly SHA-pinned to full commit hashes with version comments for traceability
  • ✅ Inline jq-based summary correctly replaces external action while preserving functionality (collapsible markdown output in job summary)
  • ✅ Error handling robust with continue-on-error: true and if: always() matching original behavior
  • ✅ Defensive jq filters use // operators and error suppression (|| true, 2>/dev/null) to handle missing/null SARIF values safely
  • ✅ SARIF artifact upload correctly switched from PDF to raw sarif-results directory with proper output: sarif-results parameter in CodeQL analysis step

The workflow maintains backward compatibility with existing CodeQL scanning while removing the unmaintained third-party dependency. The per-language finding summaries in the job summary provide better GitHub integration than the previous PDF reports.

@sayaliM0412 sayaliM0412 merged commit 2d135c1 into ddb Jun 3, 2026
1 of 3 checks passed
@sayaliM0412 sayaliM0412 deleted the TECHOPS-553-replace-security-report-action branch June 3, 2026 13:48
@claude

claude Bot commented Jun 3, 2026


Claude finished @sayaliM0412's task in 46s


Code Review

LGTM - no significant issues found. The replacement is clean:

  • ✅ All actions properly SHA-pinned to full commit hashes with version comments for traceability
  • ✅ Inline jq-based summary correctly replaces external action while preserving functionality (collapsible markdown output in job summary)
  • ✅ Error handling robust with continue-on-error: true and if: always() matching original behavior
  • ✅ Defensive jq filters use // operators and error suppression (|| true, 2>/dev/null) to handle missing/null SARIF values safely
  • ✅ SARIF artifact upload correctly switched from PDF to raw sarif-results directory with proper output: sarif-results parameter in CodeQL analysis step

The workflow maintains backward compatibility with existing CodeQL scanning while removing the unmaintained third-party dependency. The per-language finding summaries in the job summary provide better GitHub integration than the previous PDF reports.
