Conversation

mbg
Member

@mbg mbg commented Sep 10, 2025

This PR adds an extra check to validateWorkflows which collects all the refs used for github/codeql-action steps in the workflow and checks that they are all the same.

If there is a mismatch, then this results in a warning.

Risk assessment

For internal use only. Please select the risk level of this change:

  • Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@mbg mbg requested a review from a team as a code owner September 10, 2025 11:26
@Copilot Copilot AI review requested due to automatic review settings September 10, 2025 11:26
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds validation to ensure all github/codeql-action steps in a workflow use the same version reference. The change introduces a new warning when inconsistent versions are detected, helping prevent compatibility issues.

Key changes:

  • Added version consistency validation for CodeQL Action steps
  • Added comprehensive test coverage for the new validation logic
  • Added a new error type for inconsistent action versions

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

File Description
src/workflow.ts Added validation logic to check version consistency across CodeQL Action steps and new error message
src/workflow.test.ts Added test cases covering version mismatch scenarios, consistent versions, and other actions
lib/*.js Generated JavaScript files (not reviewed per guidelines)

) {
const parts = step.uses.split("@");
if (parts.length >= 2) {
codeqlStepRefs.push(parts[parts.length - 1]);

Copilot AI Sep 10, 2025

The logic assumes that splitting on '@' will always produce the version as the last part, but this may not handle edge cases correctly. For example, if step.uses is 'github/codeql-action/init@v2@extra', this would extract 'extra' instead of 'v2@extra'. Consider using parts.slice(1).join('@') to handle multiple '@' characters properly.

Suggested change
codeqlStepRefs.push(parts[parts.length - 1]);
codeqlStepRefs.push(parts.slice(1).join("@"));

Comment on lines +175 to +176
const parts = step.uses.split("@");
if (parts.length >= 2) {
Contributor

Minor: don't we have this kind of parsing elsewhere already?

Member Author

We have

  const format = new RegExp(
    "(?<owner>[^/]+)/(?<repo>[^/]+)/(?<path>[^@]+)@(?<ref>.*)",
  );

in getRemoteConfig, but I thought I'd keep this simple.
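The check this PR describes, written out as an added example (not the codeql-action project's own code): it takes the ref as everything after the first `@` (so a `uses` value with more than one `@` keeps the whole ref, the case raised in the review comment above), collects the refs of all `github/codeql-action/*` steps across jobs, and returns a warning when they differ. The `Workflow`/`Job`/`Step` shapes, the prefix match and the warning text are assumptions for this example.

```typescript
// Simplified stand-ins for a parsed workflow; only the fields used here are modelled.
interface Step { uses?: string; }
interface Job { steps?: Step[]; }
interface Workflow { jobs?: Record<string, Job>; }

const CODEQL_ACTION_PREFIX = "github/codeql-action/"; // assumed prefix

// Return the ref of a CodeQL Action step, or undefined for any other step.
// Everything after the FIRST "@" is the ref, so "init@v2@extra" yields "v2@extra"
// rather than the last split part.
function codeqlActionRef(uses: string): string | undefined {
  if (!uses.startsWith(CODEQL_ACTION_PREFIX)) return undefined;
  const at = uses.indexOf("@");
  if (at < 0) return undefined; // no ref at all: nothing to compare
  return uses.slice(at + 1);
}

// Distinct refs used by CodeQL Action steps in every job, in first-seen order.
function collectCodeqlActionRefs(workflow: Workflow): string[] {
  const refs = new Set<string>();
  for (const job of Object.values(workflow.jobs ?? {})) {
    for (const step of job.steps ?? []) {
      if (step.uses === undefined) continue; // e.g. a `run:` step
      const ref = codeqlActionRef(step.uses);
      if (ref !== undefined) refs.add(ref);
    }
  }
  return [...refs];
}

// The warning the PR adds, as assumed text: undefined when all refs agree
// (or when there is at most one CodeQL Action step).
function inconsistentActionVersionWarning(workflow: Workflow): string | undefined {
  const refs = collectCodeqlActionRefs(workflow);
  if (refs.length <= 1) return undefined;
  return `Not all github/codeql-action steps use the same ref: ${refs.join(", ")}`;
}

// Constructed sample: init is pinned to v3 while analyze is pinned to v2.
const sampleWorkflow: Workflow = {
  jobs: {
    analyze: {
      steps: [
        { uses: "actions/checkout@v4" },
        { uses: "github/codeql-action/init@v3" },
        { uses: "github/codeql-action/analyze@v2" },
      ],
    },
  },
};
```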

@mbg mbg force-pushed the mbg/validate-action-version-in-workflow branch from 0d7b992 to bb98ff4 Compare September 10, 2025 12:02
@mbg mbg merged commit 0d058cd into main Sep 11, 2025
290 checks passed
@mbg mbg deleted the mbg/validate-action-version-in-workflow branch September 11, 2025 10:53