
Bump github/codeql-action from 2.2.12 to 2.3.3 #295

Merged

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github May 4, 2023

Bumps github/codeql-action from 2.2.12 to 2.3.3.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

[UNRELEASED]

No user facing changes.

2.3.3 - 04 May 2023

  • Update default CodeQL bundle version to 2.13.1. #1664
  • You can now configure CodeQL within your code scanning workflow by passing a config input to the init Action. See Using a custom configuration file for more information about configuring code scanning. #1590

2.3.2 - 27 Apr 2023

No user facing changes.

2.3.1 - 26 Apr 2023

No user facing changes.

2.3.0 - 21 Apr 2023

  • Update default CodeQL bundle version to 2.13.0. #1649
  • Bump the minimum CodeQL bundle version to 2.8.5. #1618

2.2.12 - 13 Apr 2023

  • Include the value of the GITHUB_RUN_ATTEMPT environment variable in the telemetry sent to GitHub. #1640
  • Improve the ease of debugging failed runs configured using default setup. The CodeQL Action will now upload diagnostic information to Code Scanning from failed runs configured using default setup. You can view this diagnostic information on the tool status page. #1619

2.2.11 - 06 Apr 2023

No user facing changes.

2.2.10 - 05 Apr 2023

  • Update default CodeQL bundle version to 2.12.6. #1629

2.2.9 - 27 Mar 2023

  • Customers post-processing the SARIF output of the analyze Action before uploading it to Code Scanning will benefit from an improved debugging experience. #1598
    • The CodeQL Action will now upload a SARIF file with debugging information to Code Scanning on failed runs for customers using upload: false. Previously, this was only available for customers using the default value of the upload input.
    • The upload input to the analyze Action now accepts the following values:
      • always is the default value, which uploads the SARIF file to Code Scanning for successful and failed runs.
      • failure-only is recommended for customers post-processing the SARIF file before uploading it to Code Scanning. This option uploads debugging information to Code Scanning for failed runs to improve the debugging experience.
      • never avoids uploading the SARIF file to Code Scanning even if the code scanning run fails. This is not recommended for external users since it complicates debugging.
      • The legacy true and false options will be interpreted as always and failure-only respectively.

2.2.8 - 22 Mar 2023

  • Update default CodeQL bundle version to 2.12.5. #1585

... (truncated)

Commits
  • 29b1f65 Merge pull request #1669 from github/update-v2.3.3-318bcc7f8
  • 140500d Update changelog for v2.3.3
  • 318bcc7 Merge pull request #1664 from github/update-bundle/codeql-bundle-20230428
  • f72bf5d Fix workflow formatting
  • 3346195 Merge branch 'main' into update-bundle/codeql-bundle-20230428
  • 8ca5570 Merge pull request #1666 from github/aeisenberg/readme-update
  • b1b3d00 Add link to changenote for custom config
  • d2f6dfd Merge pull request #1665 from github/aeisenberg/config-param
  • cba5616 Update CHANGELOG.md
  • 40c9593 Add changelog note
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.12 to 2.3.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@7df0ce3...29b1f65)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 4, 2023

@step-security-bot step-security-bot left a comment


Please find code comments generated by StepSecurity AI CodeReviewer below. As we have used multiple ways to analyze the diff, our bot will create multiple comments with code feedback

Code Reviewer Model Name: default

Code Comments

.github/workflows/codeql-analysis.yml

Here are my code review comments for the pull request:

  • The CodeQL init and analyze actions are being updated to use the latest version. This is good because it ensures that your actions are up to date with the latest features and bug fixes.
  • The CodeQL autobuild action is not being updated in this pull request. You might want to consider updating this action as well, to ensure that it is also using the latest version.
  • It would be good to add more comments to the workflow file, to explain what each step is doing and why it is important.
  • Overall, the changes in this pull request seem to be in line with engineering best practices.

Therefore, my output would be:
"Update CodeQL init and analyze actions to use the latest version."

  • Consider adding a version tag for the CodeQL tools initialization step to ensure that future changes do not break compatibility. For example, changing "uses: github/codeql-action/init@..." to "uses: github/codeql-action/init@v1.0.0".
  • Similarly, add a version tag for the autobuild step, for example "uses: github/codeql-action/autobuild@v1.0.0".
  • Verify that there are no breaking changes in the new version of the CodeQL tools being used, as this could affect the quality of the analysis.
  • Consider adding more comments or documentation to clarify the purpose and configuration of each step of the CI/CD process.

.github/workflows/scorecards.yml

Here are my high confidence code improvements:

  • It is nice to see the pull request updating the code scanning action version and uploading the SARIF file. No further improvements required.
  • The exact reason for the change in the github/codeql-action/upload-sarif version is not clear. Adding comments to explain the reason may help in the future.
  • It might be helpful to use a specific commit hash for github/codeql-action/upload-sarif instead of a tag, to ensure that the exact same version is used every time.
  • Consider adding error handling for when results.sarif is not generated correctly or when the upload to the dashboard fails.

Feedback

We appreciate your feedback in helping us enhance the service! To provide feedback, please use emojis on the comments generated by the bot. If you find the comments helpful, give them a 👍. If they aren't useful, kindly express that with a 👎. Thank you for your support!


@step-security-bot step-security-bot left a comment


Please find code comments generated by StepSecurity AI CodeReviewer below.

Code Reviewer Model Name: beta

Code Comments

.github/workflows/codeql-analysis.yml

  • Update the CodeQL action references from version 7df0ce34898d659f95c0c4a09eaa8d4e32ee64db to 29b1f65c5e92e24fe6b6647da1eaabe529cec70f.
  • Add description for the custom queries if added in the config.
  • Add a static version to CodeQL action reference to ensure stability in the build process.

.github/workflows/scorecards.yml

  • Consider adding a comment above the code block to explain the reason for the change or why this specific version was chosen.

  • Avoid adding comments inline with code, it could make the code hard to read.

  • Consider adding a validation step to ensure the uploaded SARIF file conforms to expectations before uploading.

  • Consider setting up conditional uploading based on specific criteria, such as only uploading if new issues have been detected.

  • Avoid hardcoding versions to provide more flexibility in the future.

Feedback

We appreciate your feedback in helping us enhance the service! To provide feedback, please use emojis on the comments generated by the bot. If you find the comments helpful, give them a 👍. If they aren't useful, kindly express that with a 👎. Thank you for your support!
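Two points in this thread deserve a concrete illustration: the changelog entry for 2.3.3 says the init Action now takes a `config` input, and both review-bot comments circle around whether the action references should be pinned to a commit SHA or to a tag. The script below is an added example written for this page; it is not code from the repository, from Dependabot or from StepSecurity. It embeds a constructed CodeQL workflow that uses the new `config` input and pins the codeql-action steps to the v2.3.3 merge commit SHA named in this PR (29b1f65c5e92e24fe6b6647da1eaabe529cec70f), then audits every `uses:` reference: a full 40-hex SHA is immutable, while a tag or branch such as `v3` can be moved by the action's owner (or by whoever compromises their account) to point at different code. The `# v2.3.3` trailing comment is the convention Dependabot relies on to know which release a SHA corresponds to, so a pinned reference without one is flagged as well. Everything in the sample workflow other than the codeql-action SHA is a placeholder.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample workflow for this example (not the repository's own
# .github/workflows/codeql-analysis.yml). The init step uses the `config`
# input introduced in codeql-action 2.3.3, and the codeql-action steps are
# pinned to the v2.3.3 merge commit from this PR with the tag recorded in a
# trailing comment, as Dependabot writes it. The checkout step is deliberately
# left on a mutable tag so the audit has something to report.
SAMPLE_WORKFLOW = """\
name: CodeQL
on: [push, pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v3
      - name: Initialize CodeQL
        uses: github/codeql-action/init@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
        with:
          languages: go
          config: |
            queries:
              - uses: security-extended
      - uses: github/codeql-action/autobuild@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
      - uses: github/codeql-action/analyze@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)\s*(?:#\s*(.*))?$")
# A mapping key whose value is a YAML block scalar, e.g. `config: |` or `run: |`.
BLOCK_SCALAR_RE = re.compile(r"^(\s*)(?:-\s*)?[\w.-]+:\s*[|>][+-]?\d*\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def iter_action_refs(workflow_text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, ref, trailing_comment) for every `uses:` step.

    Lines inside a YAML block scalar (such as the body of `config: |`) are
    skipped, so a CodeQL query-pack `uses:` entry inside the config is not
    mistaken for an action reference.
    """
    block_indent = None
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if block_indent is not None:
            if indent > block_indent:
                continue  # still inside the block scalar
            block_indent = None
        scalar = BLOCK_SCALAR_RE.match(line)
        if scalar:
            block_indent = len(scalar.group(1))
            continue
        m = USES_RE.match(line)
        if m:
            yield line_no, m.group(1), (m.group(2) or "").strip()


def audit_action_refs(workflow_text: str) -> List[Dict[str, object]]:
    """Classify each action reference as pinned (full 40-hex commit SHA) or
    mutable (a tag or branch name, which the action's owner can move).

    A pinned ref is only reported as ok when it carries a `# vX.Y.Z` comment,
    because Dependabot uses that comment to map the SHA back to a release.
    """
    findings: List[Dict[str, object]] = []
    for line_no, ref, comment in iter_action_refs(workflow_text):
        if ref.startswith(("./", "docker://")):
            continue  # local or container actions are not resolved via git refs
        action, _, version = ref.partition("@")
        pinned = bool(FULL_SHA_RE.match(version))
        findings.append({
            "line": line_no,
            "action": action,
            "ref": version,
            "pinned": pinned,
            "version_comment": comment,
            "ok": pinned and comment.startswith("v"),
        })
    return findings


def unpinned_actions(workflow_text: str) -> List[str]:
    """Names of actions whose reference is not a full commit SHA."""
    return [f["action"] for f in audit_action_refs(workflow_text) if not f["pinned"]]


if __name__ == "__main__":
    for f in audit_action_refs(SAMPLE_WORKFLOW):
        status = "ok" if f["ok"] else ("UNPINNED" if not f["pinned"] else "NO VERSION COMMENT")
        print(f'line {f["line"]}: {f["action"]}@{f["ref"]}  {status}')
```

Run against the embedded sample it reports `actions/checkout@v3` as unpinned and the three codeql-action steps as ok; pointing `SAMPLE_WORKFLOW` at a real workflow file turns it into a pre-merge check for Dependabot PRs like this one. Note that pinning to a SHA is not the whole story: the SHA still has to be refreshed when upstream ships a fix, which is exactly the job this PR does, and the `# vX.Y.Z` comment is what lets Dependabot keep doing it.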

@varunsh-coder varunsh-coder merged commit beefd8c into main May 24, 2023
4 checks passed
@dependabot dependabot bot deleted the dependabot/github_actions/github/codeql-action-2.3.3 branch May 24, 2023 05:21