chore(deps): bump github/codeql-action from 3.28.5 to 3.28.8

[dependabot]

Bumps github/codeql-action from 3.28.5 to 3.28.8.

Release notes

Sourced from github/codeql-action's releases.

v3.28.8

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.8 - 29 Jan 2025

• Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. #2744

See the full CHANGELOG.md for more information.

v3.28.7

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.7 - 29 Jan 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.28.6

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.6 - 27 Jan 2025

• Re-enable debug artifact upload for CLI versions 2.20.3 or greater. #2726

See the full CHANGELOG.md for more information.

Commits

• dd74661 Merge pull request #2746 from github/update-v3.28.8-a91a3f767
• 3210a3c Fix Kotlin version in changelog
• 72f9d02 Update changelog for v3.28.8
• a91a3f7 Merge pull request #2744 from github/igfoo/kot2.1.10
• c520fb5 Merge pull request #2745 from github/mergeback/v3.28.7-to-main-6e545590
• 3879c57 Add changelog entry
• 0c21937 Run "npm run build"
• 5a61bf0 Kotlin: The 2.20.3 release supports Kotlin 2.1.10.
• 163d119 Update checked-in dependencies
• bcf5cec Update changelog and version after v3.28.7
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[saidsef]

/code pr

[saidsef]

🤖
Reviewing the changes in the GitHub Actions workflows:

.github/workflows/charts.yml

Observations:

• Updated GitHub CodeQL Action versions from v3.28.5 to v3.28.8
  • Lines 80, 82: CodeQL init and analyse actions
  • Line 95: Upload SARIF results action

.github/workflows/scorecard.yml

Observations:

• Updated GitHub CodeQL upload-sarif action reference
  • Line 33: Changed commit hash while keeping version at v2.22.11

Code looks clean and follows standard GitHub Actions version update practice. No specific issues or suggestions.

_{> claude-3-5-haiku-latest [pr | 0]}

[saidsef]

/code pr

[saidsef]

🤖
.github/workflows/charts.yml:
• The CodeQL actions (init, analyze, upload-sarif) have been updated from v3.28.5 to v3.28.8. Verify that the new version’s behaviour remains compatible with your workflows.
• The continue-on-error settings have been preserved; double-check that this is still the desired approach for error management.

.github/workflows/scorecard.yml:
• The upload-sarif action now uses a different commit hash (0701025a8b1600e416be4f3bb5a830b1aa6af01e) while retaining the label v2.22.11. Confirm that this revision does not introduce any unexpected changes.

_{> o3-mini [pr | 1]}

[saidsef]

/code pr

[saidsef]

🤖

Summary of Changes and Suggestions

File: .github/workflows/charts.yml

Changes:

• The CodeQL Action versions have been updated from v3.28.5 to v3.28.8 for both initialize and analyze steps.
• The upload-sarif step for CodeQL has also been updated to version v3.28.8.

Suggestions:

• Consistency Check: Ensure that updating the CodeQL Action to v3.28.8 does not introduce any compatibility issues with other dependencies or scripts in your workflows. It's a good practice to test the updated actions for any regressions.

File: .github/workflows/scorecard.yml

Changes:

• The upload-sarif step has been updated to a newer commit hash 0701025a8b1600e416be4f3bb5a830b1aa6af01e instead of the previous commit hash e7c0c9d71b7bd108fd12e06b56fc58d3d154164d.

Suggestions:

• Pin to Version: If possible, pin the upload-sarif action to a specific version number instead of a commit hash for easier version tracking and rollback if necessary. For instance, specify v2.22.11 explicitly if that corresponds with the commit.

Issues Noted

• Switch from Commit to Version: In the scorecard.yml, the change from a commit hash to a more stable version identifier when available is generally better for maintainability. If the exact version v2.22.11 corresponds to 0701025a8b1600e416be4f3bb5a830b1aa6af01e, update the comment to reflect this accurately.

By addressing these suggestions, your workflows should remain stable and maintainable as you update their components.

_{> microsoft/phi-4 [pr | 0]}