
[UPDATE] (deps): Bump github/codeql-action from 4.32.2 to 4.32.3 in /.github/workflows#114

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/github_actions/dot-github/workflows/master/github/codeql-action-4.32.3

Conversation


@dependabot dependabot bot commented on behalf of github Feb 17, 2026

Bumps github/codeql-action from 4.32.2 to 4.32.3.

Release notes

Sourced from github/codeql-action's releases.

v4.32.3

  • Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466
Commits
  • 9e907b5 Merge pull request #3479 from github/update-v4.32.3-4bf6fa4e2
  • 1814c9f Update changelog for v4.32.3
  • 4bf6fa4 Merge pull request #3478 from github/mbg/changelog/add-connection-test-entry
  • 9658e23 Merge pull request #3476 from github/henrymercer/retry-auth-errors
  • be75dd9 Add changelog entry for #3466
  • 05bca54 Apply suggestion from @​Copilot
  • 2d6b98c Merge pull request #3475 from github/henrymercer/retry-auth-errors
  • 876cecb Avoid requesting features in CCR
  • 43b46a1 Retry API authentication errors since these can be transient
  • 8ad4b6e Merge pull request #3472 from github/dependabot/github_actions/dot-github/wor...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated internal CI/CD workflow dependencies to latest patch versions for improved security and stability.

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.2 to 4.32.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.32.2...v4.32.3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added this to the Version 1.1.5 milestone Feb 17, 2026
@dependabot dependabot bot added Configs Improvements or additions to configuration GitHub Anything Meta Python Repo Anything Project Related Testing Something can be verified Version Update Indicates that the pull request is related to updating the version of a dependency. labels Feb 17, 2026

deepsource-io bot commented Feb 17, 2026

DeepSource Code Review

DeepSource reviewed changes in the commit range bf0f743..1dd58e4 on this pull request. Below is the summary for the review, and you can see the individual issues we found as review comments.

For detailed review results, please see the PR on DeepSource ↗

PR Report Card

  • Security: 0 issues
  • Reliability: 0 issues
  • Complexity: 0 issues
  • Hygiene: 0 issues

Code Review Summary

  • Analyzer Python: No new issues detected.

Administrators can configure which issue categories are reported and cause analysis to be marked as failed when detected. This helps prevent bad and insecure code from being introduced in the codebase. If you're an administrator, you can modify this in the repository's settings.

@github-actions github-actions bot added the CI Continuous Integration Tooling label Feb 17, 2026
@reactive-firewall (Owner) commented

@coderabbitai full review

Be sure to thoroughly consider the security risk and impact of including these new changes on this repository.


coderabbitai bot commented Feb 17, 2026

🧩 Analysis chain

@reactive-firewall, I'll gather information about the changes in this PR to provide a thorough security assessment.


🏁 Script executed:

#!/bin/bash
# Get the list of files changed in this PR
gh pr view 114 --repo reactive-firewall/python-repo --json files --jq '.files[].path'

Length of output: 70


🏁 Script executed:

#!/bin/bash
# Get the diff for this PR to see what's actually changing
gh pr diff 114 --repo reactive-firewall/python-repo

Length of output: 1842


🏁 Script executed:

#!/bin/bash
# Check which workflow files use codeql-action
fd -e yml -e yaml . .github/workflows --exec grep -l "github/codeql-action"

Length of output: 99


🏁 Script executed:

#!/bin/bash
# Check what version of codeql-action is used in bandit.yml
cat .github/workflows/bandit.yml | grep -A2 -B2 "github/codeql-action"

Length of output: 212


🏁 Script executed:

#!/bin/bash
# Get full content of the modified workflow files to understand the context
echo "=== codeql-analysis.yml ==="
cat .github/workflows/codeql-analysis.yml

echo -e "\n\n=== scorecards.yml ==="
cat .github/workflows/scorecards.yml

Length of output: 5701


🏁 Script executed:

#!/bin/bash
# Check what commit SHA corresponds to v4.32.3
echo "Checking commit SHA for v4.32.3..."
gh api repos/github/codeql-action/git/ref/tags/v4.32.3 --jq '.object.sha'

echo -e "\nChecking commit SHA for v4.31.10..."
gh api repos/github/codeql-action/git/ref/tags/v4.31.10 --jq '.object.sha'

echo -e "\nVerifying the commit SHA in scorecards.yml (147d1495e44cd79bcd652a4bd2826462378e311d)..."
gh api repos/github/codeql-action/commits/147d1495e44cd79bcd652a4bd2826462378e311d --jq '{sha: .sha, message: .commit.message}'

Length of output: 436


🏁 Script executed:

#!/bin/bash
# Get the release notes and security info for v4.32.3
echo "=== Release notes for v4.32.3 ==="
gh api repos/github/codeql-action/releases/tags/v4.32.3 --jq '.body' 2>/dev/null || echo "No release found"

# Check for any security advisories
echo -e "\n=== Checking for security advisories ==="
gh api graphql -f query='
{
  repository(owner: "github", name: "codeql-action") {
    vulnerabilityAlerts(first: 5) {
      nodes {
        securityAdvisory {
          summary
          severity
        }
      }
    }
  }
}'

Length of output: 560


@reactive-firewall, I've completed a thorough security analysis of this PR. Here's my assessment:

Security Analysis Summary

Overall Risk Level: LOW

Changes Overview

This PR updates github/codeql-action in two workflow files:

  1. .github/workflows/codeql-analysis.yml: Updates from v4.32.2 → v4.32.3 (3 action uses)
  2. .github/workflows/scorecards.yml: Updates commit SHA for upload-sarif action

Security Assessment

✅ Positive Findings:

  • Official GitHub-maintained action with no known security vulnerabilities
  • Patch version bump (4.32.2 → 4.32.3) indicates backward-compatible changes only
  • New features are experimental and disabled by default:
    • Private package registry connection testing (not enabled for any analysis)
    • Retry logic for transient API authentication errors (improves reliability)
  • No security advisories found for the codeql-action repository

⚠️ Concerns Identified:

  1. Version Pinning Strategy: The codeql-analysis.yml uses mutable semantic version tags (v4.32.3) instead of immutable commit SHAs. While GitHub Actions are generally trustworthy, commit SHAs provide stronger security guarantees.

  2. Scorecards.yml Version Mismatch: There's a discrepancy in scorecards.yml:

    • Commit SHA updated to: 147d1495e44cd79bcd652a4bd2826462378e311d
    • Comment claims: # v4.31.10
    • Actual v4.32.3 SHA: 9da17a5aa4abec2340d6e6c8d8efb0770b1c9cb8
    • Actual v4.31.10 SHA: db2c8fe24a75c0f28f87ed1a6fe918a5ccf7b1e6
    • The SHA in scorecards.yml (147d149...) is from a different commit related to "forcing the nightly bundle in dynamic workflows"

Recommendations

  1. Immediate: Investigate why scorecards.yml was updated to a different commit SHA that doesn't match v4.31.10
  2. Short-term: The codeql-analysis.yml changes are safe to merge
  3. Long-term: Consider pinning all actions to commit SHAs for enhanced security, following the pattern used in other parts of your workflows (e.g., actions/checkout@de0fac2e...)

Impact Assessment

  • Security Impact: Minimal - the changes improve reliability without introducing new attack vectors
  • Functionality Impact: None - backward compatible patch update
  • Compatibility Impact: None - no breaking changes

The v4.32.3 update in codeql-analysis.yml is safe to merge from a security perspective. However, I recommend clarifying the scorecards.yml change before merging.


🧠 Learnings used
Learnt from: reactive-firewall
Repo: reactive-firewall/ymmv PR: 0
File: :0-0
Timestamp: 2024-10-04T03:58:43.291Z
Learning: Reactive-firewall prefers to include tests and documentation in the code review process and not exclude them from analysis.

Learnt from: reactive-firewall
Repo: reactive-firewall-org/multicast PR: 448
File: tox.ini:44-44
Timestamp: 2025-06-26T19:54:14.919Z
Learning: reactive-firewall prefers comprehensive refactoring of configuration files over piecemeal fixes, especially when planning to modernize and take advantage of recent tooling enhancements.

Learnt from: reactive-firewall
Repo: reactive-firewall/multicast PR: 184
File: tests/test_hear_keyboard_interrupt.py:70-70
Timestamp: 2024-11-14T02:25:25.684Z
Learning: Reactive-firewall prefers to include suggested code changes or fixes in the issue's description when requested.

Learnt from: reactive-firewall
Repo: reactive-firewall/multicast PR: 227
File: .github/workflows/makefile-lint.yml:39-39
Timestamp: 2024-11-29T10:13:46.501Z
Learning: For future reviews, remember that reactive-firewall may handle regressions caused by `${YAML_ARGS}` being incorrectly set, and prefers that suggestions consider potential issues with this variable.

Learnt from: reactive-firewall
Repo: reactive-firewall-org/multicast PR: 433
File: generate_changelog.sh:243-257
Timestamp: 2025-06-09T05:01:35.286Z
Learning: The user reactive-firewall prefers to implement code changes manually rather than using automated code change features, following their organization's AI Usage Policy which requires human oversight and control over code modifications.

Learnt from: reactive-firewall
Repo: reactive-firewall/ymmv PR: 4
File: .github/workflows/markdown-lint.yml:22-34
Timestamp: 2024-10-06T10:21:24.909Z
Learning: Reactive-firewall prefers detailed walkthroughs and explanations when implementing suggested changes, especially when new tools or commands like npm and npx are involved.

Learnt from: reactive-firewall
Repo: reactive-firewall/multicast PR: 235
File: tests/check_pip:183-184
Timestamp: 2024-12-06T08:11:49.308Z
Learning: When suggesting code changes or potential issues, reactive-firewall prefers to have the diff and rationale added as comments on relevant GitHub issues.

Learnt from: reactive-firewall
Repo: reactive-firewall-org/multicast PR: 448
File: Makefile:123-128
Timestamp: 2025-07-02T05:51:47.172Z
Learning: reactive-firewall prefers to investigate environmental discrepancies thoroughly before making changes to working code, even when the logic appears mathematically incorrect, to ensure comprehensive understanding of the system behavior before implementing fixes.

Learnt from: reactive-firewall
Repo: reactive-firewall/multicast PR: 148
File: multicast/__init__.py:327-330
Timestamp: 2024-10-09T23:42:21.123Z
Learning: For future reviews, remember that reactive-firewall intentionally includes module import error checks after imports to handle specific edge cases.

Learnt from: reactive-firewall
Repo: reactive-firewall/multicast PR: 351
File: .github/workflows/codeql-analysis.yml:58-58
Timestamp: 2025-04-13T01:28:20.194Z
Learning: Changes made by dependabot should be monitored for compatibility with project-specific conventions like CEP-7.

Learnt from: reactive-firewall
Repo: reactive-firewall-org/multicast PR: 448
File: .coderabbit.yaml:13-13
Timestamp: 2025-07-02T05:28:04.435Z
Learning: reactive-firewall prefers to avoid using acronyms when they are ambiguous or violate design principles (such as "Avoid Hasty Abstractions"), favoring explicit, clear phrases over potentially confusing abbreviations, even when the acronym might seem convenient.

Learnt from: reactive-firewall
Repo: reactive-firewall/multicast PR: 429
File: docs/FAQ.md:23-26
Timestamp: 2025-06-05T04:41:34.391Z
Learning: Reactive-firewall prefers to maintain existing table header formatting in documentation even when more explicit headers are suggested, indicating a preference for their established stylistic choices over standardized formatting recommendations when the current headers are functional and descriptive.

Learnt from: reactive-firewall
Repo: reactive-firewall/multicast PR: 424
File: docs/Testing.md:308-312
Timestamp: 2025-05-27T22:39:32.660Z
Learning: Reactive-firewall prefers to maintain documentation formatting that preserves paragraph structure and readability over strict style rules, particularly when line length constraints and the intent of content organization (like maintaining single paragraph flow) are factors, indicating a preference for practical readability over cosmetic formatting adjustments.

Learnt from: reactive-firewall
Repo: reactive-firewall/ymmv PR: 9
File: payload/bin/lsmap:17-27
Timestamp: 2024-11-07T04:15:11.692Z
Learning: Reactive-firewall prefers scripts to support both BSD and GNU versions of commands, with a slight preference for BSD.

Learnt from: reactive-firewall
Repo: reactive-firewall-org/multicast PR: 454
File: tests/test_extra.py:113-115
Timestamp: 2025-07-09T00:28:59.903Z
Learning: reactive-firewall prefers to avoid even minor style "improvements" when they view them as introducing abstractions that go against their "Avoid Hasty Abstractions" principle, favoring clear, explicit code over adherence to style conventions when they perceive a conflict with their design philosophy.

Learnt from: reactive-firewall
Repo: reactive-firewall/multicast PR: 115
File: multicast/hear.py:180-180
Timestamp: 2024-10-08T21:59:30.537Z
Learning: Reactive-firewall prefers to re-use already loaded modules to keep memory overhead low when possible.

Learnt from: reactive-firewall
Repo: reactive-firewall/multicast PR: 415
File: .github/AI_USAGE_POLICY.md:32-34
Timestamp: 2025-05-25T21:33:32.345Z
Learning: Reactive-firewall prefers to maintain existing documentation style and wording in policy documents, declining stylistic refinements when the current text is functional, indicating a preference for stability over cosmetic improvements in documentation.

Learnt from: reactive-firewall
Repo: reactive-firewall/multicast PR: 379
File: .ast-grep/utils/python/structure/multicast-mtool-subclass-definitions/undecorated_function_definition.yml:8-12
Timestamp: 2025-04-23T04:07:24.393Z
Learning: Reactive-firewall follows the "Avoid Hasty Abstraction" principle, being cautious about changes that might introduce unnecessary abstractions or alter existing behavior, particularly in configuration files like ast-grep rule definitions.
✅ Actions performed

Full review triggered.


coderabbitai bot commented Feb 17, 2026

Walkthrough

GitHub Actions workflow files receive dependency updates: CodeQL action versions bumped from v4.32.2 to v4.32.3, and the upload-sarif action's commit hash is updated. No functional logic or control flow changes introduced.

Changes

  • CodeQL Workflow Update (.github/workflows/codeql-analysis.yml): CodeQL action versions updated from v4.32.2 to v4.32.3 across Init, Autobuild, and Analyze steps.
  • Scorecards Workflow Update (.github/workflows/scorecards.yml): Upload-sarif action commit hash updated while maintaining the same version tag.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hop, skip, and a version bump,
Actions updated, workflow jump!
From v4.32.2 to point three,
Security scanning flows with glee.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed (check skipped; CodeRabbit's high-level summary is enabled)
  • Title check: ✅ Passed. The title accurately describes the main change: bumping github/codeql-action from v4.32.2 to v4.32.3 in workflow files, which matches the changeset modifications.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



codecov bot commented Feb 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.000%. Comparing base (bf0f743) to head (1dd58e4).


@@             Coverage Diff             @@
##             master       #114   +/-   ##
===========================================
  Coverage   100.000%   100.000%           
===========================================
  Files             2          2           
  Lines            42         42           
===========================================
  Hits             42         42           
Flag coverage (Δ):
  • 3.10: 100.000% <ø> (ø)
  • 3.11: 100.000% <ø> (ø)
  • 3.12: 100.000% <ø> (ø)
  • 3.13: 100.000% <ø> (ø)
  • 3.9: 100.000% <ø> (ø)
  • macos-latest: 100.000% <ø> (ø)
  • ubuntu-latest: 100.000% <ø> (ø)
  • windows-latest: 100.000% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.



Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update bf0f743...1dd58e4.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/codeql-analysis.yml (1)

51-83: Pin codeql-action steps to immutable commit SHA for supply-chain consistency.

actions/checkout on line 44 is already SHA-pinned, and every action in scorecards.yml follows the same pattern with two-space comment annotations. The three github/codeql-action steps (init, autobuild, analyze) still use mutable tag @v4.32.3, creating an inconsistency in a security-scanning workflow where this matters.

Once the correct SHA for v4.32.3 is confirmed, update the three references to immutable SHAs with CEP-7 comment format:

♻️ Suggested update pattern
-      uses: github/codeql-action/init@v4.32.3
+      uses: github/codeql-action/init@<SHA-FOR-v4.32.3>  # v4.32.3
-      uses: github/codeql-action/autobuild@v4.32.3
+      uses: github/codeql-action/autobuild@<SHA-FOR-v4.32.3>  # v4.32.3
-      uses: github/codeql-action/analyze@v4.32.3
+      uses: github/codeql-action/analyze@<SHA-FOR-v4.32.3>  # v4.32.3
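Review bot: the placeholder `<SHA-FOR-v4.32.3>` in all three `+` lines must be replaced with the full 40-character commit SHA before this pattern can be applied, and that SHA should be the commit the tag dereferences to; the lookup earlier in this thread used `git/ref/tags/v4.32.3 --jq '.object.sha'`, which for an annotated tag returns the tag object rather than the commit. The suggested lines also place the annotation as a trailing `  # v4.32.3` comment, while the prompt text below asks to prepend the annotation above each step; settle on whichever form scorecards.yml already uses so the pinning convention stays consistent across the workflows.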
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql-analysis.yml around lines 51 - 83, Replace the
mutable version tags for the three CodeQL action steps
(github/codeql-action/init, github/codeql-action/autobuild,
github/codeql-action/analyze) with their immutable commit SHAs corresponding to
v4.32.3 and add the CEP-7 two-space comment annotation above each step;
specifically locate the three uses: "uses: github/codeql-action/init@v4.32.3",
"uses: github/codeql-action/autobuild@v4.32.3", and "uses:
github/codeql-action/analyze@v4.32.3" and update the `@v4.32.3` to the verified
full commit SHA and prepend the CEP-7 style comment lines (two-space comment
annotations) as used elsewhere (e.g., actions/checkout) for supply-chain
consistency.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/scorecards.yml:
- Line 68: Replace the mismatched commit SHA used in the action reference
"github/codeql-action/upload-sarif@147d1495e44cd79bcd652a4bd2826462378e311d" so
the SHA matches the annotated version comment; either swap the SHA to the
v4.31.10 tag SHA (db2c8fe24a75c0f28f87ed1a6fe918a5ccf7b1e6) if you intend
v4.31.10, or update both the SHA and the trailing comment to the v4.32.3 tag SHA
(9da17a5aa4abec2340d6e6c8d8efb0770b1c9cb8) if you intend v4.32.3, ensuring the
uses line and its version annotation are consistent with the other pinned
actions.

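The two checks raised in this thread (the Recommendations in the security analysis above, and the nitpick and inline comments in this review), as an added example that is not part of the PR or the repository's own tooling: a Python audit of `uses:` lines that flags mutable tag references, SHA pins with no version annotation, and annotations whose tag does not map to the pinned SHA. The tag-to-SHA table and the sample workflow lines are constructed from the values quoted in the thread; in real use the table would be filled from the GitHub API, dereferencing annotated tags to their commit.

```python
"""Audit GitHub Actions `uses:` references for supply-chain hygiene.

Added example, not code from the PR or the repository. Checks:
  - mutable-ref:        reference is a tag or branch, not a 40-hex commit SHA
  - missing-annotation: SHA pin has no trailing `# vX.Y.Z` comment
  - sha-mismatch:       the annotated tag resolves to a different commit
  - unknown-tag:        the annotated tag is not in the lookup table
"""
import re
from dataclasses import dataclass

USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s+#\s*(?P<note>\S+))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed from the SHAs quoted in the review thread. In practice, populate
# this from the GitHub API and make sure an annotated tag is dereferenced to
# its commit, since the tag object's SHA is not what `uses:` must pin.
TAG_SHA = {
    ("github/codeql-action", "v4.32.3"): "9da17a5aa4abec2340d6e6c8d8efb0770b1c9cb8",
    ("github/codeql-action", "v4.31.10"): "db2c8fe24a75c0f28f87ed1a6fe918a5ccf7b1e6",
}

# Constructed sample mirroring the references discussed in this PR.
SAMPLE_WORKFLOW = """\
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4.32.3
      - name: Autobuild
        uses: github/codeql-action/autobuild@v4.32.3
      - name: Upload SARIF (annotation does not match the pinned commit)
        uses: github/codeql-action/upload-sarif@147d1495e44cd79bcd652a4bd2826462378e311d  # v4.31.10
      - name: Upload SARIF (consistent pin)
        uses: github/codeql-action/upload-sarif@db2c8fe24a75c0f28f87ed1a6fe918a5ccf7b1e6  # v4.31.10
"""


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    kind: str
    detail: str


def action_repo(action: str) -> str:
    """'github/codeql-action/init' -> 'github/codeql-action'."""
    return "/".join(action.split("/")[:2])


def audit_workflow(text: str, tag_sha: dict) -> list:
    """Return one Finding per `uses:` line that fails a check."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, note = m.group("action"), m.group("ref"), m.group("note")
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(line_no, action, ref, "mutable-ref",
                                    "tag or branch can be moved; pin a full commit SHA"))
        elif note is None:
            findings.append(Finding(line_no, action, ref, "missing-annotation",
                                    "SHA pin has no '# vX.Y.Z' comment"))
        else:
            expected = tag_sha.get((action_repo(action), note))
            if expected is None:
                findings.append(Finding(line_no, action, ref, "unknown-tag",
                                        f"no commit known for {note}"))
            elif expected != ref:
                findings.append(Finding(line_no, action, ref, "sha-mismatch",
                                        f"comment says {note} but that tag is {expected[:7]}"))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW, TAG_SHA):
        print(f"line {f.line_no}: {f.action}@{f.ref[:12]} [{f.kind}] {f.detail}")
```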
