ppkarwasz commented on code in PR #343:
URL: https://github.com/apache/logging-parent/pull/343#discussion_r1987733189
##
.github/workflows/codeql-analysis.yaml:
##
Review Comment:
The `codeql-analysis-reusable.yaml` workflow is mostly for Java projects
that require a JDK t
ppkarwasz commented on PR #344:
URL: https://github.com/apache/logging-parent/pull/344#issuecomment-2710079948
> @ppkarwasz, can you explain the hardening practiced by replacing
`input.foo` statements with shell environment variables?
This follows the [Security Hardening for GitHub
A
github-actions[bot] merged PR #345:
URL: https://github.com/apache/logging-parent/pull/345
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications
vy commented on code in PR #343:
URL: https://github.com/apache/logging-parent/pull/343#discussion_r1986931989
##
.github/workflows/codeql-analysis.yaml:
##
Review Comment:
Shouldn't we be using our own `codeql-analysis-reusable.yaml` somewhere?
ppkarwasz opened a new pull request, #344:
URL: https://github.com/apache/logging-parent/pull/344
This change removes all direct usages of GitHub expressions to prevent
potential script injections.
**Note**: The GitHub expressions modified in this PR only come from
**trusted** source
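The hardening discussed in PR #344 and in the question about `input.foo` above, shown as an added example that is not part of the logging-parent repository: a hypothetical workflow (the `title` input and `PR_TITLE` variable are illustrative names) with the injectable pattern and the hardened one side by side. A `${{ ... }}` expression is substituted into the `run:` script text before the shell starts, so any quote or `;` in the value becomes part of the command line; moving the expression into `env:` means the value only ever reaches the shell as data in a variable.

```yaml
# Added example, not from apache/logging-parent. Names are hypothetical.
name: expression-hardening-example

on:
  workflow_dispatch:
    inputs:
      title:
        description: Free-form text chosen by whoever dispatches the run
        required: true
        type: string

jobs:
  demo:
    runs-on: ubuntu-latest
    steps:
      # BEFORE: the expression is expanded into the script source itself.
      # A value such as   x"; id; echo "   closes the quoted string and
      # runs `id` as its own command before the script continues.
      - name: Vulnerable pattern (direct expression in run)
        run: |
          echo "Title: ${{ inputs.title }}"

      # AFTER: the expression is evaluated into the step's environment map,
      # not into the script. The script references "$PR_TITLE", which the
      # shell treats as a string no matter which characters it contains.
      - name: Hardened pattern (expression moved to env)
        env:
          PR_TITLE: ${{ inputs.title }}
        run: |
          echo "Title: $PR_TITLE"
```

The same transformation applies to any expression whose value an outside party can influence (`github.event.*` fields, workflow or reusable-workflow inputs); keeping the variable double-quoted in the script is what prevents word splitting and globbing once the injection vector itself is gone. As the PR description notes, when the expressions involved come only from trusted sources the change is defense in depth rather than the fix for a live injection.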
ppkarwasz opened a new pull request, #343:
URL: https://github.com/apache/logging-parent/pull/343
CodeQL now supports analysis of GitHub Action scripts.
github-advanced-security[bot] commented on code in PR #343:
URL: https://github.com/apache/logging-parent/pull/343#discussion_r1986851176
##
.github/workflows/codeql-analysis.yaml:
##
@@ -0,0 +1,47 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# co