Reviewed 16 of 16 files at r1, 1 of 1 files at r2, 4 of 4 files at r3, 2 of 2 files at r4, 1 of 1 files at r5, 2 of 2 files at r6, all commit messages.
Reviewable status: all files reviewed, 8 unresolved discussions (waiting on @osalyk)

.github/actions/pmem_benchmark_run/action.yml line 36 at r3 (raw file):

    - name: Archive logs
      if: always()
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4

.

Suggestion:

# v4.4.0

.github/workflows/docker_rebuild.yml line 40 at r1 (raw file):

    steps:
      - name: Clone the git repo
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

Please use the exact tag. v4 will be changed whenever a new v4.x.y will be released.
Please apply to all occurrences.

Ref: actions/checkout@692973e

Suggestion:

# v4.1.7

.github/workflows/scan_codeql.yml line 39 at r4 (raw file):

    - name: Initialize CodeQL
      uses: github/codeql-action/init@be8b74c09c1778bcdbea38e1a45efea2cb73e18c # v2

I believe we should use v3.26.6 consequently in all instances. No point in using two versions.

.github/workflows/scan_codeql.yml line 47 at r4 (raw file):

    - name: CodeQL scan
      uses: github/codeql-action/analyze@be8b74c09c1778bcdbea38e1a45efea2cb73e18c # v2

v3.26.6?

.github/workflows/scan_coverage.yml line 42 at r5 (raw file):

      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4

.

Suggestion:

# v4.5.0

.github/workflows/scan_log_calls.yml line 33 at r6 (raw file):

      - name: Upload artifacts
        if: steps.log_calls_diff.outputs.length != '0'
        uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3

I think we uniformly use v4.4.0.

.github/workflows/scan_stack_usage.yml line 80 at r6 (raw file):

      - name: Upload artifacts
        uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3

I think we uniformly use v4.4.0.

.github/workflows/scorecard.yml line 72 at r4 (raw file):

      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3

.

Suggestion:

# v3.26.6

Reviewable status: 0 of 18 files reviewed, 8 unresolved discussions (waiting on @janekmi)

.github/actions/pmem_benchmark_run/action.yml line 36 at r3 (raw file):

Done.

.github/workflows/docker_rebuild.yml line 40 at r1 (raw file):

Done.

.github/workflows/scan_codeql.yml line 39 at r4 (raw file):

Done.

.github/workflows/scan_codeql.yml line 47 at r4 (raw file):

Done.

.github/workflows/scan_coverage.yml line 42 at r5 (raw file):

Done.

.github/workflows/scan_log_calls.yml line 33 at r6 (raw file):

Done.

.github/workflows/scan_stack_usage.yml line 80 at r6 (raw file):

Done.

.github/workflows/scorecard.yml line 72 at r4 (raw file):

Done.

Reviewed 9 of 18 files at r7, 6 of 6 files at r9, 2 of 2 files at r10, 1 of 1 files at r11, all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @osalyk)

Reviewed 18 of 18 files at r7, 1 of 1 files at r8, 6 of 6 files at r9, 2 of 2 files at r10, 1 of 1 files at r11, all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @osalyk)

Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @osalyk)