🌱 Bump CodeQL Action version to 3.24.10 and remove whitespace

[adamdmharvey]

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

I don't see Dependabot updating the github/codeql action in this particular action workflow, though it's updating a) other actions in this workflow and b) github/codeql in other actions.

Just a while speculation, but this is the only one with the whitespace between the actual name key and the uses? Just in case, firing this to see if the next Dependabot scan will start patching the codeql action in this file also. (and if so, it may infer a minor text checking bug in the upstream Dependabot algorithm?)

What is the new behavior (if this is a feature change)?**

Should allow Dependabot to bump the codeql action in this file.

While here, I also bumped the actions manually to the latest v3.x series (which also includes Node 20, which should help eliminate any actions warnings about Node deprecations).

Note the only other call is this in a different workflow:

scorecard/.github/workflows/scorecard-analysis.yml

Lines 53 to 54 in e780e08

	- name: "Upload to code-scanning"
	uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # v2.16.4

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Special notes for your reviewer

An attempt to help dig more into ossf/scorecard-action#1354.

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

[spencerschrock]

I don't see Dependabot updating the github/codeql action in this particular action workflow, though it's updating a) other actions in this workflow and b) github/codeql in other actions.

I manually updated it in the other workflow in #3969. Interestingly dependabot seems to be reverting it in #3971

[adamdmharvey]

Indeed, but notice that PR is updating the codeql action ONLY in the Scorecard Analysis workflow? It's not updating it in the CodeQL Workflow? (if I'm reading it correctly)

[spencerschrock]

It's trying to set it to the value it used to be, and what all the other workflows use. I'm curious if there's a bug with what Dependabot thinks latest is for github/codeql

[adamdmharvey]

What do you think about trying the v3.x series? (only difference being Node 20, which eliminates a GitHub Runner warning about them deprecating Node 16)

[spencerschrock]

What do you think about trying the v3.x series? (only difference being Node 20, which eliminates a GitHub Runner warning about them deprecating Node 16)

Interestingly I see that commit listed as the ref for the "CodeQL Bundle v2.16.5" release
https://github.com/github/codeql-action/releases

Where as if you look at https://github.com/github/codeql-action/tags:

v3.24.8 uses a different hash: 05963f47d870e2cb19a537396c1f668a348c7d8f

I'm good with trying @05963f47d870e2cb19a537396c1f668a348c7d8f # v3.24.8, just please make sure to update the version in scorecard-analysis.yml too

[spencerschrock]

here's an example of dependabot picking up the updates properly. so I recommend mirroring what we do there:
https://github.com/ossf/scorecard-action/pull/1355/files

[spencerschrock]

@adamdmharvey are you still interested in patching this (based on v3.24.10 at this point, you can see ossf/scorecard-action#1360)? If not, I would be fine putting it as a good-first-issue for someone else to pickup.

[adamdmharvey]

Yep! I'll take a stab.

[spencerschrock]

Thanks!