From ec5f2bcd83546810fa74ab4b5fcfbd10c3489f3a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 8 Oct 2025 13:43:16 +0200 Subject: [PATCH] Upgrade `github/codeql-action` from 3 to 4 version (#1759) Additionally: - fix missing NSIS for Windows on CI - replace macOS 13 with 26 on CI Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Kai Ren --- .github/workflows/cifuzz.yml | 75 +++++++++++++++++++++--------------- .github/workflows/codeql.yml | 4 +- .github/workflows/macos.yml | 10 ++--- .github/workflows/mingw.yml | 3 ++ .github/workflows/msvc.yml | 8 +++- 5 files changed, 60 insertions(+), 40 deletions(-) diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index 2916964..aeafda8 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml 
@@ -1,42 +1,53 @@ name: CIFuzz -on: - [pull_request] + +on: + pull_request: + branches: ["master"] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: {} + jobs: - Fuzzing: + fuzz: runs-on: ubuntu-latest permissions: security-events: write strategy: fail-fast: false matrix: - sanitizer: [address, memory, undefined] + sanitizer: ["address", "memory", "undefined"] steps: - - name: checkout repository - uses: actions/checkout@v5 - - name: build fuzzers (${{ matrix.sanitizer }}) - id: build - uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master - with: - oss-fuzz-project-name: 'coturn' - language: c - sanitizer: ${{ matrix.sanitizer }} - - name: run fuzzers (${{ matrix.sanitizer }}) - uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master - with: - oss-fuzz-project-name: 'coturn' - language: c - sanitizer: ${{ matrix.sanitizer }} - fuzz-seconds: 600 - output-sarif: true - - name: upload crash - uses: actions/upload-artifact@v4 - if: failure() && steps.build.outcome == 'success' - with: - name: ${{ matrix.sanitizer }}_artifacts - path: ./out/artifacts - - name: upload sarif - if: always() && steps.build.outcome == 'success' - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: cifuzz-sarif/results.sarif \ No newline at end of file + - uses: actions/checkout@v5 + + - name: build fuzzers (${{ matrix.sanitizer }}) + id: build + uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master + with: + oss-fuzz-project-name: coturn + language: c + sanitizer: ${{ matrix.sanitizer }} + + - name: run fuzzers (${{ matrix.sanitizer }}) + uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master + with: + oss-fuzz-project-name: coturn + language: c + sanitizer: ${{ matrix.sanitizer }} + fuzz-seconds: 600 + output-sarif: true + + - name: upload crash + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.sanitizer }}_artifacts + path: ./out/artifacts + if: ${{ failure() && 
steps.build.outcome == 'success' }} + + - name: upload sarif + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: cifuzz-sarif/results.sarif + if: ${{ always() && steps.build.outcome == 'success' }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6d0df48..d809106 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -30,7 +30,7 @@ jobs: SUDO: true - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: cpp @@ -40,4 +40,4 @@ jobs: run: cmake --build ${{github.workspace}}/build --config ${{env.BUILD_TYPE}} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index a8bb8dd..cd2243e 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -17,7 +17,7 @@ jobs: strategy: fail-fast: false matrix: - ver: ["13", "14", "15"] + ver: ["14", "15", "26"] runs-on: macos-${{ matrix.ver }} steps: - uses: actions/checkout@v5 @@ -35,7 +35,7 @@ jobs: | while read formula; do brew unlink $formula; brew link --overwrite $formula; done - run: brew update - - run: brew install wget pkg-config libevent openssl@1.1 sqlite hiredis mongo-c-driver libmicrohttpd + - run: brew install wget pkg-config libevent openssl sqlite hiredis mongo-c-driver libmicrohttpd - run: ./configure env: @@ -54,7 +54,7 @@ jobs: strategy: fail-fast: false matrix: - ver: ["15"] + ver: ["15", "26"] runs-on: macos-${{ matrix.ver }} steps: - uses: actions/checkout@v5 
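Review bot: Both `google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master` and `run_fuzzers@master` stay on a mutable branch ref in the rewritten `fuzz` job, which holds `security-events: write`. Whatever lands on that branch runs in this job on the next pull request. Consider pinning each to a full commit SHA, e.g. `uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@<full-commit-sha> # master`. Since the checkout step is rewritten here anyway, giving it `with:` / `persist-credentials: false` would keep the job token out of the workspace those actions build from.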
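Review bot: The unversioned `openssl` formula in the `brew install` line floats with whatever Homebrew currently aliases it to. The TLS library the macOS jobs build and test against can therefore change major version without any change to this workflow; `openssl@3` would keep that explicit. The same line is changed in the later hunk at `@@ -72,7 +72,7 @@`. The `env:` block of the `./configure` step continues outside the hunk; if it still points at the `openssl@1.1` prefix, it needs the matching update.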
@@ -72,7 +72,7 @@ jobs: | while read formula; do brew unlink $formula; brew link --overwrite $formula; done - run: brew update - - run: brew install wget pkg-config libevent openssl@1.1 sqlite hiredis mongo-c-driver libmicrohttpd + - run: brew install wget pkg-config libevent openssl sqlite hiredis mongo-c-driver libmicrohttpd - name: Configure run: cmake -B ${{github.workspace}}/build @@ -82,4 +82,4 @@ jobs: - run: ./run_tests.sh working-directory: examples/ - run: ./run_tests_conf.sh - working-directory: examples/ \ No newline at end of file + working-directory: examples/ diff --git a/.github/workflows/mingw.yml b/.github/workflows/mingw.yml index 0d466e7..0dfff2a 100644 --- a/.github/workflows/mingw.yml +++ b/.github/workflows/mingw.yml @@ -106,6 +106,9 @@ jobs: copy /Y ${{ env.RUNVCPKG_VCPKG_ROOT }}\installed\${{ env.RUNVCPKG_VCPKG_TRIPLET_OUT }}\bin\*.dll install\bin 7z a coturn_windows_mingw.zip ${{ github.workspace }}\build\install\* cmake --build . --config ${{ matrix.BUILD_TYPE }} --target package + env: + MSYSTEM: MINGW64 + PATH: C:\msys64\mingw64\bin;C:\msys64\usr\bin working-directory: ${{ github.workspace }}\build if: ${{ matrix.BUILD_TYPE == 'Release' }} diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml index ac92d2e..e4f41a4 100644 --- a/.github/workflows/msvc.yml +++ b/.github/workflows/msvc.yml @@ -76,7 +76,7 @@ jobs: # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: ${{ steps.run-analysis.outputs.sarif }} @@ -114,6 +114,12 @@ jobs: steps: - uses: actions/checkout@v5 + - name: Install NSIS for packaging + uses: repolevedavaj/install-nsis@v1.1.0 + with: + nsis-version: "3.11" + if: ${{ matrix.BUILD_TYPE == 'Release' }} + - name: Create directories run: | cmake -E make_directory ${{ env.SOURCE_DIR }}
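Review bot: A step-level `PATH:` under `env:` replaces the runner's PATH for this step rather than prepending to it. `7z`, `cmake` and anything the `package` target shells out to must then all resolve from `C:\msys64\mingw64\bin` or `C:\msys64\usr\bin`. That ties release packaging to the image's preinstalled MSYS2 at a hard-coded location, and it fails in a non-obvious way if a tool lives elsewhere. Prepending inside the script keeps the system entries, e.g. `set "PATH=C:\msys64\mingw64\bin;C:\msys64\usr\bin;%PATH%"` as the first line of `run:`. This assumes the step runs under `cmd`, as the `copy /Y` line suggests; the step's start and any `shell:` key are outside the hunk.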
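Review bot: The new `repolevedavaj/install-nsis@v1.1.0` step pulls a third-party action by mutable tag into the job that builds the Release package. A re-pointed tag would change what installs the packaging toolchain without any diff in this repository. Pinning to the commit is the usual hardening: `uses: repolevedavaj/install-nsis@<full-commit-sha> # v1.1.0`. A short comment on the step saying why NSIS is needed (presumably for the CPack `package` target) would also help the next maintainer. The rest of the job is outside the hunk.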