Skip to content

Bump codeql-action to v4.36.2, group future bumps#204

Merged
chris-colinsky merged 1 commit into
mainfrom
chore/bump-codeql-action-4.36.2
Jul 2, 2026
Merged

Bump codeql-action to v4.36.2, group future bumps#204
chris-colinsky merged 1 commit into
mainfrom
chore/bump-codeql-action-4.36.2

Conversation

@chris-colinsky

Copy link
Copy Markdown
Member

Supersedes #200 and #201.

Dependabot split the codeql-action 4.36.1 -> 4.36.2 bump into two PRs (one for init, one for analyze). CodeQL refuses to run when its steps use mixed versions, so each PR on its own left a version mismatch that failed the Analyze job:

Loaded a configuration file for version '4.36.1', but running version '4.36.2'

This bumps both github/codeql-action/init and github/codeql-action/analyze to v4.36.2 (8aad20d) in one change, so the versions stay matched and CI passes.

It also adds a Dependabot group for github/codeql-action*, so future codeql-action bumps arrive as a single PR and this lockstep issue cannot recur.

Closing #200 and #201 as superseded.

Bump both github/codeql-action/init and .../analyze to v4.36.2 in one
change. CodeQL fails when its steps run mixed versions, so the two
sub-actions must move together. Dependabot split the 4.36.1 -> 4.36.2
bump into separate PRs (#200, #201), each of which left a version
mismatch that failed the Analyze job; this supersedes both.

Add a Dependabot group for github/codeql-action* so future bumps arrive
as a single PR and the mismatch cannot recur.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the repository’s CodeQL scanning workflow to keep CodeQL Action sub-steps on a single matching version (preventing CI failures from mixed CodeQL Action versions) and configures Dependabot to avoid this mismatch recurring.

Changes:

  • Bump github/codeql-action/init and github/codeql-action/analyze to v4.36.2 (pinned SHA 8aad20d...) in the CodeQL workflow.
  • Add a Dependabot group to bundle future github/codeql-action* updates into one PR (lockstep updates for init/analyze/upload-sarif).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/codeql.yml Pins both CodeQL init/analyze steps to the same v4.36.2 SHA to prevent version mismatch failures.
.github/dependabot.yml Adds a Dependabot group for github/codeql-action* so sub-action bumps arrive together.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@chris-colinsky chris-colinsky merged commit fe3000a into main Jul 2, 2026
6 checks passed
@chris-colinsky chris-colinsky deleted the chore/bump-codeql-action-4.36.2 branch July 2, 2026 03:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants