Bump codeql-action to v4.36.2, group future bumps#204
Merged
Conversation
Bump both github/codeql-action/init and .../analyze to v4.36.2 in one change. CodeQL fails when its steps run mixed versions, so the two sub-actions must move together. Dependabot split the 4.36.1 -> 4.36.2 bump into separate PRs (#200, #201), each of which left a version mismatch that failed the Analyze job; this supersedes both. Add a Dependabot group for github/codeql-action* so future bumps arrive as a single PR and the mismatch cannot recur.
There was a problem hiding this comment.
Pull request overview
Updates the repository’s CodeQL scanning workflow to keep CodeQL Action sub-steps on a single matching version (preventing CI failures from mixed CodeQL Action versions) and configures Dependabot to avoid this mismatch recurring.
Changes:
- Bump
github/codeql-action/initandgithub/codeql-action/analyzeto v4.36.2 (pinned SHA8aad20d...) in the CodeQL workflow. - Add a Dependabot group to bundle future
github/codeql-action*updates into one PR (lockstep updates for init/analyze/upload-sarif).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/codeql.yml | Pins both CodeQL init/analyze steps to the same v4.36.2 SHA to prevent version mismatch failures. |
| .github/dependabot.yml | Adds a Dependabot group for github/codeql-action* so sub-action bumps arrive together. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Supersedes #200 and #201.
Dependabot split the codeql-action 4.36.1 -> 4.36.2 bump into two PRs (one for
init, one foranalyze). CodeQL refuses to run when its steps use mixed versions, so each PR on its own left a version mismatch that failed the Analyze job:This bumps both
github/codeql-action/initandgithub/codeql-action/analyzeto v4.36.2 (8aad20d) in one change, so the versions stay matched and CI passes.It also adds a Dependabot
groupforgithub/codeql-action*, so future codeql-action bumps arrive as a single PR and this lockstep issue cannot recur.Closing #200 and #201 as superseded.