diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ae43c53..7cd047d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -22,3 +22,12 @@ updates: commit-message: prefix: "chore" include: "scope" + # Group the codeql-action sub-actions (init / analyze / upload-sarif) + # into a single PR. They share one version, and CodeQL refuses to run + # when its steps mix versions, so they must bump in lockstep. Separate + # per-sub-action PRs each leave a version mismatch that fails CI (the + # split that produced PRs #200 / #201). + groups: + codeql-action: + patterns: + - "github/codeql-action*" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 57bec7e..93b5ead 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -43,7 +43,7 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Initialize CodeQL - uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: languages: ${{ matrix.language }} # Reference the in-tree config so the rule-suppressions land. @@ -56,6 +56,6 @@ jobs: queries: security-and-quality - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: category: "/language:${{ matrix.language }}"