From 3c46ae0a28abc78b28d516ea9d5184505ec483d4 Mon Sep 17 00:00:00 2001 From: chris-colinsky Date: Wed, 1 Jul 2026 20:35:31 -0700 Subject: [PATCH] Bump codeql-action to v4.36.2, group future bumps Bump both github/codeql-action/init and .../analyze to v4.36.2 in one change. CodeQL fails when its steps run mixed versions, so the two sub-actions must move together. Dependabot split the 4.36.1 -> 4.36.2 bump into separate PRs (#200, #201), each of which left a version mismatch that failed the Analyze job; this supersedes both. Add a Dependabot group for github/codeql-action* so future bumps arrive as a single PR and the mismatch cannot recur. --- .github/dependabot.yml | 9 +++++++++ .github/workflows/codeql.yml | 4 ++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ae43c53..7cd047d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -22,3 +22,12 @@ updates: commit-message: prefix: "chore" include: "scope" + # Group the codeql-action sub-actions (init / analyze / upload-sarif) + # into a single PR. They share one version, and CodeQL refuses to run + # when its steps mix versions, so they must bump in lockstep. Separate + # per-sub-action PRs each leave a version mismatch that fails CI (the + # split that produced PRs #200 / #201). + groups: + codeql-action: + patterns: + - "github/codeql-action*" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 57bec7e..93b5ead 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -43,7 +43,7 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Initialize CodeQL - uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: languages: ${{ matrix.language }} # Reference the in-tree config so the rule-suppressions land. @@ -56,6 +56,6 @@ jobs: queries: security-and-quality - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: category: "/language:${{ matrix.language }}"