chore(ci): bump github/codeql-action/analyze from 4.36.1 to 4.36.3#1746
chore(ci): bump github/codeql-action/analyze from 4.36.1 to 4.36.3#1746dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [github/codeql-action/analyze](https://github.com/github/codeql-action) from 4.36.1 to 4.36.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@87557b9...54f647b) --- updated-dependencies: - dependency-name: github/codeql-action/analyze dependency-version: 4.36.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
|
|
|
|
||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4 | ||
| uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4 |
There was a problem hiding this comment.
🔴 CodeQL init and analyze steps pinned to different versions, risking workflow failures
The analysis step is updated to a new version (github/codeql-action/analyze@54f647b7... at .github/workflows/codeql.yml:109) but the initialization step still uses the old version (@87557b9c... at line 76), so the two tightly-coupled steps may be incompatible and cause the scan to fail.
Impact: CodeQL security scanning may break due to version mismatch between the initialization and analysis steps.
Version mismatch between codeql-action/init and codeql-action/analyze
The github/codeql-action/init (.github/workflows/codeql.yml:76) and github/codeql-action/analyze (.github/workflows/codeql.yml:109) are sub-actions of the same repository and share internal state — the init step creates a CodeQL database that analyze consumes. They must be pinned to the same commit hash to ensure compatibility.
Line 76 still uses the old hash:
uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4Line 109 was updated to the new hash:
uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4Both should use the same commit hash.
Prompt for agents
The github/codeql-action/analyze step at line 109 was updated to commit hash 54f647b7e1bb85c95cddabcd46b0c578ec92bc1a, but the github/codeql-action/init step at line 76 still uses the old hash 87557b9c84dde89fdd9b10e88954ac2f4248e463. These two actions are sub-actions of the same repository and must be pinned to the same version. Either update the init step on line 76 to also use 54f647b7e1bb85c95cddabcd46b0c578ec92bc1a, or revert the analyze step back to 87557b9c84dde89fdd9b10e88954ac2f4248e463.
Was this helpful? React with 👍 or 👎 to provide feedback.
Bumps github/codeql-action/analyze from 4.36.1 to 4.36.3.
Release notes
Sourced from github/codeql-action/analyze's releases.
Changelog
Sourced from github/codeql-action/analyze's changelog.
... (truncated)
Commits
54f647bMerge pull request #3984 from github/update-v4.36.3-1f34ec164e78819eTrigger checks2c9d3d6Update changelog for v4.36.31f34ec1Merge pull request #3983 from github/mbg/repo-props/ff-for-config-file-propd5f0145Log when repository property has a value but is ignoredf27f563Add test for when the FF is off0025d0fUse FFf7fa18fAdd FF for config file repo property628fc3fMerge pull request #3979 from github/henrymercer/overlay-db-cleanup-size-tele...9cfb67bAdd clarifying commentsDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)