chore(ci): bump github/codeql-action/init from 4.36.1 to 4.36.3#1751
chore(ci): bump github/codeql-action/init from 4.36.1 to 4.36.3#1751dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [github/codeql-action/init](https://github.com/github/codeql-action) from 4.36.1 to 4.36.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@87557b9...54f647b) --- updated-dependencies: - dependency-name: github/codeql-action/init dependency-version: 4.36.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
|
|
There was a problem hiding this comment.
🔍 Only the init step was bumped; analyze step left at old SHA
The PR title/commit message says "bump github/codeql-action/init from 4.36.1 to 4.36.3" which suggests the scope was intentionally limited to just the init action. However, GitHub's own documentation and the CodeQL starter workflow template always pin init and analyze to the same SHA. The analyze step at .github/workflows/codeql.yml:109 still uses @87557b9c84dde89fdd9b10e88954ac2f4248e463. This may have been an oversight from Dependabot or a similar automated tool that only matched the init path. Worth confirming whether this was intentional or if the analyze step should also be bumped.
(Refers to line 109)
Was this helpful? React with 👍 or 👎 to provide feedback.
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4 | ||
| uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4 |
There was a problem hiding this comment.
🟡 CodeQL init and analyze steps use mismatched action versions, risking CI failures
The initialization step is updated to a newer version (github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a at .github/workflows/codeql.yml:76) but the analysis step still references the old version, so the two steps may be incompatible.
Impact: The CodeQL CI workflow may produce errors or inconsistent scan results due to version mismatch between initialization and analysis.
Version mismatch between init and analyze steps
The commit message says this bumps github/codeql-action/init from 4.36.1 to 4.36.3. However, the Perform CodeQL Analysis step at .github/workflows/codeql.yml:109 still uses the old SHA 87557b9c84dde89fdd9b10e88954ac2f4248e463 (4.36.1). The init and analyze actions from the same github/codeql-action repository should always be pinned to the same commit SHA to ensure they are compatible with each other.
| uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4 | |
| uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4 | |
Was this helpful? React with 👍 or 👎 to provide feedback.
Bumps github/codeql-action/init from 4.36.1 to 4.36.3.
Release notes
Sourced from github/codeql-action/init's releases.
Changelog
Sourced from github/codeql-action/init's changelog.
... (truncated)
Commits
54f647bMerge pull request #3984 from github/update-v4.36.3-1f34ec164e78819eTrigger checks2c9d3d6Update changelog for v4.36.31f34ec1Merge pull request #3983 from github/mbg/repo-props/ff-for-config-file-propd5f0145Log when repository property has a value but is ignoredf27f563Add test for when the FF is off0025d0fUse FFf7fa18fAdd FF for config file repo property628fc3fMerge pull request #3979 from github/henrymercer/overlay-db-cleanup-size-tele...9cfb67bAdd clarifying commentsDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)