-
Notifications
You must be signed in to change notification settings - Fork 232
chore(ci): bump github/codeql-action/init from 4.36.1 to 4.36.3 #1751
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
|
|
@@ -73,7 +73,7 @@ jobs: | |||||||
|
|
||||||||
| # Initializes the CodeQL tools for scanning. | ||||||||
| - name: Initialize CodeQL | ||||||||
| uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4 | ||||||||
| uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4 | ||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟡 CodeQL init and analyze steps use mismatched action versions, risking CI failures The initialization step is updated to a newer version ( Impact: The CodeQL CI workflow may produce errors or inconsistent scan results due to version mismatch between initialization and analysis. Version mismatch between init and analyze stepsThe commit message says this bumps
Suggested change
Was this helpful? React with 👍 or 👎 to provide feedback. |
||||||||
| with: | ||||||||
| languages: ${{ matrix.language }} | ||||||||
| build-mode: ${{ matrix.build-mode }} | ||||||||
|
|
||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔍 Only the init step was bumped; analyze step left at old SHA
The PR title/commit message says "bump github/codeql-action/init from 4.36.1 to 4.36.3" which suggests the scope was intentionally limited to just the
initaction. However, GitHub's own documentation and the CodeQL starter workflow template always pininitandanalyzeto the same SHA. Theanalyzestep at.github/workflows/codeql.yml:109still uses@87557b9c84dde89fdd9b10e88954ac2f4248e463. This may have been an oversight from Dependabot or a similar automated tool that only matched theinitpath. Worth confirming whether this was intentional or if theanalyzestep should also be bumped.(Refers to line 109)
Was this helpful? React with 👍 or 👎 to provide feedback.