Skip to content
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/codeql.yml

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔍 Only the init step was bumped; analyze step left at old SHA

The PR title/commit message says "bump github/codeql-action/init from 4.36.1 to 4.36.3" which suggests the scope was intentionally limited to just the init action. However, GitHub's own documentation and the CodeQL starter workflow template always pin init and analyze to the same SHA. The analyze step at .github/workflows/codeql.yml:109 still uses @87557b9c84dde89fdd9b10e88954ac2f4248e463. This may have been an oversight from Dependabot or a similar automated tool that only matched the init path. Worth confirming whether this was intentional or if the analyze step should also be bumped.

(Refers to line 109)

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 CodeQL init and analyze steps use mismatched action versions, risking CI failures

The initialization step is updated to a newer version (github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a at .github/workflows/codeql.yml:76) but the analysis step still references the old version, so the two steps may be incompatible.

Impact: The CodeQL CI workflow may produce errors or inconsistent scan results due to version mismatch between initialization and analysis.

Version mismatch between init and analyze steps

The commit message says this bumps github/codeql-action/init from 4.36.1 to 4.36.3. However, the Perform CodeQL Analysis step at .github/workflows/codeql.yml:109 still uses the old SHA 87557b9c84dde89fdd9b10e88954ac2f4248e463 (4.36.1). The init and analyze actions from the same github/codeql-action repository should always be pinned to the same commit SHA to ensure they are compatible with each other.

Suggested change
uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
Expand Down
Loading