chore(ci): bump github/codeql-action/init from 4.36.1 to 4.36.2 #1685
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [github/codeql-action/init](https://github.com/github/codeql-action) from 4.36.1 to 4.36.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@87557b9...8aad20d)

---
updated-dependencies:
- dependency-name: github/codeql-action/init
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4 | ||
| uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 |
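Review bot: this hunk moves only the `init` step to 8aad20d150bbac5944a9f9d289da16a4b0d87c1e; the paired `github/codeql-action/analyze` step in the same workflow is not touched here, and init and analyze must be pinned to the same commit SHA because they are released together and analyze consumes the CodeQL database that init sets up. Update the analyze `uses:` line to `@8aad20d150bbac5944a9f9d289da16a4b0d87c1e` in this same PR (the same applies to any `autobuild` step if the workflow has one) so the two never drift apart. The trailing `# v4` comment still matches 4.36.2, so that part is fine as-is.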
🔴 CodeQL init and analyze steps pinned to different versions, risking scan failures
The initialization step was updated to a new commit hash (github/codeql-action/init@8aad20d... at .github/workflows/codeql.yml:76) but the analysis step still uses the old hash (@87557b9... at line 109), so the two paired steps run from mismatched versions and may produce errors or incompatible behavior.
Impact: CodeQL scans may fail or produce unreliable results because the setup and analysis steps are from different releases of the same action.
Version mismatch between init and analyze sub-actions
The github/codeql-action repository publishes init and analyze as sub-actions that share internal state (databases, configuration). Both should always be pinned to the same commit SHA to guarantee compatibility.
- .github/workflows/codeql.yml:76 — init updated to @8aad20d150bbac5944a9f9d289da16a4b0d87c1e
- .github/workflows/codeql.yml:109 — analyze still at old @87557b9c84dde89fdd9b10e88954ac2f4248e463
The PR updated init but forgot to update analyze to the same SHA.
Prompt for agents
The github/codeql-action/init step at line 76 was updated to SHA 8aad20d150bbac5944a9f9d289da16a4b0d87c1e, but the github/codeql-action/analyze step at line 109 still references the old SHA 87557b9c84dde89fdd9b10e88954ac2f4248e463. Both sub-actions (init and analyze) must be pinned to the same commit SHA since they share internal state. Update line 109 to use the same SHA as line 76: change @87557b9c84dde89fdd9b10e88954ac2f4248e463 to @8aad20d150bbac5944a9f9d289da16a4b0d87c1e.
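A CI-side check for the pin-consistency problem described in the review above, added here as an example (it is not code from this PR, from Dependabot, or from the codeql-action project): it scans a workflow's `uses:` lines, groups sub-actions by repository, reports any repository referenced at more than one ref, and separately lists refs that are not full commit SHAs. The sample workflow is constructed from the two SHAs on this page; the `autobuild` step and the `actions/checkout@v4` line are assumptions added to show the grouping.

```python
import re

# Matches a workflow `uses:` line: owner/repo, optional sub-action path, and the ref.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<repo>[\w.-]+/[\w.-]+)"   # owner/repo, e.g. github/codeql-action
    r"(?P<sub>/[\w./-]+)?"         # optional sub-action path, e.g. /init
    r"@(?P<ref>[^\s#]+)",          # tag, branch or commit SHA
    re.MULTILINE,
)
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample modelled on the mismatch flagged on this PR: init moved to
# the new SHA, analyze still on the old one. autobuild and checkout are assumed.
SAMPLE_WORKFLOW = """\
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
      - name: Autobuild
        uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
"""

def collect_uses(workflow_text):
    """Return (repo, sub_action_or_None, ref) for every `uses:` line."""
    return [(m["repo"], (m["sub"] or "").lstrip("/") or None, m["ref"])
            for m in USES_RE.finditer(workflow_text)]

def find_mismatched_repos(workflow_text):
    """Repos whose steps reference more than one ref, as {repo: {ref: [sub_actions]}}."""
    by_repo = {}
    for repo, sub, ref in collect_uses(workflow_text):
        by_repo.setdefault(repo, {}).setdefault(ref, []).append(sub or "(root)")
    return {repo: refs for repo, refs in by_repo.items() if len(refs) > 1}

def find_unpinned(workflow_text):
    """`uses:` entries whose ref is not a full 40-hex commit SHA (tags and branches can move)."""
    return [f"{repo}/{sub}@{ref}" if sub else f"{repo}@{ref}"
            for repo, sub, ref in collect_uses(workflow_text) if not SHA40_RE.match(ref)]

if __name__ == "__main__":
    print(find_mismatched_repos(SAMPLE_WORKFLOW))
    print(find_unpinned(SAMPLE_WORKFLOW))
```

Run it against each file under `.github/workflows/` as a pre-merge step and fail the job when `find_mismatched_repos` returns anything, which would have caught this PR before the analyze step ran on a different release from init.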
Bumps github/codeql-action/init from 4.36.1 to 4.36.2.
Release notes
Sourced from github/codeql-action/init's releases.
Changelog
Sourced from github/codeql-action/init's changelog.
... (truncated)
Commits
- 8aad20d Merge pull request #3949 from github/update-v4.36.2-dcb947ce1
- f521b08 Add additional changelog notes
- 8aeff0f Update changelog for v4.36.2
- dcb947c Merge pull request #3948 from github/update-bundle/codeql-bundle-v2.25.6
- c251bce Add changelog note
- 62953c1 Update default bundle to codeql-bundle-v2.25.6
- 423b570 Merge pull request #3946 from github/dependabot/npm_and_yarn/npm-minor-5d507a...
- c35d1b1 Merge pull request #3947 from github/dependabot/github_actions/dot-github/wor...
- cb1a588 Merge pull request #3937 from github/robertbrignull/waitForProcessing_backoff
- ba47406 Merge pull request #3943 from github/henrymercer/cache-cli-version-info

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)