build(deps): bump github/codeql-action/init from 3.37.0 to 4.37.0#31
build(deps): bump github/codeql-action/init from 3.37.0 to 4.37.0#31dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [github/codeql-action/init](https://github.com/github/codeql-action) from 3.37.0 to 4.37.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@02c5e83...99df26d) --- updated-dependencies: - dependency-name: github/codeql-action/init dependency-version: 4.37.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
sprayberry-reviewer
left a comment
There was a problem hiding this comment.
Automated review from the Sprayberry Labs fleet code reviewer (sprayberry-reviewer bot). This is a verdict-bearing automated review — not a human sign-off.
Verdict: no blocking issues — approved. Single SHA-pinned version bump; SHA verified correct.
What I checked
Diff surface: one changed line in .github/workflows/codeql.yml:
- uses: github/codeql-action/init@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3.37.0
+ uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0SHA verification: I resolved refs/tags/v4.37.0 in github/codeql-action via the Git API. The annotated tag object (24ea975…) dereferences to commit 99df26d4f13ea111d4ec1a7dddef6063f76b97e9 — an exact match to the pinned SHA in this PR. The version comment # v4.37.0 is accurate.
Breaking changes in the version range (v3.37.0 → v4.37.0): the only breaking change noted in the release history is v4.36.0 bumping the minimum required CodeQL bundle version to 2.19.4. This workflow does not pin a CodeQL CLI version, so the action uses its own bundled default (2.26.0 in v4.37.0) — the breaking change does not apply.
No correctness bugs, security issues, or misconfigured inputs were found in the changed lines.
Minor note (non-blocking)
This PR bumps codeql-action/init to v4; the companion codeql-action/analyze step remains on v3.37.0 until PR #30 is also merged. Using mismatched major versions of init and analyze within the same workflow run is the standard Dependabot split-PR pattern, and the CodeQL analysis CI check on this PR exercises the merged state directly — if it passes, the intermediate configuration is validated. Merging both #31 and #30 together (or #30 immediately after) will restore full version consistency.
What's good
The workflow already pins every action to a full commit SHA with a version comment — a sound supply-chain practice. The Dependabot PR correctly maintains that pattern for the bumped version.
…er (#32) Dependabot split the codeql-action v3->v4 bump into two PRs (#31 init, #30 analyze). codeql-action requires init and analyze to be the same major version, so each PR alone leaves a v3/v4 mismatch that fails CI — neither can merge on its own. Bump both in one commit. Supersedes #30 and #31. SHA 99df26d4f13ea111d4ec1a7dddef6063f76b97e9 = the v4.37.0 annotated tag dereferenced to its commit (verified via the GitHub git/tags API).
|
Superseded by #32 — codeql-action init+analyze bumped to v4.37.0 together (this PR alone left a v3/v4 mismatch that failed CI). |
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
Bumps github/codeql-action/init from 3.37.0 to 4.37.0.
Release notes
Sourced from github/codeql-action/init's releases.
... (truncated)
Changelog
Sourced from github/codeql-action/init's changelog.
... (truncated)
Commits
b987514Rebuilda04a87cUpdate changelog and version after v4.36.354f647bMerge pull request #3984 from github/update-v4.36.3-1f34ec164e78819eTrigger checksc1e7c7aMerge pull request #3981 from github/mario-campos/runCliJson50bd53bMerge pull request #3989 from github/dependabot/npm_and_yarn/js-yaml-5.1.0289efcaRe-addforceQuotes: trueDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)