build(deps): bump codeql-action init+analyze to v4.37.0 together (supersedes #30, #31)#32
Conversation
Dependabot split the codeql-action v3->v4 bump into two PRs (#31 init, #30 analyze). codeql-action requires init and analyze to be the same major version, so each PR alone leaves a v3/v4 mismatch that fails CI — neither can merge on its own. Bump both in one commit. Supersedes #30 and #31. SHA 99df26d4f13ea111d4ec1a7dddef6063f76b97e9 = the v4.37.0 annotated tag dereferenced to its commit (verified via the GitHub git/tags API).
sprayberry-reviewer
left a comment
There was a problem hiding this comment.
Automated review from the Sprayberry Labs fleet code reviewer (sprayberry-reviewer bot).
Verdict: no blocking issues — approving.
What I checked
This is a 2-line SHA bump in .github/workflows/codeql.yml that upgrades github/codeql-action from v3.37.0 to v4.37.0 for both the init and analyze steps.
Check 1 — Both steps moved to the same SHA.
Confirmed from the diff:
- uses: github/codeql-action/init@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3.37.0
+ uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
- uses: github/codeql-action/analyze@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3.37.0
+ uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
Both steps use 99df26d4f13ea111d4ec1a7dddef6063f76b97e9 — no version skew.
Check 2 — SHA matches the real v4.37.0 tag.
Verified via the GitHub API:
GET /repos/github/codeql-action/git/refs/tags/v4.37.0→ annotated tag object24ea975...GET /repos/github/codeql-action/git/tags/24ea975...→object.sha = 99df26d4f13ea111d4ec1a7dddef6063f76b97e9,tag = "v4.37.0", tagged2026-07-08T12:09:39Z
The SHA in the workflow exactly matches the commit the annotated tag points to. No substitution or mismatch.
What's good
The PR description correctly explains why a split bump (as Dependabot produced in #30/#31) is broken for codeql-action — init and analyze must share a major version. Bundling both in one commit is the right fix. The commit also supersedes the two earlier open PRs cleanly.
Dependabot split the codeql-action v3→v4 bump into two PRs (#31 init, #30 analyze). codeql-action requires
initandanalyzeto be the same major version, so each PR alone leaves a v3/v4 mismatch that fails CI — neither can merge on its own (theAnalyzejobs fail on both). This bumps both in one commit so CI passes. Supersedes #30 and #31 (close them once this merges). SHA99df26d…= the v4.37.0 annotated tag dereferenced to its commit, verified via the git/tags API.