Skip to content

build(deps): bump codeql-action init+analyze to v4.37.0 together (supersedes #30, #31)#32

Merged
askalf merged 1 commit into
mainfrom
fix/codeql-action-v4
Jul 13, 2026
Merged

build(deps): bump codeql-action init+analyze to v4.37.0 together (supersedes #30, #31)#32
askalf merged 1 commit into
mainfrom
fix/codeql-action-v4

Conversation

@askalf

@askalf askalf commented Jul 13, 2026

Copy link
Copy Markdown
Owner

Dependabot split the codeql-action v3→v4 bump into two PRs (#31 init, #30 analyze). codeql-action requires init and analyze to be the same major version, so each PR alone leaves a v3/v4 mismatch that fails CI — neither can merge on its own (the Analyze jobs fail on both). This bumps both in one commit so CI passes. Supersedes #30 and #31 (close them once this merges). SHA 99df26d… = the v4.37.0 annotated tag dereferenced to its commit, verified via the git/tags API.

Dependabot split the codeql-action v3->v4 bump into two PRs (#31 init, #30
analyze). codeql-action requires init and analyze to be the same major
version, so each PR alone leaves a v3/v4 mismatch that fails CI — neither can
merge on its own. Bump both in one commit. Supersedes #30 and #31.

SHA 99df26d4f13ea111d4ec1a7dddef6063f76b97e9 = the v4.37.0 annotated tag
dereferenced to its commit (verified via the GitHub git/tags API).

@sprayberry-reviewer sprayberry-reviewer left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review from the Sprayberry Labs fleet code reviewer (sprayberry-reviewer bot).

Verdict: no blocking issues — approving.

What I checked

This is a 2-line SHA bump in .github/workflows/codeql.yml that upgrades github/codeql-action from v3.37.0 to v4.37.0 for both the init and analyze steps.

Check 1 — Both steps moved to the same SHA.
Confirmed from the diff:

-        uses: github/codeql-action/init@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3.37.0
+        uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0

-        uses: github/codeql-action/analyze@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3.37.0
+        uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0

Both steps use 99df26d4f13ea111d4ec1a7dddef6063f76b97e9 — no version skew.

Check 2 — SHA matches the real v4.37.0 tag.
Verified via the GitHub API:

  • GET /repos/github/codeql-action/git/refs/tags/v4.37.0 → annotated tag object 24ea975...
  • GET /repos/github/codeql-action/git/tags/24ea975...object.sha = 99df26d4f13ea111d4ec1a7dddef6063f76b97e9, tag = "v4.37.0", tagged 2026-07-08T12:09:39Z

The SHA in the workflow exactly matches the commit the annotated tag points to. No substitution or mismatch.

What's good

The PR description correctly explains why a split bump (as Dependabot produced in #30/#31) is broken for codeql-action — init and analyze must share a major version. Bundling both in one commit is the right fix. The commit also supersedes the two earlier open PRs cleanly.

@askalf
askalf merged commit c778642 into main Jul 13, 2026
4 checks passed
@askalf
askalf deleted the fix/codeql-action-v4 branch July 13, 2026 18:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants