4 changes: 2 additions & 2 deletions .github/workflows/codeql.yml
@@ -29,11 +29,11 @@ jobs:
ref: ${{ github.event.pull_request.head.sha || github.sha }}

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@v4
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Current workflow refs:"
rg -n 'uses:\s*(github/codeql-action/init@|github/codeql-action/analyze@)' .github/workflows/codeql.yml

echo
echo "Resolve current commit behind codeql-action v4 tag:"
git ls-remote https://github.com/github/codeql-action refs/tags/v4 | awk '{print "codeql-action v4 sha: "$1}'

echo
echo "After updating, verify refs are SHA-pinned (40 hex chars):"
rg -nP 'uses:\s*github/codeql-action/(init|analyze)@[a-f0-9]{40}\b' .github/workflows/codeql.yml

Repository: OpenDevFlow/md-latex

Length of output: 354


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/codeql.yml"

echo "---- Relevant snippet ----"
nl -ba "$FILE" | sed -n '20,60p'

echo
echo "---- All github/codeql-action uses in this workflow ----"
rg -n 'uses:\s*github/codeql-action/' "$FILE"

echo
echo "---- Any unpinned uses for github/codeql-action/ (tags or branches) ----"
rg -n 'uses:\s*github/codeql-action/(init|analyze)@([^a-f0-9]{7,}|v4|V4|main|master|release|tags)' "$FILE" || true

Repository: OpenDevFlow/md-latex

Length of output: 152


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/codeql.yml"

echo "File exists?"; test -f "$FILE" && echo "yes" || (echo "no"; exit 1)

echo
echo "---- Relevant snippet (around lines 25-45) ----"
cat -n "$FILE" | sed -n '25,45p'

echo
echo "---- All github/codeql-action uses in this workflow ----"
rg -n 'uses:\s*github/codeql-action/' "$FILE"

echo
echo "---- Any unpinned init/analyze uses (non-40hex) ----"
rg -nP 'uses:\s*github/codeql-action/(init|analyze)@[A-Za-z0-9_.-]+' "$FILE" || true

Repository: OpenDevFlow/md-latex

Length of output: 963


Pin CodeQL action refs to immutable SHAs.

.github/workflows/codeql.yml uses github/codeql-action/init@v4 (Line 32) and github/codeql-action/analyze@v4 (Line 37). Pin both to the v4 tag’s commit SHA a6fd1787519fd23e68309fad43738e41a6ff2a9d.

🔒 Suggested hardening
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@a6fd1787519fd23e68309fad43738e41a6ff2a9d # v4
...
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@a6fd1787519fd23e68309fad43738e41a6ff2a9d # v4
🧰 Tools
🪛 zizmor (1.25.2)

[error] 32-32: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml at line 32, Update the workflow to pin the
CodeQL actions to the immutable SHA instead of the floating tag: replace the
uses references to github/codeql-action/init@v4 and
github/codeql-action/analyze@v4 with the exact commit SHA
a6fd1787519fd23e68309fad43738e41a6ff2a9d so the init and analyze steps always
run the pinned v4 commit; ensure both occurrences are updated consistently.

with:
languages: ${{ matrix.language }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{matrix.language}}"
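Review bot: both `init` and `analyze` in this hunk move from `@v3` to `@v4` but remain on a mutable tag, which is what the zizmor `unpinned-uses` finding in the thread reports; if the SHA pin proposed there is adopted, land it on both lines in the same change so the two codeql-action steps stay on one version, keep the trailing `# v4` comment as in the suggestion so the intended major stays readable and Dependabot can refresh the pin, and note that a SHA pin freezes the action at that commit, so without such an updater the workflow will not pick up later v4 fixes on its own.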
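As an added example (not the PR's file and not the bot's scripts): a small Python check that audits every `uses:` reference in a workflow, reporting tag pins versus full-SHA pins, skipping local-path and docker references that have no commit to pin, and rewriting one reference into the SHA-plus-comment form shown in the suggested hardening. The workflow snippet and the `actions/checkout` entry are constructed; the SHA is the one quoted in the thread.

```python
import re

# Constructed workflow snippet (not the PR's file); mixes the cases a pin audit must handle.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - name: Initialize CodeQL
    uses: github/codeql-action/init@v4
  - uses: github/codeql-action/analyze@a6fd1787519fd23e68309fad43738e41a6ff2a9d # v4
  - uses: ./.github/actions/local-step
  - uses: docker://alpine:3.19
"""

# Matches `uses: <ref>` with an optional trailing `# <version>` comment on the same line.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]+)?uses:[ \t]*(\S+)(?:[ \t]*#[ \t]*(\S+))?", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full-length commit id: the only immutable ref


def audit_uses(workflow_text):
    """Return (line_no, ref, status) per `uses:` entry. status is 'pinned' (SHA plus
    version comment), 'pinned-untagged' (SHA, no comment), 'unpinned' (tag/branch),
    or 'skipped' (local path or docker image: nothing to SHA-pin here)."""
    results = []
    for m in USES_RE.finditer(workflow_text):
        ref, comment = m.group(1), m.group(2)
        line_no = workflow_text.count("\n", 0, m.start()) + 1
        if ref.startswith("./") or ref.startswith("docker://"):
            results.append((line_no, ref, "skipped"))
            continue
        _repo, _, version = ref.partition("@")
        if SHA_RE.match(version):
            status = "pinned" if comment else "pinned-untagged"
        else:
            status = "unpinned"
        results.append((line_no, ref, status))
    return results


def unpinned_refs(workflow_text):
    # Just the refs that a rule like zizmor's unpinned-uses would flag.
    return [ref for _, ref, status in audit_uses(workflow_text) if status == "unpinned"]


def pin_ref(workflow_text, ref, sha):
    """Rewrite `uses: <ref>` to `uses: <repo>@<sha> # <tag>`: the tag survives as a
    comment so the version stays readable and update tooling can refresh the pin."""
    if not SHA_RE.match(sha):
        raise ValueError("sha must be a full 40-hex commit id")
    repo, _, tag = ref.partition("@")
    pattern = re.compile(r"(uses:[ \t]*)" + re.escape(ref) + r"[ \t]*$", re.M)
    return pattern.sub(lambda m: f"{m.group(1)}{repo}@{sha} # {tag}", workflow_text)
```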