From 072030787442ce79cd22bfc8f31266d500529967 Mon Sep 17 00:00:00 2001 From: Robert M1 <50460704+githubrobbi@users.noreply.github.com> Date: Tue, 7 Jul 2026 09:07:55 -0700 Subject: [PATCH] ci(deps): bump codeql-action to 4.36.3 and group action bumps Bump github/codeql-action `init` + `analyze` from 4.36.2 to 4.36.3 together. CodeQL requires all `codeql-action` steps to use the same version; Dependabot had opened them as two separate PRs (#533 init, #534 analyze), so each branch carried a version mismatch that failed "Not all steps use the same version" and errored on SARIF upload, blocking both. Also add a `groups:` to the github-actions Dependabot config so all action bumps arrive as one PR, keeping multi-step actions in lockstep and preventing this split from recurring. Supersedes #533 and #534. Co-Authored-By: Claude Opus 4.8 --- .github/dependabot.yml | 12 ++++++++++++ .github/workflows/codeql.yml | 4 ++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9571ffc7f..141790c1e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -65,3 +65,15 @@ updates: commit-message: prefix: "ci" include: "scope" + # Group ALL github-actions bumps into a single PR. Multi-step actions + # (notably github/codeql-action's `init` + `analyze`, which MUST share + # the same version or CodeQL fails "Not all steps use the same version" + # and the SARIF upload errors out) were previously split into separate + # per-step PRs that each carried a version mismatch and could never go + # green. Grouping everything keeps such steps in lockstep. Actions are + # SHA-pinned and gated by the Dependabot Actions Review check, so a + # single combined PR is safe to review as one unit. + groups: + github-actions: + patterns: + - "*" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 23d73ead1..7e9338b38 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -138,7 +138,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Initialize CodeQL - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: languages: ${{ matrix.language }} # Rust support (public preview) currently only accepts @@ -153,6 +153,6 @@ jobs: # queries: security-and-quality - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: category: "/language:${{ matrix.language }}"