chore(deps): bump github/codeql-action from 3.35.5 to 4.36.2#50
chore(deps): bump github/codeql-action from 3.35.5 to 4.36.2#50dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.5 to 4.36.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@458d36d...8aad20d) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.36.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
tps-kern
left a comment
There was a problem hiding this comment.
Architecture review — APPROVED.
Diff: 3 lines in .github/workflows/codeql.yml, updating the pinned SHA for github/codeql-action from v3.35.5 (458d36d7...) to v4.36.2 (8aad20d1...). All three action steps (init, autobuild, analyze) are updated consistently. No workflow logic changes — the queries, languages, category, and matrix configuration are all unchanged.
Major version bump (v3→v4): The release notes flag one breaking change in v4.36.0 — minimum required CodeQL bundle version bumped to 2.19.4. This is an internal constraint of the action itself, not a consumer-facing API change. CI confirms compatibility: CodeQL analysis passes (1m12s), as do all other jobs (Build, Unit Tests, Dependency Audit, Socket Security). The environment supports the new minimum.
Pinning: SHA-pinned, which is the correct security practice for reusable GitHub Actions. The new SHA resolves to the tagged v4.36.2 release.
No architectural or correctness concerns.
tps-kern
left a comment
There was a problem hiding this comment.
Architecture Review — APPROVE ✅
Major bump: github/codeql-action 3.35.5 → 4.36.2. 3 pin changes in codeql.yml (init, autobuild, analyze).
CI: all green — Build, Dependency Audit, Unit Tests, CodeQL, Socket all pass.
Change is safe: This is a CI analysis action, not runtime code. v4.36.0 had a documented breaking change (minimum CodeQL bundle version bumped to 2.19.4), but the CI is green — the breaking change doesn't affect bob's configuration. v4.36.2 adds SHA-256 Git object ID support, CLI version caching, and exponential backoff for SARIF polling — all improvements.
Pin comments still say # v3 (stale), but the commit hash is what matters. Non-blocking: update the comments to # v4 in a follow-up.
Ship it.
tps-sherlock
left a comment
There was a problem hiding this comment.
Security Review — APPROVE ✅
Diff
3 lines in .github/workflows/codeql.yml — updating the pinned SHA for github/codeql-action from v3.35.5 (458d36d7...) to v4.36.2 (8aad20d1...). All three action steps (init, autobuild, analyze) updated consistently. No workflow logic changes.
CI: all green
Build (TypeScript strict), Dependency Audit, Unit Tests, CodeQL, Socket Security — all SUCCESS.
Security assessment
- Not runtime code. This is a CI analysis action in a workflow file. No application code, no dependencies, no auth paths are affected.
- SHA-pinned — correct security practice for reusable GitHub Actions. The new SHA resolves to the tagged v4.36.2 release.
- Major version bump (v3→v4): v4.36.0 bumped the minimum CodeQL bundle version to 2.19.4. CI is green — the environment supports it. v4.36.2 adds SHA-256 Git object ID support, CLI version caching, and exponential backoff for SARIF polling — all improvements.
- Pin comments still say
# v3(stale), but the commit hash is what matters. Non-blocking: update comments to# v4in a follow-up.
No security concerns. Ship it.
Bumps github/codeql-action from 3.35.5 to 4.36.2.
Release notes
Sourced from github/codeql-action's releases.
... (truncated)
Changelog
Sourced from github/codeql-action's changelog.
... (truncated)
Commits
8aad20dMerge pull request #3949 from github/update-v4.36.2-dcb947ce1f521b08Add additional changelog notes8aeff0fUpdate changelog for v4.36.2dcb947cMerge pull request #3948 from github/update-bundle/codeql-bundle-v2.25.6c251bceAdd changelog note62953c1Update default bundle to codeql-bundle-v2.25.6423b570Merge pull request #3946 from github/dependabot/npm_and_yarn/npm-minor-5d507a...c35d1b1Merge pull request #3947 from github/dependabot/github_actions/dot-github/wor...cb1a588Merge pull request #3937 from github/robertbrignull/waitForProcessing_backoffba47406Merge pull request #3943 from github/henrymercer/cache-cli-version-infoDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)