ci(deps): bump github/codeql-action/analyze from 3.35.5 to 4.36.2 #261
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [github/codeql-action/analyze](https://github.com/github/codeql-action) from 3.35.5 to 4.36.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@458d36d...8aad20d)

---
updated-dependencies:
- dependency-name: github/codeql-action/analyze
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ce86772713
| - name: Perform CodeQL analysis | ||
| uses: github/codeql-action/analyze@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3 | ||
| uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3 |
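Review bot: the trailing pin comment on the new line still reads `# v3`, but the SHA `8aad20d150bbac5944a9f9d289da16a4b0d87c1e` is the v4.36.2 commit this PR bumps to (per the PR description and its `458d36d...8aad20d` compare link), so the comment now misstates the pinned version; change it to `# v4.36.2`. The hunk only touches the analyze step, and as the Codex comment notes the init step of the same workflow stays on the v3 SHA `458d36d7d4f47d0dd16ca424c1d3cda0060f1360`, so the two steps would run different major versions of the action; either move init to the same v4 SHA in this change or keep analyze on the v3 SHA until both can move together.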
Pin CodeQL init and analyze to the same version
This updates only codeql-action/analyze to the v4.36.2 SHA while the preceding codeql-action/init step remains pinned to the v3 SHA. CodeQL’s changelog says mixing CodeQL Action versions in one workflow is unsupported and that non-init steps now error when they load a config generated by a different init version; since this workflow always runs init before analyze, the analysis step will fail instead of uploading results. Update init to the matching v4 SHA/tag as well, or keep analyze on v3.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
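The mixed-version problem the Codex comment describes is easy to check for mechanically. The script below is an added example, not code from this PR or from the codeql-action project: it scans a workflow for `uses: github/codeql-action/<sub-action>@<ref>` steps, reports when they are pinned to more than one ref, flags `# vN` pin comments that disagree with the version the SHA is known to resolve to, and rewrites all of them to one ref. The sample workflow is constructed; its two SHAs are the ones in this PR's diff (`458d36d...` = v3.35.5, `8aad20d...` = v4.36.2, per the PR description), while the step names, job layout, and `KNOWN_VERSIONS` map are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample workflow (not from the PR's repository): the two SHAs are the
# ones shown in the PR diff (458d36d... = v3.35.5, 8aad20d... = v4.36.2); the step
# names, job layout and language are assumed.
SAMPLE_WORKFLOW = """\
name: CodeQL
on: [push, pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3
        with:
          languages: python
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3
"""

# SHA -> release tag, taken from the PR description (3.35.5 -> 4.36.2 bump and its
# 458d36d...8aad20d compare link). Assumed to be the only two pins that matter here.
KNOWN_VERSIONS = {
    "458d36d7d4f47d0dd16ca424c1d3cda0060f1360": "v3.35.5",
    "8aad20d150bbac5944a9f9d289da16a4b0d87c1e": "v4.36.2",
}

# Matches `uses: github/codeql-action/<sub-action>@<ref>` plus the optional trailing
# `# <tag>` comment that Dependabot writes next to SHA pins.
PIN_RE = re.compile(
    r"(?P<lead>^[ \t]*(?:-[ \t]+)?uses:[ \t]*github/codeql-action/)"
    r"(?P<sub>[A-Za-z0-9_-]+)@(?P<ref>[^\s#]+)"
    r"(?:[ \t]*#[ \t]*(?P<tag>\S+))?",
    re.MULTILINE,
)


def codeql_pins(workflow_text):
    """Every codeql-action step as (sub_action, ref, tag_comment_or_None)."""
    return [(m.group("sub"), m.group("ref"), m.group("tag"))
            for m in PIN_RE.finditer(workflow_text)]


def pins_by_ref(workflow_text):
    """Group codeql-action sub-actions by the ref they are pinned to.
    More than one key means the workflow mixes CodeQL Action versions."""
    groups = defaultdict(list)
    for sub, ref, _ in codeql_pins(workflow_text):
        groups[ref].append(sub)
    return dict(groups)


def is_consistent(workflow_text):
    """True when init, analyze, and any other sub-action share a single ref."""
    return len(pins_by_ref(workflow_text)) <= 1


def stale_version_comments(workflow_text, known_versions):
    """Pins whose `# vN` comment disagrees on major version with the tag the SHA is
    known to resolve to. Returns (sub_action, ref, comment_tag, actual_tag)."""
    stale = []
    for sub, ref, tag in codeql_pins(workflow_text):
        actual = known_versions.get(ref)
        if tag is None or actual is None:
            continue
        if tag.lstrip("v").split(".")[0] != actual.lstrip("v").split(".")[0]:
            stale.append((sub, ref, tag, actual))
    return stale


def align_pins(workflow_text, ref, tag):
    """Rewrite every codeql-action step to the same ref and tag comment: the fix the
    review asks for (move init and analyze together rather than one at a time)."""
    return PIN_RE.sub(lambda m: f"{m.group('lead')}{m.group('sub')}@{ref} # {tag}",
                      workflow_text)


if __name__ == "__main__":
    print("pins by ref:", pins_by_ref(SAMPLE_WORKFLOW))
    print("stale comments:", stale_version_comments(SAMPLE_WORKFLOW, KNOWN_VERSIONS))
    fixed = align_pins(SAMPLE_WORKFLOW,
                       "8aad20d150bbac5944a9f9d289da16a4b0d87c1e", "v4.36.2")
    print("consistent after fix:", is_consistent(fixed))
```

Run against the sample, `pins_by_ref` returns two groups (init on the v3 SHA, analyze on the v4 SHA) and `stale_version_comments` flags the analyze line whose `# v3` comment no longer matches v4.36.2; after `align_pins` both checks pass. The same check can be wired into CI as a guard that fails a Dependabot PR which moves only one codeql-action sub-action.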
Automated Dependabot review — ❌ STOP at CI (fail-fast)

Change:

Step 1 — Code review

Step 2/3 — Regression & CI

CI is failing. The The v3

Decision

Per the fail-fast policy, processing stops here — not merged.

Root cause & recommendation: Dependabot split the

Generated by Claude Code
Automated Dependabot review — ❌ blocked at CI (fail-fast)

Step 1 — Code review

Step 2/3 — Regression / CI: ❌ FAILED. The

Root cause: Dependabot split the codeql-action major bump into two separate PRs — this one (

Decision: Per fail-fast, this PR is not merged. Neither #261 nor #259 can pass CI in isolation, and merging either alone would break CodeQL on

Suggested resolution (needs a maintainer decision): land both bumps atomically — bump both

Generated by Claude Code
Bumps github/codeql-action/analyze from 3.35.5 to 4.36.2.
Release notes
Sourced from github/codeql-action/analyze's releases.
... (truncated)
Changelog
Sourced from github/codeql-action/analyze's changelog.
... (truncated)
Commits
- 8aad20d Merge pull request #3949 from github/update-v4.36.2-dcb947c
- e1f521b Add additional changelog notes
- 8aeff0f Update changelog for v4.36.2
- dcb947c Merge pull request #3948 from github/update-bundle/codeql-bundle-v2.25.6
- c251bce Add changelog note
- 62953c1 Update default bundle to codeql-bundle-v2.25.6
- 423b570 Merge pull request #3946 from github/dependabot/npm_and_yarn/npm-minor-5d507a...
- c35d1b1 Merge pull request #3947 from github/dependabot/github_actions/dot-github/wor...
- cb1a588 Merge pull request #3937 from github/robertbrignull/waitForProcessing_backoff
- ba47406 Merge pull request #3943 from github/henrymercer/cache-cli-version-info

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)