
chore(ci): bump github/codeql-action from 3 to 4#62

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/github/codeql-action-4

Conversation


@dependabot dependabot Bot commented on behalf of github May 25, 2026

Bumps github/codeql-action from 3 to 4.

Release notes

Sourced from github/codeql-action's releases.

v3.36.0

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

v3.35.5

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v3.35.4

  • Update default CodeQL bundle version to 2.25.4. #3881

v3.35.3

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

v3.35.2

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

v3.35.1

v3.35.0

v3.34.1

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v3.34.0

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

v3.33.0

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562 To opt out of this change:
    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

4.32.3 - 13 Feb 2026

  • Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

4.32.2 - 05 Feb 2026

  • Update default CodeQL bundle version to 2.24.1. #3460

4.32.1 - 02 Feb 2026

  • A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422
  • Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

4.32.0 - 26 Jan 2026

  • Update default CodeQL bundle version to 2.24.0. #3425

4.31.11 - 23 Jan 2026

  • When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409
  • Improved error handling throughout the CodeQL Action. #3415
  • Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #3318
  • The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #3403

4.31.10 - 12 Jan 2026

  • Update default CodeQL bundle version to 2.23.9. #3393

4.31.9 - 16 Dec 2025

No user facing changes.

4.31.8 - 11 Dec 2025

  • Update default CodeQL bundle version to 2.23.8. #3354

4.31.7 - 05 Dec 2025

  • Update default CodeQL bundle version to 2.23.7. #3343

4.31.6 - 01 Dec 2025

No user facing changes.

4.31.5 - 24 Nov 2025

  • Update default CodeQL bundle version to 2.23.6. #3321

4.31.4 - 18 Nov 2025

... (truncated)

Commits
  • 8442bc0 Release process: Automatically rebuild PRs
  • 26a1e57 Merge pull request #3913 from github/henrymercer/downgrade-ava
  • 9b6438e Tweak workflow
  • b5b50d6 Merge branch 'main' into henrymercer/repo-size-diff-check
  • 9665bc2 Downgrade ava to version 6.4.1
  • 5a80681 Address review comments
  • See full diff in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow to use the latest version of the CodeQL upload-sarif action.


Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github May 25, 2026

Labels

The following labels could not be found: ci, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


@greptile-apps greptile-apps Bot left a comment


dependabot[bot] has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.


coderabbitai Bot commented May 25, 2026

Walkthrough

The security workflow is updated to use GitHub's CodeQL action version 4 for uploading Trivy SARIF results, replacing the previous v3 dependency. This single-line change modernizes the security scanning integration.

Changes

Security Workflow Update

Layer / File(s): SARIF upload action version bump (.github/workflows/security.yml)
Summary: The workflow step uploading Trivy SARIF results to GitHub Security is updated from github/codeql-action/upload-sarif@v3 to @v4.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A bunny hops by with a version update,
From v3 to v4, sealed with a date,
Security scans will now flow more fine,
Through CodeQL's action, a cleaner design! 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. The PR description is incomplete. While it provides detailed release notes and changelog information, it does not follow the required template structure with mandatory sections like Type of Change, Strict Checklist, and the required Security Checklist items. Resolution: complete the PR description by selecting the appropriate Type of Change checkbox (likely 'Infrastructure/Ecosystem'), and checking off the mandatory Security Checklist items and other applicable sections from the template.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately summarizes the main change: bumping the github/codeql-action dependency from version 3 to version 4 in the CI workflow.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/security.yml:
- Line 36: The workflow currently pins actions with mutable tags (e.g.,
github/codeql-action/upload-sarif@v4) which violates the hash-pinning policy;
update each uses: entry (including github/codeql-action/upload-sarif@v4 and the
other codeql/action and actions entries referenced in the comment) to use the
corresponding commit SHA instead of the tag. Find the exact commit SHA for the
v4 tag (or the appropriate release tag you intended) and replace the mutable tag
with the full SHA (e.g., github/codeql-action/upload-sarif@<commit-sha>),
ensuring all uses lines in the workflow are consistently pinned to their commit
SHAs.
- Line 36: The workflow step using uses: github/codeql-action/upload-sarif@v4 is
not pinned and the job lacks required action permissions for CodeQL v4; update
the job to pin the upload-sarif action to a specific commit SHA (replace
github/codeql-action/upload-sarif@v4 with
github/codeql-action/upload-sarif@<commit-sha>) and add permissions: actions:
read in addition to the existing permissions (contents: read and
security-events: write) so upload-sarif runs reliably across runners and GHES
versions; also consider pinning other actions referenced in the workflow for
consistency with the repo’s hash-pinning policy.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: faf08198-ed64-4ccd-b215-9832b4af9d2b

📥 Commits

Reviewing files that changed from the base of the PR and between e9d472a and 3482bcd.

📒 Files selected for processing (1)
  • .github/workflows/security.yml

- name: Upload Trivy scan results to GitHub Security tab
# Pin action versions to a vetted release tag for supply-chain security and reproducible runs.
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@v4
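Review bot: the comment directly above this `uses:` line says action versions are pinned "for supply-chain security and reproducible runs", but `@v4` is a mutable major tag that upstream can move, so the comment and the reference disagree and the zizmor unpinned-uses finding on this line is valid. Pin the step to the full commit SHA of the intended release and keep the tag readable in a trailing comment, e.g. `uses: github/codeql-action/upload-sarif@<commit-sha>  # v4`, and apply the same treatment to the other `uses:` entries in this workflow so the policy holds for the whole file. Separately, as the analysis on this PR notes, upload-sarif under CodeQL Action v4 can fail with "Resource not accessible by integration" unless the job grants `actions: read`; this job currently sets only `contents: read` and `security-events: write`, so add `actions: read` to its `permissions:` block in the same change.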


⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Action reference violates hash-pinning policy.

The static analysis tool flags this line because a blanket policy requires actions to be pinned to commit SHAs, not mutable tags. Using @v4 (a mutable tag) reduces supply-chain security guarantees—if the upstream repository is compromised, the tag can be moved to point to malicious code.

This contradicts the comment on line 35 which states the action is pinned "for supply-chain security and reproducible runs."

🔒 Recommended fix: Pin to commit SHA
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@<commit-sha>  # v4

To find the commit SHA for the v4 release:

#!/bin/bash
# Find the commit SHA for github/codeql-action v4 release tag
gh api repos/github/codeql-action/git/ref/tags/v4 --jq '.object.sha'

Note: This issue also affects the other actions in this workflow (lines 22, 26).

As per static analysis hints: "action is not pinned to a hash (required by blanket policy)".

🧰 Tools
🪛 zizmor (1.25.2)

[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

github codeql-action v4 breaking changes upload-sarif

💡 Result:

No single, universally applicable “CodeQL Action v4 breaking change” exists specifically named for “upload-sarif”; instead, there are several v4-relevant changes/edge-cases that commonly make an upload-sarif step appear “broken” after upgrading.

1) v4 major version requires the Node.js 24 Actions runtime (and some GHES versions can’t run it)
  • GitHub states that CodeQL Action v4 (released Oct 7, 2025) runs on the Node.js 24 runtime [1].
  • GitHub also states GHES 3.18 and older cannot run actions using the Node.js 24 runtime, so they are unable to run CodeQL Action v4 [1].
  Impact: if you’re on an older GHES or a platform without Node.js 24 runtime support, github/codeql-action/upload-sarif@v4 won’t work.

2) Permissions: upload-sarif can fail with “Resource not accessible by integration” unless actions: read is granted
  • A CodeQL Action issue documents upload-sarif failing (before any real upload happens) and identifies the missing permission as actions: read [2].
  • The issue author reports that adding permissions: actions: read at the job level made upload-sarif work [2].
  Impact: workflows (especially reusable/composite workflows) that don’t explicitly grant permissions: actions: read may break.
  Suggested fix (YAML):
    permissions:
      actions: read

3) SARIF post-processing behavior changed for uploads initiated by analyze or upload-sarif (primarily impacts analyze)
  • The CodeQL Action changelog says that when SARIF files are uploaded by analyze or upload-sarif, the action automatically performs post-processing steps to prepare the data for upload.
  • It further says those post-processing steps previously ran only “before an upload took place”, but are now always performed even when SARIF files are not uploaded; it also says “This does not change anything for the upload-sarif action,” and notes possible impact on analyze users depending on the upload input [3].
  Impact: if your workflow relies on specific timing/side-effects of post-processing for analyze, the behavior can change; upload-sarif itself is stated as unchanged for this particular item [3].

4) Specific upload-sarif bug fix: non-.sarif files not being uploaded (fixed in the v3.30.4 line)
  • The changelog notes they fixed “a bug … with upload-sarif … [that] resulted in files without a .sarif extension not getting uploaded” [3].
  Impact: if your pipeline uploads files whose names/extensions aren’t standard .sarif, you may see behavior differences depending on which CodeQL Action release your @v4 tag resolves to.

5) GHES 3.18 limitation: combining SARIF files from a single upload is removed
  • The changelog notes: “Remove support for combining SARIF files from a single upload for GHES 3.18” [3].
  Impact: if your GHES 3.18-based setup tried to upload multiple SARIFs in a way that relied on that combining behavior, you may see changes.

If you paste your workflow step (the exact uses: github/codeql-action/upload-sarif@v4... line), plus the error message you’re seeing, I can pinpoint which of the above is the match and tell you the minimal change needed.


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/security.yml"
echo "== File: $FILE =="
wc -l "$FILE"
echo

echo "== Lines 1-120 (to capture job/permissions context and the flagged step) =="
nl -ba "$FILE" | sed -n '1,120p'

echo
echo "== Find any permissions blocks =="
rg -n "^\s*permissions\s*:" "$FILE" || true
rg -n "actions:\s*read" "$FILE" || true

echo
echo "== List all uses: lines in this workflow =="
rg -n "^\s*uses:\s*" "$FILE"

Repository: AIX-Format/PiWorker-OS

Length of output: 282


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/security.yml"
echo "== File: $FILE =="
wc -l "$FILE"
echo

echo "== Lines 1-200 (include job/permissions context + flagged step) =="
cat -n "$FILE" | sed -n '1,200p'

echo
echo "== permissions blocks =="
rg -n "^\s*permissions\s*:" "$FILE" || true

echo
echo "== actions: read occurrences =="
rg -n "actions:\s*read" "$FILE" || true

echo
echo "== uses: lines =="
rg -n "^\s*uses:\s*" "$FILE"

Repository: AIX-Format/PiWorker-OS

Length of output: 1847


Pin github/codeql-action/upload-sarif@v4 and address CodeQL v4 requirements

  • uses: github/codeql-action/upload-sarif@v4 isn’t pinned to an immutable ref (contradicts the “Pin action versions…” comments and the hash-pinning policy), so an upstream tag change could alter the action behavior.
  • CodeQL v4 can break upload-sarif depending on the runner/platform and permissions: v4 requires the Node.js 24 runtime (GHES < 3.18 may fail), and upload-sarif can error unless permissions: actions: read is granted. This workflow currently only sets contents: read and security-events: write.
  • Update the workflow to (1) add permissions: actions: read and (2) pin the CodeQL upload-sarif action to a specific commit SHA (and pin other actions too if your policy is blanket).
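A defender-side check for the two findings in the review comments above (the unpinned `uses:` reference and the missing `actions: read` permission), written here as an added example; it is not code from this PR, from CodeRabbit or from zizmor. It lists `uses:` references that are not pinned to a full 40-hex commit SHA, rewrites a tag reference to a SHA while keeping the tag in a trailing comment, and inserts `actions: read` under the job's `permissions:` block. The workflow text and the SHA are constructed placeholders; the real SHA comes from the `gh api` command quoted in the first review comment.

```shell
#!/bin/bash
# Added example. The workflow below is a constructed sample, NOT the
# repository's own .github/workflows/security.yml.
SAMPLE_WORKFLOW='name: security
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Upload Trivy scan results to GitHub Security tab
        # Pin action versions to a vetted release tag for supply-chain security and reproducible runs.
        uses: github/codeql-action/upload-sarif@v4'

# Constructed placeholder, not the real v4 commit. Resolve the real one with
#   gh api repos/github/codeql-action/git/ref/tags/v4 --jq '.object.sha'
# and, if .object.type is "tag" (annotated tag), dereference it to the commit.
PLACEHOLDER_SHA='deadbeefdeadbeefdeadbeefdeadbeefdeadbeef'

# Print every "uses:" reference that is not "<action>@<40-hex sha>", i.e. what
# zizmor's unpinned-uses check flags. Local (./path) and docker:// refs are skipped.
unpinned_uses() {
  printf '%s\n' "$1" \
    | sed -En 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*([^[:space:]#]+).*/\1/p' \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '^[^@]+@[0-9a-f]{40}$' || true
}
count_unpinned() { unpinned_uses "$1" | grep -c ''; }

# Rewrite "<action>@<tag>" as "<action>@<sha>  # <tag>" so the intended release
# stays readable. $2 is taken literally (no regex metacharacters expected).
pin_uses() {  # $1 workflow text, $2 action path, $3 tag, $4 full commit SHA
  printf '%s\n' "$1" \
    | sed -E "s#(uses:[[:space:]]*)$2@$3[[:space:]]*\$#\1$2@$4  \# $3#"
}

# True when some line grants "actions: read" (line-level check, as the review asks).
has_actions_read() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*actions:[[:space:]]*read[[:space:]]*$'
}

# Insert "actions: read" directly under each "permissions:" key, matching its indentation.
add_actions_read() {
  printf '%s\n' "$1" | awk '
    { print }
    /^[ \t]*permissions:[ \t]*$/ {
      match($0, /^[ \t]*/); print substr($0, 1, RLENGTH) "  actions: read"
    }'
}

echo "== Unpinned uses: references in the sample =="
unpinned_uses "$SAMPLE_WORKFLOW"
FIXED=$(pin_uses "$SAMPLE_WORKFLOW" github/codeql-action/upload-sarif v4 "$PLACEHOLDER_SHA")
FIXED=$(pin_uses "$FIXED" actions/checkout v4 "$PLACEHOLDER_SHA")
FIXED=$(add_actions_read "$FIXED")
echo "== Hardened workflow =="
printf '%s\n' "$FIXED"
echo "== Unpinned references left: $(count_unpinned "$FIXED")"
```

Pinning to the moving `v4` tag's current commit freezes whatever that tag points at today; resolving a specific release tag instead (as the review also suggests) makes the trailing comment meaningful.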
