ci: bump codeql-action to v4.36.3 in lockstep + group dependabot Action PRs#485
Merged
Merged
Conversation
…on PRs The two red dependabot PRs (#479 init, #481 analyze) were not a code problem: dependabot split one logical bump (github/codeql-action 4.36.2 -> 4.36.3) into a separate PR per sub-action, but codeql.yml pins init and analyze to the same SHA and codeql-action rejects an init/analyze version mismatch. Each PR alone ran init@4.36.2 + analyze@4.36.3 (or the reverse) -> "Analyze C" failed, and merging either alone would have skewed main. Fix: bump init, analyze (codeql.yml) and upload-sarif (scorecard.yml) to v4.36.3 together — codeql-action is a monorepo, so all three share SHA 54f647b7e1bb85c95cddabcd46b0c578ec92bc1a. This supersedes #479 and #481. Prevent recurrence: group all github-actions bumps into one dependabot PR, so the codeql-action sub-actions always move in lockstep instead of skewing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jul 8, 2026
InauguralPhysicist
added a commit
to InauguralSystems/DMG
that referenced
this pull request
Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused (see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must move in lockstep. Grouping keeps them in a single PR. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
InauguralPhysicist
added a commit
to InauguralSystems/dynamics
that referenced
this pull request
Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused (see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must move in lockstep. Grouping keeps them in a single PR. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
InauguralPhysicist
added a commit
to InauguralSystems/EigenGauntlet
that referenced
this pull request
Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused (see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must move in lockstep. Grouping keeps them in a single PR. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
InauguralPhysicist
added a commit
to InauguralSystems/EigenMiniSat
that referenced
this pull request
Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused (see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must move in lockstep. Grouping keeps them in a single PR. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
InauguralPhysicist
added a commit
to InauguralSystems/liferaft
that referenced
this pull request
Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused (see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must move in lockstep. Grouping keeps them in a single PR. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
InauguralPhysicist
added a commit
to InauguralSystems/tidelog
that referenced
this pull request
Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused (see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must move in lockstep. Grouping keeps them in a single PR. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
InauguralPhysicist
added a commit
to InauguralSystems/Tidepool
that referenced
this pull request
Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused (see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must move in lockstep. Grouping keeps them in a single PR. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Two open dependabot PRs are red — #479 (
codeql-action/init) and #481 (codeql-action/analyze). They are not a code problem:github/codeql-actionis a monorepo, andcodeql.ymlpinsinitandanalyzeto the same SHA. Dependabot (ungrouped) opened a separate PR per sub-action, so each PR alone bumps only one of them → the job runsinit@4.36.2 + analyze@4.36.3(or the reverse). codeql-action rejects an init/analyze version mismatch, soAnalyze Cfails. Merging either alone would also skewmain.Fix
init,analyze(codeql.yml) andupload-sarif(scorecard.yml) to v4.36.3 together — all share SHA54f647b…. This supersedes build(deps): bump github/codeql-action/init from 4.36.2 to 4.36.3 #479 and build(deps): bump github/codeql-action/analyze from 4.36.2 to 4.36.3 #481 (they'll auto-close once this lands).github-actionsbumps into one dependabot PR so the codeql-action sub-actions always move in lockstep and never skew again.Verification
CI on this PR is the proof: with init+analyze matched at v4.36.3,
Analyze Cshould pass (it's red on #479/#481 solely due to the skew).🤖 Generated with Claude Code