Skip to content

ci: bump codeql-action to v4.36.3 in lockstep + group dependabot Action PRs#485

Merged
InauguralPhysicist merged 1 commit into
mainfrom
ci-codeql-action-4.36.3-grouped
Jul 8, 2026
Merged

ci: bump codeql-action to v4.36.3 in lockstep + group dependabot Action PRs#485
InauguralPhysicist merged 1 commit into
mainfrom
ci-codeql-action-4.36.3-grouped

Conversation

@InauguralPhysicist

Copy link
Copy Markdown
Collaborator

Why

Two open dependabot PRs are red — #479 (codeql-action/init) and #481 (codeql-action/analyze). They are not a code problem:

github/codeql-action is a monorepo, and codeql.yml pins init and analyze to the same SHA. Dependabot (ungrouped) opened a separate PR per sub-action, so each PR alone bumps only one of them → the job runs init@4.36.2 + analyze@4.36.3 (or the reverse). codeql-action rejects an init/analyze version mismatch, so Analyze C fails. Merging either alone would also skew main.

Fix

Verification

CI on this PR is the proof: with init+analyze matched at v4.36.3, Analyze C should pass (it's red on #479/#481 solely due to the skew).

🤖 Generated with Claude Code

…on PRs

The two red dependabot PRs (#479 init, #481 analyze) were not a code problem:
dependabot split one logical bump (github/codeql-action 4.36.2 -> 4.36.3) into a
separate PR per sub-action, but codeql.yml pins init and analyze to the same SHA
and codeql-action rejects an init/analyze version mismatch. Each PR alone ran
init@4.36.2 + analyze@4.36.3 (or the reverse) -> "Analyze C" failed, and merging
either alone would have skewed main.

Fix: bump init, analyze (codeql.yml) and upload-sarif (scorecard.yml) to v4.36.3
together — codeql-action is a monorepo, so all three share SHA
54f647b7e1bb85c95cddabcd46b0c578ec92bc1a. This supersedes #479 and #481.

Prevent recurrence: group all github-actions bumps into one dependabot PR, so the
codeql-action sub-actions always move in lockstep instead of skewing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@InauguralPhysicist InauguralPhysicist merged commit adebae9 into main Jul 8, 2026
17 checks passed
@InauguralPhysicist InauguralPhysicist deleted the ci-codeql-action-4.36.3-grouped branch July 8, 2026 23:30
InauguralPhysicist added a commit to InauguralSystems/DMG that referenced this pull request Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused
(see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must
move in lockstep. Grouping keeps them in a single PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
InauguralPhysicist added a commit to InauguralSystems/dynamics that referenced this pull request Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused
(see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must
move in lockstep. Grouping keeps them in a single PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
InauguralPhysicist added a commit to InauguralSystems/EigenGauntlet that referenced this pull request Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused
(see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must
move in lockstep. Grouping keeps them in a single PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
InauguralPhysicist added a commit to InauguralSystems/EigenMiniSat that referenced this pull request Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused
(see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must
move in lockstep. Grouping keeps them in a single PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
InauguralPhysicist added a commit to InauguralSystems/liferaft that referenced this pull request Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused
(see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must
move in lockstep. Grouping keeps them in a single PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
InauguralPhysicist added a commit to InauguralSystems/tidelog that referenced this pull request Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused
(see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must
move in lockstep. Grouping keeps them in a single PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
InauguralPhysicist added a commit to InauguralSystems/Tidepool that referenced this pull request Jul 8, 2026
Prevents the codeql-action init/analyze version skew that split bumps caused
(see InauguralSystems/EigenScript#485): the sub-actions share one SHA and must
move in lockstep. Grouping keeps them in a single PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant