diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5ace460..b4ea077 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,3 +4,14 @@ updates: directory: "/" schedule: interval: "weekly" + # Group all Action bumps into ONE PR. github/codeql-action is a monorepo: + # its init/analyze/upload-sarif sub-actions MUST move in lockstep (the + # workflows pin them to one SHA, and codeql-action rejects an init/analyze + # version mismatch). Ungrouped, dependabot opened a separate PR per + # sub-action, so each one alone created a version skew that failed CI and + # could not be merged without breaking main. A single grouped PR keeps them + # in sync. + groups: + github-actions: + patterns: + - "*" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index fe06e8b..a8c7069 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -23,7 +23,7 @@ jobs: steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + - uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: languages: c-cpp queries: security-and-quality @@ -31,6 +31,6 @@ jobs: - name: Build run: make EIGENSCRIPT_VERSION=codeql - - uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + - uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: category: "/language:c-cpp" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 7f1265f..10cadcb 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: sarif_file: results.sarif