From 95639d678ea305ad38f0bafe1cf1a9703475b12c Mon Sep 17 00:00:00 2001 From: InauguralPhysicist Date: Wed, 8 Jul 2026 18:10:46 -0500 Subject: [PATCH] ci: bump codeql-action to v4.36.3 in lockstep + group dependabot Action PRs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The two red dependabot PRs (#479 init, #481 analyze) were not a code problem: dependabot split one logical bump (github/codeql-action 4.36.2 -> 4.36.3) into a separate PR per sub-action, but codeql.yml pins init and analyze to the same SHA and codeql-action rejects an init/analyze version mismatch. Each PR alone ran init@4.36.2 + analyze@4.36.3 (or the reverse) -> "Analyze C" failed, and merging either alone would have skewed main. Fix: bump init, analyze (codeql.yml) and upload-sarif (scorecard.yml) to v4.36.3 together — codeql-action is a monorepo, so all three share SHA 54f647b7e1bb85c95cddabcd46b0c578ec92bc1a. This supersedes #479 and #481. Prevent recurrence: group all github-actions bumps into one dependabot PR, so the codeql-action sub-actions always move in lockstep instead of skewing. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/dependabot.yml | 11 +++++++++++ .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5ace460..b4ea077 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,3 +4,14 @@ updates: directory: "/" schedule: interval: "weekly" + # Group all Action bumps into ONE PR. github/codeql-action is a monorepo: + # its init/analyze/upload-sarif sub-actions MUST move in lockstep (the + # workflows pin them to one SHA, and codeql-action rejects an init/analyze + # version mismatch). Ungrouped, dependabot opened a separate PR per + # sub-action, so each one alone created a version skew that failed CI and + # could not be merged without breaking main. A single grouped PR keeps them + # in sync. + groups: + github-actions: + patterns: + - "*" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index fe06e8b..a8c7069 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -23,7 +23,7 @@ jobs: steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + - uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: languages: c-cpp queries: security-and-quality @@ -31,6 +31,6 @@ jobs: - name: Build run: make EIGENSCRIPT_VERSION=codeql - - uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + - uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: category: "/language:c-cpp" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 7f1265f..10cadcb 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: sarif_file: results.sarif