Bump github/codeql-action from 4 to 4.36.0#14800
rtibblesbot
left a comment
Dependency Update Review
Package: github/codeql-action 4 → 4.36.0
Semver risk: Minor (within major v4)
Dependency type: CI/dev workflow (GitHub Actions)
CI status: CodeQL analysis jobs (Analyze (actions), Analyze (javascript-typescript)) passing; remaining checks pending but unrelated to this change.
Changelog Analysis
Sources consulted:
- PR body (release notes v4.33.0–v4.36.0, changelog v4.34.0–v4.36.2)
Breaking changes:
- v4.36.0: "Bump the minimum required CodeQL bundle version to 2.19.4" (#3894). Affects users on GHES 3.15 or older, or those pinning to a CodeQL bundle older than 2.19.4. This project uses `ubuntu-latest` with no `tools:` input — GitHub-hosted runners supply the current default bundle (2.25.5), well above the new minimum. No impact.
Deprecations: CODEQL_ACTION_CLEANUP_TRAP_CACHES env var deprecated (v4.35.2) — not used in this workflow.
Security fixes: None in this range.
Other notable changes: SHA-256 Git object ID support; improved incremental analysis refinements; default CodeQL bundle updated to 2.25.5.
Compatibility Assessment
- Project uses affected APIs: No — no custom bundle pinning, no `tools:` input, no GHES config
- Peer dependency changes: No
- Code changes required: No
- Prior maintainer concerns: None
Recommendation
APPROVE — no compatibility impact for this project, CodeQL-specific CI jobs passing.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Reviewed the pull request diff checking for:
- Correctness: bugs, edge cases, undocumented behavior, resource leaks, hardcoded values
- Design: unnecessary complexity, naming, readability, comment accuracy, redundant state
- Architecture: duplicated concerns, minimal interfaces, composition over inheritance
- Testing: behavior-based assertions, mocks only at hard boundaries, accurate coverage
- Completeness: missing dependencies, unupdated usages, i18n, accessibility, security
- Principles: DRY (same reason to change), SRP, Rule of Three (no premature abstraction)
- Checked CI status and linked issue acceptance criteria
- For UI changes: inspected screenshots for layout, visual completeness, and consistency
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v4 | ||
| uses: github/codeql-action/init@v4.36.0 |
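Review bot: `uses: github/codeql-action/init@v4.36.0` pins to a release tag, which is still a movable ref; for a tamper-resistant pin, reference the full commit SHA of the v4.36.0 release and keep the version in a trailing comment (Dependabot updates such comments on later bumps). Also confirm the matching `analyze` step (the Analyze jobs listed in the CI status) is bumped to the same 4.36.0 ref so init and analyze do not run mixed versions.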
praise: Pinning to @v4.36.0 instead of the floating @v4 tag is a meaningful security improvement — a tag compromise can't inject code into this workflow when the ref is pinned to a specific version.
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4 to 4.36.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v4...v4.36.0)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps github/codeql-action from 4 to 4.36.0.
Release notes
Sourced from github/codeql-action's releases.
... (truncated)
Changelog
Sourced from github/codeql-action's changelog.
... (truncated)
Commits
- 7211b7c Merge pull request #3927 from github/update-v4.36.0-ebc2d9e2b
- 7740f2f Update changelog for v4.36.0
- ebc2d9e Merge pull request #3926 from github/update-bundle/codeql-bundle-v2.25.5
- d1f74b7 Add changelog note
- 2dc40ce Update default bundle to codeql-bundle-v2.25.5
- 8449852 Merge pull request #3910 from github/henrymercer/repo-size-diff-check
- 72ac23c Update excluded required check list
- c5297a2 Merge pull request #3919 from github/henrymercer/workflow-concurrency
- 8ffeae7 CI: Automatically cancel non-generated workflows
- f3f52bf Revert getErrorMessage import