@dependabot dependabot bot commented on behalf of github Jan 1, 2026

Bumps the actions-monthly group with 1 update: github/codeql-action.

Updates github/codeql-action from 3.31.8 to 4.31.9

Release notes

Sourced from github/codeql-action's releases.

v4.31.9

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.9 - 16 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.31.8

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.8 - 11 Dec 2025

  • Update default CodeQL bundle version to 2.23.8. #3354

See the full CHANGELOG.md for more information.

v4.31.7

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.7 - 05 Dec 2025

  • Update default CodeQL bundle version to 2.23.7. #3343

See the full CHANGELOG.md for more information.

v4.31.6

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.6 - 01 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.31.5

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.5 - 24 Nov 2025

... (truncated)

Commits
  • 5d4e8d1 Merge pull request #3371 from github/update-v4.31.9-998798e34
  • 1dc115f Update changelog for v4.31.9
  • 998798e Merge pull request #3352 from github/nickrolfe/jar-min-ff-cleanup
  • 5eb7519 Merge pull request #3358 from github/henrymercer/database-upload-telemetry
  • d29eddb Extract version number to constant
  • e962687 Merge branch 'main' into henrymercer/database-upload-telemetry
  • 19c7f96 Rename isOverlayBase
  • ae5de9a Use getErrorMessage in log too
  • 0cb8633 Prefer performance.now()
  • c07cc0d Merge pull request #3351 from github/henrymercer/ghec-dr-determine-tools-vers...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the actions-monthly group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 3.31.8 to 4.31.9
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v3.31.8...v4.31.9)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.9
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-monthly
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies and github_actions labels Jan 1, 2026

copy-pr-bot bot commented Jan 1, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.


rwgk commented Jan 2, 2026

This PR is super weird, I will close it, let's see what happens next month.

What's weird:

-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@v4.31.9
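
Review bot: `@v4.31.9` on the `+` line is still a tag reference rather than a commit pin, and it is inconsistent with the init step elsewhere in this PR, which is pinned by full commit SHA with a version comment. Use one convention for both codeql-action steps: either keep the major tag `@v4` here, or pin this step to the 40-character commit SHA of the release with a trailing `# v4.31.9` comment.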

Suddenly it's pinning to a specific patch version. I think that's not what we want?

-      uses: github/codeql-action/init@f47c8e6a9bd05ef3ee422fc8d8663be7fe4bdc61  # v3.31.8
+      uses: github/codeql-action/init@f67ec12472e1b361f5e1e2085f5e6f85a57e3cd6  # v3.31.8
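
Review bot: the trailing comment on the `+` line still reads `# v3.31.8` although the SHA changed and the PR states an update to 4.31.9, so the comment no longer identifies the pinned commit. The new SHA should be the commit that the v4.31.9 tag points to and the comment should read `# v4.31.9`; check the SHA against the tag before merging, because the version comment is not validated when the workflow runs.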

The old hash is correct, but the new hash is not even a release:

rwgk-win11.localdomain:~/wrk/clone/codeql-action $ git show f47c8e6a9bd05ef3ee422fc8d8663be7fe4bdc61
commit f47c8e6a9bd05ef3ee422fc8d8663be7fe4bdc61 (tag: v3.31.8)
Merge: bffd034ab 74951318a
Author: Óscar San José <oscarsj@github.com>
Date:   Fri Dec 12 10:43:49 2025 +0100

    Merge pull request #3357 from github/backport-v3.31.8-1b168cd39

    Merge releases/v4 into releases/v3
rwgk-win11.localdomain:~/wrk/clone/codeql-action $ git show f67ec12472e1b361f5e1e2085f5e6f85a57e3cd6
commit f67ec12472e1b361f5e1e2085f5e6f85a57e3cd6 (HEAD -> main, origin/main, origin/default-setup-testing, origin/HEAD)
Merge: 525b64847 3b6fef64d
Author: Henry Mercer <henrymercer@github.com>
Date:   Thu Dec 18 15:47:40 2025 +0000

    Merge pull request #3370 from github/copilot/update-overlay-git-version-check

    Add git version check for overlay analysis enablement
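
The manual check in the comment above (does the pinned SHA belong to the release named in the trailing comment?) can be automated. The following is an added example, not part of the original thread or of either project: it audits `uses:` lines against a tag-to-SHA map in `git ls-remote --tags` format; the sample inputs are constructed from the lines quoted in the thread, and `parse_tags` and `audit` are hypothetical names.

```python
import re

# Constructed input in `git ls-remote --tags` format (SHA, tab, ref). The
# v3.31.8 pair is the one shown in the thread's `git show` output.
LS_REMOTE = "f47c8e6a9bd05ef3ee422fc8d8663be7fe4bdc61\trefs/tags/v3.31.8\n"
# The four `uses:` lines quoted in the thread, old and new side by side.
WORKFLOW = """\
      uses: github/codeql-action/init@f47c8e6a9bd05ef3ee422fc8d8663be7fe4bdc61  # v3.31.8
      uses: github/codeql-action/init@f67ec12472e1b361f5e1e2085f5e6f85a57e3cd6  # v3.31.8
        uses: github/codeql-action/upload-sarif@v4
        uses: github/codeql-action/upload-sarif@v4.31.9
"""
USES = re.compile(r"uses:\s*[\w./-]+@(?P<ref>\S+)(?:\s+#\s*(?P<label>\S+))?")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def parse_tags(ls_remote):
    """Map tag name -> commit SHA. For annotated tags, ls-remote prints the tag
    object first and the commit on a peeled `^{}` line; the peeled SHA wins."""
    tags = {}
    for line in ls_remote.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        name = parts[1][len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = parts[0]
        else:
            tags.setdefault(name, parts[0])
    return tags

def audit(workflow, tags):
    """Return (line number, status) for every `uses:` line in the workflow text."""
    results = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES.search(line)
        if not m:
            continue
        ref, label = m["ref"], m["label"]
        if not FULL_SHA.fullmatch(ref):
            status = "tag-ref"         # mutable tag or branch, not a commit pin
        elif label is None:
            status = "sha-unlabelled"  # pinned, but no release named to check
        else:                          # the comment must name the tag at this SHA
            status = "ok" if tags.get(label) == ref else "sha-label-mismatch"
        results.append((n, status))
    return results

if __name__ == "__main__":
    print(audit(WORKFLOW, parse_tags(LS_REMOTE)))
```

In practice the tag map would come from `git ls-remote --tags https://github.com/github/codeql-action` rather than the embedded string.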

@rwgk rwgk closed this Jan 2, 2026

dependabot bot commented on behalf of github Jan 2, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/github_actions/actions-monthly-34cf0c888b branch January 2, 2026 18:00