diff --git a/.github/dependabot.yml b/.github/dependabot.yml index b0ed30a..7241a85 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,6 +6,13 @@ updates: interval: "weekly" commit-message: prefix: "chore" + # The codeql-action sub-actions (init, autobuild, analyze) must move in + # lockstep — a partial bump makes CodeQL fail with a step-version mismatch. + # Grouping them means Dependabot opens a single PR that updates all usages. + groups: + codeql-action: + patterns: + - "github/codeql-action*" - package-ecosystem: "docker" directory: "/" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b5642d5..298ff8f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -38,14 +38,14 @@ jobs: fetch-depth: 1 - name: Initialize CodeQL - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/autobuild@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 with: category: "/language:${{ matrix.language }}"