Skip to content

Bump github/codeql-action from 3 to 4#38

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/github/codeql-action-4
Closed

Bump github/codeql-action from 3 to 4#38
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/github/codeql-action-4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Dec 17, 2025

Copy link
Copy Markdown
Contributor

Bumps github/codeql-action from 3 to 4.

Release notes

Sourced from github/codeql-action's releases.

v3.31.9

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.9 - 16 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.31.8

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.8 - 11 Dec 2025

  • Update default CodeQL bundle version to 2.23.8. #3354

See the full CHANGELOG.md for more information.

v3.31.7

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.7 - 05 Dec 2025

  • Update default CodeQL bundle version to 2.23.7. #3343

See the full CHANGELOG.md for more information.

v3.31.6

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.6 - 01 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.31.5

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.5 - 24 Nov 2025

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

4.31.5 - 24 Nov 2025

  • Update default CodeQL bundle version to 2.23.6. #3321

4.31.4 - 18 Nov 2025

No user facing changes.

Commits
  • 7e0b77e Merge pull request #3349 from github/dependabot/github_actions/dot-github/wor...
  • 0264b51 Merge pull request #3348 from github/dependabot/npm_and_yarn/npm-minor-38a2a7...
  • 2ac846d Merge branch 'main' into dependabot/npm_and_yarn/npm-minor-38a2a793c5
  • 5d063dd Populate database upload results telemetry
  • 8e921c3 Return status report from cleanupAndUploadDatabases
  • 4b675e4 Merge pull request #3356 from github/mergeback/v4.31.8-to-main-1b168cd3
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Dec 17, 2025
@IEvangelist

Copy link
Copy Markdown
Owner

Subsumed by #51 which SHA-pins all third-party Actions to current latest stable and bumps every NuGet package (incl. those in this group). See #51 for the consolidated update + the new auto-merge workflow that handles future Dependabot PRs.

@IEvangelist IEvangelist closed this May 5, 2026
@dependabot @github

dependabot Bot commented on behalf of github May 5, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/github_actions/github/codeql-action-4 branch May 5, 2026 16:13
IEvangelist added a commit that referenced this pull request May 5, 2026
…s, add Dependabot auto-merge (#51)

Three independent improvements bundled into one PR because they all touch the same supply-chain surface area:

**1. SHA-pin every third-party GitHub Action.** All `uses:` references now resolve to a 40-char commit SHA with a trailing `# v<X.Y.Z>` comment so Dependabot still tracks updates. This prevents tag-replay supply-chain attacks (an action owner can repoint a major-version float tag to a malicious commit, which would silently land in CI on the next run). Dependabot's behaviour is documented at https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.

  Pinned versions:

  - actions/checkout            v4 -> v6.0.2 (de0fac2e4500dabe0009e67214ff5f5447ce83dd)

  - actions/setup-dotnet        v4 -> v5.2.0 (c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7)

  - actions/upload-artifact     v4 -> v7.0.1 (043fb46d1a93c77aae656e7c1c64a875d1fc6a0a)

  - github/codeql-action/{init,autobuild,analyze}  v3 -> v4 (e46ed2cbd01164d986452f91f178727624ae40d7)

**2. Bump every NuGet package to its current latest stable.** SharpCompress 0.47.0 removed the `ReaderFactory.Open`/`ArchiveFactory.Open`/`WriterFactory.Open` overloads in favour of `OpenReader`/`OpenArchive`/`OpenWriter` (https://github.com/adamhathcock/sharpcompress/blob/master/CHANGELOG.md), which required mechanical migration of two call sites in `DefaultToolCacheService` and three call sites in `ExtractionTests`. No semantic behaviour change; full managed + AOT test matrix passes (602 tests, 0 failed).

  Bumps in Directory.Packages.props:

  - Microsoft.SourceLink.GitHub                            8.0.0     -> 10.0.203

  - MinVer                                                 6.0.0     -> 7.0.0

  - Microsoft.Extensions.{DI,DI.Abstractions,Http}         10.0.1    -> 10.0.7

  - Microsoft.Extensions.Http.Resilience                   10.1.0    -> 10.5.0

  - Microsoft.NET.Test.Sdk                                 17.12.0   -> 18.5.1

  - System.Linq.Async                                      6.0.1     -> 7.0.1

  - System.Text.Json                                       9.0.0     -> 10.0.7

  - SharpCompress                                          0.40.0    -> 0.47.4 (breaking API)

  - ZstdSharp.Port                                         0.8.6     -> 0.8.8

  - Pathological.Globbing                                  9.0.0     -> 9.1.0

  - xunit.runner.visualstudio                              3.0.1     -> 3.1.5

  - coverlet.collector                                     6.0.4     -> 10.0.0

**3. Add Dependabot auto-merge workflow** at `.github/workflows/dependabot-auto-merge.yml`. Triggers on every Dependabot PR and runs `gh pr merge --auto --squash`, which queues a squash merge to fire as soon as every required status check passes. If any check fails the merge never happens and the PR stays open for manual review. Uses `dependabot/fetch-metadata@25dd0e3` (v3.1.0, SHA-pinned).

Verified: `dotnet build -c Release -m:1` 0 warn / 0 err; `dotnet test` 602 passed / 5 skipped / 0 failed across managed + AOT test matrix. The 4 stale Dependabot PRs (#38, #39, #40, #48) will get refreshed by Dependabot's next weekly run against this updated main.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant