
chore(deps): bump github/codeql-action from 4.34.1 to 4.36.2#267

Merged
seonghobae merged 11 commits into develop from dependabot/github_actions/develop/github/codeql-action-4.36.2 on Jun 11, 2026

Conversation

dependabot Bot commented on behalf of github Jun 9, 2026
Bumps github/codeql-action from 4.34.1 to 4.36.2.

Release notes

Sourced from github/codeql-action's releases.

v4.36.2

  • Cache CodeQL CLI version information across Actions steps. #3943
  • Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937
  • Update default CodeQL bundle version to 2.25.6. #3948

v4.36.1

No user facing changes.

v4.36.0

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

v4.35.5

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v4.35.4

  • Update default CodeQL bundle version to 2.25.4. #3881

v4.35.3

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

v4.35.2

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

v4.35.1

v4.35.0

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.36.2 - 04 Jun 2026

  • Cache CodeQL CLI version information across Actions steps. #3943
  • Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937
  • Update default CodeQL bundle version to 2.25.6. #3948

4.36.1 - 02 Jun 2026

No user facing changes.

4.36.0 - 22 May 2026

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

4.35.5 - 15 May 2026

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

  • Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

... (truncated)

Commits
  • 8aad20d Merge pull request #3949 from github/update-v4.36.2-dcb947ce1
  • f521b08 Add additional changelog notes
  • 8aeff0f Update changelog for v4.36.2
  • dcb947c Merge pull request #3948 from github/update-bundle/codeql-bundle-v2.25.6
  • c251bce Add changelog note
  • 62953c1 Update default bundle to codeql-bundle-v2.25.6
  • 423b570 Merge pull request #3946 from github/dependabot/npm_and_yarn/npm-minor-5d507a...
  • c35d1b1 Merge pull request #3947 from github/dependabot/github_actions/dot-github/wor...
  • cb1a588 Merge pull request #3937 from github/robertbrignull/waitForProcessing_backoff
  • ba47406 Merge pull request #3943 from github/henrymercer/cache-cli-version-info
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.34.1 to 4.36.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v4.34.1...8aad20d)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 9, 2026
dependabot Bot commented on behalf of github Jun 9, 2026

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from seonghobae as a code owner June 9, 2026 17:24
coderabbitai Bot commented Jun 9, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: aafdb21e-151c-424f-8990-0e6f11d0a49a

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Updates the pinned commit SHA of the github/codeql-action upload-sarif action to v4.36.2 in three GitHub Actions workflows (codeql.yml, ossf-scorecard.yml, trivy.yml). Workflow logic is unchanged.

Changes

GitHub Actions security scanning update

Layer / File(s) | Summary

CodeQL action version upgrade
.github/workflows/codeql.yml
Updates the pinned commit SHAs of the init, autobuild and analyze steps from the v4.34.1 series to the v4.36.2 series.

SARIF upload action SHA update
.github/workflows/ossf-scorecard.yml, .github/workflows/trivy.yml
Changes the pinned commit SHA of the github/codeql-action/upload-sarif step in both workflows to v4.36.2.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Related PRs

Suggested reviewers

  • seonghobae

Celebration poem

🐰 Swapping the action pins for new ones,
the workflow smiles quietly,
numbers dance along the SHA road,
one line changes and the logs run clear,
CI runs calmly once more ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly summarizes the change, upgrading github/codeql-action from 4.34.1 to 4.36.2, and matches the main content of the changeset.
Description check | ✅ Passed | The description provides sufficient information about the change, including the version upgrade, release notes, changelog and commit history.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:

In @.github/workflows/ossf-scorecard.yml:
- Line 69: Update the inline comment that documents the version for the pinned SHA on the uses line "github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e" so the comment's human-readable tag matches the SHA used elsewhere (change "v4.35.2" to "v4.36.2"); locate the comment at the end of that uses line and replace the version string only, keeping the SHA pin and explanatory text intact.

In @.github/workflows/trivy.yml:
- Line 41: The inline comment next to the GitHub Action SHA pin for github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e is stale (it says v4.35.2); update the comment so the annotated tag/version matches the pinned commit SHA (or remove the tag annotation) to avoid misleading version information during security reviews. Look for the uses line referencing upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e and correct the adjacent comment text accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 75b67594-5e7b-43f2-aa1c-d18e60d3d84c

📥 Commits

Reviewing files that changed from the base of the PR and between 63a61bb and d958455.

📒 Files selected for processing (3)
  • .github/workflows/codeql.yml
  • .github/workflows/ossf-scorecard.yml
  • .github/workflows/trivy.yml

@seonghobae seonghobae enabled auto-merge June 10, 2026 13:39

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:

In @.github/workflows/trivy.yml:
- Line 41: The workflow pins github/codeql-action/upload-sarif to a SHA that does not match the v4.36.2 tag; update the pinned commit or clarify intent: replace the current SHA 8aad20d150bbac5944a9f9d289da16a4b0d87c1e with the v4.36.2 tag's commit SHA 1a818fd5f97ed0ee9a823421bd5b171add01227f so the comment and pin align, or if you deliberately need a different commit keep the existing SHA but change the comment to explicitly state the actual commit SHA and reason for choosing it (referencing upload-sarif and the v4.36.2 tag).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 664a879e-2162-406f-9a47-2223e4d9c90d

📥 Commits

Reviewing files that changed from the base of the PR and between d958455 and 6a58768.

📒 Files selected for processing (2)
  • .github/workflows/ossf-scorecard.yml
  • .github/workflows/trivy.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/ossf-scorecard.yml

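Both CodeRabbit findings above come down to one hygiene point: a `uses:` reference pinned to a full commit SHA is only as trustworthy as the check that the SHA really is the commit the named release tag points to, and the trailing `# vX.Y.Z` comment is documentation that drifts unless something verifies it. The checker below is an added example written for this discussion; it is not code from this PR, from github/codeql-action, from Dependabot or from CodeRabbit. It scans `uses:` lines, flags references that are not full SHAs (tags and branches are mutable), and compares each pinned SHA against a repo -> {tag: commit} table, reporting a stale comment when the label disagrees with the tag the SHA resolves to. The workflow fragment and the tag table are constructed sample data: the two SHAs are copied from the review comments, and the table simply mirrors the second comment's statement that 1a818fd5... is the v4.36.2 tag commit, which is not verified here. The `tags_from_ls_remote()` helper shows how the table would be built for real with `git ls-remote --tags`; the offline demo does not call it.

```python
"""Consistency check for SHA-pinned GitHub Actions `uses:` references.

Added example for this PR discussion; not code from the PR, github/codeql-action,
Dependabot or CodeRabbit. Sample workflow text and the tag table are constructed.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Matches `uses: owner/repo[/subpath]@ref  # optional-version-comment`.
# Local actions (./path) and docker:// references contain no `@` and are skipped.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*["']?
        (?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)   # owner/repo
        (?:/[A-Za-z0-9_.-]+)*                        # optional subpath, e.g. /upload-sarif
        @(?P<ref>[^\s#"']+)["']?                     # pinned ref: SHA, tag or branch
        (?:\s*\#\s*(?P<comment>\S+))?                # trailing human-readable version label
    """,
    re.VERBOSE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    repo: str
    ref: str
    comment: str | None
    status: str  # "ok" | "not-pinned" | "unknown-sha" | "stale-comment"


def is_full_sha(ref: str) -> bool:
    """Full SHA-1 (40 hex) or SHA-256 (64 hex) object ID; anything shorter is mutable or ambiguous."""
    return re.fullmatch(r"[0-9a-f]{40}|[0-9a-f]{64}", ref) is not None


def check_pins(workflow_text: str, tags: dict[str, dict[str, str]]) -> list[Finding]:
    """Audit every `uses:` line against a repo -> {tag: commit_sha} table."""
    findings: list[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref, comment = m.group("repo"), m.group("ref"), m.group("comment")
        if not is_full_sha(ref):
            status = "not-pinned"        # tag or branch: can be moved after review
        else:
            sha_to_tag = {sha: tag for tag, sha in tags.get(repo, {}).items()}
            tag = sha_to_tag.get(ref)
            if tag is None:
                status = "unknown-sha"   # not a release commit we know of; cannot vouch for it
            elif comment is not None and comment != tag:
                status = "stale-comment" # pin is a known release, but the label drifted
            else:
                status = "ok"
        findings.append(Finding(line_no, repo, ref, comment, status))
    return findings


def tags_from_ls_remote(repo: str) -> dict[str, str]:
    """Build {tag: commit_sha} for one repo from `git ls-remote --tags` (network call,
    not used by the offline demo). Annotated tags appear twice; the `^{}` (peeled)
    entry is the commit the tag points to, so it takes precedence."""
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{repo}"],
        check=True, capture_output=True, text=True,
    ).stdout
    table: dict[str, str] = {}
    for sha, ref in (l.split("\t") for l in out.splitlines() if "\t" in l):
        peeled = ref.endswith("^{}")
        tag = ref.removeprefix("refs/tags/").removesuffix("^{}")
        if peeled or tag not in table:
            table[tag] = sha
    return table


# Constructed workflow fragment covering the situations raised in review.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - name: Upload Trivy SARIF
    uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.35.2
  - uses: github/codeql-action/init@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2
  - uses: github/codeql-action/analyze@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.34.1
"""

# Assumed tag table: mirrors the second review comment's claim about v4.36.2 and is
# not independently verified. In real use, populate it with tags_from_ls_remote().
SAMPLE_TAGS = {
    "github/codeql-action": {"v4.36.2": "1a818fd5f97ed0ee9a823421bd5b171add01227f"},
}


def sample_statuses() -> list[str]:
    """Statuses for SAMPLE_WORKFLOW in file order."""
    return [f.status for f in check_pins(SAMPLE_WORKFLOW, SAMPLE_TAGS)]


if __name__ == "__main__":
    for f in check_pins(SAMPLE_WORKFLOW, SAMPLE_TAGS):
        print(f"line {f.line_no}: {f.repo}@{f.ref[:12]} ({f.comment}) -> {f.status}")
```

The checker is line-oriented rather than a YAML parser, which is enough for `uses:` lines as they appear in these workflows; a reference split across lines or built from an expression would need a real parser. Treating an unknown SHA as a finding, rather than trusting the comment beside it, is the point: the comment is what a reviewer reads, the SHA is what runs, and only a lookup against the upstream tags ties the two together.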
seonghobae (Collaborator) commented

@coderabbitai resolve

coderabbitai Bot commented Jun 10, 2026

✅ Action performed

Comments resolved and changes approved.

seonghobae (Collaborator) commented

@coderabbitai resolve

coderabbitai Bot commented Jun 10, 2026

✅ Action performed

Comments resolved and changes approved.

seonghobae (Collaborator) commented

@coderabbitai resolve

coderabbitai Bot commented Jun 10, 2026

✅ Action performed

Comments resolved and changes approved.

seonghobae (Collaborator) commented

@coderabbitai resolve

coderabbitai Bot commented Jun 10, 2026

Rate Limit Exceeded

@seonghobae has exceeded the limit for the number of chat messages per hour. Please wait 4 minutes and 9 seconds before sending another message.

@seonghobae seonghobae merged commit c9bc20c into develop Jun 11, 2026
22 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/develop/github/codeql-action-4.36.2 branch June 11, 2026 23:09