
fix(ci): pin codeql-action with exact version comment #481

Merged: jdx merged 1 commit into main from fix/codeql-action-version-comments on May 17, 2026

Conversation

@jdx (Owner) commented May 17, 2026

Summary

  • Update the # v4 comments on the three github/codeql-action/* SHA pins in codeql-analysis.yml to # v4.35.4, matching what the pinned SHA actually resolves to.
  • Resolves the three ref-version-mismatch medium findings that are currently failing the zizmor check on every PR.

Test plan

  • zizmor workflow passes on this branch
  • CodeQL workflow still runs (no behavior change — same SHA pinned, only the comment changed)

🤖 Generated with Claude Code


Note: Low Risk
Comment-only change in CI workflow; the CodeQL action SHA pins are unchanged so runtime behavior should not change.

Overview
Updates .github/workflows/codeql-analysis.yml to change the inline version comments on the pinned github/codeql-action steps (init, autobuild, analyze) from # v4 to # v4.35.4, matching the existing pinned SHA and avoiding version-mismatch lint findings.

Reviewed by Cursor Bugbot for commit e3a6003.

Zizmor's ref-version-mismatch audit flagged the # v4 comments — the
pinned SHA actually resolves to v4.35.4, so the comment was misleading
and caused zizmor to fail with exit code 13.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@greptile-apps (Bot) commented May 17, 2026

Greptile Summary

This PR updates the version comments on the three github/codeql-action SHA-pinned steps in codeql-analysis.yml from the vague # v4 to the precise # v4.35.4. No SHA values are changed; the pinned commit 68bde559dea0fdcac2102bfdf6230c5f70eb485e is confirmed to correspond to v4.35.4, making the comments accurate.

  • Updates # v4 → # v4.35.4 on codeql-action/init, codeql-action/autobuild, and codeql-action/analyze steps, resolving three ref-version-mismatch findings from the zizmor security scanner.
  • No runtime behavior change — same SHA, same action versions, only the inline comment is more specific.

Confidence Score: 5/5

Safe to merge — the change is comment-only with no runtime impact.

All three SHA pins are unchanged and confirmed to match v4.35.4; the only modification is the inline annotation becoming more specific. There is no logic, configuration, or permission change of any kind.

No files require special attention.

Important Files Changed

Filename: .github/workflows/codeql-analysis.yml
Overview: Comment-only update: three # v4 version annotations updated to # v4.35.4 on pinned SHA references; the SHA itself is unchanged and confirmed to match v4.35.4.

Reviews (1): Last reviewed commit: "fix(ci): pin codeql-action with exact ve..."
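To make the finding concrete, here is an added example (not code from this PR, from the repository, or from zizmor itself) of a small offline checker in the spirit of the ref-version-mismatch audit described in the PR summary and the Greptile summary above. It parses SHA-pinned `uses:` lines from a workflow, resolves each SHA to the tag(s) that point at it through a lookup table, and reports any line whose trailing version comment does not name one of those tags. The lookup table is a constructed stand-in for what a real tool would obtain from the remote (for example `git ls-remote --tags`; how zizmor actually resolves refs is not described on this page), and its single entry is the SHA and version the PR states. The "before" workflow fragment is likewise constructed to mirror the three lines the PR describes, not copied from the repository.

```python
"""Offline check for SHA-pin / version-comment mismatches in a GitHub
Actions workflow.  Added example; not the project's code and not zizmor."""
import re

# Constructed resolver table: commit SHA -> set of tags pointing at it.
# A real tool would populate this from the remote; the entry below is the
# SHA -> v4.35.4 correspondence the PR itself states.
RESOLVED_TAGS = {
    "68bde559dea0fdcac2102bfdf6230c5f70eb485e": {"v4.35.4"},
}

# Matches "- uses: owner/repo[/path]@<ref>  # <comment>"; the comment is optional.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
SHA_RE = re.compile(r"[0-9a-f]{40}")


def check_workflow(text):
    """Return one finding per mismatched line as
    (line_no, action, sha, comment, sorted_resolved_tags)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not SHA_RE.fullmatch(ref):
            continue  # tag- or branch-pinned; a different audit covers that case
        tags = RESOLVED_TAGS.get(ref)
        if tags is None:
            continue  # unknown commit: nothing to compare against offline
        # A missing comment, or one naming a version the SHA does not resolve
        # to (here "v4" versus the resolved "v4.35.4"), is a mismatch.
        if comment is None or comment not in tags:
            findings.append((line_no, action, ref, comment, sorted(tags)))
    return findings


# Constructed fragment mirroring the three lines the PR describes.
BEFORE = """\
    steps:
      - uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
      - uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
      - uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
"""
# The PR's fix: same SHA, only the comment becomes exact.
AFTER = BEFORE.replace("# v4\n", "# v4.35.4\n")


def describe(findings):
    """Render findings as human-readable lines, one per mismatch."""
    return [
        f"line {n}: {action}@{sha[:7]} is annotated '# {comment}' "
        f"but the SHA resolves to {', '.join(tags)}"
        for n, action, sha, comment, tags in findings
    ]


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        found = check_workflow(text)
        print(f"{label}: {len(found)} mismatch(es)")
        for msg in describe(found):
            print("  " + msg)
```

Running the block reports three mismatches for the "before" fragment and none for the "after" fragment, which is the same outcome the PR describes for the zizmor check. The check deliberately skips non-SHA refs and unknown commits rather than guessing, so a mismatch is only ever reported when the table gives a definite answer.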

jdx merged commit 6e1ac6b into main on May 17, 2026
15 of 19 checks passed
jdx deleted the fix/codeql-action-version-comments branch on May 17, 2026 at 16:54
jdx mentioned this pull request on May 22, 2026
jdx mentioned this pull request on Jun 4, 2026