chore(deps): bump github/codeql-action from 4.32.6 to 4.35.1 #314
dependabot[bot] wants to merge 1 commit into main from
Conversation
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.6 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@0d579ff...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Greptile Summary
This is a routine Dependabot bump of Key changes included in the upstream versions:
Confidence Score: 5/5
This PR is safe to merge — it is a straightforward, consistent Dependabot version bump with no logic changes. All four action references are updated uniformly and correctly: both the pinned commit SHA and the inline version comment match the target release. No custom logic was modified, and the upstream changelog shows only bug fixes and improvements with no breaking changes. No files require special attention.
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[security.yml Workflow] --> B[actions/checkout]
B --> C[codeql-action/init v4.35.1]
C --> D[codeql-action/autobuild v4.35.1]
D --> E[codeql-action/analyze v4.35.1]
E --> F[CodeQL Results]
A --> G[ossf/scorecard-action]
G --> H[codeql-action/upload-sarif v4.35.1]
H --> I[Scorecard SARIF Upload]
Reviews (1): Last reviewed commit: "chore(deps): bump github/codeql-action f..."
LGTM — straightforward Dependabot bump of github/codeql-action from 4.32.6 to 4.35.1 with correct SHA pins and version comments.
Extended reasoning...
Overview
This PR updates four github/codeql-action references in .github/workflows/security.yml — init, autobuild, analyze, and upload-sarif — from commit SHA 0d579ffd... (v4.32.6) to c10b8064... (v4.35.1). No logic, configuration, or non-action-version content is touched.

### Security risks
The only flagged issue is a pre-existing incorrect version comment on actions/checkout (# v6 when v4 is the latest major), which this PR neither introduces nor worsens. The new github/codeql-action SHA pins match the v4.35.1 tag as documented in the Dependabot-generated commit list, so there is no supply-chain concern with the changes themselves.

### Level of scrutiny
Low. This is a mechanical Dependabot dependency bump with no behaviour changes to the repository's application code. The version jump (4.32.6 → 4.35.1) brings incremental analysis and CodeQL bundle improvements, all backward-compatible.

### Other factors
No prior reviews on this PR from any reviewer. The pre-existing actions/checkout # v6 comment nit is captured as an inline annotation and is out of scope for this PR's approval decision.
| @@ -28,16 +28,16 @@ jobs: | |||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |||
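Review bot: the only visible line of this hunk is unchanged context, `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`, so the codeql-action edits that the header `@@ -28,16 +28,16 @@ jobs:` announces cannot be checked from what is shown here; before merging, confirm in the full diff that each of the four codeql-action `uses:` lines carries the new SHA together with a `# v4.35.1` comment, and leave the `# v6` comment on the checkout pin out of this PR but verify it against the tag that commit actually resolves to, since the comment is the only human-readable hint an auditor has.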
🟣 Pre-existing issue: All three actions/checkout steps (lines 28, 51, 69) are pinned to commit de0fac2e4500dabe0009e67214ff5f5447ce83dd with the comment # v6, but actions/checkout has never released a v6 — the latest major version is v4. The incorrect comment undermines the auditability purpose of commit-pinned actions; to fix, update the comment to reflect the actual release tag (e.g., # v4.1.x) that corresponds to the pinned commit.
Extended reasoning...
What the bug is and how it manifests
All three actions/checkout steps in .github/workflows/security.yml (lines 28, 51, and 69) reference the action as actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6. The comment # v6 is factually incorrect — actions/checkout has only released up to major version v4 (the latest as of early 2026 is in the v4.x line). There is no v6 tag or release in the actions/checkout repository.
The specific code path that triggers it
Every job in this workflow (codeql, dependency-review, scorecard) checks out code using this step. The SHA pin itself may be valid for the v4.x line, but the comment annotation misleads anyone trying to audit the pin by claiming it corresponds to a non-existent v6 release.
Why existing code doesn't prevent it
GitHub Actions does not validate that commit-pinning comments are accurate — they are purely informational annotations. There is no lint or CI check enforcing that the comment matches the actual tag associated with the pinned SHA.
Impact
The primary purpose of commit-SHA pinning in security workflows is auditability: reviewers and automated tools should be able to cross-reference the hash against a known release tag. With an incorrect version comment (# v6), an auditor searching for actions/checkout v6 will find no such release, casting doubt on the legitimacy of the pin and undermining the supply-chain security posture this workflow is designed to enforce.
How to fix it
Determine which v4.x release corresponds to the pinned commit de0fac2e4500dabe0009e67214ff5f5447ce83dd and update the comment accordingly (e.g., # v4.1.x). Alternatively, update all three checkout steps to the latest v4 release with its correct commit hash and comment.
Step-by-step proof
- Examine line 28: `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`
- Check the actions/checkout releases: tags go up to v4.x.x — there is no v5 or v6 release.
- An auditor trying to verify the pin would search for actions/checkout v6, find nothing, and be unable to confirm the hash is a legitimate official release.
- The same incorrect comment appears at lines 51 and 69 for the dependency-review and scorecard jobs respectively.
- This PR only modifies github/codeql-action version pins — the actions/checkout lines are unchanged context, confirming this is entirely pre-existing.
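The gap the review above points at (nothing in GitHub Actions checks that a `# vX.Y.Z` comment agrees with the pinned SHA) is easy to close with a small audit step. The following is an added example, not code from this pull request or from github/codeql-action: it parses `uses:` lines out of a workflow, resolves each pinned SHA against the tags that `git ls-remote --tags <repo-url>` reports (handling annotated tags, whose peeled `^{}` line carries the commit SHA a workflow actually pins), and reports mismatched or missing version comments as well as steps that are not SHA-pinned at all. The workflow text, SHAs and tag listings are constructed for the demo; in real use you would feed it the live `git ls-remote` output for each action repository.

```python
"""Audit commit-pinned GitHub Actions: does each `# vX.Y.Z` comment agree
with the tag the pinned SHA really resolves to?  Added example, not code
from this pull request or from github/codeql-action; every SHA, tag and
workflow line below is constructed for the demo."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# `uses: owner/repo[/path]@<40-hex sha>   # comment`   (comment optional)
PIN_RE = re.compile(
    r"uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<sha>[0-9a-f]{40})"
    r"[ \t]*(?:#[ \t]*(?P<comment>\S+))?"
)
# A `uses:` whose ref is not a full SHA (tag or branch): a mutable pin.
MUTABLE_RE = re.compile(r"uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)")


@dataclass(frozen=True)
class Pin:
    line: int
    action: str
    sha: str
    comment: Optional[str]


def parse_ls_remote(output: str) -> Dict[str, Set[str]]:
    """Turn `git ls-remote --tags <url>` output into {commit_sha: {tags}}.
    An annotated tag is listed twice; its peeled `^{}` line carries the commit
    SHA, which is what a workflow pins, so it overrides the tag-object SHA."""
    tag_obj: Dict[str, str] = {}
    peeled: Dict[str, str] = {}
    for line in output.splitlines():
        if "\t" not in line:
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            tag_obj[name] = sha
    by_sha: Dict[str, Set[str]] = {}
    for name, sha in tag_obj.items():
        by_sha.setdefault(peeled.get(name, sha), set()).add(name)
    return by_sha


def parse_pins(workflow_text: str) -> Tuple[List[Pin], List[Tuple[int, str, str]]]:
    """Split `uses:` lines into SHA-pinned steps and mutable (tag/branch) ones."""
    pins, mutable = [], []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = PIN_RE.search(line)
        if m:
            pins.append(Pin(lineno, m["action"], m["sha"], m["comment"]))
            continue
        m = MUTABLE_RE.search(line)
        if m:
            mutable.append((lineno, m["action"], m["ref"]))
    return pins, mutable


def comment_matches(comment: str, tags: Set[str]) -> bool:
    """`# v4` is accepted for a SHA tagged v4.2.2; `# v4.2.2` must match exactly."""
    return any(t == comment or t.startswith(comment + ".") for t in tags)


def audit(workflow_text: str, tags_by_repo: Dict[str, Dict[str, Set[str]]]) -> List[Tuple[int, str, str]]:
    """Return (line, action, reason) findings sorted by line.
    tags_by_repo maps 'owner/repo' -> parse_ls_remote(...) output for that repo."""
    findings: List[Tuple[int, str, str]] = []
    pins, mutable = parse_pins(workflow_text)
    for lineno, action, ref in mutable:
        findings.append((lineno, action, f"not pinned to a commit SHA (uses {ref})"))
    for p in pins:
        repo = "/".join(p.action.split("/")[:2])  # drop any sub-action path
        tags = tags_by_repo.get(repo, {}).get(p.sha)
        if not tags:
            findings.append((p.line, p.action, "SHA does not match any known tag"))
        elif p.comment is None:
            findings.append((p.line, p.action, f"no version comment (tags: {sorted(tags)})"))
        elif not comment_matches(p.comment, tags):
            findings.append((p.line, p.action, f"comment '# {p.comment}' but SHA is tagged {sorted(tags)}"))
    return sorted(findings)


# ---- constructed demo data: none of these SHAs or tag listings are real ----
SHA_CHECKOUT, SHA_CHECKOUT_TAGOBJ = "1" * 40, "3" * 40
SHA_CODEQL, SHA_UNKNOWN = "2" * 40, "4" * 40
SAMPLE_WORKFLOW = f"""
jobs:
  codeql:
    steps:
      - uses: actions/checkout@{SHA_CHECKOUT} # v6
      - uses: github/codeql-action/init@{SHA_CODEQL} # v4.35.1
      - uses: github/codeql-action/analyze@{SHA_CODEQL}
      - uses: ossf/scorecard-action@{SHA_UNKNOWN} # v2.4.0
      - uses: actions/upload-artifact@v4
"""
# Pretend `git ls-remote --tags` output; v4 is annotated (tag object + peeled line).
LS_REMOTE_CHECKOUT = (
    f"{SHA_CHECKOUT}\trefs/tags/v4.2.2\n"
    f"{SHA_CHECKOUT_TAGOBJ}\trefs/tags/v4\n"
    f"{SHA_CHECKOUT}\trefs/tags/v4^{{}}\n"
)
LS_REMOTE_CODEQL = f"{SHA_CODEQL}\trefs/tags/v4.35.1\n"
TAGS = {
    "actions/checkout": parse_ls_remote(LS_REMOTE_CHECKOUT),
    "github/codeql-action": parse_ls_remote(LS_REMOTE_CODEQL),
}

if __name__ == "__main__":
    for line, action, reason in audit(SAMPLE_WORKFLOW, TAGS):
        print(f"line {line}: {action}: {reason}")
```

Run stand-alone it reports four findings on the constructed workflow: the checkout line whose `# v6` comment disagrees with the v4 tags its SHA carries, an analyze step with no comment at all, a scorecard step whose SHA matches no known tag, and an upload-artifact step pinned to a mutable tag. Wiring `audit()` into CI with real `git ls-remote` output turns the purely informational comment into something that is actually checked.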
Bumps github/codeql-action from 4.32.6 to 4.35.1.
Release notes
Sourced from github/codeql-action's releases.
Changelog
Sourced from github/codeql-action's changelog.
... (truncated)
Commits
- c10b806 Merge pull request #3782 from github/update-v4.35.1-d6d1743b8
- c5ffd06 Update changelog for v4.35.1
- d6d1743 Merge pull request #3781 from github/henrymercer/update-git-minimum-version
- 65d2efa Add changelog note
- 2437b20 Update minimum git version for overlay to 2.36.0
- ea5f719 Merge pull request #3775 from github/dependabot/npm_and_yarn/node-forge-1.4.0
- 45ceeea Merge pull request #3777 from github/mergeback/v4.35.0-to-main-b8bb9f28
- 24448c9 Rebuild
- 7c51060 Update changelog and version after v4.35.0
- b8bb9f2 Merge pull request #3776 from github/update-v4.35.0-0078ad667

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)