Skip to content

Downgrade CodeQL action versions to specific commits#351

Open
johnoliver wants to merge 1 commit intomainfrom
johnoliver-patch-2
Open

Downgrade CodeQL action versions to specific commits#351
johnoliver wants to merge 1 commit intomainfrom
johnoliver-patch-2

Conversation

@johnoliver
Copy link
Member

@johnoliver johnoliver commented Feb 4, 2026

Downgrade codeql as latest version seems to incorrectly classify languages

@johnoliver
Update CodeQL action versions to specific commits
c1ad7c5 
Downgrade codeql as latest version seems to incorrectly classify languages
Copilot AI review requested due to automatic review settings February 4, 2026 14:12
Copilot AI reviewed Feb 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request downgrades the CodeQL action from using semantic version @v4 to a pinned commit hash to address language classification issues in the latest version.

Changes:

  • Replaced @v4 with commit hash @cf1bb45a277cb3c205638b2cd5c984db1c46a412 for all three CodeQL actions (init, autobuild, and analyze)

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/codeql-analysis.yml
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding a comment explaining why this specific commit is pinned and what issue it resolves. The PR description mentions "incorrectly classify languages" but this workflow only analyzes Java. This would help future maintainers understand the decision and know when it's safe to upgrade.

Copilot uses AI. Check for mistakes.
.github/workflows/codeql-analysis.yml
Comment on lines 37 to 76
@@ -48,7 +48,7 @@ jobs:
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
if: ${{ matrix.language != 'java' }}
uses: github/codeql-action/autobuild@v4
uses: github/codeql-action/autobuild@cf1bb45a277cb3c205638b2cd5c984db1c46a412

- name: Setup JDK
uses: actions/setup-java@v5
@@ -73,6 +73,6 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pinning to a specific commit hash has maintenance implications - this action will not automatically receive security updates or bug fixes. Consider setting up a process to periodically review and update this pinned version, or document when it's expected to be safe to upgrade back to a versioned tag.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@johnoliver