From aa831d0b8989e16923316f19ab11de644c595e8d Mon Sep 17 00:00:00 2001 From: John Kerl Date: Thu, 9 Jul 2026 15:11:46 -0400 Subject: [PATCH] Group codeql-action Dependabot bumps to keep init/autobuild/analyze in sync The workflow pins all three codeql-action steps to the same commit SHA, but Dependabot was opening separate PRs per action path, so merging just one broke CI with a CodeQL config-version mismatch. Co-Authored-By: Claude Sonnet 5 --- .github/dependabot.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6e56be257..ddc459a4d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -10,6 +10,13 @@ updates: directory: "/" schedule: interval: "daily" + groups: + # The codeql-analysis.yml workflow pins init/autobuild/analyze to the + # same commit SHA, so they must be bumped together or CI breaks with a + # CodeQL config-version mismatch. + codeql-action: + patterns: + - "github/codeql-action/*" # Maintain dependencies for Go - package-ecosystem: "gomod"