
ci(codeql): upgrade CodeQL Action v1→v4 and checkout v2→v4#914

Open
skypank-coder wants to merge 1 commit into
OWASP:mainfrom
skypank-coder:ci/codeql-v4-upgrade

Conversation

@skypank-coder

What

Brings the CodeQL code-scanning workflow up to parity with the rest of the repo:

  • github/codeql-action/{init,autobuild,analyze}: v1 → v4
  • actions/checkout: v2 → v4 (matching every other workflow, which already use @v4)

Why

The workflow was pinned to CodeQL Action v1, retired by GitHub in 2023 — so
code scanning has effectively been failing rather than just out of date. v4 runs on
the Node 24 runtime and is the correct target (v3 deprecates Dec 2026). Python is a
non-compiled language for CodeQL, so autobuild is a no-op and there's no build
dependency; left in place for a minimal diff.

Note: this intentionally tracks the repo's existing checkout@v4 pin. A separate,
repo-wide migration of all workflows to Node 24 (checkout@v5, etc.) can follow.

Validation

Ran on my fork against main — all checks green, including CodeQL / Analyze (python)
and Code scanning results / CodeQL (no new alerts). CI version bumps only; no
functional changes.

@coderabbitai

coderabbitai Bot commented Jun 2, 2026


Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow to use the latest versions for improved security and stability.

Walkthrough

The CodeQL analysis workflow updates GitHub Action versions from v1/v2 to v4, upgrading the checkout, initialization, autobuild, and analysis steps to their latest versions while preserving workflow structure and configuration.

Changes

CodeQL Workflow Actions Upgrade

Layer / File(s): GitHub Actions v4 upgrade (.github/workflows/codeql-analysis.yml)
Summary: All CodeQL workflow actions are updated: actions/checkout@v4, github/codeql-action/init@v4, github/codeql-action/autobuild@v4, and github/codeql-action/analyze@v4.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and clearly summarizes the main changes: upgrading CodeQL Action from v1 to v4 and checkout from v2 to v4, which matches the actual modifications in the workflow file.
Description check ✅ Passed The description is directly related to the changeset, providing detailed context about why the upgrades are necessary, validation results, and technical rationale for the version changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.




@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql-analysis.yml:
- Line 42: Replace mutable action tags with immutable commit SHAs: locate each
"uses:" entry that uses a floating tag (e.g., uses: actions/checkout@v4 and the
other similar uses entries in this workflow) and change them to the
corresponding full commit SHA for that action repository (obtain the exact SHA
from the action's GitHub repo tags/commits page for the v4 release and replace
the tag with @<full-commit-sha>); do this for every unpinned action reference in
the workflow so all "uses:" lines are pinned to immutable SHAs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: debec2df-a054-4653-a49b-c7b0a2db9f6a

📥 Commits

Reviewing files that changed from the base of the PR and between e93ce92 and f1793c5.

📒 Files selected for processing (1)
  • .github/workflows/codeql-analysis.yml

steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@v4
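Review bot: the new `uses: actions/checkout@v4` line is still a mutable tag reference, so the version bump alone does not change what a moved or retagged `v4` would resolve to. The PR description notes that every other workflow in the repo already uses `@v4`, so pinning this one file to a hash on its own would be inconsistent; if the team adopts SHA pinning, do it as `actions/checkout@<full-commit-sha> # v4` across all workflows, keeping the tag as a trailing comment so a reviewer can see which release the hash corresponds to.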


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin GitHub Actions to full commit SHAs instead of mutable @v4 tags.

Line 42, Line 46, Line 57, and Line 71 use unpinned action tags. This leaves the workflow open to supply-chain risk if a tag is moved. Please pin each action to an immutable commit SHA.

🔐 Suggested change pattern
-      uses: actions/checkout@v4
+      uses: actions/checkout@<full_commit_sha>

-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@<full_commit_sha>

-      uses: github/codeql-action/autobuild@v4
+      uses: github/codeql-action/autobuild@<full_commit_sha>

-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@<full_commit_sha>
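Review bot: the `<full_commit_sha>` placeholders in this suggested pattern drop the version tag entirely; keep it as a trailing comment on each `+` line (`uses: actions/checkout@<full_commit_sha> # v4`) so the pinned hash stays readable in review and dependency-update tooling can tell which release it tracks. The three `github/codeql-action/*` references (`init`, `autobuild`, `analyze`) come from a single repository and should be pinned to one and the same commit of the same release, not resolved one at a time.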

Also applies to: 46-46, 57-57, 71-71

🧰 Tools
🪛 zizmor (1.25.2)

[error] 42-42: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

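A check for the finding raised above, as an added example that is not part of the PR or of the OWASP project's code: it scans a workflow's `uses:` lines and reports any reference not pinned to a full 40-hex commit SHA, the same condition zizmor's `unpinned-uses` rule flags. The sample workflow text is constructed here and only borrows the codeql-action hash shown in the autofix diff.

```python
import re

# A full commit SHA is 40 hex characters; any other ref after '@' (v4, main,
# v1.2.3) is a mutable git ref that whoever controls the action repository
# can move to different code after this workflow was reviewed.
SHA_RE = re.compile(r"[0-9a-f]{40}")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")

def classify_uses(ref: str) -> str:
    """Classify one `uses:` reference: local, docker, sha, tag or unversioned."""
    if ref.startswith("./"):
        return "local"        # action inside this repo; nothing external to pin
    if ref.startswith("docker://"):
        return "docker"       # pin with an image digest instead; out of scope here
    if "@" not in ref:
        return "unversioned"  # no ref at all, resolves to the default branch
    version = ref.rpartition("@")[2]
    return "sha" if SHA_RE.fullmatch(version) else "tag"

def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for every mutable `uses:` reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify_uses(match.group(1)) in ("tag", "unversioned"):
            findings.append((lineno, match.group(1)))
    return findings

# Constructed sample modelled on this PR's workflow: two steps already pinned
# to the codeql-action SHA from the autofix diff, two still on floating tags.
SAMPLE = """\
steps:
  - name: Checkout repository
    uses: actions/checkout@v4
  - name: Initialize CodeQL
    uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0806c09f0fcbf6c  # v4
    with:
      languages: python
  - name: Autobuild
    uses: github/codeql-action/autobuild@v4
  - name: Perform CodeQL Analysis
    uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0806c09f0fcbf6c
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE):
        print(f"line {lineno}: unpinned action reference: {ref}")
```

Short hashes such as `@b56ba49` are deliberately reported as tags, since an abbreviated prefix is not an immutable pin.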

@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

The agent generated fixes only for .github/workflows/ files, which cannot be committed due to permission restrictions. Please apply these changes manually.


⚠️ 1 file(s) could not be committed — the agent does not have permission to push to .github/workflows/. Please apply these changes manually:

.github/workflows/codeql-analysis.yml — 3 changes:

Lines 39–49
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0806c09f0fcbf6c
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
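Review bot: the hashes on the `+` lines were produced by the autofix agent and are being applied by hand, so before committing confirm that `11bd71901bbe5b1630ceea73d27597364c9af683` is the commit a v4 release tag of `actions/checkout` points at, and `b56ba49b26e50535fa1e7f7db0806c09f0fcbf6c` likewise for `github/codeql-action`; a hash that does not match the intended release pins the workflow to the wrong code with no error. Add the tag as a trailing comment on each pinned line (`# v4`), since the bare hash says nothing about which version is in use.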
Lines 54–60
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v4
+      uses: github/codeql-action/autobuild@b56ba49b26e50535fa1e7f7db0806c09f0fcbf6c
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
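Review bot: the autobuild step is pinned to the same `b56ba49…` commit as the init step, which is the right choice, since all `github/codeql-action/*` sub-actions ship from one repository and init and analyze should always run from the same commit. The PR description says autobuild is a no-op for Python; if the step is kept for a minimal diff, its comment block about compiled languages and the `make release` hints should at least be recognised as dead guidance for this repo when the file is next touched.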
Lines 68–71
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0806c09f0fcbf6c
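Review bot: with all four references now on raw hashes, nothing in the workflow records which release they correspond to, and nothing will move them forward on its own. Besides the trailing tag comments, make sure the repository's dependency-update configuration covers GitHub Actions, otherwise these pins will sit on a retired release the same way the workflow sat on CodeQL Action v1 until this PR.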
