From 3edfa10b93a34185dabdeda33611afa0b9621190 Mon Sep 17 00:00:00 2001
From: muralx
Date: Wed, 24 Jun 2026 14:04:16 +0100
Subject: [PATCH] ci: bump CodeQL to v4.35.2 and run the security-extended query suite

Align the CodeQL workflow with the current action release and broaden SAST coverage:
- Bump github/codeql-action init/analyze to v4.35.2.
- Run the security-extended query suite (previously the default suite).
- Grant the analyze job actions: read, required by the newer action to read workflow run metadata.
---
 .github/workflows/codeql.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index f40d951..460807a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -37,6 +37,7 @@ jobs:
 # Required for CodeQL to upload results to the Security tab.
 security-events: write
 contents: read
+ actions: read
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -48,13 +49,14 @@ jobs:
 check-latest: true
 - name: Initialize CodeQL
- uses: github/codeql-action/init@c35d1b164463ee62a100735382aaaa525c5d3496 # codeql-bundle-v2.25.6
+ uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
 with:
 languages: go
 # This repo is a Go workspace of four independent modules; the
 # default autobuild can't span them, so we build each module
 # manually below.
 build-mode: manual
+ queries: security-extended
 - name: Build modules
 # Compile every module so the extractor sees all packages. go.work
@@ -68,6 +70,6 @@ jobs:
 done
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@c35d1b164463ee62a100735382aaaa525c5d3496 # codeql-bundle-v2.25.6
+ uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
 with:
 category: "/language:go"
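Review bot: The new `actions: read` entry in the first hunk is the only key in this permissions block without a why-comment, while the neighbouring `security-events: write` carries one, so a reader cannot tell whether it is a hard requirement or a widening that could be dropped later. The commit message says the newer action requires it to read workflow-run metadata, but nothing in the hunk establishes that; as far as I recall the codeql-action documentation describes this permission as needed only on private repositories, which is worth confirming before the comment asserts a requirement. Suggest `# Lets codeql-action read workflow-run metadata (documented as needed on private repositories).` directly above the new line, in the same style as the existing comment. The permissions mapping and its enclosing job both begin above the hunk.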
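Review bot: `queries: security-extended` in the second hunk is added without recording how the `queries` input composes with other sources: for github/codeql-action the value replaces any `queries` setting from a config file unless it is prefixed with `+`, and the hunk shows no `config-file` input, so if one is passed elsewhere in this `with:` mapping its queries would be silently dropped. Since security-extended is a superset of the default suite nothing is lost relative to the previous run, though the added queries can be expected to lengthen analysis on the manual build. Suggest `# Superset of the default suite; replaces a config-file 'queries' entry unless prefixed with '+'.` above the new line. The same commit pin is bumped for the analyze step in the third hunk; both `# v4.35.2` comments should stay in step with the pinned SHA.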