From 97f0aed29dc1e1576dbeb02977070f1a277f9c91 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Oct 2025 03:24:49 +0000 Subject: [PATCH 1/2] build(deps): bump github/codeql-action from 3 to 4 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v3...v4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/zizmor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 266f74cb..a30cf693 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -34,7 +34,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: results.sarif category: zizmor \ No newline at end of file From 3b892a8cb9e308c025636252910200c318ec4859 Mon Sep 17 00:00:00 2001 From: valued mammal Date: Mon, 1 Dec 2025 23:44:46 -0500 Subject: [PATCH 2/2] ci: Update `zizmor.yml` config Added `github/codeql-action/*` to unpinned-uses policy. --- .github/zizmor.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 667e912a..e232e54b 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -5,4 +5,5 @@ rules: policies: # Allow pin by ref/tag actions-rust-lang/setup-rust-toolchain: ref-pin + github/codeql-action/*: ref-pin actions/*: ref-pin