From 3d316318b62971395bce64e3fc22b2b0eeef0f37 Mon Sep 17 00:00:00 2001
From: Matthias Crauwels
Date: Thu, 18 Jun 2026 10:37:00 +0200
Subject: [PATCH] ci: pin CodeQL workflow actions to commit SHAs

The org now requires all GitHub Actions to be pinned to a full-length commit SHA, which was failing the "Analyze (go)" check on every PR. Pin each action to its release commit SHA and bump off the deprecated majors while here: actions/checkout v3 -> v4, actions/setup-go v3 -> v5, github/codeql-action v2 -> v3.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/codeql.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index cded5f8..08bd7e4 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -22,22 +22,22 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-go@v3
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: '>=1.18.0'
 check-latest: true
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
 with:
 languages: ${{ matrix.language }}
 - name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
 with:
 category: "/language:${{matrix.language}}"
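Review bot: The trailing comments on the five pinned `uses:` lines name only the moving major tag (`# v4`, `# v5`, `# v3`), so nothing in the file records which release each SHA was taken from. Record the exact release tag instead, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # vX.Y.Z` with the real tag filled in, so a reviewer can check the SHA against the upstream tag and an update bot can keep the SHA and the comment in step. That check matters because GitHub resolves a full-length SHA across a repository's fork network, so a pin only helps once the commit is confirmed to sit on the action's own release tag. The job these steps belong to starts above the hunk, so whether it sets a `permissions:` block cannot be seen from here; the context lines `go-version: '>=1.18.0'` and `check-latest: true` also still leave the Go toolchain floating.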