From bd4917e20b42651be84300416c504556b7dd4321 Mon Sep 17 00:00:00 2001 From: Nathan Randall Date: Tue, 23 Jun 2026 15:52:18 -0600 Subject: [PATCH] chore(deps): bump pinned actions, add Dependabot cooldown Bump SHA pins for actions under .github/{actions,workflows}/** to their latest cooldown-compliant release tags: - actions/setup-node v6.3.0 -> v6.4.0 - actions/setup-go v6.3.0 -> v6.4.0 - actions/setup-java v5.2.0 -> v5.3.0 - actions/setup-dotnet v5.2.0 -> v5.3.0 - actions/cache v5.0.4 -> v5.0.5 - ruby/setup-ruby v1.310 -> v1.313.0 Normalize trailing tag comments to specific versions (e.g. `# v6` -> `# v6.4.0`) so each pin's tag is unambiguous, and correct the actions/dependency-review-action comment from `v4` to `v5.0.0` to match the tag its SHA now resolves to. Update .github/dependabot.yaml: - Add `cooldown: { default-days: 7 }` to every ecosystem. - Add a `gomod` ecosystem entry for /client. - Group github-actions updates under `all-github-actions` for parity with the existing `all-npm-dependencies` group. Verified with `npm run lint`, `npm run format:check`, and `npm run build-and-test`. --- .../setup-codeql-environment/action.yml | 32 +++++++++---------- .github/dependabot.yaml | 20 ++++++++++++ .github/workflows/build-and-test-client.yml | 4 +-- .../workflows/build-and-test-extension.yml | 4 +-- .github/workflows/build-server.yml | 2 +- .github/workflows/copilot-setup-steps.yml | 4 +-- .github/workflows/dependency-review.yml | 2 +- .github/workflows/lint-and-format.yml | 2 +- .github/workflows/query-unit-tests-swift.yml | 2 +- .github/workflows/query-unit-tests.yml | 2 +- .github/workflows/release-codeql.yml | 2 +- .github/workflows/release-npm.yml | 4 +-- .github/workflows/release-tag.yml | 2 +- .github/workflows/release-vsix.yml | 4 +-- .github/workflows/release.yml | 8 ++--- .github/workflows/update-codeql.yml | 2 +- 16 files changed, 58 insertions(+), 38 deletions(-) 
diff --git a/.github/actions/setup-codeql-environment/action.yml b/.github/actions/setup-codeql-environment/action.yml index 27b60b95..4e857e4b 100644 --- a/.github/actions/setup-codeql-environment/action.yml +++ b/.github/actions/setup-codeql-environment/action.yml @@ -104,7 +104,7 @@ runs: - name: Cache `gh-codeql` extension and CodeQL packages (Unix) id: cache-codeql-unix if: runner.os != 'Windows' && inputs.enable-cache == 'true' - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ~/.local/share/gh-codeql @@ -116,7 +116,7 @@ runs: - name: Cache `gh-codeql` extension and CodeQL packages (Windows) id: cache-codeql-windows if: runner.os == 'Windows' && inputs.enable-cache == 'true' - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ~\AppData\Local\GitHub\gh-codeql @@ -342,7 +342,7 @@ runs: - name: Setup Node.js (with cache) if: inputs.install-language-runtimes == 'true' && inputs.enable-cache == 'true' - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: cache: 'npm' cache-dependency-path: 'package-lock.json' @@ -350,7 +350,7 @@ runs: - name: Setup Node.js (without cache) if: inputs.install-language-runtimes == 'true' && inputs.enable-cache != 'true' - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: '.node-version' @@ -358,7 +358,7 @@ runs: - name: Cache language runtimes id: cache-runtimes if: inputs.install-language-runtimes == 'true' && inputs.enable-cache == 'true' - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ~/go/pkg/mod 
@@ -372,20 +372,20 @@ runs: - name: Setup Python (with cache) if: inputs.install-language-runtimes == 'true' && contains(format(',{0},', inputs.languages), ',python,') && steps.check-deps.outputs.python-deps == 'true' && inputs.enable-cache == 'true' - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ inputs.python-version }} cache: 'pip' - name: Setup Python (without cache) if: inputs.install-language-runtimes == 'true' && contains(format(',{0},', inputs.languages), ',python,') && (steps.check-deps.outputs.python-deps == 'false' || inputs.enable-cache != 'true') - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ inputs.python-version }} - name: Setup Java (with cache) if: inputs.install-language-runtimes == 'true' && contains(format(',{0},', inputs.languages), ',java,') && steps.check-deps.outputs.java-deps == 'true' && inputs.enable-cache == 'true' - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 + uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 # v5.3.0 with: distribution: 'temurin' java-version: ${{ inputs.java-version }} 
@@ -393,21 +393,21 @@ runs: - name: Setup Java (without cache) if: inputs.install-language-runtimes == 'true' && contains(format(',{0},', inputs.languages), ',java,') && (steps.check-deps.outputs.java-deps == 'false' || inputs.enable-cache != 'true') - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 + uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 # v5.3.0 with: distribution: 'temurin' java-version: ${{ inputs.java-version }} - name: Setup Go (with cache) if: inputs.install-language-runtimes == 'true' && contains(format(',{0},', inputs.languages), ',go,') && steps.check-deps.outputs.go-deps == 'true' && inputs.enable-cache == 'true' - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version }} cache: true - name: Setup Go (without cache) if: inputs.install-language-runtimes == 'true' && contains(format(',{0},', inputs.languages), ',go,') && (steps.check-deps.outputs.go-deps == 'false' || inputs.enable-cache != 'true') - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version }} cache: false @@ -416,7 +416,7 @@ runs: - name: Cache .NET packages if: inputs.install-language-runtimes == 'true' && contains(format(',{0},', inputs.languages), ',csharp,') && inputs.enable-cache == 'true' id: cache-dotnet-packages - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ~/.nuget/packages 
@@ -428,20 +428,20 @@ runs: - name: Setup .NET (for C#) if: inputs.install-language-runtimes == 'true' && contains(format(',{0},', inputs.languages), ',csharp,') - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version }} - name: Setup Ruby (with cache) if: inputs.install-language-runtimes == 'true' && contains(format(',{0},', inputs.languages), ',ruby,') && steps.check-deps.outputs.ruby-deps == 'true' && inputs.enable-cache == 'true' - uses: ruby/setup-ruby@4dc28cf14d77b0afa6832d9765ac422dbf0dfedd # v1 + uses: ruby/setup-ruby@89f90524b88a01fe6e0b732220432cc6142926af # v1.313.0 with: ruby-version: ${{ inputs.ruby-version }} bundler-cache: true - name: Setup Ruby (without cache) if: inputs.install-language-runtimes == 'true' && contains(format(',{0},', inputs.languages), ',ruby,') && (steps.check-deps.outputs.ruby-deps == 'false' || inputs.enable-cache != 'true') - uses: ruby/setup-ruby@4dc28cf14d77b0afa6832d9765ac422dbf0dfedd # v1 + uses: ruby/setup-ruby@89f90524b88a01fe6e0b732220432cc6142926af # v1.313.0 with: ruby-version: ${{ inputs.ruby-version }} bundler-cache: false @@ -459,7 +459,7 @@ runs: - name: Cache Rust toolchain and cargo registry if: inputs.install-language-runtimes == 'true' && contains(format(',{0},', inputs.languages), ',rust,') && inputs.enable-cache == 'true' id: cache-rust - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ~/.cargo/bin diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 85027f27..01b31805 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml 
@@ -4,10 +4,28 @@ updates: directory: '/' schedule: interval: 'weekly' + cooldown: + default-days: 7 - package-ecosystem: 'github-actions' directory: '/' schedule: interval: 'weekly' + cooldown: + default-days: 7 + groups: + all-github-actions: + patterns: + - '*' + - package-ecosystem: 'gomod' + directory: '/client' + schedule: + interval: 'weekly' + cooldown: + default-days: 7 + groups: + all-go-dependencies: + patterns: + - '*' - package-ecosystem: 'npm' directories: - '/' @@ -16,6 +34,8 @@ updates: - '/extensions/vscode/' schedule: interval: 'weekly' + cooldown: + default-days: 7 ignore: ## Ignore all updates for 'zod' as our 'zod' version must match the ## version of 'zod' used by the '@modelcontextprotocol/sdk' dependency. diff --git a/.github/workflows/build-and-test-client.yml b/.github/workflows/build-and-test-client.yml index c05e0580..3ac0cb22 100644 --- a/.github/workflows/build-and-test-client.yml +++ b/.github/workflows/build-and-test-client.yml @@ -102,7 +102,7 @@ jobs: go-version-file: 'client/go.mod' - name: Setup Node.js environment - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: cache: 'npm' node-version-file: '.node-version' @@ -212,7 +212,7 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: cache: 'npm' node-version-file: '.node-version' diff --git a/.github/workflows/build-and-test-extension.yml b/.github/workflows/build-and-test-extension.yml index 96e2c58c..90faffc9 100644 --- a/.github/workflows/build-and-test-extension.yml +++ b/.github/workflows/build-and-test-extension.yml 
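Review bot: The `github-actions` entry keeps `directory: '/'`, and it is worth confirming that this also reaches the composite action at `.github/actions/setup-codeql-environment/action.yml`, because the pins there (e.g. `actions/cache@668228…` and `actions/setup-node@53b839…`) had fallen behind the SHAs the workflows were already using and had to be bumped by hand in this same patch; if Dependabot does not scan that path, add a second entry with `package-ecosystem: 'github-actions'` and `directory: '/.github/actions/setup-codeql-environment'`. I believe `cooldown` delays version updates only and is not applied to Dependabot security updates, so the 7-day window should be documented as a delay against freshly tagged releases rather than as a guarantee, e.g. `# 7-day cooldown: version updates only; security updates are not delayed`. The trailing `# vX.Y.Z` comments are not verified by GitHub, and the `dependency-review-action` `v4` -> `v5.0.0` correction elsewhere in this patch shows they can drift from the SHA; a CI step that resolves each pinned SHA to its tag would catch that. Grouping every action under `all-github-actions` also puts major bumps in the same PR as patches, so consider restricting the group with `update-types: ['minor', 'patch']` and letting majors arrive separately.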
@@ -37,7 +37,7 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Node.js environment - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: cache: 'npm' node-version-file: '.node-version' @@ -67,7 +67,7 @@ jobs: install-language-runtimes: 'false' - name: Cache VS Code for integration tests - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: key: vscode-test-${{ runner.os }}-stable path: extensions/vscode/.vscode-test diff --git a/.github/workflows/build-server.yml b/.github/workflows/build-server.yml index a07be7e8..5641f0fe 100644 --- a/.github/workflows/build-server.yml +++ b/.github/workflows/build-server.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Build Server - Setup Node.js environment - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: cache: 'npm' node-version-file: '.node-version' diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index 79af4d24..f7fc7bd8 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -40,7 +40,7 @@ jobs: # token: ${{ secrets.QL_DEV_TOKEN }} - name: Copilot Setup - Setup Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: cache: 'npm' node-version-file: '.node-version' 
@@ -73,7 +73,7 @@ jobs: npm run bundle:server - name: Copilot Setup - Cache VS Code for integration tests - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: key: vscode-test-${{ runner.os }}-stable path: extensions/vscode/.vscode-test diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 7d87707c..aaee96cb 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -16,6 +16,6 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Dependency Review - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v4 + uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 with: config-file: '.github/dependency-review-config.yml' diff --git a/.github/workflows/lint-and-format.yml b/.github/workflows/lint-and-format.yml index 81d6f991..7c1168ab 100644 --- a/.github/workflows/lint-and-format.yml +++ b/.github/workflows/lint-and-format.yml @@ -19,7 +19,7 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Lint and Format - Setup Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: cache: 'npm' node-version-file: '.node-version' diff --git a/.github/workflows/query-unit-tests-swift.yml b/.github/workflows/query-unit-tests-swift.yml index 4d284a71..10dd5f06 100644 --- a/.github/workflows/query-unit-tests-swift.yml +++ b/.github/workflows/query-unit-tests-swift.yml 
@@ -35,7 +35,7 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Query Unit Tests - swift - Setup Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: cache: 'npm' node-version-file: '.node-version' diff --git a/.github/workflows/query-unit-tests.yml b/.github/workflows/query-unit-tests.yml index cd084fdf..c2928df6 100644 --- a/.github/workflows/query-unit-tests.yml +++ b/.github/workflows/query-unit-tests.yml @@ -48,7 +48,7 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Query Unit Tests - ${{ matrix.language }} - Setup Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: cache: 'npm' node-version-file: '.node-version' diff --git a/.github/workflows/release-codeql.yml b/.github/workflows/release-codeql.yml index 62442e5e..11a3e76a 100644 --- a/.github/workflows/release-codeql.yml +++ b/.github/workflows/release-codeql.yml @@ -135,7 +135,7 @@ jobs: ls -lh dist-packs/ - name: CodeQL - Upload CodeQL pack artifacts - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: codeql-tool-query-packs-${{ steps.version.outputs.version }} path: dist-packs/*.tar.gz diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml index c11e5aea..fa31c5cc 100644 --- a/.github/workflows/release-npm.yml +++ b/.github/workflows/release-npm.yml @@ -65,7 +65,7 @@ jobs: persist-credentials: false - name: npm - Setup Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: '.node-version' registry-url: 'https://registry.npmjs.org' 
@@ -104,7 +104,7 @@ jobs: echo "✅ Published npm package to npmjs.org (with provenance)" - name: npm - Upload release build artifact - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: release-build-${{ steps.version.outputs.version }} path: | diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml index fe149353..59564caa 100644 --- a/.github/workflows/release-tag.yml +++ b/.github/workflows/release-tag.yml @@ -103,7 +103,7 @@ jobs: - name: Tag - Setup Node.js if: steps.check-tag.outputs.tag_exists != 'true' - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: '.node-version' diff --git a/.github/workflows/release-vsix.yml b/.github/workflows/release-vsix.yml index 97030805..94a41d29 100644 --- a/.github/workflows/release-vsix.yml +++ b/.github/workflows/release-vsix.yml @@ -66,7 +66,7 @@ jobs: persist-credentials: false - name: VSIX - Setup Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: '.node-version' @@ -117,7 +117,7 @@ jobs: done - name: VSIX - Upload artifact - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: codeql-development-mcp-server-vsix-${{ steps.version.outputs.version }} path: extensions/vscode/${{ steps.package.outputs.vsix_name }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 74eac45a..05b494fa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -197,18 +197,18 @@ jobs: steps: - name: Release - Download release build artifact - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: release-build-${{ needs.resolve-version.outputs.version }} - name: Release - Download CodeQL pack artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: codeql-tool-query-packs-${{ needs.resolve-version.outputs.version }} path: dist-packs - name: Release - Download VSIX artifact - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: codeql-development-mcp-server-vsix-${{ needs.resolve-version.outputs.version }} path: dist-vsix @@ -248,7 +248,7 @@ jobs: tar -czvf codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }}.tar.gz -C dist-package . - name: Release - Upload artifact - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }} path: codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }}.tar.gz diff --git a/.github/workflows/update-codeql.yml b/.github/workflows/update-codeql.yml index bf98a709..b22cb169 100644 --- a/.github/workflows/update-codeql.yml +++ b/.github/workflows/update-codeql.yml @@ -197,7 +197,7 @@ jobs: install-language-runtimes: false - name: Update - Setup Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: cache: 'npm' node-version-file: '.node-version'