gha: bump github/codeql-action from 4.31.7 to 4.31.8

[dependabot]

Bumps github/codeql-action from 4.31.7 to 4.31.8.

Release notes

Sourced from github/codeql-action's releases.

v4.31.8

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.8 - 11 Dec 2025

• Update default CodeQL bundle version to 2.23.8. #3354

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.31.8 - 11 Dec 2025

• Update default CodeQL bundle version to 2.23.8. #3354

4.31.7 - 05 Dec 2025

• Update default CodeQL bundle version to 2.23.7. #3343

4.31.6 - 01 Dec 2025

No user facing changes.

4.31.5 - 24 Nov 2025

• Update default CodeQL bundle version to 2.23.6. #3321

4.31.4 - 18 Nov 2025

No user facing changes.

4.31.3 - 13 Nov 2025

• CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see Upcoming deprecation of CodeQL Action v3.
• Update default CodeQL bundle version to 2.23.5. #3288

4.31.2 - 30 Oct 2025

No user facing changes.

4.31.1 - 30 Oct 2025

• The add-snippets input has been removed from the analyze action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.

4.31.0 - 24 Oct 2025

• Bump minimum CodeQL bundle version to 2.17.6. #3223
• When SARIF files are uploaded by the analyze or upload-sarif actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the upload-sarif action. For analyze, this may affect Advanced Setup for CodeQL users who specify a value other than always for the upload input. #3222

4.30.9 - 17 Oct 2025

• Update default CodeQL bundle version to 2.23.3. #3205
• Experimental: A new setup-codeql action has been added which is similar to init, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #3204

... (truncated)

Commits

• 1b168cd Merge pull request #3355 from github/update-v4.31.8-1b0b941e1
• 120f277 Update changelog for v4.31.8
• 1b0b941 Merge pull request #3354 from github/update-bundle/codeql-bundle-v2.23.8
• db812c1 Add changelog note
• 2930dba Update default bundle to codeql-bundle-v2.23.8
• c43362b Merge pull request #3340 from github/kaspersv/check-for-overlayBaseSpecifier
• 002a7f2 Overlay: log overlayBaseSpecifier at debug log-level
• 5b7e7fc Update src/codeql.ts
• 149d184 Merge pull request #3345 from github/mergeback/v4.31.7-to-main-cf1bb45a
• 97c2630 Rebuild
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Important

Bumps github/codeql-action from 4.31.7 to 4.31.8 across multiple GitHub Actions workflows.

• Version Update:
  • Bumps github/codeql-action from 4.31.7 to 4.31.8 in .github/workflows/codeql-analysis.yml, .github/workflows/scan.yml, .github/workflows/scorecard.yml, and .github/workflows/snyk.yml.
• Workflows Affected:
  • Updates init, autobuild, analyze, and upload-sarif steps in codeql-analysis.yml.
  • Updates upload-sarif step in scan.yml, scorecard.yml, and snyk.yml.

^{This description was created by for d5e75ff. You can customize this summary. It will automatically update as commits are pushed.}

[semanticdiff-com]

Review changes with  

Changed Files

File	Status
.github/workflows/codeql-analysis.yml	0% smaller
.github/workflows/scan.yml	0% smaller
.github/workflows/scorecard.yml	0% smaller
.github/workflows/snyk.yml	0% smaller

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to d5e75ff in 47 seconds. Click for details.

• Reviewed 74 lines of code in 4 files
• Skipped 0 files when reviewing.
• Skipped posting 7 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. .github/workflows/codeql-analysis.yml:60

• Draft comment:
  Updated 'github/codeql-action/init' to commit 1b168cd39490f61582a9beae412bb7057a6b2c4e (v4.31.8). Ensure that any custom query configurations are still compatible with the new CodeQL bundle defaults.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% The comment is asking the PR author to ensure compatibility with the new CodeQL bundle defaults, which falls under the rule of not asking the author to ensure behavior is intended or tested. It does not provide a specific suggestion or point out a specific issue.

2. .github/workflows/codeql-analysis.yml:75

• Draft comment:
  Updated 'github/codeql-action/autobuild' to commit 1b168cd39490f61582a9beae412bb7057a6b2c4e (v4.31.8). This ensures the build step aligns with the updated CodeQL bundle.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is purely informative, providing details about a dependency update. It does not offer any suggestions, ask for confirmation, or highlight any potential issues. According to the rules, purely informative comments should be removed.

3. .github/workflows/codeql-analysis.yml:89

• Draft comment:
  Updated 'github/codeql-action/analyze' to commit 1b168cd39490f61582a9beae412bb7057a6b2c4e (v4.31.8).
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is purely informative, as it only states that a specific action was updated to a certain commit. It does not provide any actionable feedback or suggestions for improvement.

4. .github/workflows/scan.yml:52

• Draft comment:
  Updated 'github/codeql-action/upload-sarif' to commit 1b168cd39490f61582a9beae412bb7057a6b2c4e in the Snyk job.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is purely informative, as it only states that a specific action was updated to a certain commit. It does not provide any suggestions, questions, or concerns about the code change.

5. .github/workflows/scan.yml:87

• Draft comment:
  Updated 'github/codeql-action/upload-sarif' to commit 1b168cd39490f61582a9beae412bb7057a6b2c4e in the Gosec job.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is purely informative, as it only states that a specific action was updated to a certain commit. It does not provide any suggestions, ask for confirmation, or highlight any potential issues.

6. .github/workflows/scorecard.yml:80

• Draft comment:
  Updated 'github/codeql-action/upload-sarif' to commit 1b168cd39490f61582a9beae412bb7057a6b2c4e for uploading security scorecard results.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is purely informative, as it only states that a specific action was updated to a certain commit. It doesn't provide any actionable feedback or suggestions for improvement.

7. .github/workflows/snyk.yml:43

• Draft comment:
  Updated 'github/codeql-action/upload-sarif' to commit 1b168cd39490f61582a9beae412bb7057a6b2c4e in the Snyk workflow.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is purely informative, as it only states that a specific action was updated to a certain commit in a workflow. It does not provide any suggestions, ask for confirmation, or highlight any potential issues.

Workflow ID: wflow_rK78tPuyYkQ7NbN5

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud