ci: pin github/codeql-action references to commit SHA (#22458)

GirlBossRush · playpen-agent · web-flow · commit 397e8ff8c47a · 2026-05-19T18:26:57.000+02:00
Replace the three remaining tag-pinned references to
github/codeql-action@v4.35.5 in qa-codeql.yml with their resolved
commit SHA (9e0d7b8d25671d64c341c19c0152d693099fb5ba). Tag pinning
allows an upstream tag to be silently retargeted at a new commit; SHA
pinning removes that risk and brings these three references in line
with the rest of the repo's actions, which are already SHA-pinned.

Co-authored-by: Agent &lt;279763771+playpen-agent@users.noreply.github.com&gt;
diff --git a/.github/workflows/qa-codeql.yml b/.github/workflows/qa-codeql.yml
@@ -28,10 +28,10 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4.35.5
+        uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4.35.5
+        uses: github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4.35.5
+        uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
