ci: pin codeql-advanced.yml action references to 40-char commit SHAs #217

@cagataycali

Description

Problem

.github/workflows/codeql-advanced.yml still uses floating @v4 tags on several uses: references:

  • Line 60: actions/checkout@v4
  • Line 70: github/codeql-action/init@v4
  • Line 102: github/codeql-action/analyze@v4

Per AGENTS.md > Review Learnings (PR #92) > Action Pinning:

All uses: references in workflows pin to a full 40-character commit SHA, with the version tag preserved as a trailing comment: uses: actions/checkout@<sha> # v4.2.2.

The sister workflow codeql.yml already follows this standard (e.g. @4e828ff8d448a8a6e532957b1811f387a63867e8 # v3.29.4). The matrix workflow should be brought up to the same level.

Additional concern: major-version drift between the two CodeQL workflows

Surfaced in #216 R3 review. After #216 lands, both workflows load the same config-file: ./.github/codeql/config.yml, but they pin to different majors of github/codeql-action:

  • codeql.yml: init@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3.29.4
  • codeql-advanced.yml: init@v4 (and analyze@v4)

Different majors of the action can produce divergent query-filters semantics or different SARIF post-processing. A contributor could see the suppression work in one workflow and silently no-op in the other. The fix for this issue should put both workflows on the same major as part of the SHA-pinning sweep: whichever major is chosen (v3 or v4), pin both workflows to a SHA on that major.

Why this matters

  1. Floating tags are the exact supply-chain pattern exploited in the tj-actions/changed-files incident. The pypa/gh-action-pypi-publish moving-branch scenario is another example. SHA-pinning removes the attack surface; Dependabot's github-actions ecosystem entry keeps them fresh.
  2. Major-version drift between two workflows that share a config file is a behavioural bug, not just a hygiene one.

Acceptance criteria

  • All uses: in codeql-advanced.yml pin to a full 40-char SHA with the version tag as a trailing comment
  • Both codeql.yml and codeql-advanced.yml are on the same major of github/codeql-action (resolution: pick v3 or v4 once, apply to both)
  • .github/dependabot.yml includes a github-actions ecosystem entry covering both workflow files (confirm existing or add)
  • No functional change to the workflow logic beyond the major alignment
  • Verify on the post-merge CodeQL run that both workflows produce identical SARIF post-processing for the simulation-triple suppression

Context


Filed by autonomous agent. Strands Agents.
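The two mechanical checks in the acceptance criteria (every remote uses: reference is a 40-character SHA with a trailing version-tag comment, and both CodeQL workflows sit on one major of github/codeql-action) can be linted before opening the PR. The script below is an added example written for this page; it is not code from the project, the issue author, or GitHub. The workflow fragments are constructed to mirror the state described in the issue: the codeql-action SHA/tag pair is the one quoted above, while the actions/checkout SHA is a placeholder, not a real commit. Function names (parse_uses, find_unpinned, action_majors, majors_aligned) are the example's own.

```python
"""Lint GitHub Actions workflow text for the two checks this issue asks for:
every remote `uses:` reference pinned to a 40-character commit SHA with a
trailing version-tag comment, and all given workflows on one major of an action.
"""
import re
import sys
from pathlib import Path
from typing import List, Optional, Set, Tuple

# One `uses:` line (step-level or reusable-workflow job-level). Local actions
# (./path) carry no '@' and are skipped; only a comment on the same line is read,
# so a comment on the following line never counts as the version tag.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*[\"']?"
    r"(?P<action>[^\s@#\"']+)@(?P<ref>[^\s#\"']+)[\"']?"
    r"(?:[ \t]*#[ \t]*(?P<comment>\S+))?",
    re.MULTILINE,
)
SHA40_RE = re.compile(r"[0-9a-f]{40}")
VERSION_TAG_RE = re.compile(r"v\d+(?:\.\d+)*")

# Constructed fragment mirroring the unpinned codeql-advanced.yml described above.
CODEQL_ADVANCED_BEFORE = """\
steps:
  - uses: actions/checkout@v4
  - uses: github/codeql-action/init@v4
    with:
      config-file: ./.github/codeql/config.yml
  - uses: github/codeql-action/analyze@v4
"""

# Constructed fragment in the target form. The codeql-action pin is the pair quoted
# in the issue; the checkout SHA is a placeholder, not a real actions/checkout commit.
CODEQL_PINNED = """\
steps:
  - uses: actions/checkout@1111111111111111111111111111111111111111 # v4.2.2
  - uses: github/codeql-action/init@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3.29.4
    with:
      config-file: ./.github/codeql/config.yml
  - uses: github/codeql-action/analyze@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3.29.4
"""


def parse_uses(workflow_text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (action, ref, trailing_comment) for each remote `uses:` reference."""
    return [
        (m["action"], m["ref"], m["comment"])
        for m in USES_RE.finditer(workflow_text)
        if not m["action"].startswith("docker://")  # image digests follow a different rule
    ]


def find_unpinned(workflow_text: str) -> List[Tuple[str, str, str]]:
    """Return (action, ref, reason) for every reference that breaks the pinning rule."""
    problems = []
    for action, ref, comment in parse_uses(workflow_text):
        if not SHA40_RE.fullmatch(ref):
            problems.append((action, ref, "ref is not a full 40-character commit SHA"))
        elif comment is None or not VERSION_TAG_RE.fullmatch(comment):
            problems.append((action, ref, "missing trailing version-tag comment"))
    return problems


def action_majors(workflow_text: str, action_prefix: str) -> Set[int]:
    """Major versions a workflow uses for every action under `action_prefix`.

    For a SHA pin the major is read from the trailing comment; for a floating
    tag it is read from the tag itself, so drift is visible before and after pinning.
    """
    majors: Set[int] = set()
    for action, ref, comment in parse_uses(workflow_text):
        if not action.startswith(action_prefix):
            continue
        tag = comment if SHA40_RE.fullmatch(ref) else ref
        m = re.match(r"v(\d+)", tag or "")
        if m:
            majors.add(int(m.group(1)))
    return majors


def majors_aligned(workflows: List[str], action_prefix: str = "github/codeql-action/") -> bool:
    """True when each workflow uses exactly one major of the action and all agree."""
    seen: Set[int] = set()
    for text in workflows:
        majors = action_majors(text, action_prefix)
        if len(majors) != 1:  # none, or mixed majors inside one workflow
            return False
        seen |= majors
    return len(seen) == 1


if __name__ == "__main__":
    # Usage: python pin_check.py .github/workflows/codeql.yml .github/workflows/codeql-advanced.yml
    paths = sys.argv[1:]
    texts = [Path(p).read_text(encoding="utf-8") for p in paths] or [CODEQL_ADVANCED_BEFORE, CODEQL_PINNED]
    names = paths or ["<constructed codeql-advanced>", "<constructed codeql>"]
    for name, text in zip(names, texts):
        for action, ref, reason in find_unpinned(text):
            print(f"{name}: {action}@{ref}: {reason}")
    print("codeql-action majors aligned:", majors_aligned(texts))
```

The check is text-based on purpose: it needs no YAML library and reads the same line a reviewer reads. It does not verify that the SHA really belongs to the tag in the comment; that is a separate step (for example, comparing against `git ls-remote --tags` output for the action repository) and is what keeps the trailing comment honest after Dependabot bumps it.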

Metadata

Assignees: No one assigned
Type: No type
Projects: none
Status: In progress
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests