chore(deps): bump github/codeql-action from 4.35.5 to 4.36.0 in the github-actions group#113

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github-actions-754f0868f5

Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github, May 25, 2026

Bumps the github-actions group with 1 update: github/codeql-action.

Updates github/codeql-action from 4.35.5 to 4.36.0

Release notes

Sourced from github/codeql-action's releases.

v4.36.0

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.36.0 - 22 May 2026

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

4.35.5 - 15 May 2026

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

  • Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

4.35.0 - 27 Mar 2026

... (truncated)

Commits
  • 7211b7c Merge pull request #3927 from github/update-v4.36.0-ebc2d9e2b
  • 7740f2f Update changelog for v4.36.0
  • ebc2d9e Merge pull request #3926 from github/update-bundle/codeql-bundle-v2.25.5
  • d1f74b7 Add changelog note
  • 2dc40ce Update default bundle to codeql-bundle-v2.25.5
  • 8449852 Merge pull request #3910 from github/henrymercer/repo-size-diff-check
  • 72ac23c Update excluded required check list
  • c5297a2 Merge pull request #3919 from github/henrymercer/workflow-concurrency
  • 8ffeae7 CI: Automatically cancel non-generated workflows
  • f3f52bf Revert getErrorMessage import
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the github-actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 4.35.5 to 4.36.0
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@9e0d7b8...7211b7c)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code), May 25, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 25, 2026 22:18
@clawsweeper clawsweeper Bot commented May 25, 2026

Codex review: needs maintainer review before merge. Reviewed May 25, 2026, 6:29 PM ET / 22:29 UTC.

Summary
The branch updates both github/codeql-action/init and github/codeql-action/analyze pins in .github/workflows/codeql.yml from the v4.35.5 commit to the v4.36.0 commit.

Reproducibility: not applicable; this is a workflow dependency bump, not a reported runtime bug. Source and diff inspection verify the changed action refs instead of a failing reproduction path.

Review metrics: 2 noteworthy metrics.

  • Workflow surface: 1 workflow changed. The review scope is limited to the CodeQL automation workflow rather than runtime CLI code.
  • Action refs: 2 pinned CodeQL refs updated. Both init and analyze will execute the new upstream CodeQL Action commit after merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Confirm the CodeQL workflow succeeds on this PR head before merge.

Risk before merge

  • Merging changes the third-party action code used for code scanning; v4.36.0 also raises the minimum required CodeQL bundle, so maintainers should rely on a successful CodeQL workflow run and the security automation owner review before landing.

Maintainer options:

  1. Merge after CodeQL validation (recommended)
    Accept the update once the CodeQL workflow succeeds on this head and the required security automation review is satisfied.
  2. Hold if bundle compatibility fails
    Pause, close, or let Dependabot recreate the PR if v4.36.0 fails because of the new minimum CodeQL bundle requirement.

Next step before merge
No repair lane is needed; maintainers should handle this through normal CI and CODEOWNER review for the Dependabot workflow update.

Security
Cleared: No concrete security regression was found: the PR keeps existing permissions and pinned action usage, and the new SHA matches the peeled upstream v4.36.0 tag.

Review details

Best possible solution:

Land the pinned CodeQL action bump after the CodeQL matrix and required security automation review confirm v4.36.0 works for this repository, or let Dependabot refresh the PR if the workflow fails.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a workflow dependency bump, not a reported runtime bug. Source and diff inspection verify the changed action refs instead of a failing reproduction path.

Is this the best way to solve the issue?

Yes: for this dependency update, changing both CodeQL init and analyze pins together while leaving workflow permissions and config unchanged is the narrow maintainable path. The remaining question is validation of the upgraded action in CI.

AGENTS.md: found, but no applicable review policy affected this item.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ed3d5750ff89.

Label changes

Label justifications:

  • P3: This is a low-risk dependency maintenance PR with no runtime product behavior change.
  • merge-risk: 🚨 automation: The PR changes the pinned CodeQL Action code that runs repository security scanning, and the upstream release includes a workflow-relevant breaking minimum bundle requirement.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot PR; the contributor real-behavior proof gate is not applicable, and workflow CI is the relevant validation path.

Evidence reviewed

What I checked:

  • Repository policy read: Read the full target AGENTS.md; it contains TypeScript CLI and testing guidance but no workflow-specific rule that changes this dependency-update review. (AGENTS.md:1, ed3d5750ff89)
  • Current main still uses v4.35.5 SHA: Current main pins both CodeQL init and analyze steps to 9e0d7b8d25671d64c341c19c0152d693099fb5ba, so the requested update is not already implemented on main. (.github/workflows/codeql.yml:69, ed3d5750ff89)
  • PR diff is limited to CodeQL action pins: The PR head commit changes exactly two uses: lines in .github/workflows/codeql.yml, replacing the old CodeQL Action SHA with 7211b7c8077ea37d8641b6271f6a365a22a5fbfa. (.github/workflows/codeql.yml:69, 49a0eb6e9c12)
  • Upstream tag provenance: Read-only tag lookup shows upstream refs/tags/v4.35.5^{} peels to 9e0d7b8d25671d64c341c19c0152d693099fb5ba and refs/tags/v4.36.0^{} peels to 7211b7c8077ea37d8641b6271f6a365a22a5fbfa. (7211b7c8077e)
  • Workflow ownership: CODEOWNERS routes .github/workflows/ changes to @openclaw/openclaw-secops, which is relevant because this PR changes the CodeQL automation workflow. (.github/CODEOWNERS:13, ed3d5750ff89)
  • History provenance: git blame attributes the current CodeQL workflow pin lines to release/import commit cdd58ac59213ef24c357be0749ce70f61409d95b; current branch history also shows .github/workflows/codeql.yml present since the v0.4.0 release import. (.github/workflows/codeql.yml:69, cdd58ac59213)

Likely related people:

  • Peter Steinberger: Current git blame for the CodeQL workflow lines points to the v0.4.0 release/import commit authored by Peter Steinberger. (role: current workflow provenance; confidence: medium; commits: cdd58ac59213; files: .github/workflows/codeql.yml)
  • Vincent Koc: Recent current-branch history shows Vincent Koc updating CODEOWNERS around security automation surfaces, including workflow ownership routing. (role: adjacent security automation contributor; confidence: medium; commits: 857d854ac8d0; files: .github/CODEOWNERS)
  • @openclaw/openclaw-secops: CODEOWNERS assigns .github/workflows/ and CodeQL configuration paths to this security automation owner group. (role: CODEOWNERS routing handle; confidence: high; files: .github/CODEOWNERS, .github/workflows/codeql.yml)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added labels rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected), status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR), P3 (Low-risk cleanup, docs, polish, ergonomics, or speculative feature) and merge-risk: 🚨 automation (🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation), May 25, 2026
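The pin check the review above describes, a commit-pinned `uses:` ref having to equal the commit the upstream release tag peels to, as an added shell example that is not Dependabot's, ClawSweeper's or the project's code. The workflow snippet and the `git ls-remote --tags` output are constructed samples built from the two SHAs quoted in the review; the annotated-tag object ids in the sample are placeholders.

```shell
# Added example: fail unless every `uses:` line in a workflow is pinned to a full
# commit SHA that matches the peeled commit of the version named in its trailing
# `# vX.Y.Z` comment. Both inputs are constructed samples; in practice pass the
# real workflow file and the output of `git ls-remote --tags <repo-url>`.

WORKFLOW_SAMPLE='name: CodeQL
jobs:
  analyze:
    steps:
      - uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
      - uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0'

# Constructed stand-in for `git ls-remote --tags`: the peeled (^{}) commits are the
# values quoted in the review; the annotated-tag object ids are placeholders.
TAG_SAMPLE='0000000000000000000000000000000000000000 refs/tags/v4.35.5
9e0d7b8d25671d64c341c19c0152d693099fb5ba refs/tags/v4.35.5^{}
0000000000000000000000000000000000000000 refs/tags/v4.36.0
7211b7c8077ea37d8641b6271f6a365a22a5fbfa refs/tags/v4.36.0^{}'

# Print the commit a tag peels to (empty when the tag is absent from the listing).
peeled_sha() {
  printf '%s\n' "$2" | awk -v ref="refs/tags/$1^{}" '$2 == ref { print $1; exit }'
}

# Exit status 0 only if every `uses:` line is a full-SHA pin whose SHA equals the
# peeled commit of the version in its comment; mutable refs and unverifiable pins fail.
verify_workflow() {
  workflow=$1; tagdata=$2; status=0
  while IFS= read -r line; do
    case $line in *uses:*@*) ;; *) continue ;; esac
    action=$(printf '%s' "${line#*uses:}" | sed 's/@.*//; s/ //g')
    ref=${line#*@}; pin=${ref%% *}                          # text after '@', up to first space
    want=$(printf '%s' "$line" | sed -n 's/.*#[[:space:]]*//p')  # version from the comment
    if ! printf '%s' "$pin" | grep -Eq '^[0-9a-f]{40}$'; then
      echo "FAIL  $action@$pin is a mutable ref; pin to a full commit SHA"; status=1
    elif [ -z "$want" ]; then
      echo "FAIL  $action@$pin has no '# vX.Y.Z' comment to check against"; status=1
    else
      have=$(peeled_sha "$want" "$tagdata")
      if [ "$have" = "$pin" ]; then
        echo "OK    $action@$pin matches $want"
      else
        echo "FAIL  $action@$pin does not match $want (peels to '${have:-unknown}')"; status=1
      fi
    fi
  done <<EOF
$workflow
EOF
  return $status
}

verify_workflow "$WORKFLOW_SAMPLE" "$TAG_SAMPLE"
```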
@clawsweeper clawsweeper Bot commented May 25, 2026

ClawSweeper PR egg

✨ Hatched: 🥚 common Neon Shellbean

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: polishes edge cases.
Image traits: location merge queue dock; accessory release bell; palette cobalt, lime, and pearl; mood proud; pose balancing on a branch marker; shell soft velvet shell; lighting subtle sparkle highlights; background tiny artifact crates.


What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.
