Merge pull request #3499 from github/sam-robson/document-version-pinning-risk

sam-robson · web-flow · commit 4ea06e96f5e2 · 2026-02-23T10:34:02.000Z
docs: guidance on keeping the CodeQL Action up to date
diff --git a/README.md b/README.md
@@ -80,6 +80,13 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 
+## Keeping the CodeQL Action up to date
+
+We recommend referencing the CodeQL Action using a major version tag (e.g. `v3`) in your workflow file. This ensures your workflow automatically picks up the latest release within that major version, including bug fixes, new features, and updated CodeQL CLI versions.
+
+If you pin to a specific commit SHA or patch version tag, ensure you keep it updated (e.g. via [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)). Some CodeQL Action features are controlled by server-side flags that may be removed over time, which can cause pinned versions to lose functionality.
+
+
 ## Troubleshooting
 
 Read about [troubleshooting code scanning](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning).
