From 79a7d8584841fd913160b83e919824ca9c49010a Mon Sep 17 00:00:00 2001
From: bartzbeielstein <32470350+bartzbeielstein@users.noreply.github.com>
Date: Sun, 14 Jun 2026 10:52:43 +0200
Subject: [PATCH 1/2] ci(codeql): analyze actions workflows to fix stale-config scan error
Default CodeQL setup previously analyzed python, actions, and javascript-typescript. Switching to a Python-only custom workflow left the actions and javascript-typescript configurations stale, which GitHub surfaces as a "Code scanning configuration error" on the security page.
- Add a language matrix covering python and actions so the actions configuration is refreshed on every run (and the workflow files themselves get security scanning). Use build-mode: none for both interpreted targets, dropping the now-unnecessary autobuild step.
- The stale javascript-typescript analyses (the repo has no JS/TS source) were deleted out of band via the code-scanning API.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/codeql.yml | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8a8bc024..0248bdeb 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -16,12 +16,20 @@ permissions: read-all jobs: analyze: - name: Analyze (python) + name: Analyze (${{ matrix.language }}) runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write + strategy: + fail-fast: false + matrix: + include: + - language: python + build-mode: none + - language: actions + build-mode: none steps: - name: Checkout repository
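Review bot: The reason `actions` sits in the matrix next to `python` — keeping that default-setup configuration refreshed so the security page stops flagging it as stale — lives only in the commit message, so a later tidy-up that trims the matrix back to Python would quietly bring the configuration error back. A comment above `include:` would anchor it, e.g. `# both entries are required: each language is a code-scanning configuration that must be refreshed on every run, or GitHub reports it as stale`. `build-mode: none` is correct for both entries since neither language is compiled, and `matrix.build-mode` is a valid dereference despite the hyphen, the same form GitHub's own CodeQL starter workflow uses. The analyze job continues past the end of the hunk.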
@@ -30,13 +38,11 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6 with: - languages: python + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} queries: security-extended - - name: Autobuild - uses: github/codeql-action/autobuild@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6 - - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6 with: - category: /language:python + category: "/language:${{ matrix.language }}"
From 87f7c982f2db9a3def75792003d20473abfbde72 Mon Sep 17 00:00:00 2001
From: bartzbeielstein <32470350+bartzbeielstein@users.noreply.github.com>
Date: Sun, 14 Jun 2026 11:01:31 +0200
Subject: [PATCH 2/2] ci: bump remaining Node 20 actions to Node 24 runtimes
CI emitted "Node.js 20 actions are deprecated" warnings. Bump the actions still running on Node 20 to their Node 24 releases:
- github/codeql-action v3.32.6 -> v4.36.2 (init/analyze in codeql.yml, upload-sarif in scorecard.yml)
- cycjimmy/semantic-release-action v4.2.2 -> v5.0.2 in release.yml; v5's only breaking change is the Node 24 runner (no semantic-release version bump), so it is a drop-in for the existing extra_plugins config. All other pinned actions already run on Node 24 (checkout v6, setup-python v6, setup-uv v8, setup-node v6, upload-artifact v7) or are composite/docker actions (quarto-actions, pypi-publish, scorecard-action).
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/codeql.yml | 4 ++--
 .github/workflows/release.yml | 2 +-
 .github/workflows/scorecard.yml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0248bdeb..eae53afd 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
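Review bot: With the Autobuild step deleted in this hunk, `build-mode: ${{ matrix.build-mode }}` on the init step is the only thing deciding how the database gets built, and a matrix entry added later without a `build-mode` key would expand to an empty input; for a compiled language that would, as far as I can tell, leave nothing between Initialize CodeQL and Perform CodeQL Analysis to build it. A comment beside the line, e.g. `# every matrix entry must set build-mode; the Autobuild step is gone`, makes that coupling visible to whoever extends the matrix. Quoting the category as `"/language:${{ matrix.language }}"` is harmless, and the per-language value is what keeps the two SARIF uploads in separate code-scanning configurations. The step list continues outside the hunk on both sides.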
@@ -36,13 +36,13 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} queries: security-extended - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e888ef42..54b9493c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -72,7 +72,7 @@ jobs: - name: Semantic Release id: release - uses: cycjimmy/semantic-release-action@16ca923e6ccbb50770c415a0ccd43709a8c5f7a4 # v4.2.2 + uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: extra_plugins: | @semantic-release/git@10
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 6db6aacd..2746335d 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -48,6 +48,6 @@ jobs: retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: results.sarif