docs: risks of pinning

sam-robson · sam-robson · commit f0767c48a172 · 2026-02-20T20:15:14.000Z
diff --git a/README.md b/README.md
@@ -77,6 +77,13 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 
+## Keeping the CodeQL Action up to date
+
+We recommend referencing the CodeQL Action using a major version tag (e.g. `v3`) in your workflow file. This ensures your workflow automatically picks up the latest release within that major version, including bug fixes, new features, and updated CodeQL CLI versions.
+
+If you pin to a specific commit SHA or patch version tag, ensure you keep it updated (e.g. via [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)). Some CodeQL Action features are controlled by server-side flags that may be removed over time, which can cause pinned versions to lose functionality.
+
+
 ## Troubleshooting
 
 Read about [troubleshooting code scanning](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning).
