Merge pull request #3500 from github/mbg/fixup/version-pinning

mbg · web-flow · commit a754a57c217e · 2026-02-23T14:19:30.000Z
Minor improvements to "Keeping the CodeQL Action up to date" section
diff --git a/README.md b/README.md
@@ -80,12 +80,11 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 
-## Keeping the CodeQL Action up to date
+## Keeping the CodeQL Action up to date in advanced setups
 
-We recommend referencing the CodeQL Action using a major version tag (e.g. `v3`) in your workflow file. This ensures your workflow automatically picks up the latest release within that major version, including bug fixes, new features, and updated CodeQL CLI versions.
-
-If you pin to a specific commit SHA or patch version tag, ensure you keep it updated (e.g. via [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)). Some CodeQL Action features are controlled by server-side flags that may be removed over time, which can cause pinned versions to lose functionality.
+If you are using an [advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning), we recommend referencing the CodeQL Action using a major version tag (e.g. `v4`) in your workflow file. This ensures your workflow automatically picks up the latest release within that major version, including bug fixes, new features, and updated CodeQL CLI versions.
 
+If you pin to a specific commit SHA or patch version tag, ensure you keep it updated (e.g. via [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)). Some CodeQL Action features are enabled by server-side flags that may be removed over time, which can cause old versions to lose functionality.
 
 ## Troubleshooting
 
