From f0767c48a17201c9fd01413ddb53f16a130ceffd Mon Sep 17 00:00:00 2001 From: Sam Robson Date: Fri, 20 Feb 2026 19:38:39 +0000 Subject: [PATCH] docs: risks of pinning --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 7c6a3c1c2b..e4bd1e79c4 100644 --- a/README.md +++ b/README.md @@ -77,6 +77,13 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server). +## Keeping the CodeQL Action up to date + +We recommend referencing the CodeQL Action using a major version tag (e.g. `v3`) in your workflow file. This ensures your workflow automatically picks up the latest release within that major version, including bug fixes, new features, and updated CodeQL CLI versions. + +If you pin to a specific commit SHA or patch version tag, ensure you keep it updated (e.g. via [Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)). Some CodeQL Action features are controlled by server-side flags that may be removed over time, which can cause pinned versions to lose functionality. + + ## Troubleshooting Read about [troubleshooting code scanning](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning).
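Review bot: the new "Keeping the CodeQL Action up to date" section recommends the mutable `v3` tag without saying why users pin to a commit SHA in the first place (an immutable reference to a revision they have reviewed), so as written it reads as discouraging pinning rather than explaining the trade-off; consider stating that a SHA pin kept current via Dependabot gives both an immutable reference and timely updates, and make the second paragraph concrete about what "lose functionality" means for a stale pin (does the analysis fail, or does a feature silently stop working?) since that is the actual risk the commit subject refers to. Minor: the hunk adds two blank `+` lines before `## Troubleshooting`, leaving a double blank line where one is enough.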