release status is unclear #1728

@jku

Description

I'm a user of the actual actions in codeql-action: in other words I have uses-lines like this in my workflows:
uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4

I like to know what code I'm running in my CI so I use hashes corresponding to releases and let dependabot update them. codeql-action releases are quite difficult to understand. As an example I currently have a dependabot PR that wants to update from codeql-action 2.3.6 to 2.13.4:

  • The last update I have seen was 2.3.6 -- what happened in between?
  • Why am I getting an update to a release that your release page considers a "pre-release"?
  • Why are the releases on the release page titled "CodeQL Bundle" when I'm looking at the "codeql-action" project and I'm not trying to use or update a "bundle"?
  • Why does the changelog only list changes up to 2.3.6?

🤷

I'm sure there is a logic here and some of these versions refer to the software bundle and some refer to the actions themselves... but I can't understand this logic based on what dependabot shows me.
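The check a hash-pinning user would want for the situation described above, as an added example that is not part of the issue or of codeql-action itself: it scans `uses:` lines in a workflow, flags refs that are not full commit SHAs, resolves pinned SHAs against release metadata to tell a release from a pre-release, and reports when the trailing `# vX.Y.Z` comment that dependabot maintains disagrees with the tag the SHA actually resolves to. The workflow fragment and the release table are constructed sample data (only the init hash is taken from the issue; the tag-to-SHA mapping is illustrative, not the real one).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed workflow fragment: the init hash is the one quoted in the issue,
# everything else is made up for the example.
WORKFLOW = """
steps:
  - uses: actions/checkout@v4
  - uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
  - uses: github/codeql-action/analyze@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.13.4
  - uses: example/other-action@0123456789abcdef0123456789abcdef01234567
"""

# Constructed release metadata: tag -> (commit sha, prerelease flag). In practice this
# comes from the repository's tags/releases; the mapping here is illustrative only.
RELEASES: Dict[str, Tuple[str, bool]] = {
    "v2.3.6": ("83f0fe6c4988d98a455712a27f0255212bba9bd4", False),
    "v2.13.4": ("0123456789abcdef0123456789abcdef01234567", True),
}

USES_RE = re.compile(
    r"^\s*-\s*uses:\s*([^/\s]+)/([^/@\s]+)(/[^@\s]*)?@(\S+)(?:[ \t]*#[ \t]*(\S+))?", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

@dataclass
class Finding:
    action: str
    ref: str
    status: str                     # unpinned | release | prerelease | unknown-sha
    tag: Optional[str] = None       # release tag the sha resolves to, if any
    comment_mismatch: bool = False  # trailing "# vX.Y.Z" disagrees with resolved tag

def audit(workflow: str, releases: Dict[str, Tuple[str, bool]]) -> List[Finding]:
    sha_to_tag = {sha: (tag, pre) for tag, (sha, pre) in releases.items()}
    findings: List[Finding] = []
    for owner, repo, path, ref, comment in USES_RE.findall(workflow):
        action = f"{owner}/{repo}{path}"
        if not SHA_RE.match(ref):           # mutable tag or branch: not pinned at all
            findings.append(Finding(action, ref, "unpinned"))
        elif ref not in sha_to_tag:         # pinned, but to a commit with no release
            findings.append(Finding(action, ref, "unknown-sha"))
        else:
            tag, pre = sha_to_tag[ref]
            findings.append(Finding(action, ref, "prerelease" if pre else "release", tag,
                                    comment_mismatch=bool(comment) and comment != tag))
    return findings

if __name__ == "__main__":
    for f in audit(WORKFLOW, RELEASES):
        print(f"{f.status:11} {f.action}@{f.ref[:12]} tag={f.tag} mismatch={f.comment_mismatch}")
```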
