Revert "Update version and changelog for v3.32.6"
This reverts commit c0e7770.
github-actions[bot] committed Mar 16, 2026
commit ee6db5e4f5b95fd845e313824f655b021f2964ce
53 changes: 30 additions & 23 deletions CHANGELOG.md
Expand Up @@ -2,11 +2,11 @@

See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

## 3.32.6 - 05 Mar 2026
## 4.32.6 - 05 Mar 2026

- Update default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3). [#3548](https://github.com/github/codeql-action/pull/3548)

## 3.32.5 - 02 Mar 2026
## 4.32.5 - 02 Mar 2026

- Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://github.com/github/codeql-action/pull/3507)
- Added an experimental change so that when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. [#3487](https://github.com/github/codeql-action/pull/3487)
Expand All @@ -16,96 +16,96 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
- Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. [#3512](https://github.com/github/codeql-action/pull/3512)
- The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. [#3503](https://github.com/github/codeql-action/pull/3503), [#3504](https://github.com/github/codeql-action/pull/3504)

## 3.32.4 - 20 Feb 2026
## 4.32.4 - 20 Feb 2026

- Update default CodeQL bundle version to [2.24.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2). [#3493](https://github.com/github/codeql-action/pull/3493)
- Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. [#3473](https://github.com/github/codeql-action/pull/3473)
- When the CodeQL Action is run [with debugging enabled in Default Setup](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup) and [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries), the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. [#3486](https://github.com/github/codeql-action/pull/3486)
- Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. [#3485](https://github.com/github/codeql-action/pull/3485)
- Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a [nightly CodeQL CLI release](https://github.com/dsp-testing/codeql-cli-nightlies) instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. [#3484](https://github.com/github/codeql-action/pull/3484)

## 3.32.3 - 13 Feb 2026
## 4.32.3 - 13 Feb 2026

- Added experimental support for testing connections to [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. [#3466](https://github.com/github/codeql-action/pull/3466)

## 3.32.2 - 05 Feb 2026
## 4.32.2 - 05 Feb 2026

- Update default CodeQL bundle version to [2.24.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1). [#3460](https://github.com/github/codeql-action/pull/3460)

## 3.32.1 - 02 Feb 2026
## 4.32.1 - 02 Feb 2026

- A warning is now shown in Default Setup workflow logs if a [private package registry is configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) using a GitHub Personal Access Token (PAT), but no username is configured. [#3422](https://github.com/github/codeql-action/pull/3422)
- Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. [#3421](https://github.com/github/codeql-action/pull/3421)

## 3.32.0 - 26 Jan 2026
## 4.32.0 - 26 Jan 2026

- Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425)

## 3.31.11 - 23 Jan 2026
## 4.31.11 - 23 Jan 2026

- When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://github.com/github/codeql-action/pull/3409)
- Improved error handling throughout the CodeQL Action. [#3415](https://github.com/github/codeql-action/pull/3415)
- Added experimental support for automatically excluding [generated files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github) from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. [#3318](https://github.com/github/codeql-action/pull/3318)
- The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. [#3403](https://github.com/github/codeql-action/pull/3403)

## 3.31.10 - 12 Jan 2026
## 4.31.10 - 12 Jan 2026

- Update default CodeQL bundle version to 2.23.9. [#3393](https://github.com/github/codeql-action/pull/3393)

## 3.31.9 - 16 Dec 2025
## 4.31.9 - 16 Dec 2025

No user facing changes.

## 3.31.8 - 11 Dec 2025
## 4.31.8 - 11 Dec 2025

- Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354)

## 3.31.7 - 05 Dec 2025
## 4.31.7 - 05 Dec 2025

- Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343)

## 3.31.6 - 01 Dec 2025
## 4.31.6 - 01 Dec 2025

No user facing changes.

## 3.31.5 - 24 Nov 2025
## 4.31.5 - 24 Nov 2025

- Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321)

## 3.31.4 - 18 Nov 2025
## 4.31.4 - 18 Nov 2025

No user facing changes.

## 3.31.3 - 13 Nov 2025
## 4.31.3 - 13 Nov 2025

- CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
- Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288)

## 3.31.2 - 30 Oct 2025
## 4.31.2 - 30 Oct 2025

No user facing changes.

## 3.31.1 - 30 Oct 2025
## 4.31.1 - 30 Oct 2025

- The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.

## 3.31.0 - 24 Oct 2025
## 4.31.0 - 24 Oct 2025

- Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
- When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)

## 3.30.9 - 17 Oct 2025
## 4.30.9 - 17 Oct 2025

- Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
- Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)

## 3.30.8 - 10 Oct 2025
## 4.30.8 - 10 Oct 2025

No user facing changes.

## 3.30.7 - 06 Oct 2025
## 4.30.7 - 06 Oct 2025

No user facing changes.
- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)

## 3.30.6 - 02 Oct 2025

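Review bot: The 4.30.7 entry at the end of this hunk changes content, not just the version number: `No user facing changes.` and `- [v4+ only] The CodeQL Action now runs on Node.js v24.` sit under the same heading, so the revert swaps the entry text as well as the `3.30.7`/`4.30.7` heading. Every other pair in this hunk is a heading renumber only. Since the reverted commit was the v3.32.6 version update, whichever commit sets the v3 version again needs to redo this one textual swap too, otherwise the v3 changelog ends up telling users the Action runs on Node.js v24. A one-line mention in the commit message that the revert touches entry text here would make that easier to spot.
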
Expand Down Expand Up @@ -341,13 +341,17 @@ No user facing changes.
## 3.26.12 - 07 Oct 2024

- _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)

- If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.

- Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.

## 3.26.11 - 03 Oct 2024

- _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.

Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.

This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
- Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)

Expand Down Expand Up @@ -470,9 +474,12 @@ No user facing changes.
## 3.25.0 - 15 Apr 2024

- The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224)

As a result, the following inputs and environment variables are now ignored:

- The `setup-python-dependencies` input to the `init` Action
- The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable

We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0.
- Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229)
- Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232)
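Review bot: The three blank lines added inside the 3.25.0 entry (around `As a result, the following inputs and environment variables are now ignored:` and after the two nested bullets) are whitespace-only and unrelated to the version numbers, and they are applied unevenly: there is still no blank line between `We recommend removing any references to these from your workflows.` and the following `- Automatically overwrite an existing database` bullet. The same pattern appears in the 3.26.12 and 3.26.11 entries in the previous hunk. If this spacing differs between release branches, normalising CHANGELOG.md formatting once on both would stop reverts and merges from carrying this churn in historical entries.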
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "3.32.6",
"version": "4.32.6",
"private": true,
"description": "CodeQL action",
"scripts": {
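Review bot: `"version": "4.32.6"` leaves package.json on a 4.x version in a commit whose title says it reverts the v3.32.6 version update, which is only safe as an intermediate state. The commit message gives just "This reverts commit c0e7770." with no reason, so please state there that a later commit sets the v3 version again, and make sure nothing is tagged or released from this commit, since anything that reads the version from package.json would report 4.32.6 here.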