diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml
index 39ec21381..749def27e 100644
--- a/.github/workflows/__build-mode-autobuild.yml
+++ b/.github/workflows/__build-mode-autobuild.yml
@@ -76,6 +76,14 @@ jobs:
 with:
 java-version: ${{ inputs.java-version || '17' }}
 distribution: temurin
+ - name: Install yq
+ if: runner.os == 'Windows'
+ env:
+ YQ_PATH: ${{ runner.temp }}/yq
+ YQ_VERSION: v4.50.1
+ run: |-
+ gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
+ echo "$YQ_PATH" >> "$GITHUB_PATH"
 - name: Set up Java test repo configuration
 run: |
 mv * .github ../action/tests/multi-language-repo/
@@ -90,11 +98,6 @@ jobs:
 languages: java
 tools: ${{ steps.prepare-test.outputs.tools-url }}
 
- - name: Install yq
- if: runner.os == 'Windows'
- run: |
- choco install yq -y
-
 - name: Validate database build mode
 run: |
 metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml
index 951b89066..04703c592 100644
--- a/.github/workflows/update-bundle.yml
+++ b/.github/workflows/update-bundle.yml
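Review bot: The new `Install yq` step fetches a release binary by tag and puts it on `PATH` without any integrity check; a tag can be re-pointed, so pinning `YQ_VERSION: v4.50.1` alone does not make the install tamper-evident, and the `gh release download` line should be followed by a SHA-256 comparison against a value recorded next to the version. Two smaller points on the same `run` block: `$YQ_PATH` (`runner.temp/yq`) is never created before `-O "$YQ_PATH/yq.exe"` is written into it, and `gh` in Actions needs `GH_TOKEN` in the step or job environment — neither is visible in this hunk, so both may be provided at job level outside it. This assumes the job's default shell is bash, as the neighbouring `metadata_path=` step implies. The same command is emitted by the `installYq` block added to `pr-checks/sync.py`, which is where the fix should be made so the generated workflow stays in sync.
```yaml
      - name: Install yq
        if: runner.os == 'Windows'
        env:
          YQ_PATH: ${{ runner.temp }}/yq
          YQ_VERSION: v4.50.1
          # SHA-256 of yq_windows_amd64.exe for YQ_VERSION, copied from the release's published checksums
          YQ_SHA256: <expected-sha256-for-v4.50.1>
        run: |-
          mkdir -p "$YQ_PATH"
          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
          echo "$YQ_SHA256  $YQ_PATH/yq.exe" | sha256sum -c -
          echo "$YQ_PATH" >> "$GITHUB_PATH"
```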
@@ -57,6 +57,24 @@ jobs:
 - name: Update bundle
 uses: ./.github/actions/update-bundle
 
+ - name: Bump Action minor version if new CodeQL minor version series
+ id: bump-action-version
+ run: |
+ prior_cli_version=$(jq -r '.priorCliVersion' src/defaults.json)
+ cli_version=$(jq -r '.cliVersion' src/defaults.json)
+
+ prior_minor=$(echo "$prior_cli_version" | cut -d. -f2)
+ current_minor=$(echo "$cli_version" | cut -d. -f2)
+
+ if [[ "$current_minor" != "$prior_minor" ]]; then
+ echo "New CodeQL minor version series ($prior_cli_version -> $cli_version), bumping Action minor version"
+ npm version minor --no-git-tag-version
+ echo "bumped=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "Same minor version series ($prior_cli_version -> $cli_version), skipping Action version bump"
+ echo "bumped=false" >> "$GITHUB_OUTPUT"
+ fi
+
 - name: Rebuild Action
 run: npm run build
 
@@ -71,11 +89,19 @@ jobs:
 - name: Open pull request
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ ACTION_VERSION_BUMPED: ${{ steps.bump-action-version.outputs.bumped }}
 run: |
 cli_version=$(jq -r '.cliVersion' src/defaults.json)
+ action_version=$(jq -r '.version' package.json)
+
+ pr_body="This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version."
+ if [[ "$ACTION_VERSION_BUMPED" == "true" ]]; then
+ pr_body+=$'\n\n'"Since this is a new CodeQL minor version series, this PR also bumps the Action version to $action_version."
+ fi
+
 pr_url=$(gh pr create \
 --title "Update default bundle to $cli_version" \
- --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
+ --body "$pr_body" \
 --assignee "$GITHUB_ACTOR" \
 --draft \
 )
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dd0029b63..61714b9a7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
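Review bot: The series check in the `Bump Action minor version` step compares only the second dotted component (`cut -d. -f2`), so a CodeQL major bump that happens to keep the same minor number (any `X.N.*` → `Y.N.*`, including `X.0` → `Y.0`) would log "Same minor version series" and skip the Action bump. Comparing the `major.minor` prefix closes that gap: `prior_series=$(echo "$prior_cli_version" | cut -d. -f1,2)`, `current_series=$(echo "$cli_version" | cut -d. -f1,2)` and `if [[ "$current_series" != "$prior_series" ]]; then`. A one-line comment above `npm version minor --no-git-tag-version` noting that it rewrites `package.json` (which the later `Open pull request` step reads back for `action_version`) would help the next reader see why the two steps are coupled.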
@@ -6,6 +6,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 No user facing changes.
 
+## 4.32.0 - 26 Jan 2026
+
+- Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425)
+
 ## 4.31.11 - 23 Jan 2026
 
 - When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://github.com/github/codeql-action/pull/3409)
diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index 4a0177d48..d17e7f2ea 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "codeql",
- version: "4.31.12",
+ version: "4.32.1",
 private: true,
 description: "CodeQL action",
 scripts: {
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 126b0f7ec..a5be402c9 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "codeql",
- version: "4.31.12",
+ version: "4.32.1",
 private: true,
 description: "CodeQL action",
 scripts: {
@@ -90695,8 +90695,8 @@ var path5 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index 2e37724d4..1f957d568 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "codeql",
- version: "4.31.12",
+ version: "4.32.1",
 private: true,
 description: "CodeQL action",
 scripts: {
@@ -87198,8 +87198,8 @@ var path3 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs2 = __toESM(require("fs"));
diff --git a/lib/defaults.json b/lib/defaults.json
index 8c5ef57bf..916c09859 100644
--- a/lib/defaults.json
+++ b/lib/defaults.json
@@ -1,6 +1,6 @@
 {
- "bundleVersion": "codeql-bundle-v2.23.9",
- "cliVersion": "2.23.9",
- "priorBundleVersion": "codeql-bundle-v2.23.8",
- "priorCliVersion": "2.23.8"
+ "bundleVersion": "codeql-bundle-v2.24.0",
+ "cliVersion": "2.24.0",
+ "priorBundleVersion": "codeql-bundle-v2.23.9",
+ "priorCliVersion": "2.23.9"
 }
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 999dd402d..4e0c14ff2 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "codeql",
- version: "4.31.12",
+ version: "4.32.1",
 private: true,
 description: "CodeQL action",
 scripts: {
@@ -127658,8 +127658,8 @@ var path4 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
diff --git a/lib/init-action.js b/lib/init-action.js
index 8dfb854c6..2899ccbcb 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "codeql",
- version: "4.31.12",
+ version: "4.32.1",
 private: true,
 description: "CodeQL action",
 scripts: {
@@ -88149,8 +88149,8 @@ var path6 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index 0f6546ca9..5145fa5f6 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "codeql",
- version: "4.31.12",
+ version: "4.32.1",
 private: true,
 description: "CodeQL action",
 scripts: {
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index 914aad87d..4977dee9f 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "codeql",
- version: "4.31.12",
+ version: "4.32.1",
 private: true,
 description: "CodeQL action",
 scripts: {
@@ -87072,8 +87072,8 @@ var path4 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index 163f3dbbb..ac09673f9 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "codeql",
- version: "4.31.12",
+ version: "4.32.1",
 private: true,
 description: "CodeQL action",
 scripts: {
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index a6a44e031..83d722db5 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -45284,7 +45284,7 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "codeql",
- version: "4.31.12",
+ version: "4.32.1",
 private: true,
 description: "CodeQL action",
 scripts: {
@@ -104006,8 +104006,8 @@ function isAuthToken(value, patterns = GITHUB_TOKEN_PATTERNS) {
 }
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/languages.ts
 var KnownLanguage = /* @__PURE__ */ ((KnownLanguage2) => {
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index a59f2e93f..861117881 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -27975,7 +27975,7 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "codeql",
- version: "4.31.12",
+ version: "4.32.1",
 private: true,
 description: "CodeQL action",
 scripts: {
@@ -90225,8 +90225,8 @@ var path4 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index 0d6e2e984..3ab18a0a0 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "codeql",
- version: "4.31.12",
+ version: "4.32.1",
 private: true,
 description: "CodeQL action",
 scripts: {
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index 1855fc99c..7c7d1f879 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "codeql",
- version: "4.31.12",
+ version: "4.32.1",
 private: true,
 description: "CodeQL action",
 scripts: {
@@ -89992,8 +89992,8 @@ var path4 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
diff --git a/package-lock.json b/package-lock.json
index a4792f7fd..a50945cdb 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "codeql",
- "version": "4.31.12",
+ "version": "4.32.1",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "codeql",
- "version": "4.31.12",
+ "version": "4.32.1",
 "license": "MIT",
 "dependencies": {
 "@actions/artifact": "^5.0.2",
diff --git a/package.json b/package.json
index b09ef89db..d28bdc93e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "codeql",
- "version": "4.31.12",
+ "version": "4.32.1",
 "private": true,
 "description": "CodeQL action",
 "scripts": {
diff --git a/pr-checks/checks/build-mode-autobuild.yml b/pr-checks/checks/build-mode-autobuild.yml
index 26b8626f2..8a51926fa 100644
--- a/pr-checks/checks/build-mode-autobuild.yml
+++ b/pr-checks/checks/build-mode-autobuild.yml
@@ -3,6 +3,7 @@ description: "An end-to-end integration test of a Java repository built using 'b
 operatingSystems: ["ubuntu", "windows"]
 versions: ["linked", "nightly-latest"]
 installJava: "true"
+installYq: "true"
 steps:
 - name: Set up Java test repo configuration
 run: |
@@ -18,11 +19,6 @@ steps:
 languages: java
 tools: ${{ steps.prepare-test.outputs.tools-url }}
 
- - name: Install yq
- if: runner.os == 'Windows'
- run: |
- choco install yq -y
-
 - name: Validate database build mode
 run: |
 metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
diff --git a/pr-checks/sync.py b/pr-checks/sync.py
index 9d1296a54..77696b91f 100755
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 import ruamel.yaml
-from ruamel.yaml.scalarstring import SingleQuotedScalarString
+from ruamel.yaml.scalarstring import SingleQuotedScalarString, LiteralScalarString
 import pathlib
 import os
 
@@ -223,6 +223,25 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
 }
 })
 
+ installYq = is_truthy(checkSpecification.get('installYq', ''))
+
+ if installYq:
+ steps.append({
+ 'name': 'Install yq',
+ 'if': "runner.os == 'Windows'",
+ 'env': {
+ 'YQ_PATH': '${{ runner.temp }}/yq',
+ # This is essentially an arbitrary version of `yq`, which happened to be the one that
+ # `choco` fetched when we moved away from using that here.
+ # See https://github.com/github/codeql-action/pull/3423
+ 'YQ_VERSION': 'v4.50.1'
+ },
+ 'run': LiteralScalarString(
+ 'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"\n'
+ 'echo "$YQ_PATH" >> "$GITHUB_PATH"'
+ ),
+ })
+
 # If container initialisation steps are present in the check specification,
 # make sure to execute them first.
 if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:
diff --git a/src/defaults.json b/src/defaults.json
index 8c5ef57bf..916c09859 100644
--- a/src/defaults.json
+++ b/src/defaults.json
@@ -1,6 +1,6 @@
 {
- "bundleVersion": "codeql-bundle-v2.23.9",
- "cliVersion": "2.23.9",
- "priorBundleVersion": "codeql-bundle-v2.23.8",
- "priorCliVersion": "2.23.8"
+ "bundleVersion": "codeql-bundle-v2.24.0",
+ "cliVersion": "2.24.0",
+ "priorBundleVersion": "codeql-bundle-v2.23.9",
+ "priorCliVersion": "2.23.9"
 }