From dd8914320f183a2820ffe1a91b9fc453164493e6 Mon Sep 17 00:00:00 2001 From: Kasper Svendsen Date: Wed, 3 Dec 2025 09:15:15 +0100 Subject: [PATCH 01/13] CodeQL: Add resolveDatabase method --- lib/analyze-action-post.js | 17 +++++++++++++++++ lib/analyze-action.js | 17 +++++++++++++++++ lib/autobuild-action.js | 17 +++++++++++++++++ lib/init-action-post.js | 17 +++++++++++++++++ lib/init-action.js | 17 +++++++++++++++++ lib/resolve-environment-action.js | 17 +++++++++++++++++ lib/setup-codeql-action.js | 17 +++++++++++++++++ lib/upload-lib.js | 17 +++++++++++++++++ lib/upload-sarif-action.js | 17 +++++++++++++++++ src/codeql.ts | 26 ++++++++++++++++++++++++++ 10 files changed, 179 insertions(+) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index b4ee3c8d5..4b90e5a46 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -120735,6 +120735,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 1ba7f39e9..e05bbd8c8 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -90887,6 +90887,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 10b30f64d..20325380c 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -84973,6 +84973,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index b6a4215af..99780c415 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -125350,6 +125350,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/init-action.js b/lib/init-action.js index 8f5b7f887..939cab918 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -89147,6 +89147,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 6e159d31a..ffaf4d162 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -84672,6 +84672,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 74b84a122..4f9d6af4f 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -85975,6 +85975,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 4f3f1fa46..aacb1837d 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -88697,6 +88697,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index ba2c9118c..5908e956e 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -89215,6 +89215,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/src/codeql.ts b/src/codeql.ts index 2b86d843f..f59793193 100644 --- a/src/codeql.ts +++ b/src/codeql.ts @@ -206,6 +206,7 @@ export interface CodeQL { * Run 'codeql resolve queries --format=startingpacks'. */ resolveQueriesStartingPacks(queries: string[]): Promise; + resolveDatabase(databasePath: string): Promise; /** * Run 'codeql github merge-results'. */ @@ -230,6 +231,10 @@ export interface VersionInfo { overlayVersion?: number; } +export interface ResolveDatabaseOutput { + [key: string]: string | [string]; +} + export interface ResolveLanguagesOutput { [language: string]: [string]; } @@ -493,6 +498,7 @@ export function createStubCodeQL(partialCodeql: Partial): CodeQL { partialCodeql, "resolveQueriesStartingPacks", ), + resolveDatabase: resolveFunction(partialCodeql, "resolveDatabase"), mergeResults: resolveFunction(partialCodeql, "mergeResults"), }; } @@ -1003,6 +1009,26 @@ async function getCodeQLForCmd( ); } }, + async resolveDatabase( + databasePath: string, + ): Promise { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]), + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + + try { + return JSON.parse(output) as ResolveDatabaseOutput; + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}`, + ); + } + }, async mergeResults( sarifFiles: string[], outputFile: string, From c4efbda2999d6895931c401bf16d97750bd3650e Mon Sep 17 00:00:00 2001 From: Kasper Svendsen Date: Wed, 3 Dec 2025 09:16:45 +0100 Subject: [PATCH 02/13] Overlay: Check database metadata for overlayBaseSpecifier --- lib/analyze-action.js | 22 +++++++++++++-- lib/init-action.js | 22 +++++++++++++-- src/overlay-database-utils.test.ts | 44 ++++++++++++++++++++++++++++-- src/overlay-database-utils.ts | 35 +++++++++++++++++++++--- 4 files changed, 112 insertions(+), 11 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index e05bbd8c8..c4d488ab8 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -88512,7 +88512,7 @@ function computeChangedFiles(baseFileOids, overlayFileOids) { var CACHE_VERSION = 1; var CACHE_PREFIX = "codeql-overlay-base-database"; var MAX_CACHE_OPERATION_MS = 6e5; -function checkOverlayBaseDatabase(config, logger, warningPrefix) { +async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); if (!fs3.existsSync(baseDatabaseOidsFilePath)) { logger.warning( @@ -88520,6 +88520,23 @@ function checkOverlayBaseDatabase(config, logger, warningPrefix) { ); return false; } + for (const language of config.languages) { + const dbPath = getCodeQLDatabasePath(config, language); + try { + const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); + if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { + logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); + return false; + } else { + logger.info( + `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` + ); + } + } catch (e) { + logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); + return false; + } + } return true; } async function cleanupAndUploadOverlayBaseDatabaseToCache(codeql, config, logger) { @@ -88542,7 +88559,8 @@ async function cleanupAndUploadOverlayBaseDatabaseToCache(codeql, config, logger ); return false; } - const databaseIsValid = checkOverlayBaseDatabase( + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, config, logger, "Abort uploading overlay-base database to cache" diff --git a/lib/init-action.js b/lib/init-action.js index 939cab918..0af2f67e8 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -85914,7 +85914,7 @@ function computeChangedFiles(baseFileOids, overlayFileOids) { var CACHE_VERSION = 1; var CACHE_PREFIX = "codeql-overlay-base-database"; var MAX_CACHE_OPERATION_MS = 6e5; -function checkOverlayBaseDatabase(config, logger, warningPrefix) { +async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); if (!fs3.existsSync(baseDatabaseOidsFilePath)) { logger.warning( @@ -85922,6 +85922,23 @@ function checkOverlayBaseDatabase(config, logger, warningPrefix) { ); return false; } + for (const language of config.languages) { + const dbPath = getCodeQLDatabasePath(config, language); + try { + const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); + if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { + logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); + return false; + } else { + logger.info( + `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` + ); + } + } catch (e) { + logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); + return false; + } + } return true; } async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) { @@ -86009,7 +86026,8 @@ async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) { ); return void 0; } - const databaseIsValid = checkOverlayBaseDatabase( + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, config, logger, "Downloaded overlay-base database is invalid" diff --git a/src/overlay-database-utils.test.ts b/src/overlay-database-utils.test.ts index cee0d45f1..db47d4d87 100644 --- a/src/overlay-database-utils.test.ts +++ b/src/overlay-database-utils.test.ts @@ -7,7 +7,9 @@ import * as sinon from "sinon"; import * as actionsUtil from "./actions-util"; import * as apiClient from "./api-client"; +import { ResolveDatabaseOutput } from "./codeql"; import * as gitUtils from "./git-utils"; +import { KnownLanguage } from "./languages"; import { getRunnerLogger } from "./logging"; import { downloadOverlayBaseDatabaseFromCache, @@ -95,6 +97,7 @@ interface DownloadOverlayBaseDatabaseTestCase { hasBaseDatabaseOidsFile: boolean; tryGetFolderBytesSucceeds: boolean; codeQLVersion: string; + resolveDatabaseOutput: ResolveDatabaseOutput | Error; } const defaultDownloadTestCase: DownloadOverlayBaseDatabaseTestCase = { @@ -105,6 +108,7 @@ const defaultDownloadTestCase: DownloadOverlayBaseDatabaseTestCase = { hasBaseDatabaseOidsFile: true, tryGetFolderBytesSucceeds: true, codeQLVersion: "2.20.5", + resolveDatabaseOutput: { overlayBaseSpecifier: "20250626:XXX" }, }; const testDownloadOverlayBaseDatabaseFromCache = test.macro({ @@ -119,9 +123,11 @@ const testDownloadOverlayBaseDatabaseFromCache = test.macro({ await fs.promises.mkdir(dbLocation, { recursive: true }); const logger = getRunnerLogger(true); - const config = createTestConfig({ dbLocation }); - const testCase = { ...defaultDownloadTestCase, ...partialTestCase }; + const config = createTestConfig({ + dbLocation, + languages: [KnownLanguage.java], + }); config.overlayDatabaseMode = testCase.overlayDatabaseMode; config.useOverlayDatabaseCaching = testCase.useOverlayDatabaseCaching; @@ -163,9 +169,23 @@ const testDownloadOverlayBaseDatabaseFromCache = test.macro({ .resolves(testCase.tryGetFolderBytesSucceeds ? 1024 * 1024 : undefined); stubs.push(tryGetFolderBytesStub); + const codeql = mockCodeQLVersion(testCase.codeQLVersion); + + if (testCase.resolveDatabaseOutput instanceof Error) { + const resolveDatabaseStub = sinon + .stub(codeql, "resolveDatabase") + .rejects(testCase.resolveDatabaseOutput); + stubs.push(resolveDatabaseStub); + } else { + const resolveDatabaseStub = sinon + .stub(codeql, "resolveDatabase") + .resolves(testCase.resolveDatabaseOutput); + stubs.push(resolveDatabaseStub); + } + try { const result = await downloadOverlayBaseDatabaseFromCache( - mockCodeQLVersion(testCase.codeQLVersion), + codeql, config, logger, ); @@ -255,6 +275,24 @@ test( false, ); +test( + testDownloadOverlayBaseDatabaseFromCache, + "returns undefined when downloaded database doesn't have an overlayBaseSpecifier", + { + resolveDatabaseOutput: {}, + }, + false, +); + +test( + testDownloadOverlayBaseDatabaseFromCache, + "returns undefined when resolving database metadata fails", + { + resolveDatabaseOutput: new Error("Failed to resolve database metadata"), + }, + false, +); + test( testDownloadOverlayBaseDatabaseFromCache, "returns undefined when filesystem error occurs", diff --git a/src/overlay-database-utils.ts b/src/overlay-database-utils.ts index a340bfe2b..7db248bd1 100644 --- a/src/overlay-database-utils.ts +++ b/src/overlay-database-utils.ts @@ -17,6 +17,7 @@ import { getCommitOid, getFileOidsUnderPath } from "./git-utils"; import { Logger, withGroupAsync } from "./logging"; import { CleanupLevel, + getCodeQLDatabasePath, getErrorMessage, isInTestMode, tryGetFolderBytes, @@ -176,11 +177,12 @@ const MAX_CACHE_OPERATION_MS = 600_000; * @param warningPrefix Prefix for the check failure warning message * @returns True if the verification succeeded, false otherwise */ -function checkOverlayBaseDatabase( +async function checkOverlayBaseDatabase( + codeql: CodeQL, config: Config, logger: Logger, warningPrefix: string, -): boolean { +): Promise { // An overlay-base database should contain the base database OIDs file. const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); if (!fs.existsSync(baseDatabaseOidsFilePath)) { @@ -189,6 +191,29 @@ function checkOverlayBaseDatabase( ); return false; } + + for (const language of config.languages) { + const dbPath = getCodeQLDatabasePath(config, language); + try { + const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); + if ( + resolveDatabaseOutput === undefined || + !("overlayBaseSpecifier" in resolveDatabaseOutput) + ) { + logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); + return false; + } else { + logger.info( + `Overlay base specifier for ${language} overlay-base database found: ` + + `${resolveDatabaseOutput.overlayBaseSpecifier}`, + ); + } + } catch (e) { + logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); + return false; + } + } + return true; } @@ -232,7 +257,8 @@ export async function cleanupAndUploadOverlayBaseDatabaseToCache( return false; } - const databaseIsValid = checkOverlayBaseDatabase( + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, config, logger, "Abort uploading overlay-base database to cache", @@ -415,7 +441,8 @@ export async function downloadOverlayBaseDatabaseFromCache( return undefined; } - const databaseIsValid = checkOverlayBaseDatabase( + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, config, logger, "Downloaded overlay-base database is invalid", From b93926dc35101e6ea6a689056a46b740c274ea87 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 5 Dec 2025 17:19:09 +0000 Subject: [PATCH 03/13] Update changelog and version after v4.31.7 --- CHANGELOG.md | 4 ++++ package-lock.json | 4 ++-- package.json | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd5fb920f..253485dd4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. +## [UNRELEASED] + +No user facing changes. + ## 4.31.7 - 05 Dec 2025 - Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343) diff --git a/package-lock.json b/package-lock.json index 8cc15a5f5..3d3718239 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "4.31.7", + "version": "4.31.8", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "4.31.7", + "version": "4.31.8", "license": "MIT", "dependencies": { "@actions/artifact": "^4.0.0", diff --git a/package.json b/package.json index 32ea9facb..6d892ecbb 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "4.31.7", + "version": "4.31.8", "private": true, "description": "CodeQL action", "scripts": { From 97c2630b10bd11032a1791444ba86763b11a21e1 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 5 Dec 2025 17:21:46 +0000 Subject: [PATCH 04/13] Rebuild --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 88d0665c5..e333304f1 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 95d689b05..29ce929c4 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 58ebe893f..b1c5ece96 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 1dc786114..1855833c5 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action.js b/lib/init-action.js index 94cb71839..8898c1eb8 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 95681d88a..095d85e39 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 757a371df..437b605f6 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index ac38fef38..7f461a22c 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 7d282a3d2..16f308b6a 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -47321,7 +47321,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 421bf23eb..b35c4d665 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -28924,7 +28924,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index ab66301a4..8c466d1a3 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index d0f6b08e2..3a822f9a9 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { From 5b7e7fcc9c5a25e1129581e9733c0f6fb5078a71 Mon Sep 17 00:00:00 2001 From: Kasper Svendsen Date: Tue, 9 Dec 2025 09:41:33 +0100 Subject: [PATCH 05/13] Update src/codeql.ts Co-authored-by: Henry Mercer --- src/codeql.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/codeql.ts b/src/codeql.ts index f59793193..33dd0db98 100644 --- a/src/codeql.ts +++ b/src/codeql.ts @@ -232,7 +232,7 @@ export interface VersionInfo { } export interface ResolveDatabaseOutput { - [key: string]: string | [string]; + overlayBaseSpecifier?: string; } export interface ResolveLanguagesOutput { From 002a7f25fdbaa5bc68ab7b87a336015eebea0b1f Mon Sep 17 00:00:00 2001 From: Kasper Svendsen Date: Tue, 9 Dec 2025 09:44:56 +0100 Subject: [PATCH 06/13] Overlay: log overlayBaseSpecifier at debug log-level --- lib/analyze-action.js | 2 +- lib/init-action.js | 2 +- src/overlay-database-utils.ts | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index c4d488ab8..070787928 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -88528,7 +88528,7 @@ async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); return false; } else { - logger.info( + logger.debug( `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` ); } diff --git a/lib/init-action.js b/lib/init-action.js index 0af2f67e8..e74d27c82 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -85930,7 +85930,7 @@ async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); return false; } else { - logger.info( + logger.debug( `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` ); } diff --git a/src/overlay-database-utils.ts b/src/overlay-database-utils.ts index 7db248bd1..921fd0b8e 100644 --- a/src/overlay-database-utils.ts +++ b/src/overlay-database-utils.ts @@ -203,7 +203,7 @@ async function checkOverlayBaseDatabase( logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); return false; } else { - logger.info( + logger.debug( `Overlay base specifier for ${language} overlay-base database found: ` + `${resolveDatabaseOutput.overlayBaseSpecifier}`, ); From 2930dba17ac868bf1d3114f09837dbfb9619aa05 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 11 Dec 2025 15:46:14 +0000 Subject: [PATCH 07/13] Update default bundle to codeql-bundle-v2.23.8 --- lib/analyze-action.js | 4 ++-- lib/autobuild-action.js | 4 ++-- lib/defaults.json | 8 ++++---- lib/init-action-post.js | 4 ++-- lib/init-action.js | 4 ++-- lib/setup-codeql-action.js | 4 ++-- lib/start-proxy-action.js | 4 ++-- lib/upload-lib.js | 4 ++-- lib/upload-sarif-action.js | 4 ++-- src/defaults.json | 8 ++++---- 10 files changed, 24 insertions(+), 24 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 48520792c..7ba381fc2 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -88211,8 +88211,8 @@ var path4 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index c7b2d5909..36f094bde 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -83701,8 +83701,8 @@ var path3 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs2 = __toESM(require("fs")); diff --git a/lib/defaults.json b/lib/defaults.json index 04929fab3..6f3dc42bf 100644 --- a/lib/defaults.json +++ b/lib/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.23.7", - "cliVersion": "2.23.7", - "priorBundleVersion": "codeql-bundle-v2.23.6", - "priorCliVersion": "2.23.6" + "bundleVersion": "codeql-bundle-v2.23.8", + "cliVersion": "2.23.8", + "priorBundleVersion": "codeql-bundle-v2.23.7", + "priorCliVersion": "2.23.7" } diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 6699c08ca..04c9c69fe 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -123084,8 +123084,8 @@ var path4 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/init-action.js b/lib/init-action.js index 77524b00a..d1beb6611 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -85635,8 +85635,8 @@ var path5 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 4b4c28abc..49ab3bf48 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -83589,8 +83589,8 @@ var path4 = __toESM(require("path")); var semver3 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 16f308b6a..e70a7412b 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -99720,8 +99720,8 @@ function getActionsLogger() { var core7 = __toESM(require_core()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/languages.ts var KnownLanguage = /* @__PURE__ */ ((KnownLanguage2) => { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 3ee72bb5c..245288bc2 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -86724,8 +86724,8 @@ var path4 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 2efce8797..fd314e6ac 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -86505,8 +86505,8 @@ var path4 = __toESM(require("path")); var semver3 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/src/defaults.json b/src/defaults.json index 04929fab3..6f3dc42bf 100644 --- a/src/defaults.json +++ b/src/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.23.7", - "cliVersion": "2.23.7", - "priorBundleVersion": "codeql-bundle-v2.23.6", - "priorCliVersion": "2.23.6" + "bundleVersion": "codeql-bundle-v2.23.8", + "cliVersion": "2.23.8", + "priorBundleVersion": "codeql-bundle-v2.23.7", + "priorCliVersion": "2.23.7" } From db812c1ae639aa466b2b1f4a921f823c54371173 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 11 Dec 2025 15:46:24 +0000 Subject: [PATCH 08/13] Add changelog note --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 253485dd4..0589f45cd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -No user facing changes. +- Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354) ## 4.31.7 - 05 Dec 2025 From 120f277b1613fcef1261eb850ba9b01ca444bbef Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 11 Dec 2025 17:23:34 +0000 Subject: [PATCH 09/13] Update changelog for v4.31.8 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0589f45cd..f91b413d6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## [UNRELEASED] +## 4.31.8 - 11 Dec 2025 - Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354) From 827017f97be1b865f90ba42239a3a5a257228b31 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 12 Dec 2025 08:46:31 +0000 Subject: [PATCH 10/13] Revert "Update version and changelog for v3.31.7" This reverts commit 793f7006bb3c6eeffc198e247d501ec4e76593bb. --- CHANGELOG.md | 31 +++++++++++++++++++------------ package.json | 2 +- 2 files changed, 20 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c42359f6a..bd5fb920f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,52 +2,52 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## 3.31.7 - 05 Dec 2025 +## 4.31.7 - 05 Dec 2025 - Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343) -## 3.31.6 - 01 Dec 2025 +## 4.31.6 - 01 Dec 2025 No user facing changes. -## 3.31.5 - 24 Nov 2025 +## 4.31.5 - 24 Nov 2025 - Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321) -## 3.31.4 - 18 Nov 2025 +## 4.31.4 - 18 Nov 2025 No user facing changes. -## 3.31.3 - 13 Nov 2025 +## 4.31.3 - 13 Nov 2025 - CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/). - Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288) -## 3.31.2 - 30 Oct 2025 +## 4.31.2 - 30 Oct 2025 No user facing changes. -## 3.31.1 - 30 Oct 2025 +## 4.31.1 - 30 Oct 2025 - The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced. -## 3.31.0 - 24 Oct 2025 +## 4.31.0 - 24 Oct 2025 - Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223) - When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222) -## 3.30.9 - 17 Oct 2025 +## 4.30.9 - 17 Oct 2025 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205) - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204) -## 3.30.8 - 10 Oct 2025 +## 4.30.8 - 10 Oct 2025 No user facing changes. -## 3.30.7 - 06 Oct 2025 +## 4.30.7 - 06 Oct 2025 -No user facing changes. +- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169) ## 3.30.6 - 02 Oct 2025 @@ -283,13 +283,17 @@ No user facing changes. ## 3.26.12 - 07 Oct 2024 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520) + - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version. + - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action. ## 3.26.11 - 03 Oct 2024 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts. + Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then. + This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES. - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519) @@ -412,9 +416,12 @@ No user facing changes. ## 3.25.0 - 15 Apr 2024 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224) + As a result, the following inputs and environment variables are now ignored: + - The `setup-python-dependencies` input to the `init` Action - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable + We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0. - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229) - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232) diff --git a/package.json b/package.json index b52362232..32ea9facb 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "3.31.7", + "version": "4.31.7", "private": true, "description": "CodeQL action", "scripts": { From 2d9c0b97afc12b9e39058e3926f2d2a8c0dbdba1 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 12 Dec 2025 08:46:32 +0000 Subject: [PATCH 11/13] Revert "Rebuild" This reverts commit 817dbfb39b59fdd720cf48a800d33a21ed4ed3a2. --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 54ee7cf67..88d0665c5 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 376e49aae..95d689b05 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 7ae64e64c..58ebe893f 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 4e850acb3..1dc786114 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action.js b/lib/init-action.js index 04809ab6d..94cb71839 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index ce4216b8c..95681d88a 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index bbd253732..757a371df 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 2f0880052..ac38fef38 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index cc727363e..7d282a3d2 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -47321,7 +47321,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 8f403a7b1..421bf23eb 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -28924,7 +28924,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 778876762..ab66301a4 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index aefec4ba5..d0f6b08e2 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { From 5676d1f64a56d2c4aba43ef28f5b89fbacb47f96 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 12 Dec 2025 08:46:33 +0000 Subject: [PATCH 12/13] Update version and changelog for v3.31.8 --- CHANGELOG.md | 33 +++++++++++++-------------------- package.json | 2 +- 2 files changed, 14 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f91b413d6..223e81f02 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,56 +2,56 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## 4.31.8 - 11 Dec 2025 +## 3.31.8 - 11 Dec 2025 - Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354) -## 4.31.7 - 05 Dec 2025 +## 3.31.7 - 05 Dec 2025 - Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343) -## 4.31.6 - 01 Dec 2025 +## 3.31.6 - 01 Dec 2025 No user facing changes. -## 4.31.5 - 24 Nov 2025 +## 3.31.5 - 24 Nov 2025 - Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321) -## 4.31.4 - 18 Nov 2025 +## 3.31.4 - 18 Nov 2025 No user facing changes. -## 4.31.3 - 13 Nov 2025 +## 3.31.3 - 13 Nov 2025 - CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/). - Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288) -## 4.31.2 - 30 Oct 2025 +## 3.31.2 - 30 Oct 2025 No user facing changes. -## 4.31.1 - 30 Oct 2025 +## 3.31.1 - 30 Oct 2025 - The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced. -## 4.31.0 - 24 Oct 2025 +## 3.31.0 - 24 Oct 2025 - Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223) - When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222) -## 4.30.9 - 17 Oct 2025 +## 3.30.9 - 17 Oct 2025 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205) - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204) -## 4.30.8 - 10 Oct 2025 +## 3.30.8 - 10 Oct 2025 No user facing changes. -## 4.30.7 - 06 Oct 2025 +## 3.30.7 - 06 Oct 2025 -- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169) +No user facing changes. ## 3.30.6 - 02 Oct 2025 @@ -287,17 +287,13 @@ No user facing changes. ## 3.26.12 - 07 Oct 2024 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520) - - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version. - - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action. ## 3.26.11 - 03 Oct 2024 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts. - Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then. - This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES. - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519) @@ -420,12 +416,9 @@ No user facing changes. ## 3.25.0 - 15 Apr 2024 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224) - As a result, the following inputs and environment variables are now ignored: - - The `setup-python-dependencies` input to the `init` Action - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable - We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0. - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229) - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232) diff --git a/package.json b/package.json index 6d892ecbb..cde9ef43c 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "4.31.8", + "version": "3.31.8", "private": true, "description": "CodeQL action", "scripts": { From 74951318a2c267206a15275c44c77d5ba2e15e8b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 12 Dec 2025 08:53:47 +0000 Subject: [PATCH 13/13] Rebuild --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index ffcc4512d..9aa87ae0a 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 7ba381fc2..6e41faafe 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 36f094bde..1474f4c85 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 04c9c69fe..97f0a97ab 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action.js b/lib/init-action.js index d1beb6611..1c5229c30 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 8f176bce1..0a0d253a4 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 49ab3bf48..21cc1ead5 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 7f461a22c..bd64d3a25 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index e70a7412b..57d068867 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -47321,7 +47321,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 245288bc2..2e14fc3de 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -28924,7 +28924,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 8c466d1a3..7aa28c4b8 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index fd314e6ac..258657711 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: {