Merge pull request #3430 from github/backport-v3.32.0-b20883b0c

Merge releases/v4 into releases/v3

.github/workflows/__build-mode-autobuild.yml

@@ -76,6 +76,14 @@ jobs:
         with:
           java-version: ${{ inputs.java-version || '17' }}
           distribution: temurin
+      - name: Install yq
+        if: runner.os == 'Windows'
+        env:
+          YQ_PATH: ${{ runner.temp }}/yq
+          YQ_VERSION: v4.50.1
+        run: |-
+          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
+          echo "$YQ_PATH" >> "$GITHUB_PATH"
       - name: Set up Java test repo configuration
         run: |
           mv * .github ../action/tests/multi-language-repo/
@@ -90,11 +98,6 @@ jobs:
           languages: java
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-      - name: Install yq
-        if: runner.os == 'Windows'
-        run: |
-          choco install yq -y
-
       - name: Validate database build mode
         run: |
           metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"

.github/workflows/update-bundle.yml

@@ -57,6 +57,24 @@ jobs:
       - name: Update bundle
         uses: ./.github/actions/update-bundle
 
+      - name: Bump Action minor version if new CodeQL minor version series
+        id: bump-action-version
+        run: |
+          prior_cli_version=$(jq -r '.priorCliVersion' src/defaults.json)
+          cli_version=$(jq -r '.cliVersion' src/defaults.json)
+
+          prior_minor=$(echo "$prior_cli_version" | cut -d. -f2)
+          current_minor=$(echo "$cli_version" | cut -d. -f2)
+
+          if [[ "$current_minor" != "$prior_minor" ]]; then
+            echo "New CodeQL minor version series ($prior_cli_version -> $cli_version), bumping Action minor version"
+            npm version minor --no-git-tag-version
+            echo "bumped=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "Same minor version series ($prior_cli_version -> $cli_version), skipping Action version bump"
+            echo "bumped=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Rebuild Action
         run: npm run build
 
@@ -71,11 +89,19 @@ jobs:
       - name: Open pull request
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ACTION_VERSION_BUMPED: ${{ steps.bump-action-version.outputs.bumped }}
         run: |
           cli_version=$(jq -r '.cliVersion' src/defaults.json)
+          action_version=$(jq -r '.version' package.json)
+
+          pr_body="This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version."
+          if [[ "$ACTION_VERSION_BUMPED" == "true" ]]; then
+            pr_body+=$'\n\n'"Since this is a new CodeQL minor version series, this PR also bumps the Action version to $action_version."
+          fi
+
           pr_url=$(gh pr create \
             --title "Update default bundle to $cli_version" \
-            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
+            --body "$pr_body" \
             --assignee "$GITHUB_ACTOR" \
             --draft \
           )

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## 3.32.0 - 26 Jan 2026
+
+- Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425)
+
 ## 3.31.11 - 23 Jan 2026
 
 - When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://github.com/github/codeql-action/pull/3409)

lib/analyze-action-post.js

@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.11",
+      version: "3.32.0",
       private: true,
       description: "CodeQL action",
       scripts: {

lib/analyze-action.js

@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.11",
+      version: "3.32.0",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -90695,8 +90695,8 @@ var path5 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));

lib/autobuild-action.js

@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.11",
+      version: "3.32.0",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -87198,8 +87198,8 @@ var path3 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs2 = __toESM(require("fs"));

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.9",
-  "cliVersion": "2.23.9",
-  "priorBundleVersion": "codeql-bundle-v2.23.8",
-  "priorCliVersion": "2.23.8"
+  "bundleVersion": "codeql-bundle-v2.24.0",
+  "cliVersion": "2.24.0",
+  "priorBundleVersion": "codeql-bundle-v2.23.9",
+  "priorCliVersion": "2.23.9"
 }

lib/init-action-post.js

@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.11",
+      version: "3.32.0",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -127658,8 +127658,8 @@ var path4 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));

lib/init-action.js

@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.11",
+      version: "3.32.0",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -88149,8 +88149,8 @@ var path6 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));

lib/resolve-environment-action.js

@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.11",
+      version: "3.32.0",
       private: true,
       description: "CodeQL action",
       scripts: {

lib/setup-codeql-action.js

@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.11",
+      version: "3.32.0",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -87072,8 +87072,8 @@ var path4 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));

lib/start-proxy-action-post.js

@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.11",
+      version: "3.32.0",
       private: true,
       description: "CodeQL action",
       scripts: {

lib/start-proxy-action.js

@@ -45284,7 +45284,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.11",
+      version: "3.32.0",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -103963,8 +103963,8 @@ function getActionsLogger() {
 var core7 = __toESM(require_core());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/languages.ts
 var KnownLanguage = /* @__PURE__ */ ((KnownLanguage2) => {

lib/upload-lib.js

@@ -27975,7 +27975,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.11",
+      version: "3.32.0",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -90225,8 +90225,8 @@ var path4 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));

lib/upload-sarif-action-post.js

@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.11",
+      version: "3.32.0",
       private: true,
       description: "CodeQL action",
       scripts: {

lib/upload-sarif-action.js

@@ -26678,7 +26678,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.31.11",
+      version: "3.32.0",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -89992,8 +89992,8 @@ var path4 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "4.31.11",
+  "version": "4.32.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "4.31.11",
+      "version": "4.32.0",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^5.0.2",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.31.11",
+  "version": "3.32.0",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

pr-checks/checks/build-mode-autobuild.yml

@@ -3,6 +3,7 @@ description: "An end-to-end integration test of a Java repository built using 'b
 operatingSystems: ["ubuntu", "windows"]
 versions: ["linked", "nightly-latest"]
 installJava: "true"
+installYq: "true"
 steps:
   - name: Set up Java test repo configuration
     run: |
@@ -18,11 +19,6 @@ steps:
       languages: java
       tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-  - name: Install yq
-    if: runner.os == 'Windows'
-    run: |
-      choco install yq -y
-
   - name: Validate database build mode
     run: |
       metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"

pr-checks/sync.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 import ruamel.yaml
-from ruamel.yaml.scalarstring import SingleQuotedScalarString
+from ruamel.yaml.scalarstring import SingleQuotedScalarString, LiteralScalarString
 import pathlib
 import os
 
@@ -223,6 +223,25 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
             }
         })
 
+    installYq = is_truthy(checkSpecification.get('installYq', ''))
+
+    if installYq:
+        steps.append({
+            'name': 'Install yq',
+            'if': "runner.os == 'Windows'",
+            'env': {
+                'YQ_PATH': '${{ runner.temp }}/yq',
+                # This is essentially an arbitrary version of `yq`, which happened to be the one that
+                # `choco` fetched when we moved away from using that here.
+                # See https://github.com/github/codeql-action/pull/3423
+                'YQ_VERSION': 'v4.50.1'
+            },
+            'run': LiteralScalarString(
+                'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"\n'
+                'echo "$YQ_PATH" >> "$GITHUB_PATH"'
+            ),
+        })
+
     # If container initialisation steps are present in the check specification,
     # make sure to execute them first.
     if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.9",
-  "cliVersion": "2.23.9",
-  "priorBundleVersion": "codeql-bundle-v2.23.8",
-  "priorCliVersion": "2.23.8"
+  "bundleVersion": "codeql-bundle-v2.24.0",
+  "cliVersion": "2.24.0",
+  "priorBundleVersion": "codeql-bundle-v2.23.9",
+  "priorCliVersion": "2.23.9"
 }