Merge pull request #3447 from github/update-v4.32.1-f52cbc830

Merge main into releases/v4
Add a couple of change notes
2026-05-04 04:40:09 +00:00 · 2026-02-02 07:09:16 -08:00 · 2026-02-02 14:32:28 +00:00 · 2026-02-02 12:13:48 +00:00 · 2026-02-02 03:49:48 -08:00 · 2026-02-02 10:51:35 +00:00
150 changed files with 785498 additions and 542662 deletions
@@ -0,0 +1,6 @@
+name: Verify that the best-effort debug artifact scan completed
+description: Verifies that the best-effort debug artifact scan completed successfully during tests
+runs:
+  using: node24
+  main: index.js
+  post: post.js
@@ -0,0 +1,2 @@
+// The main step is a no-op, since we can only verify artifact scan completion in the post step.
+console.log("Will verify artifact scan completion in the post step.");
@@ -0,0 +1,11 @@
+// Post step - runs after the workflow completes, when artifact scan has finished
+const process = require("process");
+
+const scanFinished = process.env.CODEQL_ACTION_ARTIFACT_SCAN_FINISHED;
+
+if (scanFinished !== "true") {
+  console.error("Error: Best-effort artifact scan did not complete. Expected CODEQL_ACTION_ARTIFACT_SCAN_FINISHED=true");
+  process.exit(1);
+}
+
+console.log("✓ Best-effort artifact scan completed successfully");
@@ -4,14 +4,15 @@ updates:
    directory: "/"
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
+      exclude:
+        - "@actions/*"
    labels:
      - Rebuild
    # Ignore incompatible dependency updates
    ignore:
-      # There is a type incompatibility issue between v0.0.9 and our other dependencies.
-      - dependency-name: "@octokit/plugin-retry"
-        versions: ["~6.0.0"]
-      # This is broken due to the way configuration files have changed. 
+      # This is broken due to the way configuration files have changed.
      # This might be fixed when we move to eslint v9.
      - dependency-name: "eslint-plugin-import"
        versions: [">=2.30.0"]
@@ -28,6 +29,10 @@ updates:
      - "/.github/actions"
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
+      exclude:
+        - "actions/*"
    labels:
      - Rebuild
    groups:
@@ -34,7 +34,7 @@ Products:

 Environments:

- **Dotcom** - Impacts CodeQL workflows on `github.com`.
+- **Dotcom** - Impacts CodeQL workflows on `github.com` and/or GitHub Enterprise Cloud with Data Residency.
 - **GHES** - Impacts CodeQL workflows on GitHub Enterprise Server.
 - **Testing/None** - This change does not impact any CodeQL workflows in production.

@@ -48,8 +48,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  all-platform-bundle:
    strategy:
@@ -58,8 +58,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  analyze-ref-input:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: autobuild-action-${{github.ref}}-${{inputs.dotnet-version}}
 jobs:
  autobuild-action:
    strategy:
@@ -38,8 +38,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
 jobs:
  autobuild-direct-tracing-with-working-dir:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: autobuild-working-dir-${{github.ref}}
 jobs:
  autobuild-working-dir:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-autobuild-${{github.ref}}-${{inputs.java-version}}
 jobs:
  build-mode-autobuild:
    strategy:
@@ -76,6 +76,14 @@ jobs:
        with:
          java-version: ${{ inputs.java-version || '17' }}
          distribution: temurin
+      - name: Install yq
+        if: runner.os == 'Windows'
+        env:
+          YQ_PATH: ${{ runner.temp }}/yq
+          YQ_VERSION: v4.50.1
+        run: |-
+          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
+          echo "$YQ_PATH" >> "$GITHUB_PATH"
      - name: Set up Java test repo configuration
        run: |
          mv * .github ../action/tests/multi-language-repo/
@@ -90,11 +98,6 @@ jobs:
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

-      - name: Install yq
-        if: runner.os == 'Windows'
-        run: |
-          choco install yq -y
-
      - name: Validate database build mode
        run: |
          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
@@ -48,8 +48,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  build-mode-manual:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-none-${{github.ref}}
 jobs:
  build-mode-none:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-rollback-${{github.ref}}
 jobs:
  build-mode-rollback:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-from-toolcache-${{github.ref}}
 jobs:
  bundle-from-toolcache:
    strategy:
@@ -56,7 +56,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache
+        run: npm install @actions/tool-cache@3
      - name: Check toolcache contains CodeQL
        continue-on-error: true
        uses: actions/github-script@v8
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-toolcache-${{github.ref}}
 jobs:
  bundle-toolcache:
    strategy:
@@ -68,7 +68,7 @@ jobs:
            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
            fs.rmdirSync(codeqlPath, { recursive: true });
      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache
+        run: npm install @actions/tool-cache@3
      - name: Check toolcache does not contain CodeQL
        uses: actions/github-script@v8
        with:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-zstd-${{github.ref}}
 jobs:
  bundle-zstd:
    strategy:
@@ -79,7 +79,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -0,0 +1,87 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - CCR
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ccr-${{github.ref}}
+jobs:
+  ccr:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: stable-v2.19.4
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: CCR
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        id: init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - uses: ./../action/analyze
+        id: analysis
+        with:
+          upload-database: false
+
+    env:
+      CODEQL_ACTION_ANALYSIS_KEY: dynamic/copilot-pull-request-reviewer/codeql-action-test
+      CODEQL_ACTION_TEST_MODE: true
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cleanup-db-cluster-dir-${{github.ref}}
 jobs:
  cleanup-db-cluster-dir:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: config-export-${{github.ref}}
 jobs:
  config-export:
    strategy:
@@ -67,7 +67,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: config-input-${{github.ref}}
 jobs:
  config-input:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cpp-deptrace-disabled-${{github.ref}}
 jobs:
  cpp-deptrace-disabled:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cpp-deptrace-enabled-on-macos-${{github.ref}}
 jobs:
  cpp-deptrace-enabled-on-macos:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cpp-deptrace-enabled-${{github.ref}}
 jobs:
  cpp-deptrace-enabled:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: diagnostics-export-${{github.ref}}
 jobs:
  diagnostics-export:
    strategy:
@@ -78,7 +78,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -48,8 +48,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  export-file-baseline-information:
    strategy:
@@ -99,7 +100,7 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -124,5 +125,6 @@ jobs:
            fi
          done
    env:
+      CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS: false
      CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
      CODEQL_ACTION_TEST_MODE: true
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: extractor-ram-threads-${{github.ref}}
 jobs:
  extractor-ram-threads:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: global-proxy-${{github.ref}}
 jobs:
  global-proxy:
    strategy:
@@ -48,18 +48,6 @@ jobs:
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-  # These steps are required to initialise the `gh` cli in a container that doesn't
-  # come pre-installed with it. The reason for that is that this is later
-  # needed by the `prepare-test` workflow to find the latest release of CodeQL.
-      - name: Set up GitHub CLI
-        run: |
-          apt update
-          apt install -y curl libreadline8 gnupg2 software-properties-common zstd
-          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-key add /usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-add-repository https://cli.github.com/packages
-          apt install -y gh
-        env: {}
      - name: Check out repository
        uses: actions/checkout@v6
      - name: Prepare test
@@ -76,6 +64,7 @@ jobs:
      - uses: ./../action/analyze
    env:
      https_proxy: http://squid-proxy:3128
+      CODEQL_ACTION_TOLERATE_MISSING_GIT_VERSION: true
      CODEQL_ACTION_TEST_MODE: true
    container:
      image: ubuntu:22.04
@@ -48,8 +48,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  go-custom-queries:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-indirect-tracing-workaround-diagnostic-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround-diagnostic:
    strategy:
@@ -38,8 +38,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround-no-file-program:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-indirect-tracing-workaround-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-indirect-tracing-workaround:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-tracing-autobuilder-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-tracing-autobuilder:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-tracing-custom-build-steps-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-tracing-custom-build-steps:
    strategy:
@@ -38,8 +38,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-tracing-legacy-workflow-${{github.ref}}-${{inputs.go-version}}
 jobs:
  go-tracing-legacy-workflow:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: init-with-registries-${{github.ref}}
 jobs:
  init-with-registries:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: javascript-source-root-${{github.ref}}
 jobs:
  javascript-source-root:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: job-run-uuid-sarif-${{github.ref}}
 jobs:
  job-run-uuid-sarif:
    strategy:
@@ -64,7 +64,7 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: language-aliases-${{github.ref}}
 jobs:
  language-aliases:
    strategy:
@@ -58,8 +58,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  local-bundle:
    strategy:
@@ -58,8 +58,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  multi-language-autodetect:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: overlay-init-fallback-${{github.ref}}
 jobs:
  overlay-init-fallback:
    strategy:
@@ -58,8 +58,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -48,8 +48,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -48,8 +48,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-config-js:
    strategy:
@@ -48,8 +48,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  packaging-inputs-js:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: quality-queries-${{github.ref}}
 jobs:
  quality-queries:
    strategy:
@@ -83,7 +83,7 @@ jobs:
          post-processed-sarif-path: ${{ runner.temp }}/post-processed
      - name: Upload security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
        with:
          name: |
            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -91,14 +91,14 @@ jobs:
          retention-days: 7
      - name: Upload quality SARIF
        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
        with:
          name: |
            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
          path: ${{ runner.temp }}/results/javascript.quality.sarif
          retention-days: 7
      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
        with:
          name: |
            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -58,8 +58,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  remote-config:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: resolve-environment-action-${{github.ref}}
 jobs:
  resolve-environment-action:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: rubocop-multi-language-${{github.ref}}
 jobs:
  rubocop-multi-language:
    strategy:
@@ -56,7 +56,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71 # v1.268.0
+        uses: ruby/setup-ruby@90be1154f987f4dc0fe0dd0feedac9e473aa4ba8 # v1.286.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ruby-${{github.ref}}
 jobs:
  ruby:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: rust-${{github.ref}}
 jobs:
  rust:
    strategy:
@@ -48,8 +48,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: split-workflow-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  split-workflow:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: start-proxy-${{github.ref}}
 jobs:
  start-proxy:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: submit-sarif-failure-${{github.ref}}
 jobs:
  submit-sarif-failure:
    strategy:
@@ -28,8 +28,8 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: swift-autobuild-${{github.ref}}
 jobs:
  swift-autobuild:
    strategy:
@@ -48,8 +48,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
  swift-custom-build:
    strategy:
@@ -58,8 +58,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  unset-environment:
    strategy:
@@ -58,8 +58,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -58,8 +58,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  upload-sarif:
    strategy:
@@ -58,8 +58,9 @@ defaults:
  run:
    shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
  with-checkout-path:
    strategy:
@@ -6,6 +6,11 @@ env:
  # Diff informed queries add an additional query filter which is not yet
  # taken into account by these tests.
  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
+  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
+  # query filter. Here we only enable for the default code scanning suite.
+  CODEQL_ACTION_OVERLAY_ANALYSIS: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
+  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true

 on:
  push:
@@ -58,6 +58,8 @@ jobs:
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '9.x'
+      - name: Assert best-effort artifact scan completed
+        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -83,7 +85,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
@@ -54,6 +54,8 @@ jobs:
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '9.x'
+      - name: Assert best-effort artifact scan completed
+        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
      - uses: ./../action/init
        id: init
        with:
@@ -77,7 +79,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
@@ -123,26 +123,15 @@ jobs:
      - name: Prepare partial Changelog
        env:
          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ steps.getVersion.outputs.version }}"
        run: |
-          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py CHANGELOG.md > $PARTIAL_CHANGELOG

          echo "::group::Partial CHANGELOG"
          cat $PARTIAL_CHANGELOG
          echo "::endgroup::"

-      - name: Create mergeback branch and PR
-        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
-        uses: ./.github/actions/prepare-mergeback-branch
-        with:
-          base: "${{ env.BASE_BRANCH }}"
-          head: "${{ env.HEAD_BRANCH }}"
-          branch: "${{ steps.getVersion.outputs.newBranch }}"
-          version: "${{ steps.getVersion.outputs.version }}"
-          token: "${{ secrets.GITHUB_TOKEN }}"
-
      - name: Generate token
-        uses: actions/create-github-app-token@v2.2.0
+        uses: actions/create-github-app-token@v2.2.1
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -161,3 +150,13 @@ jobs:
            --latest=false \
            --title "$VERSION" \
            --notes-file "$PARTIAL_CHANGELOG"
+
+      - name: Create mergeback branch and PR
+        if: ${{ endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
+        uses: ./.github/actions/prepare-mergeback-branch
+        with:
+          base: "${{ env.BASE_BRANCH }}"
+          head: "${{ env.HEAD_BRANCH }}"
+          branch: "${{ steps.getVersion.outputs.newBranch }}"
+          version: "${{ steps.getVersion.outputs.version }}"
+          token: "${{ secrets.GITHUB_TOKEN }}"
@@ -127,9 +127,8 @@ jobs:
        env:
          NEW_CHANGELOG: "${{ runner.temp }}/new_changelog.md"
          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ needs.prepare.outputs.version }}"
        run: |
-          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG "$VERSION" > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG > $PARTIAL_CHANGELOG

          echo "::group::Partial CHANGELOG"
          cat $PARTIAL_CHANGELOG
@@ -137,7 +136,7 @@ jobs:

      - name: Generate token
        if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v2.2.0
+        uses: actions/create-github-app-token@v2.2.1
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -1,9 +1,14 @@
+#!/usr/bin/env python3
 import os
 import re

+cli_version = os.environ['CLI_VERSION']
+
+# The GitHub Release for the new bundle version.
+bundle_release_url = f"https://github.com/github/codeql-action/releases/tag/codeql-bundle-v{cli_version}"
 # Get the PR number from the PR URL.
 pr_number = os.environ['PR_URL'].split('/')[-1]
-changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+changelog_note = f"- Update default CodeQL bundle version to [{cli_version}]({bundle_release_url}). [#{pr_number}]({os.environ['PR_URL']})"

 # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
 with open('CHANGELOG.md', 'r') as f:
@@ -1,3 +1,4 @@
+#!/usr/bin/env python3
 import os
 import sys

@@ -6,7 +7,7 @@ EMPTY_CHANGELOG = 'No changes.\n\n'
 # Prepare the changelog for the new release
 # This function will extract the part of the changelog that
 # we want to include in the new release.
-def extract_changelog_snippet(changelog_file, version_tag):
+def extract_changelog_snippet(changelog_file):
  output = ''
  if (not os.path.exists(changelog_file)):
    output = EMPTY_CHANGELOG
@@ -15,23 +16,20 @@ def extract_changelog_snippet(changelog_file, version_tag):
    with open(changelog_file, 'r') as f:
      lines = f.readlines()

-      # Include everything up to, but excluding the second heading
+      # Include only the contents of the first section
      found_first_section = False
-      for i, line in enumerate(lines):
+      for line in lines:
        if line.startswith('## '):
          if found_first_section:
            break
          found_first_section = True
-        output += line
+        elif found_first_section:
+          output += line

-  output += f"See the full [CHANGELOG.md](https://github.com/github/codeql-action/blob/{version_tag}/CHANGELOG.md) for more information."
-
-  return output
+  return output.strip()


-if len(sys.argv) < 3:
-  raise Exception('Expecting argument: changelog_file version_tag')
+if len(sys.argv) < 2:
+  raise Exception('Expecting argument: changelog_file')
 changelog_file = sys.argv[1]
-version_tag = sys.argv[2]
-
-print(extract_changelog_snippet(changelog_file, version_tag))
+print(extract_changelog_snippet(changelog_file))
@@ -57,6 +57,24 @@ jobs:
      - name: Update bundle
        uses: ./.github/actions/update-bundle

+      - name: Bump Action minor version if new CodeQL minor version series
+        id: bump-action-version
+        run: |
+          prior_cli_version=$(jq -r '.priorCliVersion' src/defaults.json)
+          cli_version=$(jq -r '.cliVersion' src/defaults.json)
+
+          prior_minor=$(echo "$prior_cli_version" | cut -d. -f2)
+          current_minor=$(echo "$cli_version" | cut -d. -f2)
+
+          if [[ "$current_minor" != "$prior_minor" ]]; then
+            echo "New CodeQL minor version series ($prior_cli_version -> $cli_version), bumping Action minor version"
+            npm version minor --no-git-tag-version
+            echo "bumped=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "Same minor version series ($prior_cli_version -> $cli_version), skipping Action version bump"
+            echo "bumped=false" >> "$GITHUB_OUTPUT"
+          fi
+
      - name: Rebuild Action
        run: npm run build

@@ -71,11 +89,19 @@ jobs:
      - name: Open pull request
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ACTION_VERSION_BUMPED: ${{ steps.bump-action-version.outputs.bumped }}
        run: |
          cli_version=$(jq -r '.cliVersion' src/defaults.json)
+          action_version=$(jq -r '.version' package.json)
+
+          pr_body="This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version."
+          if [[ "$ACTION_VERSION_BUMPED" == "true" ]]; then
+            pr_body+=$'\n\n'"Since this is a new CodeQL minor version series, this PR also bumps the Action version to $action_version."
+          fi
+
          pr_url=$(gh pr create \
            --title "Update default bundle to $cli_version" \
-            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
+            --body "$pr_body" \
            --assignee "$GITHUB_ACTOR" \
            --draft \
          )
@@ -93,7 +93,7 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@v2.2.0
+      uses: actions/create-github-app-token@v2.2.1
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -2,10 +2,34 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

-## [UNRELEASED]
+## 4.32.1 - 02 Feb 2026
+
+- A warning is now shown in Default Setup workflow logs if a [private package registry is configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) using a GitHub Personal Access Token (PAT), but no username is configured. [#3422](https://github.com/github/codeql-action/pull/3422)
+- Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. [#3421](https://github.com/github/codeql-action/pull/3421)
+
+## 4.32.0 - 26 Jan 2026
+
+- Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425)
+
+## 4.31.11 - 23 Jan 2026
+
+- When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://github.com/github/codeql-action/pull/3409)
+- Improved error handling throughout the CodeQL Action. [#3415](https://github.com/github/codeql-action/pull/3415)
+- Added experimental support for automatically excluding [generated files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github) from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. [#3318](https://github.com/github/codeql-action/pull/3318)
+- The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. [#3403](https://github.com/github/codeql-action/pull/3403)
+
+## 4.31.10 - 12 Jan 2026
+
+- Update default CodeQL bundle version to 2.23.9. [#3393](https://github.com/github/codeql-action/pull/3393)
+
+## 4.31.9 - 16 Dec 2025

 No user facing changes.

+## 4.31.8 - 11 Dec 2025
+
+- Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354)
+
 ## 4.31.7 - 05 Dec 2025

 - Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343)
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.7",
-  "cliVersion": "2.23.7",
-  "priorBundleVersion": "codeql-bundle-v2.23.6",
-  "priorCliVersion": "2.23.6"
+  "bundleVersion": "codeql-bundle-v2.24.0",
+  "cliVersion": "2.24.0",
+  "priorBundleVersion": "codeql-bundle-v2.23.9",
+  "priorCliVersion": "2.23.9"
 }
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.31.8",
+  "version": "4.32.1",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -24,17 +24,17 @@
  },
  "license": "MIT",
  "dependencies": {
-    "@actions/artifact": "^4.0.0",
+    "@actions/artifact": "^5.0.3",
    "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
-    "@actions/cache": "^4.1.0",
-    "@actions/core": "^1.11.1",
-    "@actions/exec": "^1.1.1",
-    "@actions/github": "^6.0.0",
+    "@actions/cache": "^5.0.5",
+    "@actions/core": "^2.0.3",
+    "@actions/exec": "^2.0.0",
+    "@actions/github": "^8.0.0",
    "@actions/glob": "^0.5.0",
    "@actions/http-client": "^3.0.0",
    "@actions/io": "^2.0.0",
-    "@actions/tool-cache": "^2.0.2",
-    "@octokit/plugin-retry": "^6.0.0",
+    "@actions/tool-cache": "^3.0.1",
+    "@octokit/plugin-retry": "^8.0.0",
    "@schemastore/package": "0.0.10",
    "archiver": "^7.0.1",
    "fast-deep-equal": "^3.1.3",
@@ -43,15 +43,15 @@
    "js-yaml": "^4.1.1",
    "jsonschema": "1.4.1",
    "long": "^5.3.2",
-    "node-forge": "^1.3.2",
+    "node-forge": "^1.3.3",
    "semver": "^7.7.3",
    "uuid": "^13.0.0"
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^2.0.0",
+    "@eslint/compat": "^2.0.1",
    "@eslint/eslintrc": "^3.3.3",
-    "@eslint/js": "^9.39.1",
+    "@eslint/js": "^9.39.2",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^16.0.0",
    "@types/archiver": "^7.0.0",
@@ -61,20 +61,20 @@
    "@types/node-forge": "^1.3.14",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^21.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.48.0",
+    "@typescript-eslint/eslint-plugin": "^8.53.1",
    "@typescript-eslint/parser": "^8.48.0",
    "ava": "^6.4.1",
-    "esbuild": "^0.27.0",
+    "esbuild": "^0.27.2",
    "eslint": "^8.57.1",
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-filenames": "^1.3.2",
    "eslint-plugin-github": "^5.1.8",
    "eslint-plugin-import": "2.29.1",
-    "eslint-plugin-jsdoc": "^61.4.1",
+    "eslint-plugin-jsdoc": "^62.3.0",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.1.0",
    "nock": "^14.0.10",
-    "sinon": "^21.0.0",
+    "sinon": "^21.0.1",
    "typescript": "^5.9.3"
  },
  "overrides": {
@@ -3,6 +3,7 @@ description: "An end-to-end integration test of a Java repository built using 'b
 operatingSystems: ["ubuntu", "windows"]
 versions: ["linked", "nightly-latest"]
 installJava: "true"
+installYq: "true"
 steps:
  - name: Set up Java test repo configuration
    run: |
@@ -18,11 +19,6 @@ steps:
      languages: java
      tools: ${{ steps.prepare-test.outputs.tools-url }}

-  - name: Install yq
-    if: runner.os == 'Windows'
-    run: |
-      choco install yq -y
-
  - name: Validate database build mode
    run: |
      metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
@@ -4,7 +4,7 @@ versions:
  - toolcache
 steps:
  - name: Install @actions/tool-cache
-    run: npm install @actions/tool-cache
+    run: npm install @actions/tool-cache@3
  - name: Check toolcache contains CodeQL
    continue-on-error: true
    uses: actions/github-script@v8
@@ -16,7 +16,7 @@ steps:
        const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
        fs.rmdirSync(codeqlPath, { recursive: true });
  - name: Install @actions/tool-cache
-    run: npm install @actions/tool-cache
+    run: npm install @actions/tool-cache@3
  - name: Check toolcache does not contain CodeQL
    uses: actions/github-script@v8
    with:
@@ -27,7 +27,7 @@ steps:
      output: ${{ runner.temp }}/results
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
    with:
      name: ${{ matrix.os }}-zstd-bundle.sarif
      path: ${{ runner.temp }}/results/javascript.sarif
@@ -0,0 +1,16 @@
+name: "CCR"
+description: "A standard analysis in CCR mode"
+env:
+  CODEQL_ACTION_ANALYSIS_KEY: "dynamic/copilot-pull-request-reviewer/codeql-action-test"
+steps:
+  - uses: ./../action/init
+    id: init
+    with:
+      languages: javascript
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+  - uses: ./../action/analyze
+    id: analysis
+    with:
+      upload-database: false
+
@@ -12,7 +12,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
    with:
      name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -25,7 +25,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
    with:
      name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -5,6 +5,7 @@ versions: ["nightly-latest"]
 installGo: true
 installDotNet: true
 env:
+  CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS: false
  CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
 steps:
  - uses: ./../action/init
@@ -18,7 +19,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
    with:
      name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -3,19 +3,6 @@ description: "Tests using a proxy specified by the https_proxy environment varia
 versions: ["linked", "nightly-latest"]
 container:
  image: ubuntu:22.04
-container-init-steps:
-  # These steps are required to initialise the `gh` cli in a container that doesn't
-  # come pre-installed with it. The reason for that is that this is later
-  # needed by the `prepare-test` workflow to find the latest release of CodeQL. 
-  name: Set up GitHub CLI
-  run: |
-    apt update
-    apt install -y curl libreadline8 gnupg2 software-properties-common zstd
-    curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
-    apt-key add /usr/share/keyrings/githubcli-archive-keyring.gpg
-    apt-add-repository https://cli.github.com/packages
-    apt install -y gh
-  env: {}
 services:
  squid-proxy:
    image: ubuntu/squid:latest
@@ -23,6 +10,7 @@ services:
      - 3128:3128
 env:
  https_proxy: http://squid-proxy:3128
+  CODEQL_ACTION_TOLERATE_MISSING_GIT_VERSION: true
 steps:
  - uses: ./../action/init
    with:
@@ -11,7 +11,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
    with:
      name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
@@ -39,7 +39,7 @@ steps:
      post-processed-sarif-path: "${{ runner.temp }}/post-processed"
  - name: Upload security SARIF
    if: contains(matrix.analysis-kinds, 'code-scanning')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
    with:
      name: |
        quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -47,14 +47,14 @@ steps:
      retention-days: 7
  - name: Upload quality SARIF
    if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
    with:
      name: |
        quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
      path: "${{ runner.temp }}/results/javascript.quality.sarif"
      retention-days: 7
  - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
    with:
      name: |
        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71 # v1.268.0
+    uses: ruby/setup-ruby@90be1154f987f4dc0fe0dd0feedac9e473aa4ba8 # v1.286.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
@@ -1,7 +1,7 @@
 #!/usr/bin/env python

 import ruamel.yaml
-from ruamel.yaml.scalarstring import SingleQuotedScalarString
+from ruamel.yaml.scalarstring import SingleQuotedScalarString, LiteralScalarString
 import pathlib
 import os

@@ -223,6 +223,25 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
            }
        })

+    installYq = is_truthy(checkSpecification.get('installYq', ''))
+
+    if installYq:
+        steps.append({
+            'name': 'Install yq',
+            'if': "runner.os == 'Windows'",
+            'env': {
+                'YQ_PATH': '${{ runner.temp }}/yq',
+                # This is essentially an arbitrary version of `yq`, which happened to be the one that
+                # `choco` fetched when we moved away from using that here.
+                # See https://github.com/github/codeql-action/pull/3423
+                'YQ_VERSION': 'v4.50.1'
+            },
+            'run': LiteralScalarString(
+                'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"\n'
+                'echo "$YQ_PATH" >> "$GITHUB_PATH"'
+            ),
+        })
+
    # If container initialisation steps are present in the check specification,
    # make sure to execute them first.
    if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:
@@ -271,6 +290,10 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):

    raw_file = this_dir.parent / ".github" / "workflows" / f"__{checkName}.yml.raw"
    with open(raw_file, 'w', newline='\n') as output_stream:
+        extraGroupName = ""
+        for inputName in workflowInputs.keys():
+            extraGroupName += "-${{inputs." + inputName + "}}"
+
        writeHeader(output_stream)
        yaml.dump({
            'name': f"PR Check - {checkSpecification['name']}",
@@ -305,9 +328,15 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
                # For other events, the new workflows should wait until earlier ones have finished.
                # This should help reduce the number of concurrent workflows on the repo, and
                # consequently the number of concurrent API requests.
-                'cancel-in-progress': "${{ github.event_name == 'pull_request' }}",
-                # The group is determined by the workflow name + the ref
-                'group': "${{ github.workflow }}-${{ github.ref }}"
+                # Note, the `|| false` is intentional to rule out that this somehow ends up being
+                # `true` since we observed workflows for non-`pull_request` events getting cancelled.
+                'cancel-in-progress': "${{ github.event_name == 'pull_request' || false }}",
+                # The group is determined by the workflow name, the ref, and the input values.
+                # The base name is hard-coded to avoid issues when the workflow is triggered by
+                # a `workflow_call` event (where `github.workflow` would be the name of the caller).
+                # The input values are added, since they may result in different behaviour for a
+                # given workflow on the same ref.
+                'group': checkName + "-${{github.ref}}" + extraGroupName
            },
            'jobs': {
                checkName: checkJob
@@ -5,6 +5,9 @@ import {
  fixCodeQualityCategory,
  getPullRequestBranches,
  isAnalyzingPullRequest,
+  isCCR,
+  isDefaultSetup,
+  isDynamicWorkflow,
 } from "./actions-util";
 import { computeAutomationID } from "./api-client";
 import { EnvVar } from "./environment";
@@ -246,3 +249,24 @@ test("fixCodeQualityCategory", (t) => {
    },
  );
 });
+
+test("isDynamicWorkflow() returns true if event name is `dynamic`", (t) => {
+  process.env.GITHUB_EVENT_NAME = "dynamic";
+  t.assert(isDynamicWorkflow());
+  process.env.GITHUB_EVENT_NAME = "push";
+  t.false(isDynamicWorkflow());
+});
+
+test("isCCR() returns true when expected", (t) => {
+  process.env.GITHUB_EVENT_NAME = "dynamic";
+  process.env[EnvVar.ANALYSIS_KEY] = "dynamic/copilot-pull-request-reviewer";
+  t.assert(isCCR());
+  t.false(isDefaultSetup());
+});
+
+test("isDefaultSetup() returns true when expected", (t) => {
+  process.env.GITHUB_EVENT_NAME = "dynamic";
+  process.env[EnvVar.ANALYSIS_KEY] = "dynamic/github-code-scanning";
+  t.assert(isDefaultSetup());
+  t.false(isCCR());
+});
--- a/Show More
+++ b/Show More