Merge pull request #3951 from github/mergeback/v4.36.2-to-main-8aad20d1

Mergeback v4.36.2 refs/heads/releases/v4 into main

CHANGELOG.md

@@ -4,6 +4,12 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
+No user facing changes.
+
+## 4.36.2 - 04 Jun 2026
+
+- Cache CodeQL CLI version information across Actions steps. [#3943](https://github.com/github/codeql-action/pull/3943)
+- Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. [#3937](https://github.com/github/codeql-action/pull/3937)
 - Update default CodeQL bundle version to [2.25.6](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6). [#3948](https://github.com/github/codeql-action/pull/3948)
 
 ## 4.36.1 - 02 Jun 2026

lib/entry-points.js

@@ -148398,7 +148398,7 @@ function getDiffRangesJsonFilePath() {
   return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.36.2";
+  return "4.36.3";
 }
 function getWorkflowEventName() {
   return getRequiredEnvParam("GITHUB_EVENT_NAME");

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "4.36.2",
+  "version": "4.36.3",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "4.36.2",
+      "version": "4.36.3",
       "license": "MIT",
       "workspaces": [
         "pr-checks"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.36.2",
+  "version": "4.36.3",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

src/codeql.ts

@@ -736,26 +736,21 @@ async function getCodeQLForCmd(
       await runCli(cmd, args);
     },
     async resolveLanguages() {
-      let result = util.getCachedCodeQlResolveLanguages(cmd);
-      if (result === undefined) {
-        const codeqlArgs = [
-          "resolve",
-          "languages",
-          "--format=json",
-          ...getExtraOptionsFromEnv(["resolve", "languages"]),
-        ];
-        const output = await runCli(cmd, codeqlArgs);
+      const codeqlArgs = [
+        "resolve",
+        "languages",
+        "--format=json",
+        ...getExtraOptionsFromEnv(["resolve", "languages"]),
+      ];
+      const output = await runCli(cmd, codeqlArgs);
 
-        try {
-          result = JSON.parse(output) as ResolveLanguagesOutput;
-        } catch (e) {
-          throw new Error(
-            `Unexpected output from codeql resolve languages: ${e}`,
-          );
-        }
-        util.cacheCodeQlResolveLanguages(cmd, result);
+      try {
+        return JSON.parse(output) as ResolveLanguagesOutput;
+      } catch (e) {
+        throw new Error(
+          `Unexpected output from codeql resolve languages: ${e}`,
+        );
       }
-      return result;
     },
     async betterResolveLanguages(
       {
@@ -974,11 +969,32 @@ async function getCodeQLForCmd(
       await new toolrunner.ToolRunner(cmd, args).exec();
     },
     async resolveExtractor(language: Language): Promise<string> {
-      // A previous implementation executed `codeql resolve extractor`.
-      // This can be a bit slow due to the JVM startup cost. Instead, get
-      // the extractor path from resolveLanguages(), which caches its output.
-      const extractors = await this.resolveLanguages();
-      return extractors[language][0];
+      // Request it using `format=json` so we don't need to strip the trailing new line generated by
+      // the CLI.
+      let extractorPath = "";
+      await new toolrunner.ToolRunner(
+        cmd,
+        [
+          "resolve",
+          "extractor",
+          "--format=json",
+          `--language=${language}`,
+          "--extractor-include-aliases",
+          ...getExtraOptionsFromEnv(["resolve", "extractor"]),
+        ],
+        {
+          silent: true,
+          listeners: {
+            stdout: (data) => {
+              extractorPath += data.toString();
+            },
+            stderr: (data) => {
+              process.stderr.write(data);
+            },
+          },
+        },
+      ).exec();
+      return JSON.parse(extractorPath) as string;
     },
     async resolveQueriesStartingPacks(queries: string[]): Promise<string[]> {
       const codeqlArgs = [

src/environment.ts

@@ -23,12 +23,6 @@ export enum EnvVar {
    */
   CODEQL_VERSION_INFO = "CODEQL_ACTION_CLI_VERSION_INFO",
 
-  /**
-   * `ResolveLanguagesOutput` for the CodeQL CLI, so later Actions steps can reuse it instead of
-   * invoking `codeql resolve languages` again.
-   */
-  CODEQL_RESOLVE_LANGUAGES = "CODEQL_ACTION_CLI_RESOLVE_LANGUAGES",
-
   /** Whether the CodeQL Action has invoked the Go autobuilder. */
   DID_AUTOBUILD_GOLANG = "CODEQL_ACTION_DID_AUTOBUILD_GOLANG",
 

src/util.ts

@@ -10,7 +10,7 @@ import * as yaml from "js-yaml";
 import * as semver from "semver";
 
 import * as apiCompatibility from "./api-compatibility.json";
-import type { CodeQL, VersionInfo, ResolveLanguagesOutput } from "./codeql";
+import type { CodeQL, VersionInfo } from "./codeql";
 import type { Pack } from "./config/db-config";
 import type { Config } from "./config-utils";
 import { EnvVar } from "./environment";
@@ -701,75 +701,6 @@ export function getCachedCodeQlVersion(cmd?: string): undefined | VersionInfo {
   return cachedCodeQlVersion;
 }
 
-let cachedCodeQlResolveLanguages: undefined | ResolveLanguagesOutput =
-  undefined;
-
-interface PersistedResolveLanguagesOutput {
-  cmd: string;
-  output: ResolveLanguagesOutput;
-}
-
-export function cacheCodeQlResolveLanguages(
-  cmd: string,
-  output: ResolveLanguagesOutput,
-): void {
-  if (cachedCodeQlResolveLanguages !== undefined) {
-    throw new Error("cacheCodeQlResolveLanguages() should be called only once");
-  }
-  cachedCodeQlResolveLanguages = output;
-  // Persist the output so that subsequent Actions steps, which run in separate
-  // processes, can reuse it rather than invoking `codeql resolve languages` again. We
-  // record the CLI path so that a different step using a different CodeQL bundle
-  // doesn't pick up a stale output.
-  core.exportVariable(
-    EnvVar.CODEQL_RESOLVE_LANGUAGES,
-    JSON.stringify({ cmd, output }),
-  );
-}
-
-function isPersistedResolveLanguagesOutput(
-  value: unknown,
-): value is PersistedResolveLanguagesOutput {
-  return (
-    typeof value === "object" &&
-    value !== null &&
-    typeof (value as Record<string, unknown>).cmd === "string" &&
-    typeof (value as Record<string, unknown>).output === "object" &&
-    (value as Record<string, unknown>).output !== null
-  );
-}
-
-export function getCachedCodeQlResolveLanguages(
-  cmd?: string,
-): undefined | ResolveLanguagesOutput {
-  if (cachedCodeQlResolveLanguages !== undefined) {
-    return cachedCodeQlResolveLanguages;
-  }
-  // Fall back to the value persisted by an earlier Actions step, if any. This is
-  // best-effort: any malformed or mismatched value is ignored so that the caller
-  // invokes `codeql resolve languages` instead.
-  const serialized = process.env[EnvVar.CODEQL_RESOLVE_LANGUAGES];
-  if (!serialized) {
-    return undefined;
-  }
-  let persisted: unknown;
-  try {
-    persisted = JSON.parse(serialized);
-  } catch {
-    return undefined;
-  }
-  if (
-    !isPersistedResolveLanguagesOutput(persisted) ||
-    (cmd !== undefined && persisted.cmd !== cmd)
-  ) {
-    return undefined;
-  }
-  // Memoize the parsed value so that subsequent calls in this process don't
-  // re-parse the environment variable.
-  cachedCodeQlResolveLanguages = persisted.output;
-  return cachedCodeQlResolveLanguages;
-}
-
 export async function codeQlVersionAtLeast(
   codeql: CodeQL,
   requiredVersion: string,