ensure branch protection script targets all release branches

change to node20 for all actions

.github/actions/check-sarif/action.yml

@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: 'node20'
+  using: node20
   main: index.js

.github/workflows/debug-artifacts-failure.yml

@@ -39,11 +39,11 @@ jobs:
         uses: ./.github/actions/prepare-test
         with:
           version: latest
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: ^1.13.1
       - name: Setup Python on MacOS
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         if: |
           matrix.os == 'macos-latest' && (
           matrix.version == 'stable-20220908' ||

.github/workflows/debug-artifacts.yml

@@ -46,11 +46,11 @@ jobs:
         uses: ./.github/actions/prepare-test
         with:
           version: ${{ matrix.version }}
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: ^1.13.1
       - name: Setup Python on MacOS
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         if: |
           matrix.os == 'macos-latest' && (
           matrix.version == 'stable-20220908' ||

.github/workflows/pr-checks.yml

@@ -17,7 +17,7 @@ jobs:
 
     strategy:
       matrix:
-        node-types-version: [16.11, current] # run tests on 16.11 while codeql-action v2 is still supported
+        node-types-version: [16.11, current] # run tests on 16.11 while CodeQL Action v2 is still supported
 
     steps:
       - name: Checkout
@@ -71,7 +71,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.11
 
@@ -96,7 +96,7 @@ jobs:
 
     steps:
       - name: Setup Python on MacOS
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         if: |
           matrix.os == 'macos-latest' && (
           matrix.version == 'stable-20220908' ||
@@ -115,44 +115,43 @@ jobs:
           npm config set script-shell bash
           npm test
 
-  check-backport-node-versions:
+  check-node-version:
     if: ${{ github.event.pull_request }}
-    name: Check node version for backports
+    name: Check Action Node versions
     runs-on: ubuntu-latest
     timeout-minutes: 45
     env:
-      BASE_REF: ${{ github.event.pull_request.base }}
+      BASE_REF: ${{ github.base_ref }}
 
     steps:
       - uses: actions/checkout@v4
       - id: head-version
-        name: check HEAD node version
+        name: Verify all Actions use the same Node version
         run: |
-          # NB we are matching the node version string both with and without single quotes
-          NODE_VERSION=$(find . -name "*.yml" -exec grep -oh "using: 'node[0-9][0-9]\|using: node[0-9][0-9]" {} \; | sed -e "s/using: '//g" -e "s/using: //g" | sort | uniq)
+          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
           echo "NODE_VERSION: ${NODE_VERSION}"
           if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
-            echo "Error: More than one node version used in actions."
+            echo "::error::More than one node version used in 'action.yml' files."
             exit 1
           fi
           echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
 
       - id: checkout-base
-        name: check out base ref for backport check
-        if: ${{ startsWith(github.ref_name, 'backport-v') }}
+        name: 'Backport: Check out base ref'
+        if: ${{ startsWith(github.head_ref, 'backport-') }}
         uses: actions/checkout@v4
         with:
           ref: ${{ env.BASE_REF }}
 
-      - name: compare with node version on base ref for backport check
+      - name: 'Backport: Verify Node versions unchanged'
         if: steps.checkout-base.outcome == 'success'
         env:
           HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
         run: |
-          BASE_VERSION=$(find . -name "*.yml" -exec grep -oh "using: 'node[0-9][0-9]\|using: node[0-9][0-9]" {} \; | sed -e "s/using: '//g" -e "s/using: //g" | sort | uniq)
+          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
           echo "HEAD_VERSION: ${HEAD_VERSION}"
           echo "BASE_VERSION: ${BASE_VERSION}"
           if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
-            echo "Error: Cannot change node version in a backport PR."
+            echo "::error::Cannot change the Node version of an Action in a backport PR."
             exit 1
           fi

.github/workflows/python-deps.yml

@@ -37,7 +37,7 @@ jobs:
 
     steps:
     - name: Setup Python on MacOS
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       if: |
         matrix.os == 'macos-latest' && (
         matrix.version == 'stable-20220908' ||
@@ -151,7 +151,7 @@ jobs:
     # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
     - uses: actions/checkout@v4
 
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python_version }}
 

.github/workflows/python312-windows.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: windows-latest
 
     steps:
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@v5
       with:
         python-version: 3.12
 

.github/workflows/rebuild.yml

@@ -31,7 +31,7 @@ jobs:
           npm run build
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.11
 

.github/workflows/script/update-required-checks.sh

@@ -29,7 +29,10 @@ echo "$CHECKS" | jq
 
 echo "{\"contexts\": ${CHECKS}}" > checks.json
 
-for BRANCH in main releases/v2; do
+# retrieve lists of branches on origin that match releases/v[0-9]*, putting them on same line
+RELEASE_BRANCHES="$(git ls-remote --heads origin 'releases/v[0-9]*' | sed -e 's/.*refs\/heads\///' | sort -V | tr '\n' ' ')"
+
+for BRANCH in main $RELEASE_BRANCHES; do
   echo "Updating $BRANCH"
   gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
 done

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Setup Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.7"
       - name: Checkout CodeQL Action

CHANGELOG.md

@@ -6,6 +6,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 - [v3+ only] The CodeQL Action now runs on Node.js v20. [#2006](https://github.com/github/codeql-action/pull/2006)
 
+## 2.22.10 - 12 Dec 2023
+
+- Update default CodeQL bundle version to 2.15.4. [#2016](https://github.com/github/codeql-action/pull/2016)
+
 ## 2.22.9 - 07 Dec 2023
 
 No user facing changes.

analyze/action.yml

@@ -84,6 +84,6 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: 'node20'
+  using: node20
   main: "../lib/analyze-action.js"
   post: "../lib/analyze-action-post.js"

autobuild/action.yml

@@ -13,5 +13,5 @@ inputs:
       $GITHUB_WORKSPACE as its working directory.
     required: false
 runs:
-  using: 'node20'
+  using: node20
   main: '../lib/autobuild-action.js'

init/action.yml

@@ -109,6 +109,6 @@ outputs:
   codeql-path:
     description: The path of the CodeQL binary used for analysis
 runs:
-  using: 'node20'
+  using: node20
   main: '../lib/init-action.js'
   post: '../lib/init-action-post.js'

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.15.3",
-    "cliVersion": "2.15.3",
-    "priorBundleVersion": "codeql-bundle-v2.15.2",
-    "priorCliVersion": "2.15.2"
+    "bundleVersion": "codeql-bundle-v2.15.4",
+    "cliVersion": "2.15.4",
+    "priorBundleVersion": "codeql-bundle-v2.15.3",
+    "priorCliVersion": "2.15.3"
 }

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.22.10",
+  "version": "3.22.11",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "3.22.10",
+  "version": "3.22.11",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "3.22.10",
+      "version": "3.22.11",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^1.1.2",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.22.10",
+  "version": "3.22.11",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

resolve-environment/action.yml

@@ -19,5 +19,5 @@ outputs:
   environment:
     description: The inferred build environment configuration.
 runs:
-  using: 'node20'
+  using: node20
   main: '../lib/resolve-environment-action.js'

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.15.3",
-  "cliVersion": "2.15.3",
-  "priorBundleVersion": "codeql-bundle-v2.15.2",
-  "priorCliVersion": "2.15.2"
+  "bundleVersion": "codeql-bundle-v2.15.4",
+  "cliVersion": "2.15.4",
+  "priorBundleVersion": "codeql-bundle-v2.15.3",
+  "priorCliVersion": "2.15.3"
 }

upload-sarif/action.yml

@@ -34,5 +34,5 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: 'node20'
+  using: node20
   main: '../lib/upload-sarif-action.js'