Update changelog and version after v4.35.5

CHANGELOG.md

@@ -2,12 +2,13 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## 4.35.5 - 15 May 2026
+## [UNRELEASED]
 
-- We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#3899](https://github.com/github/codeql-action/pull/3899)
-- For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791)
-- If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
-- Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
+No user facing changes.
+
+## v4.35.5 - 14 May 2026
+
+This release rolls back 4.35.4 due to issues with that release. It is identical to 0.0.0.
 
 ## 4.35.4 - 07 May 2026
 
@@ -1208,3 +1209,4 @@ No user facing changes.
 - Add this changelog file. [#507](https://github.com/github/codeql-action/pull/507)
 - Improve grouping of analysis logs. Add a new log group containing a summary of metrics and diagnostics, if they were produced by CodeQL builtin queries. [#515](https://github.com/github/codeql-action/pull/515)
 - Add metrics and diagnostics summaries from custom query suites to the analysis summary log group. [#532](https://github.com/github/codeql-action/pull/532)
+

analyze/action.yml

@@ -95,5 +95,5 @@ outputs:
     description: The ID of the uploaded SARIF file.
 runs:
   using: node24
-  main: "../lib/analyze-entry.js"
-  post: "../lib/analyze-post-entry.js"
+  main: "../lib/analyze-action.js"
+  post: "../lib/analyze-action-post.js"

autobuild/action.yml

@@ -16,4 +16,4 @@ inputs:
     required: false
 runs:
   using: node24
-  main: '../lib/autobuild-entry.js'
+  main: '../lib/autobuild-action.js'

build.mjs

@@ -1,5 +1,5 @@
-import { copyFile, readFile, rm, writeFile } from "node:fs/promises";
-import { basename, dirname, join } from "node:path";
+import { copyFile, rm, writeFile } from "node:fs/promises";
+import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 
 import * as esbuild from "esbuild";
@@ -62,123 +62,18 @@ const onEndPlugin = {
   },
 };
 
-/** The name of the virtual `entry-points` module. */
-const SHARED_ENTRYPOINT = "entry-points";
-
-/**
- * This plugin finds all source files that contain action entry points.
- * It then generates the virtual `entry-points` module which imports all identifies files,
- * and re-exports their `runWrapper` functions with suitable aliases.
- * A tiny stub file is emitted for each Action entrypoint. Each stub imports the shared bundle
- * and calls the respective entry point.
- *
- * @type {esbuild.Plugin}
- */
-const entryPointsPlugin = {
-  name: "entry-points",
-  setup(build) {
-    const namespace = "actions";
-    const actions = [];
-
-    const toPascal = (s) =>
-      s.replace(/(^|-)([a-z0-9])/gi, (_, __, c) => c.toUpperCase());
-
-    // Find the source files containing action entry points.
-    build.onStart(() => {
-      const actionFiles = globSync("src/*-action{,-post}.ts");
-      for (const actionFile of actionFiles) {
-        const match = basename(actionFile).match(/(.*)-action(-post)?/);
-
-        if (match.length < 2) {
-          throw new Error(`'${actionFile}' didn't match expected pattern.`);
-        }
-
-        const actionName = match[1];
-        const isPost = match[2] !== undefined;
-
-        actions.push({
-          path: actionFile,
-          name: actionName,
-          isPost,
-          pascalCaseName: `${toPascal(actionName)}${isPost ? "Post" : ""}Action`,
-        });
-      }
-    });
-
-    // Resolve the virtual `entry-points` file and set the corresponding namespace.
-    // Ideally, we'd `RegExp.escape` the entrypoint here, but that API isn't supported in Node 20.
-    // Since we're dealing with a hardcoded string, this isn't too much of a problem.
-    build.onResolve({ filter: new RegExp(`^${SHARED_ENTRYPOINT}$`) }, () => {
-      return { path: SHARED_ENTRYPOINT, namespace };
-    });
-
-    // Generate the virtual `entry-points` file based on the actions we discovered.
-    // Restrict using the namespace. The path filter does not need to discriminate any further.
-    build.onLoad({ filter: /.*/, namespace }, async () => {
-      const wrapperTemplatePath = "entry-wrapper.js.tpl";
-      const wrapperTemplate = await readFile(
-        join(SRC_DIR, wrapperTemplatePath),
-        "utf-8",
-      );
-
-      const actionsSorted = actions.sort((a, b) =>
-        a.name.localeCompare(b.name),
-      );
-      const imports = actionsSorted
-        .map(
-          (action) =>
-            `import * as ${action.pascalCaseName} from "./src/${basename(action.path)}"`,
-        )
-        .join("\n");
-      const wrappers = actionsSorted
-        .map((action) =>
-          wrapperTemplate.replaceAll("__ACTION__", action.pascalCaseName),
-        )
-        .join("\n\n");
-
-      return {
-        contents: `"use strict";\n${imports}\n\n${wrappers}\n`,
-        resolveDir: ".",
-        loader: "ts",
-      };
-    });
-
-    // Emit entry point stubs for each action using the entry template.
-    build.onEnd(async (result) => {
-      // Read the entry point template.
-      const templatePath = "action-entry.js.tpl";
-      const template = await readFile(join(SRC_DIR, templatePath), "utf-8");
-
-      const makeHeader = (sourceFile) =>
-        `// Automatically generated from '${templatePath}' for 'src/${basename(sourceFile)}'.\n\n`;
-
-      // Write entry point stubs for each action.
-      for (const action of actions) {
-        await writeFile(
-          join(
-            OUT_DIR,
-            `${action.name}${action.isPost ? "-post" : ""}-entry.js`,
-          ),
-          makeHeader(action.path) +
-            template.replaceAll("__ACTION__", action.pascalCaseName),
-        );
-      }
-    });
-  },
-};
-
 const context = await esbuild.context({
   // Include upload-lib.ts as an entry point for use in testing environments.
-  entryPoints: [
-    { in: SHARED_ENTRYPOINT, out: SHARED_ENTRYPOINT },
-    join(SRC_DIR, "upload-lib.ts"),
-  ],
+  entryPoints: globSync([
+    `${SRC_DIR}/*-action.ts`,
+    `${SRC_DIR}/*-action-post.ts`,
+    "src/upload-lib.ts",
+  ]),
   bundle: true,
   format: "cjs",
   outdir: OUT_DIR,
   platform: "node",
-  external: ["./entry-points"],
-  plugins: [cleanPlugin, copyDefaultsPlugin, entryPointsPlugin, onEndPlugin],
+  plugins: [cleanPlugin, copyDefaultsPlugin, onEndPlugin],
   target: ["node20"],
   define: {
     __CODEQL_ACTION_VERSION__: JSON.stringify(pkg.version),

init/action.yml

@@ -171,5 +171,5 @@ outputs:
     description: The version of the CodeQL binary used for analysis
 runs:
   using: node24
-  main: '../lib/init-entry.js'
-  post: '../lib/init-post-entry.js'
+  main: '../lib/init-action.js'
+  post: '../lib/init-action-post.js'

lib/analyze-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/analyze-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runAnalyzeAction)();

lib/analyze-post-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/analyze-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runAnalyzePostAction)();

lib/autobuild-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/autobuild-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runAutobuildAction)();

lib/init-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/init-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runInitAction)();

lib/init-post-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/init-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runInitPostAction)();

lib/resolve-environment-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/resolve-environment-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runResolveEnvironmentAction)();

lib/setup-codeql-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/setup-codeql-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runSetupCodeqlAction)();

lib/start-proxy-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/start-proxy-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runStartProxyAction)();

lib/start-proxy-post-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/start-proxy-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runStartProxyPostAction)();

lib/upload-sarif-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/upload-sarif-action.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runUploadSarifAction)();

lib/upload-sarif-post-entry.js

@@ -1,6 +0,0 @@
-// Automatically generated from 'action-entry.js.tpl' for 'src/upload-sarif-action-post.ts'.
-
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.runUploadSarifPostAction)();

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "4.35.5",
+  "version": "4.35.6",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "4.35.5",
+      "version": "4.35.6",
       "license": "MIT",
       "workspaces": [
         "pr-checks"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.35.5",
+  "version": "4.35.6",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

resolve-environment/action.yml

@@ -22,4 +22,4 @@ outputs:
     description: The inferred build environment configuration.
 runs:
   using: node24
-  main: '../lib/resolve-environment-entry.js'
+  main: '../lib/resolve-environment-action.js'

setup-codeql/action.yml

@@ -55,4 +55,4 @@ outputs:
     description: The version of the CodeQL binary that was installed.
 runs:
   using: node24
-  main: '../lib/setup-codeql-entry.js'
+  main: '../lib/setup-codeql-action.js'

src/action-entry.js.tpl

@@ -1,4 +0,0 @@
-"use strict";
-
-const import_entry_points = require("./entry-points");
-void (0, import_entry_points.run__ACTION__)();

src/analyze-action-env.test.ts

@@ -3,7 +3,6 @@ import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
 import * as analyze from "./analyze";
-import { runWrapper } from "./analyze-action";
 import * as api from "./api-client";
 import * as configUtils from "./config-utils";
 import * as gitUtils from "./git-utils";
@@ -63,8 +62,14 @@ test("analyze action with RAM & threads from environment variables", async (t) =
 
     const runFinalizeStub = sinon.stub(analyze, "runFinalize");
     const runQueriesStub = sinon.stub(analyze, "runQueries");
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const analyzeAction = require("./analyze-action");
 
-    await runWrapper();
+    // When analyze-action.ts loads, it runs an async function from the top
+    // level but does not wait for it to finish. To ensure that calls to
+    // runFinalize and runQueries are correctly captured by spies, we explicitly
+    // wait for the action promise to complete before starting verification.
+    await analyzeAction.runPromise;
 
     t.assert(
       runFinalizeStub.calledOnceWith(

src/analyze-action-input.test.ts

@@ -3,7 +3,6 @@ import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
 import * as analyze from "./analyze";
-import { runWrapper } from "./analyze-action";
 import * as api from "./api-client";
 import * as configUtils from "./config-utils";
 import * as gitUtils from "./git-utils";
@@ -61,8 +60,14 @@ test("analyze action with RAM & threads from action inputs", async (t) => {
 
     const runFinalizeStub = sinon.stub(analyze, "runFinalize");
     const runQueriesStub = sinon.stub(analyze, "runQueries");
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const analyzeAction = require("./analyze-action");
 
-    await runWrapper();
+    // When analyze-action.ts loads, it runs an async function from the top
+    // level but does not wait for it to finish. To ensure that calls to
+    // runFinalize and runQueries are correctly captured by spies, we explicitly
+    // wait for the action promise to complete before starting verification.
+    await analyzeAction.runPromise;
 
     t.assert(
       runFinalizeStub.calledOnceWith(

src/analyze-action-post.ts

@@ -20,7 +20,7 @@ import { EnvVar } from "./environment";
 import { getActionsLogger } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";
 
-export async function runWrapper() {
+async function runWrapper() {
   // To capture errors appropriately, keep as much code within the try-catch as
   // possible, and only use safe functions outside.
 
@@ -72,3 +72,5 @@ export async function runWrapper() {
     );
   }
 }
+
+void runWrapper();

src/analyze-action.ts

@@ -523,11 +523,14 @@ async function run(startedAt: Date) {
   }
 }
 
-export async function runWrapper() {
-  const startedAt = new Date();
+// Module-level startedAt so it can be accessed by runWrapper for error reporting
+const startedAt = new Date();
+export const runPromise = run(startedAt);
+
+async function runWrapper() {
   const logger = getActionsLogger();
   try {
-    await run(startedAt);
+    await runPromise;
   } catch (error) {
     core.setFailed(`analyze action failed: ${util.getErrorMessage(error)}`);
     await sendUnhandledErrorStatusReport(
@@ -539,3 +542,5 @@ export async function runWrapper() {
   }
   await util.checkForTimeout();
 }
+
+void runWrapper();

src/autobuild-action.ts

@@ -142,7 +142,7 @@ async function run(startedAt: Date) {
   await sendCompletedStatusReport(config, logger, startedAt, languages ?? []);
 }
 
-export async function runWrapper() {
+async function runWrapper() {
   const startedAt = new Date();
   const logger = getActionsLogger();
   try {
@@ -157,3 +157,5 @@ export async function runWrapper() {
     );
   }
 }
+
+void runWrapper();

src/entry-wrapper.js.tpl

@@ -1,3 +0,0 @@
-export async function run__ACTION__() {
-  return await __ACTION__.runWrapper();
-}

src/init-action-post.ts

@@ -207,7 +207,7 @@ function getJobStatusFromEnvironment(): JobStatus | undefined {
   return undefined;
 }
 
-export async function runWrapper() {
+async function runWrapper() {
   const startedAt = new Date();
   const logger = getActionsLogger();
   try {
@@ -222,3 +222,5 @@ export async function runWrapper() {
     );
   }
 }
+
+void runWrapper();

src/init-action.ts

@@ -838,7 +838,7 @@ async function recordZstdAvailability(
   );
 }
 
-export async function runWrapper() {
+async function runWrapper() {
   const startedAt = new Date();
   const logger = getActionsLogger();
   try {
@@ -854,3 +854,5 @@ export async function runWrapper() {
   }
   await checkForTimeout();
 }
+
+void runWrapper();

src/resolve-environment-action.ts

@@ -117,7 +117,7 @@ async function run(startedAt: Date) {
   }
 }
 
-export async function runWrapper() {
+async function runWrapper() {
   const startedAt = new Date();
   const logger = getActionsLogger();
   try {
@@ -137,3 +137,5 @@ export async function runWrapper() {
   }
   await checkForTimeout();
 }
+
+void runWrapper();

src/setup-codeql-action.ts

@@ -196,7 +196,7 @@ async function run(startedAt: Date): Promise<void> {
 }
 
 /** Run the action and catch any unhandled errors. */
-export async function runWrapper(): Promise<void> {
+async function runWrapper(): Promise<void> {
   const startedAt = new Date();
   const logger = getActionsLogger();
   try {
@@ -212,3 +212,5 @@ export async function runWrapper(): Promise<void> {
   }
   await checkForTimeout();
 }
+
+void runWrapper();

src/start-proxy-action-post.ts

@@ -12,7 +12,7 @@ import { uploadArtifacts } from "./debug-artifacts";
 import { getActionsLogger } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";
 
-export async function runWrapper() {
+async function runWrapper() {
   // To capture errors appropriately, keep as much code within the try-catch as
   // possible, and only use safe functions outside.
 
@@ -62,3 +62,5 @@ export async function runWrapper() {
     );
   }
 }
+
+void runWrapper();

src/start-proxy-action.ts

@@ -128,7 +128,7 @@ async function run(startedAt: Date) {
   }
 }
 
-export async function runWrapper() {
+async function runWrapper() {
   const startedAt = new Date();
   const logger = getActionsLogger();
 
@@ -204,3 +204,5 @@ async function startProxy(
 
   return { host, port, cert: config.ca.cert, registries: registry_urls };
 }
+
+void runWrapper();

src/upload-sarif-action-post.ts

@@ -12,7 +12,7 @@ import { EnvVar } from "./environment";
 import { getActionsLogger, withGroup } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";
 
-export async function runWrapper() {
+async function runWrapper() {
   // To capture errors appropriately, keep as much code within the try-catch as
   // possible, and only use safe functions outside.
 
@@ -48,3 +48,5 @@ export async function runWrapper() {
     );
   }
 }
+
+void runWrapper();

src/upload-sarif-action.ts

@@ -165,7 +165,7 @@ async function run(startedAt: Date) {
   }
 }
 
-export async function runWrapper() {
+async function runWrapper() {
   const startedAt = new Date();
   const logger = getActionsLogger();
   try {
@@ -182,3 +182,5 @@ export async function runWrapper() {
     );
   }
 }
+
+void runWrapper();

start-proxy/action.yml

@@ -30,5 +30,5 @@ outputs:
     description: A stringified JSON array of objects containing the types and URLs of the configured registries.
 runs:
   using: node24
-  main: "../lib/start-proxy-entry.js"
-  post: "../lib/start-proxy-post-entry.js"
+  main: "../lib/start-proxy-action.js"
+  post: "../lib/start-proxy-action-post.js"

upload-sarif/action.yml

@@ -42,5 +42,5 @@ outputs:
       { "code-scanning": "some-id", "code-quality": "some-other-id" }
 runs:
   using: node24
-  main: '../lib/upload-sarif-entry.js'
-  post: '../lib/upload-sarif-post-entry.js'
+  main: '../lib/upload-sarif-action.js'
+  post: '../lib/upload-sarif-action-post.js'