github · github-actions · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026 · Jan 24, 2026
@@ -2,6 +2,10 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## 4.31.12 - 26 Jan 2026
+
+- Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425)
+
 ## 4.31.11 - 23 Jan 2026
 
 - When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://github.com/github/codeql-action/pull/3409)

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.9",
-  "cliVersion": "2.23.9",
-  "priorBundleVersion": "codeql-bundle-v2.23.8",
-  "priorCliVersion": "2.23.8"
+  "bundleVersion": "codeql-bundle-v2.24.0",
+  "cliVersion": "2.24.0",
+  "priorBundleVersion": "codeql-bundle-v2.23.9",
+  "priorCliVersion": "2.23.9"
 }
@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.31.11",
+  "version": "4.31.12",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

@@ -3,6 +3,7 @@ description: "An end-to-end integration test of a Java repository built using 'b
 operatingSystems: ["ubuntu", "windows"]
 versions: ["linked", "nightly-latest"]
 installJava: "true"
+installYq: "true"
 steps:
   - name: Set up Java test repo configuration
     run: |
@@ -18,11 +19,6 @@ steps:
       languages: java
       tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-  - name: Install yq
-    if: runner.os == 'Windows'
-    run: |
-      choco install yq -y
-
   - name: Validate database build mode
     run: |
       metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"

@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 import ruamel.yaml
-from ruamel.yaml.scalarstring import SingleQuotedScalarString
+from ruamel.yaml.scalarstring import SingleQuotedScalarString, LiteralScalarString
 import pathlib
 import os
 
@@ -223,6 +223,25 @@ def writeHeader(checkStream):
             }
         })
 
+    installYq = is_truthy(checkSpecification.get('installYq', ''))
+
+    if installYq:
+        steps.append({
+            'name': 'Install yq',
+            'if': "runner.os == 'Windows'",
+            'env': {
+                'YQ_PATH': '${{ runner.temp }}/yq',
+                # This is essentially an arbitrary version of `yq`, which happened to be the one that
+                # `choco` fetched when we moved away from using that here.
+                # See https://github.com/github/codeql-action/pull/3423
+                'YQ_VERSION': 'v4.50.1'
+            },
+            'run': LiteralScalarString(
+                'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"\n'
+                'echo "$YQ_PATH" >> "$GITHUB_PATH"'
+            ),
+        })
+
     # If container initialisation steps are present in the check specification,
     # make sure to execute them first.
     if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.9",
-  "cliVersion": "2.23.9",
-  "priorBundleVersion": "codeql-bundle-v2.23.8",
-  "priorCliVersion": "2.23.8"
+  "bundleVersion": "codeql-bundle-v2.24.0",
+  "cliVersion": "2.24.0",
+  "priorBundleVersion": "codeql-bundle-v2.23.9",
+  "priorCliVersion": "2.23.9"
 }