From 6e162a0930800b47a9211fd1ad0bb93aec5d6221 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 23 Jan 2026 13:53:17 +0000
Subject: [PATCH 01/11] Update changelog and version after v4.31.11

---
 CHANGELOG.md      | 4 ++++
 package-lock.json | 4 ++--
 package.json      | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3369fc4cc6..dd0029b637 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## [UNRELEASED]
+
+No user facing changes.
+
 ## 4.31.11 - 23 Jan 2026
 
 - When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://github.com/github/codeql-action/pull/3409)
diff --git a/package-lock.json b/package-lock.json
index bd0a3d3a6e..a4792f7fdf 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "4.31.11",
+  "version": "4.31.12",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "4.31.11",
+      "version": "4.31.12",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^5.0.2",
diff --git a/package.json b/package.json
index 24d23fe3d9..b09ef89db9 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.31.11",
+  "version": "4.31.12",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

From 7381f9750d1cf0a353c0fa189ef786f4b2b41c22 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 23 Jan 2026 14:48:27 +0000 Subject: [PATCH 02/11] Rebuild --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index beab5657dc..d0e16267ca 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.11", + version: "4.31.12", private: true, description: "CodeQL action", scripts: { diff --git a/lib/analyze-action.js b/lib/analyze-action.js index f2f71755f2..126b0f7ec9 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.11", + version: "4.31.12", private: true, description: "CodeQL action", scripts: { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index bf18e8f556..2e37724d49 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.11", + version: "4.31.12", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 3d35e98242..272e6ee6f1 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.11", + version: "4.31.12", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action.js b/lib/init-action.js index 34a3a1086f..8dfb854c64 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.11", + version: "4.31.12", private: true, description: "CodeQL action", scripts: { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 239f35bcdb..0f6546ca92 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.11", + version: "4.31.12", private: true, description: "CodeQL action", scripts: { diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 6af67bc086..914aad87da 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.11", + version: "4.31.12", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 87fd6605d7..6d42e77685 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.11", + version: "4.31.12", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 16809bda36..39350b8091 100644 --- a/lib/start-proxy-action.js 
+++ b/lib/start-proxy-action.js @@ -45284,7 +45284,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.11", + version: "4.31.12", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 480b83cd56..a59f2e93f4 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -27975,7 +27975,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.11", + version: "4.31.12", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index ba1e4ac450..c7e1156f3e 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.11", + version: "4.31.12", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 6bd0faaded..1855fc99c4 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.11", + version: "4.31.12", private: true, description: "CodeQL action", scripts: { From efea9cca026eff7fe5311a32572d0b8eda9bfdd5 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Sat, 24 Jan 2026 13:43:15 +0000 Subject: [PATCH 03/11] Add `installYq` option to `sync.py` and cache downloads --- .github/workflows/__build-mode-autobuild.yml | 17 ++++++++++----- pr-checks/checks/build-mode-autobuild.yml | 6 +----- pr-checks/sync.py | 22 ++++++++++++++++++++ 3 files changed, 35 insertions(+), 10 deletions(-) 
diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml
index 39ec213811..09fa8aee58 100644
--- a/.github/workflows/__build-mode-autobuild.yml
+++ b/.github/workflows/__build-mode-autobuild.yml
@@ -76,6 +76,18 @@ jobs:
         with:
           java-version: ${{ inputs.java-version || '17' }}
           distribution: temurin
+      - name: Restore choco cache
+        if: runner.os == 'Windows'
+        uses: actions/cache@v5
+        with:
+          key: windows-choco-cache
+          path: ${{ runner.temp }}/windows-choco-cache
+      - name: Install yq
+        if: runner.os == 'Windows'
+        shell: pwsh
+        env:
+          CACHE_DIR: ${{ runner.temp }}/windows-choco-cache
+        run: choco install yq -y --stoponfirstfailure --cache-location=${env:CACHE_DIR}
       - name: Set up Java test repo configuration
         run: |
           mv * .github ../action/tests/multi-language-repo/
@@ -90,11 +102,6 @@ jobs:
           languages: java
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-      - name: Install yq
-        if: runner.os == 'Windows'
-        run: |
-          choco install yq -y
-
       - name: Validate database build mode
         run: |
           metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
diff --git a/pr-checks/checks/build-mode-autobuild.yml b/pr-checks/checks/build-mode-autobuild.yml
index 26b8626f22..8a51926faa 100644
--- a/pr-checks/checks/build-mode-autobuild.yml
+++ b/pr-checks/checks/build-mode-autobuild.yml
@@ -3,6 +3,7 @@ description: "An end-to-end integration test of a Java repository built using 'b
 operatingSystems: ["ubuntu", "windows"]
 versions: ["linked", "nightly-latest"]
 installJava: "true"
+installYq: "true"
 steps:
   - name: Set up Java test repo configuration
     run: |
@@ -18,11 +19,6 @@ steps:
       languages: java
       tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-  - name: Install yq
-    if: runner.os == 'Windows'
-    run: |
-      choco install yq -y
-
   - name: Validate database build mode
     run: |
       metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
diff --git a/pr-checks/sync.py b/pr-checks/sync.py
index 9d1296a549..fbaca470d5 100755
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -223,6 +223,28 @@ def writeHeader(checkStream):
             }
         })
 
+    installYq = is_truthy(checkSpecification.get('installYq', ''))
+
+    if installYq:
+        steps.append({
+            'name': "Restore choco cache",
+            'if': "runner.os == 'Windows'",
+            'uses': 'actions/cache@v5',
+            'with': {
+                'key': 'windows-choco-cache',
+                'path': '${{ runner.temp }}/windows-choco-cache'
+            }
+        })
+        steps.append({
+            'name': 'Install yq',
+            'if': "runner.os == 'Windows'",
+            'shell': 'pwsh',
+            'env': {
+                'CACHE_DIR': '${{ runner.temp }}/windows-choco-cache'
+            },
+            'run': 'choco install yq -y --stoponfirstfailure --cache-location=${env:CACHE_DIR}',
+        })
+
     # If container initialisation steps are present in the check specification,
     # make sure to execute them first.
     if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:

From 605d404db0cf675582be6ebf20124de53bf13043 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale"
Date: Sat, 24 Jan 2026 14:09:33 +0000
Subject: [PATCH 04/11] Install `yq` directly from GitHub release

---
 .github/workflows/__build-mode-autobuild.yml | 13 ++++---------
 pr-checks/sync.py                            | 19 ++++++------------
 2 files changed, 10 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml
index 09fa8aee58..4347905ed3 100644
--- a/.github/workflows/__build-mode-autobuild.yml
+++ b/.github/workflows/__build-mode-autobuild.yml
@@ -76,18 +76,13 @@ jobs:
         with:
           java-version: ${{ inputs.java-version || '17' }}
           distribution: temurin
-      - name: Restore choco cache
-        if: runner.os == 'Windows'
-        uses: actions/cache@v5
-        with:
-          key: windows-choco-cache
-          path: ${{ runner.temp }}/windows-choco-cache
       - name: Install yq
         if: runner.os == 'Windows'
-        shell: pwsh
         env:
-          CACHE_DIR: ${{ runner.temp }}/windows-choco-cache
-        run: choco install yq -y --stoponfirstfailure --cache-location=${env:CACHE_DIR}
+          YQ_PATH: ${{ runner.temp }}/yq
+        run: |-
+          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" v4.50.1 -O "$YQ_PATH/yq.exe"
+          echo "$YQ_PATH" >> "$GITHUB_PATH"
       - name: Set up Java test repo configuration
         run: |
           mv * .github ../action/tests/multi-language-repo/
diff --git a/pr-checks/sync.py b/pr-checks/sync.py
index fbaca470d5..71f86ef521 100755
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 import ruamel.yaml
-from ruamel.yaml.scalarstring import SingleQuotedScalarString
+from ruamel.yaml.scalarstring import SingleQuotedScalarString, LiteralScalarString
 import pathlib
 import os
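Review bot: The new `Install yq` step puts whatever `yq_windows_amd64.exe` the release serves onto `$GITHUB_PATH` with no integrity check, so the tag pins a version name but not the bytes that later steps of this job execute; release assets for an existing tag can be replaced, and the download goes over the network on every run. Add a pinned digest to the step's `env` (`YQ_SHA256: <PINNED_SHA256>`, the value taken from the release's published checksum file and updated together with the version) and verify it between the download and the `$GITHUB_PATH` line with `echo "$YQ_SHA256  $YQ_PATH/yq.exe" | sha256sum -c -`, which fails the step on a mismatch under the bash shell the `>>` redirect already assumes. The same step template is generated by the `sync.py` hunk on the next line and re-emitted by both hunks of patch 05, so the check belongs in the workflow and in `sync.py` alike. The step also sets no `GH_TOKEN`, so `gh` here relies on a token provided at job or workflow level outside this hunk; worth confirming.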
@@ -226,23 +226,16 @@ def writeHeader(checkStream):
     installYq = is_truthy(checkSpecification.get('installYq', ''))
 
     if installYq:
-        steps.append({
-            'name': "Restore choco cache",
-            'if': "runner.os == 'Windows'",
-            'uses': 'actions/cache@v5',
-            'with': {
-                'key': 'windows-choco-cache',
-                'path': '${{ runner.temp }}/windows-choco-cache'
-            }
-        })
         steps.append({
             'name': 'Install yq',
             'if': "runner.os == 'Windows'",
-            'shell': 'pwsh',
             'env': {
-                'CACHE_DIR': '${{ runner.temp }}/windows-choco-cache'
+                'YQ_PATH': '${{ runner.temp }}/yq'
             },
-            'run': 'choco install yq -y --stoponfirstfailure --cache-location=${env:CACHE_DIR}',
+            'run': LiteralScalarString(
+                'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" v4.50.1 -O "$YQ_PATH/yq.exe"\n'
+                'echo "$YQ_PATH" >> "$GITHUB_PATH"'
+            ),
         })
 
     # If container initialisation steps are present in the check specification,

From 3657da1eac4b11c83691b98b74175187b905100a Mon Sep 17 00:00:00 2001
From: "Michael B. Gale"
Date: Mon, 26 Jan 2026 10:59:43 +0000
Subject: [PATCH 05/11] Move `yq` version into env var and add comment

---
 .github/workflows/__build-mode-autobuild.yml | 3 ++-
 pr-checks/sync.py                            | 8 ++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml
index 4347905ed3..749def27ec 100644
--- a/.github/workflows/__build-mode-autobuild.yml
+++ b/.github/workflows/__build-mode-autobuild.yml
@@ -80,8 +80,9 @@ jobs:
         if: runner.os == 'Windows'
         env:
           YQ_PATH: ${{ runner.temp }}/yq
+          YQ_VERSION: v4.50.1
         run: |-
-          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" v4.50.1 -O "$YQ_PATH/yq.exe"
+          gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
           echo "$YQ_PATH" >> "$GITHUB_PATH"
       - name: Set up Java test repo configuration
         run: |
diff --git a/pr-checks/sync.py b/pr-checks/sync.py
index 71f86ef521..77696b91fd 100755
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -230,10 +230,14 @@ def writeHeader(checkStream):
             'name': 'Install yq',
             'if': "runner.os == 'Windows'",
             'env': {
-                'YQ_PATH': '${{ runner.temp }}/yq'
+                'YQ_PATH': '${{ runner.temp }}/yq',
+                # This is essentially an arbitrary version of `yq`, which happened to be the one that
+                # `choco` fetched when we moved away from using that here.
+                # See https://github.com/github/codeql-action/pull/3423
+                'YQ_VERSION': 'v4.50.1'
             },
             'run': LiteralScalarString(
-                'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" v4.50.1 -O "$YQ_PATH/yq.exe"\n'
+                'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"\n'
                 'echo "$YQ_PATH" >> "$GITHUB_PATH"'
             ),
         })

From c62c214723e7c0cdfb907bede6988df3a0640c7e Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 26 Jan 2026 12:16:14 +0000
Subject: [PATCH 06/11] Update default bundle to codeql-bundle-v2.24.0

---
 lib/analyze-action.js      | 4 ++--
 lib/autobuild-action.js    | 4 ++--
 lib/defaults.json          | 8 ++++----
 lib/init-action-post.js    | 4 ++--
 lib/init-action.js         | 4 ++--
 lib/setup-codeql-action.js | 4 ++--
 lib/start-proxy-action.js  | 4 ++--
 lib/upload-lib.js          | 4 ++--
 lib/upload-sarif-action.js | 4 ++--
 src/defaults.json          | 8 ++++----
 10 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 126b0f7ec9..c0e72696bd 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -90695,8 +90695,8 @@ var path5 = __toESM(require("path"));
 var semver5 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.9";
-var cliVersion = "2.23.9";
+var bundleVersion = "codeql-bundle-v2.24.0";
+var cliVersion = "2.24.0";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index 2e37724d49..60ce9439b0 100644
--- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -87198,8 +87198,8 @@ var path3 = __toESM(require("path")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.9"; -var cliVersion = "2.23.9"; +var bundleVersion = "codeql-bundle-v2.24.0"; +var cliVersion = "2.24.0"; // src/overlay-database-utils.ts var fs2 = __toESM(require("fs")); diff --git a/lib/defaults.json b/lib/defaults.json index 8c5ef57bf1..916c098591 100644 --- a/lib/defaults.json +++ b/lib/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.23.9", - "cliVersion": "2.23.9", - "priorBundleVersion": "codeql-bundle-v2.23.8", - "priorCliVersion": "2.23.8" + "bundleVersion": "codeql-bundle-v2.24.0", + "cliVersion": "2.24.0", + "priorBundleVersion": "codeql-bundle-v2.23.9", + "priorCliVersion": "2.23.9" } diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 272e6ee6f1..6ed8113abf 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -127658,8 +127658,8 @@ var path4 = __toESM(require("path")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.9"; -var cliVersion = "2.23.9"; +var bundleVersion = "codeql-bundle-v2.24.0"; +var cliVersion = "2.24.0"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/init-action.js b/lib/init-action.js index 8dfb854c64..1cf78215a0 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -88149,8 +88149,8 @@ var path6 = __toESM(require("path")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.9"; -var cliVersion = "2.23.9"; +var bundleVersion = "codeql-bundle-v2.24.0"; +var cliVersion = "2.24.0"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 914aad87da..e3f31944ca 100644 --- a/lib/setup-codeql-action.js 
+++ b/lib/setup-codeql-action.js @@ -87072,8 +87072,8 @@ var path4 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.9"; -var cliVersion = "2.23.9"; +var bundleVersion = "codeql-bundle-v2.24.0"; +var cliVersion = "2.24.0"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 39350b8091..27045eb9b3 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -103963,8 +103963,8 @@ function getActionsLogger() { var core7 = __toESM(require_core()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.9"; -var cliVersion = "2.23.9"; +var bundleVersion = "codeql-bundle-v2.24.0"; +var cliVersion = "2.24.0"; // src/languages.ts var KnownLanguage = /* @__PURE__ */ ((KnownLanguage2) => { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index a59f2e93f4..d8bb3e5db2 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -90225,8 +90225,8 @@ var path4 = __toESM(require("path")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.9"; -var cliVersion = "2.23.9"; +var bundleVersion = "codeql-bundle-v2.24.0"; +var cliVersion = "2.24.0"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 1855fc99c4..4edc2ce813 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -89992,8 +89992,8 @@ var path4 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.9"; -var cliVersion = "2.23.9"; +var bundleVersion = "codeql-bundle-v2.24.0"; +var cliVersion = "2.24.0"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/src/defaults.json b/src/defaults.json index 8c5ef57bf1..916c098591 100644 --- a/src/defaults.json 
+++ b/src/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.23.9", - "cliVersion": "2.23.9", - "priorBundleVersion": "codeql-bundle-v2.23.8", - "priorCliVersion": "2.23.8" + "bundleVersion": "codeql-bundle-v2.24.0", + "cliVersion": "2.24.0", + "priorBundleVersion": "codeql-bundle-v2.23.9", + "priorCliVersion": "2.23.9" } From 975286947045be7e8b204a16b36b1b04b9feef86 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 26 Jan 2026 12:16:22 +0000 Subject: [PATCH 07/11] Add changelog note --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dd0029b637..f83b28424e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -No user facing changes. +- Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425) ## 4.31.11 - 23 Jan 2026 From b748848f27bc46a97bbb965c606bbc298e760a9a Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 26 Jan 2026 15:45:24 +0000 Subject: [PATCH 08/11] Bump the Action minor version number on new CodeQL minor version series --- .github/workflows/update-bundle.yml | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml index 951b89066d..fc693cb7bf 100644 --- a/.github/workflows/update-bundle.yml +++ b/.github/workflows/update-bundle.yml 
@@ -57,6 +57,20 @@ jobs:
       - name: Update bundle
         uses: ./.github/actions/update-bundle
 
+      - name: Bump action minor version for new CodeQL minor version series
+        id: bump-action-version
+        run: |
+          cli_version=$(jq -r '.cliVersion' src/defaults.json)
+          # Check if this is a new minor version series (patch version is 0)
+          if [[ "$cli_version" =~ ^[0-9]+\.[0-9]+\.0$ ]]; then
+            echo "New CodeQL minor version series detected ($cli_version), bumping action minor version"
+            npm version minor --no-git-tag-version
+            echo "bumped=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "Not a new minor version series ($cli_version), skipping action version bump"
+            echo "bumped=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Rebuild Action
         run: npm run build
 
@@ -71,11 +85,21 @@ jobs:
       - name: Open pull request
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ACTION_VERSION_BUMPED: ${{ steps.bump-action-version.outputs.bumped }}
         run: |
           cli_version=$(jq -r '.cliVersion' src/defaults.json)
+          action_version=$(jq -r '.version' package.json)
+
+          pr_body="This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version."
+          if [[ "$ACTION_VERSION_BUMPED" == "true" ]]; then
+            pr_body="$pr_body
+
+          Since this is a new CodeQL minor version series, this PR also bumps the Action version to $action_version."
+          fi
+
           pr_url=$(gh pr create \
             --title "Update default bundle to $cli_version" \
-            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
+            --body "$pr_body" \
             --assignee "$GITHUB_ACTOR" \
             --draft \
           )

From 80e142568fc335997bbf78abac097448213bd9ae Mon Sep 17 00:00:00 2001
From: Henry Mercer Date: Mon, 26 Jan 2026 15:46:05 +0000 Subject: [PATCH 09/11] Bump minor version for CLI v2.24.0 --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- package-lock.json | 4 ++-- package.json | 2 +- 14 files changed, 15 insertions(+), 15 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index d0e16267ca..de5021a781 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.12", + version: "4.32.0", private: true, description: "CodeQL action", scripts: { diff --git a/lib/analyze-action.js b/lib/analyze-action.js index c0e72696bd..c62dec3359 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.12", + version: "4.32.0", private: true, description: "CodeQL action", scripts: { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 60ce9439b0..efc4724a3d 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.12", + version: "4.32.0", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 6ed8113abf..edaf472afd 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.12", + version: "4.32.0", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action.js b/lib/init-action.js index 1cf78215a0..a87042d50a 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.12", + version: "4.32.0", private: true, description: "CodeQL action", scripts: { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 0f6546ca92..30e8b608c6 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.12", + version: "4.32.0", private: true, description: "CodeQL action", scripts: { diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index e3f31944ca..c0d786ba9d 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.12", + version: "4.32.0", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 6d42e77685..b4ee6be2e1 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.12", + version: "4.32.0", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 27045eb9b3..56d8bd8bea 100644 --- a/lib/start-proxy-action.js 
+++ b/lib/start-proxy-action.js @@ -45284,7 +45284,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.12", + version: "4.32.0", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index d8bb3e5db2..c41bf42246 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -27975,7 +27975,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.12", + version: "4.32.0", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index c7e1156f3e..6d2240326c 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.12", + version: "4.32.0", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 4edc2ce813..075f1593bf 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -26678,7 +26678,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.12", + version: "4.32.0", private: true, description: "CodeQL action", scripts: { diff --git a/package-lock.json b/package-lock.json index a4792f7fdf..34cce42f4f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "4.31.12", + "version": "4.32.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "4.31.12", + "version": "4.32.0", "license": "MIT", "dependencies": { "@actions/artifact": "^5.0.2", diff --git a/package.json b/package.json index b09ef89db9..c824dc2b6c 100644 --- a/package.json +++ b/package.json 
@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.31.12",
+  "version": "4.32.0",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

From 8a01181ce209b3e3f51c6add1b9e1e744bdf0064 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Mon, 26 Jan 2026 16:50:11 +0000
Subject: [PATCH 10/11] Compare minor version number

This deals with the case that we skip `x.y.0` and go straight to `x.y.1`.

---
 .github/workflows/update-bundle.yml | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml
index fc693cb7bf..04703c592e 100644
--- a/.github/workflows/update-bundle.yml
+++ b/.github/workflows/update-bundle.yml
@@ -57,17 +57,21 @@ jobs:
       - name: Update bundle
         uses: ./.github/actions/update-bundle
 
-      - name: Bump action minor version for new CodeQL minor version series
+      - name: Bump Action minor version if new CodeQL minor version series
         id: bump-action-version
         run: |
+          prior_cli_version=$(jq -r '.priorCliVersion' src/defaults.json)
           cli_version=$(jq -r '.cliVersion' src/defaults.json)
-          # Check if this is a new minor version series (patch version is 0)
-          if [[ "$cli_version" =~ ^[0-9]+\.[0-9]+\.0$ ]]; then
-            echo "New CodeQL minor version series detected ($cli_version), bumping action minor version"
+
+          prior_minor=$(echo "$prior_cli_version" | cut -d. -f2)
+          current_minor=$(echo "$cli_version" | cut -d. -f2)
+
+          if [[ "$current_minor" != "$prior_minor" ]]; then
+            echo "New CodeQL minor version series ($prior_cli_version -> $cli_version), bumping Action minor version"
             npm version minor --no-git-tag-version
             echo "bumped=true" >> "$GITHUB_OUTPUT"
           else
-            echo "Not a new minor version series ($cli_version), skipping action version bump"
+            echo "Same minor version series ($prior_cli_version -> $cli_version), skipping Action version bump"
             echo "bumped=false" >> "$GITHUB_OUTPUT"
           fi
 
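Review bot: `prior_minor` and `current_minor` are taken with `cut -d. -f2`, which discards the major component, so a move to a new major series that keeps the same minor number (a constructed example: `2.24.x` to `3.24.0`) compares equal and the Action bump is skipped, while the step's log still claims it checked the series. Compare the `major.minor` prefix instead: `prior_minor=$(echo "$prior_cli_version" | cut -d. -f1,2)` and `current_minor=$(echo "$cli_version" | cut -d. -f1,2)`, or the subshell-free `${prior_cli_version%.*}` / `${cli_version%.*}`; renaming the variables to `prior_series` / `current_series` would then match what they hold. The `Rebuild Action` step that consumes the bumped `package.json` lies outside this hunk.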
@@ -92,9 +96,7 @@ jobs:
 
           pr_body="This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version."
           if [[ "$ACTION_VERSION_BUMPED" == "true" ]]; then
-            pr_body="$pr_body
-
-          Since this is a new CodeQL minor version series, this PR also bumps the Action version to $action_version."
+            pr_body+=$'\n\n'"Since this is a new CodeQL minor version series, this PR also bumps the Action version to $action_version."
           fi
 
           pr_url=$(gh pr create \

From c9aa45dd0f8ba0b0433386779eb4798c2545156b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 26 Jan 2026 17:52:31 +0000
Subject: [PATCH 11/11] Update changelog for v4.32.0

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f83b28424e..958f841933 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## [UNRELEASED]
+## 4.32.0 - 26 Jan 2026
 
 - Update default CodeQL bundle version to [2.24.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#3425](https://github.com/github/codeql-action/pull/3425)