From dd8914320f183a2820ffe1a91b9fc453164493e6 Mon Sep 17 00:00:00 2001 From: Kasper Svendsen Date: Wed, 3 Dec 2025 09:15:15 +0100 Subject: [PATCH 01/13] CodeQL: Add resolveDatabase method --- lib/analyze-action-post.js | 17 +++++++++++++++++ lib/analyze-action.js | 17 +++++++++++++++++ lib/autobuild-action.js | 17 +++++++++++++++++ lib/init-action-post.js | 17 +++++++++++++++++ lib/init-action.js | 17 +++++++++++++++++ lib/resolve-environment-action.js | 17 +++++++++++++++++ lib/setup-codeql-action.js | 17 +++++++++++++++++ lib/upload-lib.js | 17 +++++++++++++++++ lib/upload-sarif-action.js | 17 +++++++++++++++++ src/codeql.ts | 26 ++++++++++++++++++++++++++ 10 files changed, 179 insertions(+) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index b4ee3c8d5b..4b90e5a46d 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -120735,6 +120735,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 1ba7f39e93..e05bbd8c8e 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -90887,6 +90887,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 10b30f64d5..20325380ce 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -84973,6 +84973,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index b6a4215af5..99780c4156 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -125350,6 +125350,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/init-action.js b/lib/init-action.js index 8f5b7f8871..939cab918e 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -89147,6 +89147,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 6e159d31a4..ffaf4d1621 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -84672,6 +84672,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 74b84a122f..4f9d6af4fc 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -85975,6 +85975,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 4f3f1fa46b..aacb1837df 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -88697,6 +88697,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index ba2c9118cf..5908e956ef 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -89215,6 +89215,23 @@ ${output}` ); } }, + async resolveDatabase(databasePath) { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]) + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + try { + return JSON.parse(output); + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}` + ); + } + }, async mergeResults(sarifFiles, outputFile, { mergeRunsFromEqualCategory = false }) { diff --git a/src/codeql.ts b/src/codeql.ts index 2b86d843f3..f597931931 100644 --- a/src/codeql.ts +++ b/src/codeql.ts @@ -206,6 +206,7 @@ export interface CodeQL { * Run 'codeql resolve queries --format=startingpacks'. */ resolveQueriesStartingPacks(queries: string[]): Promise; + resolveDatabase(databasePath: string): Promise; /** * Run 'codeql github merge-results'. */ @@ -230,6 +231,10 @@ export interface VersionInfo { overlayVersion?: number; } +export interface ResolveDatabaseOutput { + [key: string]: string | [string]; +} + export interface ResolveLanguagesOutput { [language: string]: [string]; } @@ -493,6 +498,7 @@ export function createStubCodeQL(partialCodeql: Partial): CodeQL { partialCodeql, "resolveQueriesStartingPacks", ), + resolveDatabase: resolveFunction(partialCodeql, "resolveDatabase"), mergeResults: resolveFunction(partialCodeql, "mergeResults"), }; } @@ -1003,6 +1009,26 @@ async function getCodeQLForCmd( ); } }, + async resolveDatabase( + databasePath: string, + ): Promise { + const codeqlArgs = [ + "resolve", + "database", + databasePath, + "--format=json", + ...getExtraOptionsFromEnv(["resolve", "database"]), + ]; + const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true }); + + try { + return JSON.parse(output) as ResolveDatabaseOutput; + } catch (e) { + throw new Error( + `Unexpected output from codeql resolve database --format=json: ${e}`, + ); + } + }, async mergeResults( sarifFiles: string[], outputFile: string, From c4efbda2999d6895931c401bf16d97750bd3650e Mon Sep 17 00:00:00 2001 From: Kasper Svendsen Date: Wed, 3 Dec 2025 09:16:45 +0100 Subject: [PATCH 02/13] Overlay: Check database metadata for overlayBaseSpecifier --- lib/analyze-action.js | 22 +++++++++++++-- lib/init-action.js | 22 +++++++++++++-- src/overlay-database-utils.test.ts | 44 ++++++++++++++++++++++++++++-- src/overlay-database-utils.ts | 35 +++++++++++++++++++++--- 4 files changed, 112 insertions(+), 11 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index e05bbd8c8e..c4d488ab8a 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -88512,7 +88512,7 @@ function computeChangedFiles(baseFileOids, overlayFileOids) { var CACHE_VERSION = 1; var CACHE_PREFIX = "codeql-overlay-base-database"; var MAX_CACHE_OPERATION_MS = 6e5; -function checkOverlayBaseDatabase(config, logger, warningPrefix) { +async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); if (!fs3.existsSync(baseDatabaseOidsFilePath)) { logger.warning( @@ -88520,6 +88520,23 @@ function checkOverlayBaseDatabase(config, logger, warningPrefix) { ); return false; } + for (const language of config.languages) { + const dbPath = getCodeQLDatabasePath(config, language); + try { + const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); + if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { + logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); + return false; + } else { + logger.info( + `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` + ); + } + } catch (e) { + logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); + return false; + } + } return true; } async function cleanupAndUploadOverlayBaseDatabaseToCache(codeql, config, logger) { @@ -88542,7 +88559,8 @@ async function cleanupAndUploadOverlayBaseDatabaseToCache(codeql, config, logger ); return false; } - const databaseIsValid = checkOverlayBaseDatabase( + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, config, logger, "Abort uploading overlay-base database to cache" diff --git a/lib/init-action.js b/lib/init-action.js index 939cab918e..0af2f67e84 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -85914,7 +85914,7 @@ function computeChangedFiles(baseFileOids, overlayFileOids) { var CACHE_VERSION = 1; var CACHE_PREFIX = "codeql-overlay-base-database"; var MAX_CACHE_OPERATION_MS = 6e5; -function checkOverlayBaseDatabase(config, logger, warningPrefix) { +async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); if (!fs3.existsSync(baseDatabaseOidsFilePath)) { logger.warning( @@ -85922,6 +85922,23 @@ function checkOverlayBaseDatabase(config, logger, warningPrefix) { ); return false; } + for (const language of config.languages) { + const dbPath = getCodeQLDatabasePath(config, language); + try { + const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); + if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { + logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); + return false; + } else { + logger.info( + `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` + ); + } + } catch (e) { + logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); + return false; + } + } return true; } async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) { @@ -86009,7 +86026,8 @@ async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) { ); return void 0; } - const databaseIsValid = checkOverlayBaseDatabase( + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, config, logger, "Downloaded overlay-base database is invalid" diff --git a/src/overlay-database-utils.test.ts b/src/overlay-database-utils.test.ts index cee0d45f13..db47d4d879 100644 --- a/src/overlay-database-utils.test.ts +++ b/src/overlay-database-utils.test.ts @@ -7,7 +7,9 @@ import * as sinon from "sinon"; import * as actionsUtil from "./actions-util"; import * as apiClient from "./api-client"; +import { ResolveDatabaseOutput } from "./codeql"; import * as gitUtils from "./git-utils"; +import { KnownLanguage } from "./languages"; import { getRunnerLogger } from "./logging"; import { downloadOverlayBaseDatabaseFromCache, @@ -95,6 +97,7 @@ interface DownloadOverlayBaseDatabaseTestCase { hasBaseDatabaseOidsFile: boolean; tryGetFolderBytesSucceeds: boolean; codeQLVersion: string; + resolveDatabaseOutput: ResolveDatabaseOutput | Error; } const defaultDownloadTestCase: DownloadOverlayBaseDatabaseTestCase = { @@ -105,6 +108,7 @@ const defaultDownloadTestCase: DownloadOverlayBaseDatabaseTestCase = { hasBaseDatabaseOidsFile: true, tryGetFolderBytesSucceeds: true, codeQLVersion: "2.20.5", + resolveDatabaseOutput: { overlayBaseSpecifier: "20250626:XXX" }, }; const testDownloadOverlayBaseDatabaseFromCache = test.macro({ @@ -119,9 +123,11 @@ const testDownloadOverlayBaseDatabaseFromCache = test.macro({ await fs.promises.mkdir(dbLocation, { recursive: true }); const logger = getRunnerLogger(true); - const config = createTestConfig({ dbLocation }); - const testCase = { ...defaultDownloadTestCase, ...partialTestCase }; + const config = createTestConfig({ + dbLocation, + languages: [KnownLanguage.java], + }); config.overlayDatabaseMode = testCase.overlayDatabaseMode; config.useOverlayDatabaseCaching = testCase.useOverlayDatabaseCaching; @@ -163,9 +169,23 @@ const testDownloadOverlayBaseDatabaseFromCache = test.macro({ .resolves(testCase.tryGetFolderBytesSucceeds ? 1024 * 1024 : undefined); stubs.push(tryGetFolderBytesStub); + const codeql = mockCodeQLVersion(testCase.codeQLVersion); + + if (testCase.resolveDatabaseOutput instanceof Error) { + const resolveDatabaseStub = sinon + .stub(codeql, "resolveDatabase") + .rejects(testCase.resolveDatabaseOutput); + stubs.push(resolveDatabaseStub); + } else { + const resolveDatabaseStub = sinon + .stub(codeql, "resolveDatabase") + .resolves(testCase.resolveDatabaseOutput); + stubs.push(resolveDatabaseStub); + } + try { const result = await downloadOverlayBaseDatabaseFromCache( - mockCodeQLVersion(testCase.codeQLVersion), + codeql, config, logger, ); @@ -255,6 +275,24 @@ test( false, ); +test( + testDownloadOverlayBaseDatabaseFromCache, + "returns undefined when downloaded database doesn't have an overlayBaseSpecifier", + { + resolveDatabaseOutput: {}, + }, + false, +); + +test( + testDownloadOverlayBaseDatabaseFromCache, + "returns undefined when resolving database metadata fails", + { + resolveDatabaseOutput: new Error("Failed to resolve database metadata"), + }, + false, +); + test( testDownloadOverlayBaseDatabaseFromCache, "returns undefined when filesystem error occurs", diff --git a/src/overlay-database-utils.ts b/src/overlay-database-utils.ts index a340bfe2b0..7db248bd1d 100644 --- a/src/overlay-database-utils.ts +++ b/src/overlay-database-utils.ts @@ -17,6 +17,7 @@ import { getCommitOid, getFileOidsUnderPath } from "./git-utils"; import { Logger, withGroupAsync } from "./logging"; import { CleanupLevel, + getCodeQLDatabasePath, getErrorMessage, isInTestMode, tryGetFolderBytes, @@ -176,11 +177,12 @@ const MAX_CACHE_OPERATION_MS = 600_000; * @param warningPrefix Prefix for the check failure warning message * @returns True if the verification succeeded, false otherwise */ -function checkOverlayBaseDatabase( +async function checkOverlayBaseDatabase( + codeql: CodeQL, config: Config, logger: Logger, warningPrefix: string, -): boolean { +): Promise { // An overlay-base database should contain the base database OIDs file. const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); if (!fs.existsSync(baseDatabaseOidsFilePath)) { @@ -189,6 +191,29 @@ function checkOverlayBaseDatabase( ); return false; } + + for (const language of config.languages) { + const dbPath = getCodeQLDatabasePath(config, language); + try { + const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); + if ( + resolveDatabaseOutput === undefined || + !("overlayBaseSpecifier" in resolveDatabaseOutput) + ) { + logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); + return false; + } else { + logger.info( + `Overlay base specifier for ${language} overlay-base database found: ` + + `${resolveDatabaseOutput.overlayBaseSpecifier}`, + ); + } + } catch (e) { + logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); + return false; + } + } + return true; } @@ -232,7 +257,8 @@ export async function cleanupAndUploadOverlayBaseDatabaseToCache( return false; } - const databaseIsValid = checkOverlayBaseDatabase( + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, config, logger, "Abort uploading overlay-base database to cache", @@ -415,7 +441,8 @@ export async function downloadOverlayBaseDatabaseFromCache( return undefined; } - const databaseIsValid = checkOverlayBaseDatabase( + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, config, logger, "Downloaded overlay-base database is invalid", From b93926dc35101e6ea6a689056a46b740c274ea87 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 5 Dec 2025 17:19:09 +0000 Subject: [PATCH 03/13] Update changelog and version after v4.31.7 --- CHANGELOG.md | 4 ++++ package-lock.json | 4 ++-- package.json | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd5fb920f6..253485dd4f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. +## [UNRELEASED] + +No user facing changes. + ## 4.31.7 - 05 Dec 2025 - Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343) diff --git a/package-lock.json b/package-lock.json index 8cc15a5f5c..3d3718239d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "4.31.7", + "version": "4.31.8", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "4.31.7", + "version": "4.31.8", "license": "MIT", "dependencies": { "@actions/artifact": "^4.0.0", diff --git a/package.json b/package.json index 32ea9facb1..6d892ecbb2 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "4.31.7", + "version": "4.31.8", "private": true, "description": "CodeQL action", "scripts": { From 97c2630b10bd11032a1791444ba86763b11a21e1 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 5 Dec 2025 17:21:46 +0000 Subject: [PATCH 04/13] Rebuild --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 88d0665c53..e333304f12 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 95d689b058..29ce929c4c 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 58ebe893fe..b1c5ece965 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 1dc7861144..1855833c5d 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action.js b/lib/init-action.js index 94cb71839a..8898c1eb8d 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 95681d88aa..095d85e390 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 757a371df9..437b605f60 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index ac38fef38e..7f461a22c9 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 7d282a3d29..16f308b6a7 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -47321,7 +47321,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 421bf23ebc..b35c4d665f 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -28924,7 +28924,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index ab66301a4b..8c466d1a3a 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index d0f6b08e23..3a822f9a96 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.7", + version: "4.31.8", private: true, description: "CodeQL action", scripts: { From 5b7e7fcc9c5a25e1129581e9733c0f6fb5078a71 Mon Sep 17 00:00:00 2001 From: Kasper Svendsen Date: Tue, 9 Dec 2025 09:41:33 +0100 Subject: [PATCH 05/13] Update src/codeql.ts Co-authored-by: Henry Mercer --- src/codeql.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/codeql.ts b/src/codeql.ts index f597931931..33dd0db981 100644 --- a/src/codeql.ts +++ b/src/codeql.ts @@ -232,7 +232,7 @@ export interface VersionInfo { } export interface ResolveDatabaseOutput { - [key: string]: string | [string]; + overlayBaseSpecifier?: string; } export interface ResolveLanguagesOutput { From 002a7f25fdbaa5bc68ab7b87a336015eebea0b1f Mon Sep 17 00:00:00 2001 From: Kasper Svendsen Date: Tue, 9 Dec 2025 09:44:56 +0100 Subject: [PATCH 06/13] Overlay: log overlayBaseSpecifier at debug log-level --- lib/analyze-action.js | 2 +- lib/init-action.js | 2 +- src/overlay-database-utils.ts | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index c4d488ab8a..0707879283 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -88528,7 +88528,7 @@ async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); return false; } else { - logger.info( + logger.debug( `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` ); } diff --git a/lib/init-action.js b/lib/init-action.js index 0af2f67e84..e74d27c82a 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -85930,7 +85930,7 @@ async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); return false; } else { - logger.info( + logger.debug( `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` ); } diff --git a/src/overlay-database-utils.ts b/src/overlay-database-utils.ts index 7db248bd1d..921fd0b8eb 100644 --- a/src/overlay-database-utils.ts +++ b/src/overlay-database-utils.ts @@ -203,7 +203,7 @@ async function checkOverlayBaseDatabase( logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); return false; } else { - logger.info( + logger.debug( `Overlay base specifier for ${language} overlay-base database found: ` + `${resolveDatabaseOutput.overlayBaseSpecifier}`, ); From 2930dba17ac868bf1d3114f09837dbfb9619aa05 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 11 Dec 2025 15:46:14 +0000 Subject: [PATCH 07/13] Update default bundle to codeql-bundle-v2.23.8 --- lib/analyze-action.js | 4 ++-- lib/autobuild-action.js | 4 ++-- lib/defaults.json | 8 ++++---- lib/init-action-post.js | 4 ++-- lib/init-action.js | 4 ++-- lib/setup-codeql-action.js | 4 ++-- lib/start-proxy-action.js | 4 ++-- lib/upload-lib.js | 4 ++-- lib/upload-sarif-action.js | 4 ++-- src/defaults.json | 8 ++++---- 10 files changed, 24 insertions(+), 24 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 48520792c9..7ba381fc20 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -88211,8 +88211,8 @@ var path4 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index c7b2d59091..36f094bde6 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -83701,8 +83701,8 @@ var path3 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs2 = __toESM(require("fs")); diff --git a/lib/defaults.json b/lib/defaults.json index 04929fab3e..6f3dc42bf8 100644 --- a/lib/defaults.json +++ b/lib/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.23.7", - "cliVersion": "2.23.7", - "priorBundleVersion": "codeql-bundle-v2.23.6", - "priorCliVersion": "2.23.6" + "bundleVersion": "codeql-bundle-v2.23.8", + "cliVersion": "2.23.8", + "priorBundleVersion": "codeql-bundle-v2.23.7", + "priorCliVersion": "2.23.7" } diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 6699c08cab..04c9c69fef 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -123084,8 +123084,8 @@ var path4 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/init-action.js b/lib/init-action.js index 77524b00ab..d1beb6611d 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -85635,8 +85635,8 @@ var path5 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 4b4c28abca..49ab3bf481 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -83589,8 +83589,8 @@ var path4 = __toESM(require("path")); var semver3 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 16f308b6a7..e70a7412bc 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -99720,8 +99720,8 @@ function getActionsLogger() { var core7 = __toESM(require_core()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/languages.ts var KnownLanguage = /* @__PURE__ */ ((KnownLanguage2) => { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 3ee72bb5cf..245288bc2f 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -86724,8 +86724,8 @@ var path4 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 2efce87979..fd314e6acc 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -86505,8 +86505,8 @@ var path4 = __toESM(require("path")); var semver3 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.7"; -var cliVersion = "2.23.7"; +var bundleVersion = "codeql-bundle-v2.23.8"; +var cliVersion = "2.23.8"; // src/overlay-database-utils.ts var fs3 = __toESM(require("fs")); diff --git a/src/defaults.json b/src/defaults.json index 04929fab3e..6f3dc42bf8 100644 --- a/src/defaults.json +++ b/src/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.23.7", - "cliVersion": "2.23.7", - "priorBundleVersion": "codeql-bundle-v2.23.6", - "priorCliVersion": "2.23.6" + "bundleVersion": "codeql-bundle-v2.23.8", + "cliVersion": "2.23.8", + "priorBundleVersion": "codeql-bundle-v2.23.7", + "priorCliVersion": "2.23.7" } From db812c1ae639aa466b2b1f4a921f823c54371173 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 11 Dec 2025 15:46:24 +0000 Subject: [PATCH 08/13] Add changelog note --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 253485dd4f..0589f45cd6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -No user facing changes. +- Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354) ## 4.31.7 - 05 Dec 2025 From 120f277b1613fcef1261eb850ba9b01ca444bbef Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 11 Dec 2025 17:23:34 +0000 Subject: [PATCH 09/13] Update changelog for v4.31.8 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0589f45cd6..f91b413d6d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## [UNRELEASED] +## 4.31.8 - 11 Dec 2025 - Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354) From 827017f97be1b865f90ba42239a3a5a257228b31 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 12 Dec 2025 08:46:31 +0000 Subject: [PATCH 10/13] Revert "Update version and changelog for v3.31.7" This reverts commit 793f7006bb3c6eeffc198e247d501ec4e76593bb. --- CHANGELOG.md | 31 +++++++++++++++++++------------ package.json | 2 +- 2 files changed, 20 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c42359f6ad..bd5fb920f6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,52 +2,52 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## 3.31.7 - 05 Dec 2025 +## 4.31.7 - 05 Dec 2025 - Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343) -## 3.31.6 - 01 Dec 2025 +## 4.31.6 - 01 Dec 2025 No user facing changes. -## 3.31.5 - 24 Nov 2025 +## 4.31.5 - 24 Nov 2025 - Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321) -## 3.31.4 - 18 Nov 2025 +## 4.31.4 - 18 Nov 2025 No user facing changes. -## 3.31.3 - 13 Nov 2025 +## 4.31.3 - 13 Nov 2025 - CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/). - Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288) -## 3.31.2 - 30 Oct 2025 +## 4.31.2 - 30 Oct 2025 No user facing changes. -## 3.31.1 - 30 Oct 2025 +## 4.31.1 - 30 Oct 2025 - The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced. -## 3.31.0 - 24 Oct 2025 +## 4.31.0 - 24 Oct 2025 - Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223) - When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222) -## 3.30.9 - 17 Oct 2025 +## 4.30.9 - 17 Oct 2025 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205) - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204) -## 3.30.8 - 10 Oct 2025 +## 4.30.8 - 10 Oct 2025 No user facing changes. -## 3.30.7 - 06 Oct 2025 +## 4.30.7 - 06 Oct 2025 -No user facing changes. +- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169) ## 3.30.6 - 02 Oct 2025 @@ -283,13 +283,17 @@ No user facing changes. ## 3.26.12 - 07 Oct 2024 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520) + - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version. + - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action. ## 3.26.11 - 03 Oct 2024 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts. + Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then. + This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES. - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519) @@ -412,9 +416,12 @@ No user facing changes. ## 3.25.0 - 15 Apr 2024 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224) + As a result, the following inputs and environment variables are now ignored: + - The `setup-python-dependencies` input to the `init` Action - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable + We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0. - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229) - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232) diff --git a/package.json b/package.json index b523622324..32ea9facb1 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "3.31.7", + "version": "4.31.7", "private": true, "description": "CodeQL action", "scripts": { From 2d9c0b97afc12b9e39058e3926f2d2a8c0dbdba1 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 12 Dec 2025 08:46:32 +0000 Subject: [PATCH 11/13] Revert "Rebuild" This reverts commit 817dbfb39b59fdd720cf48a800d33a21ed4ed3a2. --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 54ee7cf670..88d0665c53 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 376e49aae4..95d689b058 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 7ae64e64c2..58ebe893fe 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 4e850acb3d..1dc7861144 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action.js b/lib/init-action.js index 04809ab6dd..94cb71839a 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index ce4216b8c2..95681d88aa 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index bbd253732a..757a371df9 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 2f08800528..ac38fef38e 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index cc727363e9..7d282a3d29 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -47321,7 +47321,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 8f403a7b1e..421bf23ebc 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -28924,7 +28924,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 7788767628..ab66301a4b 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index aefec4ba5d..d0f6b08e23 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.31.7", + version: "4.31.7", private: true, description: "CodeQL action", scripts: { From 5676d1f64a56d2c4aba43ef28f5b89fbacb47f96 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 12 Dec 2025 08:46:33 +0000 Subject: [PATCH 12/13] Update version and changelog for v3.31.8 --- CHANGELOG.md | 33 +++++++++++++-------------------- package.json | 2 +- 2 files changed, 14 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f91b413d6d..223e81f020 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,56 +2,56 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## 4.31.8 - 11 Dec 2025 +## 3.31.8 - 11 Dec 2025 - Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354) -## 4.31.7 - 05 Dec 2025 +## 3.31.7 - 05 Dec 2025 - Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343) -## 4.31.6 - 01 Dec 2025 +## 3.31.6 - 01 Dec 2025 No user facing changes. -## 4.31.5 - 24 Nov 2025 +## 3.31.5 - 24 Nov 2025 - Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321) -## 4.31.4 - 18 Nov 2025 +## 3.31.4 - 18 Nov 2025 No user facing changes. -## 4.31.3 - 13 Nov 2025 +## 3.31.3 - 13 Nov 2025 - CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/). - Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288) -## 4.31.2 - 30 Oct 2025 +## 3.31.2 - 30 Oct 2025 No user facing changes. -## 4.31.1 - 30 Oct 2025 +## 3.31.1 - 30 Oct 2025 - The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced. -## 4.31.0 - 24 Oct 2025 +## 3.31.0 - 24 Oct 2025 - Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223) - When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222) -## 4.30.9 - 17 Oct 2025 +## 3.30.9 - 17 Oct 2025 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205) - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204) -## 4.30.8 - 10 Oct 2025 +## 3.30.8 - 10 Oct 2025 No user facing changes. -## 4.30.7 - 06 Oct 2025 +## 3.30.7 - 06 Oct 2025 -- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169) +No user facing changes. ## 3.30.6 - 02 Oct 2025 @@ -287,17 +287,13 @@ No user facing changes. ## 3.26.12 - 07 Oct 2024 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520) - - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version. - - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action. ## 3.26.11 - 03 Oct 2024 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts. - Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then. - This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES. - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519) @@ -420,12 +416,9 @@ No user facing changes. ## 3.25.0 - 15 Apr 2024 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224) - As a result, the following inputs and environment variables are now ignored: - - The `setup-python-dependencies` input to the `init` Action - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable - We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0. - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229) - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232) diff --git a/package.json b/package.json index 6d892ecbb2..cde9ef43c9 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "4.31.8", + "version": "3.31.8", "private": true, "description": "CodeQL action", "scripts": { From 74951318a2c267206a15275c44c77d5ba2e15e8b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 12 Dec 2025 08:53:47 +0000 Subject: [PATCH 13/13] Rebuild --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index ffcc4512d8..9aa87ae0a4 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 7ba381fc20..6e41faafe0 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 36f094bde6..1474f4c85a 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 04c9c69fef..97f0a97ab0 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action.js b/lib/init-action.js index d1beb6611d..1c5229c308 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 8f176bce16..0a0d253a47 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 49ab3bf481..21cc1ead56 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 7f461a22c9..bd64d3a25d 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index e70a7412bc..57d0688676 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -47321,7 +47321,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 245288bc2f..2e14fc3de6 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -28924,7 +28924,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 8c466d1a3a..7aa28c4b82 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index fd314e6acc..2586577118 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -27627,7 +27627,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.31.8", + version: "3.31.8", private: true, description: "CodeQL action", scripts: {