Merge main into releases/v4 #3905

mbg merged 77 commits into releases/v4 from update-v4.35.5-d4b485515 on May 15, 2026

@ghost ghost commented May 15, 2026

Merging d4b4855 into releases/v4.

Conductor for this PR is @mbg.

Contains the following pull requests:

Please do the following:

  • Ensure the CHANGELOG displays the correct version and date.
  • Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.
  • Check that there are not any unexpected commits being merged into the releases/v4 branch.
  • Ensure the docs team is aware of any documentation changes that need to be released.
  • Mark the PR as ready for review to trigger the full set of PR checks.
  • Approve and merge this PR. Make sure Create a merge commit is selected rather than Squash and merge or Rebase and merge.
  • Merge the mergeback PR that will automatically be created once this PR is merged.
  • Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.

sam-robson and others added 30 commits April 23, 2026 12:10
Bumps the npm-minor group with 4 updates in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [eslint](https://github.com/eslint/eslint), [typescript](https://github.com/microsoft/TypeScript) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint).


Updates `@types/node` from 20.19.9 to 20.19.39
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint` from 9.39.2 to 9.39.4
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v9.39.2...v9.39.4)

Updates `typescript` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v6.0.2...v6.0.3)

Updates `typescript-eslint` from 8.58.2 to 8.59.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.1/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 20.19.39
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor
- dependency-name: eslint
  dependency-version: 9.39.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor
- dependency-name: typescript
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor
- dependency-name: typescript-eslint
  dependency-version: 8.59.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Do not run `bundle-metadata.ts` as part of `npm run build`
Tests: Run slow `scanArtifactsForTokens` test in CI only by default
Co-authored-by: Michael B. Gale <mbg@github.com>
sam-robson and others added 18 commits May 14, 2026 13:39
…llback

* origin/main: (40 commits)
  Bump the npm-minor group across 1 directory with 3 updates
  Bump actions/create-github-app-token
  Nit: Tweak JSDoc for `getRawLanguagesNoAutodetect`
  Enable only `code-scanning`
  Use overlay-aware version for code scanning exclusively
  Add changelog entry
  Rebuild
  Bump five transitive dependencies
  Throw error if multiple analysis kinds are specified
  Bump fast-xml-builder from 1.1.5 to 1.2.0
  Improve tests
  Improve error message
  Remove dead code
  Remove `makeOverlayMatchFeatures` indirection
  Add JSDoc for `getRawLanguagesNoAutodetect`
  Enable overlay-aware version selection in `setup-codeql`
  Minor: Introduce constant to avoid duplication
  Improve changelog note
  Rebuild
  Update changelog and version after v4.35.4
  ...

# Conflicts:
#	lib/init-action.js
#	src/diff-informed-analysis-utils.test.ts
Fall back to non-overlay analysis when diff-informed analysis is unavailable
Reduce duplication across JS bundles by creating one bundle with smaller entry point wrappers
@mbg mbg marked this pull request as ready for review May 15, 2026 10:59
Copilot AI review requested due to automatic review settings May 15, 2026 10:59
@mbg mbg requested a review from a team as a code owner May 15, 2026 10:59
Copilot AI left a comment

Pull request overview

This release PR merges recent main changes into releases/v4, preparing version 4.35.5. The changelog and package version are consistent with the release date of 15 May 2026.

Changes:

  • Adds 4.35.5 changelog entries for bundle-size reduction, incremental analysis fallback behavior, internal analysis-kinds handling, and overlay-aware CLI selection.
  • Bumps package version to 4.35.5 and updates build/dependency metadata.
  • Includes generated bundle entry-point restructuring and related source/test updates from already-reviewed PRs.
Show a summary per file

| File | Description |
| --- | --- |
| CHANGELOG.md | Adds the 4.35.5 release notes and date. |
| package.json | Bumps package version and updates build/dependency declarations. |
| package-lock.json | Reflects version and dependency updates. |
| build.mjs | Updates bundling to use shared entry points and generated stubs. |
| src/action-entry.js.tpl | Adds template for generated action entry stubs. |
| src/entry-wrapper.js.tpl | Adds template for shared entry-point wrappers. |
| autobuild/action.yml | Points action metadata at new entry stub. |
| analyze/action.yml | Points action metadata at new entry stubs. |
| init/action.yml | Points action metadata at new entry stubs. |
| resolve-environment/action.yml | Points action metadata at new entry stub. |
| setup-codeql/action.yml | Adds setup inputs and points at new entry stub. |
| start-proxy/action.yml | Points action metadata at new entry stubs. |
| upload-sarif/action.yml | Points action metadata at new entry stubs. |
| .github/workflows/codescanning-config-cli.yml | Adjusts code scanning config test workflow expectations. |
| .github/workflows/post-release-mergeback.yml | Updates GitHub App token action version. |
| .github/workflows/rollback-release.yml | Updates GitHub App token action version. |
| .github/workflows/update-release-branch.yml | Updates GitHub App token action version. |
| pr-checks/package.json | Updates pr-check dependency versions. |
| src/analyses.ts | Restricts multiple analysis kinds outside test mode. |
| src/analyses.test.ts | Updates analysis-kind tests. |
| src/analyze-action.ts | Exports runWrapper for new entry-point structure. |
| src/analyze-action-env.test.ts | Calls exported analyze wrapper in tests. |
| src/analyze-action-input.test.ts | Calls exported analyze wrapper in tests. |
| src/analyze-action-post.ts | Exports post-action wrapper. |
| src/artifact-scanner.ts | Adds Windows guard for archive scanning. |
| src/artifact-scanner.test.ts | Skips unsupported archive test on Windows. |
| src/autobuild-action.ts | Exports action wrapper. |
| src/codeql.ts | Passes overlay-aware CLI selection inputs through setup. |
| src/codeql.test.ts | Updates tests for default CLI version shape. |
| src/config-utils.ts | Moves diff-informed preparation into config initialization. |
| src/config-utils.test.ts | Adds incremental analysis fallback tests. |
| src/debug-artifacts.ts | Removes unnecessary type assertion. |
| src/diff-informed-analysis-utils.ts | Adds diff range preparation helper. |
| src/diff-informed-analysis-utils.test.ts | Updates and adds diff-informed analysis tests. |
| src/feature-flags.ts | Adds feature flags and multi-version default CLI handling. |
| src/feature-flags.test.ts | Updates feature flag tests for enabled CLI versions. |
| src/init.ts | Passes CLI selection inputs into CodeQL setup. |
| src/init-action.ts | Uses new analysis-kind and diff-informed setup flow. |
| src/init-action-post.ts | Exports post-action wrapper. |
| src/init-action-post-helper.test.ts | Removes unnecessary type assertion. |
| src/overlay/caching.ts | Deduplicates resolved overlay cache languages. |
| src/overlay/caching.test.ts | Adds overlay cache language deduplication test. |
| src/overlay/diagnostics.ts | Adds overlay fallback disabled reason. |
| src/resolve-environment-action.ts | Exports action wrapper. |
| src/setup-codeql.ts | Adds overlay-aware default CLI version resolution. |
| src/setup-codeql.test.ts | Adds overlay-aware CLI selection tests. |
| src/setup-codeql-action.ts | Passes language and analysis-kind inputs to setup. |
| src/start-proxy.ts | Uses enabled default CLI version list. |
| src/start-proxy.test.ts | Updates proxy CLI version feature stub. |
| src/start-proxy-action.ts | Exports action wrapper. |
| src/start-proxy-action-post.ts | Exports post-action wrapper. |
| src/testing-utils.ts | Updates test helpers for default CLI version shape. |
| src/upload-lib.ts | Uses enabled default CLI versions for upload SARIF CLI setup. |
| src/upload-sarif-action.ts | Exports action wrapper. |
| src/upload-sarif-action-post.ts | Exports post-action wrapper. |
| src/upload-sarif.test.ts | Removes unnecessary type assertion. |
| src/workflow.test.ts | Removes unnecessary type assertion. |
| lib/*.js | Generated JavaScript outputs for the TypeScript/source changes. |

Copilot's findings

  • Files reviewed: 56/81 changed files
  • Comments generated: 0

@mbg mbg merged commit 9e0d7b8 into releases/v4 May 15, 2026
271 of 446 checks passed
@mbg mbg deleted the update-v4.35.5-d4b485515 branch May 15, 2026 11:22
@github-actions github-actions Bot mentioned this pull request May 15, 2026
18 tasks
Labels

size/XXL May be extremely hard to review

5 participants