From 7434149006143a4d75b82a2f411ef15b03ccc2d7 Mon Sep 17 00:00:00 2001 From: Mario Campos Date: Fri, 26 Sep 2025 19:36:42 +0000 Subject: [PATCH 01/18] Upgrade Node.js version to 24. This requires creating a new major-version (v4) of codeql-action. --- .github/actions/check-sarif/action.yml | 2 +- .github/workflows/pr-checks.yml | 2 +- CONTRIBUTING.md | 2 +- README.md | 3 +- analyze/action.yml | 2 +- autobuild/action.yml | 2 +- build.mjs | 2 +- init/action.yml | 2 +- package-lock.json | 24 +++++------ package.json | 4 +- resolve-environment/action.yml | 2 +- src/autobuild.ts | 6 +-- src/init-action-post-helper.test.ts | 24 +++++------ src/workflow.test.ts | 58 +++++++++++++------------- start-proxy/action.yml | 2 +- upload-sarif/action.yml | 2 +- 16 files changed, 69 insertions(+), 70 deletions(-) diff --git a/.github/actions/check-sarif/action.yml b/.github/actions/check-sarif/action.yml index 89ff9d703e..bfa1c3b9d1 100644 --- a/.github/actions/check-sarif/action.yml +++ b/.github/actions/check-sarif/action.yml @@ -16,5 +16,5 @@ inputs: Comma separated list of query ids that should NOT be included in this SARIF file. runs: - using: node20 + using: node24 main: index.js diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 2fd737de86..67974422e8 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -72,7 +72,7 @@ jobs: run: npm run lint-ci - name: Upload sarif - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 if: matrix.os == 'ubuntu-latest' with: sarif_file: eslint.sarif diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 493ae847cf..13614cb011 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -13,7 +13,7 @@ Please note that this project is released with a [Contributor Code of Conduct][c ## Development and Testing -Before you start, ensure that you have a recent version of node (16 or higher) installed, along with a recent version of npm (9.2 or higher). You can see which version of node is used by the action in `init/action.yml`. +Before you start, ensure that you have a recent version of node (24 or higher) installed, along with a recent version of npm (9.2 or higher). You can see which version of node is used by the action in `init/action.yml`. ### Common tasks diff --git a/README.md b/README.md index c5b8eab811..c6ab9ff1a9 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,8 @@ For compiled languages: The following versions of the CodeQL Action are currently supported: -- v3 (latest) +- v3 +- v4 (latest) ## Supported versions of the CodeQL Bundle on GitHub Enterprise Server diff --git a/analyze/action.yml b/analyze/action.yml index b7880be179..7fc118b156 100644 --- a/analyze/action.yml +++ b/analyze/action.yml @@ -92,6 +92,6 @@ outputs: sarif-id: description: The ID of the uploaded SARIF file. runs: - using: node20 + using: node24 main: "../lib/analyze-action.js" post: "../lib/analyze-action-post.js" diff --git a/autobuild/action.yml b/autobuild/action.yml index 80d8c1c31e..c820fb5aff 100644 --- a/autobuild/action.yml +++ b/autobuild/action.yml @@ -15,5 +15,5 @@ inputs: $GITHUB_WORKSPACE as its working directory. required: false runs: - using: node20 + using: node24 main: '../lib/autobuild-action.js' diff --git a/build.mjs b/build.mjs index 05f7e05021..2e014e81d2 100644 --- a/build.mjs +++ b/build.mjs @@ -68,7 +68,7 @@ const context = await esbuild.context({ outdir: OUT_DIR, platform: "node", plugins: [cleanPlugin, copyDefaultsPlugin, onEndPlugin], - target: ["node20"], + target: ["node24"], }); await context.rebuild(); diff --git a/init/action.yml b/init/action.yml index ba5d6efcc1..57d5a99402 100644 --- a/init/action.yml +++ b/init/action.yml 
@@ -165,6 +165,6 @@ outputs: codeql-version: description: The version of the CodeQL binary used for analysis runs: - using: node20 + using: node24 main: '../lib/init-action.js' post: '../lib/init-action-post.js' diff --git a/package-lock.json b/package-lock.json index 46ec821b83..c13f510c1b 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "3.30.6", + "version": "4.30.6", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "3.30.6", + "version": "4.30.6", "license": "MIT", "dependencies": { "@actions/artifact": "^2.3.1", @@ -47,7 +47,7 @@ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "20.19.9", + "@types/node": "^24.5.2", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -2660,13 +2660,13 @@ "license": "MIT" }, "node_modules/@types/node": { - "version": "20.19.9", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.9.tgz", - "integrity": "sha512-cuVNgarYWZqxRJDQHEB58GEONhOK79QVR/qYx4S7kcUObQvUwvFnYxJuuHUKm2aieN9X3yZB4LZsuYNU1Qphsw==", + "version": "24.6.0", + "resolved": "https://registry.npmjs.org/@types/node/-/node-24.6.0.tgz", + "integrity": "sha512-F1CBxgqwOMc4GKJ7eY22hWhBVQuMYTtqI8L0FcszYcpYX0fzfDGpez22Xau8Mgm7O9fI+zA/TYIdq3tGWfweBA==", "dev": true, "license": "MIT", "dependencies": { - "undici-types": "~6.21.0" + "undici-types": "~7.13.0" } }, "node_modules/@types/node-forge": { @@ -4200,9 +4200,7 @@ "license": "MIT" }, "node_modules/brace-expansion": { - "version": "1.1.12", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", - "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", + "version": "1.1.11", "license": "MIT", "dependencies": { "balanced-match": "^1.0.0", 
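Review bot: The `node_modules/brace-expansion` entry in package-lock.json goes from `1.1.12` back to `1.1.11` and loses its `resolved` and `integrity` fields, which is unrelated to the Node.js 24 upgrade and looks like an accidental side effect of regenerating the lockfile. Without `integrity`, the lockfile no longer pins a hash for that package to be verified against at install time. The rebuilt bundles in the following commit (the `require_brace_expansion` hunks in lib/*.js) show the downgrade reaching shipped code: `m.post.match(/,(?!,).*\}/)` becomes `m.post.match(/,.*\}/)`, dropping a lookahead that appears to have been added to limit regex backtracking. I would restore the previous entry, `"version": "1.1.12"` with its original `resolved` and `integrity` lines, and rebuild `lib/` so the bundled regex keeps the `(?!,)` guard.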
@@ -9197,9 +9195,9 @@ } }, "node_modules/undici-types": { - "version": "6.21.0", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz", - "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==", + "version": "7.13.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.13.0.tgz", + "integrity": "sha512-Ov2Rr9Sx+fRgagJ5AX0qvItZG/JKKoBRAVITs1zk7IqZGTJUwgUr7qoYBpWwakpWilTZFM98rG/AFRocu10iIQ==", "dev": true, "license": "MIT" }, diff --git a/package.json b/package.json index 31389bb802..60a1f009c6 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "3.30.6", + "version": "4.30.6", "private": true, "description": "CodeQL action", "scripts": { @@ -62,7 +62,7 @@ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "20.19.9", + "@types/node": "^24.5.2", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", diff --git a/resolve-environment/action.yml b/resolve-environment/action.yml index 188e5fd174..0734fcfa44 100644 --- a/resolve-environment/action.yml +++ b/resolve-environment/action.yml @@ -21,5 +21,5 @@ outputs: environment: description: The inferred build environment configuration. runs: - using: node20 + using: node24 main: '../lib/resolve-environment-action.js' diff --git a/src/autobuild.ts b/src/autobuild.ts index 1812e35017..ce3d45cc4e 100644 --- a/src/autobuild.ts +++ b/src/autobuild.ts 
@@ -52,11 +52,11 @@ export async function determineAutobuildLanguages( * For example, consider a user with the following workflow file: * * ```yml - * - uses: github/codeql-action/init@v3 + * - uses: github/codeql-action/init@v4 * with: * languages: go, java - * - uses: github/codeql-action/autobuild@v3 - * - uses: github/codeql-action/analyze@v3 + * - uses: github/codeql-action/autobuild@v4 + * - uses: github/codeql-action/analyze@v4 * ``` * * - With Go extraction disabled, we will run the Java autobuilder in the diff --git a/src/init-action-post-helper.test.ts b/src/init-action-post-helper.test.ts index 72a828a33f..1c1cbcb684 100644 --- a/src/init-action-post-helper.test.ts +++ b/src/init-action-post-helper.test.ts @@ -84,14 +84,14 @@ test("uploads failed SARIF run with `diagnostics export` if feature flag is off" }, { name: "Initialize CodeQL", - uses: "github/codeql-action/init@v3", + uses: "github/codeql-action/init@v4", with: { languages: "javascript", }, }, { name: "Perform CodeQL Analysis", - uses: "github/codeql-action/analyze@v3", + uses: "github/codeql-action/analyze@v4", with: { category: "my-category", }, @@ -108,14 +108,14 @@ test("uploads failed SARIF run with `diagnostics export` if the database doesn't }, { name: "Initialize CodeQL", - uses: "github/codeql-action/init@v3", + uses: "github/codeql-action/init@v4", with: { languages: "javascript", }, }, { name: "Perform CodeQL Analysis", - uses: "github/codeql-action/analyze@v3", + uses: "github/codeql-action/analyze@v4", with: { category: "my-category", }, @@ -135,14 +135,14 @@ test("uploads failed SARIF run with database export-diagnostics if the database }, { name: "Initialize CodeQL", - uses: "github/codeql-action/init@v3", + uses: "github/codeql-action/init@v4", with: { languages: "javascript", }, }, { name: "Perform CodeQL Analysis", - uses: "github/codeql-action/analyze@v3", + uses: "github/codeql-action/analyze@v4", with: { category: "my-category", }, 
@@ -192,14 +192,14 @@ for (const { uploadInput, shouldUpload } of UPLOAD_INPUT_TEST_CASES) { }, { name: "Initialize CodeQL", - uses: "github/codeql-action/init@v3", + uses: "github/codeql-action/init@v4", with: { languages: "javascript", }, }, { name: "Perform CodeQL Analysis", - uses: "github/codeql-action/analyze@v3", + uses: "github/codeql-action/analyze@v4", with: { category: "my-category", upload: uploadInput, @@ -227,14 +227,14 @@ test("uploading failed SARIF run succeeds when workflow uses an input with a mat }, { name: "Initialize CodeQL", - uses: "github/codeql-action/init@v3", + uses: "github/codeql-action/init@v4", with: { languages: "javascript", }, }, { name: "Perform CodeQL Analysis", - uses: "github/codeql-action/analyze@v3", + uses: "github/codeql-action/analyze@v4", with: { category: "/language:${{ matrix.language }}", }, @@ -254,14 +254,14 @@ test("uploading failed SARIF run fails when workflow uses a complex upload input }, { name: "Initialize CodeQL", - uses: "github/codeql-action/init@v3", + uses: "github/codeql-action/init@v4", with: { languages: "javascript", }, }, { name: "Perform CodeQL Analysis", - uses: "github/codeql-action/analyze@v3", + uses: "github/codeql-action/analyze@v4", with: { upload: "${{ matrix.language != 'csharp' }}", }, diff --git a/src/workflow.test.ts b/src/workflow.test.ts index 9af81459ef..e922d8079c 100644 --- a/src/workflow.test.ts +++ b/src/workflow.test.ts @@ -395,9 +395,9 @@ async function testLanguageAliases( }, }, steps: [ - { uses: "actions/checkout@v3" }, - { uses: "github/codeql-action/init@v3" }, - { uses: "github/codeql-action/analyze@v3" }, + { uses: "actions/checkout@v4" }, + { uses: "github/codeql-action/init@v4" }, + { uses: "github/codeql-action/analyze@v4" }, ], }, }, 
@@ -666,7 +666,7 @@ test("getWorkflowErrors() should report a warning if different versions of the C analyze: steps: - uses: github/codeql-action/init@v2 - - uses: github/codeql-action/analyze@v3 + - uses: github/codeql-action/analyze@v4 `) as Workflow, await getCodeQLForTesting(), ); @@ -686,8 +686,8 @@ test("getWorkflowErrors() should not report a warning if the same versions of th jobs: analyze: steps: - - uses: github/codeql-action/init@v3 - - uses: github/codeql-action/analyze@v3 + - uses: github/codeql-action/init@v4 + - uses: github/codeql-action/analyze@v4 `) as Workflow, await getCodeQLForTesting(), ); @@ -706,7 +706,7 @@ test("getWorkflowErrors() should not report a warning involving versions of othe analyze: steps: - uses: actions/checkout@v5 - - uses: github/codeql-action/init@v3 + - uses: github/codeql-action/init@v4 `) as Workflow, await getCodeQLForTesting(), ); @@ -723,9 +723,9 @@ test("getCategoryInputOrThrow returns category for simple workflow with category analysis: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: github/codeql-action/init@v3 - - uses: github/codeql-action/analyze@v3 + - uses: actions/checkout@v4 + - uses: github/codeql-action/init@v4 + - uses: github/codeql-action/analyze@v4 with: category: some-category `) as Workflow, @@ -745,9 +745,9 @@ test("getCategoryInputOrThrow returns undefined for simple workflow without cate analysis: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: github/codeql-action/init@v3 - - uses: github/codeql-action/analyze@v3 + - uses: actions/checkout@v4 + - uses: github/codeql-action/init@v4 + - uses: github/codeql-action/analyze@v4 `) as Workflow, "analysis", {}, 
@@ -765,19 +765,19 @@ test("getCategoryInputOrThrow returns category for workflow with multiple jobs", foo: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: github/codeql-action/init@v3 + - uses: actions/checkout@v4 + - uses: github/codeql-action/init@v4 - runs: ./build foo - - uses: github/codeql-action/analyze@v3 + - uses: github/codeql-action/analyze@v4 with: category: foo-category bar: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: github/codeql-action/init@v3 + - uses: actions/checkout@v4 + - uses: github/codeql-action/init@v4 - runs: ./build bar - - uses: github/codeql-action/analyze@v3 + - uses: github/codeql-action/analyze@v4 with: category: bar-category `) as Workflow, @@ -800,11 +800,11 @@ test("getCategoryInputOrThrow finds category for workflow with language matrix", matrix: language: [javascript, python] steps: - - uses: actions/checkout@v3 - - uses: github/codeql-action/init@v3 + - uses: actions/checkout@v4 + - uses: github/codeql-action/init@v4 with: language: \${{ matrix.language }} - - uses: github/codeql-action/analyze@v3 + - uses: github/codeql-action/analyze@v4 with: category: "/language:\${{ matrix.language }}" `) as Workflow, @@ -824,9 +824,9 @@ test("getCategoryInputOrThrow throws error for workflow with dynamic category", jobs: analysis: steps: - - uses: actions/checkout@v3 - - uses: github/codeql-action/init@v3 - - uses: github/codeql-action/analyze@v3 + - uses: actions/checkout@v4 + - uses: github/codeql-action/init@v4 + - uses: github/codeql-action/analyze@v4 with: category: "\${{ github.workflow }}" `) as Workflow, 
@@ -851,12 +851,12 @@ test("getCategoryInputOrThrow throws error for workflow with multiple calls to a analysis: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: github/codeql-action/init@v3 - - uses: github/codeql-action/analyze@v3 + - uses: actions/checkout@v4 + - uses: github/codeql-action/init@v4 + - uses: github/codeql-action/analyze@v4 with: category: some-category - - uses: github/codeql-action/analyze@v3 + - uses: github/codeql-action/analyze@v4 with: category: another-category `) as Workflow, diff --git a/start-proxy/action.yml b/start-proxy/action.yml index 14d2cd1f89..6d520259f8 100644 --- a/start-proxy/action.yml +++ b/start-proxy/action.yml @@ -26,6 +26,6 @@ outputs: proxy_urls: description: A stringified JSON array of objects containing the types and URLs of the configured registries. runs: - using: node20 + using: node24 main: "../lib/start-proxy-action.js" post: "../lib/start-proxy-action-post.js" diff --git a/upload-sarif/action.yml b/upload-sarif/action.yml index cd61886c69..2827891b2e 100644 --- a/upload-sarif/action.yml +++ b/upload-sarif/action.yml @@ -41,6 +41,6 @@ outputs: { "code-scanning": "some-id", "code-quality": "some-other-id" } runs: - using: node20 + using: node24 main: '../lib/upload-sarif-action.js' post: '../lib/upload-sarif-action-post.js' From 30445af89f63da37c830d906b47c90c6e94e8d3c Mon Sep 17 00:00:00 2001 From: Mario Campos Date: Fri, 26 Sep 2025 16:18:59 -0500 Subject: [PATCH 02/18] Rebuild JS after upgrading to Node.js 24. --- lib/analyze-action-post.js | 6 +++--- lib/analyze-action.js | 6 +++--- lib/autobuild-action.js | 6 +++--- lib/init-action-post.js | 6 +++--- lib/init-action.js | 6 +++--- lib/resolve-environment-action.js | 6 +++--- lib/start-proxy-action-post.js | 6 +++--- lib/start-proxy-action.js | 4 ++-- lib/upload-lib.js | 6 +++--- lib/upload-sarif-action-post.js | 6 +++--- lib/upload-sarif-action.js | 6 +++--- 11 files changed, 32 insertions(+), 32 deletions(-) 
diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index dc7b7a8403..17d28f6616 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "4.30.6", private: true, description: "CodeQL action", scripts: { @@ -26500,7 +26500,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "20.19.9", + "@types/node": "^24.5.2", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -28542,7 +28542,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,(?!,).*\}/)) { + if (m.post.match(/,.*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 58f61c096b..a8a3d8589c 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "4.30.6", private: true, description: "CodeQL action", scripts: { @@ -32349,7 +32349,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "20.19.9", + "@types/node": "^24.5.2", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", 
@@ -34391,7 +34391,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,(?!,).*\}/)) { + if (m.post.match(/,.*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index f9b6ebdfe7..7f12059f35 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "4.30.6", private: true, description: "CodeQL action", scripts: { @@ -26500,7 +26500,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "20.19.9", + "@types/node": "^24.5.2", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -28542,7 +28542,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,(?!,).*\}/)) { + if (m.post.match(/,.*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 210a6f5010..c4fd6f812d 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "4.30.6", private: true, description: "CodeQL action", scripts: { 
@@ -32349,7 +32349,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "20.19.9", + "@types/node": "^24.5.2", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -34391,7 +34391,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,(?!,).*\}/)) { + if (m.post.match(/,.*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/init-action.js b/lib/init-action.js index 6940d87af4..49775e6ffb 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "4.30.6", private: true, description: "CodeQL action", scripts: { @@ -32349,7 +32349,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "20.19.9", + "@types/node": "^24.5.2", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -34391,7 +34391,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,(?!,).*\}/)) { + if (m.post.match(/,.*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 8ace1ec0bc..9d53cdbe60 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js 
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "4.30.6", private: true, description: "CodeQL action", scripts: { @@ -26500,7 +26500,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "20.19.9", + "@types/node": "^24.5.2", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -28542,7 +28542,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,(?!,).*\}/)) { + if (m.post.match(/,.*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index e0ff1691ae..2d262137b9 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "4.30.6", private: true, description: "CodeQL action", scripts: { @@ -26500,7 +26500,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "20.19.9", + "@types/node": "^24.5.2", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -28542,7 +28542,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,(?!,).*\}/)) { + if (m.post.match(/,.*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } 
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 1b934050d1..e2d9666366 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -44966,7 +44966,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "4.30.6", private: true, description: "CodeQL action", scripts: { @@ -45028,7 +45028,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "20.19.9", + "@types/node": "^24.5.2", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 27ad934088..78763e9cc8 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -33584,7 +33584,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "4.30.6", private: true, description: "CodeQL action", scripts: { @@ -33646,7 +33646,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "20.19.9", + "@types/node": "^24.5.2", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -35688,7 +35688,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,(?!,).*\}/)) { + if (m.post.match(/,.*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 1e61b3bc54..6ffda0583a 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js 
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "4.30.6", private: true, description: "CodeQL action", scripts: { @@ -26500,7 +26500,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "20.19.9", + "@types/node": "^24.5.2", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -106366,7 +106366,7 @@ var require_brace_expansion3 = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,(?!,).*\}/)) { + if (m.post.match(/,.*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 317e6290bc..2e6a676dc7 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "4.30.6", private: true, description: "CodeQL action", scripts: { @@ -32349,7 +32349,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "20.19.9", + "@types/node": "^24.5.2", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -34391,7 +34391,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,(?!,).*\}/)) { + if (m.post.match(/,.*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } From d7ada03e0280f776b82f810731bcbec65691d7b4 Mon Sep 17 00:00:00 2001 
From: Mario Campos Date: Fri, 26 Sep 2025 16:38:11 -0500 Subject: [PATCH 03/18] Downgrade upload-sarif@v4 -> v3 I got ahead of myself; v4 hasn't been tagged yet. --- .github/workflows/pr-checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 67974422e8..2fd737de86 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -72,7 +72,7 @@ jobs: run: npm run lint-ci - name: Upload sarif - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@v3 if: matrix.os == 'ubuntu-latest' with: sarif_file: eslint.sarif From 180438161ed057dbe254fbe4b9e065448fbe1c40 Mon Sep 17 00:00:00 2001 From: Mario Campos Date: Mon, 29 Sep 2025 11:22:30 -0500 Subject: [PATCH 04/18] Specify Node.js v24 in actions/setup-node steps. --- .github/workflows/codescanning-config-cli.yml | 2 +- .github/workflows/pr-checks.yml | 2 +- .github/workflows/query-filters.yml | 2 +- .github/workflows/update-bundle.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml index c6dc41f299..0c6213e9e7 100644 --- a/.github/workflows/codescanning-config-cli.yml +++ b/.github/workflows/codescanning-config-cli.yml @@ -58,7 +58,7 @@ jobs: - name: Set up Node.js uses: actions/setup-node@v5 with: - node-version: '20' + node-version: 24 cache: 'npm' - name: Install dependencies diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 2fd737de86..3a4bca4ec2 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -36,7 +36,7 @@ jobs: - name: Set up Node.js uses: actions/setup-node@v5 with: - node-version: '20.x' + node-version: 24 cache: 'npm' - name: Set up Python diff --git a/.github/workflows/query-filters.yml b/.github/workflows/query-filters.yml index aabcc144b0..fa89d2d935 100644 
--- a/.github/workflows/query-filters.yml +++ b/.github/workflows/query-filters.yml @@ -34,7 +34,7 @@ jobs: - name: Install Node.js uses: actions/setup-node@v5 with: - node-version: 20.x + node-version: 24 cache: npm - name: Install dependencies diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml index e64135d841..6705d7d14b 100644 --- a/.github/workflows/update-bundle.yml +++ b/.github/workflows/update-bundle.yml @@ -43,7 +43,7 @@ jobs: - name: Set up Node.js uses: actions/setup-node@v5 with: - node-version: '20.x' + node-version: 24 cache: 'npm' - name: Install dependencies From d4bbcb74ca9400cb92146ef4ea5e441eafd2edce Mon Sep 17 00:00:00 2001 From: Mario Campos Date: Mon, 29 Sep 2025 11:26:46 -0500 Subject: [PATCH 05/18] Implement simultaneous PR checks for Node.js v20, v24. Copied from #2006. --- .github/workflows/pr-checks.yml | 12 ++++++-- .github/workflows/script/check-js-20.sh | 37 +++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 3 deletions(-) create mode 100755 .github/workflows/script/check-js-20.sh diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 3a4bca4ec2..4d87e15fb5 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -20,6 +20,7 @@ jobs: fail-fast: false matrix: os: [ubuntu-latest, macos-latest, windows-latest] + node-version: [20, 24] permissions: contents: read security-events: write # needed to upload ESLint results @@ -36,7 +37,7 @@ jobs: - name: Set up Node.js uses: actions/setup-node@v5 with: - node-version: 24 + node-version: ${{ matrix.node-version }} cache: 'npm' - name: Set up Python 
@@ -51,7 +52,12 @@ jobs: npm config set script-shell bash npm ci - - name: Verify compiled JS up to date + - name: Verify compiled JS up to date (Node.js 20) + if: matrix.node-version == 20 + run: .github/workflows/script/check-js-20.sh + + - name: Verify compiled JS up to date (Node.js 24) + if: matrix.node-version == 24 run: .github/workflows/script/check-js.sh - name: Verify PR checks up to date @@ -73,7 +79,7 @@ jobs: - name: Upload sarif uses: github/codeql-action/upload-sarif@v3 - if: matrix.os == 'ubuntu-latest' + if: matrix.os == 'ubuntu-latest' && matrix.node-version == 24 with: sarif_file: eslint.sarif category: eslint diff --git a/.github/workflows/script/check-js-20.sh b/.github/workflows/script/check-js-20.sh new file mode 100755 index 0000000000..02ed8557a6 --- /dev/null +++ b/.github/workflows/script/check-js-20.sh 
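Review bot: The new `Verify compiled JS up to date (Node.js 20)` step can pass without checking anything, because it runs on every `os` in the matrix while check-js-20.sh decides pass or fail from `grep --perl-regexp` output captured in `$(...)`. If a runner's `grep` has no PCRE support (likely for the stock grep on macos-latest, though the runner image is not visible here), both substitutions come back empty and the `-gt 0` tests evaluate false. A verification step that fails open gives false assurance about the committed `lib/` bundles. Either restrict the step, `if: matrix.node-version == 20 && matrix.os == 'ubuntu-latest'`, or have the script probe for PCRE support up front and exit non-zero when it is missing.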
@@ -0,0 +1,37 @@ +#!/bin/bash +set -eu + +# Change @types/node to v20 temporarily to check that the generated JS files are correct. +contents=$(jq '.devDependencies."@types/node" = "^20.0.0"' package.json) +echo "${contents}" > package.json + +npm install + +if [ ! -z "$(git status --porcelain)" ]; then + git config --global user.email "github-actions@github.com" + git config --global user.name "github-actions[bot]" + # The period in `git add --all .` ensures that we stage deleted files too. + git add --all . + git commit -m "Use @types/node v20" +fi + +# Wipe the lib directory in case there are extra unnecessary files in there +rm -rf lib + +# Generate the JavaScript files +npm run-script build + +# Check that repo is still clean. +# The downgrade of @types/node means that we expect certain changes to the generated JS files. +# Therefore, we should ignore these changes to @types/node and check for outstanding changes. +if [[ $(git diff | grep --perl-regexp '^-(?!--)' | grep --count --invert-match --perl-regexp '"@types/node": "\^24') -gt 0 || \ + $(git diff | grep --perl-regexp '^\+(?!\+\+)' | grep --count --invert-match --perl-regexp '"@types/node": "\^20') -gt 0 ]] +then + >&2 echo "Failed: JavaScript files are not up to date. Run 'rm -rf lib && npm run-script build' to update" + git diff + exit 1 +fi +echo "Success: JavaScript files are up to date" + +# Clean up changes to package.json, package-lock.json, and lib/*.js. +git reset --hard HEAD~1 From d4b5380db47e283a94c5a85c4c6cf1f677d2530e Mon Sep 17 00:00:00 2001 From: Mario Campos Date: Tue, 30 Sep 2025 13:45:06 -0500 Subject: [PATCH 06/18] Document Node.js 24 change in CHANGELOG.md. --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 65af5e0af6..dc29f203ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
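Review bot: The closing `git reset --hard HEAD~1` runs unconditionally, while the temporary "Use @types/node v20" commit is only created when `git status --porcelain` reports changes, so the guard and the cleanup disagree. In the usual case package.json has just been rewritten and the commit exists, but if the tree is already clean the reset discards the real HEAD commit, which matters for anyone running the script in a local clone. The script also sets `user.email` and `user.name` with `git config --global`, overwriting the identity of whoever runs it outside CI. On the `exit 1` path the temporary commit and the rewritten package.json are left in place. I would pass the identity per command with `git -c`, record whether the temporary commit was made, and undo only what this run created, as below.

```shell
made_commit=false
if [ -n "$(git status --porcelain)" ]; then
    git add --all .
    git -c user.email="github-actions@github.com" -c user.name="github-actions[bot]" \
        commit -m "Use @types/node v20"
    made_commit=true
fi

# … unchanged: rm -rf lib, npm run-script build, git diff check …

# Only drop a commit if this run created it; otherwise just discard working-tree changes.
if [ "$made_commit" = true ]; then
    git reset --hard HEAD~1
else
    git reset --hard
fi
```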
@@ -16,6 +16,7 @@ No user facing changes. - We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. [#3107](https://github.com/github/codeql-action/pull/3107) - You can now run the latest CodeQL nightly bundle by passing `tools: nightly` to the `init` action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. [#3130](https://github.com/github/codeql-action/pull/3130) - Update default CodeQL bundle version to 2.23.1. [#3118](https://github.com/github/codeql-action/pull/3118) +- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169) ## 3.30.3 - 10 Sep 2025 From 3adb1ff7b88abf82e97c2c42d9ac29a62769ba63 Mon Sep 17 00:00:00 2001 From: Mario Campos Date: Wed, 1 Oct 2025 09:04:18 -0500 Subject: [PATCH 07/18] Reorder supported tags in descending order Co-authored-by: Henry Mercer --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c6ab9ff1a9..d4e5320b3b 100644 --- a/README.md +++ b/README.md @@ -62,8 +62,8 @@ For compiled languages: The following versions of the CodeQL Action are currently supported: -- v3 - v4 (latest) +- v3 ## Supported versions of the CodeQL Bundle on GitHub Enterprise Server From 205744e04feff7038d2f6efa0a56ccf2311ae33b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 2 Oct 2025 13:53:03 +0000 Subject: [PATCH 08/18] Update changelog and version after v3.30.6 --- CHANGELOG.md | 4 ++++ package-lock.json | 4 ++-- package.json | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 41d89f885d..3b0da85e36 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. +## [UNRELEASED] + +No user facing changes. + ## 3.30.6 - 02 Oct 2025 - Update default CodeQL bundle version to 2.23.2. [#3168](https://github.com/github/codeql-action/pull/3168) diff --git a/package-lock.json b/package-lock.json index 46ec821b83..911e99ad4d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "3.30.6", + "version": "3.30.7", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "3.30.6", + "version": "3.30.7", "license": "MIT", "dependencies": { "@actions/artifact": "^2.3.1", diff --git a/package.json b/package.json index 31389bb802..32b427bb41 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "3.30.6", + "version": "3.30.7", "private": true, "description": "CodeQL action", "scripts": { From 70836b1ec4ecbd0baa6b1e69566c54c946fc2729 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 2 Oct 2025 13:55:07 +0000 Subject: [PATCH 09/18] Rebuild --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index e5ccfa9f98..a9b163bc16 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js 
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/analyze-action.js b/lib/analyze-action.js index c60a3692a9..d873c64dc8 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index b65cb80434..316585f7fd 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index ff5a35731f..0c352bbd7b 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action.js b/lib/init-action.js index 8e246aebb0..8ad9767743 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 8ace1ec0bc..1413b95935 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js 
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index e0ff1691ae..a52eadfc51 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 91a4880ef2..1366fbcadf 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -44974,7 +44974,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index fb3980402d..a6342ff212 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -33584,7 +33584,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index e9b083b3c3..233b73d473 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 9efd8515be..12ad80cd9b 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js 
@@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.6", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { From 65e9e640eee8bd9544d635018b785e3902144ccd Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 2 Oct 2025 17:45:08 +0100 Subject: [PATCH 10/18] Make `matrix` available to `start-proxy` action --- start-proxy/action.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/start-proxy/action.yml b/start-proxy/action.yml index 14d2cd1f89..17fc3bbe64 100644 --- a/start-proxy/action.yml +++ b/start-proxy/action.yml @@ -16,6 +16,9 @@ inputs: language: description: The programming language to setup the proxy for the correct ecosystem required: false + matrix: + default: ${{ toJson(matrix) }} + required: false outputs: proxy_host: description: The IP address of the proxy From 54ae8ba5b132f38656616b37ff939c55700d519b Mon Sep 17 00:00:00 2001 From: Mario Campos Date: Thu, 2 Oct 2025 13:46:44 -0500 Subject: [PATCH 11/18] Simplify PR check by reverting changes to `@types/node`. --- .github/workflows/pr-checks.yml | 7 +---- .github/workflows/script/check-js-20.sh | 37 ------------------------- build.mjs | 6 ++-- lib/analyze-action-post.js | 4 +-- lib/analyze-action.js | 4 +-- lib/autobuild-action.js | 4 +-- lib/init-action-post.js | 4 +-- lib/init-action.js | 4 +-- lib/resolve-environment-action.js | 4 +-- lib/start-proxy-action-post.js | 4 +-- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 4 +-- lib/upload-sarif-action-post.js | 4 +-- lib/upload-sarif-action.js | 4 +-- package-lock.json | 20 +++++++------ package.json | 2 +- 16 files changed, 37 insertions(+), 77 deletions(-) delete mode 100755 .github/workflows/script/check-js-20.sh diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 4d87e15fb5..376730e386 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml 
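Review bot: The new `matrix` input in start-proxy/action.yml is declared without a `description`, unlike the `language` input directly above it, so a reader of the metadata cannot tell what the value is for or whether callers are expected to set it. Because the default expands `${{ toJson(matrix) }}`, the whole matrix context of the calling job is handed to the action, and it is worth saying so next to the input. Something like `description: JSON-serialised matrix context of the calling job; populated by the default and not normally set by hand.` would do, adjusted to the actual use, which this hunk does not show.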
@@ -52,12 +52,7 @@ jobs: npm config set script-shell bash npm ci - - name: Verify compiled JS up to date (Node.js 20) - if: matrix.node-version == 20 - run: .github/workflows/script/check-js-20.sh - - - name: Verify compiled JS up to date (Node.js 24) - if: matrix.node-version == 24 + - name: Verify compiled JS up to date run: .github/workflows/script/check-js.sh - name: Verify PR checks up to date diff --git a/.github/workflows/script/check-js-20.sh b/.github/workflows/script/check-js-20.sh deleted file mode 100755 index 02ed8557a6..0000000000 --- a/.github/workflows/script/check-js-20.sh +++ /dev/null 
@@ -1,37 +0,0 @@ -#!/bin/bash -set -eu - -# Change @types/node to v20 temporarily to check that the generated JS files are correct. -contents=$(jq '.devDependencies."@types/node" = "^20.0.0"' package.json) -echo "${contents}" > package.json - -npm install - -if [ ! -z "$(git status --porcelain)" ]; then - git config --global user.email "github-actions@github.com" - git config --global user.name "github-actions[bot]" - # The period in `git add --all .` ensures that we stage deleted files too. - git add --all . - git commit -m "Use @types/node v20" -fi - -# Wipe the lib directory in case there are extra unnecessary files in there -rm -rf lib - -# Generate the JavaScript files -npm run-script build - -# Check that repo is still clean. -# The downgrade of @types/node means that we expect certain changes to the generated JS files. -# Therefore, we should ignore these changes to @types/node and check for outstanding changes. -if [[ $(git diff | grep --perl-regexp '^-(?!--)' | grep --count --invert-match --perl-regexp '"@types/node": "\^24') -gt 0 || \ - $(git diff | grep --perl-regexp '^\+(?!\+\+)' | grep --count --invert-match --perl-regexp '"@types/node": "\^20') -gt 0 ]] -then - >&2 echo "Failed: JavaScript files are not up to date. Run 'rm -rf lib && npm run-script build' to update" - git diff - exit 1 -fi -echo "Success: JavaScript files are up to date" - -# Clean up changes to package.json, package-lock.json, and lib/*.js. -git reset --hard HEAD~1 diff --git a/build.mjs b/build.mjs index 2e014e81d2..9e28acbd74 100644 --- a/build.mjs +++ b/build.mjs @@ -13,7 +13,7 @@ const OUT_DIR = join(__dirname, "lib"); /** * Clean the output directory before building. - * + * * @type {esbuild.Plugin} */ const cleanPlugin = { @@ -27,7 +27,7 @@ const cleanPlugin = { /** * Copy defaults.json to the output directory since other projects depend on it. - * + * * @type {esbuild.Plugin} */ const copyDefaultsPlugin = { 
@@ -68,7 +68,7 @@ const context = await esbuild.context({ outdir: OUT_DIR, platform: "node", plugins: [cleanPlugin, copyDefaultsPlugin, onEndPlugin], - target: ["node24"], + target: ["node20"], }); await context.rebuild(); diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 506c3886b5..9608f9f58a 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -26500,7 +26500,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^24.5.2", + "@types/node": "20.19.9", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -28542,7 +28542,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,.*\}/)) { + if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/analyze-action.js b/lib/analyze-action.js index d4d77251f2..f17cde2492 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -32349,7 +32349,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^24.5.2", + "@types/node": "20.19.9", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -34391,7 +34391,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,.*\}/)) { + if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 86634cdf83..30c9abb8fb 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js 
@@ -26500,7 +26500,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^24.5.2", + "@types/node": "20.19.9", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -28542,7 +28542,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,.*\}/)) { + if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 504e33abcf..fdf055f090 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -32349,7 +32349,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^24.5.2", + "@types/node": "20.19.9", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -34391,7 +34391,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,.*\}/)) { + if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/init-action.js b/lib/init-action.js index 01f7dcdbda..901cbda3f8 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -32349,7 +32349,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^24.5.2", + "@types/node": "20.19.9", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", 
@@ -34391,7 +34391,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,.*\}/)) { + if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 9d53cdbe60..d3edabe93e 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -26500,7 +26500,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^24.5.2", + "@types/node": "20.19.9", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -28542,7 +28542,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,.*\}/)) { + if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 2d262137b9..ee1a6ba945 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -26500,7 +26500,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^24.5.2", + "@types/node": "20.19.9", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", 
@@ -28542,7 +28542,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,.*\}/)) { + if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index a194b3d5f4..c6c18fc06b 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -45036,7 +45036,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^24.5.2", + "@types/node": "20.19.9", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 9a9e6e6bc2..dde7db14cf 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -33646,7 +33646,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^24.5.2", + "@types/node": "20.19.9", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -35688,7 +35688,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,.*\}/)) { + if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index ac0a6da671..5ec030a15b 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js 
@@ -26500,7 +26500,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^24.5.2", + "@types/node": "20.19.9", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -106366,7 +106366,7 @@ var require_brace_expansion3 = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,.*\}/)) { + if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index cc9874e266..dc7506af36 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -32349,7 +32349,7 @@ var require_package = __commonJS({ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^24.5.2", + "@types/node": "20.19.9", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", @@ -34391,7 +34391,7 @@ var require_brace_expansion = __commonJS({ var isSequence = isNumericSequence || isAlphaSequence; var isOptions = m.body.indexOf(",") >= 0; if (!isSequence && !isOptions) { - if (m.post.match(/,.*\}/)) { + if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; return expand(str2); } diff --git a/package-lock.json b/package-lock.json index c13f510c1b..cb01080570 100644 --- a/package-lock.json +++ b/package-lock.json @@ -47,7 +47,7 @@ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^24.5.2", + "@types/node": "20.19.9", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", 
@@ -2660,13 +2660,13 @@ "license": "MIT" }, "node_modules/@types/node": { - "version": "24.6.0", - "resolved": "https://registry.npmjs.org/@types/node/-/node-24.6.0.tgz", - "integrity": "sha512-F1CBxgqwOMc4GKJ7eY22hWhBVQuMYTtqI8L0FcszYcpYX0fzfDGpez22Xau8Mgm7O9fI+zA/TYIdq3tGWfweBA==", + "version": "20.19.9", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.9.tgz", + "integrity": "sha512-cuVNgarYWZqxRJDQHEB58GEONhOK79QVR/qYx4S7kcUObQvUwvFnYxJuuHUKm2aieN9X3yZB4LZsuYNU1Qphsw==", "dev": true, "license": "MIT", "dependencies": { - "undici-types": "~7.13.0" + "undici-types": "~6.21.0" } }, "node_modules/@types/node-forge": { @@ -4200,7 +4200,9 @@ "license": "MIT" }, "node_modules/brace-expansion": { - "version": "1.1.11", + "version": "1.1.12", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", + "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", "license": "MIT", "dependencies": { "balanced-match": "^1.0.0", @@ -9195,9 +9197,9 @@ } }, "node_modules/undici-types": { - "version": "7.13.0", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.13.0.tgz", - "integrity": "sha512-Ov2Rr9Sx+fRgagJ5AX0qvItZG/JKKoBRAVITs1zk7IqZGTJUwgUr7qoYBpWwakpWilTZFM98rG/AFRocu10iIQ==", + "version": "6.21.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz", + "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==", "dev": true, "license": "MIT" }, diff --git a/package.json b/package.json index 60a1f009c6..e4ddef3411 100644 --- a/package.json +++ b/package.json @@ -62,7 +62,7 @@ "@types/console-log-level": "^1.4.5", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^24.5.2", + "@types/node": "20.19.9", "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", 
From dddf033776a9a0e008719a5c64a93dcac144838f Mon Sep 17 00:00:00 2001 From: Mario Campos Date: Thu, 2 Oct 2025 14:32:40 -0500 Subject: [PATCH 12/18] Revert changes to build.mjs --- build.mjs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.mjs b/build.mjs index 9e28acbd74..05f7e05021 100644 --- a/build.mjs +++ b/build.mjs @@ -13,7 +13,7 @@ const OUT_DIR = join(__dirname, "lib"); /** * Clean the output directory before building. - * + * * @type {esbuild.Plugin} */ const cleanPlugin = { @@ -27,7 +27,7 @@ const cleanPlugin = { /** * Copy defaults.json to the output directory since other projects depend on it. - * + * * @type {esbuild.Plugin} */ const copyDefaultsPlugin = { From 7fb8378d93a9c48917835b918be8813792a0dd26 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 3 Oct 2025 11:59:36 +0100 Subject: [PATCH 13/18] Re-throw exception in `createStatusReportBase` when in test mode --- lib/analyze-action.js | 3 +++ lib/autobuild-action.js | 3 +++ lib/init-action-post.js | 3 +++ lib/init-action.js | 3 +++ lib/resolve-environment-action.js | 3 +++ lib/start-proxy-action.js | 3 +++ lib/upload-sarif-action.js | 3 +++ src/status-report.ts | 6 ++++++ 8 files changed, 27 insertions(+) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index d873c64dc8..c2788900b3 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -94123,6 +94123,9 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi logger.warning( `Caught an exception while gathering information for telemetry: ${e}. Will skip sending status report.` ); + if (isInTestMode()) { + throw e; + } return void 0; } } diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 316585f7fd..4cde47d65b 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js 
@@ -79872,6 +79872,9 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi logger.warning( `Caught an exception while gathering information for telemetry: ${e}. Will skip sending status report.` ); + if (isInTestMode()) { + throw e; + } return void 0; } } diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 0c352bbd7b..e138420a3e 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -131599,6 +131599,9 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi logger.warning( `Caught an exception while gathering information for telemetry: ${e}. Will skip sending status report.` ); + if (isInTestMode()) { + throw e; + } return void 0; } } diff --git a/lib/init-action.js b/lib/init-action.js index 8ad9767743..2f509ad0ee 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -90274,6 +90274,9 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi logger.warning( `Caught an exception while gathering information for telemetry: ${e}. Will skip sending status report.` ); + if (isInTestMode()) { + throw e; + } return void 0; } } diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 1413b95935..67cb394e74 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -79499,6 +79499,9 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi logger.warning( `Caught an exception while gathering information for telemetry: ${e}. Will skip sending status report.` ); + if (isInTestMode()) { + throw e; + } return void 0; } } diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 1366fbcadf..f262402cf9 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js 
@@ -95649,6 +95649,9 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi logger.warning( `Caught an exception while gathering information for telemetry: ${e}. Will skip sending status report.` ); + if (isInTestMode()) { + throw e; + } return void 0; } } diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 12ad80cd9b..7ad72583b5 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -89910,6 +89910,9 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi logger.warning( `Caught an exception while gathering information for telemetry: ${e}. Will skip sending status report.` ); + if (isInTestMode()) { + throw e; + } return void 0; } } diff --git a/src/status-report.ts b/src/status-report.ts index b0e39aa54b..9bfd14677d 100644 --- a/src/status-report.ts +++ b/src/status-report.ts @@ -375,6 +375,12 @@ export async function createStatusReportBase( logger.warning( `Caught an exception while gathering information for telemetry: ${e}. Will skip sending status report.`, ); + + // Re-throw the exception in test mode. While testing, we want to know if something goes wrong here. + if (isInTestMode()) { + throw e; + } + return undefined; } } From b66db86c847a6b3b82d6036b8ef090a869d23fcd Mon Sep 17 00:00:00 2001 From: Mario Campos Date: Mon, 6 Oct 2025 11:40:43 -0500 Subject: [PATCH 14/18] Hoist CHANGELOG note back to "UNRELEASED" section. --- CHANGELOG.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 322b76a844..37bca4058a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -No user facing changes. +- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169) ## 3.30.6 - 02 Oct 2025 
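Review bot: The re-throw added to `createStatusReportBase` in src/status-report.ts gives the function a different contract in test mode — it still ends in `return undefined` on failure otherwise, but now propagates the exception under `isInTestMode()` — and the commit's file list contains no test file, so nothing pins that behaviour. The warning logged just before the new `if` still says "Will skip sending status report", which is misleading on the path that throws. I would describe the test-mode behaviour in the function's doc comment (the function starts outside this hunk, so its current wording is not visible) and add a test that forces the telemetry gathering to fail and asserts the rejection.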
@@ -20,7 +20,6 @@ No user facing changes. - We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. [#3107](https://github.com/github/codeql-action/pull/3107) - You can now run the latest CodeQL nightly bundle by passing `tools: nightly` to the `init` action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. [#3130](https://github.com/github/codeql-action/pull/3130) - Update default CodeQL bundle version to 2.23.1. [#3118](https://github.com/github/codeql-action/pull/3118) -- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169) ## 3.30.3 - 10 Sep 2025 From 93c16735fa0c27d771c77818dac729edc5a9cd19 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 6 Oct 2025 18:19:26 +0000 Subject: [PATCH 15/18] Update changelog for v4.30.7 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 37bca4058a..692c42bf3b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## [UNRELEASED] +## 4.30.7 - 06 Oct 2025 - [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169) From b264e152591cf9e60453d86f7644cc602e2d2770 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 7 Oct 2025 15:23:05 +0000 Subject: [PATCH 16/18] Update version and changelog for v3.30.7 --- CHANGELOG.md | 11 ++--------- package.json | 2 +- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 692c42bf3b..b28a41390c 100644 --- a/CHANGELOG.md 
+++ b/CHANGELOG.md @@ -2,9 +2,9 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## 4.30.7 - 06 Oct 2025 +## 3.30.7 - 06 Oct 2025 -- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169) +No user facing changes. ## 3.30.6 - 02 Oct 2025 
@@ -240,17 +240,13 @@ No user facing changes. ## 3.26.12 - 07 Oct 2024 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520) - - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version. - - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action. ## 3.26.11 - 03 Oct 2024 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts. - Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then. 
- This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES. - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519) @@ -373,12 +369,9 @@ No user facing changes. ## 3.25.0 - 15 Apr 2024 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224) - As a result, the following inputs and environment variables are now ignored: - - The `setup-python-dependencies` input to the `init` Action - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable - We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0. - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229) - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232) diff --git a/package.json b/package.json index 9dc0420b3f..32b427bb41 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "4.30.7", + "version": "3.30.7", "private": true, "description": "CodeQL action", "scripts": { From 01f1a240330d9e6f5ca474926558eaf11f43d7a1 Mon Sep 17 00:00:00 2001 From: Mario Campos Date: Tue, 7 Oct 2025 10:29:22 -0500 Subject: [PATCH 17/18] Downgrade action.yml to use Node.js 20 instead of Node.js 24 for v3 --- .github/actions/check-sarif/action.yml | 2 +- analyze/action.yml | 2 +- autobuild/action.yml | 2 +- init/action.yml | 2 +- resolve-environment/action.yml | 2 +- start-proxy/action.yml | 2 +- upload-sarif/action.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/.github/actions/check-sarif/action.yml b/.github/actions/check-sarif/action.yml
index bfa1c3b9d1..89ff9d703e 100644
--- a/.github/actions/check-sarif/action.yml
+++ b/.github/actions/check-sarif/action.yml
@@ -16,5 +16,5 @@ inputs:
 Comma separated list of query ids that should NOT be included in this SARIF file.
 runs:
- using: node24
+ using: node20
 main: index.js
diff --git a/analyze/action.yml b/analyze/action.yml
index 7fc118b156..b7880be179 100644
--- a/analyze/action.yml
+++ b/analyze/action.yml
@@ -92,6 +92,6 @@ outputs:
 sarif-id:
 description: The ID of the uploaded SARIF file.
 runs:
- using: node24
+ using: node20
 main: "../lib/analyze-action.js"
 post: "../lib/analyze-action-post.js"
diff --git a/autobuild/action.yml b/autobuild/action.yml
index c820fb5aff..80d8c1c31e 100644
--- a/autobuild/action.yml
+++ b/autobuild/action.yml
@@ -15,5 +15,5 @@ inputs:
 $GITHUB_WORKSPACE as its working directory.
 required: false
 runs:
- using: node24
+ using: node20
 main: '../lib/autobuild-action.js'
diff --git a/init/action.yml b/init/action.yml
index 57d5a99402..ba5d6efcc1 100644
--- a/init/action.yml
+++ b/init/action.yml
@@ -165,6 +165,6 @@ outputs:
 codeql-version:
 description: The version of the CodeQL binary used for analysis
 runs:
- using: node24
+ using: node20
 main: '../lib/init-action.js'
 post: '../lib/init-action-post.js'
diff --git a/resolve-environment/action.yml b/resolve-environment/action.yml
index 0734fcfa44..188e5fd174 100644
--- a/resolve-environment/action.yml
+++ b/resolve-environment/action.yml
@@ -21,5 +21,5 @@ outputs:
 environment:
 description: The inferred build environment configuration.
 runs:
- using: node24
+ using: node20
 main: '../lib/resolve-environment-action.js'
diff --git a/start-proxy/action.yml b/start-proxy/action.yml
index 275841d9a8..17fc3bbe64 100644
--- a/start-proxy/action.yml
+++ b/start-proxy/action.yml
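Review bot: The `using: node24` to `using: node20` switch in this hunk (and in the analyze, autobuild, init, resolve-environment, start-proxy and upload-sarif hunks of the same commit) is not matched by a change to the bundler target, since the commit's diffstat lists only the seven action.yml files. The first patch of the series moved the esbuild `target` in build.mjs to `["node24"]`; if that line is still in place on the v3 branch, the rebuilt `lib/*.js` bundles are emitted for a newer runtime than the one these files now declare, and syntax that esbuild would have lowered for Node.js 20 could reach the runner unchanged. I would set `target: ["node20"],` in build.mjs in this commit, or confirm that one of the patches not shown here already reverts it. The Node.js version named in CONTRIBUTING.md and the `upload-sarif@v4` reference in pr-checks.yml come from that first patch too and may need the same check on this branch.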
@@ -29,6 +29,6 @@ outputs:
 proxy_urls:
 description: A stringified JSON array of objects containing the types and URLs of the configured registries.
 runs:
- using: node24
+ using: node20
 main: "../lib/start-proxy-action.js"
 post: "../lib/start-proxy-action-post.js"
diff --git a/upload-sarif/action.yml b/upload-sarif/action.yml
index 2827891b2e..cd61886c69 100644
--- a/upload-sarif/action.yml
+++ b/upload-sarif/action.yml
@@ -41,6 +41,6 @@ outputs:
 { "code-scanning": "some-id", "code-quality": "some-other-id" }
 runs:
- using: node24
+ using: node20
 main: '../lib/upload-sarif-action.js'
 post: '../lib/upload-sarif-action-post.js'
From c551c503105c15d89f503684e412da27997aa8e7 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 7 Oct 2025 15:33:29 +0000
Subject: [PATCH 18/18] Rebuild
---
 lib/analyze-action-post.js | 2 +-
 lib/analyze-action.js | 2 +-
 lib/autobuild-action.js | 2 +-
 lib/init-action-post.js | 2 +-
 lib/init-action.js | 2 +-
 lib/resolve-environment-action.js | 2 +-
 lib/start-proxy-action-post.js | 2 +-
 lib/start-proxy-action.js | 2 +-
 lib/upload-lib.js | 2 +-
 lib/upload-sarif-action-post.js | 2 +-
 lib/upload-sarif-action.js | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index 387d267412..a9b163bc16 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.30.7", + version: "3.30.7", private: true, description: "CodeQL action", scripts: {
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index f79eb441ee..c2788900b3 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.30.7", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index eaf12707cb..4cde47d65b 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.30.7", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 80a42870fe..e138420a3e 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.30.7", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action.js b/lib/init-action.js index 878d7dacae..2f509ad0ee 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.30.7", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 8cd476ad47..67cb394e74 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.30.7", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 8b7af1f861..a52eadfc51 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js 
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.30.7", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 973e6bda1a..f262402cf9 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -44974,7 +44974,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.30.7", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index df30877d4a..a6342ff212 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -33584,7 +33584,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.30.7", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index ea63c44749..233b73d473 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.30.7", + version: "3.30.7", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 78a21eff3b..7ad72583b5 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "4.30.7", + version: "3.30.7", private: true, description: "CodeQL action", scripts: {