diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml index f014d2cf68..f44a512f85 100644 --- a/.github/workflows/__go-tracing-autobuilder.yml +++ b/.github/workflows/__go-tracing-autobuilder.yml @@ -49,10 +49,6 @@ jobs: fail-fast: false matrix: include: - - os: ubuntu-latest - version: stable-v2.17.6 - - os: ubuntu-latest - version: stable-v2.18.4 - os: ubuntu-latest version: stable-v2.19.4 - os: ubuntu-latest @@ -61,6 +57,10 @@ jobs: version: stable-v2.21.4 - os: ubuntu-latest version: stable-v2.22.4 + - os: ubuntu-latest + version: stable-v2.23.9 + - os: ubuntu-latest + version: stable-v2.24.3 - os: ubuntu-latest version: default - os: ubuntu-latest diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml index 4b4782572b..aae22d8c01 100644 --- a/.github/workflows/__go-tracing-custom-build-steps.yml +++ b/.github/workflows/__go-tracing-custom-build-steps.yml @@ -49,10 +49,6 @@ jobs: fail-fast: false matrix: include: - - os: ubuntu-latest - version: stable-v2.17.6 - - os: ubuntu-latest - version: stable-v2.18.4 - os: ubuntu-latest version: stable-v2.19.4 - os: ubuntu-latest @@ -61,6 +57,10 @@ jobs: version: stable-v2.21.4 - os: ubuntu-latest version: stable-v2.22.4 + - os: ubuntu-latest + version: stable-v2.23.9 + - os: ubuntu-latest + version: stable-v2.24.3 - os: ubuntu-latest version: default - os: ubuntu-latest diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml index 101ad8024d..cce0102575 100644 --- a/.github/workflows/__go-tracing-legacy-workflow.yml +++ b/.github/workflows/__go-tracing-legacy-workflow.yml @@ -49,10 +49,6 @@ jobs: fail-fast: false matrix: include: - - os: ubuntu-latest - version: stable-v2.17.6 - - os: ubuntu-latest - version: stable-v2.18.4 - os: ubuntu-latest version: stable-v2.19.4 - os: ubuntu-latest 
@@ -61,6 +57,10 @@ jobs: version: stable-v2.21.4 - os: ubuntu-latest version: stable-v2.22.4 + - os: ubuntu-latest + version: stable-v2.23.9 + - os: ubuntu-latest + version: stable-v2.24.3 - os: ubuntu-latest version: default - os: ubuntu-latest diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml index ff54c07ebe..8115b66ee2 100644 --- a/.github/workflows/__multi-language-autodetect.yml +++ b/.github/workflows/__multi-language-autodetect.yml @@ -59,14 +59,6 @@ jobs: fail-fast: false matrix: include: - - os: ubuntu-latest - version: stable-v2.17.6 - - os: macos-latest-xlarge - version: stable-v2.17.6 - - os: ubuntu-latest - version: stable-v2.18.4 - - os: macos-latest-xlarge - version: stable-v2.18.4 - os: ubuntu-latest version: stable-v2.19.4 - os: macos-latest-xlarge @@ -83,6 +75,14 @@ jobs: version: stable-v2.22.4 - os: macos-latest-xlarge version: stable-v2.22.4 + - os: ubuntu-latest + version: stable-v2.23.9 + - os: macos-latest-xlarge + version: stable-v2.23.9 + - os: ubuntu-latest + version: stable-v2.24.3 + - os: macos-latest-xlarge + version: stable-v2.24.3 - os: ubuntu-latest version: default - os: macos-latest-xlarge diff --git a/.github/workflows/__rust.yml b/.github/workflows/__rust.yml index 92793f54ae..1c3d18d16e 100644 --- a/.github/workflows/__rust.yml +++ b/.github/workflows/__rust.yml @@ -40,7 +40,7 @@ jobs: matrix: include: - os: ubuntu-latest - version: stable-v2.19.3 + version: stable-v2.19.4 - os: ubuntu-latest version: stable-v2.22.1 - os: ubuntu-latest diff --git a/CHANGELOG.md b/CHANGELOG.md index 17d47706f2..6bbc73b676 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -12,6 +12,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th - For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791) - If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892) - Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880) +- _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894) ## 4.35.4 - 07 May 2026 diff --git a/README.md b/README.md index bee9072a07..530c028f97 100644 --- a/README.md +++ b/README.md 
@@ -78,8 +78,6 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n | `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | | | `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | | | `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | | -| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | | -| `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | | See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server). diff --git a/lib/entry-points.js b/lib/entry-points.js index 041ec4f637..079b8eee5a 100644 --- a/lib/entry-points.js +++ b/lib/entry-points.js @@ -148304,7 +148304,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.6"; + return "4.36.0"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); @@ -153719,7 +153719,7 @@ async function getCombinedTracerConfig(codeql, config) { // src/codeql.ts var cachedCodeQL = void 0; -var CODEQL_MINIMUM_VERSION = "2.17.6"; +var CODEQL_MINIMUM_VERSION = "2.19.4"; var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; @@ -153846,10 +153846,6 @@ async function getCodeQLForCmd(cmd, checkVersion) { if (qlconfigFile !== void 0) { extraArgs.push(`--qlconfig-file=${qlconfigFile}`); } - const overwriteFlag = isSupportedToolsFeature( - await this.getVersion(), - "forceOverwrite" /* ForceOverwrite */ - ) ? "--force-overwrite" : "--overwrite"; const overlayDatabaseMode = config.overlayDatabaseMode; if (overlayDatabaseMode === "overlay" /* Overlay */) { const overlayChangesFile = await writeOverlayChangesFile( 
@@ -153870,7 +153866,7 @@ async function getCodeQLForCmd(cmd, checkVersion) { [ "database", "init", - ...overlayDatabaseMode === "overlay" /* Overlay */ ? [] : [overwriteFlag], + ...overlayDatabaseMode === "overlay" /* Overlay */ ? [] : ["--force-overwrite"], "--db-cluster", config.dbLocation, `--source-root=${sourceRoot}`, @@ -153881,7 +153877,14 @@ async function getCodeQLForCmd(cmd, checkVersion) { // Some user configs specify `--no-calculate-baseline` as an additional // argument to `codeql database init`. Therefore ignore the baseline file // options here to avoid specifying the same argument twice and erroring. - ignoringOptions: ["--overwrite", ...baselineFilesOptions] + // + // Ignore `--overwrite` to avoid passing both `--force-overwrite` and `--overwrite` if + // the user has configured `--overwrite`. + ignoringOptions: [ + "--force-overwrite", + "--overwrite", + ...baselineFilesOptions + ] }) ], { stdin: externalRepositoryToken } @@ -154046,7 +154049,7 @@ ${output}` "--sarif-group-rules-by-pack", "--sarif-include-query-help=always", "--sublanguage-file-coverage", - ...await getJobRunUuidSarifOptions(this), + ...await getJobRunUuidSarifOptions(), ...getExtraOptionsFromEnv(["database", "interpret-results"]) ]; if (sarifRunPropertyFlag !== void 0) { @@ -154327,11 +154330,9 @@ function applyAutobuildAzurePipelinesTimeoutFix() { "-Dmaven.wagon.http.pool=false" ].join(" "); } -async function getJobRunUuidSarifOptions(codeql) { +async function getJobRunUuidSarifOptions() { const jobRunUuid = process.env["JOB_RUN_UUID" /* JOB_RUN_UUID */]; - return jobRunUuid && await codeql.supportsFeature( - "databaseInterpretResultsSupportsSarifRunProperty" /* DatabaseInterpretResultsSupportsSarifRunProperty */ - ) ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`] : []; + return jobRunUuid ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`] : []; } // src/autobuild.ts diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 1e39030717..d355fedf43 100644 
--- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -88509,7 +88509,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.6"; + return "4.36.0"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); @@ -91212,7 +91212,7 @@ async function shouldEnableIndirectTracing(codeql, config) { // src/codeql.ts var cachedCodeQL = void 0; -var CODEQL_MINIMUM_VERSION = "2.17.6"; +var CODEQL_MINIMUM_VERSION = "2.19.4"; var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; @@ -91339,10 +91339,6 @@ async function getCodeQLForCmd(cmd, checkVersion) { if (qlconfigFile !== void 0) { extraArgs.push(`--qlconfig-file=${qlconfigFile}`); } - const overwriteFlag = isSupportedToolsFeature( - await this.getVersion(), - "forceOverwrite" /* ForceOverwrite */ - ) ? "--force-overwrite" : "--overwrite"; const overlayDatabaseMode = config.overlayDatabaseMode; if (overlayDatabaseMode === "overlay" /* Overlay */) { const overlayChangesFile = await writeOverlayChangesFile( @@ -91363,7 +91359,7 @@ async function getCodeQLForCmd(cmd, checkVersion) { [ "database", "init", - ...overlayDatabaseMode === "overlay" /* Overlay */ ? [] : [overwriteFlag], + ...overlayDatabaseMode === "overlay" /* Overlay */ ? [] : ["--force-overwrite"], "--db-cluster", config.dbLocation, `--source-root=${sourceRoot}`, 
@@ -91374,7 +91370,14 @@ async function getCodeQLForCmd(cmd, checkVersion) { // Some user configs specify `--no-calculate-baseline` as an additional // argument to `codeql database init`. Therefore ignore the baseline file // options here to avoid specifying the same argument twice and erroring. - ignoringOptions: ["--overwrite", ...baselineFilesOptions] + // + // Ignore `--overwrite` to avoid passing both `--force-overwrite` and `--overwrite` if + // the user has configured `--overwrite`. + ignoringOptions: [ + "--force-overwrite", + "--overwrite", + ...baselineFilesOptions + ] }) ], { stdin: externalRepositoryToken } @@ -91539,7 +91542,7 @@ ${output}` "--sarif-group-rules-by-pack", "--sarif-include-query-help=always", "--sublanguage-file-coverage", - ...await getJobRunUuidSarifOptions(this), + ...await getJobRunUuidSarifOptions(), ...getExtraOptionsFromEnv(["database", "interpret-results"]) ]; if (sarifRunPropertyFlag !== void 0) { @@ -91820,11 +91823,9 @@ function applyAutobuildAzurePipelinesTimeoutFix() { "-Dmaven.wagon.http.pool=false" ].join(" "); } -async function getJobRunUuidSarifOptions(codeql) { +async function getJobRunUuidSarifOptions() { const jobRunUuid = process.env["JOB_RUN_UUID" /* JOB_RUN_UUID */]; - return jobRunUuid && await codeql.supportsFeature( - "databaseInterpretResultsSupportsSarifRunProperty" /* DatabaseInterpretResultsSupportsSarifRunProperty */ - ) ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`] : []; + return jobRunUuid ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`] : []; } // src/fingerprints.ts diff --git a/package-lock.json b/package-lock.json index 197514d779..6608c05602 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "4.35.6", + "version": "4.36.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "4.35.6", + "version": "4.36.0", "license": "MIT", "workspaces": [ "pr-checks" 
diff --git a/package.json b/package.json index d38012fdc0..39b7adc3d2 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "4.35.6", + "version": "4.36.0", "private": true, "description": "CodeQL action", "scripts": { diff --git a/pr-checks/checks/rust.yml b/pr-checks/checks/rust.yml index c19fc986da..8589ba80e5 100644 --- a/pr-checks/checks/rust.yml +++ b/pr-checks/checks/rust.yml @@ -2,7 +2,7 @@ name: "Rust analysis" description: "Tests creation of a Rust database" versions: # experimental rust support introduced, requires action to set `CODEQL_ENABLE_EXPERIMENTAL_FEATURES` - - stable-v2.19.3 + - stable-v2.19.4 # first public preview version - stable-v2.22.1 - linked diff --git a/pr-checks/sync.ts b/pr-checks/sync.ts index c810e7cbf8..27b1d92645 100755 --- a/pr-checks/sync.ts +++ b/pr-checks/sync.ts @@ -115,10 +115,6 @@ type LanguageSetups = Partial>; // The default set of CodeQL Bundle versions to use for the PR checks. const defaultTestVersions = [ // The oldest supported CodeQL version. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts` - "stable-v2.17.6", - // The last CodeQL release in the 2.18 series. - "stable-v2.18.4", - // The last CodeQL release in the 2.19 series. "stable-v2.19.4", // The last CodeQL release in the 2.20 series. "stable-v2.20.7", @@ -126,6 +122,10 @@ const defaultTestVersions = [ "stable-v2.21.4", // The last CodeQL release in the 2.22 series. "stable-v2.22.4", + // The last CodeQL release in the 2.23 series. + "stable-v2.23.9", + // The last CodeQL release in the 2.24 series. + "stable-v2.24.3", // The default version of CodeQL for Dotcom, as determined by feature flags. "default", // The version of CodeQL shipped with the Action in `defaults.json`. During the release process diff --git a/src/codeql.test.ts b/src/codeql.test.ts index 77fce4d3b7..dea4cf04af 100644 --- a/src/codeql.test.ts +++ b/src/codeql.test.ts 
@@ -1072,7 +1072,7 @@ test.serial( ); test.serial( - "Avoids duplicating --overwrite flag if specified in CODEQL_ACTION_EXTRA_OPTIONS", + "Avoids duplicating --force-overwrite flag if specified in CODEQL_ACTION_EXTRA_OPTIONS", async (t) => { const runnerConstructorStub = stubToolRunnerConstructor(); const codeqlObject = await stubCodeql(); @@ -1080,7 +1080,7 @@ test.serial( sinon.stub(io, "which").resolves(""); process.env["CODEQL_ACTION_EXTRA_OPTIONS"] = - '{ "database": { "init": ["--overwrite"] } }'; + '{ "database": { "init": ["--force-overwrite"] } }'; await codeqlObject.databaseInitCluster( stubConfig, @@ -1093,9 +1093,9 @@ test.serial( t.true(runnerConstructorStub.calledOnce); const args = runnerConstructorStub.firstCall.args[1] as string[]; t.is( - args.filter((option: string) => option === "--overwrite").length, + args.filter((option: string) => option === "--force-overwrite").length, 1, - "--overwrite should only be passed once", + "--force-overwrite should only be passed once", ); // Clean up diff --git a/src/codeql.ts b/src/codeql.ts index 66ed8cebe1..19f933c39a 100644 --- a/src/codeql.ts +++ b/src/codeql.ts @@ -277,7 +277,7 @@ let cachedCodeQL: CodeQL | undefined = undefined; * The version flags below can be used to conditionally enable certain features * on versions newer than this. */ -const CODEQL_MINIMUM_VERSION = "2.17.6"; +const CODEQL_MINIMUM_VERSION = "2.19.4"; /** * This version will shortly become the oldest version of CodeQL that the Action will run with. @@ -592,13 +592,6 @@ async function getCodeQLForCmd( extraArgs.push(`--qlconfig-file=${qlconfigFile}`); } - const overwriteFlag = isSupportedToolsFeature( - await this.getVersion(), - ToolsFeature.ForceOverwrite, - ) - ? "--force-overwrite" - : "--overwrite"; - const overlayDatabaseMode = config.overlayDatabaseMode; if (overlayDatabaseMode === OverlayDatabaseMode.Overlay) { const overlayChangesFile = await writeOverlayChangesFile( 
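Review bot: With `CODEQL_MINIMUM_VERSION` raised to "2.19.4" it now equals `CODEQL_NEXT_MINIMUM_VERSION`, which is left at "2.19.4" (visible as unchanged context in the compiled bundles, `var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4";`), and the doc comment on the latter still says it "will shortly become the oldest version of CodeQL that the Action will run with". That sentence is no longer true after this bump, so either the next-minimum constant should move to the real next deprecation target or its comment should say that no further bump is currently scheduled. The comment block above `CODEQL_MINIMUM_VERSION` is only partially inside the hunk, so the rest of its wording should be checked in context too. One suggested wording for the next-minimum comment: `* This version will become the oldest version of CodeQL that the Action will run with at the next planned minimum-version bump; it currently equals CODEQL_MINIMUM_VERSION.`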
@@ -625,7 +618,7 @@ async function getCodeQLForCmd( "init", ...(overlayDatabaseMode === OverlayDatabaseMode.Overlay ? [] - : [overwriteFlag]), + : ["--force-overwrite"]), "--db-cluster", config.dbLocation, `--source-root=${sourceRoot}`, @@ -636,7 +629,14 @@ async function getCodeQLForCmd( // Some user configs specify `--no-calculate-baseline` as an additional // argument to `codeql database init`. Therefore ignore the baseline file // options here to avoid specifying the same argument twice and erroring. - ignoringOptions: ["--overwrite", ...baselineFilesOptions], + // + // Ignore `--overwrite` to avoid passing both `--force-overwrite` and `--overwrite` if + // the user has configured `--overwrite`. + ignoringOptions: [ + "--force-overwrite", + "--overwrite", + ...baselineFilesOptions, + ], }), ], { stdin: externalRepositoryToken }, @@ -853,7 +853,7 @@ async function getCodeQLForCmd( "--sarif-group-rules-by-pack", "--sarif-include-query-help=always", "--sublanguage-file-coverage", - ...(await getJobRunUuidSarifOptions(this)), + ...(await getJobRunUuidSarifOptions()), ...getExtraOptionsFromEnv(["database", "interpret-results"]), ]; if (sarifRunPropertyFlag !== undefined) { @@ -1283,13 +1283,8 @@ function applyAutobuildAzurePipelinesTimeoutFix() { ].join(" "); } -async function getJobRunUuidSarifOptions(codeql: CodeQL) { +async function getJobRunUuidSarifOptions() { const jobRunUuid = process.env[EnvVar.JOB_RUN_UUID]; - return jobRunUuid && - (await codeql.supportsFeature( - ToolsFeature.DatabaseInterpretResultsSupportsSarifRunProperty, - )) - ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`] - : []; + return jobRunUuid ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`] : []; } diff --git a/src/feature-flags.ts b/src/feature-flags.ts index 145fa00cd4..6b40d04dab 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts 
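Review bot: `"--force-overwrite"` is now passed unconditionally in the `database init` argument list, and the version gate that was removed was the only thing that explained why that is safe; a reader of this hunk can no longer see that the flag is assumed to exist on every CLI at or above the minimum version. I suggest a short comment above the spread, e.g. `// --force-overwrite is assumed to be supported by every CLI at or above CODEQL_MINIMUM_VERSION; the ToolsFeature gate was removed when the minimum was bumped to 2.19.4.` Note that the feature-flags.ts comment in this same commit says CodeQL is set up before the version check runs, so presumably the `checkVersion` parameter of `getCodeQLForCmd` is what guarantees the assumption — worth confirming rather than relying on it implicitly. The same unconditional flag and the new `getJobRunUuidSarifOptions()` body (which now emits `--sarif-run-property=jobRunUuid=${jobRunUuid}` on env presence alone) appear in the compiled `lib/entry-points.js` and `lib/upload-lib.js` bundles, so any comment belongs in `src/codeql.ts` where it will be regenerated from. The enclosing `getCodeQLForCmd` function starts and ends outside this hunk.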
@@ -26,6 +26,9 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; /** * The first version of the CodeQL Bundle that shipped with zstd-compressed bundles. + * + * This is now below the minimum version of CodeQL, but we keep this around because we currently set + * up CodeQL before checking that the version is new enough. */ export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; diff --git a/src/tools-features.test.ts b/src/tools-features.test.ts index 2192ea7a49..825b9c1eb3 100644 --- a/src/tools-features.test.ts +++ b/src/tools-features.test.ts @@ -6,9 +6,13 @@ import { ToolsFeature, isSupportedToolsFeature } from "./tools-features"; test("isSupportedToolsFeature", async (t) => { const versionInfo = makeVersionInfo("1.0.0"); - t.false(isSupportedToolsFeature(versionInfo, ToolsFeature.ForceOverwrite)); + t.false( + isSupportedToolsFeature(versionInfo, ToolsFeature.BundleSupportsOverlay), + ); - versionInfo.features = { forceOverwrite: true }; + versionInfo.features = { bundleSupportsOverlay: true }; - t.true(isSupportedToolsFeature(versionInfo, ToolsFeature.ForceOverwrite)); + t.true( + isSupportedToolsFeature(versionInfo, ToolsFeature.BundleSupportsOverlay), + ); }); diff --git a/src/tools-features.ts b/src/tools-features.ts index bba64de23a..ff87b754da 100644 --- a/src/tools-features.ts +++ b/src/tools-features.ts @@ -6,8 +6,6 @@ export enum ToolsFeature { BuiltinExtractorsSpecifyDefaultQueries = "builtinExtractorsSpecifyDefaultQueries", BundleSupportsIncludeOption = "bundleSupportsIncludeOption", BundleSupportsOverlay = "bundleSupportsOverlay", - DatabaseInterpretResultsSupportsSarifRunProperty = "databaseInterpretResultsSupportsSarifRunProperty", - ForceOverwrite = "forceOverwrite", IndirectTracingSupportsStaticBinaries = "indirectTracingSupportsStaticBinaries", SuppressesMissingFileBaselineWarning = "suppressesMissingFileBaselineWarning", }