Sourced from github/codeql-action/init's changelog.
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
[UNRELEASED]
No user facing changes.
4.36.3 - 01 Jul 2026
No user facing changes.
4.36.2 - 04 Jun 2026
- Cache CodeQL CLI version information across Actions steps. #3943
- Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937
- Update default CodeQL bundle version to 2.25.6. #3948
4.36.1 - 02 Jun 2026
No user facing changes.
4.36.0 - 22 May 2026
- Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
- Add support for SHA-256 Git object IDs. #3893
- Update default CodeQL bundle version to 2.25.5. #3926
4.35.5 - 15 May 2026
- We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
- For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
- If multiple inputs are provided for the GitHub-internal
analysis-kindsinput, onlycode-scanningwill be enabled. Theanalysis-kindsinput is experimental, for GitHub-internal use only, and may change without notice at any time. #3892- Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880
4.35.4 - 07 May 2026
4.35.3 - 01 May 2026
- Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
- Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
- Best-effort connection tests for private registries now use
GETrequests instead ofHEADfor better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853- Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
- Update default CodeQL bundle version to 2.25.3. #3865
4.35.2 - 15 Apr 2026
- The undocumented TRAP cache cleanup feature that could be enabled using the
CODEQL_ACTION_CLEANUP_TRAP_CACHESenvironment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing thetrap-caching: falseinput to theinitAction. #3795
... (truncated)
54f647b
Merge pull request #3984
from github/update-v4.36.3-1f34ec164e78819e
Trigger checks2c9d3d6
Update changelog for v4.36.31f34ec1
Merge pull request #3983
from github/mbg/repo-props/ff-for-config-file-propd5f0145
Log when repository property has a value but is ignoredf27f563
Add test for when the FF is off0025d0f
Use FFf7fa18f
Add FF for config file repo property628fc3f
Merge pull request #3979
from github/henrymercer/overlay-db-cleanup-size-tele...9cfb67b
Add clarifying comments