Sourced from github/codeql-action/init's releases.
v4.37.0
- Update default CodeQL bundle version to 2.26.0. #3995
- In addition to the existing input format, the
config-fileinput for thecodeql-action/initstep will soon support a new[owner/]repo[@ref][:path]format. All components except the repository name are optional. If omitted,ownerdefaults to the same owner as the repository the analysis is running for,reftomain, andpathto.github/codeql-action.yaml. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. #3973
Sourced from github/codeql-action/init's changelog.
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
[UNRELEASED]
- Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.20.6 and earlier. These versions of CodeQL were discontinued on 1 July 2026 alongside GitHub Enterprise Server 3.16, and will be unsupported by the next minor release of the CodeQL Action. #3956
4.37.0 - 08 Jul 2026
- Update default CodeQL bundle version to 2.26.0. #3995
- In addition to the existing input format, the
config-fileinput for thecodeql-action/initstep will soon support a new[owner/]repo[@ref][:path]format. All components except the repository name are optional. If omitted,ownerdefaults to the same owner as the repository the analysis is running for,reftomain, andpathto.github/codeql-action.yaml. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. #39734.36.3 - 01 Jul 2026
No user facing changes.
4.36.2 - 04 Jun 2026
- Cache CodeQL CLI version information across Actions steps. #3943
- Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937
- Update default CodeQL bundle version to 2.25.6. #3948
4.36.1 - 02 Jun 2026
No user facing changes.
4.36.0 - 22 May 2026
- Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
- Add support for SHA-256 Git object IDs. #3893
- Update default CodeQL bundle version to 2.25.5. #3926
4.35.5 - 15 May 2026
- We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
- For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
- If multiple inputs are provided for the GitHub-internal
analysis-kindsinput, onlycode-scanningwill be enabled. Theanalysis-kindsinput is experimental, for GitHub-internal use only, and may change without notice at any time. #3892- Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880
4.35.4 - 07 May 2026
4.35.3 - 01 May 2026
- Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
- Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
- Best-effort connection tests for private registries now use
GETrequests instead ofHEADfor better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853- Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
... (truncated)
99df26d
Merge pull request #3996
from github/update-v4.37.0-c7c896d7131c2707
Add changenote for #397372df218
Update changelog for v4.37.0c7c896d
Merge pull request #3995
from github/update-bundle/codeql-bundle-v2.26.03f34ff0
Add changelog note43bec09
Update default bundle to codeql-bundle-v2.26.0f58f0d1
Merge pull request #3973
from github/mbg/repo-props/config-file-shorthands7dc37cb
Merge remote-tracking branch 'origin/main' into
mbg/repo-props/config-file-sh...8e22350
Thread ActionState to initConfig69c9e8c
Mark some status-report imports as type-only
to avoid circular dependencies