From 8c29faa7ab94eb85932a883fde8695e54444d731 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 09:43:12 +0000 Subject: [PATCH 01/16] Update default bundle to codeql-bundle-v2.25.1 --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 6 +++--- lib/autobuild-action.js | 6 +++--- lib/defaults.json | 8 ++++---- lib/init-action-post.js | 6 +++--- lib/init-action.js | 6 +++--- lib/resolve-environment-action.js | 2 +- lib/setup-codeql-action.js | 6 +++--- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 6 +++--- lib/upload-lib.js | 6 +++--- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 6 +++--- package-lock.json | 4 ++-- package.json | 2 +- src/defaults.json | 8 ++++---- 16 files changed, 39 insertions(+), 39 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index e19f114fb8..a5d53ec4c3 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -161551,7 +161551,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.34.2"; + return "4.35.0"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 12c603c751..a1c31c2ca0 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -106719,7 +106719,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.34.2"; + return "4.35.0"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); @@ -107635,8 +107635,8 @@ var path5 = __toESM(require("path")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.24.3"; -var cliVersion = "2.24.3"; +var bundleVersion = "codeql-bundle-v2.25.1"; +var cliVersion = "2.25.1"; // src/overlay/index.ts var fs3 = __toESM(require("fs")); diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 27c3473e68..61ccf23864 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -103525,7 +103525,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.34.2"; + return "4.35.0"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); @@ -104128,8 +104128,8 @@ var path4 = __toESM(require("path")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.24.3"; -var cliVersion = "2.24.3"; +var bundleVersion = "codeql-bundle-v2.25.1"; +var cliVersion = "2.25.1"; // src/overlay/index.ts var fs2 = __toESM(require("fs")); diff --git a/lib/defaults.json b/lib/defaults.json index 9b6ec84bd4..33f577571a 100644 --- a/lib/defaults.json +++ b/lib/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.24.3", - "cliVersion": "2.24.3", - "priorBundleVersion": "codeql-bundle-v2.24.2", - "priorCliVersion": "2.24.2" + "bundleVersion": "codeql-bundle-v2.25.1", + "cliVersion": "2.25.1", + "priorBundleVersion": "codeql-bundle-v2.24.3", + "priorCliVersion": "2.24.3" } diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 0aadb6ba4f..a817e1b35f 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -164658,7 +164658,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.34.2"; + return "4.35.0"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); @@ -165552,8 +165552,8 @@ var path5 = __toESM(require("path")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.24.3"; -var cliVersion = "2.24.3"; +var bundleVersion = "codeql-bundle-v2.25.1"; +var cliVersion = "2.25.1"; // src/overlay/index.ts var fs3 = __toESM(require("fs")); diff --git a/lib/init-action.js b/lib/init-action.js index 83f74f084f..f12c224ef9 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -104086,7 +104086,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.34.2"; + return "4.35.0"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); @@ -105189,8 +105189,8 @@ var path6 = __toESM(require("path")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.24.3"; -var cliVersion = "2.24.3"; +var bundleVersion = "codeql-bundle-v2.25.1"; +var cliVersion = "2.25.1"; // src/overlay/index.ts var fs3 = __toESM(require("fs")); diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 21991dd76f..4b7b1ebb1a 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -103533,7 +103533,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.34.2"; + return "4.35.0"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 81c5227922..05238bcc7c 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -103629,7 +103629,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.34.2"; + return "4.35.0"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); @@ -103984,8 +103984,8 @@ var path4 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.24.3"; -var cliVersion = "2.24.3"; +var bundleVersion = "codeql-bundle-v2.25.1"; +var cliVersion = "2.25.1"; // src/overlay/index.ts var fs3 = __toESM(require("fs")); diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index d9c4ba3dd2..90b1a9f524 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -161498,7 +161498,7 @@ function getTemporaryDirectory() { return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP"); } function getActionVersion() { - return "4.34.2"; + return "4.35.0"; } var persistedInputsKey = "persisted_inputs"; var restoreInputs = function() { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 028f92ccf9..c673ef504c 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -120677,7 +120677,7 @@ function getTemporaryDirectory() { return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP"); } function getActionVersion() { - return "4.34.2"; + return "4.35.0"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); @@ -120924,8 +120924,8 @@ var path = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.24.3"; -var cliVersion = "2.24.3"; +var bundleVersion = "codeql-bundle-v2.25.1"; +var cliVersion = "2.25.1"; // src/overlay/index.ts var actionsCache = __toESM(require_cache5()); diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 3c1aebaf1d..2c9ba4dfbb 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -106425,7 +106425,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.34.2"; + return "4.35.0"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); @@ -107243,8 +107243,8 @@ var fs4 = __toESM(require("fs")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.24.3"; -var cliVersion = "2.24.3"; +var bundleVersion = "codeql-bundle-v2.25.1"; +var cliVersion = "2.25.1"; // src/overlay/index.ts var fs3 = __toESM(require("fs")); diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 96f211c050..3321e057ba 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -161498,7 +161498,7 @@ function getTemporaryDirectory() { return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP"); } function getActionVersion() { - return "4.34.2"; + return "4.35.0"; } var persistedInputsKey = "persisted_inputs"; var restoreInputs = function() { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 7fd39fed95..17d26b9ab8 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -106453,7 +106453,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.34.2"; + return "4.35.0"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); @@ -106925,8 +106925,8 @@ var path4 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.24.3"; -var cliVersion = "2.24.3"; +var bundleVersion = "codeql-bundle-v2.25.1"; +var cliVersion = "2.25.1"; // src/overlay/index.ts var fs3 = __toESM(require("fs")); diff --git a/package-lock.json b/package-lock.json index d8a113b877..3157f84cca 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "4.34.2", + "version": "4.35.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "4.34.2", + "version": "4.35.0", "license": "MIT", "workspaces": [ "pr-checks" diff --git a/package.json b/package.json index f185cc8b08..755f88ad0d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "4.34.2", + "version": "4.35.0", "private": true, "description": "CodeQL action", "scripts": { diff --git a/src/defaults.json b/src/defaults.json index 9b6ec84bd4..33f577571a 100644 --- a/src/defaults.json +++ b/src/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.24.3", - "cliVersion": "2.24.3", - "priorBundleVersion": "codeql-bundle-v2.24.2", - "priorCliVersion": "2.24.2" + "bundleVersion": "codeql-bundle-v2.25.1", + "cliVersion": "2.25.1", + "priorBundleVersion": "codeql-bundle-v2.24.3", + "priorCliVersion": "2.24.3" } From fa7a15b90916827b125d32ba043c0a19186d1aba Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 09:43:23 +0000 Subject: [PATCH 02/16] Add changelog note --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7283c0fb06..0ff989007a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] - Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767) +- Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://github.com/github/codeql-action/pull/3773) ## 4.34.1 - 20 Mar 2026 From 22eba96a28aedee09e9f47ce40c8605c048515f8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 10:25:06 +0000 Subject: [PATCH 03/16] Bump node-forge from 1.3.3 to 1.4.0 Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.3.3 to 1.4.0. - [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md) - [Commits](https://github.com/digitalbazaar/forge/compare/v1.3.3...v1.4.0) --- updated-dependencies: - dependency-name: node-forge dependency-version: 1.4.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 3157f84cca..be60ed5b64 100644 --- a/package-lock.json +++ b/package-lock.json @@ -32,7 +32,7 @@ "js-yaml": "^4.1.1", "jsonschema": "1.4.1", "long": "^5.3.2", - "node-forge": "^1.3.3", + "node-forge": "^1.4.0", "semver": "^7.7.4", "uuid": "^13.0.0" }, @@ -7495,9 +7495,9 @@ } }, "node_modules/node-forge": { - "version": "1.3.3", - "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.3.tgz", - "integrity": "sha512-rLvcdSyRCyouf6jcOIPe/BgwG/d7hKjzMKOas33/pHEr6gbq18IK9zV7DiPvzsz0oBJPme6qr6H6kGZuI9/DZg==", + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.4.0.tgz", + "integrity": "sha512-LarFH0+6VfriEhqMMcLX2F7SwSXeWwnEAJEsYm5QKWchiVYVvJyV9v7UDvUv+w5HO23ZpQTXDv/GxdDdMyOuoQ==", "license": "(BSD-3-Clause OR GPL-2.0)", "engines": { "node": ">= 6.13.0" diff --git a/package.json b/package.json index 755f88ad0d..54cc617ec1 100644 --- a/package.json +++ b/package.json @@ -39,7 +39,7 @@ "js-yaml": "^4.1.1", "jsonschema": "1.4.1", "long": "^5.3.2", - "node-forge": "^1.3.3", + "node-forge": "^1.4.0", "semver": "^7.7.4", "uuid": "^13.0.0" }, From 36791d8d6609078dde4aba8d7c35226f40cfe874 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 10:27:12 +0000 Subject: [PATCH 04/16] Rebuild --- lib/start-proxy-action.js | 55 ++++++++++++++++++++++++++++++++++----- 1 file changed, 48 insertions(+), 7 deletions(-) diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index c673ef504c..f806004cda 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -102716,6 +102716,7 @@ var require_oids = __commonJS({ _IN("2.5.4.15", "businessCategory"); _IN("2.5.4.17", "postalCode"); _IN("2.5.4.42", "givenName"); + _IN("2.5.4.65", "pseudonym"); _IN("1.3.6.1.4.1.311.60.2.1.2", "jurisdictionOfIncorporationStateOrProvinceName"); _IN("1.3.6.1.4.1.311.60.2.1.3", "jurisdictionOfIncorporationCountryName"); _IN("2.16.840.1.113730.1.1", "nsCertType"); @@ -106328,6 +106329,11 @@ var require_jsbn = __commonJS({ this.multiplyTo(a, r); return r; } + function bnSquare() { + var r = nbi(); + this.squareTo(r); + return r; + } function bnDivide(a) { var r = nbi(); this.divRemTo(a, r, null); @@ -106551,6 +106557,9 @@ var require_jsbn = __commonJS({ return r; } function bnModInverse(m) { + if (this.signum() == 0) { + return BigInteger.ZERO; + } var ac = m.isEven(); if (this.isEven() && ac || m.signum() == 0) return BigInteger.ZERO; var u = m.clone(), v = this.clone(); @@ -106595,7 +106604,7 @@ var require_jsbn = __commonJS({ if (d.signum() < 0) return d.add(m); else return d; } - var lowprimes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509]; + var lowprimes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509, 521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601, 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743, 751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827, 829, 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919, 929, 937, 941, 947, 953, 967, 971, 977, 983, 991, 997]; var lplim = (1 << 26) / lowprimes[lowprimes.length - 1]; function bnIsProbablePrime(t) { var i, x = this.abs(); @@ -106693,6 +106702,7 @@ var require_jsbn = __commonJS({ BigInteger.prototype.pow = bnPow; BigInteger.prototype.gcd = bnGCD; BigInteger.prototype.isProbablePrime = bnIsProbablePrime; + BigInteger.prototype.square = bnSquare; } }); @@ -107888,22 +107898,26 @@ var require_rsa = __commonJS({ } if (options === void 0) { options = { - _parseAllDigestBytes: true + _parseAllDigestBytes: true, + _skipPaddingChecks: false }; } if (!("_parseAllDigestBytes" in options)) { options._parseAllDigestBytes = true; } + if (!("_skipPaddingChecks" in options)) { + options._skipPaddingChecks = false; + } if (scheme === "RSASSA-PKCS1-V1_5") { scheme = { verify: function(digest2, d2) { - d2 = _decodePkcs1_v1_5(d2, key, true); + d2 = _decodePkcs1_v1_5(d2, key, true, void 0, options); var obj = asn1.fromDer(d2, { parseAllBytes: options._parseAllDigestBytes }); var capture = {}; var errors = []; - if (!asn1.validate(obj, digestInfoValidator, capture, errors)) { + if (!asn1.validate(obj, digestInfoValidator, capture, errors) || obj.value.length !== 2) { var error3 = new Error( "ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 DigestInfo value." ); @@ -107931,7 +107945,7 @@ var require_rsa = __commonJS({ } else if (scheme === "NONE" || scheme === "NULL" || scheme === null) { scheme = { verify: function(digest2, d2) { - d2 = _decodePkcs1_v1_5(d2, key, true); + d2 = _decodePkcs1_v1_5(d2, key, true, void 0, options); return digest2 === d2; } }; @@ -108223,12 +108237,12 @@ var require_rsa = __commonJS({ eb.putBytes(m); return eb; } - function _decodePkcs1_v1_5(em, key, pub, ml) { + function _decodePkcs1_v1_5(em, key, pub, ml, options) { var k = Math.ceil(key.n.bitLength() / 8); var eb = forge.util.createBuffer(em); var first = eb.getByte(); var bt = eb.getByte(); - if (first !== 0 || pub && bt !== 0 && bt !== 1 || !pub && bt != 2 || pub && bt === 0 && typeof ml === "undefined") { + if (first !== 0 || pub && bt !== 0 && bt !== 1 || !pub && bt !== 2 || pub && bt === 0 && typeof ml === "undefined") { throw new Error("Encryption block is invalid."); } var padNum = 0; @@ -108248,6 +108262,9 @@ var require_rsa = __commonJS({ } ++padNum; } + if (padNum < 8 && !(options ? options._skipPaddingChecks : false)) { + throw new Error("Encryption block is invalid."); + } } else if (bt === 2) { padNum = 0; while (eb.length() > 1) { @@ -108257,6 +108274,9 @@ var require_rsa = __commonJS({ } ++padNum; } + if (padNum < 8 && !(options ? options._skipPaddingChecks : false)) { + throw new Error("Encryption block is invalid."); + } } var zero = eb.getByte(); if (zero !== 0 || padNum !== k - 3 - eb.length()) { @@ -111714,6 +111734,12 @@ var require_x509 = __commonJS({ }; } } + if (error3 === null && bcExt === null) { + error3 = { + message: "Certificate is missing basicConstraints extension and cannot be used as a CA.", + error: pki2.certificateError.bad_certificate + }; + } if (error3 === null && bcExt !== null && !bcExt.cA) { error3 = { message: "Certificate basicConstraints indicates the certificate is not a CA.", @@ -115765,6 +115791,9 @@ var require_ed25519 = __commonJS({ if (unpackneg(q, pk)) { return -1; } + if (!_isCanonicalSignatureScalar(sm, 32)) { + return -1; + } for (i = 0; i < n; ++i) { m[i] = sm[i]; } @@ -115790,6 +115819,18 @@ var require_ed25519 = __commonJS({ mlen = n; return mlen; } + function _isCanonicalSignatureScalar(bytes, offset) { + var i; + for (i = 31; i >= 0; --i) { + if (bytes[offset + i] < L[i]) { + return true; + } + if (bytes[offset + i] > L[i]) { + return false; + } + } + return false; + } function modL(r, x) { var carry, i, j, k; for (i = 63; i >= 32; --i) { From e9cf68bb3391a754f18e75e148d9fdb5bbb0c10e Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 11:44:34 +0000 Subject: [PATCH 05/16] Update changelog for v4.35.0 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0ff989007a..14321ee56f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## [UNRELEASED] +## 4.35.0 - 27 Mar 2026 - Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767) - Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://github.com/github/codeql-action/pull/3773) From 7c510606312e5c68ac8b27c009e5254f226f5dfa Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 12:14:07 +0000 Subject: [PATCH 06/16] Update changelog and version after v4.35.0 --- CHANGELOG.md | 4 ++++ package-lock.json | 4 ++-- package.json | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 14321ee56f..f0cf91057d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. +## [UNRELEASED] + +No user facing changes. + ## 4.35.0 - 27 Mar 2026 - Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767) diff --git a/package-lock.json b/package-lock.json index 3157f84cca..ba590c6158 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "4.35.0", + "version": "4.35.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "4.35.0", + "version": "4.35.1", "license": "MIT", "workspaces": [ "pr-checks" diff --git a/package.json b/package.json index 755f88ad0d..c4712d1b96 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "4.35.0", + "version": "4.35.1", "private": true, "description": "CodeQL action", "scripts": { From 24448c98434f429f901d27db7ddae55eec5cc1c4 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 12:23:25 +0000 Subject: [PATCH 07/16] Rebuild --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index a5d53ec4c3..36459185f0 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -161551,7 +161551,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.0"; + return "4.35.1"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/analyze-action.js b/lib/analyze-action.js index a1c31c2ca0..e1ec9d8d52 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -106719,7 +106719,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.0"; + return "4.35.1"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 61ccf23864..9925fd9c31 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -103525,7 +103525,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.0"; + return "4.35.1"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/init-action-post.js b/lib/init-action-post.js index a817e1b35f..14c8dcea17 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -164658,7 +164658,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.0"; + return "4.35.1"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/init-action.js b/lib/init-action.js index f12c224ef9..ac160fc379 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -104086,7 +104086,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.0"; + return "4.35.1"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 4b7b1ebb1a..55c389a98c 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -103533,7 +103533,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.0"; + return "4.35.1"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 05238bcc7c..6e3523fa68 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -103629,7 +103629,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.0"; + return "4.35.1"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 90b1a9f524..b07eba4724 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -161498,7 +161498,7 @@ function getTemporaryDirectory() { return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP"); } function getActionVersion() { - return "4.35.0"; + return "4.35.1"; } var persistedInputsKey = "persisted_inputs"; var restoreInputs = function() { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index c673ef504c..1fc25c0233 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -120677,7 +120677,7 @@ function getTemporaryDirectory() { return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP"); } function getActionVersion() { - return "4.35.0"; + return "4.35.1"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 2c9ba4dfbb..792a97335c 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -106425,7 +106425,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.0"; + return "4.35.1"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 3321e057ba..3fed842e53 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -161498,7 +161498,7 @@ function getTemporaryDirectory() { return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP"); } function getActionVersion() { - return "4.35.0"; + return "4.35.1"; } var persistedInputsKey = "persisted_inputs"; var restoreInputs = function() { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 17d26b9ab8..79713cb786 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -106453,7 +106453,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.0"; + return "4.35.1"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); From 7dcea06663f437dc773df9d5867a7d7965b8499b Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 27 Mar 2026 13:57:52 +0000 Subject: [PATCH 08/16] Remove unused `@schemastore/package` dependency --- package-lock.json | 5 ----- package.json | 1 - 2 files changed, 6 deletions(-) diff --git a/package-lock.json b/package-lock.json index 3157f84cca..c70e1b20d8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -23,7 +23,6 @@ "@actions/io": "^2.0.0", "@actions/tool-cache": "^3.0.1", "@octokit/plugin-retry": "^8.0.0", - "@schemastore/package": "0.0.10", "archiver": "^7.0.1", "fast-deep-equal": "^3.1.3", "follow-redirects": "^1.15.11", @@ -2359,10 +2358,6 @@ "dev": true, "license": "MIT" }, - "node_modules/@schemastore/package": { - "version": "0.0.10", - "license": "MIT" - }, "node_modules/@sec-ant/readable-stream": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/@sec-ant/readable-stream/-/readable-stream-0.4.1.tgz", diff --git a/package.json b/package.json index 755f88ad0d..f7fe71ff8d 100644 --- a/package.json +++ b/package.json @@ -30,7 +30,6 @@ "@actions/io": "^2.0.0", "@actions/tool-cache": "^3.0.1", "@octokit/plugin-retry": "^8.0.0", - "@schemastore/package": "0.0.10", "archiver": "^7.0.1", "fast-deep-equal": "^3.1.3", "follow-redirects": "^1.15.11", From f13c600724deee5b4c34f84e7bcd0107850005b8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 13:58:43 +0000 Subject: [PATCH 09/16] Bump brace-expansion from 1.1.12 to 1.1.13 Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.12 to 1.1.13. - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](https://github.com/juliangruber/brace-expansion/compare/v1.1.12...v1.1.13) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 1.1.13 dependency-type: indirect ... Signed-off-by: dependabot[bot] --- package-lock.json | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/package-lock.json b/package-lock.json index ba590c6158..9c804a2ce1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -3789,9 +3789,9 @@ "license": "MIT" }, "node_modules/brace-expansion": { - "version": "1.1.12", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", - "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", + "version": "1.1.13", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz", + "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==", "license": "MIT", "dependencies": { "balanced-match": "^1.0.0", @@ -5160,16 +5160,16 @@ } }, "node_modules/eslint-plugin-import-x/node_modules/brace-expansion": { - "version": "5.0.2", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.2.tgz", - "integrity": "sha512-Pdk8c9poy+YhOgVWw1JNN22/HcivgKWwpxKq04M/jTmHyCZn12WPJebZxdjSa5TmBqISrUSgNYU3eRORljfCCw==", + "version": "5.0.5", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz", + "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==", "dev": true, "license": "MIT", "dependencies": { "balanced-match": "^4.0.2" }, "engines": { - "node": "20 || >=22" + "node": "18 || 20 || >=22" } }, "node_modules/eslint-plugin-import-x/node_modules/minimatch": { @@ -6112,9 +6112,9 @@ } }, "node_modules/glob/node_modules/brace-expansion": { - "version": "5.0.3", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.3.tgz", - "integrity": "sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA==", + "version": "5.0.5", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz", + "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==", "license": "MIT", "dependencies": { "balanced-match": "^4.0.2" From 2437b20ab31021229573a66717323dd5c6ce9319 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 27 Mar 2026 13:26:43 +0000 Subject: [PATCH 10/16] Update minimum git version for overlay to 2.36.0 --- lib/init-action.js | 2 +- src/git-utils.ts | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/init-action.js b/lib/init-action.js index ac160fc379..00a62df885 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -105203,7 +105203,7 @@ var core8 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); var semver3 = __toESM(require_semver2()); -var GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.11.0"; +var GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.36.0"; var GitVersionInfo = class { constructor(truncatedVersion, fullVersion) { this.truncatedVersion = truncatedVersion; diff --git a/src/git-utils.ts b/src/git-utils.ts index 80e49f2f63..a1cfab8be0 100644 --- a/src/git-utils.ts +++ b/src/git-utils.ts @@ -14,11 +14,11 @@ import { import { ConfigurationError, getRequiredEnvParam } from "./util"; /** - * Minimum Git version required for overlay analysis. The - * `git ls-files --recurse-submodules` option, which is used by - * `getFileOidsUnderPath`, was introduced in Git 2.11.0. + * Minimum Git version required for overlay analysis. Support for using the `git ls-files + * --recurse-submodules` option with `--stage` was added in Git 2.36.0. For more information, see + * `getFileOidsUnderPath`. */ -export const GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.11.0"; +export const GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.36.0"; /** * Git version information @@ -261,8 +261,8 @@ export const getFileOidsUnderPath = async function ( // Without the --full-name flag, the path is relative to the current working // directory of the git command, which is basePath. // - // We use --stage rather than --format here because --stage has been available since Git 2.11.0, - // while --format was only introduced in Git 2.38.0, which would limit overlay rollout. + // We use --stage rather than --format here because --stage has been available since Git 2.36.0, + // while --format was only introduced in Git 2.38.0. const stdout = await runGitCommand( basePath, ["ls-files", "--recurse-submodules", "--stage"], From 65d2efa7333ad65f97cc54be40f4cd18630f884c Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 27 Mar 2026 13:52:52 +0000 Subject: [PATCH 11/16] Add changelog note --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f0cf91057d..dd5454e2c7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -No user facing changes. +- Fix incorrect minimum required Git version for [improved incremental analysis](https://github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://github.com/github/codeql-action/pull/3781) ## 4.35.0 - 27 Mar 2026 From 999119ba45c966acd6cfe18a1ec95e45c1674680 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 14:00:54 +0000 Subject: [PATCH 12/16] Rebuild --- lib/analyze-action-post.js | 6 +++--- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 6 +++--- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/start-proxy-action-post.js | 6 +++--- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 6 +++--- lib/upload-sarif-action.js | 2 +- 12 files changed, 20 insertions(+), 20 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 36459185f0..58a64f4910 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -49102,7 +49102,7 @@ var require_brace_expansion = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { @@ -117008,7 +117008,7 @@ var require_commonjs19 = __commonJS({ var openPattern = /\\{/g; var closePattern = /\\}/g; var commaPattern = /\\,/g; - var periodPattern = /\\./g; + var periodPattern = /\\\./g; exports2.EXPANSION_MAX = 1e5; function numeric(str2) { return !isNaN(str2) ? parseInt(str2, 10) : str2.charCodeAt(0); @@ -117103,7 +117103,7 @@ var require_commonjs19 = __commonJS({ const x = numeric(n[0]); const y = numeric(n[1]); const width = Math.max(n[0].length, n[1].length); - let incr = n.length === 3 && n[2] !== void 0 ? Math.abs(numeric(n[2])) : 1; + let incr = n.length === 3 && n[2] !== void 0 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; let test = lte; const reverse = y < x; if (reverse) { diff --git a/lib/analyze-action.js b/lib/analyze-action.js index e1ec9d8d52..c12cf9593f 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -49102,7 +49102,7 @@ var require_brace_expansion = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 9925fd9c31..4084a26078 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -49102,7 +49102,7 @@ var require_brace_expansion = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 14c8dcea17..eb3261b3c4 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -49102,7 +49102,7 @@ var require_brace_expansion = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { @@ -117008,7 +117008,7 @@ var require_commonjs19 = __commonJS({ var openPattern = /\\{/g; var closePattern = /\\}/g; var commaPattern = /\\,/g; - var periodPattern = /\\./g; + var periodPattern = /\\\./g; exports2.EXPANSION_MAX = 1e5; function numeric(str2) { return !isNaN(str2) ? parseInt(str2, 10) : str2.charCodeAt(0); @@ -117103,7 +117103,7 @@ var require_commonjs19 = __commonJS({ const x = numeric(n[0]); const y = numeric(n[1]); const width = Math.max(n[0].length, n[1].length); - let incr = n.length === 3 && n[2] !== void 0 ? Math.abs(numeric(n[2])) : 1; + let incr = n.length === 3 && n[2] !== void 0 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; let test = lte; const reverse = y < x; if (reverse) { diff --git a/lib/init-action.js b/lib/init-action.js index ac160fc379..1cefb0eca5 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -49253,7 +49253,7 @@ var require_brace_expansion = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 55c389a98c..855c1205d7 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -49102,7 +49102,7 @@ var require_brace_expansion = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 6e3523fa68..86df382519 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -47805,7 +47805,7 @@ var require_brace_expansion = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index b07eba4724..e89267b90c 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -49102,7 +49102,7 @@ var require_brace_expansion = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { @@ -115635,7 +115635,7 @@ var require_commonjs19 = __commonJS({ var openPattern = /\\{/g; var closePattern = /\\}/g; var commaPattern = /\\,/g; - var periodPattern = /\\./g; + var periodPattern = /\\\./g; exports2.EXPANSION_MAX = 1e5; function numeric(str2) { return !isNaN(str2) ? parseInt(str2, 10) : str2.charCodeAt(0); @@ -115730,7 +115730,7 @@ var require_commonjs19 = __commonJS({ const x = numeric(n[0]); const y = numeric(n[1]); const width = Math.max(n[0].length, n[1].length); - let incr = n.length === 3 && n[2] !== void 0 ? Math.abs(numeric(n[2])) : 1; + let incr = n.length === 3 && n[2] !== void 0 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; let test = lte; const reverse = y < x; if (reverse) { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 1fc25c0233..b4882f507d 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -47805,7 +47805,7 @@ var require_brace_expansion = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 792a97335c..2e19241ec7 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -49102,7 +49102,7 @@ var require_brace_expansion = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 3fed842e53..680bbf72fb 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -107819,7 +107819,7 @@ var require_commonjs19 = __commonJS({ var openPattern = /\\{/g; var closePattern = /\\}/g; var commaPattern = /\\,/g; - var periodPattern = /\\./g; + var periodPattern = /\\\./g; exports2.EXPANSION_MAX = 1e5; function numeric(str2) { return !isNaN(str2) ? parseInt(str2, 10) : str2.charCodeAt(0); @@ -107914,7 +107914,7 @@ var require_commonjs19 = __commonJS({ const x = numeric(n[0]); const y = numeric(n[1]); const width = Math.max(n[0].length, n[1].length); - let incr = n.length === 3 && n[2] !== void 0 ? Math.abs(numeric(n[2])) : 1; + let incr = n.length === 3 && n[2] !== void 0 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; let test = lte; const reverse = y < x; if (reverse) { @@ -151293,7 +151293,7 @@ var require_brace_expansion2 = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 79713cb786..19a4b8b7a8 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -47805,7 +47805,7 @@ var require_brace_expansion = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { From c5ffd0683786820677d054e3505e1c5bb4b8c227 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 15:39:16 +0000 Subject: [PATCH 13/16] Update changelog for v4.35.1 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dd5454e2c7..0dd2949187 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## [UNRELEASED] +## 4.35.1 - 27 Mar 2026 - Fix incorrect minimum required Git version for [improved incremental analysis](https://github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://github.com/github/codeql-action/pull/3781) From 6010f9d8e2639ca9b09ba64d31385958c5ce9af6 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 16:10:47 +0000 Subject: [PATCH 14/16] Update changelog and version after v4.35.1 --- CHANGELOG.md | 4 ++++ package-lock.json | 4 ++-- package.json | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0dd2949187..1ad9149219 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. +## [UNRELEASED] + +No user facing changes. + ## 4.35.1 - 27 Mar 2026 - Fix incorrect minimum required Git version for [improved incremental analysis](https://github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://github.com/github/codeql-action/pull/3781) diff --git a/package-lock.json b/package-lock.json index b0fabc74da..2743bd7f6d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "4.35.1", + "version": "4.35.2", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "4.35.1", + "version": "4.35.2", "license": "MIT", "workspaces": [ "pr-checks" diff --git a/package.json b/package.json index b432e963b6..1531b9867c 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "4.35.1", + "version": "4.35.2", "private": true, "description": "CodeQL action", "scripts": { From cc7db4a1f992552c129f50430bc5aff4dd011b74 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 16:20:01 +0000 Subject: [PATCH 15/16] Rebuild --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 36459185f0..ba536cd935 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -161551,7 +161551,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.1"; + return "4.35.2"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/analyze-action.js b/lib/analyze-action.js index e1ec9d8d52..9bab1cbcb3 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -106719,7 +106719,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.1"; + return "4.35.2"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 9925fd9c31..68ba601eae 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -103525,7 +103525,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.1"; + return "4.35.2"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 14c8dcea17..028a1736b3 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -164658,7 +164658,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.1"; + return "4.35.2"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/init-action.js b/lib/init-action.js index 00a62df885..5c5dca4d0f 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -104086,7 +104086,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.1"; + return "4.35.2"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 55c389a98c..143eaaa178 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -103533,7 +103533,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.1"; + return "4.35.2"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 6e3523fa68..184bf8742a 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -103629,7 +103629,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.1"; + return "4.35.2"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index b07eba4724..4546e2a5fb 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -161498,7 +161498,7 @@ function getTemporaryDirectory() { return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP"); } function getActionVersion() { - return "4.35.1"; + return "4.35.2"; } var persistedInputsKey = "persisted_inputs"; var restoreInputs = function() { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 43e6bd10f3..be7908ecfb 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -120718,7 +120718,7 @@ function getTemporaryDirectory() { return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP"); } function getActionVersion() { - return "4.35.1"; + return "4.35.2"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 792a97335c..03847e5b55 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -106425,7 +106425,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.1"; + return "4.35.2"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 3fed842e53..0af9808612 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -161498,7 +161498,7 @@ function getTemporaryDirectory() { return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP"); } function getActionVersion() { - return "4.35.1"; + return "4.35.2"; } var persistedInputsKey = "persisted_inputs"; var restoreInputs = function() { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 79713cb786..e478eb645b 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -106453,7 +106453,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.1"; + return "4.35.2"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); From 353802f9f2ccc0ea3944d5d3cd4e82b589d19bf0 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 27 Mar 2026 16:22:19 +0000 Subject: [PATCH 16/16] Move time-sensitive Actions workflows to `ubuntu-latest` We originally moved these to `ubuntu-slim`, but there is a significant performance difference. Since we often find ourselves waiting on these jobs, let's use the faster runners. --- .github/workflows/post-release-mergeback.yml | 2 +- .github/workflows/prepare-release.yml | 2 +- .github/workflows/update-bundle.yml | 2 +- .github/workflows/update-release-branch.yml | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml index 1a85cfd197..fb28d5e13b 100644 --- a/.github/workflows/post-release-mergeback.yml +++ b/.github/workflows/post-release-mergeback.yml @@ -24,7 +24,7 @@ defaults: jobs: merge-back: - runs-on: ubuntu-slim + runs-on: ubuntu-latest environment: Automation if: github.repository == 'github/codeql-action' env: diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index 7e9486bb49..fbddee3d52 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml @@ -29,7 +29,7 @@ defaults: jobs: prepare: name: "Prepare release" - runs-on: ubuntu-slim + runs-on: ubuntu-latest if: github.repository == 'github/codeql-action' permissions: diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml index 04703c592e..fb4c4ea481 100644 --- a/.github/workflows/update-bundle.yml +++ b/.github/workflows/update-bundle.yml @@ -20,7 +20,7 @@ defaults: jobs: update-bundle: if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-') - runs-on: ubuntu-slim + runs-on: ubuntu-latest permissions: contents: write # needed to push commits pull-requests: write # needed to create pull requests diff --git a/.github/workflows/update-release-branch.yml b/.github/workflows/update-release-branch.yml index 5465396664..bcfcf02310 100644 --- a/.github/workflows/update-release-branch.yml +++ b/.github/workflows/update-release-branch.yml @@ -26,7 +26,7 @@ jobs: update: timeout-minutes: 45 - runs-on: ubuntu-slim + runs-on: ubuntu-latest if: github.event_name == 'workflow_dispatch' needs: [prepare] env: @@ -77,7 +77,7 @@ jobs: backport: timeout-minutes: 45 - runs-on: ubuntu-slim + runs-on: ubuntu-latest environment: Automation needs: [prepare] if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}