github · henrymercer · May 18, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
@@ -4,6 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

+- _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894)
 - Add support for SHA-256 Git object IDs. [#3893](https://github.com/github/codeql-action/pull/3893)

 ## 4.35.5 - 15 May 2026

@@ -78,8 +78,6 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 | `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
 | `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |

 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).


@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.35.6",
+  "version": "4.36.0",
  "private": true,
  "description": "CodeQL action",
  "scripts": {

@@ -2,7 +2,7 @@ name: "Rust analysis"
 description: "Tests creation of a Rust database"
 versions:
  # experimental rust support introduced, requires action to set `CODEQL_ENABLE_EXPERIMENTAL_FEATURES`
-  - stable-v2.19.3
+  - stable-v2.19.4
  # first public preview version
  - stable-v2.22.1
  - linked

@@ -115,17 +115,17 @@ type LanguageSetups = Partial<Record<BuiltInLanguage, LanguageSetup>>;
 // The default set of CodeQL Bundle versions to use for the PR checks.
 const defaultTestVersions = [
  // The oldest supported CodeQL version. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
-  "stable-v2.17.6",
-  // The last CodeQL release in the 2.18 series.
-  "stable-v2.18.4",
-  // The last CodeQL release in the 2.19 series.
  "stable-v2.19.4",
  // The last CodeQL release in the 2.20 series.
  "stable-v2.20.7",
  // The last CodeQL release in the 2.21 series.
  "stable-v2.21.4",
  // The last CodeQL release in the 2.22 series.
  "stable-v2.22.4",
+  // The last CodeQL release in the 2.23 series.
+  "stable-v2.23.9",
+  // The last CodeQL release in the 2.24 series.
+  "stable-v2.24.3",
  // The default version of CodeQL for Dotcom, as determined by feature flags.
  "default",
  // The version of CodeQL shipped with the Action in `defaults.json`. During the release process

@@ -1072,15 +1072,15 @@ test.serial(
 );

 test.serial(
-  "Avoids duplicating --overwrite flag if specified in CODEQL_ACTION_EXTRA_OPTIONS",
+  "Avoids duplicating --force-overwrite flag if specified in CODEQL_ACTION_EXTRA_OPTIONS",
  async (t) => {
    const runnerConstructorStub = stubToolRunnerConstructor();
    const codeqlObject = await stubCodeql();
    // io throws because of the test CodeQL object.
    sinon.stub(io, "which").resolves("");

    process.env["CODEQL_ACTION_EXTRA_OPTIONS"] =
-      '{ "database": { "init": ["--overwrite"] } }';
+      '{ "database": { "init": ["--force-overwrite"] } }';

    await codeqlObject.databaseInitCluster(
      stubConfig,
@@ -1093,9 +1093,9 @@ test.serial(
    t.true(runnerConstructorStub.calledOnce);
    const args = runnerConstructorStub.firstCall.args[1] as string[];
    t.is(
-      args.filter((option: string) => option === "--overwrite").length,
+      args.filter((option: string) => option === "--force-overwrite").length,
      1,
-      "--overwrite should only be passed once",
+      "--force-overwrite should only be passed once",
    );

    // Clean up