Merge releases/v4 into releases/v3#3907
Merged
mbg merged 84 commits intoMay 15, 2026
releases/v3github/codeql-action:releases/v3from
backport-v3.35.5-9e0d7b8d2github/codeql-action:backport-v3.35.5-9e0d7b8d2Copy head branch name to clipboard
Merged
Merge releases/v4 into releases/v3#3907mbg merged 84 commits intoreleases/v3github/codeql-action:releases/v3from backport-v3.35.5-9e0d7b8d2github/codeql-action:backport-v3.35.5-9e0d7b8d2Copy head branch name to clipboard
mbg merged 84 commits into
releases/v3github/codeql-action:releases/v3from
backport-v3.35.5-9e0d7b8d2github/codeql-action:backport-v3.35.5-9e0d7b8d2Copy head branch name to clipboard
Conversation
…is is unavailable
Bumps the npm-minor group with 4 updates in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [eslint](https://github.com/eslint/eslint), [typescript](https://github.com/microsoft/TypeScript) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint). Updates `@types/node` from 20.19.9 to 20.19.39 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `eslint` from 9.39.2 to 9.39.4 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](eslint/eslint@v9.39.2...v9.39.4) Updates `typescript` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Commits](microsoft/TypeScript@v6.0.2...v6.0.3) Updates `typescript-eslint` from 8.58.2 to 8.59.1 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.1/packages/typescript-eslint) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 20.19.39 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: eslint dependency-version: 9.39.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: typescript dependency-version: 6.0.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: typescript-eslint dependency-version: 8.59.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Do not run `bundle-metadata.ts` as part of `npm run build`
Tests: Run slow `scanArtifactsForTokens` test in CI only by default
Co-authored-by: Michael B. Gale <mbg@github.com>
Reduce duplication across JS bundles by creating one bundle with smaller entry point wrappers
Merge main into releases/v4
This reverts commit 19f4654.
This reverts commit ea18e99.
….5-9e0d7b8d2 # Conflicts: # analyze/action.yml # autobuild/action.yml # init/action.yml # resolve-environment/action.yml # setup-codeql/action.yml # start-proxy/action.yml # upload-sarif/action.yml
Contributor
Author
|
Pushed a commit to rebuild the Action. Please mark the PR as ready for review to trigger PR checks. |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR merges changes from releases/v4 into releases/v3, bringing along recent release work such as the new shared JavaScript bundling layout (entry-point stubs + shared bundle), incremental-analysis behavior adjustments (diff-informed gating / overlay fallback), feature-flag/default CLI version selection updates, and routine dependency/version bumps for the v3 line.
Changes:
- Switch action entrypoints to lightweight
*-entry.jswrappers backed by a sharedentry-pointsbundle to reduce duplicated bundled code. - Update incremental-analysis behavior to compute diff ranges up-front and disable overlay analysis when diff-informed analysis isn’t available.
- Refactor feature-flag default CLI selection to return an ordered set of enabled versions, and apply new selection logic (including overlay-aware version preference behind feature flags).
Show a summary per file
| File | Description |
|---|---|
| upload-sarif/action.yml | Point main/post to new upload-sarif-*-entry.js wrappers. |
| start-proxy/action.yml | Point main/post to new start-proxy-*-entry.js wrappers. |
| src/workflow.test.ts | Test typing cleanup (remove type assertion). |
| src/upload-sarif.test.ts | Test update for new analysis-kind typing/indexing. |
| src/upload-sarif-action.ts | Export runWrapper (entrypoint now invoked via wrapper). |
| src/upload-sarif-action-post.ts | Export runWrapper (post entrypoint now invoked via wrapper). |
| src/upload-lib.ts | Update default CLI lookup API and pass new init/setup parameters. |
| src/testing-utils.ts | Update test fixtures/helpers for new default CLI version shape/API. |
| src/start-proxy.ts | Update default CLI selection and adapt to enabled-versions list. |
| src/start-proxy.test.ts | Update stubs for renamed CLI default API and enabled-versions shape. |
| src/start-proxy-action.ts | Export runWrapper (entrypoint now invoked via wrapper). |
| src/start-proxy-action-post.ts | Export runWrapper (post entrypoint now invoked via wrapper). |
| src/setup-codeql.ts | Add overlay-aware default CLI version selection and new parameters. |
| src/setup-codeql.test.ts | Add/adjust tests for overlay-aware default CLI selection. |
| src/setup-codeql-action.ts | Pass raw languages / analysis kinds into init for version selection. |
| src/resolve-environment-action.ts | Export runWrapper (entrypoint now invoked via wrapper). |
| src/overlay/diagnostics.ts | Add a new overlay-disabled reason for missing diff-informed analysis. |
| src/overlay/caching.ts | Deduplicate resolved language aliases before building cache key prefix. |
| src/overlay/caching.test.ts | Add test ensuring language alias de-duplication behavior. |
| src/init.ts | Thread raw languages / overlay-aware version selection through init. |
| src/init-action.ts | Use new analysis-kinds signature; compute diff ranges moved out; export wrapper. |
| src/init-action-post.ts | Export runWrapper (post entrypoint now invoked via wrapper). |
| src/init-action-post-helper.test.ts | Remove type assertion in test fixture. |
| src/feature-flags.ts | Refactor default CLI selection to return ordered enabled version set; add new FFs. |
| src/feature-flags.test.ts | Update tests for enabled-versions default CLI selection behavior. |
| src/entry-wrapper.js.tpl | New template for per-action wrapper exports inside shared bundle. |
| src/diff-informed-analysis-utils.ts | Refactor into “prepare diff-informed analysis” + persist diff ranges helper. |
| src/diff-informed-analysis-utils.test.ts | Update/expand tests for new diff-informed analysis preparation flow. |
| src/debug-artifacts.ts | Minor typing cleanup in matrix parsing. |
| src/config-utils.ts | Compute diff ranges during config init; apply overlay fallback + exclusions via helper. |
| src/config-utils.test.ts | Update existing overlay tests and add tests for incremental-analysis settings helper. |
| src/codeql.ts | Thread raw languages / overlay-aware version selection into setup pipeline. |
| src/codeql.test.ts | Update tests for new setup signature and default CLI version shape. |
| src/autobuild-action.ts | Export runWrapper (entrypoint now invoked via wrapper). |
| src/artifact-scanner.ts | Add Windows guard for archive scanning. |
| src/artifact-scanner.test.ts | Skip archive-scanning test on Windows; remove timeout override. |
| src/analyze-action.ts | Remove module-level execution; export wrapper and run action via wrapper. |
| src/analyze-action-post.ts | Export runWrapper (post entrypoint now invoked via wrapper). |
| src/analyze-action-input.test.ts | Invoke exported runWrapper instead of requiring module side effects. |
| src/analyze-action-env.test.ts | Invoke exported runWrapper instead of requiring module side effects. |
| src/analyses.ts | Require features in getAnalysisKinds; enforce single kind outside test mode unless FF enabled. |
| src/analyses.test.ts | Update tests for new getAnalysisKinds signature and new enforcement behavior. |
| src/action-entry.js.tpl | New template for per-action stub entry files requiring shared bundle. |
| setup-codeql/action.yml | Add languages + analysis-kinds inputs; point to setup-codeql-entry.js. |
| resolve-environment/action.yml | Point to resolve-environment-entry.js. |
| pr-checks/package.json | Bump yaml and @types/node. |
| package.json | Bump version to 3.35.5; remove bundle-metadata from build; bump dev deps. |
| package-lock.json | Update lockfile for dependency bumps (note: version metadata updated too). |
| lib/upload-sarif-post-entry.js | Generated entry stub (not reviewed). |
| lib/upload-sarif-entry.js | Generated entry stub (not reviewed). |
| lib/upload-lib.js | Generated JS output from TS (not reviewed). |
| lib/start-proxy-post-entry.js | Generated entry stub (not reviewed). |
| lib/start-proxy-entry.js | Generated entry stub (not reviewed). |
| lib/setup-codeql-entry.js | Generated entry stub (not reviewed). |
| lib/resolve-environment-entry.js | Generated entry stub (not reviewed). |
| lib/init-post-entry.js | Generated entry stub (not reviewed). |
| lib/init-entry.js | Generated entry stub (not reviewed). |
| lib/autobuild-entry.js | Generated entry stub (not reviewed). |
| lib/analyze-post-entry.js | Generated entry stub (not reviewed). |
| lib/analyze-entry.js | Generated entry stub (not reviewed). |
| init/action.yml | Point main/post to new init entry stubs. |
| CHANGELOG.md | Add v3.35.5 release notes. |
| build.mjs | Implement shared-bundle + per-action entry stub generation via esbuild plugin. |
| autobuild/action.yml | Point to autobuild-entry.js. |
| analyze/action.yml | Point main/post to new analyze entry stubs. |
| .github/workflows/update-release-branch.yml | Bump actions/create-github-app-token to v3.2.0. |
| .github/workflows/rollback-release.yml | Bump actions/create-github-app-token to v3.2.0. |
| .github/workflows/post-release-mergeback.yml | Bump actions/create-github-app-token to v3.2.0. |
| .github/workflows/codescanning-config-cli.yml | Simplify test workflow; remove overlay-specific env and PR/non-PR split. |
Copilot's findings
- Files reviewed: 56/81 changed files
- Comments generated: 3
Comment on lines
+159
to
+161
| if (process.platform === "win32") { | ||
| throw new Error("Scanning archives is not supported on Windows."); | ||
| } |
Member
There was a problem hiding this comment.
I believe this is OK, because the whole process is guarded by isInTestMode().
Comment on lines
+74
to
+78
| // If we cannot determine whether diff-informed analysis applies (for | ||
| // example, because a feature-flag lookup failed), treat it as not | ||
| // applicable rather than triggering the overlay fallback. | ||
| logger.warning( | ||
| `Failed to determine branch information for diff-informed analysis: ${getErrorMessage(e)}`, |
Comment on lines
1012
to
+1016
| const getDefaultCliVersion = sinon | ||
| .stub(features, "getDefaultCliVersion") | ||
| .resolves({ cliVersion: "2.20.1", tagName: expectedTag }); | ||
| .stub(features, "getEnabledDefaultCliVersions") | ||
| .resolves({ | ||
| enabledVersions: [{ cliVersion: "2.20.1", tagName: expectedTag }], | ||
| }); |
henrymercer
approved these changes
May 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Merging 9e0d7b8 into
releases/v3.Conductor for this PR is @mbg.
Contains the following pull requests:
scanArtifactsForTokenstest in CI only by default #3874 (@henrymercer)bundle-metadata.tsas part ofnpm run build#3884 (@mbg)code-scanningif multiple analysis kinds are specified #3892 (@mbg)Please do the following:
package.jsonfile contains the correct version.analyze/action.ymlautobuild/action.ymlinit/action.ymlresolve-environment/action.ymlsetup-codeql/action.ymlstart-proxy/action.ymlupload-sarif/action.ymlreleases/v3branch.Create a merge commitis selected rather thanSquash and mergeorRebase and merge.