Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Merge main into releases/v4#3949

Merged
henrymercer merged 26 commits into
releases/v4github/codeql-action:releases/v4from
update-v4.36.2-dcb947ce1github/codeql-action:update-v4.36.2-dcb947ce1Copy head branch name to clipboard
Jun 4, 2026
Merged

Merge main into releases/v4#3949
henrymercer merged 26 commits into
releases/v4github/codeql-action:releases/v4from
update-v4.36.2-dcb947ce1github/codeql-action:update-v4.36.2-dcb947ce1Copy head branch name to clipboard

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot commented Jun 4, 2026

Merging dcb947c into releases/v4.

Conductor for this PR is @henrymercer.

Contains the following pull requests:

Please do the following:

  • Ensure the CHANGELOG displays the correct version and date.
  • Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.
  • Check that there are not any unexpected commits being merged into the releases/v4 branch.
  • Ensure the docs team is aware of any documentation changes that need to be released.
  • Mark the PR as ready for review to trigger the full set of PR checks.
  • Approve and merge this PR. Make sure Create a merge commit is selected rather than Squash and merge or Rebase and merge.
  • Merge the mergeback PR that will automatically be created once this PR is merged.
  • Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.

robertbrignull and others added 25 commits May 28, 2026 11:15
@robertbrignull
Change waitForProcessing to use exponential backoff
dfc1411
@henrymercer
Add FF to force JGit-based Git backend
948a63a
@robertbrignull
Only do initial wait when not running tests
d40e417
@github-actions
Update changelog and version after v4.36.1
25c25b5
@github-actions
Rebuild
0ad7c1f
@henrymercer
Merge pull request #3941 from github/mergeback/v4.36.1-to-main-87557b9c
8ed7f7c 
Mergeback v4.36.1 refs/heads/releases/v4 into main
@henrymercer
Cache CLI version information across Actions steps
bab673d
@henrymercer
Pin first-party Actions
87f4948
@henrymercer
Update sync-back script
fd3f108 
This is intended as a workaround until #3556 is merged.
@henrymercer
Merge pull request #3945 from github/henrymercer/pin-actions-to-shas
2ceebd6 
Pin first-party Actions to SHAs
@henrymercer
Address review comments
5ccef82
@dependabot
Bump the npm-minor group across 1 directory with 2 updates
dd9e36c 
Bumps the npm-minor group with 2 updates in the / directory: [semver](https://github.com/npm/node-semver) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint).


Updates `semver` from 7.8.0 to 7.8.1
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](npm/node-semver@v7.8.0...v7.8.1)

Updates `typescript-eslint` from 8.59.4 to 8.60.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.0/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: semver
  dependency-version: 7.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor
- dependency-name: typescript-eslint
  dependency-version: 8.60.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@github-actions
Rebuild
acb38f7
@dependabot
Bump ruby/setup-ruby
3569f75 
Bumps the actions-minor group with 1 update in the /.github/workflows directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby).


Updates `ruby/setup-ruby` from 1.307.0 to 1.310.0
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb)
- [Commits](ruby/setup-ruby@6aaa311...afeafc3)

---
updated-dependencies:
- dependency-name: ruby/setup-ruby
  dependency-version: 1.310.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@github-actions
Rebuild
af7b8f3
@robertbrignull
Merge branch 'main' into robertbrignull/waitForProcessing_backoff
6047ac7
@henrymercer
Merge pull request #3938 from github/henrymercer/git-client-feature-flag
5be8119 
Add FF to force JGit-based Git backend
@henrymercer
Merge pull request #3943 from github/henrymercer/cache-cli-version-info
ba47406 
Cache CLI version information across Actions steps
@robertbrignull
Merge pull request #3937 from github/robertbrignull/waitForProcessing…
cb1a588 
…_backoff

Change waitForProcessing to use exponential backoff
@henrymercer
Merge pull request #3947 from github/dependabot/github_actions/dot-gi…
c35d1b1 
…thub/workflows/actions-minor-3d0b6ad432

Bump ruby/setup-ruby from 1.307.0 to 1.310.0 in /.github/workflows in the actions-minor group across 1 directory
@henrymercer
Merge pull request #3946 from github/dependabot/npm_and_yarn/npm-mino…
423b570 
…r-5d507a028b

Bump the npm-minor group across 1 directory with 2 updates
@github-actions
Update default bundle to codeql-bundle-v2.25.6
62953c1
@github-actions
Add changelog note
c251bce
@henrymercer
Merge pull request #3948 from github/update-bundle/codeql-bundle-v2.25.6
dcb947c 
Update default bundle to 2.25.6
@github-actions
Update changelog for v4.36.2
8aeff0f
@henrymercer henrymercer marked this pull request as ready for review June 4, 2026 12:19
@henrymercer henrymercer requested a review from a team as a code owner June 4, 2026 12:19
Copilot AI review requested due to automatic review settings June 4, 2026 12:19
henrymercer
henrymercer previously approved these changes Jun 4, 2026
View reviewed changes
@github-actions github-actions Bot added the size/L May be hard to review label Jun 4, 2026
Copilot AI reviewed Jun 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Release-PR merging main into releases/v4 and preparing the 4.36.2 release by bumping the action version, updating the default CodeQL bundle, and bringing along several operational/performance changes and workflow/action pinning updates.

Changes:

  • Bump action version to 4.36.2 and update CHANGELOG.md for the release.
  • Update the default CodeQL bundle/CLI to 2.25.6.
  • Reduce repeated work/requests via CodeQL CLI version caching across steps and exponential backoff for SARIF processing polling; plus pin various GitHub Actions to SHAs.
Show a summary per file
File Description
src/util.ts Persist CodeQL CLI version info via env var and add cache reset helper.
src/util.test.ts Add tests for persisted CodeQL version cache behavior.
src/upload-lib.ts Change SARIF processing polling to exponential backoff with max tries.
src/testing-utils.ts Reset cached CodeQL version between tests.
src/init-action.ts Add feature-flagged env var export to force JGit backend.
src/feature-flags.ts Introduce ForceJGit feature flag configuration.
src/environment.ts Add CODEQL_ACTION_CLI_VERSION_INFO env var constant.
src/defaults.json Bump default bundle/CLI versions to 2.25.6.
src/codeql.ts Reuse cached version for printVersion() and cache keyed by CLI path.
pr-checks/sync.ts Pin selected uses: actions to SHAs with version comments.
pr-checks/sync-back.ts Teach sync-back to update both inline uses and pinnedUses(...) references.
pr-checks/sync-back.test.ts Add coverage for updating pinnedUses(...)-style references.
pr-checks/checks/with-checkout-path.yml Pin actions/checkout to a SHA.
pr-checks/checks/submit-sarif-failure.yml Pin actions/checkout to a SHA.
pr-checks/checks/rubocop-multi-language.yml Update/pin ruby/setup-ruby SHA/version.
pr-checks/checks/multi-language-autodetect.yml Pin actions/setup-python to a SHA.
pr-checks/checks/job-run-uuid-sarif.yml Pin actions/upload-artifact to a SHA.
pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml Pin actions/github-script to a SHA.
pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml Pin actions/setup-go and actions/github-script to SHAs.
pr-checks/checks/export-file-baseline-information.yml Pin actions/upload-artifact to a SHA.
pr-checks/checks/diagnostics-export.yml Pin actions/upload-artifact and actions/github-script to SHAs.
pr-checks/checks/config-export.yml Pin actions/upload-artifact and actions/github-script to SHAs.
pr-checks/checks/bundle-zstd.yml Pin actions/github-script and actions/upload-artifact to SHAs.
pr-checks/checks/bundle-toolcache.yml Pin actions/github-script to a SHA.
pr-checks/checks/bundle-from-toolcache.yml Pin actions/github-script to a SHA.
pr-checks/checks/analysis-kinds.yml Pin actions/upload-artifact and actions/github-script to SHAs.
package.json Bump package version to 4.36.2 and update dependencies/devDependencies.
package-lock.json Update lockfile for version bump and dependency updates.
lib/entry-points.js Generated JS output updates corresponding to TS changes.
lib/defaults.json Generated defaults JSON update to 2.25.6.
CHANGELOG.md Add 4.36.2 release entry (needs additional items).
.github/workflows/update-supported-enterprise-server-versions.yml Pin actions/setup-python and actions/checkout to SHAs.
.github/workflows/update-release-branch.yml Pin actions/checkout and actions/create-github-app-token to SHAs.
.github/workflows/update-bundle.yml Pin actions/checkout, actions/setup-python, actions/setup-node to SHAs.
.github/workflows/test-codeql-bundle-all.yml Pin actions/checkout and actions/setup-dotnet to SHAs.
.github/workflows/rollback-release.yml Pin actions/checkout and actions/create-github-app-token to SHAs.
.github/workflows/rebuild.yml Pin actions/checkout and actions/setup-node to SHAs.
.github/workflows/query-filters.yml Pin actions/checkout and actions/setup-node to SHAs.
.github/workflows/python312-windows.yml Pin actions/setup-python and actions/checkout to SHAs.
.github/workflows/publish-immutable-action.yml Pin actions/checkout and actions/publish-immutable-action to SHAs.
.github/workflows/prepare-release.yml Pin actions/checkout to a SHA.
.github/workflows/pr-checks.yml Pin multiple actions (checkout, setup-node, upload-artifact, download-artifact) to SHAs.
.github/workflows/post-release-mergeback.yml Pin checkout, setup-node, setup-python, create-github-app-token to SHAs.
.github/workflows/debug-artifacts-safe.yml Pin checkout, setup-go, setup-dotnet, download-artifact to SHAs.
.github/workflows/debug-artifacts-failure-safe.yml Pin checkout, setup-go, setup-dotnet, download-artifact to SHAs.
.github/workflows/codescanning-config-cli.yml Pin checkout and setup-node to SHAs.
.github/workflows/codeql.yml Pin actions/checkout to a SHA in all jobs.
.github/workflows/check-expected-release-files.yml Pin actions/checkout to a SHA.
.github/workflows/__with-checkout-path.yml Generated workflow update reflecting pinned actions.
.github/workflows/__upload-sarif.yml Generated workflow update reflecting pinned actions.
.github/workflows/__upload-ref-sha-input.yml Generated workflow update reflecting pinned actions.
.github/workflows/__unset-environment.yml Generated workflow update reflecting pinned actions.
.github/workflows/__swift-custom-build.yml Generated workflow update reflecting pinned actions.
.github/workflows/__swift-autobuild.yml Generated workflow update reflecting pinned actions.
.github/workflows/__submit-sarif-failure.yml Generated workflow update reflecting pinned actions.
.github/workflows/__start-proxy.yml Generated workflow update reflecting pinned actions.
.github/workflows/__split-workflow.yml Generated workflow update reflecting pinned actions.
.github/workflows/__rust.yml Generated workflow update reflecting pinned actions.
.github/workflows/__ruby.yml Generated workflow update reflecting pinned actions.
.github/workflows/__rubocop-multi-language.yml Generated workflow update reflecting pinned Ruby setup action.
.github/workflows/__resolve-environment-action.yml Generated workflow update reflecting pinned actions.
.github/workflows/__remote-config.yml Generated workflow update reflecting pinned actions.
.github/workflows/__packaging-inputs-js.yml Generated workflow update reflecting pinned actions.
.github/workflows/__packaging-config-js.yml Generated workflow update reflecting pinned actions.
.github/workflows/__packaging-config-inputs-js.yml Generated workflow update reflecting pinned actions.
.github/workflows/__packaging-codescanning-config-inputs-js.yml Generated workflow update reflecting pinned actions.
.github/workflows/__overlay-init-fallback.yml Generated workflow update reflecting pinned actions.
.github/workflows/__multi-language-autodetect.yml Generated workflow update reflecting pinned actions.
.github/workflows/__local-bundle.yml Generated workflow update reflecting pinned actions.
.github/workflows/__language-aliases.yml Generated workflow update reflecting pinned actions.
.github/workflows/__job-run-uuid-sarif.yml Generated workflow update reflecting pinned actions.
.github/workflows/__javascript-source-root.yml Generated workflow update reflecting pinned actions.
.github/workflows/__init-with-registries.yml Generated workflow update reflecting pinned actions.
.github/workflows/__go-tracing-legacy-workflow.yml Generated workflow update reflecting pinned actions.
.github/workflows/__go-tracing-custom-build-steps.yml Generated workflow update reflecting pinned actions.
.github/workflows/__go-tracing-autobuilder.yml Generated workflow update reflecting pinned actions.
.github/workflows/__go-indirect-tracing-workaround.yml Generated workflow update reflecting pinned actions.
.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml Generated workflow update reflecting pinned actions.
.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml Generated workflow update reflecting pinned actions.
.github/workflows/__go-custom-queries.yml Generated workflow update reflecting pinned actions.
.github/workflows/__global-proxy.yml Generated workflow update reflecting pinned actions.
.github/workflows/__extractor-ram-threads.yml Generated workflow update reflecting pinned actions.
.github/workflows/__export-file-baseline-information.yml Generated workflow update reflecting pinned actions.
.github/workflows/__diagnostics-export.yml Generated workflow update reflecting pinned actions.
.github/workflows/__cpp-deptrace-enabled.yml Generated workflow update reflecting pinned actions.
.github/workflows/__cpp-deptrace-enabled-on-macos.yml Generated workflow update reflecting pinned actions.
.github/workflows/__cpp-deptrace-disabled.yml Generated workflow update reflecting pinned actions.
.github/workflows/__config-input.yml Generated workflow update reflecting pinned actions.
.github/workflows/__config-export.yml Generated workflow update reflecting pinned actions.
.github/workflows/__cleanup-db-cluster-dir.yml Generated workflow update reflecting pinned actions.
.github/workflows/__bundle-zstd.yml Generated workflow update reflecting pinned actions.
.github/workflows/__bundle-toolcache.yml Generated workflow update reflecting pinned actions.
.github/workflows/__bundle-from-toolcache.yml Generated workflow update reflecting pinned actions.
.github/workflows/__bundle-from-nightly.yml Generated workflow update reflecting pinned actions.
.github/workflows/__build-mode-rollback.yml Generated workflow update reflecting pinned actions.
.github/workflows/__build-mode-none.yml Generated workflow update reflecting pinned actions.
.github/workflows/__build-mode-manual.yml Generated workflow update reflecting pinned actions.
.github/workflows/__build-mode-autobuild.yml Generated workflow update reflecting pinned actions.
.github/workflows/__autobuild-working-dir.yml Generated workflow update reflecting pinned actions.
.github/workflows/__autobuild-direct-tracing-with-working-dir.yml Generated workflow update reflecting pinned actions.
.github/workflows/__autobuild-action.yml Generated workflow update reflecting pinned actions.
.github/workflows/__analyze-ref-input.yml Generated workflow update reflecting pinned actions.
.github/workflows/__analysis-kinds.yml Generated workflow update reflecting pinned actions.
.github/workflows/__all-platform-bundle.yml Generated workflow update reflecting pinned actions.
.github/actions/release-initialise/action.yml Pin setup-node and setup-python to SHAs in the composite action.

Copilot's findings

  • Files reviewed: 46/105 changed files
  • Comments generated: 1

Comment thread CHANGELOG.md
@henrymercer henrymercer enabled auto-merge June 4, 2026 14:12
@henrymercer henrymercer merged commit 8aad20d into releases/v4 Jun 4, 2026
226 checks passed
@henrymercer henrymercer deleted the update-v4.36.2-dcb947ce1 branch June 4, 2026 14:25
@github-actions github-actions Bot mentioned this pull request Jun 4, 2026
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@henrymercer henrymercer henrymercer approved these changes

Assignees

@henrymercer henrymercer

Labels

size/L May be hard to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@henrymercer @robertbrignull
Morty Proxy This is a proxified and sanitized view of the page, visit original site.