Merge releases/v4 into releases/v3 #3952

Merged
henrymercer merged 32 commits into github/codeql-action:releases/v3 from github/codeql-action:backport-v3.36.2-8aad20d15
Jun 4, 2026

@github-actions github-actions Bot commented Jun 4, 2026

Merging 8aad20d into releases/v3.

Conductor for this PR is @henrymercer.

Contains the following pull requests:

Please do the following:

  • Ensure the CHANGELOG displays the correct version and date.
  • Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.
  • Check that there are not any unexpected commits being merged into the releases/v3 branch.
  • Ensure the docs team is aware of any documentation changes that need to be released.
  • Mark the PR as ready for review to trigger the full set of PR checks.
  • Approve and merge this PR. Make sure Create a merge commit is selected rather than Squash and merge or Rebase and merge.

robertbrignull and others added 30 commits May 28, 2026 11:15
Mergeback v4.36.1 refs/heads/releases/v4 into main
This is intended as a workaround until #3556 is merged.
Bumps the npm-minor group with 2 updates in the / directory: [semver](https://github.com/npm/node-semver) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint).


Updates `semver` from 7.8.0 to 7.8.1
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](npm/node-semver@v7.8.0...v7.8.1)

Updates `typescript-eslint` from 8.59.4 to 8.60.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.0/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: semver
  dependency-version: 7.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor
- dependency-name: typescript-eslint
  dependency-version: 8.60.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the actions-minor group with 1 update in the /.github/workflows directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby).


Updates `ruby/setup-ruby` from 1.307.0 to 1.310.0
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb)
- [Commits](ruby/setup-ruby@6aaa311...afeafc3)

---
updated-dependencies:
- dependency-name: ruby/setup-ruby
  dependency-version: 1.310.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Cache CLI version information across Actions steps
…_backoff

Change waitForProcessing to use exponential backoff
…thub/workflows/actions-minor-3d0b6ad432

Bump ruby/setup-ruby from 1.307.0 to 1.310.0 in /.github/workflows in the actions-minor group across 1 directory
…r-5d507a028b

Bump the npm-minor group across 1 directory with 2 updates
This reverts commit e816d2e.
@henrymercer henrymercer marked this pull request as ready for review June 4, 2026 14:32
@henrymercer henrymercer requested a review from a team as a code owner June 4, 2026 14:32
Copilot AI review requested due to automatic review settings June 4, 2026 14:32
@github-actions github-actions Bot added the size/L May be hard to review label Jun 4, 2026

Copilot AI left a comment

Pull request overview

This PR merges changes from releases/v4 into releases/v3, bringing over recent release work (performance/operational tweaks, feature-flagged overrides, dependency bumps, and workflow hardening) and updating the releases/v3 changelog/versioning accordingly.

Changes:

  • Persist CodeQL CLI version info across steps and reuse it to avoid repeated codeql version calls.
  • Reduce SARIF processing polling requests by switching to exponential backoff with a capped number of checks.
  • Update defaults/dependencies and pin various GitHub Actions workflow uses: references to commit SHAs.

| File | Description |
| --- | --- |
| src/util.ts | Adds persisted/in-process caching for CodeQL CLI version info. |
| src/util.test.ts | Adds unit tests for persisted CodeQL CLI version info parsing/validation. |
| src/upload-lib.ts | Switches SARIF processing polling to exponential backoff with capped tries. |
| src/testing-utils.ts | Resets the in-process CodeQL CLI version cache between tests. |
| src/init-action.ts | Adds feature-flagged emergency override to force JGit git backend. |
| src/feature-flags.ts | Introduces ForceJGit feature flag wiring and env var mapping. |
| src/environment.ts | Adds env var for persisting CLI version info across steps. |
| src/defaults.json | Bumps default CodeQL bundle/CLI version to 2.25.6. |
| src/codeql.ts | Uses persisted CLI version cache; avoids re-running CLI for printVersion(). |
| pr-checks/sync.ts | Pins first-party Actions uses: to SHAs with version comments via helper. |
| pr-checks/sync-back.ts | Updates sync-back logic to handle SHA-pinned pinnedUses(...) references. |
| pr-checks/sync-back.test.ts | Adds test coverage for updating SHA-pinned pinnedUses(...) references. |
| pr-checks/checks/with-checkout-path.yml | Pins actions/checkout to a SHA. |
| pr-checks/checks/submit-sarif-failure.yml | Pins actions/checkout to a SHA. |
| pr-checks/checks/rubocop-multi-language.yml | Updates ruby/setup-ruby to a newer SHA/version. |
| pr-checks/checks/multi-language-autodetect.yml | Pins actions/setup-python to a SHA. |
| pr-checks/checks/job-run-uuid-sarif.yml | Pins actions/upload-artifact to a SHA. |
| pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml | Pins actions/github-script to a SHA. |
| pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml | Pins actions/setup-go and actions/github-script to SHAs. |
| pr-checks/checks/export-file-baseline-information.yml | Pins actions/upload-artifact to a SHA. |
| pr-checks/checks/diagnostics-export.yml | Pins actions/upload-artifact and actions/github-script to SHAs. |
| pr-checks/checks/config-export.yml | Pins actions/upload-artifact and actions/github-script to SHAs. |
| pr-checks/checks/bundle-zstd.yml | Pins actions/github-script and actions/upload-artifact to SHAs. |
| pr-checks/checks/bundle-toolcache.yml | Pins actions/github-script to a SHA in multiple steps. |
| pr-checks/checks/bundle-from-toolcache.yml | Pins actions/github-script to a SHA in multiple steps. |
| pr-checks/checks/analysis-kinds.yml | Pins actions/upload-artifact and actions/github-script to SHAs. |
| package.json | Bumps action package version and updates semver/typescript-eslint. |
| package-lock.json | Updates dependency lockfile (but currently has a version mismatch vs package.json). |
| lib/entry-points.js | Generated output update (not reviewed). |
| lib/defaults.json | Generated output update (not reviewed). |
| CHANGELOG.md | Adds 3.36.2 entry for user-facing changes. |
| .github/workflows/update-supported-enterprise-server-versions.yml | Pins setup-python/checkout to SHAs. |
| .github/workflows/update-release-branch.yml | Pins checkout and create-github-app-token to SHAs. |
| .github/workflows/update-bundle.yml | Pins checkout/setup-python/setup-node to SHAs. |
| .github/workflows/test-codeql-bundle-all.yml | Pins checkout/setup-dotnet to SHAs. |
| .github/workflows/rollback-release.yml | Pins checkout/create-github-app-token to SHAs. |
| .github/workflows/rebuild.yml | Pins checkout/setup-node to SHAs. |
| .github/workflows/query-filters.yml | Pins checkout/setup-node to SHAs. |
| .github/workflows/python312-windows.yml | Pins setup-python/checkout to SHAs. |
| .github/workflows/publish-immutable-action.yml | Pins checkout/publish-immutable-action to SHAs. |
| .github/workflows/prepare-release.yml | Pins checkout to a SHA. |
| .github/workflows/pr-checks.yml | Pins checkout/setup-node/upload-artifact/download-artifact to SHAs. |
| .github/workflows/post-release-mergeback.yml | Pins checkout/setup-node/setup-python/create-github-app-token to SHAs. |
| .github/workflows/debug-artifacts-safe.yml | Pins checkout/setup-go/setup-dotnet/download-artifact to SHAs. |
| .github/workflows/debug-artifacts-failure-safe.yml | Pins checkout/setup-go/setup-dotnet/download-artifact to SHAs. |
| .github/workflows/codescanning-config-cli.yml | Pins checkout/setup-node to SHAs. |
| .github/workflows/codeql.yml | Pins checkout to a SHA in multiple jobs. |
| .github/workflows/check-expected-release-files.yml | Pins checkout to a SHA. |
| .github/workflows/__with-checkout-path.yml | Generated workflow update (not reviewed). |
| .github/workflows/__upload-sarif.yml | Generated workflow update (not reviewed). |
| .github/workflows/__upload-ref-sha-input.yml | Generated workflow update (not reviewed). |
| .github/workflows/__unset-environment.yml | Generated workflow update (not reviewed). |
| .github/workflows/__swift-custom-build.yml | Generated workflow update (not reviewed). |
| .github/workflows/__swift-autobuild.yml | Generated workflow update (not reviewed). |
| .github/workflows/__submit-sarif-failure.yml | Generated workflow update (not reviewed). |
| .github/workflows/__start-proxy.yml | Generated workflow update (not reviewed). |
| .github/workflows/__split-workflow.yml | Generated workflow update (not reviewed). |
| .github/workflows/__rust.yml | Generated workflow update (not reviewed). |
| .github/workflows/__ruby.yml | Generated workflow update (not reviewed). |
| .github/workflows/__rubocop-multi-language.yml | Generated workflow update (not reviewed). |
| .github/workflows/__resolve-environment-action.yml | Generated workflow update (not reviewed). |
| .github/workflows/__remote-config.yml | Generated workflow update (not reviewed). |
| .github/workflows/__packaging-inputs-js.yml | Generated workflow update (not reviewed). |
| .github/workflows/__packaging-config-js.yml | Generated workflow update (not reviewed). |
| .github/workflows/__packaging-config-inputs-js.yml | Generated workflow update (not reviewed). |
| .github/workflows/__packaging-codescanning-config-inputs-js.yml | Generated workflow update (not reviewed). |
| .github/workflows/__overlay-init-fallback.yml | Generated workflow update (not reviewed). |
| .github/workflows/__multi-language-autodetect.yml | Generated workflow update (not reviewed). |
| .github/workflows/__local-bundle.yml | Generated workflow update (not reviewed). |
| .github/workflows/__language-aliases.yml | Generated workflow update (not reviewed). |
| .github/workflows/__job-run-uuid-sarif.yml | Generated workflow update (not reviewed). |
| .github/workflows/__javascript-source-root.yml | Generated workflow update (not reviewed). |
| .github/workflows/__init-with-registries.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-tracing-legacy-workflow.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-tracing-custom-build-steps.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-tracing-autobuilder.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-indirect-tracing-workaround.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-indirect-tracing-workaround-no-file-program.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-indirect-tracing-workaround-diagnostic.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-custom-queries.yml | Generated workflow update (not reviewed). |
| .github/workflows/__global-proxy.yml | Generated workflow update (not reviewed). |
| .github/workflows/__extractor-ram-threads.yml | Generated workflow update (not reviewed). |
| .github/workflows/__export-file-baseline-information.yml | Generated workflow update (not reviewed). |
| .github/workflows/__diagnostics-export.yml | Generated workflow update (not reviewed). |
| .github/workflows/__cpp-deptrace-enabled.yml | Generated workflow update (not reviewed). |
| .github/workflows/__cpp-deptrace-enabled-on-macos.yml | Generated workflow update (not reviewed). |
| .github/workflows/__cpp-deptrace-disabled.yml | Generated workflow update (not reviewed). |
| .github/workflows/__config-input.yml | Generated workflow update (not reviewed). |
| .github/workflows/__config-export.yml | Generated workflow update (not reviewed). |
| .github/workflows/__cleanup-db-cluster-dir.yml | Generated workflow update (not reviewed). |
| .github/workflows/__bundle-zstd.yml | Generated workflow update (not reviewed). |
| .github/workflows/__bundle-toolcache.yml | Generated workflow update (not reviewed). |
| .github/workflows/__bundle-from-toolcache.yml | Generated workflow update (not reviewed). |
| .github/workflows/__bundle-from-nightly.yml | Generated workflow update (not reviewed). |
| .github/workflows/__build-mode-rollback.yml | Generated workflow update (not reviewed). |
| .github/workflows/__build-mode-none.yml | Generated workflow update (not reviewed). |
| .github/workflows/__build-mode-manual.yml | Generated workflow update (not reviewed). |
| .github/workflows/__build-mode-autobuild.yml | Generated workflow update (not reviewed). |
| .github/workflows/__autobuild-working-dir.yml | Generated workflow update (not reviewed). |
| .github/workflows/__autobuild-direct-tracing-with-working-dir.yml | Generated workflow update (not reviewed). |
| .github/workflows/__autobuild-action.yml | Generated workflow update (not reviewed). |
| .github/workflows/__analyze-ref-input.yml | Generated workflow update (not reviewed). |
| .github/workflows/__analysis-kinds.yml | Generated workflow update (not reviewed). |
| .github/workflows/__all-platform-bundle.yml | Generated workflow update (not reviewed). |
| .github/actions/release-initialise/action.yml | Pins setup-node/setup-python to SHAs in the composite action. |

Copilot's findings

  • Files reviewed: 46/105 changed files
  • Comments generated: 3

Comment thread src/util.ts
Comment thread src/upload-lib.ts
Comment thread CHANGELOG.md

- Cache CodeQL CLI version information across Actions steps. [#3943](https://github.com/github/codeql-action/pull/3943)
- Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. [#3937](https://github.com/github/codeql-action/pull/3937)
- Update default CodeQL bundle version to [2.25.6](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6). [#3948](https://github.com/github/codeql-action/pull/3948)
@henrymercer henrymercer merged commit dd903d2 into releases/v3 Jun 4, 2026
230 checks passed
@henrymercer henrymercer deleted the backport-v3.36.2-8aad20d15 branch June 4, 2026 14:51
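
The workflow changes summarized in this pull request pin `uses:` references to commit SHAs with version comments. As an added example (not code from this pull request or from codeql-action), the TypeScript below audits workflow text for references that are not pinned to a full 40-character SHA or that lack a version comment. `auditUses`, `classify` and the sample workflow are hypothetical names and data, and the SHA is a constructed placeholder.

```typescript
// Added example: audit `uses:` references in workflow text for SHA pinning.
type Status = "pinned" | "pinned-no-comment" | "unpinned" | "local";

interface Finding {
  line: number; // 1-based line number in the workflow text
  ref: string; // the value of `uses:` as written
  status: Status;
}

const FULL_SHA = /^[0-9a-f]{40}$/; // a full commit SHA, not an abbreviated one
const DOCKER_DIGEST = /@sha256:[0-9a-f]{64}$/;

function classify(ref: string, comment: string): Status {
  if (ref.startsWith("./")) return "local"; // same-repo action, versioned with the workflow
  if (ref.startsWith("docker://")) {
    return DOCKER_DIGEST.test(ref) ? "pinned" : "unpinned";
  }
  const at = ref.lastIndexOf("@");
  // A tag, a branch or a short SHA is a mutable or ambiguous reference.
  if (at < 0 || !FULL_SHA.test(ref.slice(at + 1))) return "unpinned";
  // A bare SHA is opaque to reviewers; expect a trailing comment such as "# v4.2.2".
  return /\bv?\d+(\.\d+)*/.test(comment) ? "pinned" : "pinned-no-comment";
}

function auditUses(workflowText: string): Finding[] {
  const findings: Finding[] = [];
  workflowText.split(/\r?\n/).forEach((text, i) => {
    // Matches `uses: x` and `- uses: x`, with optional quotes and a trailing comment.
    const m = /^\s*(?:-\s+)?uses:\s*["']?([^\s"'#]+)["']?\s*(?:#\s*(.*))?$/.exec(text);
    if (m) findings.push({ line: i + 1, ref: m[1], status: classify(m[1], m[2] ?? "") });
  });
  return findings;
}

// Constructed sample workflow; the SHA is a placeholder, not a real commit.
const SAMPLE = [
  "jobs:",
  "  build:",
  "    steps:",
  "      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2",
  "      - uses: actions/setup-node@v4",
  "      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567",
  "      - uses: actions/github-script@0123456",
  "      - uses: ./.github/actions/release-initialise",
].join("\n");

const needsAttention = auditUses(SAMPLE).filter((f) => f.status !== "pinned" && f.status !== "local");
console.log(needsAttention);
```

Run over every file under `.github/workflows`, a non-empty result can fail a CI check so that tag or branch references do not reappear after a pinning change like this one.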