See the releases page for the relevant changes to the CodeQL CLI and language packs.
Note that the only difference between v2
and v3
of the CodeQL Action is the node version they support, with v3
running on node 20 while we continue to release v2
to support running on node 16. For example 3.22.11
was the first v3
release and is functionally identical to 2.22.11
. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.
No user facing changes.
- The CodeQL Action now downloads bundles compressed using Zstandard on GitHub Enterprise Server when using Linux or macOS runners. This speeds up the installation of the CodeQL tools. This feature is already available to GitHub.com users. #2573
- Update default CodeQL bundle version to 2.19.3. #2576
- Bump the minimum CodeQL bundle version to 2.14.6. #2549
- Fix an issue where the
upload-sarif
Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by theupload-sarif
Action. #2557 - Update default CodeQL bundle version to 2.19.2. #2552
No user facing changes.
-
Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. #2520
-
If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
-
Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace
github/codeql-action/*@v3
bygithub/codeql-action/*@v3.26.11
andgithub/codeql-action/*@v2
bygithub/codeql-action/*@v2.26.11
in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
-
-
Upcoming breaking change: Add support for using
actions/download-artifact@v4
to programmatically consume CodeQL Action debug artifacts.Starting November 30, 2024, GitHub.com customers will no longer be able to use
actions/download-artifact@v3
. Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set theCODEQL_ACTION_ARTIFACT_V4_UPGRADE
environment variable totrue
and bumpactions/download-artifact@v3
toactions/download-artifact@v4
in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped toactions/download-artifact@v3
toactions/download-artifact@v4
will begin failing then.This change is currently unavailable for GitHub Enterprise Server customers, as
actions/upload-artifact@v4
andactions/download-artifact@v4
are not yet compatible with GHES. -
Update default CodeQL bundle version to 2.19.1. #2519
- We are rolling out a feature in September/October 2024 that sets up CodeQL using a bundle compressed with Zstandard. Our aim is to improve the performance of setting up CodeQL. #2502
No user facing changes.
- Update default CodeQL bundle version to 2.19.0. #2483
- Update default CodeQL bundle version to 2.18.4. #2471
- Update default CodeQL bundle version to 2.18.3. #2449
- Fix an issue where the
csrutil
system call used for telemetry would fail on macOS ARM machines with System Integrity Protection disabled. #2441
- Deprecation: The
add-snippets
input on theanalyze
Action is deprecated and will be removed in the first release in August 2025. #2436 - Fix an issue where the disk usage system call used for telemetry would fail on macOS ARM machines with System Integrity Protection disabled, and then surface a warning. The system call is now disabled for these machines. #2434
- Fix an issue where the CodeQL Action could not write diagnostic messages on Windows. This issue did not impact analysis quality. #2430
- Update default CodeQL bundle version to 2.18.2. #2417
No user facing changes.
- Deprecation: Swift analysis on Ubuntu runner images is no longer supported. Please migrate to a macOS runner if this affects you. #2403
- Bump the minimum CodeQL bundle version to 2.13.5. #2408
- Update default CodeQL bundle version to 2.18.1. #2385
- Experimental: add a new
start-proxy
action which starts the same HTTP proxy as used bygithub/dependabot-action
. Do not use this in production as it is part of an internal experiment and subject to change at any time. #2376
- Add
codeql-version
to outputs. #2368 - Add a deprecation warning for customers using CodeQL version 2.13.4 and earlier. These versions of CodeQL were discontinued on 9 July 2024 alongside GitHub Enterprise Server 3.9, and will be unsupported by CodeQL Action versions 3.26.0 and later and versions 2.26.0 and later. #2375
- If you are using one of these versions, please update to CodeQL CLI version 2.13.5 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
- Alternatively, if you want to continue using a version of the CodeQL CLI between 2.12.6 and 2.13.4, you can replace
github/codeql-action/*@v3
bygithub/codeql-action/*@v3.25.13
andgithub/codeql-action/*@v2
bygithub/codeql-action/*@v2.25.13
in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
- Improve the reliability and performance of analyzing code when analyzing a compiled language with the
autobuild
build mode on GitHub Enterprise Server. This feature is already available to GitHub.com users. #2353 - Update default CodeQL bundle version to 2.18.0. #2364
- Avoid failing the workflow run if there is an error while uploading debug artifacts. #2349
- Update default CodeQL bundle version to 2.17.6. #2352
- Update default CodeQL bundle version to 2.17.5. #2327
- Avoid failing database creation if the database folder already exists and contains some unexpected files. Requires CodeQL 2.18.0 or higher. #2330
- The init Action will attempt to clean up the database cluster directory before creating a new database and at the end of the job. This will help to avoid issues where the database cluster directory is left in an inconsistent state. #2332
- Update default CodeQL bundle version to 2.17.4. #2321
- We are rolling out a feature in May/June 2024 that will reduce the Actions cache usage of the Action by keeping only the newest TRAP cache for each language. #2306
- Update default CodeQL bundle version to 2.17.3. #2295
- Add a compatibility matrix of supported CodeQL Action, CodeQL CLI, and GitHub Enterprise Server versions to the README.md. #2273
- Avoid printing out a warning for a missing
on.push
trigger when the CodeQL Action is triggered via aworkflow_call
event. #2274 - The
tools: latest
input to theinit
Action has been renamed totools: linked
. This option specifies that the Action should use the tools shipped at the same time as the Action. The old name will continue to work for backwards compatibility, but we recommend that new workflows use the new name. #2281
- Update default CodeQL bundle version to 2.17.2. #2270
- Update default CodeQL bundle version to 2.17.1. #2247
- Workflows running on
macos-latest
using CodeQL CLI versions before v2.15.1 will need to either upgrade their CLI version to v2.15.1 or newer, or change the platform to an Intel macOS runner, such asmacos-12
. ARM machines with SIP disabled, including the newestmacos-latest
image, are unsupported for CLI versions before 2.15.1. #2261
No user facing changes.
- We are rolling out a feature in April/May 2024 that improves the reliability and performance of analyzing code when analyzing a compiled language with the
autobuild
build mode. #2235 - Fix a bug where the
init
Action would fail if--overwrite
was specified inCODEQL_ACTION_EXTRA_OPTIONS
. #2245
-
The deprecated feature for extracting dependencies for a Python analysis has been removed. #2224
As a result, the following inputs and environment variables are now ignored:
- The
setup-python-dependencies
input to theinit
Action - The
CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION
environment variable
We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0.
- The
-
Automatically overwrite an existing database if found on the filesystem. #2229
-
Bump the minimum CodeQL bundle version to 2.12.6. #2232
-
A more relevant log message and a diagnostic are now emitted when the
file
program is not installed on a Linux runner, but is required for Go tracing to succeed. #2234
- Update default CodeQL bundle version to 2.17.0. #2219
- Add a deprecation warning for customers using CodeQL version 2.12.5 and earlier. These versions of CodeQL were discontinued on 26 March 2024 alongside GitHub Enterprise Server 3.8, and will be unsupported by CodeQL Action versions 3.25.0 and later and versions 2.25.0 and later. #2220
- If you are using one of these versions, please update to CodeQL CLI version 2.12.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
- Alternatively, if you want to continue using a version of the CodeQL CLI between 2.11.6 and 2.12.5, you can replace
github/codeql-action/*@v3
bygithub/codeql-action/*@v3.24.10
andgithub/codeql-action/*@v2
bygithub/codeql-action/*@v2.24.10
in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
- Update default CodeQL bundle version to 2.16.5. #2203
- Improve the ease of debugging extraction issues by increasing the verbosity of the extractor logs when running in debug mode. #2195
- Update default CodeQL bundle version to 2.16.4. #2185
No user facing changes.
- Update default CodeQL bundle version to 2.16.3. #2156
- Fix an issue where an existing, but empty,
/sys/fs/cgroup/cpuset.cpus
file always resulted in a single-threaded run. #2151
- Fix an issue where the CodeQL Action would fail to load a configuration specified by the
config
input to theinit
Action. #2147
- Enable improved multi-threaded performance on larger runners for GitHub Enterprise Server users. This feature is already available to GitHub.com users. #2141
- Update default CodeQL bundle version to 2.16.2. #2124
- The CodeQL action no longer fails if it can't write to the telemetry api endpoint. #2121
- CodeQL Python analysis will no longer install dependencies on GitHub Enterprise Server, as is already the case for GitHub.com. See release notes for 3.23.0 for more details. #2106
- On Linux, the maximum possible value for the
--threads
option now respects the CPU count as specified incgroup
files to more accurately reflect the number of available cores when running in containers. #2083 - Update default CodeQL bundle version to 2.16.1. #2096
- Update default CodeQL bundle version to 2.16.0. #2073
- Change the retention period for uploaded debug artifacts to 7 days. Previously, this was whatever the repository default was. #2079
- We are rolling out a feature in January 2024 that will disable Python dependency installation by default for all users. This improves the speed of analysis while having only a very minor impact on results. You can override this behavior by setting
CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION=false
in your workflow, however we plan to remove this ability in future versions of the CodeQL Action. #2031 - The CodeQL Action now requires CodeQL version 2.11.6 or later. For more information, see the corresponding changelog entry for CodeQL Action version 2.22.7. #2009
- Update default CodeQL bundle version to 2.15.5. #2047
- [v3+ only] The CodeQL Action now runs on Node.js v20. #2006
- Update default CodeQL bundle version to 2.15.4. #2016
No user facing changes.
- Update default CodeQL bundle version to 2.15.3. #2001
- Add a deprecation warning for customers using CodeQL version 2.11.5 and earlier. These versions of CodeQL were discontinued on 8 November 2023 alongside GitHub Enterprise Server 3.7, and will be unsupported by CodeQL Action v2.23.0 and later. #1993
- If you are using one of these versions, please update to CodeQL CLI version 2.11.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
- Alternatively, if you want to continue using a version of the CodeQL CLI between 2.10.5 and 2.11.5, you can replace
github/codeql-action/*@v2
bygithub/codeql-action/*@v2.22.7
in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
- Customers running Python analysis on macOS using version 2.14.6 or earlier of the CodeQL CLI should upgrade to CodeQL CLI version 2.15.0 or later. If you do not wish to upgrade the CodeQL CLI, ensure that you are using Python version 3.11 or earlier, as CodeQL version 2.14.6 and earlier do not support Python 3.12. You can achieve this by adding a
setup-python
step to your code scanning workflow before the step that invokesgithub/codeql-action/init
. - Update default CodeQL bundle version to 2.15.2. #1978
No user facing changes.
- Update default CodeQL bundle version to 2.15.1. #1953
- Users will begin to see warnings on Node.js 16 deprecation in their Actions logs on code scanning runs starting October 23, 2023.
- All code scanning workflows should continue to succeed regardless of the warning.
- The team at GitHub maintaining the CodeQL Action is aware of the deprecation timeline and actively working on creating another version of the CodeQL Action, v3, that will bump us to Node 20.
- For more information, and to communicate with the maintaining team, please use this issue.
- Provide an authentication token when downloading the CodeQL Bundle from the API of a GitHub Enterprise Server instance. #1945
- Update default CodeQL bundle version to 2.15.0. #1938
- Improve the log output when an error occurs in an invocation of the CodeQL CLI. #1927
- Add a workaround for Python 3.12, which is not supported in CodeQL CLI version 2.14.6 or earlier. If you are running an analysis on Windows and using Python 3.12 or later, the CodeQL Action will switch to running Python 3.11. In this case, if Python 3.11 is not found, then the workflow will fail. #1928
- The CodeQL Action now requires CodeQL version 2.10.5 or later. For more information, see the corresponding changelog entry for CodeQL Action version 2.21.8. #1907
- The CodeQL Action no longer runs ML-powered queries. For more information, including details on our investment in AI-powered security technology, see "CodeQL code scanning deprecates ML-powered alerts." #1910
- Fix a bug which prevented tracing of projects using Go 1.21 and above on Linux. #1909
- Update default CodeQL bundle version to 2.14.6. #1897
- We are rolling out a feature in October 2023 that will improve the success rate of C/C++ autobuild. #1889
- We are rolling out a feature in October 2023 that will provide specific file coverage information for C and C++, Java and Kotlin, and JavaScript and TypeScript. Currently file coverage information for each of these pairs of languages is grouped together. #1903
- Add a warning to help customers avoid inadvertently analyzing the same CodeQL language in multiple matrix jobs. #1901
- Add a deprecation warning for customers using CodeQL version 2.10.4 and earlier. These versions of CodeQL were discontinued on 12 September 2023 alongside GitHub Enterprise Server 3.6, and will be unsupported by the next minor release of the CodeQL Action. #1884
- If you are using one of these versions, please update to CodeQL CLI version 2.10.5 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
- Alternatively, if you want to continue using a version of the CodeQL CLI between 2.9.5 and 2.10.4, you can replace
github/codeql-action/*@v2
bygithub/codeql-action/*@v2.21.7
in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
- Enable the following language aliases when using CodeQL 2.14.4 and later:
c-cpp
for C/C++ analysis,java-kotlin
for Java/Kotlin analysis, andjavascript-typescript
for JavaScript/TypeScript analysis. #1883
- Update default CodeQL bundle version to 2.14.5. #1882
- Better error message when there is a failure to determine the merge base of the code to analysis. #1860
- Improve the calculation of default amount of RAM used for query execution on GitHub Enterprise Server. This now reduces in proportion to the runner's total memory to better account for system memory usage, helping to avoid out-of-memory failures on larger runners. This feature is already available to GitHub.com users. #1866
- Enable improved file coverage information for GitHub Enterprise Server users. This feature is already available to GitHub.com users. #1867
- Update default CodeQL bundle version to 2.14.4. #1873
- Update default CodeQL bundle version to 2.14.3. #1845
- Fixed a bug in CodeQL Action 2.21.3 onwards that affected beta support for Project Lombok when analyzing Java. The environment variable
CODEQL_EXTRACTOR_JAVA_RUN_ANNOTATION_PROCESSORS
will now be respected if it was manually configured in the workflow. #1844 - Enable support for Kotlin 1.9.20 when running with CodeQL CLI v2.13.4 through v2.14.3. #1853
- Update default CodeQL bundle version to 2.14.2. #1831
- Log a warning if the amount of available disk space runs low during a code scanning run. #1825
- When downloading CodeQL bundle version 2.13.4 and later, cache these bundles in the Actions tool cache using a simpler version number. #1832
- Fix an issue that first appeared in CodeQL Action v2.21.2 that prevented CodeQL invocations from being logged. #1833
- We are rolling out a feature in August 2023 that will improve the quality of file coverage information. #1835
- We are rolling out a feature in August 2023 that will improve multi-threaded performance on larger runners. #1817
- We are rolling out a feature in August 2023 that adds beta support for Project Lombok when analyzing Java. #1809
- Reduce disk space usage when downloading the CodeQL bundle. #1820
- Update default CodeQL bundle version to 2.14.1. #1797
- Avoid duplicating the analysis summary within the logs. #1811
- Improve the handling of fatal errors from the CodeQL CLI. #1795
- Add the
sarif-output
output to the analyze action that contains the path to the directory of the generated SARIF. #1799
- CodeQL Action now requires CodeQL CLI 2.9.4 or later. For more information, see the corresponding changelog entry for CodeQL Action version 2.20.4. #1724
- This is the last release of the Action that supports CodeQL CLI versions 2.8.5 to 2.9.3. These versions of the CodeQL CLI were deprecated on June 20, 2023 alongside GitHub Enterprise Server 3.5 and will not be supported by the next release of the CodeQL Action (2.21.0).
- If you are using one of these versions, please update to CodeQL CLI version 2.9.4 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
- Alternatively, if you want to continue using a version of the CodeQL CLI between 2.8.5 and 2.9.3, you can replace 'github/codeql-action/@v2' by 'github/codeql-action/@v2.20.4' in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
- We are rolling out a feature in July 2023 that will slightly reduce the default amount of RAM used for query execution, in proportion to the runner's total memory. This will help to avoid out-of-memory failures on larger runners. #1760
- Update default CodeQL bundle version to 2.14.0. #1762
- Update default CodeQL bundle version to 2.13.5. #1743
No user facing changes.
- Update default CodeQL bundle version to 2.13.4. #1721
- Experimental: add a new
resolve-environment
action which attempts to infer a configuration for the build environment that is required to build a given project. Do not use this in production as it is part of an internal experiment and subject to change at any time.
- Bump the version of the Action to 2.20.0. This ensures that users who received a Dependabot upgrade to
cdcdbb5
, which was mistakenly marked as Action version 2.13.4, continue to receive updates to the CodeQL Action. Full details in #1729
- Update default CodeQL bundle version to 2.13.3. #1698
- Allow invalid URIs to be used as values to
artifactLocation.uri
properties. This reverses a change from #1668 that inadvertently led to stricter validation of some URI values. #1705 - Gracefully handle invalid URIs when fingerprinting. #1694
- Updated the SARIF 2.1.0 JSON schema file to the latest from oasis-tcs/sarif-spec. #1668
- We are rolling out a feature in May 2023 that will disable Python dependency installation for new users of the CodeQL Action. This improves the speed of analysis while having only a very minor impact on results. #1676
- We are improving the way that CodeQL bundles are tagged to make it possible to easily identify bundles by their CodeQL semantic version. #1682
- As of CodeQL CLI 2.13.4, CodeQL bundles will be tagged using semantic versions, for example
codeql-bundle-v2.13.4
, instead of timestamps, likecodeql-bundle-20230615
. - This change does not affect the majority of workflows, and we will not be changing tags for existing bundle releases.
- Some workflows with custom logic that depends on the specific format of the CodeQL bundle tag may need to be updated. For example, if your workflow matches CodeQL bundle tag names against a
codeql-bundle-yyyymmdd
pattern, you should update it to also recognizecodeql-bundle-vx.y.z
tags.
- As of CodeQL CLI 2.13.4, CodeQL bundles will be tagged using semantic versions, for example
- Remove the requirement for
on.push
andon.pull_request
to trigger on the same branches. #1675
- Update default CodeQL bundle version to 2.13.1. #1664
- You can now configure CodeQL within your code scanning workflow by passing a
config
input to theinit
Action. See Using a custom configuration file for more information about configuring code scanning. #1590
No user facing changes.
No user facing changes.
- Update default CodeQL bundle version to 2.13.0. #1649
- Bump the minimum CodeQL bundle version to 2.8.5. #1618
- Include the value of the
GITHUB_RUN_ATTEMPT
environment variable in the telemetry sent to GitHub. #1640 - Improve the ease of debugging failed runs configured using default setup. The CodeQL Action will now upload diagnostic information to Code Scanning from failed runs configured using default setup. You can view this diagnostic information on the tool status page. #1619
No user facing changes.
- Update default CodeQL bundle version to 2.12.6. #1629
- Customers post-processing the SARIF output of the
analyze
Action before uploading it to Code Scanning will benefit from an improved debugging experience. #1598- The CodeQL Action will now upload a SARIF file with debugging information to Code Scanning on failed runs for customers using
upload: false
. Previously, this was only available for customers using the default value of theupload
input. - The
upload
input to theanalyze
Action now accepts the following values:always
is the default value, which uploads the SARIF file to Code Scanning for successful and failed runs.failure-only
is recommended for customers post-processing the SARIF file before uploading it to Code Scanning. This option uploads debugging information to Code Scanning for failed runs to improve the debugging experience.never
avoids uploading the SARIF file to Code Scanning even if the code scanning run fails. This is not recommended for external users since it complicates debugging.- The legacy
true
andfalse
options will be interpreted asalways
andfailure-only
respectively.
- The CodeQL Action will now upload a SARIF file with debugging information to Code Scanning on failed runs for customers using
- Update default CodeQL bundle version to 2.12.5. #1585
No user facing changes.
- Update default CodeQL bundle version to 2.12.4. #1561
- Update default CodeQL bundle version to 2.12.3. #1543
No user facing changes.
- Update default CodeQL bundle version to 2.12.2. #1518
- Fix an issue where customers using the CodeQL Action with the CodeQL Action sync tool would not be able to obtain the CodeQL tools. #1517
No user facing changes.
- Improve stability when choosing the default version of CodeQL to use in code scanning workflow runs on Actions on GitHub.com. #1475
- This change addresses customer reports of code scanning alerts on GitHub.com being closed and reopened during the rollout of new versions of CodeQL in the GitHub Actions runner images.
- No change is required for the majority of workflows, including:
- Workflows on GitHub.com hosted runners using the latest version (
v2
) of the CodeQL Action. - Workflows on GitHub.com hosted runners that are pinned to specific versions of the CodeQL Action from
v2.2.0
onwards. - Workflows on GitHub Enterprise Server.
- Workflows on GitHub.com hosted runners using the latest version (
- A change may be required for workflows on GitHub.com hosted runners that are pinned to specific versions of the CodeQL Action before
v2.2.0
(e.g.v2.1.32
):- Previously, these workflows would obtain the latest version of CodeQL from the Actions runner image.
- Now, these workflows will download an older, compatible version of CodeQL from GitHub Releases. To use this older version, no change is required. To use the newest version of CodeQL, please update your workflows to reference the latest version of the CodeQL Action (
v2
).
- Internal changes
- These changes will not affect the majority of code scanning workflows. Continue reading only if your workflow uses @actions/tool-cache or relies on the precise location of CodeQL within the Actions tool cache.
- The tool cache now contains two recent CodeQL versions (previously one).
- Each CodeQL version is located under a directory named after the release date and version number, e.g. CodeQL 2.11.6 is now located under
CodeQL/2.11.6-20221211/x64/codeql
(previouslyCodeQL/0.0.0-20221211/x64/codeql
).
- The maximum number of SARIF runs per file has been increased from 15 to 20 for users uploading SARIF files to GitHub.com. This change will help ensure that Code Scanning can process SARIF files generated by third-party tools that have many runs. See the GitHub API documentation for a list of all the limits around uploading SARIF. This change will be released to GitHub Enterprise Server as part of GHES 3.9.
- Update default CodeQL bundle version to 2.12.1. #1498
- Fix a bug that forced the
init
Action to run for at least two minutes on JavaScript. #1494
- CodeQL Action v1 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v2. For more information, see this changelog post. #1467
- Python automatic dependency installation will no longer fail for projects using Poetry that specify
virtualenvs.options.no-pip = true
in theirpoetry.toml
. #1431 - Avoid printing a stack trace and error message when the action fails to find the SHA at the current directory. This will happen in several non-error states and so we now avoid cluttering the log with this message. #1485
- Update default CodeQL bundle version to 2.12.0. #1466
- Update default CodeQL bundle version to 2.11.6. #1433
- Update default CodeQL bundle version to 2.11.5. #1412
- Add a step that tries to upload a SARIF file for the workflow run when that workflow run fails. This will help better surface failed code scanning workflow runs. #1393
- Python automatic dependency installation will no longer consider dependency code installed in venv as user-written, for projects using Poetry that specify
virtualenvs.in-project = true
in theirpoetry.toml
. #1419
No user facing changes.
- Update default CodeQL bundle version to 2.11.4. #1391
- Fixed a bug where some the
init
action and theanalyze
action would have different sets of experimental feature flags enabled. #1384
- Go is now analyzed in the same way as other compiled languages such as C/C++, C#, and Java. This completes the rollout of the feature described in CodeQL Action version 2.1.27. #1322
- Bump the minimum CodeQL bundle version to 2.6.3. #1358
- Update default CodeQL bundle version to 2.11.3. #1348
- Update the ML-powered additional query pack for JavaScript to version 0.4.0. #1351
- The
rb/weak-cryptographic-algorithm
Ruby query has been updated to no longer report uses of hash functions such asMD5
andSHA1
even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice. For more information, see the corresponding change in the github/codeql repository. #1344
- Improve the error message when using CodeQL bundle version 2.7.2 and earlier in a workflow that runs on a runner image such as
ubuntu-22.04
that uses glibc version 2.34 and later. #1334
- Update default CodeQL bundle version to 2.11.2. #1320
- Update default CodeQL bundle version to 2.11.1. #1294
- Replace uses of GitHub Actions command
set-output
because it is now deprecated. See more information in the GitHub Changelog. #1301
- We are rolling out a feature of the CodeQL Action in October 2022 that changes the way that Go code is analyzed to be more consistent with other compiled languages like C/C++, C#, and Java. You do not need to alter your code scanning workflows. If you encounter any problems, please file an issue or open a private ticket with GitHub Support and request an escalation to engineering.
- Update default CodeQL bundle version to 2.11.0. #1267
- We will soon be rolling out a feature of the CodeQL Action that stores some information used to make future runs faster in the GitHub Actions cache. Initially, this will only be enabled on JavaScript repositories, but we plan to add more languages to this soon. The new feature can be disabled by passing the
trap-caching: false
option to your workflow'sinit
step, for example if you are already using the GitHub Actions cache for a different purpose and are near the storage limit for it. - Add support for Python automatic dependency installation with Poetry 1.2 #1258
No user facing changes.
- Allow CodeQL packs to be downloaded from GitHub Enterprise Server instances, using the new
registries
input for theinit
action. #1221 - Update default CodeQL bundle version to 2.10.5. #1240
- Downloading CodeQL packs has been moved to the
init
step. Previously, CodeQL packs were downloaded during theanalyze
step. #1218 - Update default CodeQL bundle version to 2.10.4. #1224
- The newly released Poetry 1.2 is not yet supported. In the most common case where the CodeQL Action is automatically installing Python dependencies, it will continue to install and use Poetry 1.1 on its own. However, in certain cases such as with self-hosted runners, you may need to ensure Poetry 1.1 is installed yourself.
- Improve error messages when the code scanning configuration file includes an invalid
queries
block or an invalidquery-filters
block. #1208 - Fix a bug where Go build tracing could fail on Windows. #1209
No user facing changes.
- Add the ability to filter queries from a code scanning run by using the
query-filters
option in the code scanning configuration file. #1098 - In debug mode, debug artifacts are now uploaded even if a step in the Actions workflow fails. #1159
- Update default CodeQL bundle version to 2.10.3. #1178
- The combination of python2 and Pipenv is no longer supported. #1181
- Update default CodeQL bundle version to 2.10.2. #1156
- Update default CodeQL bundle version to 2.10.1. #1143
- You can now quickly debug a job that uses the CodeQL Action by re-running the job from the GitHub UI and selecting the "Enable debug logging" option. #1132
- You can now see diagnostic messages produced by the analysis in the logs of the
analyze
Action by enabling debug mode. To enable debug mode, passdebug: true
to theinit
Action, or enable step debug logging. This feature is available for CodeQL CLI version 2.10.0 and later. #1133
- CodeQL query packs listed in the
packs
configuration field will be skipped if their target language is not being analyzed in the current Actions job. Previously, this would throw an error. #1116 - The combination of python2 and poetry is no longer supported. See actions/setup-python#374 for more details. #1124
- Update default CodeQL bundle version to 2.10.0. #1123
No user facing changes.
- Update default CodeQL bundle version to 2.9.4. #1100
- Update default CodeQL bundle version to 2.9.3. #1084
- Update default CodeQL bundle version to 2.9.2. #1074
- Update default CodeQL bundle version to 2.9.1. #1056
- When
wait-for-processing
is enabled, the workflow will now fail if there were any errors that occurred during processing of the analysis results.
- Add
working-directory
input to theautobuild
action. #1024 - The
analyze
andupload-sarif
actions will now wait up to 2 minutes for processing to complete after they have uploaded the results so they can report any processing errors that occurred. This behavior can be disabled by setting thewait-for-processing
action input to"false"
. #1007 - Update default CodeQL bundle version to 2.9.0.
- Fix a bug where status reporting fails on Windows. #1042
- Update default CodeQL bundle version to 2.8.5. #1014
- Fix error where the init action would fail due to a GitHub API request that was taking too long to complete #1025
- A bug where additional queries specified in the workflow file would sometimes not be respected has been fixed. #1018
- [v2+ only] The CodeQL Action now runs on Node.js v16. #1000
- Update default CodeQL bundle version to 2.8.4. #990
- Fix a bug where an invalid
commit_oid
was being sent to code scanning when a custom checkout path was being used. #956
- Update default CodeQL bundle version to 2.8.3.
- The CodeQL runner is now deprecated and no longer being released. For more information, see CodeQL runner deprecation.
- Fix two bugs that cause action failures with GHES 3.3 or earlier. #978
- Fix
not a permitted key
invalid requests with GHES 3.1 or earlier - Fix
RUNNER_ARCH environment variable must be set
errors with GHES 3.3 or earlier
- Fix
- Update default CodeQL bundle version to 2.8.2. #950
- Fix a bug where old results can be uploaded if the languages in a repository change when using a non-ephemeral self-hosted runner. #955
- Fix a bug where the CLR traces can continue tracing even after tracing should be stopped. #938
- Due to potential issues for GHES 3.1–3.3 customers who are using recent versions of the CodeQL Action via GHES Connect, the CodeQL Action now uses Node.js v12 rather than Node.js v16. #937
- The CodeQL CLI versions up to and including version 2.4.4 are not compatible with the CodeQL Action 1.1.1 and later. The Action will emit an error if it detects that it is being used by an incompatible version of the CLI. #931
- Update default CodeQL bundle version to 2.8.1. #925
- The CodeQL Action now uses Node.js v16. #909
- Beware that the CodeQL build tracer in this release (and in all earlier releases) is incompatible with Windows 11 and Windows Server 2022. This incompatibility affects database extraction for compiled languages: cpp, csharp, go, and java. As a result, analyzing these languages with the
windows-latest
orwindows-2022
Actions virtual environments is currently unsupported. If you use any of these languages, please use thewindows-2019
Actions virtual environment or otherwise avoid these specific Windows versions until a new release fixes this incompatibility.
- Add
sarif-id
as an output for theupload-sarif
andanalyze
actions. #889 - Add
ref
andsha
inputs to theanalyze
action, which override the defaults provided by the GitHub Action context. #889 - Update default CodeQL bundle version to 2.8.0. #911
- Remove
experimental
message when using custom CodeQL packages. #888 - Add a better warning message stating that experimental features will be disabled if the workflow has been triggered by a pull request from a fork or the
security-events: write
permission is not present. #882
- Display a better error message when encountering a workflow that runs the
codeql-action/init
action multiple times. #876 - Update default CodeQL bundle version to 2.7.6. #877
- The feature to wait for SARIF processing to complete after upload has been disabled by default due to a bug in its interaction with pull requests from forks.
- Update default CodeQL bundle version to 2.7.5. #866
- Fix a bug where SARIF files were failing upload due to an invalid test for unique categories. #872
- The
analyze
andupload-sarif
actions will now wait up to 2 minutes for processing to complete after they have uploaded the results so they can report any processing errors that occurred. This behavior can be disabled by setting thewait-for-processing
action input to"false"
. #855
- Update default CodeQL bundle version to 2.7.3. #842
No user facing changes.
- Update default CodeQL bundle version to 2.7.2. #827
- The
upload-sarif
action now allows multiple uploads in a single job, as long as they have different categories. #801 - Update default CodeQL bundle version to 2.7.1. #816
- The
init
step of the Action now supportsram
andthreads
inputs to limit resource use of CodeQL extractors. These inputs also serve as defaults to the subsequentanalyze
step, which finalizes the database and executes queries. #738 - When used with CodeQL 2.7.1 or above, the Action now includes custom query help in the analysis results uploaded to GitHub code scanning, if available. To add help text for a custom query, create a Markdown file next to the
.ql
file containing the query, using the same base name but the file extension.md
. #804
- Update default CodeQL bundle version to 2.7.0. #795
No user facing changes.
No user facing changes.
- Fixed a bug where some builds were no longer being traced correctly. #766
- Update default CodeQL bundle version to 2.6.3. #761
No user facing changes.
- Update default CodeQL bundle version to 2.6.2. #746
- Update default CodeQL bundle version to 2.6.1. #733
- Update default CodeQL bundle version to 2.6.0. #712
- Update baseline lines of code counter for python. All multi-line strings are counted as code. #714
- Remove old baseline LoC injection #715
- Update README to include a sample permissions block. #689
- Update default CodeQL bundle version to 2.5.9. #687
- Fix an issue where a summary of diagnostics information from CodeQL was not output to the logs of the
analyze
step of the Action. #672
No user facing changes.
- Update default CodeQL bundle version to 2.5.8. #631
No user facing changes.
- The
init
step of the Action now supports asource-root
input as a path to the root source-code directory. By default, the path is relative to$GITHUB_WORKSPACE
. #607 - The
init
step will now try to install a few Python tools needed by this Action when running on a self-hosted runner. #616
- The
analyze
step of the Action now supports askip-queries
option to merely build the CodeQL database without analyzing. This functionality is not present in the runner. Additionally, the step will no longer fail if it encounters a finalized database, and will instead continue with query execution. #602 - Update the warning message when the baseline lines of code count is unavailable. #608
- Fix
RUNNER_TEMP environment variable must be set
when using runner. #594 - Fix counting of lines of code for C# projects. #586
No user facing changes.
- Fix out of memory in hash computation. #550
- Clean up logging during analyze results. #557
- Add
--finalize-dataset
todatabase finalize
call, freeing up some disk space after database creation. #558
- Pass the
--sarif-group-rules-by-pack
argument to CodeQL CLI invocations that generate SARIF. This means the SARIF rule object for each query will now be found underneath its corresponding query pack inruns[].tool.extensions
. #546 - Output the location of CodeQL databases created in the analyze step. #543