Merge main into releases/v4 by github-actions[bot] · Pull Request #3867 · github/codeql-action · GitHub
Skip to content

Merge main into releases/v4#3867

Merged
mbg merged 87 commits into
releases/v4from
update-v4.35.3-8c6e48dbe
May 1, 2026
Merged

Merge main into releases/v4#3867
mbg merged 87 commits into
releases/v4from
update-v4.35.3-8c6e48dbe

Conversation

@github-actions

@github-actions github-actions Bot commented May 1, 2026
edited by mbg
Loading

Copy link
Copy Markdown
Contributor

Merging 8c6e48d into releases/v4.

Conductor for this PR is @mbg.

Contains the following pull requests:

Please do the following:

  • Ensure the CHANGELOG displays the correct version and date.
  • Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.
  • Check that there are not any unexpected commits being merged into the releases/v4 branch.
  • Ensure the docs team is aware of any documentation changes that need to be released.
  • Mark the PR as ready for review to trigger the full set of PR checks.
  • Approve and merge this PR. Make sure Create a merge commit is selected rather than Squash and merge or Rebase and merge.
  • Merge the mergeback PR that will automatically be created once this PR is merged.
  • Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.

henrymercer and others added 30 commits April 10, 2026 19:09
@henrymercer
Store all built-in languages
bad0a74 
While we want the CodeQL Action to work with third-party language support, having a list of all built-in languages can help us create better type-level checks to ensure that we don't miss things that we want to customize for each of our built-in languages.
@henrymercer
Refactoring: Rename KnownLanguage to BuiltInLanguage
e6c21da
@henrymercer
Move script to pr-checks directory
97bcdd8
@henrymercer
Fix casing mismatch
8cf2dc5
@henrymercer
Improve JSDoc
130ab2d
@henrymercer
Add constant for builtin languages file path
7c9e131
@henrymercer
Refactoring: Split up script
cb52ba6
@henrymercer
Exclude new TypeScript code from package tests
1aef4ed 
Avoid new source code changing expected output
@henrymercer
Merge branch 'main' into henrymercer/record-all-builtin-languages
90d7616
@henrymercer
Include experimental languages
f8b6213
@github-actions
Update changelog and version after v4.35.2
8d9c36a
@github-actions
Rebuild
ca7d6d3
@henrymercer
Merge pull request #3825 from github/mergeback/v4.35.2-to-main-95e58e9a
f820c80 
Mergeback v4.35.2 refs/heads/releases/v4 into main
@dependabot
Bump follow-redirects from 1.15.11 to 1.16.0
6847a42 
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.11 to 1.16.0.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@github-actions
Rebuild
9df9e91
@henrymercer
Merge pull request #3827 from github/dependabot/npm_and_yarn/follow-r…
e2d518d 
…edirects-1.16.0

Bump follow-redirects from 1.15.11 to 1.16.0
@henrymercer
Add workflow to rerun potentially transient failures
9f95de4
@henrymercer
Rename job
3b3a775 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@henrymercer
Merge remote-tracking branch 'origin/main' into henrymercer/record-al…
79f9c05 
…l-builtin-languages

# Conflicts:
#	lib/start-proxy-action.js
#	src/known-language-aliases.json
@henrymercer
Merge pull request #3811 from github/henrymercer/record-all-builtin-l…
6777c89 
…anguages

Store all built-in languages
@dependabot
Bump the npm-minor group across 1 directory with 2 updates
d64d81d 
Bumps the npm-minor group with 2 updates in the / directory: [@eslint/compat](https://github.com/eslint/rewrite/tree/HEAD/packages/compat) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint).


Updates `@eslint/compat` from 2.0.4 to 2.0.5
- [Release notes](https://github.com/eslint/rewrite/releases)
- [Changelog](https://github.com/eslint/rewrite/blob/main/packages/compat/CHANGELOG.md)
- [Commits](https://github.com/eslint/rewrite/commits/compat-v2.0.5/packages/compat)

Updates `typescript-eslint` from 8.58.0 to 8.58.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.58.1/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: "@eslint/compat"
  dependency-version: 2.0.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor
- dependency-name: typescript-eslint
  dependency-version: 8.58.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump eslint-import-resolver-typescript from 3.8.7 to 4.4.4
5019ed0 
Bumps [eslint-import-resolver-typescript](https://github.com/import-js/eslint-import-resolver-typescript) from 3.8.7 to 4.4.4.
- [Release notes](https://github.com/import-js/eslint-import-resolver-typescript/releases)
- [Changelog](https://github.com/import-js/eslint-import-resolver-typescript/blob/master/CHANGELOG.md)
- [Commits](import-js/eslint-import-resolver-typescript@v3.8.7...v4.4.4)

---
updated-dependencies:
- dependency-name: eslint-import-resolver-typescript
  dependency-version: 4.4.4
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@henrymercer
Merge branch 'main' into dependabot/npm_and_yarn/npm-minor-f46f1f14d7
0ac8596
@henrymercer
Merge pull request #3831 from github/dependabot/npm_and_yarn/npm-mino…
0b7b740 
…r-f46f1f14d7

Bump the npm-minor group across 1 directory with 2 updates
@henrymercer
Merge pull request #3830 from github/henrymercer/deflake
1dcdb94 
Add workflow to rerun potentially transient failures
@henrymercer
Escape "+"s in on.workflow_run.workflows
f6a5638
@henrymercer
Merge pull request #3839 from github/henrymercer/workflow-run-triggers
4cbe7be 
Escape "+"s in `on.workflow_run.workflows`
@dependabot
Bump the npm-minor group across 1 directory with 3 updates
c2574ef 
Bumps the npm-minor group with 3 updates in the / directory: [globals](https://github.com/sindresorhus/globals), [sinon](https://github.com/sinonjs/sinon) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint).


Updates `globals` from 17.4.0 to 17.5.0
- [Release notes](https://github.com/sindresorhus/globals/releases)
- [Commits](sindresorhus/globals@v17.4.0...v17.5.0)

Updates `sinon` from 21.0.3 to 21.1.2
- [Release notes](https://github.com/sinonjs/sinon/releases)
- [Changelog](https://github.com/sinonjs/sinon/blob/main/docs/changelog.md)
- [Commits](sinonjs/sinon@v21.0.3...v21.1.2)

Updates `typescript-eslint` from 8.58.1 to 8.58.2
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.58.2/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: globals
  dependency-version: 17.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor
- dependency-name: sinon
  dependency-version: 21.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor
- dependency-name: typescript-eslint
  dependency-version: 8.58.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@henrymercer
Merge pull request #3835 from github/dependabot/npm_and_yarn/eslint-i…
4fb8483 
…mport-resolver-typescript-4.4.4

Bump eslint-import-resolver-typescript from 3.8.7 to 4.4.4
@henrymercer
Merge pull request #3840 from github/dependabot/npm_and_yarn/npm-mino…
860353f 
…r-580efa6e3b

Bump the npm-minor group across 1 directory with 3 updates
mbg and others added 17 commits April 30, 2026 11:46
@mbg
Improve validateSchema comment
91fbc51
@mbg
Modify FromSchema so that optional properties are actually optional
7a6ed56
@mbg
Make it clearer what the expectations for isUsernamePassword are
549683c
@henrymercer
Merge branch 'main' into dependabot/npm_and_yarn/ava/typescript-7.0.0
1fed3e9
@henrymercer
Merge pull request #3862 from github/dependabot/github_actions/dot-gi…
fcf29e3 
…thub/workflows/actions-minor-933f87fbf1

Bump ruby/setup-ruby from 1.301.0 to 1.305.0 in /.github/workflows in the actions-minor group across 1 directory
@mbg
Fix permutations comment
b779832
@henrymercer
Merge pull request #3859 from github/dependabot/npm_and_yarn/ava/type…
facd53f 
…script-7.0.0

Bump @ava/typescript from 6.0.0 to 7.0.0
@mbg
Improve replaces-base validation and add tests
d1edf2e
@mbg
Add changelog entry
0a4d574
@mbg
Merge remote-tracking branch 'origin/main' into mbg/private-registry/…
022ff3c 
…cloudsmith-gcp
@mbg
Merge pull request #3853 from github/mbg/start-proxy/improved-checks
a6109b1 
Improve connection tests
@mbg
Add generic non-printable chars test for OIDC configs
262a15f
@mbg
Merge pull request #3850 from github/mbg/private-registry/cloudsmith-gcp
7851e55 
Private registries: Add support for Cloudsmith and GCP OIDC configurations
@github-actions
Update default bundle to codeql-bundle-v2.25.3
2bb2095
@github-actions
Add changelog note
7190983
@henrymercer
Merge pull request #3865 from github/update-bundle/codeql-bundle-v2.25.3
8c6e48d 
Update default bundle to 2.25.3
@github-actions
Update changelog for v4.35.3
ec298da
@mbg mbg marked this pull request as ready for review May 1, 2026 13:10
@mbg mbg requested a review from a team as a code owner May 1, 2026 13:10
Copilot AI review requested due to automatic review settings May 1, 2026 13:10
@github-actions github-actions Bot added the size/XXL May be extremely hard to review label May 1, 2026
Copilot AI reviewed May 1, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Merge main into releases/v4 for the v4.35.3 release, bringing the release branch up to date with recent user-facing improvements (private registry support, diagnostics robustness, supported-version updates) plus routine dependency and workflow maintenance.

Changes:

  • Bump release version to 4.35.3 and add the 4.35.3 CHANGELOG entry (dated 01 May 2026).
  • Improve private-registry handling (new OIDC config types/validation, reachability tests) and related internal typing/utilities (e.g., built-in languages list).
  • Update the default CodeQL bundle to 2.25.3 and refresh various dependencies/workflows.
Show a summary per file
File Description
tests/multi-language-repo/.github/codeql/codeql-config-packaging3.yml Adjusts ignored paths for packaging test config (adds pr-checks).
tests/multi-language-repo/.github/codeql/codeql-config-packaging2.yml Adjusts ignored paths for packaging test config (adds pr-checks).
tests/multi-language-repo/.github/codeql/codeql-config-packaging.yml Adjusts ignored paths for packaging test config (adds pr-checks).
src/trap-caching.test.ts Updates tests to use BuiltInLanguage instead of KnownLanguage.
src/tracer-config.test.ts Updates tests to use BuiltInLanguage instead of KnownLanguage.
src/status-report.test.ts Updates tests to use BuiltInLanguage instead of KnownLanguage.
src/start-proxy/validation.ts Adds auth-config extraction + schema-based credential cloning for start-proxy.
src/start-proxy/validation.test.ts Adds unit tests for new auth-config extraction logic.
src/start-proxy/types.ts Introduces JSON-schema-backed credential types; adds Cloudsmith/GCP OIDC; adds replaces-base.
src/start-proxy/types.test.ts Expands tests for new type guards and credential string formatting.
src/start-proxy/reachability.ts Uses GET instead of HEAD; adds per-registry test URL config; improves logging grouping.
src/start-proxy/reachability.test.ts Adds coverage for registry-specific URL path appending behavior.
src/start-proxy/environment.ts Switches language checks to BuiltInLanguage.
src/start-proxy/environment.test.ts Updates tests and terminology to “built-in languages”.
src/start-proxy.ts Refactors credential parsing/validation; adds replaces-base validation; removes old language parsing.
src/start-proxy.test.ts Updates tests for new OIDC schema handling and replaces-base; removes parseLanguage tests.
src/start-proxy-action.ts Uses parseBuiltInLanguage; improves wording around best-effort registry checks; outputs replaces-base.
src/overlay/caching.test.ts Updates tests to use BuiltInLanguage.
src/languages/index.ts Adds curated built-in language list + alias parsing and guards.
src/languages/index.test.ts Adds unit tests for built-in language parsing and set consistency.
src/languages/builtin.json Adds built-in language/alias data source for the action.
src/languages.ts Removes old KnownLanguage/JavaEnvVars definitions (migrated to new module).
src/known-language-aliases.json Removes old alias JSON (replaced by src/languages/builtin.json).
src/json/testing-util.ts Adds schema-based test helpers for generating objects and permutation matrices.
src/json/index.ts Adds lightweight schema/validator types plus validateSchema.
src/json/index.test.ts Adds unit tests for validateSchema.
src/init.ts Updates Python-specific checks to use BuiltInLanguage.
src/init.test.ts Updates tests/types to use BuiltInLanguage.
src/init-action.ts Updates language checks; adds a log group around overlay-base cache lookup.
src/doc-url.ts Adds documentation URL for private registry diagnostic logs.
src/diagnostics.ts Avoids diagnostic filename collisions via counter suffix + timestamp sanitization.
src/dependency-caching.ts Updates language-specific feature gating to use BuiltInLanguage.
src/dependency-caching.test.ts Updates tests to use BuiltInLanguage.
src/defaults.json Bumps default bundle/CLI versions to 2.25.3 (and updates prior versions).
src/database-upload.test.ts Updates tests to use BuiltInLanguage.
src/config/db-config.test.ts Updates tests to use BuiltInLanguage.
src/config-utils.ts Updates built-in language checks and Go overlay exception to BuiltInLanguage.
src/config-utils.test.ts Updates tests to use BuiltInLanguage.
src/codeql.ts Updates next minimum CodeQL version + GHES deprecation metadata.
src/codeql.test.ts Updates tests to use BuiltInLanguage.
src/autobuild.ts Updates language comparisons to BuiltInLanguage.
src/api-compatibility.json Updates supported GHES version range (minimumVersion to 3.16).
src/analyze.ts Renames mapped key type to BuiltInLanguageKey; simplifies diff-extension pack creation return type.
src/analyze.test.ts Updates tests to use BuiltInLanguage.
src/analyze-action.ts Updates Go extraction output checks to use BuiltInLanguage.
pr-checks/update-builtin-languages.ts Adds script to generate/update src/languages/builtin.json from the CLI.
pr-checks/sync.ts Updates PR-check workflow generation code to use BuiltInLanguage.
pr-checks/config.ts Adds constant for built-in languages JSON path.
pr-checks/checks/rubocop-multi-language.yml Updates pinned ruby/setup-ruby version used in PR checks.
package.json Bumps action version to 4.35.3 and updates dependencies/devDependencies.
package-lock.json Updates lockfile for version/dependency changes.
lib/defaults.json Updates compiled distribution defaults to match src/defaults.json (generated output).
README.md Updates GHES compatibility table (adds ES 3.21 mapping entry).
CHANGELOG.md Adds 4.35.3 release notes entry dated 01 May 2026.
.github/workflows/update-bundle.yml Switches to updating “built-in languages” via new generator script.
.github/workflows/deflake.yml Adds workflow to rerun failed jobs once for merge-group/main/release runs.
.github/workflows/__rubocop-multi-language.yml Generated workflow update (sync output).
.github/codeql/codeql-config-javascript.yml Fixes formatting and expands ignored paths for JS CodeQL config.

Copilot's findings

  • Files reviewed: 55/70 changed files
  • Comments generated: 1

Comment thread package.json
"devDependencies": {
"@ava/typescript": "6.0.0",
"@eslint/compat": "^2.0.4",
"@ava/typescript": "7.0.0",

Copilot AI May 1, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ava/typescript was bumped to 7.0.0, but that package declares Node.js engine support starting at 22.20+/24.12+ (per the lockfile metadata). This repo’s unit test workflow still runs npm ci and npm test on Node 20, so this upgrade is likely to break the Node 20 CI leg (either at install-time with strict engines, or at runtime). Consider pinning @ava/typescript to a Node-20-compatible version or updating the CI Node matrix to drop Node 20 before merging this bump.

Suggested change

Copilot uses AI. Check for mistakes.

@mbg mbg May 1, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The checks with Node 20 seem to be working fine: https://github.com/github/codeql-action/actions/runs/25215460498/job/73934772408?pr=3867

@mbg mbg merged commit e46ed2c into releases/v4 May 1, 2026
276 of 451 checks passed
@mbg mbg deleted the update-v4.35.3-8c6e48dbe branch May 1, 2026 14:05
@github-actions github-actions Bot mentioned this pull request May 1, 2026
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments
@mbg mbg mbg approved these changes

Assignees

@mbg mbg

Labels

size/XXL May be extremely hard to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mbg @henrymercer