See the releases page for the relevant changes to the CodeQL CLI and language packs.
Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.
[UNRELEASED]
No user facing changes.
3.26.2 - 14 Aug 2024
Update default CodeQL bundle version to 2.18.2. #2417
3.26.1 - 13 Aug 2024
No user facing changes.
3.26.0 - 06 Aug 2024
Deprecation: Swift analysis on Ubuntu runner images is no longer supported. Please migrate to a macOS runner if this affects you. #2403
Bump the minimum CodeQL bundle version to 2.13.5. #2408
3.25.15 - 26 Jul 2024
Update default CodeQL bundle version to 2.18.1. #2385
3.25.14 - 25 Jul 2024
Experimental: add a new start-proxy action which starts the same HTTP proxy as used by github/dependabot-action. Do not use this in production as it is part of an internal experiment and subject to change at any time. #2376
Add a deprecation warning for customers using CodeQL version 2.13.4 and earlier. These versions of CodeQL were discontinued on 9 July 2024 alongside GitHub Enterprise Server 3.9, and will be unsupported by CodeQL Action versions 3.26.0 and later and versions 2.26.0 and later. #2375
If you are using one of these versions, please update to CodeQL CLI version 2.13.5 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
Alternatively, if you want to continue using a version of the CodeQL CLI between 2.12.6 and 2.13.4, you can replace github/codeql-action/*@v3 by github/codeql-action/*@v3.25.13 and github/codeql-action/*@v2 by github/codeql-action/*@v2.25.13 in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
3.25.12 - 12 Jul 2024
Improve the reliability and performance of analyzing code when analyzing a compiled language with the autobuildbuild mode on GitHub Enterprise Server. This feature is already available to GitHub.com users. #2353
Update default CodeQL bundle version to 2.18.0. #2364
3.25.11 - 28 Jun 2024
Avoid failing the workflow run if there is an error while uploading debug artifacts. #2349
Update default CodeQL bundle version to 2.17.6. #2352
3.25.10 - 13 Jun 2024
... (truncated)
Commits
429e197 Merge pull request #2425 from github/update-v3.26.2-a93f8c2fd
fix(ci): update all failing workflows by @mayeut in actions/setup-python#863
This update ensures compatibility and optimal performance of workflows on the latest macOS version.
docs(configuration): correct GHA parameter name for commit email (#981)
git_committer_name was repeated; replace one instance of it with
git_committer_email (ce9ffdb)
Fix
fix(version-cmd): resolve build command execution in powershell (#980)
Fixes the command line option for passing a shell command to Powershell. Also included a similar shell detection result for
pwsh (Powershell Core) (32c8e70)
v9.8.5 (2024-07-06)
Fix
fix: enable --print-last-released* when in detached head or non-release branch (#926)
test(version-cmd): add tests to print when detached or non-release branch
perf: improve git history processing for changelog generation (#972)
perf(changelog): improve git history parser changelog generation
This converts the double for-loop (O(n^2)) down to O(n) using a
lookup table to match the current commit with a known tag rather than
iterating through all the tags of the repository every time.
fix(changelog): resolve commit ordering issue when dates are similar (bfda159)
v9.8.4 (2024-07-04)
Fix
fix(changelog-cmd): remove usage strings when error occured
In #241, @br3ndonland💰 added a Docker label linking the container image to this repository for GHCR to display it nicely. This is preparatory work for a big performance-focused refactoring he's working on in #230.
🙏 Special Thanks to @pradyunsg💰 for promptly unblocking this release to Marketplace as GitHub started asking for yet another developer agreement signature from the organization admins.
This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the v5.0.0 release notes. Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation.
We now use uv's new uv cache prune --ci to only cache downloaded files. This makes the cache smaller and faster to pack/unpack. #135
Fixed
Turns out, the default location of uv's cache cannot be cached and actions/cache fails silently with an opaque "Path(s) specified in the action for caching do(es) not exist, hence no cache is being saved." log message. We have moved the cache to /tmp. #135
v2.7.0
Added
A header before package contents in the summary. Especially useful together with a preceding build provenance attestation. #131
Use uv's new uv cache prune --ci to only cache downloaded files.
This makes the cache smaller and faster to pack/unpack.
#135
Fixed
Turns out, the default location of uv's cache cannot be cached and actions/cache fails silently with an opaque "Path(s) specified in the action for caching do(es) not exist, hence no cache is being saved." log message.
We have moved the cache to /tmp.
#135
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the github-actions group with 9 updates in the / directory:
4.1.6
4.1.7
3.25.5
3.26.2
5.1.0
5.1.1
9.7.3
9.8.6
0f96c02a48278aff14251e9f1a0d73122a8c638b
0dcddac3ba7b691d7a3fd4586b640d7b214a0016
1.8.14
1.9.0
2.3.3
2.4.0
2.5.0
2.8.0
6.0.5
6.1.0
Updates
actions/checkout
from 4.1.6 to 4.1.7Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
692973e
Prepare 4.1.7 release (#1775)6ccd57f
Pin actions/checkout's own workflows to a known, good, stable version. (#1776)b17fe1e
Handle hidden refs (#1774)b80ff79
Bump actions/checkout from 3 to 4 (#1697)b1ec302
Bump the minor-npm-dependencies group across 1 directory with 4 updates (#1739)Updates
github/codeql-action
from 3.25.5 to 3.26.2Changelog
Sourced from github/codeql-action's changelog.
... (truncated)
Commits
429e197
Merge pull request #2425 from github/update-v3.26.2-a93f8c2fd9eec338
Update changelog for v3.26.2a93f8c2
Merge pull request #2423 from github/mergeback/v3.26.1-to-main-29d86d22af1f2e8
Address incorrect CHANGELOG.md2bc3b83
Update checked-in dependenciesdd9700c
Reapply "Merge pull request #2417 from github/update-bundle/codeql-bundle-v2....ece28a8
Update changelog and version after v3.26.129d86d2
Merge pull request #2422 from github/update-v3.26.1-0d5982aa35b15b9e
Revert "Merge pull request #2417 from github/update-bundle/codeql-bundle-v2.1...18ac79e
Update changelog for v3.26.1Updates
actions/setup-python
from 5.1.0 to 5.1.1Release notes
Sourced from actions/setup-python's releases.
Commits
39cd149
Documentation update for cache (#873)a0d74c0
fix(ci): update all failing workflows (#863)4eb7dbc
Bump braces from 3.0.2 to 3.0.3 (#893)Updates
python-semantic-release/python-semantic-release
from 9.7.3 to 9.8.6Release notes
Sourced from python-semantic-release/python-semantic-release's releases.
... (truncated)
Changelog
Sourced from python-semantic-release/python-semantic-release's changelog.
... (truncated)
Commits
dec06aa
9.8.632c8e70
fix(version-cmd): resolve build command execution in powershell (#980)ce9ffdb
docs(configuration): correct GHA parameter name for commit email (#981)3ba5346
9.8.5782c0a6
fix: enable--print-last-released*
when in detached head or non-release bra...bfda159
perf: improve git history processing for changelog generation (#972)e02a9bd
9.8.47342484
style: beautify 348a51db8a837d951966aff3789aa0c93d473829348a51d
fix(changelog-cmd): remove usage strings when error occuredafbb187
fix(publish-cmd): remove usage strings when error occuredUpdates
python-semantic-release/upload-to-gh-release
from 0f96c02a48278aff14251e9f1a0d73122a8c638b to 0dcddac3ba7b691d7a3fd4586b640d7b214a0016Changelog
Sourced from python-semantic-release/upload-to-gh-release's changelog.
Commits
0dcddac
9.8.623d348d
build(deps): bump python-semantic-release from 9.8.5 to 9.8.6 (#19)1b1cde2
ci(deps): bump python-semantic-release action from 9.8.5 to 9.8.6 (#20)e2355e1
ci(deps): bump python-semantic-release from 9.8.3 to 9.8.5 (#18)fe6cc89
9.8.5637a381
build(deps): bump python-semantic-release from 9.8.4 to 9.8.5 (#17)ab38ab6
9.8.4bc1d48b
build(deps): bump python-semantic-release from 9.8.3 to 9.8.4 (#16)1521494
ci(deps): bumppython-semantic-release
from 9.8.2 to 9.8.3 (#15)c7c3b69
9.8.3Updates
pypa/gh-action-pypi-publish
from 1.8.14 to 1.9.0Release notes
Sourced from pypa/gh-action-pypi-publish's releases.
Commits
ec4db0b
Merge PR #243 into unstable/v1e790844
oidc-exchange: link to status dashboard87b624f
💅Update homepage @ Dockerfile to GH Marketplaceda2f9bb
Merge pull request #241 from br3ndonland/ghcr-labelabbea2d
Add Docker label for GHCR2734d07
build(deps): bump requests from 2.31.0 to 2.32.0 in /requirements (#240)a54b9b8
---699cd61
⇪📦 Bump the runtime dep lockfile8414fc2
[pre-commit.ci] pre-commit autoupdate (#225)67a07eb
Disable the progress bar when runningtwine upload
Updates
ossf/scorecard-action
from 2.3.3 to 2.4.0Release notes
Sourced from ossf/scorecard-action's releases.
Commits
62b2cac
bump docker tag to v2.4.0 for release (#1414)c09630c
lower license score alert threshold to 9 (#1411)cf8594c
:seedling: Bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.3.0 (#1413)de5fcb9
:seedling: Bump the github-actions group with 2 updates (#1412)a46b90b
bump scorecard to v5.0.0 release (#1410)9fc518d
:seedling: Bump golang in the docker-images group (#1407)a8eaa1b
:seedling: Bump the github-actions group with 2 updates (#1408)873d5fd
:seedling: Bump the github-actions group across 1 directory with 2 updates (#...54cc1fe
:seedling: Bump the docker-images group with 2 updates (#1401)82bcb91
:seedling: Bump golang.org/x/net from 0.26.0 to 0.27.0 (#1400)Updates
hynek/build-and-inspect-python-package
from 2.5.0 to 2.8.0Release notes
Sourced from hynek/build-and-inspect-python-package's releases.
Changelog
Sourced from hynek/build-and-inspect-python-package's changelog.
... (truncated)
Commits
2dbbf2b
v2.8.012cdfb4
Automated dependency upgrades (#136)0b18de8
Prune uv's CI cache (#135)e2e1d19
Start new cyclefdf1c7d77
Fix CI7880597
v2.7.02937224
Automated dependency upgrades (#134)a2f7fd4
Automated dependency upgrades (#132)5afaeb9
Add provenance header to summary for nicer readability (#131)8f18e33
Automated dependency upgrades (#130)Updates
peter-evans/create-pull-request
from 6.0.5 to 6.1.0Release notes
Sourced from peter-evans/create-pull-request's releases.
Commits
c5a7806
feat: add branch name output (#2995)4383ba9
build: update distribution (#2990)36f7648
build(deps): bump undici from 6.18.2 to 6.19.2 (#2977)5f7c158
build(deps-dev): bump@types/node
from 18.19.34 to 18.19.36 (#2976)db1713d
build(deps-dev): bump ts-jest from 29.1.4 to 29.1.5 (#2975)ca98a71
build(deps-dev): bump ws from 8.11.0 to 8.17.1 (#2970)ce00808
build(deps-dev): bump braces from 3.0.2 to 3.0.3 (#2962)7318c0b
build(deps-dev): bump prettier from 3.3.0 to 3.3.2 (#2959)e30bbbb
build: update distribution (#2947)bad19b8
build(deps-dev): bump@types/node
from 18.19.33 to 18.19.34 (#2935)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show