
Bump github/codeql-action from 4 to 4.35.1#351

Merged
emlowe merged 1 commit into
mainfrom
dependabot/github_actions/github/codeql-action-4.35.1
Apr 22, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 21, 2026

Bumps github/codeql-action from 4 to 4.35.1.

Release notes

Sourced from github/codeql-action's releases.

v4.35.1

v4.35.0

v4.34.1

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v4.34.0

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

v4.33.0

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

v4.32.6

  • Update default CodeQL bundle version to 2.24.3. #3548

v4.32.5

  • Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
  • Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
  • The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
  • Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
  • Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
  • Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
  • The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

v4.32.4

  • Update default CodeQL bundle version to 2.24.2. #3493
  • Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
  • When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
  • Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
  • Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

v4.32.3

  • Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

4.35.1 - 27 Mar 2026

4.35.0 - 27 Mar 2026

4.34.1 - 20 Mar 2026

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

  • Update default CodeQL bundle version to 2.24.3. #3548

4.32.5 - 02 Mar 2026

  • Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
  • Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
  • The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
  • Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
  • Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
  • Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
  • The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

4.32.4 - 20 Feb 2026

  • Update default CodeQL bundle version to 2.24.2. #3493

... (truncated)

Commits
  • c10b806 Merge pull request #3782 from github/update-v4.35.1-d6d1743b8
  • c5ffd06 Update changelog for v4.35.1
  • d6d1743 Merge pull request #3781 from github/henrymercer/update-git-minimum-version
  • 65d2efa Add changelog note
  • 2437b20 Update minimum git version for overlay to 2.36.0
  • ea5f719 Merge pull request #3775 from github/dependabot/npm_and_yarn/node-forge-1.4.0
  • 45ceeea Merge pull request #3777 from github/mergeback/v4.35.0-to-main-b8bb9f28
  • 24448c9 Rebuild
  • 7c51060 Update changelog and version after v4.35.0
  • b8bb9f2 Merge pull request #3776 from github/update-v4.35.0-0078ad667
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk: this only pins the CodeQL GitHub Action to a newer patch version in the CI workflow; the main impact is potential changes to CodeQL scanning behavior or performance.

Overview
Updates the CodeQL GitHub Actions workflow to pin github/codeql-action from v4 to v4.35.1 for both the init and analyze steps, keeping code scanning on the latest patch release.

Reviewed by Cursor Bugbot for commit c706c12. Bugbot is set up for automated code reviews on this repo.

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v4...v4.35.1)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
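The release notes quoted above document the CODEQL_ACTION_FILE_COVERAGE_ON_PRS opt-out for advanced-setup workflows, and the bump itself moves the init and analyze steps from the floating @v4 tag to the @v4.35.1 tag. The script below is an added example, not code from the chiavdf repository, from Dependabot or from github/codeql-action: it embeds a constructed workflow in the shape the PR and the review describe (init/analyze at v4.35.1, a cpp/python matrix, an explicit Build step, fetch-depth: 0 on checkout, the opt-out env var set) and classifies every `uses:` reference as a commit SHA, a full version tag or a floating ref. The workflow text, the file layout and the `./build.sh` command are assumptions. The security point it makes is that a version tag such as v4.35.1 is still a mutable Git ref that the upstream maintainers (or anyone who gains write access to their repository) can move; only a 40-hex commit SHA pin is immutable, and Dependabot keeps SHA-pinned actions updated as well.

```python
"""Audit action pins in a CodeQL workflow and confirm the PR file-coverage opt-out.

Added example: not code from the chiavdf repository, from Dependabot or from
github/codeql-action. Standard library only.
"""
import re

# Constructed sample workflow. Its shape is an assumption based on what the PR
# and the review describe: init/analyze pinned to v4.35.1, a cpp/python matrix,
# an explicit Build step, fetch-depth: 0 on checkout. The env block sets the
# opt-out that the 4.33.0 release notes document for advanced setup.
SAMPLE_WORKFLOW = """\
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
env:
  # Keep computing file coverage on pull requests after April 2026
  CODEQL_ACTION_FILE_COVERAGE_ON_PRS: "true"
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [cpp, python]
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: github/codeql-action/init@v4.35.1
        with:
          languages: ${{ matrix.language }}
      - name: Build
        run: ./build.sh   # assumed build command
      - uses: github/codeql-action/analyze@v4.35.1
"""

# Matches "uses: owner/repo[/path]@ref" or "uses: ./local" on its own line;
# the character class stops at whitespace or a trailing "#" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")
OPT_OUT_RE = re.compile(
    r"^\s*CODEQL_ACTION_FILE_COVERAGE_ON_PRS:\s*[\"']?true[\"']?\s*$", re.MULTILINE
)


def classify_ref(ref):
    """'sha' for a full commit SHA, 'tag' for a full version tag such as
    v4.35.1, otherwise 'floating' (major-only tags like v4, branch names).
    Only 'sha' is immutable: any tag can be moved by whoever controls the repo."""
    if SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "tag"
    return "floating"


def audit_workflow(text):
    """Return a list of (action, ref, kind) for every uses: line in the workflow."""
    findings = []
    for match in USES_RE.finditer(text):
        spec = match.group(1)
        if "@" not in spec:  # ./local-action or a docker:// reference without a ref
            findings.append((spec, "", "local"))
            continue
        action, ref = spec.rsplit("@", 1)
        findings.append((action, ref, classify_ref(ref)))
    return findings


def not_sha_pinned(text):
    """Actions that a supply-chain policy requiring SHA pins would reject."""
    return [(action, ref) for action, ref, kind in audit_workflow(text) if kind != "sha"]


def file_coverage_opt_out_set(text):
    """True if the workflow sets CODEQL_ACTION_FILE_COVERAGE_ON_PRS to true."""
    return OPT_OUT_RE.search(text) is not None


if __name__ == "__main__":
    for action, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:8} {action}@{ref}")
    print("file-coverage opt-out set:", file_coverage_opt_out_set(SAMPLE_WORKFLOW))
```

Run against the real `.github/workflows/codeql-analysis.yml` by reading the file instead of the constructed string; every `tag` or `floating` result is a candidate for a SHA pin with a `# v4.35.1` comment beside it. The scan summary further down resolves the v4.35.1 tag to commit c10b8064de6f491fea524254123dbe5e09572f13, which is the kind of value a SHA pin would carry.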
@dependabot dependabot Bot added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update Github_actions code) on Apr 21, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Checking how this repo references github/codeql-action to ground the review.

Verdict: benign

Why this looks safe

  1. Publisher and name — The action is github/codeql-action under the github org. That is the canonical CodeQL Action, not a typosquat.

  2. What your repo actually changes — In this tree, CodeQL is only wired through .github/workflows/codeql-analysis.yml, with init and analyze pinned to @v4.35.1 (see lines 47 and 67). That is a normal Dependabot-style pin from a floating @v4 to a specific patch tag; no extra steps, secrets, or odd hosts were added in that workflow.

  3. Malware scan vs. checklist — The report shows 0 unicode, 0 confusable, and 0 IOC findings. The large heuristic count is almost entirely codepoint_decoder hits on charCodeAt / fromCodePoint / codePointAt in ordinary TypeScript and in bundled lib/*.js (e.g. HTTP/SARIF parsing). That pattern matches benign minified/bundled code, not GlassWorm-style hidden payloads; the scanner is noisy here, not indicative of compromise.

  4. “Many files” context — The 65 changed files and lockfile note apply to the upstream codeql-action diff between tags (your .upstream-dependency mirror), not to a flood of edits inside chiavdf. A consumer PR typically only updates uses: versions; that is consistent with low blast radius.

  5. Release narrative — Changelog items (Git minimum for incremental analysis, default CodeQL bundle bumps, PR file-coverage behavior) are standard product changes from GitHub’s own release notes, not red flags for supply-chain malware.

Residual risk (operational, not malware) — Newer action versions can change behavior (e.g. default CodeQL bundle, PR file coverage after April 2026). Merge if CI/CodeQL passes; treat any new warnings in logs as product changes, not as compromise signals.

Scanner interpretation — Heuristic volume disagrees with a malicious reading: those hits are expected in this codebase and are not corroborated by unicode/Bidi/IOC signals.

Compatibility Analysis

Searching the repo for github/codeql-action usage and scanning workflow files for context.

1) Where it’s used

Only in .github/workflows/codeql-analysis.yml: github/codeql-action/init@v4.35.1 and github/codeql-action/analyze@v4.35.1 (lines 47 and 67). There is no other github/codeql-action reference in this repo’s own workflows or app code (no start-proxy, separate upload-sarif, etc.). There is also no repo-level CodeQL config under .github/codeql/ in this project (only examples live under .upstream-dependency).

2) Intersection with release-note / upstream changes

Usage is limited to init + analyze with languages: ${{ matrix.language }} for cpp and python, plus a manual Build step.

From the notes you quoted, the substantive changes are: default CodeQL bundle bumps/downgrades, improved incremental analysis / overlay (Git version checks, C/C++ build mode none rollout), TRAP cache behavior, PR file coverage, GHES/custom repo properties, registry/proxy paths.

Your workflow does not wire those advanced paths (no start-proxy, no autobuild action, no custom registries in the workflow, no explicit CodeQL config file in-repo). init / analyze remain stable in the sense of typical Dependabot bumps—there’s no indication you depend on removed inputs.

Minor intersection: you analyze C++ with a real build. The “build mode none” rollout is mainly relevant to workflows that use that mode; yours uses an explicit build, so that specific rollout is lower direct risk. Python + C++ still pick up bundle 2.25.1 and any global query/compiler behavior changes.

3) Risks / unknowns

Risk / Notes

  • Finding churn. New default bundle can change alerts (new/fixed findings). Expected on CodeQL upgrades.
  • CI time / cache. TRAP cache / incremental-analysis behavior can shift performance; usually fine on ubuntu-latest.
  • actions/checkout with fetch-depth: 0. Aligns well with Git-based features; runners have Git ≥ 2.36, so the 2.36.0 overlay minimum in v4.35.1 is satisfied on hosted runners. Self-hosted runners with very old Git could behave differently for overlay features.
  • PR file coverage (April 2026). If you care about that UI signal on PRs, you may need the documented opt-in later; not a merge blocker for this pin.
  • 4.34.1 bundle downgrade story. Mentioned JS edge cases; your matrix has no JavaScript analysis.

4) Recommendation

Merge.

This is a standard patch pin of the official action (@v4 to @v4.35.1) on hosted ubuntu-latest, minimal surface (init/analyze only). v4.35.1 is the right end state for the Git minimum fix relative to v4.35.0.

Merge with caveats only if you must guarantee PR file-coverage behavior after April 2026 or you use self-hosted runners with Git < 2.36—then verify logs or set documented overrides; that is optional for most repos.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 65
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: 95e58e9a2cdfd71adc6e0353d5c52f41a045d225..c10b8064de6f491fea524254123dbe5e09572f13
  • Resolved refs: from=95e58e9a2cdfd71adc6e0353d5c52f41a045d225 to=c10b8064de6f491fea524254123dbe5e09572f13
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 12236

Top findings

  • src/git-utils.ts:213 codepoint_decoder :: // Both String.fromCharCode() and String.fromCodePoint() works only
  • lib/upload-sarif-action.js:1112 codepoint_decoder :: const code = this.code = key.charCodeAt(index);
  • lib/upload-sarif-action.js:1134 codepoint_decoder :: const code = key.charCodeAt(index);
  • lib/upload-sarif-action.js:1618 codepoint_decoder :: if (!isTokenCharCode(characters.charCodeAt(i))) {
  • lib/upload-sarif-action.js:3066 codepoint_decoder :: for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {
  • lib/upload-sarif-action.js:3672 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/upload-sarif-action.js:3674 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/upload-sarif-action.js:3754 codepoint_decoder :: while (lead < str2.length && predicate(str2.charCodeAt(lead))) lead++;
  • lib/upload-sarif-action.js:3757 codepoint_decoder :: while (trail > 0 && predicate(str2.charCodeAt(trail))) trail--;
  • lib/upload-sarif-action.js:4121 codepoint_decoder :: if (x.charCodeAt(index) > 255) {
  • lib/upload-sarif-action.js:4123 codepoint_decoder :: Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.
  • lib/upload-sarif-action.js:4295 codepoint_decoder :: const code = url2.charCodeAt(i);
  • lib/upload-sarif-action.js:4321 codepoint_decoder :: const c = statusText.charCodeAt(i);
  • lib/upload-sarif-action.js:4875 codepoint_decoder :: if (data.charCodeAt(position.position) !== 61) {
  • lib/upload-sarif-action.js:4888 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/upload-sarif-action.js:4902 codepoint_decoder :: if (data.charCodeAt(position.position) !== 45) {
  • lib/upload-sarif-action.js:4915 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/upload-sarif-action.js:5014 codepoint_decoder :: if (input.charCodeAt(position.position) === 34) {
  • lib/upload-sarif-action.js:5023 codepoint_decoder :: assert(input.charCodeAt(position.position) === 44);
  • lib/upload-sarif-action.js:5362 codepoint_decoder :: if ((chars.charCodeAt(i) & ~127) !== 0) {

@emlowe emlowe merged commit 835fb49 into main Apr 22, 2026
67 checks passed
@emlowe emlowe deleted the dependabot/github_actions/github/codeql-action-4.35.1 branch April 22, 2026 15:20