
Bump github/codeql-action from 4.35.1 to 4.35.3#356

Merged
hoffmang9 merged 1 commit into
mainfrom
dependabot/github_actions/github/codeql-action-4.35.3
May 13, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 12, 2026

Bumps github/codeql-action from 4.35.1 to 4.35.3.

Release notes

Sourced from github/codeql-action's releases.

v4.35.3

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

v4.35.2

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823
Changelog

Sourced from github/codeql-action's changelog.

4.35.3 - 01 May 2026

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823
Commits
  • e46ed2c Merge pull request #3867 from github/update-v4.35.3-8c6e48dbe
  • b73d1d1 Add changelog entry for #3853
  • 24e0bb0 Reorder changelog entries
  • ec298da Update changelog for v4.35.3
  • 8c6e48d Merge pull request #3865 from github/update-bundle/codeql-bundle-v2.25.3
  • 7190983 Add changelog note
  • 2bb2095 Update default bundle to codeql-bundle-v2.25.3
  • 7851e55 Merge pull request #3850 from github/mbg/private-registry/cloudsmith-gcp
  • 262a15f Add generic non-printable chars test for OIDC configs
  • a6109b1 Merge pull request #3853 from github/mbg/start-proxy/improved-checks
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk CI-only change that just updates the github/codeql-action version used for CodeQL scanning; impact is limited to analysis behavior in GitHub Actions.

Overview
Updates the CodeQL GitHub Actions workflow to use github/codeql-action v4.35.3 (both init and analyze) instead of v4.35.1, with no other workflow logic changes.

Reviewed by Cursor Bugbot for commit 90a4973. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.35.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v4.35.1...v4.35.3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code labels May 12, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Checking how this repo references codeql-action so the review matches the actual PR surface.

Verdict: benign

Why this looks safe

  1. Identity / typosquatting — The workflow uses github/codeql-action/init and analyze under the official github org. A patch bump 4.35.1 → 4.35.3 is normal for that action.

  2. What actually changes in this repo — Only the pinned action versions in .github/workflows/codeql-analysis.yml (two uses: lines at 47 and 67). There is no vendored copy of the action in your tree; GitHub runs the published action.

  3. Malware scanner vs. interpretation — The report shows no post-allowlist Unicode, confusable, or IOC hits. The large heuristic count (codepoint_decoder, ~8k) matches routine string/HTTP parsing in compiled JS (charCodeAt, fromCodePoint, etc.), including trivial matches like comments. That pattern is a broad heuristic, not evidence of hidden Unicode payloads. Your checklist’s “decoder patterns” item is meant to flag abusive assembly of secrets; here the hits are consistent with a normal dependency bundle, not a targeted anomaly.

  4. Checklist items — No evidence in this PR of obfuscation, unexpected third-party hosts in your workflow, persistence paths, or new npm lifecycle scripts in your repo. Upstream release notes describe normal product changes (bundle 2.25.3, registry/OIDC fixes, diagnostics bugfix). The “upcoming breaking change” warning applies to very old pinned CodeQL (≤2.19.3); default init/analyze on GitHub.com uses the action’s current bundle, not something you manually pin to 2.19.3 unless you opted in.

  5. Dependabot context — For a consumer repo, only updating uses: github/codeql-action/...@v4.35.x is expected. The long list of changed files in the report reflects a full diff of the upstream codeql-action repo (.upstream-dependency), not files that Dependabot would commit into chiavdf.

Actionable review note: Merge after CI passes; if you ever pin tools: to an ancient CodeQL CLI, heed the deprecation warning in the release notes and plan an upgrade before the next minor action release.

Compatibility Analysis

Searching the repo for CodeQL Action usage and checking workflow configuration.

1) Where it’s used

Only in .github/workflows/codeql-analysis.yml: github/codeql-action/init and github/codeql-action/analyze (both pinned to the same tag). No upload-sarif, composite actions, or other workflow references under .github.

Matches under .upstream-dependency/ are vendored upstream CodeQL Action sources, not this project’s consumption of the dependency.

2) Overlap with release-note / upstream changes

Usage is the default init → build → analyze path with languages: ${{ matrix.language }} (cpp, python), default checkout, and no custom tools:, no registries / private-package/OIDC config, no CODEQL_ACTION_CLEANUP_TRAP_CACHES, no submodules: on checkout.

So the notable upstream changes do not touch configured features here:

| Change (4.35.2 / 4.35.3) | Relevant here? |
|---|---|
| Warning for CodeQL ≤ 2.19.3 | No — you use the action’s default bundle (now 2.25.x per notes), not a pinned legacy tools URL. |
| Private registry / Cloudsmith / GCP OIDC, GET vs HEAD checks | No — no registry config. |
| Diagnostics file collision fix | Yes — passive improvement. |
| Default bundle → 2.25.3 | Yes — you inherit it; behavior is “newer scanner,” not a workflow API change. |
| TRAP cache env deprecation | No — not used. |
| Git ≥ 2.36 only for submodule incremental paths | No — no submodule checkout; even if submodules existed, this is runner/GitHub-hosted, not a workflow input break. |
| Python-on-GHES extraction change | No — standard github.com runners unless you also run this on GHES (workflow doesn’t indicate that). |

3) Risks / unknowns

  • Alert noise may shift slightly when the default CodeQL bundle moves (expected on any CodeQL Action bump that updates the bundle).
  • GHES / self-hosted: release notes mention GHES-related behavior; if this same workflow is ever copied to an old GHES + old CodeQL stack, the new deprecation warnings could matter — not indicated by the current file.

4) Recommendation

Merge — low risk for this repo: only init/analyze with minimal inputs; changes are mostly internal fixes, broader registry support, and bundle refresh; nothing in your workflow maps to the breaking or specialized paths in the notes.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 101
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: c10b8064de6f491fea524254123dbe5e09572f13..e46ed2cbd01164d986452f91f178727624ae40d7
  • Resolved refs: from=c10b8064de6f491fea524254123dbe5e09572f13 to=e46ed2cbd01164d986452f91f178727624ae40d7
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 8659

Top findings

  • src/git-utils.ts:213 codepoint_decoder :: // Both String.fromCharCode() and String.fromCodePoint() works only
  • lib/upload-sarif-action.js:1128 codepoint_decoder :: const code = this.code = key.charCodeAt(index);
  • lib/upload-sarif-action.js:1150 codepoint_decoder :: const code = key.charCodeAt(index);
  • lib/upload-sarif-action.js:1634 codepoint_decoder :: if (!isTokenCharCode(characters.charCodeAt(i))) {
  • lib/upload-sarif-action.js:3091 codepoint_decoder :: for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {
  • lib/upload-sarif-action.js:3697 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/upload-sarif-action.js:3699 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/upload-sarif-action.js:3779 codepoint_decoder :: while (lead < str2.length && predicate(str2.charCodeAt(lead))) lead++;
  • lib/upload-sarif-action.js:3782 codepoint_decoder :: while (trail > 0 && predicate(str2.charCodeAt(trail))) trail--;
  • lib/upload-sarif-action.js:4146 codepoint_decoder :: if (x.charCodeAt(index) > 255) {
  • lib/upload-sarif-action.js:4148 codepoint_decoder :: Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.
  • lib/upload-sarif-action.js:4320 codepoint_decoder :: const code = url2.charCodeAt(i);
  • lib/upload-sarif-action.js:4346 codepoint_decoder :: const c = statusText.charCodeAt(i);
  • lib/upload-sarif-action.js:4900 codepoint_decoder :: if (data.charCodeAt(position.position) !== 61) {
  • lib/upload-sarif-action.js:4913 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/upload-sarif-action.js:4927 codepoint_decoder :: if (data.charCodeAt(position.position) !== 45) {
  • lib/upload-sarif-action.js:4940 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/upload-sarif-action.js:5039 codepoint_decoder :: if (input.charCodeAt(position.position) === 34) {
  • lib/upload-sarif-action.js:5048 codepoint_decoder :: assert(input.charCodeAt(position.position) === 44);
  • lib/upload-sarif-action.js:5387 codepoint_decoder :: if ((chars.charCodeAt(i) & ~127) !== 0) {
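As an added, stand-alone check (not part of this PR, of Dependabot, or of the Cursor bot's tooling): the review above reduces the consumer-side surface of this bump to the `uses:` pins in `.github/workflows/codeql-analysis.yml`. The Python script below extracts every remote `uses:` reference from a workflow file with a regex (no YAML library needed), groups them by action, and verifies that all references to one action sit on the same ref and that this ref is the expected one, so a partially applied bump (init on one version, analyze on another) is caught before merge. Both workflow texts are constructed samples modelled on the quoted excerpt, not the repository's real file; the function names are this example's own.

```python
import re

# Constructed sample modelled on the quoted workflow excerpt (not the repo's real file).
SAMPLE_WORKFLOW = """\
name: CodeQL
jobs:
  analyze:
    strategy:
      matrix:
        language: [cpp, python]
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4.35.3
        with:
          languages: ${{ matrix.language }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4.35.3
"""

# Constructed failure case: a bump applied to init but not to analyze.
MIXED_WORKFLOW = """\
steps:
  - uses: github/codeql-action/init@v4.35.3
  - uses: github/codeql-action/analyze@v4.35.1
"""

# Matches `uses: <target>` whether or not the step starts with a list dash.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)", re.MULTILINE)


def parse_uses(workflow_text):
    """Return (owner_repo, subpath, ref) for each remote `uses:` reference.

    Local (./path) and docker:// references are skipped: they are not
    marketplace actions and carry no owner/ref to check.
    """
    refs = []
    for m in USES_RE.finditer(workflow_text):
        target = m.group(1).strip("\"'")
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            continue  # unpinned; GitHub rejects it, but stay defensive
        path, ref = target.rsplit("@", 1)
        parts = path.split("/")
        if len(parts) < 2:
            continue
        owner_repo = "/".join(parts[:2])
        subpath = "/".join(parts[2:])
        refs.append((owner_repo, subpath, ref))
    return refs


def audit_action(workflow_text, owner_repo, expected_ref):
    """Summarise how `owner_repo` is consumed by a workflow.

    Returns the number of uses, the sub-actions referenced, the distinct
    refs seen, whether every use is on one ref, and whether that single
    ref equals `expected_ref` (the version the bump PR claims to set).
    """
    uses = [(sub, ref) for (o, sub, ref) in parse_uses(workflow_text) if o == owner_repo]
    refs = sorted({ref for _, ref in uses})
    return {
        "uses": len(uses),
        "subpaths": sorted(sub for sub, _ in uses),
        "refs": refs,
        "consistent": len(refs) == 1,
        "matches_expected": refs == [expected_ref],
    }


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_WORKFLOW), ("mixed", MIXED_WORKFLOW)):
        print(label, audit_action(text, "github/codeql-action", "v4.35.3"))
```

Run against a real checkout by reading the workflow file into `audit_action`; a `consistent` of `False` or a `matches_expected` of `False` is the signal that the PR diff did not touch every pin the reviewer expected it to.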

@hoffmang9
Member

Close to reopen for new CI run

@hoffmang9 hoffmang9 closed this May 13, 2026
@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github May 13, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@hoffmang9 hoffmang9 reopened this May 13, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying how this repo pins github/codeql-action so the review reflects the consumer PR scope.

Verdict: benign

Checklist

  • Classic obfuscation: No credible signals in scope. The pinned action is github/codeql-action @ v4.35.3 (official GitHub org/action), i.e. not typosquatting. In this repo the effective change is init/analyze version bumps only in .github/workflows/codeql-analysis.yml (see 47:67:/home/runner/work/chiavdf/chiavdf/.github/workflows/codeql-analysis.yml). Release notes describe normal scanning/registry/OIDC/diagnostic fixes—not exfiltration, persistence, or odd hosts.

  • Invisible Unicode / GlassWorm: Scanner agrees: 0 unicode, 0 confusable (post‑allowlist). The thousands of codepoint_decoder / charCodeAt heuristic hits align with bundled parser/HTTP code in upstream’s lib/upload-sarif-action.js-style artifacts—classic noise for that rule, not evidence of hidden payloads unless paired with IOCs (there were none).

  • Dependency integrity: Patch semver 4.35.1 → 4.35.3 on a github/ published action, with changelog pointing at released tags/commits upstream. Consumer repo does not add npm lock churn for this bump; Dependabot surfaces upstream’s own package-lock.json churn only in upstream-diff malware scans, which is expected for rebuilding the action, not suspicious for your workflow pin PR.

  • Dependabot-specific: Low concern. Your workflow edits are proportionate (two uses: lines); no unexplained node_modules/ churn in-repo for this dependency class. Extended .upstream-dependency/ content is tooling context for review, not what GitHub resolves at uses: time.

Scanner vs interpretation: Status warn is driven by noisy heuristics, while severity signals (IOC / unicode / confusable) are empty—consistent with treating this PR as routine.

Actionable: Merge if CI/CodeQL passes; optionally note GHES/old CodeQL deprecation warning in logs if your org pins very old tooling (per upstream release notes), which does not apply to ordinary GitHub-hosted ubuntu-latest default bundle behavior.

Compatibility Analysis

Searching the repository for github/codeql-action usage and reviewing workflow configuration.

1) Where it’s used

Project-owned usage is only in .github/workflows/codeql-analysis.yml: github/codeql-action/init and github/codeql-action/analyze (same version tag on both steps). Languages are cpp and python via a matrix; init only passes languages.

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v4.35.3
      with:
        languages: ${{ matrix.language }}
        # ...
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v4.35.3

Other codeql-action hits under .upstream-dependency/ are a vendored upstream clone, not how this repo invokes the action on GitHub.

There is no first-party .github/codeql/*.yml config in the repo root (only examples inside .upstream-dependency).


2) Overlap with likely changes (4.35.1 → 4.35.3)

| Release-note area | Relevant here? |
|---|---|
| Private registries (Cloudsmith / GCP OIDC), GET vs HEAD checks | No — no registries input, no config-file pointing at registry-heavy config |
| Deprecation warning for pinned CodeQL ≤ 2.19.3 | Unlikely — workflow does not pin an old tools: bundle; it uses the action default (now 2.25.3 per notes) |
| TRAP cache cleanup env / trap-caching | No — no custom env or trap-caching in this workflow |
| Git ≥ 2.36 for incremental analysis | Low relevance — only matters for submodule repos per notes; nothing in the workflow suggests submodule-specific CodeQL setup |
| Default bundle 2.25.2 → 2.25.3 | Yes — this repo always rides the default bundle, so you do get the new patch bundle |

So the only substantive intersection is the default CodeQL bundle bump (query/engine patch level). Everything else in the notes targets advanced/registry/GHES paths this workflow does not use.


3) Risks / unknowns

  • Alert churn: A new bundle can slightly change C++ / Python results (rare but possible).
  • GHES / pinned-tools operators: Not reflected in this file; if the org ever runs the same workflow on GHES with an old tools: URL, the upcoming deprecation would matter later — not indicated here.

4) Recommendation

Merge. This is a patch bump on the v4 line with a minimal workflow (init + analyze, languages only). No inputs or configs touch the areas called out in the release notes beyond inheriting the new default bundle, which is the normal and intended path for Dependabot on github/codeql-action. After merge, rely on the CodeQL workflow run on main (or the PR checks) as the functional smoke test.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 101
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: c10b8064de6f491fea524254123dbe5e09572f13..e46ed2cbd01164d986452f91f178727624ae40d7
  • Resolved refs: from=c10b8064de6f491fea524254123dbe5e09572f13 to=e46ed2cbd01164d986452f91f178727624ae40d7
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 8659

Top findings

  • src/git-utils.ts:213 codepoint_decoder :: // Both String.fromCharCode() and String.fromCodePoint() works only
  • lib/upload-sarif-action.js:1128 codepoint_decoder :: const code = this.code = key.charCodeAt(index);
  • lib/upload-sarif-action.js:1150 codepoint_decoder :: const code = key.charCodeAt(index);
  • lib/upload-sarif-action.js:1634 codepoint_decoder :: if (!isTokenCharCode(characters.charCodeAt(i))) {
  • lib/upload-sarif-action.js:3091 codepoint_decoder :: for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {
  • lib/upload-sarif-action.js:3697 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/upload-sarif-action.js:3699 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/upload-sarif-action.js:3779 codepoint_decoder :: while (lead < str2.length && predicate(str2.charCodeAt(lead))) lead++;
  • lib/upload-sarif-action.js:3782 codepoint_decoder :: while (trail > 0 && predicate(str2.charCodeAt(trail))) trail--;
  • lib/upload-sarif-action.js:4146 codepoint_decoder :: if (x.charCodeAt(index) > 255) {
  • lib/upload-sarif-action.js:4148 codepoint_decoder :: Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.
  • lib/upload-sarif-action.js:4320 codepoint_decoder :: const code = url2.charCodeAt(i);
  • lib/upload-sarif-action.js:4346 codepoint_decoder :: const c = statusText.charCodeAt(i);
  • lib/upload-sarif-action.js:4900 codepoint_decoder :: if (data.charCodeAt(position.position) !== 61) {
  • lib/upload-sarif-action.js:4913 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/upload-sarif-action.js:4927 codepoint_decoder :: if (data.charCodeAt(position.position) !== 45) {
  • lib/upload-sarif-action.js:4940 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/upload-sarif-action.js:5039 codepoint_decoder :: if (input.charCodeAt(position.position) === 34) {
  • lib/upload-sarif-action.js:5048 codepoint_decoder :: assert(input.charCodeAt(position.position) === 44);
  • lib/upload-sarif-action.js:5387 codepoint_decoder :: if ((chars.charCodeAt(i) & ~127) !== 0) {

@hoffmang9 hoffmang9 enabled auto-merge (squash) May 13, 2026 01:12
@hoffmang9 hoffmang9 merged commit 7cd959d into main May 13, 2026
122 of 127 checks passed
@hoffmang9 hoffmang9 deleted the dependabot/github_actions/github/codeql-action-4.35.3 branch May 13, 2026 01:12