Merge releases/v4 into releases/v3 #3952

Merged: henrymercer merged 32 commits into releases/v3 from backport-v3.36.2-8aad20d15 on Jun 4, 2026

@github-actions github-actions Bot commented Jun 4, 2026

Merging 8aad20d into releases/v3.

Conductor for this PR is @henrymercer.

Contains the following pull requests:

Please do the following:

  • Ensure the CHANGELOG displays the correct version and date.
  • Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.
  • Check that there are not any unexpected commits being merged into the releases/v3 branch.
  • Ensure the docs team is aware of any documentation changes that need to be released.
  • Mark the PR as ready for review to trigger the full set of PR checks.
  • Approve and merge this PR. Make sure Create a merge commit is selected rather than Squash and merge or Rebase and merge.

robertbrignull and others added 30 commits May 28, 2026 11:15
Mergeback v4.36.1 refs/heads/releases/v4 into main
This is intended as a workaround until #3556 is merged.
Bumps the npm-minor group with 2 updates in the / directory: [semver](https://github.com/npm/node-semver) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint).


Updates `semver` from 7.8.0 to 7.8.1
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](npm/node-semver@v7.8.0...v7.8.1)

Updates `typescript-eslint` from 8.59.4 to 8.60.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.0/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: semver
  dependency-version: 7.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor
- dependency-name: typescript-eslint
  dependency-version: 8.60.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the actions-minor group with 1 update in the /.github/workflows directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby).


Updates `ruby/setup-ruby` from 1.307.0 to 1.310.0
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb)
- [Commits](ruby/setup-ruby@6aaa311...afeafc3)

---
updated-dependencies:
- dependency-name: ruby/setup-ruby
  dependency-version: 1.310.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Cache CLI version information across Actions steps
…_backoff

Change waitForProcessing to use exponential backoff
…thub/workflows/actions-minor-3d0b6ad432

Bump ruby/setup-ruby from 1.307.0 to 1.310.0 in /.github/workflows in the actions-minor group across 1 directory
…r-5d507a028b

Bump the npm-minor group across 1 directory with 2 updates
This reverts commit e816d2e.
@henrymercer henrymercer marked this pull request as ready for review June 4, 2026 14:32
@henrymercer henrymercer requested a review from a team as a code owner June 4, 2026 14:32
Copilot AI review requested due to automatic review settings June 4, 2026 14:32
@github-actions github-actions Bot added the size/L May be hard to review label Jun 4, 2026
Copilot AI left a comment

Pull request overview

This PR merges changes from releases/v4 into releases/v3, bringing over recent release work (performance/operational tweaks, feature-flagged overrides, dependency bumps, and workflow hardening) and updating the releases/v3 changelog/versioning accordingly.

Changes:

  • Persist CodeQL CLI version info across steps and reuse it to avoid repeated codeql version calls.
  • Reduce SARIF processing polling requests by switching to exponential backoff with a capped number of checks.
  • Update defaults/dependencies and pin various GitHub Actions workflow uses: references to commit SHAs.

| File | Description |
| --- | --- |
| src/util.ts | Adds persisted/in-process caching for CodeQL CLI version info. |
| src/util.test.ts | Adds unit tests for persisted CodeQL CLI version info parsing/validation. |
| src/upload-lib.ts | Switches SARIF processing polling to exponential backoff with capped tries. |
| src/testing-utils.ts | Resets the in-process CodeQL CLI version cache between tests. |
| src/init-action.ts | Adds feature-flagged emergency override to force JGit git backend. |
| src/feature-flags.ts | Introduces ForceJGit feature flag wiring and env var mapping. |
| src/environment.ts | Adds env var for persisting CLI version info across steps. |
| src/defaults.json | Bumps default CodeQL bundle/CLI version to 2.25.6. |
| src/codeql.ts | Uses persisted CLI version cache; avoids re-running CLI for printVersion(). |
| pr-checks/sync.ts | Pins first-party Actions uses: to SHAs with version comments via helper. |
| pr-checks/sync-back.ts | Updates sync-back logic to handle SHA-pinned pinnedUses(...) references. |
| pr-checks/sync-back.test.ts | Adds test coverage for updating SHA-pinned pinnedUses(...) references. |
| pr-checks/checks/with-checkout-path.yml | Pins actions/checkout to a SHA. |
| pr-checks/checks/submit-sarif-failure.yml | Pins actions/checkout to a SHA. |
| pr-checks/checks/rubocop-multi-language.yml | Updates ruby/setup-ruby to a newer SHA/version. |
| pr-checks/checks/multi-language-autodetect.yml | Pins actions/setup-python to a SHA. |
| pr-checks/checks/job-run-uuid-sarif.yml | Pins actions/upload-artifact to a SHA. |
| pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml | Pins actions/github-script to a SHA. |
| pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml | Pins actions/setup-go and actions/github-script to SHAs. |
| pr-checks/checks/export-file-baseline-information.yml | Pins actions/upload-artifact to a SHA. |
| pr-checks/checks/diagnostics-export.yml | Pins actions/upload-artifact and actions/github-script to SHAs. |
| pr-checks/checks/config-export.yml | Pins actions/upload-artifact and actions/github-script to SHAs. |
| pr-checks/checks/bundle-zstd.yml | Pins actions/github-script and actions/upload-artifact to SHAs. |
| pr-checks/checks/bundle-toolcache.yml | Pins actions/github-script to a SHA in multiple steps. |
| pr-checks/checks/bundle-from-toolcache.yml | Pins actions/github-script to a SHA in multiple steps. |
| pr-checks/checks/analysis-kinds.yml | Pins actions/upload-artifact and actions/github-script to SHAs. |
| package.json | Bumps action package version and updates semver/typescript-eslint. |
| package-lock.json | Updates dependency lockfile (but currently has a version mismatch vs package.json). |
| lib/entry-points.js | Generated output update (not reviewed). |
| lib/defaults.json | Generated output update (not reviewed). |
| CHANGELOG.md | Adds 3.36.2 entry for user-facing changes. |
| .github/workflows/update-supported-enterprise-server-versions.yml | Pins setup-python/checkout to SHAs. |
| .github/workflows/update-release-branch.yml | Pins checkout and create-github-app-token to SHAs. |
| .github/workflows/update-bundle.yml | Pins checkout/setup-python/setup-node to SHAs. |
| .github/workflows/test-codeql-bundle-all.yml | Pins checkout/setup-dotnet to SHAs. |
| .github/workflows/rollback-release.yml | Pins checkout/create-github-app-token to SHAs. |
| .github/workflows/rebuild.yml | Pins checkout/setup-node to SHAs. |
| .github/workflows/query-filters.yml | Pins checkout/setup-node to SHAs. |
| .github/workflows/python312-windows.yml | Pins setup-python/checkout to SHAs. |
| .github/workflows/publish-immutable-action.yml | Pins checkout/publish-immutable-action to SHAs. |
| .github/workflows/prepare-release.yml | Pins checkout to a SHA. |
| .github/workflows/pr-checks.yml | Pins checkout/setup-node/upload-artifact/download-artifact to SHAs. |
| .github/workflows/post-release-mergeback.yml | Pins checkout/setup-node/setup-python/create-github-app-token to SHAs. |
| .github/workflows/debug-artifacts-safe.yml | Pins checkout/setup-go/setup-dotnet/download-artifact to SHAs. |
| .github/workflows/debug-artifacts-failure-safe.yml | Pins checkout/setup-go/setup-dotnet/download-artifact to SHAs. |
| .github/workflows/codescanning-config-cli.yml | Pins checkout/setup-node to SHAs. |
| .github/workflows/codeql.yml | Pins checkout to a SHA in multiple jobs. |
| .github/workflows/check-expected-release-files.yml | Pins checkout to a SHA. |
| .github/workflows/__with-checkout-path.yml | Generated workflow update (not reviewed). |
| .github/workflows/__upload-sarif.yml | Generated workflow update (not reviewed). |
| .github/workflows/__upload-ref-sha-input.yml | Generated workflow update (not reviewed). |
| .github/workflows/__unset-environment.yml | Generated workflow update (not reviewed). |
| .github/workflows/__swift-custom-build.yml | Generated workflow update (not reviewed). |
| .github/workflows/__swift-autobuild.yml | Generated workflow update (not reviewed). |
| .github/workflows/__submit-sarif-failure.yml | Generated workflow update (not reviewed). |
| .github/workflows/__start-proxy.yml | Generated workflow update (not reviewed). |
| .github/workflows/__split-workflow.yml | Generated workflow update (not reviewed). |
| .github/workflows/__rust.yml | Generated workflow update (not reviewed). |
| .github/workflows/__ruby.yml | Generated workflow update (not reviewed). |
| .github/workflows/__rubocop-multi-language.yml | Generated workflow update (not reviewed). |
| .github/workflows/__resolve-environment-action.yml | Generated workflow update (not reviewed). |
| .github/workflows/__remote-config.yml | Generated workflow update (not reviewed). |
| .github/workflows/__packaging-inputs-js.yml | Generated workflow update (not reviewed). |
| .github/workflows/__packaging-config-js.yml | Generated workflow update (not reviewed). |
| .github/workflows/__packaging-config-inputs-js.yml | Generated workflow update (not reviewed). |
| .github/workflows/__packaging-codescanning-config-inputs-js.yml | Generated workflow update (not reviewed). |
| .github/workflows/__overlay-init-fallback.yml | Generated workflow update (not reviewed). |
| .github/workflows/__multi-language-autodetect.yml | Generated workflow update (not reviewed). |
| .github/workflows/__local-bundle.yml | Generated workflow update (not reviewed). |
| .github/workflows/__language-aliases.yml | Generated workflow update (not reviewed). |
| .github/workflows/__job-run-uuid-sarif.yml | Generated workflow update (not reviewed). |
| .github/workflows/__javascript-source-root.yml | Generated workflow update (not reviewed). |
| .github/workflows/__init-with-registries.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-tracing-legacy-workflow.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-tracing-custom-build-steps.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-tracing-autobuilder.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-indirect-tracing-workaround.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-indirect-tracing-workaround-no-file-program.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-indirect-tracing-workaround-diagnostic.yml | Generated workflow update (not reviewed). |
| .github/workflows/__go-custom-queries.yml | Generated workflow update (not reviewed). |
| .github/workflows/__global-proxy.yml | Generated workflow update (not reviewed). |
| .github/workflows/__extractor-ram-threads.yml | Generated workflow update (not reviewed). |
| .github/workflows/__export-file-baseline-information.yml | Generated workflow update (not reviewed). |
| .github/workflows/__diagnostics-export.yml | Generated workflow update (not reviewed). |
| .github/workflows/__cpp-deptrace-enabled.yml | Generated workflow update (not reviewed). |
| .github/workflows/__cpp-deptrace-enabled-on-macos.yml | Generated workflow update (not reviewed). |
| .github/workflows/__cpp-deptrace-disabled.yml | Generated workflow update (not reviewed). |
| .github/workflows/__config-input.yml | Generated workflow update (not reviewed). |
| .github/workflows/__config-export.yml | Generated workflow update (not reviewed). |
| .github/workflows/__cleanup-db-cluster-dir.yml | Generated workflow update (not reviewed). |
| .github/workflows/__bundle-zstd.yml | Generated workflow update (not reviewed). |
| .github/workflows/__bundle-toolcache.yml | Generated workflow update (not reviewed). |
| .github/workflows/__bundle-from-toolcache.yml | Generated workflow update (not reviewed). |
| .github/workflows/__bundle-from-nightly.yml | Generated workflow update (not reviewed). |
| .github/workflows/__build-mode-rollback.yml | Generated workflow update (not reviewed). |
| .github/workflows/__build-mode-none.yml | Generated workflow update (not reviewed). |
| .github/workflows/__build-mode-manual.yml | Generated workflow update (not reviewed). |
| .github/workflows/__build-mode-autobuild.yml | Generated workflow update (not reviewed). |
| .github/workflows/__autobuild-working-dir.yml | Generated workflow update (not reviewed). |
| .github/workflows/__autobuild-direct-tracing-with-working-dir.yml | Generated workflow update (not reviewed). |
| .github/workflows/__autobuild-action.yml | Generated workflow update (not reviewed). |
| .github/workflows/__analyze-ref-input.yml | Generated workflow update (not reviewed). |
| .github/workflows/__analysis-kinds.yml | Generated workflow update (not reviewed). |
| .github/workflows/__all-platform-bundle.yml | Generated workflow update (not reviewed). |
| .github/actions/release-initialise/action.yml | Pins setup-node/setup-python to SHAs in the composite action. |

Copilot's findings

  • Files reviewed: 46/105 changed files
  • Comments generated: 3

Comment thread src/util.ts
Comment thread src/upload-lib.ts
Comment thread CHANGELOG.md

- Cache CodeQL CLI version information across Actions steps. [#3943](https://github.com/github/codeql-action/pull/3943)
- Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. [#3937](https://github.com/github/codeql-action/pull/3937)
- Update default CodeQL bundle version to [2.25.6](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6). [#3948](https://github.com/github/codeql-action/pull/3948)
@henrymercer henrymercer merged commit dd903d2 into releases/v3 Jun 4, 2026
230 checks passed
@henrymercer henrymercer deleted the backport-v3.36.2-8aad20d15 branch June 4, 2026 14:51