dependabot[bot] opened a new pull request, #69907: URL: https://github.com/apache/airflow/pull/69907
Bumps the github-actions-updates group with 8 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/setup-java](https://github.com/actions/setup-java) | `5.4.0` | `5.5.0` | | [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) | `3.0.3` | `3.0.5` | | [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) | `6.2.1` | `6.2.2` | | [github/codeql-action/init](https://github.com/github/codeql-action) | `4.36.2` | `4.37.0` | | [github/codeql-action/autobuild](https://github.com/github/codeql-action) | `4.36.2` | `4.37.0` | | [github/codeql-action/analyze](https://github.com/github/codeql-action) | `4.36.2` | `4.37.0` | | [actions/stale](https://github.com/actions/stale) | `10.3.0` | `10.4.0` | | [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `8.2.0` | `8.3.2` | Updates `actions/setup-java` from 5.4.0 to 5.5.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-java/releases">actions/setup-java's releases</a>.</em></p> <blockquote> <h2>v5.5.0</h2> <h2>What's Changed</h2> <ul> <li>chore: enforce pre-PR validation (aggregate scripts, git hooks, PR checklist) by <a href="https://github.com/brunoborges"><code>@brunoborges</code></a> in <a href="https://redirect.github.com/actions/setup-java/pull/1061">actions/setup-java#1061</a></li> <li>Bump github/codeql-action from 3 to 4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-java/pull/1069">actions/setup-java#1069</a></li> <li>Bump actions/checkout from 6 to 7 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-java/pull/1068">actions/setup-java#1068</a></li> <li>Bump actions/setup-python from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-java/pull/1067">actions/setup-java#1067</a></li> <li>Bump <code>@typescript-eslint/parser</code> from 8.61.1 to 8.62.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-java/pull/1062">actions/setup-java#1062</a></li> <li>feat: Add verify-signature plumbing and Temurin+Microsoft verification support by <a href="https://github.com/johnoliver"><code>@johnoliver</code></a> in <a href="https://redirect.github.com/actions/setup-java/pull/1060">actions/setup-java#1060</a></li> <li>Updated jetbrains test: https.request() now catches errors. This fixes leaking tests as well by <a href="https://github.com/jmjaffe37"><code>@jmjaffe37</code></a> in <a href="https://redirect.github.com/actions/setup-java/pull/1070">actions/setup-java#1070</a></li> <li>Fix arm64 e2e workflow tests mislabeled as x64 by <a href="https://github.com/brunoborges"><code>@brunoborges</code></a> with <a href="https://github.com/Copilot"><code>@Copilot</code></a> in <a href="https://redirect.github.com/actions/setup-java/pull/1073">actions/setup-java#1073</a></li> <li>feat: suppress Maven transfer progress via MAVEN_ARGS by default (add show-download-progress input) by <a href="https://github.com/brunoborges"><code>@brunoborges</code></a> in <a href="https://redirect.github.com/actions/setup-java/pull/1053">actions/setup-java#1053</a></li> <li>feat: Disable interactiveMode in generated Maven settings.xml by <a href="https://github.com/brunoborges"><code>@brunoborges</code></a> with <a href="https://github.com/Copilot"><code>@Copilot</code></a> in <a href="https://redirect.github.com/actions/setup-java/pull/1052">actions/setup-java#1052</a></li> <li>Bump prettier from 3.6.2 to 3.9.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-java/pull/1066">actions/setup-java#1066</a></li> <li>chore(deps-dev): bump eslint-plugin-jest from 29.0.1 to 29.15.4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-java/pull/1074">actions/setup-java#1074</a></li> <li>fix: Maven Toolchains grows unexpectedly by <a href="https://github.com/Okeanos"><code>@Okeanos</code></a> in <a href="https://redirect.github.com/actions/setup-java/pull/534">actions/setup-java#534</a></li> <li>dist: Support Tencent Kona JDK by <a href="https://github.com/johnshajiang"><code>@johnshajiang</code></a> in <a href="https://redirect.github.com/actions/setup-java/pull/672">actions/setup-java#672</a></li> <li>feat: Add set-default option by <a href="https://github.com/gsmet"><code>@gsmet</code></a> in <a href="https://redirect.github.com/actions/setup-java/pull/1017">actions/setup-java#1017</a></li> <li>docs: document problem matcher (and how to disable it), Maven Wrapper caching, and generated interactiveMode by <a href="https://github.com/brunoborges"><code>@brunoborges</code></a> in <a href="https://redirect.github.com/actions/setup-java/pull/1075">actions/setup-java#1075</a></li> <li>feat: Add distribution detection support to .sdkmanrc file by <a href="https://github.com/lukaszgyg"><code>@lukaszgyg</code></a> in <a href="https://redirect.github.com/actions/setup-java/pull/975">actions/setup-java#975</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/jmjaffe37"><code>@jmjaffe37</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-java/pull/1070">actions/setup-java#1070</a></li> <li><a href="https://github.com/gsmet"><code>@gsmet</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-java/pull/1017">actions/setup-java#1017</a></li> <li><a href="https://github.com/lukaszgyg"><code>@lukaszgyg</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-java/pull/975">actions/setup-java#975</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-java/compare/v5...v5.5.0">https://github.com/actions/setup-java/compare/v5...v5.5.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/setup-java/commit/0f481fcb613427c0f801b606911222b5b6f3083a"><code>0f481fc</code></a> feat: Add distribution detection support to .sdkmanrc file (<a href="https://redirect.github.com/actions/setup-java/issues/975">#975</a>)</li> <li><a href="https://github.com/actions/setup-java/commit/c4922bf8099a153c2ad2fa6c869b9e6fa8d21017"><code>c4922bf</code></a> docs: document problem matcher (and how to disable it), Maven Wrapper caching...</li> <li><a href="https://github.com/actions/setup-java/commit/6657b993409da921e0c021d82aa9c159601e7a27"><code>6657b99</code></a> feat: Add set-default option (<a href="https://redirect.github.com/actions/setup-java/issues/1017">#1017</a>)</li> <li><a href="https://github.com/actions/setup-java/commit/a50fdccef19f861401a6f00b7caa2abf98504acb"><code>a50fdcc</code></a> dist: Support Tencent Kona JDK (<a href="https://redirect.github.com/actions/setup-java/issues/672">#672</a>)</li> <li><a href="https://github.com/actions/setup-java/commit/77ee41d00e246422933200d520a0334a299f26e4"><code>77ee41d</code></a> fix: Maven Toolchains grows unexpectedly (<a href="https://redirect.github.com/actions/setup-java/issues/534">#534</a>)</li> <li><a href="https://github.com/actions/setup-java/commit/0765b158bfd14bd15c56facab447d138e1161193"><code>0765b15</code></a> chore(deps-dev): bump eslint-plugin-jest from 29.0.1 to 29.15.4 (<a href="https://redirect.github.com/actions/setup-java/issues/1074">#1074</a>)</li> <li><a href="https://github.com/actions/setup-java/commit/c712b2fb55a8deb2d59f204bd7aa86ac6f938c98"><code>c712b2f</code></a> Bump prettier from 3.6.2 to 3.9.1 (<a href="https://redirect.github.com/actions/setup-java/issues/1066">#1066</a>)</li> <li><a href="https://github.com/actions/setup-java/commit/733efaeaca653493004ffb895a11b2c6c316558e"><code>733efae</code></a> feat: Disable interactiveMode in generated Maven settings.xml (<a href="https://redirect.github.com/actions/setup-java/issues/1052">#1052</a>)</li> <li><a href="https://github.com/actions/setup-java/commit/6c4d4a5025dca6ad7cc86c839fadbcb66762ed3b"><code>6c4d4a5</code></a> feat: suppress Maven transfer progress via MAVEN_ARGS by default (add show-do...</li> <li><a href="https://github.com/actions/setup-java/commit/324b33387d37f5aa8878ea44bd7144864a316dee"><code>324b333</code></a> Fix arm64 e2e workflow tests mislabeled as x64 (<a href="https://redirect.github.com/actions/setup-java/issues/1073">#1073</a>)</li> <li>Additional commits viewable in <a href="https://github.com/actions/setup-java/compare/1bcf9fb12cf4aa7d266a90ae39939e61372fe520...0f481fcb613427c0f801b606911222b5b6f3083a">compare view</a></li> </ul> </details> <br /> Updates `slackapi/slack-github-action` from 3.0.3 to 3.0.5 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/slackapi/slack-github-action/releases">slackapi/slack-github-action's releases</a>.</em></p> <blockquote> <h2>Slack GitHub Action v3.0.5</h2> <h3>Patch Changes</h3> <ul> <li>96fddbe: fix: revert multiline yaml parsing indentation change</li> </ul> <h2>Slack GitHub Action v3.0.4</h2> <h3>Patch Changes</h3> <ul> <li>fa03fe4: refactor: send webhooks with the <a href="https://docs.slack.dev/tools/node-slack-sdk/webhook"><code>@slack/webhook</code></a> package</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md">slackapi/slack-github-action's changelog</a>.</em></p> <blockquote> <h1>slack-github-action</h1> <h2>3.0.5</h2> <h3>Patch Changes</h3> <ul> <li>96fddbe: fix: revert multiline yaml parsing indentation change</li> </ul> <h2>3.0.4</h2> <h3>Patch Changes</h3> <ul> <li>fa03fe4: refactor: send webhooks with the <a href="https://docs.slack.dev/tools/node-slack-sdk/webhook"><code>@slack/webhook</code></a> package</li> </ul> <h2>3.0.3</h2> <h3>Patch Changes</h3> <ul> <li>66834e4: feat: add instrumentation to address error rates</li> </ul> <h2>3.0.2</h2> <h3>Patch Changes</h3> <ul> <li>79529d7: fix: resolve url.parse deprecation warning for webhook techniques</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/slackapi/slack-github-action/commit/0d95c9a7becc1e6e297d76df9bc735c44f4cbcbc"><code>0d95c9a</code></a> chore: release</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/be88bdd2ad70e7e65d9461589015dfab0bc8091b"><code>be88bdd</code></a> chore: release (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/639">#639</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/96fddbee311758285dd3a955c31f46461cfcf37d"><code>96fddbe</code></a> fix: revert multiline yaml parsing indentation change (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/638">#638</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/e1f137c5c0eed1b85746efc54220dcf0f56288a7"><code>e1f137c</code></a> chore: release (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/636">#636</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/fa03fe462514b3727d580f8540e102de2dd02a14"><code>fa03fe4</code></a> refactor: send webhooks with the <code>@slack/webhook</code> package (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/630">#630</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/0539f0d08391131bfc449a21c97440ef33468c21"><code>0539f0d</code></a> build(deps): bump js-yaml from 4.2.0 to 5.2.0 (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/635">#635</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/2a276476b7da5fcc570333b80422906369651e17"><code>2a27647</code></a> build(deps): bump axios from 1.16.0 to 1.18.1 (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/634">#634</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/84efc65e7fb7975431981a893f68627c1622e3e8"><code>84efc65</code></a> build(deps-dev): bump <code>@types/node</code> from 24.12.4 to 24.13.2 (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/633">#633</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/c61fe04c35be859ccce69d77fef1801bdfd7c690"><code>c61fe04</code></a> build(deps-dev): bump <code>@biomejs/biome</code> from 2.4.16 to 2.5.1 (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/632">#632</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/a2a53628943935f4ec3d13b0e285b247004dbdba"><code>a2a5362</code></a> build(deps-dev): bump typescript from 6.0.2 to 6.0.3 (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/631">#631</a>)</li> <li>Additional commits viewable in <a href="https://github.com/slackapi/slack-github-action/compare/45a88b9581bfab2566dc881e2cd66d334e621e2c...0d95c9a7becc1e6e297d76df9bc735c44f4cbcbc">compare view</a></li> </ul> </details> <br /> Updates `aws-actions/configure-aws-credentials` from 6.2.1 to 6.2.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/aws-actions/configure-aws-credentials/releases">aws-actions/configure-aws-credentials's releases</a>.</em></p> <blockquote> <h2>v6.2.2</h2> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.2.1...v6.2.2">6.2.2</a> (2026-07-07)</h2> <h3>Miscellaneous Chores</h3> <ul> <li>release 6.2.2 (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/d01d678e65d6d2bd9d5ca7a95d6f07b00e25f2c2">d01d678</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md">aws-actions/configure-aws-credentials's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <p>All notable changes to this project will be documented in this file. See <a href="https://github.com/conventional-changelog/standard-version">standard-version</a> for commit guidelines.</p> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.2.1...v6.2.2">6.2.2</a> (2026-07-07)</h2> <h3>Miscellaneous Chores</h3> <ul> <li>release 6.2.2 (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/d01d678e65d6d2bd9d5ca7a95d6f07b00e25f2c2">d01d678</a>)</li> </ul> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.2.0...v6.2.1">6.2.1</a> (2026-06-26)</h2> <h3>Bug Fixes</h3> <ul> <li>enforce allowed-account-ids on all auth paths (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1847">#1847</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/4d281fbc56a82e63c3fc14f2cc22361f34c97493">4d281fb</a>)</li> </ul> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.3...v6.2.0">6.2.0</a> (2026-06-01)</h2> <h3>Features</h3> <ul> <li>add additional session tags by default (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1775">#1775</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/e0ba7685077379a14a82d01fefd511490344ebfc">e0ba768</a>)</li> <li>add more retry logic and better logging (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1764">#1764</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/540d0c13aedb8d55501d220bd2f0b3cdedfe84e8">540d0c1</a>)</li> <li>add regex validation to role-session-name (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1765">#1765</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/e35449909c6ede5083a48ba4b8bbfaaa1cf09ba1">e354499</a>)</li> <li>Allow custom session tags to be passed when assuming a role (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1759">#1759</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/61f50f630f383628add73c1eab3f1935ba07da2b">61f50f6</a>)</li> <li>expose run id in STS client user-agent (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1774">#1774</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/29d1be30273e7ef371d59fccf6ec54572c64ec89">29d1be3</a>)</li> <li>support custom STS endpoints (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1762">#1762</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/8d52d05d7a4521fa52b39de50cb6114b12e5c332">8d52d05</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li>skip credential check on output-env-credentials: false (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1778">#1778</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/58e7c47adf77846879008deadfeeef8a6969fe6c">58e7c47</a>)</li> <li>assumeRole failing from session tag size too large (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1808">#1808</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/d6f5dc331b44474b19a52caaf85fa4d637b13c8e">d6f5dc3</a>)</li> </ul> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.2...v6.1.3">6.1.3</a> (2026-05-28)</h2> <h3>Bug Fixes</h3> <ul> <li>fix: allow kubelet token symlink in <a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1805">#1805</a></li> </ul> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.1...v6.1.2">6.1.2</a> (2026-05-26)</h2> <h3>Bug Fixes</h3> <ul> <li>additional filesystem checks (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1799">#1799</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/c39f282697aca8a78c522ecf1f7da9899a31432c">c39f282</a>)</li> </ul> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.0...v6.1.1">6.1.1</a> (2026-05-05)</h2> <h3>Miscellaneous Chores</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/517a711dbcd0e402f90c77e7e2f81e849156e31d"><code>517a711</code></a> chore(main): release 6.2.2 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1876">#1876</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/d01d678e65d6d2bd9d5ca7a95d6f07b00e25f2c2"><code>d01d678</code></a> chore: release 6.2.2</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/8efa52b2848773c500aa10726e251480b1a9eef6"><code>8efa52b</code></a> chore(deps-dev): bump vitest dependencies (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1874">#1874</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/8e1eed5c14c0831e3e8d3e79a355207770cfc534"><code>8e1eed5</code></a> chore(deps-dev): bump <code>@smithy/property-provider</code> from 4.4.4 to 4.4.6 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1869">#1869</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/112421a93aaa67421f2d14d7c469df0e5ca60e47"><code>112421a</code></a> chore(deps-dev): bump <code>@biomejs/biome</code> from 2.5.1 to 2.5.2 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1868">#1868</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/fbc01c6585c59a56334d4803ca1f3f249a5fba3f"><code>fbc01c6</code></a> chore(deps-dev): bump <code>@types/node</code> from 26.0.1 to 26.1.0 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1871">#1871</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/b12ca875eb3037b4cfbc4aa347bd62e1b475d439"><code>b12ca87</code></a> chore(deps-dev): bump memfs from 4.57.8 to 4.58.0 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1873">#1873</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/d314f7f43d28771d47678a1ad87f05976e241846"><code>d314f7f</code></a> chore: Update dist</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/a53b65b84a3cea262b96b50376e409283f6f818b"><code>a53b65b</code></a> chore(deps): bump <code>@aws-sdk/client-sts</code> from 3.1076.0 to 3.1080.0 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1867">#1867</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/338d2c18392e9b3ace741e4547b315bda30f7b02"><code>338d2c1</code></a> chore(deps-dev): bump sigstore from 4.1.0 to 4.1.1 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1864">#1864</a>)</li> <li>Additional commits viewable in <a href="https://github.com/aws-actions/configure-aws-credentials/compare/254c19bd240aabef8777f48595e9d2d7b972184b...517a711dbcd0e402f90c77e7e2f81e849156e31d">compare view</a></li> </ul> </details> <br /> Updates `github/codeql-action/init` from 4.36.2 to 4.37.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action/init's releases</a>.</em></p> <blockquote> <h2>v4.37.0</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li> <li>In addition to the existing input format, the <code>config-file</code> input for the <code>codeql-action/init</code> step will soon support a new <code>[owner/]repo[@ref][:path]</code> format. All components except the repository name are optional. If omitted, <code>owner</code> defaults to the same owner as the repository the analysis is running for, <code>ref</code> to <code>main</code>, and <code>path</code> to <code>.github/codeql-action.yaml</code>. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. <a href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li> </ul> <h2>v4.36.3</h2> <p>No user facing changes.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action/init's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <ul> <li><em>Upcoming breaking change</em>: Add a deprecation warning for customers using CodeQL version 2.20.6 and earlier. These versions of CodeQL were discontinued on 1 July 2026 alongside GitHub Enterprise Server 3.16, and will be unsupported by the next minor release of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3956">#3956</a></li> </ul> <h2>4.37.0 - 08 Jul 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li> <li>In addition to the existing input format, the <code>config-file</code> input for the <code>codeql-action/init</code> step will soon support a new <code>[owner/]repo[@ref][:path]</code> format. All components except the repository name are optional. If omitted, <code>owner</code> defaults to the same owner as the repository the analysis is running for, <code>ref</code> to <code>main</code>, and <code>path</code> to <code>.github/codeql-action.yaml</code>. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. <a href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li> </ul> <h2>4.36.3 - 01 Jul 2026</h2> <p>No user facing changes.</p> <h2>4.36.2 - 04 Jun 2026</h2> <ul> <li>Cache CodeQL CLI version information across Actions steps. <a href="https://redirect.github.com/github/codeql-action/pull/3943">#3943</a></li> <li>Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. <a href="https://redirect.github.com/github/codeql-action/pull/3937">#3937</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6">2.25.6</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3948">#3948</a></li> </ul> <h2>4.36.1 - 02 Jun 2026</h2> <p>No user facing changes.</p> <h2>4.36.0 - 22 May 2026</h2> <ul> <li><em>Breaking change</em>: Bump the minimum required CodeQL bundle version to 2.19.4. <a href="https://redirect.github.com/github/codeql-action/pull/3894">#3894</a></li> <li>Add support for SHA-256 Git object IDs. <a href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5">2.25.5</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3926">#3926</a></li> </ul> <h2>4.35.5 - 15 May 2026</h2> <ul> <li>We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3899">#3899</a></li> <li>For performance and accuracy reasons, <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. <a href="https://redirect.github.com/github/codeql-action/pull/3791">#3791</a></li> <li>If multiple inputs are provided for the GitHub-internal <code>analysis-kinds</code> input, only <code>code-scanning</code> will be enabled. The <code>analysis-kinds</code> input is experimental, for GitHub-internal use only, and may change without notice at any time. <a href="https://redirect.github.com/github/codeql-action/pull/3892">#3892</a></li> <li>Added an experimental change which, when running a Code Scanning analysis for a PR with <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. <a href="https://redirect.github.com/github/codeql-action/pull/3880">#3880</a></li> </ul> <h2>4.35.4 - 07 May 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li> </ul> <h2>4.35.3 - 01 May 2026</h2> <ul> <li><em>Upcoming breaking change</em>: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li> <li>Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. <a href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li> <li>Best-effort connection tests for private registries now use <code>GET</code> requests instead of <code>HEAD</code> for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. <a href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li> <li>Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. <a href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/99df26d4f13ea111d4ec1a7dddef6063f76b97e9"><code>99df26d</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3996">#3996</a> from github/update-v4.37.0-c7c896d71</li> <li><a href="https://github.com/github/codeql-action/commit/31c27074fda95256cda077009907f8a6022dd7c0"><code>31c2707</code></a> Add changenote for <a href="https://redirect.github.com/github/codeql-action/issues/3973">#3973</a></li> <li><a href="https://github.com/github/codeql-action/commit/72df2181aac054d1f4b44264399d2aac12cf11c6"><code>72df218</code></a> Update changelog for v4.37.0</li> <li><a href="https://github.com/github/codeql-action/commit/c7c896d71b3055d36f2aff93b16bcc6c69923b91"><code>c7c896d</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3995">#3995</a> from github/update-bundle/codeql-bundle-v2.26.0</li> <li><a href="https://github.com/github/codeql-action/commit/3f34ff0ea3f5153c96071437b7cbf71ea3757146"><code>3f34ff0</code></a> Add changelog note</li> <li><a href="https://github.com/github/codeql-action/commit/43bec09f1dc368b430cab4b5d69799bc904079d1"><code>43bec09</code></a> Update default bundle to codeql-bundle-v2.26.0</li> <li><a href="https://github.com/github/codeql-action/commit/f58f0d11ebf5dedd870fab2f999275f7602cfa46"><code>f58f0d1</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3973">#3973</a> from github/mbg/repo-props/config-file-shorthands</li> <li><a href="https://github.com/github/codeql-action/commit/7dc37cbb5b3e37f0e1cd1f18b61e0ea849898fb8"><code>7dc37cb</code></a> Merge remote-tracking branch 'origin/main' into mbg/repo-props/config-file-sh...</li> <li><a href="https://github.com/github/codeql-action/commit/8e22350a7e28c34c82a5a499fc241923301c2c4f"><code>8e22350</code></a> Thread <code>ActionState</code> to <code>initConfig</code></li> <li><a href="https://github.com/github/codeql-action/commit/69c9e8c7d918cf2fee13b8b72fdde15883ff155b"><code>69c9e8c</code></a> Mark some <code>status-report</code> imports as <code>type</code>-only to avoid circular dependencies</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/8aad20d150bbac5944a9f9d289da16a4b0d87c1e...99df26d4f13ea111d4ec1a7dddef6063f76b97e9">compare view</a></li> </ul> </details> <br /> Updates `github/codeql-action/autobuild` from 4.36.2 to 4.37.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action/autobuild's releases</a>.</em></p> <blockquote> <h2>v4.37.0</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li> <li>In addition to the existing input format, the <code>config-file</code> input for the <code>codeql-action/init</code> step will soon support a new <code>[owner/]repo[@ref][:path]</code> format. All components except the repository name are optional. If omitted, <code>owner</code> defaults to the same owner as the repository the analysis is running for, <code>ref</code> to <code>main</code>, and <code>path</code> to <code>.github/codeql-action.yaml</code>. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. <a href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li> </ul> <h2>v4.36.3</h2> <p>No user facing changes.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action/autobuild's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <ul> <li><em>Upcoming breaking change</em>: Add a deprecation warning for customers using CodeQL version 2.20.6 and earlier. These versions of CodeQL were discontinued on 1 July 2026 alongside GitHub Enterprise Server 3.16, and will be unsupported by the next minor release of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3956">#3956</a></li> </ul> <h2>4.37.0 - 08 Jul 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li> <li>In addition to the existing input format, the <code>config-file</code> input for the <code>codeql-action/init</code> step will soon support a new <code>[owner/]repo[@ref][:path]</code> format. All components except the repository name are optional. If omitted, <code>owner</code> defaults to the same owner as the repository the analysis is running for, <code>ref</code> to <code>main</code>, and <code>path</code> to <code>.github/codeql-action.yaml</code>. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. <a href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li> </ul> <h2>4.36.3 - 01 Jul 2026</h2> <p>No user facing changes.</p> <h2>4.36.2 - 04 Jun 2026</h2> <ul> <li>Cache CodeQL CLI version information across Actions steps. <a href="https://redirect.github.com/github/codeql-action/pull/3943">#3943</a></li> <li>Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. <a href="https://redirect.github.com/github/codeql-action/pull/3937">#3937</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6">2.25.6</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3948">#3948</a></li> </ul> <h2>4.36.1 - 02 Jun 2026</h2> <p>No user facing changes.</p> <h2>4.36.0 - 22 May 2026</h2> <ul> <li><em>Breaking change</em>: Bump the minimum required CodeQL bundle version to 2.19.4. <a href="https://redirect.github.com/github/codeql-action/pull/3894">#3894</a></li> <li>Add support for SHA-256 Git object IDs. <a href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5">2.25.5</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3926">#3926</a></li> </ul> <h2>4.35.5 - 15 May 2026</h2> <ul> <li>We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3899">#3899</a></li> <li>For performance and accuracy reasons, <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. <a href="https://redirect.github.com/github/codeql-action/pull/3791">#3791</a></li> <li>If multiple inputs are provided for the GitHub-internal <code>analysis-kinds</code> input, only <code>code-scanning</code> will be enabled. The <code>analysis-kinds</code> input is experimental, for GitHub-internal use only, and may change without notice at any time. <a href="https://redirect.github.com/github/codeql-action/pull/3892">#3892</a></li> <li>Added an experimental change which, when running a Code Scanning analysis for a PR with <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. <a href="https://redirect.github.com/github/codeql-action/pull/3880">#3880</a></li> </ul> <h2>4.35.4 - 07 May 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li> </ul> <h2>4.35.3 - 01 May 2026</h2> <ul> <li><em>Upcoming breaking change</em>: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li> <li>Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. <a href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li> <li>Best-effort connection tests for private registries now use <code>GET</code> requests instead of <code>HEAD</code> for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. <a href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li> <li>Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. <a href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/99df26d4f13ea111d4ec1a7dddef6063f76b97e9"><code>99df26d</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3996">#3996</a> from github/update-v4.37.0-c7c896d71</li> <li><a href="https://github.com/github/codeql-action/commit/31c27074fda95256cda077009907f8a6022dd7c0"><code>31c2707</code></a> Add changenote for <a href="https://redirect.github.com/github/codeql-action/issues/3973">#3973</a></li> <li><a href="https://github.com/github/codeql-action/commit/72df2181aac054d1f4b44264399d2aac12cf11c6"><code>72df218</code></a> Update changelog for v4.37.0</li> <li><a href="https://github.com/github/codeql-action/commit/c7c896d71b3055d36f2aff93b16bcc6c69923b91"><code>c7c896d</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3995">#3995</a> from github/update-bundle/codeql-bundle-v2.26.0</li> <li><a href="https://github.com/github/codeql-action/commit/3f34ff0ea3f5153c96071437b7cbf71ea3757146"><code>3f34ff0</code></a> Add changelog note</li> <li><a href="https://github.com/github/codeql-action/commit/43bec09f1dc368b430cab4b5d69799bc904079d1"><code>43bec09</code></a> Update default bundle to codeql-bundle-v2.26.0</li> <li><a href="https://github.com/github/codeql-action/commit/f58f0d11ebf5dedd870fab2f999275f7602cfa46"><code>f58f0d1</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3973">#3973</a> from github/mbg/repo-props/config-file-shorthands</li> <li><a href="https://github.com/github/codeql-action/commit/7dc37cbb5b3e37f0e1cd1f18b61e0ea849898fb8"><code>7dc37cb</code></a> Merge remote-tracking branch 'origin/main' into mbg/repo-props/config-file-sh...</li> <li><a href="https://github.com/github/codeql-action/commit/8e22350a7e28c34c82a5a499fc241923301c2c4f"><code>8e22350</code></a> Thread <code>ActionState</code> to <code>initConfig</code></li> <li><a href="https://github.com/github/codeql-action/commit/69c9e8c7d918cf2fee13b8b72fdde15883ff155b"><code>69c9e8c</code></a> Mark some <code>status-report</code> imports as <code>type</code>-only to avoid circular dependencies</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/8aad20d150bbac5944a9f9d289da16a4b0d87c1e...99df26d4f13ea111d4ec1a7dddef6063f76b97e9">compare view</a></li> </ul> </details> <br /> Updates `github/codeql-action/analyze` from 4.36.2 to 4.37.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action/analyze's releases</a>.</em></p> <blockquote> <h2>v4.37.0</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li> <li>In addition to the existing input format, the <code>config-file</code> input for the <code>codeql-action/init</code> step will soon support a new <code>[owner/]repo[@ref][:path]</code> format. All components except the repository name are optional. If omitted, <code>owner</code> defaults to the same owner as the repository the analysis is running for, <code>ref</code> to <code>main</code>, and <code>path</code> to <code>.github/codeql-action.yaml</code>. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. <a href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li> </ul> <h2>v4.36.3</h2> <p>No user facing changes.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action/analyze's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <ul> <li><em>Upcoming breaking change</em>: Add a deprecation warning for customers using CodeQL version 2.20.6 and earlier. These versions of CodeQL were discontinued on 1 July 2026 alongside GitHub Enterprise Server 3.16, and will be unsupported by the next minor release of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3956">#3956</a></li> </ul> <h2>4.37.0 - 08 Jul 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li> <li>In addition to the existing input format, the <code>config-file</code> input for the <code>codeql-action/init</code> step will soon support a new <code>[owner/]repo[@ref][:path]</code> format. All components except the repository name are optional. If omitted, <code>owner</code> defaults to the same owner as the repository the analysis is running for, <code>ref</code> to <code>main</code>, and <code>path</code> to <code>.github/codeql-action.yaml</code>. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. <a href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li> </ul> <h2>4.36.3 - 01 Jul 2026</h2> <p>No user facing changes.</p> <h2>4.36.2 - 04 Jun 2026</h2> <ul> <li>Cache CodeQL CLI version information across Actions steps. <a href="https://redirect.github.com/github/codeql-action/pull/3943">#3943</a></li> <li>Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. <a href="https://redirect.github.com/github/codeql-action/pull/3937">#3937</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6">2.25.6</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3948">#3948</a></li> </ul> <h2>4.36.1 - 02 Jun 2026</h2> <p>No user facing changes.</p> <h2>4.36.0 - 22 May 2026</h2> <ul> <li><em>Breaking change</em>: Bump the minimum required CodeQL bundle version to 2.19.4. <a href="https://redirect.github.com/github/codeql-action/pull/3894">#3894</a></li> <li>Add support for SHA-256 Git object IDs. <a href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5">2.25.5</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3926">#3926</a></li> </ul> <h2>4.35.5 - 15 May 2026</h2> <ul> <li>We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3899">#3899</a></li> <li>For performance and accuracy reasons, <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. <a href="https://redirect.github.com/github/codeql-action/pull/3791">#3791</a></li> <li>If multiple inputs are provided for the GitHub-internal <code>analysis-kinds</code> input, only <code>code-scanning</code> will be enabled. The <code>analysis-kinds</code> input is experimental, for GitHub-internal use only, and may change without notice at any time. <a href="https://redirect.github.com/github/codeql-action/pull/3892">#3892</a></li> <li>Added an experimental change which, when running a Code Scanning analysis for a PR with <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. <a href="https://redirect.github.com/github/codeql-action/pull/3880">#3880</a></li> </ul> <h2>4.35.4 - 07 May 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li> </ul> <h2>4.35.3 - 01 May 2026</h2> <ul> <li><em>Upcoming breaking change</em>: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li> <li>Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. <a href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li> <li>Best-effort connection tests for private registries now use <code>GET</code> requests instead of <code>HEAD</code> for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. <a href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li> <li>Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. <a href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/99df26d4f13ea111d4ec1a7dddef6063f76b97e9"><code>99df26d</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3996">#3996</a> from github/update-v4.37.0-c7c896d71</li> <li><a href="https://github.com/github/codeql-action/commit/31c27074fda95256cda077009907f8a6022dd7c0"><code>31c2707</code></a> Add changenote for <a href="https://redirect.github.com/github/codeql-action/issues/3973">#3973</a></li> <li><a href="https://github.com/github/codeql-action/commit/72df2181aac054d1f4b44264399d2aac12cf11c6"><code>72df218</code></a> Update changelog for v4.37.0</li> <li><a href="https://github.com/github/codeql-action/commit/c7c896d71b3055d36f2aff93b16bcc6c69923b91"><code>c7c896d</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3995">#3995</a> from github/update-bundle/codeql-bundle-v2.26.0</li> <li><a href="https://github.com/github/codeql-action/commit/3f34ff0ea3f5153c96071437b7cbf71ea3757146"><code>3f34ff0</code></a> Add changelog note</li> <li><a href="https://github.com/github/codeql-action/commit/43bec09f1dc368b430cab4b5d69799bc904079d1"><code>43bec09</code></a> Update default bundle to codeql-bundle-v2.26.0</li> <li><a href="https://github.com/github/codeql-action/commit/f58f0d11ebf5dedd870fab2f999275f7602cfa46"><code>f58f0d1</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3973">#3973</a> from github/mbg/repo-props/config-file-shorthands</li> <li><a href="https://github.com/github/codeql-action/commit/7dc37cbb5b3e37f0e1cd1f18b61e0ea849898fb8"><code>7dc37cb</code></a> Merge remote-tracking branch 'origin/main' into mbg/repo-props/config-file-sh...</li> <li><a href="https://github.com/github/codeql-action/commit/8e22350a7e28c34c82a5a499fc241923301c2c4f"><code>8e22350</code></a> Thread <code>ActionState</code> to <code>initConfig</code></li> <li><a href="https://github.com/github/codeql-action/commit/69c9e8c7d918cf2fee13b8b72fdde15883ff155b"><code>69c9e8c</code></a> Mark some <code>status-report</code> imports as <code>type</code>-only to avoid circular dependencies</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/8aad20d150bbac5944a9f9d289da16a4b0d87c1e...99df26d4f13ea111d4ec1a7dddef6063f76b97e9">compare view</a></li> </ul> </details> <br /> Updates `actions/stale` from 10.3.0 to 10.4.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/stale/releases">actions/stale's releases</a>.</em></p> <blockquote> <h2>v10.4.0</h2> <h2>What's Changed</h2> <h3>Bug Fix</h3> <ul> <li>Fixed <code>only-issue-types</code> validation by <a href="https://github.com/trueberryless"><code>@trueberryless</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1338">actions/stale#1338</a></li> </ul> <h3>Dependency Updates</h3> <ul> <li>Bump undici to 6.27.0 via override, clean up stale license files, and version to 10.4.0. by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1342">actions/stale#1342</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/trueberryless"><code>@trueberryless</code></a> made their first contribution in <a href="https://redirect.github.com/actions/stale/pull/1338">actions/stale#1338</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/stale/compare/v10.3.0...v10.4.0">https://github.com/actions/stale/compare/v10.3.0...v10.4.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/stale/commit/1e223db275d687790206a7acac4d1a11bd6fe629"><code>1e223db</code></a> Bump undici to 6.27.0 via override, clean up stale license files, and version...</li> <li><a href="https://github.com/actions/stale/commit/9461cb10066d1553762bac6a02599ab8c26b14dd"><code>9461cb1</code></a> fix: <code>only-issue-types</code> does not affect PRs (<a href="https://redirect.github.com/actions/stale/issues/1338">#1338</a>)</li> <li>See full diff in <a href="https://github.com/actions/stale/compare/eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899...1e223db275d687790206a7acac4d1a11bd6fe629">compare view</a></li> </ul> </details> <br /> Updates `astral-sh/setup-uv` from 8.2.0 to 8.3.2 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/astral-sh/setup-uv/commit/11f9893b081a58869d3b5fccaea48c9e9e46f990"><code>11f9893</code></a> chore: roll up Dependabot updates (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/948">#948</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/f79855603231e1609d02bec6956bd0e05cbc46b5"><code>f798556</code></a> docs: update version references to v8.3.1 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/946">#946</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/e80544d808267c93733c3fd1e2c8c65e0c8707d6"><code>e80544d</code></a> chore: update known checksums for 0.11.28 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/947">#947</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/f98e06938123ccabd21905ea5d0069192241f9f1"><code>f98e069</code></a> Change update-docs PR labels from 'update-docs' to 'documentation' (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/945">#945</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/cd462639a967553a16241af35461402a96978d48"><code>cd46263</code></a> chore: update known checksums for 0.11.27 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/944">#944</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/11245c7e122cd1c2297e8115d1e43fe1570f6270"><code>11245c7</code></a> docs: update version references to v8.3.0 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/939">#939</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/d31148d669074a8d0a63714ba94f3201e7020bc3"><code>d31148d</code></a> Strip environment markers from detected uv dependency pins (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/938">#938</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/17c398959b4611a88929fabb5c563a8e43a0ff60"><code>17c3989</code></a> Fix cache keys for Python version ranges (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/937">#937</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/3cc3c11fdf511cab39136b7c946d973d4ad0df20"><code>3cc3c11</code></a> chore(deps): roll up Dependabot updates (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/936">#936</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/9225f843d7a9f80a757cf25ef48901fda69ba4bc"><code>9225f84</code></a> chore(deps): bump release-drafter/release-drafter from 7.3.1 to 7.4.0 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/924">#924</a>)</li> <li>Additional commits viewable in <a href="https://github.com/astral-sh/setup-uv/compare/fac544c07dec837d0ccb6301d7b5580bf5edae39...11f9893b081a58869d3b5fccaea48c9e9e46f990">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
