ci(deps): bump the actions group across 1 directory with 10 updates

[dependabot]

Bumps the actions group with 10 updates in the / directory:

Package	From	To
actions/upload-artifact	7.0.0	7.0.1
golangci/golangci-lint-action	9.2.0	9.2.1
aquasecurity/trivy-action	0.35.0	0.36.0
actions/cache	5.0.4	5.0.5
marocchino/sticky-pull-request-comment	3.0.3	3.0.4
actions/github-script	8.0.0	9.0.0
codecov/codecov-action	6.0.0	6.0.1
actions/setup-node	6.3.0	6.4.0
goreleaser/goreleaser-action	7.0.0	7.2.2
github/codeql-action	4.35.1	4.36.0

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

• Update the readme with direct upload details by @​danwkennedy in actions/upload-artifact#795
• Readme: bump all the example versions to v7 by @​danwkennedy in actions/upload-artifact#796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in actions/upload-artifact#797

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits

• 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
• 634250c Include changes in typespec/ts-http-runtime 0.3.5
• e454baa Readme: bump all the example versions to v7 (#796)
• 74fad66 Update the readme with direct upload details (#795)
• See full diff in compare view

Updates golangci/golangci-lint-action from 9.2.0 to 9.2.1

Release notes

Sourced from golangci/golangci-lint-action's releases.

v9.2.1

What's Changed

IMPORTANT: this is the first immutable release.

Changes

• chore: improve workflows by @​ldez in golangci/golangci-lint-action#1394

Dependencies

• build(deps-dev): bump the dev-dependencies group with 3 updates by @​dependabot[bot] in golangci/golangci-lint-action#1325
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1326
• build(deps): bump the dependencies group with 4 updates by @​dependabot[bot] in golangci/golangci-lint-action#1327
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1328
• build(deps): bump @​types/node from 25.0.2 to 25.0.3 in the dependencies group by @​dependabot[bot] in golangci/golangci-lint-action#1329
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1330
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1332
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1333
• build(deps): bump the dependencies group with 6 updates by @​dependabot[bot] in golangci/golangci-lint-action#1334
• build(deps-dev): bump the dev-dependencies group with 4 updates by @​dependabot[bot] in golangci/golangci-lint-action#1335
• build(deps): bump the dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1336
• build(deps-dev): bump the dev-dependencies group with 3 updates by @​dependabot[bot] in golangci/golangci-lint-action#1337
• build(deps): bump @​types/node from 25.0.9 to 25.0.10 in the dependencies group by @​dependabot[bot] in golangci/golangci-lint-action#1338
• build(deps): bump fast-xml-parser from 5.3.3 to 5.3.4 by @​dependabot[bot] in golangci/golangci-lint-action#1339
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1340
• build(deps-dev): bump the dev-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in golangci/golangci-lint-action#1344
• build(deps): bump fast-xml-parser from 5.3.4 to 5.3.6 by @​dependabot[bot] in golangci/golangci-lint-action#1346
• build(deps): bump minimatch by @​dependabot[bot] in golangci/golangci-lint-action#1348
• build(deps): bump minimatch from 3.1.3 to 3.1.5 by @​dependabot[bot] in golangci/golangci-lint-action#1350
• build(deps): bump fast-xml-parser from 5.3.6 to 5.4.1 by @​dependabot[bot] in golangci/golangci-lint-action#1351
• build(deps): bump fast-xml-parser from 5.4.1 to 5.5.6 by @​dependabot[bot] in golangci/golangci-lint-action#1357
• build(deps): bump fast-xml-parser from 5.5.6 to 5.5.7 by @​dependabot[bot] in golangci/golangci-lint-action#1358
• build(deps-dev): bump flatted from 3.3.3 to 3.4.2 by @​dependabot[bot] in golangci/golangci-lint-action#1359
• build(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in golangci/golangci-lint-action#1364
• build(deps): bump yaml from 2.8.2 to 2.8.3 by @​dependabot[bot] in golangci/golangci-lint-action#1365
• build(deps): bump brace-expansion by @​dependabot[bot] in golangci/golangci-lint-action#1370
• build(deps-dev): bump the dev-dependencies group across 1 directory with 7 updates by @​ldez in golangci/golangci-lint-action#1374
• build(deps): bump github/codeql-action from 4 to 4.35.2 by @​dependabot[bot] in golangci/golangci-lint-action#1384
• build(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 by @​dependabot[bot] in golangci/golangci-lint-action#1386
• build(deps): bump github/codeql-action from 4.35.2 to 4.35.3 by @​dependabot[bot] in golangci/golangci-lint-action#1389
• build(deps): bump github/codeql-action from 4.35.3 to 4.35.4 by @​dependabot[bot] in golangci/golangci-lint-action#1391

Full Changelog: golangci/golangci-lint-action@v9.2.0...v9.2.1

Commits

• 82606bf chore: prepare release v9.2.1
• 97c8387 chore: improve workflows (#1394)
• 28d0a19 build(deps): bump the dependencies group across 1 directory with 2 updates
• 633fbc7 build(deps): bump github/codeql-action from 4.35.3 to 4.35.4 (#1391)
• 59f43e2 build(deps): bump github/codeql-action from 4.35.2 to 4.35.3 (#1389)
• 9eb174e build(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 (#1386)
• 4f52504 build(deps): bump github/codeql-action from 4 to 4.35.2 (#1384)
• 6f87dfd docs: update examples
• c9500d7 chore: improve workflows
• 03b1faa chore: improve issue templates
• Additional commits viewable in compare view

Updates aquasecurity/trivy-action from 0.35.0 to 0.36.0

Release notes

Sourced from aquasecurity/trivy-action's releases.

v0.36.0

What's Changed

• chore(ci): update bump-trivy workflow by @​DmitriyLewen in aquasecurity/trivy-action#546
• ci: use action.yaml as single source of truth for Trivy version by @​nikpivkin in aquasecurity/trivy-action#552
• ci: replace peter-evans/create-pull-request with gh CLI by @​nikpivkin in aquasecurity/trivy-action#550
• test: use pinned digests for trivy-db, trivy-java-db and trivy-checks by @​nikpivkin in aquasecurity/trivy-action#555
• ci: add dependabot config by @​nikpivkin in aquasecurity/trivy-action#556
• chore: add zizmor config by @​nikpivkin in aquasecurity/trivy-action#557
• chore(deps): bump the actions group with 5 updates by @​dependabot[bot] in aquasecurity/trivy-action#558
• fix: use portable shebang in entrypoint.sh by @​Hayao0819 in aquasecurity/trivy-action#545
• Fix typo in GOOGLE_APPLICATION_CREDENTIALS env var name by @​patrik-csak in aquasecurity/trivy-action#547
• Upgrade Trivy action version from 0.33.1 to 0.35.0 fixes #549 by @​Aditya09-cse in aquasecurity/trivy-action#548
• chore: use GitHub Actions as git commit author in bump-trivy workflow by @​nikpivkin in aquasecurity/trivy-action#561
• chore(deps): Update trivy to v0.70.0 by @​Argon-DevOps-Mgt in aquasecurity/trivy-action#559
• chore: update action version to v0.36.0 in examples by @​nikpivkin in aquasecurity/trivy-action#563

New Contributors

• @​dependabot[bot] made their first contribution in aquasecurity/trivy-action#558
• @​Hayao0819 made their first contribution in aquasecurity/trivy-action#545
• @​patrik-csak made their first contribution in aquasecurity/trivy-action#547
• @​Aditya09-cse made their first contribution in aquasecurity/trivy-action#548
• @​Argon-DevOps-Mgt made their first contribution in aquasecurity/trivy-action#559

Full Changelog: aquasecurity/trivy-action@v0.35.0...v0.36.0

Commits

• ed142fd chore: update action version to v0.36.0 in examples (#563)
• dea62cf chore(deps): Update trivy to v0.70.0 (#559)
• 128d9a8 chore: use GitHub Actions as git commit author in bump-trivy workflow (#561)
• 876cf04 Upgrade Trivy action version from 0.33.1 to 0.35.0 fixes #549 (#548)
• dada784 Fix typo in GOOGLE_APPLICATION_CREDENTIALS env var name (#547)
• 4a2deec fix: use portable shebang in entrypoint.sh (#545)
• 1994662 chore(deps): bump the actions group with 5 updates (#558)
• 6b36659 chore: add zizmor config (#557)
• 316aa5a ci: add dependabot config (#556)
• 264c9c5 test: use pinned digests for trivy-db, trivy-java-db and trivy-checks (#555)
• Additional commits viewable in compare view

Updates actions/cache from 5.0.4 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in actions/cache#1747

Full Changelog: actions/cache@v5...v5.0.5

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

• 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
• f280785 licensed changes
• 619aeb1 npm run build generated dist files
• bcf16c2 Update ts-http-runtime to 0.3.5
• See full diff in compare view

Updates marocchino/sticky-pull-request-comment from 3.0.3 to 3.0.4

Release notes

Sourced from marocchino/sticky-pull-request-comment's releases.

v3.0.4

What's Changed

• build(deps-dev): Bump vite from 8.0.3 to 8.0.5 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1679
• build(deps-dev): Bump vitest from 4.1.2 to 4.1.3 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1680
• build(deps-dev): Bump @​types/node from 25.5.2 to 25.6.0 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1684
• build(deps): Bump @​actions/github from 9.0.0 to 9.1.0 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1683
• build(deps-dev): Bump vitest from 4.1.3 to 4.1.4 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1682
• build(deps-dev): Bump @​biomejs/biome from 2.4.10 to 2.4.11 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1681

Full Changelog: marocchino/sticky-pull-request-comment@v3.0.3...v3.0.4

Commits

• 0ea0beb 📦️ Build
• df6c1bd build(deps-dev): Bump @​biomejs/biome from 2.4.10 to 2.4.11 (#1681)
• 3ad213f build(deps-dev): Bump vitest from 4.1.3 to 4.1.4 (#1682)
• 58072e5 build(deps): Bump @​actions/github from 9.0.0 to 9.1.0 (#1683)
• 313a938 build(deps-dev): Bump @​types/node from 25.5.2 to 25.6.0 (#1684)
• 159c677 build(deps-dev): Bump vitest from 4.1.2 to 4.1.3 (#1680)
• b37c1a1 build(deps-dev): Bump vite from 8.0.3 to 8.0.5 (#1679)
• See full diff in compare view

Updates actions/github-script from 8.0.0 to 9.0.0

Release notes

Sourced from actions/github-script's releases.

v9.0.0

New features:

• getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
• Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

• require('@actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
• getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
• If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

• Add ACTIONS_ORCHESTRATION_ID to user-agent string by @​Copilot in actions/github-script#695
• ci: use deployment: false for integration test environments by @​salmanmkc in actions/github-script#712
• feat!: add getOctokit to script context, upgrade @​actions/github v9, @​octokit/core v7, and related packages by @​salmanmkc in actions/github-script#700

New Contributors

• @​Copilot made their first contribution in actions/github-script#695

Full Changelog: actions/github-script@v8.0.0...v9.0.0

Commits

• 3a2844b Merge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...
• ca10bbd fix: use @​octokit/core/types import for v7 compatibility
• 86e48e2 merge: incorporate main branch changes
• c108472 chore: rebuild dist for v9 upgrade and getOctokit factory
• afff112 Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...
• ff8117e ci: fix user-agent test to handle orchestration ID
• 81c6b78 ci: use deployment: false to suppress deployment noise from integration tests
• 3953caf docs: update README examples from @​v8 to @​v9, add getOctokit docs and v9 brea...
• c17d55b ci: add getOctokit integration test job
• a047196 test: add getOctokit integration tests via callAsyncFunction
• Additional commits viewable in compare view

Updates codecov/codecov-action from 6.0.0 to 6.0.1

Release notes

Sourced from codecov/codecov-action's releases.

v6.0.1

What's Changed

• fix: prevent template injection in run: steps (VULN-1652) by @​thomasrockhu-codecov in codecov/codecov-action#1947
• chore(release): 6.0.1 by @​thomasrockhu-codecov in codecov/codecov-action#1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

Changelog

Sourced from codecov/codecov-action's changelog.

v5.5.2

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in codecov/codecov-action#1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in codecov/codecov-action#1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in codecov/codecov-action#1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in codecov/codecov-action#1872
• docs: fix typo in README by @​datalater in codecov/codecov-action#1866
• Document a codecov-cli version reference example by @​webknjaz in codecov/codecov-action#1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in codecov/codecov-action#1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in codecov/codecov-action#1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

What's Changed

• feat: upgrade wrapper to 0.2.4 by @​jviall in codecov/codecov-action#1864
• Pin actions/github-script by Git SHA by @​martincostello in codecov/codecov-action#1859
• fix: check reqs exist by @​joseph-sentry in codecov/codecov-action#1835
• fix: Typo in README by @​spalmurray in codecov/codecov-action#1838
• docs: Refine OIDC docs by @​spalmurray in codecov/codecov-action#1837
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​app/dependabot in codecov/codecov-action#1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

v5.4.3

What's Changed

• build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by @​app/dependabot in codecov/codecov-action#1822
• fix: OIDC on forks by @​joseph-sentry in codecov/codecov-action#1823

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3

v5.4.2

... (truncated)

Commits

• e79a696 chore(release): 6.0.1 (#1949)
• 51e6422 fix: prevent template injection in run: steps (VULN-1652) (#1947)
• See full diff in compare view

Updates actions/setup-node from 6.3.0 to 6.4.0

Release notes

Sourced from actions/setup-node's releases.

v6.4.0

What's Changed

Dependency updates:

• Upgrade @​actions dependencies by @​Copilot in actions/setup-node#1525
• Update Node.js versions in versions.yml and bump package to v6.4.0 by @​priya-kinthali in actions/setup-node#1533

New Contributors

• @​Copilot made their first contribution in actions/setup-node#1525

Full Changelog: actions/setup-node@v6...v6.4.0

Commits

• 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
• ab72c7e Upgrade @​actions dependencies (#1525)
• See full diff in compare view

Updates goreleaser/goreleaser-action from 7.0.0 to 7.2.2

Release notes

Sourced from goreleaser/goreleaser-action's releases.

v7.2.2

What's Changed

• ci(deps): bump the actions group with 3 updates by @​dependabot[bot] in goreleaser/goreleaser-action#560
• fix: nightly resolution to select newest published release by @​Copilot in goreleaser/goreleaser-action#562

New Contributors

• @​Copilot made their first contribution in goreleaser/goreleaser-action#562

Full Changelog: goreleaser/goreleaser-action@v7...v7.2.2

v7.2.1

This fully removes the usage of the old nightly moving tag.

Full Changelog: goreleaser/goreleaser-action@v7.2.0...v7.2.1

v7.2.0

What's Changed

• test: cover install across release eras by @​caarlos0 in goreleaser/goreleaser-action#555
• feat: add version-file input by @​caarlos0 in goreleaser/goreleaser-action#556
• feat: resolve nightly to latest vX.Y.Z--nightly release by @​caarlos0 in goreleaser/goreleaser-action#558

Full Changelog: goreleaser/goreleaser-action@v7...v7.2.0

v7.1.0

What's Changed

• feat: verify release checksum and cosign signature by @​caarlos0 in goreleaser/goreleaser-action#550
• docs: document cosign verification in README by @​caarlos0 in goreleaser/goreleaser-action#553
• docs: Upgrade import GPG action version by @​flecno in goreleaser/goreleaser-action#547
• ci: drop docker-bake in favor of plain npm by @​caarlos0 in goreleaser/goreleaser-action#551
• ci: add release-major-tag workflow by @​caarlos0 in goreleaser/goreleaser-action#552
• ci: drop pre-cosign-v3 goreleaser versions from tests by @​caarlos0 in goreleaser/goreleaser-action#554
• ci(deps): bump the actions group with 2 updates by @​dependabot[bot] in goreleaser/goreleaser-action#543
• ci(deps): bump the actions group with 5 updates by @​dependabot[bot] in goreleaser/goreleaser-action#546
• chore(deps): bump undici from 6.23.0 to 6.24.1 by @​dependabot[bot] in goreleaser/goreleaser-action#545

New Contributors

• @​flecno made their first contribution in goreleaser/goreleaser-action#547

Full Changelog: goreleaser/goreleaser-action@v7...v7.1.0

Commits

• 5daf1e9 fix: nightly resolution to select newest published release (#562)
• 5cc7ebb ci: update actions
• 702f5f9 ci(deps): bump the actions group with 3 updates (#560)
• 1a80836 ci(nightly): pass GITHUB_TOKEN to nightly integration job
• a71152e refactor: drop legacy 'nightly' tag fallback
• 4c6ab56 feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release (#558)
• 4f96abf feat: add version-file input (#556)
• 15fa2a9 test: cover install across release eras (#555)
• e24998b ci: drop pre-cosign-v3 goreleaser versions from tests (#554)
• be2e8a3 docs: document cosign verification in README (#553)
• Additional commits viewable in compare view

Updates github/codeql-action from 4.35.1 to 4.36.0

Release notes

Sourced from github/codeql-action's releases.

v4.36.0

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
• Add support for SHA-256 Git object IDs. #3893
• Update default CodeQL bundle version to 2.25.5. #3926

v4.35.5

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v4.35.4

• Update default CodeQL bundle version to 2.25.4. #3881

v4.35.3

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

v4.35.2

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.36.0 - 22 May 2026

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
• Add support for SHA-256 Git object IDs. #3893
• Update default CodeQL bundle version to 2.25.5. #3926

4.35.5 - 15 May 2026

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

• Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. I...

  Description has been truncated

[github-actions]

🟢 Change Impact Analysis

Metric	Value
Risk Level	LOW 🟢
Files Changed	12
Symbols Changed	12
Directly Affected	0
Transitively Affected	0

Blast Radius: 0 modules, 0 files, 0 unique callers

📝 Changed Symbols (12)

Symbol	File	Type	Confidence
.github/workflows/build-matrix.yml	.github/workflows/build-matrix.yml	modified	30%
.github/workflows/ci.yml	.github/workflows/ci.yml	modified	30%
.github/workflows/ckb.yml	.github/workflows/ckb.yml	modified	30%
.github/workflows/cov.yml	.github/workflows/cov.yml	modified	30%
.github/workflows/nfr.yml	.github/workflows/nfr.yml	modified	30%
.github/workflows/release.yml	.github/workflows/release.yml	modified	30%
.github/workflows/security-dependencies.yml	.github/workflows/security-dependencies.yml	modified	30%
.github/workflows/security-gate.yml	.github/workflows/security-gate.yml	modified	30%
.github/workflows/security-sast-common.yml	.github/workflows/security-sast-common.yml	modified	30%
.github/workflows/security-sast-go.yml	.github/workflows/security-sast-go.yml	modified	30%
.github/workflows/security-sast-python.yml	.github/workflows/security-sast-python.yml	modified	30%
.github/workflows/security-secrets.yml	.github/workflows/security-secrets.yml	modified	30%

Recommendations

• ℹ️ coverage: 12 symbols have low mapping confidence. Index may be stale.
  • Action: Run 'ckb index' to refresh the SCIP index

---

_{Generated by CKB}

[github-actions]

CKB Analysis

🎯 12 changed → 0 affected · 🔥 12 hotspots · 📚 197 stale

Risk factors: Medium-sized PR with 12 files • Touches 12 hotspot(s)

👥 Suggested: @lisa.welsch1985@gmail.com (83%), @talantyyr@gmail.com (83%)

Metric	Value
Impact Analysis	12 symbols → 0 affected	🟢
Doc Coverage	6.598984771573605%	⚠️
Complexity	0 violations	✅
Coupling	0 gaps	✅
Blast Radius	0 modules, 0 files	✅
Index	indexed (0s)	🆕

🎯 Change Impact Analysis · 🟢 LOW · 12 changed → 0 affected

Metric	Value
Symbols Changed	12
Directly Affected	0
Transitively Affected	0
Modules in Blast Radius	0
Files in Blast Radius	0

Symbols changed in this PR:

• .github/workflows/build-matrix.yml [modified] (30%) — .github/workflows/build-matrix.yml
• .github/workflows/ci.yml [modified] (30%) — .github/workflows/ci.yml
• .github/workflows/ckb.yml [modified] (30%) — .github/workflows/ckb.yml
• .github/workflows/cov.yml [modified] (30%) — .github/workflows/cov.yml
• .github/workflows/nfr.yml [modified] (30%) — .github/workflows/nfr.yml
• .github/workflows/release.yml [modified] (30%) — .github/workflows/release.yml
• .github/workflows/security-dependencies.yml [modified] (30%) — .github/workflows/security-dependencies.yml
• .github/workflows/security-gate.yml [modified] (30%) — .github/workflows/security-gate.yml
• .github/workflows/security-sast-common.yml [modified] (30%) — .github/workflows/security-sast-common.yml
• .github/workflows/security-sast-go.yml [modified] (30%) — .github/workflows/security-sast-go.yml
• … and 2 more

Recommendations:

• ℹ️ 12 symbols have low mapping confidence. Index may be stale.
  • Action: Run 'ckb index' to refresh the SCIP index

🔥 Hotspots · 12 volatile files

File	Churn Score
.github/workflows/build-matrix.yml	1.37
.github/workflows/ci.yml	2.43
.github/workflows/ckb.yml	3.53
.github/workflows/cov.yml	2.01
.github/workflows/nfr.yml	2.74
.github/workflows/release.yml	2.01
.github/workflows/security-dependencies.yml	2.01
.github/workflows/security-gate.yml	1.37

📦 Modules · 1 at risk

	Module	Files
🔴	.github/workflows	12

💡 Quick wins · 10 suggestions

• 🟡 Add tests → internal/federation/contract_impact_test.go
• 🟡 Add tests → internal/query/navigation_extended_test.go
• 🟡 Add tests → internal/query/query_extended_test.go
• 🟡 Add tests → internal/mcp/tool_impls_test.go
• 🟡 Add tests → internal/daemon/daemon_test.go
• 🟢 Assign backup owner → internal/federation/contract_impact_test.go
• 🟢 Assign backup owner → internal/query/navigation_extended_test.go
• 🟢 Assign backup owner → internal/query/query_extended_test.go

📚 Stale docs · 197 broken references

• docs/CONTRIBUTING.md:108 → errors.New
• docs/CONTRIBUTING.md:108 → errors.SYMBOL_NOT_FOUND
• docs/CONTRIBUTING.md:111 → errors.Wrap
• docs/backlog/index-refresh-improvements.md:36 → watcher.Add
• docs/backlog/index-refresh-improvements.md:36 → filepath.Join
• docs/backlog/index-refresh-improvements.md:97 → time.Second
• docs/featureplans/change-impact-analysis-checklist.md:208 → coverage.out
• docs/featureplans/change-impact-analysis-checklist.md:214 → lcov.info
• docs/featureplans/change-impact-analysis-checklist.md:309 → coverage.out
• docs/featureplans/change-impact-analysis.md:448 → scip.SCIPIndex
• docs/featureplans/change-impact-analysis.md:478 → context.Context
• docs/featureplans/change-impact-analysis.md:669 → coverage.out
• docs/features/a2a/overview.md:41 → index.initialized
• docs/features/a2a/overview.md:42 → index.fresh
• docs/features/a2a/overview.md:43 → index.commitsBehind

---

_{Generated by CKB · Run details}

[github-actions]

CKB Review: ✅ PASS — 90/100

12 files (+64 changes) · 1 modules

Changes 12 files across 1 modules. No blocking issues found.

Check	Status	Detail
blast-radius	ℹ️ INFO	No symbols with callers in changes
hotspots	ℹ️ INFO	12 hotspot file(s) touched (top 10 shown)
format-consistency	✅ PASS	No format consistency issues
bug-patterns	✅ PASS	No bug patterns detected
coupling	✅ PASS	No missing co-change files
dead-code	✅ PASS	No dead code in changed files
unwired	✅ PASS	All exported symbols are reachable from entrypoints
complexity	✅ PASS	No significant complexity increase
breaking	✅ PASS	No breaking API changes
test-gaps	✅ PASS	All changed functions have tests
comment-drift	✅ PASS	No comment/code drift detected
health	✅ PASS	No significant health changes
secrets	✅ PASS	No secrets detected
risk	✅ PASS	Risk score: 0.45 (medium)
tests	✅ PASS	0 test(s) cover the changes
arch-health	⚪ SKIP	Cartographer not compiled in this build
layers	⚪ SKIP	Cartographer not compiled in this build

Change Breakdown

Category	Files	Review Priority
config	12	🟢 Quick check

Code Health

Estimated review: ~32min (moderate)

Reviewers: lisa.welsch1985 (83%) · talantyyr (83%)