Merge releases/v4 into releases/v3 #3929

Merged
oscarsj merged 79 commits into releases/v3 from backport-v3.36.0-7211b7c80
May 22, 2026

@github-actions

Merging 7211b7c into releases/v3.

Conductor for this PR is @oscarsj.

Contains the following pull requests:

Please do the following:

  • Ensure the CHANGELOG displays the correct version and date.
  • Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.
  • Check that there are not any unexpected commits being merged into the releases/v3 branch.
  • Ensure the docs team is aware of any documentation changes that need to be released.
  • Mark the PR as ready for review to trigger the full set of PR checks.
  • Approve and merge this PR. Make sure "Create a merge commit" is selected rather than "Squash and merge" or "Rebase and merge".

henrymercer and others added 30 commits May 12, 2026 18:24
This feature has been supported since CodeQL CLI v2.18.0, which is below the new minimum version.
This feature has been supported since CodeQL CLI v2.19.0
Bumps [sinon](https://github.com/sinonjs/sinon) from 21.1.2 to 22.0.0.
- [Release notes](https://github.com/sinonjs/sinon/releases)
- [Changelog](https://github.com/sinonjs/sinon/blob/main/docs/changelog.md)
- [Commits](sinonjs/sinon@v21.1.2...v22.0.0)

---
updated-dependencies:
- dependency-name: sinon
  dependency-version: 22.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
These jobs are not rate-limiting so we don't need to run them on larger runners.
The tests still can't run in parallel so I had to change `test` to `test.serial`, which caused a bunch of formatting changes.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Mergeback v4.35.5 refs/heads/releases/v4 into main
PR checks: Run slowest macOS checks on larger runners
henrymercer and others added 18 commits May 20, 2026 15:17
To avoid requiring additional dependencies
Specify concurrency groups for non-generated workflows so we can cancel in-progress runs when new commits are pushed to a PR.
CI: Automatically cancel non-generated workflows
Action size: Add a PR check that comments on significant repo size changes
This reverts commit 4b79f1b.
@oscarsj marked this pull request as ready for review May 22, 2026 11:16
@oscarsj requested a review from a team as a code owner May 22, 2026 11:16
Copilot AI review requested due to automatic review settings May 22, 2026 11:16
@oscarsj enabled auto-merge May 22, 2026 11:17
@github-actions (bot) added the size/XXL label ("May be extremely hard to review") May 22, 2026
@github-actions

Repository checkout size

| | Compressed archive size |
|---|---|
| Base (releases/v3) | 2173.01 KiB (2225160 bytes) |
| This PR | 1578.54 KiB (1616428 bytes) |
| Delta | -594.46 KiB (-608732 bytes, -27.36%) |

Sizes are measured by streaming git archive --format=tar.gz <ref>, which includes tracked files and excludes untracked files such as node_modules. The compressed checkout is downloaded by every consumer of this Action, so changes here directly affect Action download time. See the workflow run for details.

Copilot AI left a comment

Pull request overview

This PR merges the releases/v4 line of development into releases/v3 to cut the v3.36.0 release, including the associated version bumps, changelog entries, CodeQL CLI/bundle updates, PR-checks automation updates, and related tests.

Changes:

  • Bump the minimum supported CodeQL CLI to 2.19.4 and update the default bundle to 2.25.5, removing now-unneeded feature-gating around overwrite and SARIF run properties.
  • Add support for SHA-256 Git object IDs in Git-related utilities (plus unit tests).
  • Improve PR checks automation (runner sizing, concurrency, token handling), and add a new “repo size diff” check that can post/update a sticky PR comment.

Show a summary per file

| File | Description |
|---|---|
| src/util.test.ts | Simplifies stubbing of getGitHubVersion in tests (cleanup handled by setupTests). |
| src/upload-lib-stub.js.tpl | New stub template to re-export upload-lib via the shared entry-points bundle. |
| src/tools-features.ts | Removes tools feature flags that are now assumed always-on with the new minimum CLI. |
| src/tools-features.test.ts | Adjusts supported-tools-feature test to use an existing feature flag. |
| src/testing-utils.ts | Adds setupBaseActionsVars and a shared override type for Actions env var setup in tests. |
| src/overlay/index.test.ts | Refactors stubbing (relies on setupTests for restore). |
| src/overlay/caching.test.ts | Refactors stubbing (relies on setupTests for restore). |
| src/git-utils.ts | Supports SHA-256 OIDs in merge-parent parsing and git ls-files --stage parsing. |
| src/git-utils.test.ts | Adds SHA-256 coverage and simplifies stub teardown. |
| src/feature-flags.ts | Clarifies why an older version constant is retained. |
| src/diff-informed-analysis-utils.test.ts | Simplifies stub teardown (relies on setupTests). |
| src/defaults.json | Updates default bundle/CLI versions to 2.25.5. |
| src/codeql.ts | Bumps minimum CLI to 2.19.4 and simplifies overwrite/SARIF run-property handling. |
| src/codeql.test.ts | Updates overwrite-flag test to --force-overwrite. |
| src/analyze-action.test.ts | Consolidates analyze action RAM/threads precedence tests into one file. |
| src/analyze-action-input.test.ts | Removes superseded dedicated-process test file. |
| src/analyze-action-env.test.ts | Removes superseded dedicated-process test file. |
| src/analyses.ts | Logs an error when non-default analysis-kinds are used in custom workflows. |
| src/analyses.test.ts | Adds coverage for new analysis-kinds logging behavior and uses base Actions env setup. |
| README.md | Removes duplicate GHES table rows. |
| queries/default-setup-environment-variables.ql | Restricts env-var read findings to src/ (excluding tests). |
| pr-checks/sync.ts | Extends OS matrix config to support explicit runner image labels; updates tested CLI versions list. |
| pr-checks/sync-checks.ts | Switches token handling to env vars or stdin (--token-stdin) for safer usage. |
| pr-checks/sync-checks.test.ts | Adds unit tests for the new token resolution logic. |
| pr-checks/excluded.yml | Updates excluded required-check patterns/names (incl. repo-size comment jobs). |
| pr-checks/config.ts | Introduces REPO_ROOT constant and uses it for stable path construction. |
| pr-checks/checks/swift-autobuild.yml | Moves macOS Swift autobuild checks to xlarge runner. |
| pr-checks/checks/rust.yml | Updates tested Rust CLI version to stable-v2.19.4. |
| pr-checks/checks/multi-language-autodetect.yml | Moves macOS checks to xlarge runner. |
| pr-checks/check-repo-size.ts | Adds script to measure git-archive size deltas and emit candidate sticky-comment artifacts. |
| pr-checks/check-repo-size.test.ts | Adds tests for repo-size script formatting, arg parsing, and archive-size measurement. |
| package.json | Bumps action version to 3.36.0; updates test deps (ava downgrade, sinon bump); adds update-pr-checks script. |
| package-lock.json | Updates lockfile for dependency changes (but version metadata needs correction). |
| lib/entry-points.js | Generated output reflecting TS changes (not reviewed). |
| lib/defaults.json | Generated output reflecting TS changes (not reviewed). |
| CONTRIBUTING.md | Updates sync-checks usage instructions to stdin/env-token approach. |
| CHANGELOG.md | Adds 3.36.0 release notes and date. |
| build.mjs | Reworks bundling to expose upload-lib via entry-points and emit an upload-lib.js stub; updates entrypoint stub generation. |
| .github/workflows/update-release-branch.yml | Passes token via environment (aligning with updated script expectations). |
| .github/workflows/test-codeql-bundle-all.yml | Adds concurrency settings. |
| .github/workflows/query-filters.yml | Adds concurrency settings. |
| .github/workflows/python312-windows.yml | Adds concurrency settings. |
| .github/workflows/pr-checks.yml | Adds workflow/job concurrency, runner adjustments, repo-size measurement + comment posting, and refactors “other checks”. |
| .github/workflows/post-release-mergeback.yml | Ensures Node 24 setup w/ npm cache. |
| .github/workflows/debug-artifacts-safe.yml | Adds concurrency settings. |
| .github/workflows/debug-artifacts-failure-safe.yml | Adds concurrency settings. |
| .github/workflows/codescanning-config-cli.yml | Adds concurrency settings. |
| .github/workflows/codeql.yml | Switches macOS jobs to xlarge runners. |
| .github/workflows/check-expected-release-files.yml | Adds concurrency settings. |
| .github/workflows/__swift-autobuild.yml | Generated workflow updated for runner image change (not reviewed). |
| .github/workflows/__rust.yml | Generated workflow updated for version change (not reviewed). |
| .github/workflows/__multi-language-autodetect.yml | Generated workflow updated for runner sizing + version matrix changes (not reviewed). |
| .github/workflows/__go-tracing-legacy-workflow.yml | Generated workflow updated for version matrix changes (not reviewed). |
| .github/workflows/__go-tracing-custom-build-steps.yml | Generated workflow updated for version matrix changes (not reviewed). |
| .github/workflows/__go-tracing-autobuilder.yml | Generated workflow updated for version matrix changes (not reviewed). |
| .github/update-release-branch.py | Switches to env-based token, automates rebuild commits, and adjusts PR-body instructions. |
| .github/actions/release-initialise/action.yml | Bumps Node version to 24 for release initialisation. |
| .github/actions/prepare-mergeback-branch/action.yml | Automates rebuilding and committing lib/ changes during mergeback branch preparation. |

Copilot's findings

  • Files reviewed: 49/59 changed files
  • Comments generated: 0
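
The overview above notes that pr-checks/sync-checks.ts now takes its token from environment variables or stdin (--token-stdin). As an added example, not code from this PR or from the project, the TypeScript below shows one way to resolve a token so that the secret never has to appear in argv. The function name resolveToken, the rejected --token flag, the environment variable names and the precedence order are assumptions made for illustration.

```typescript
// Added example: names here are hypothetical, not taken from pr-checks/sync-checks.ts.
type TokenSource = "stdin" | "env";

interface ResolvedToken {
  token: string;
  source: TokenSource;
}

// Assumed environment variable names, checked in this order.
const TOKEN_ENV_VARS = ["GH_TOKEN", "GITHUB_TOKEN"];

function resolveToken(
  argv: string[],
  env: Record<string, string | undefined>,
  // Injected so the logic is testable; a real script would pass
  // () => fs.readFileSync(0, "utf8") to read the piped secret.
  readStdin: () => string,
): ResolvedToken {
  // Refuse a secret in argv: command-line arguments can be visible to other
  // local users through process listings and often end up in shell history
  // and CI logs.
  for (const arg of argv) {
    if (arg === "--token" || arg.startsWith("--token=")) {
      throw new Error("Refusing --token: use --token-stdin or the environment");
    }
  }

  if (argv.includes("--token-stdin")) {
    // An explicit flag wins over ambient environment variables. Trim the
    // trailing newline that echo or a here-string appends.
    const token = readStdin().trim();
    if (token === "") {
      throw new Error("--token-stdin was given but stdin was empty");
    }
    return { token, source: "stdin" };
  }

  for (const name of TOKEN_ENV_VARS) {
    const value = env[name]?.trim();
    if (value) {
      return { token: value, source: "env" };
    }
  }
  throw new Error(`No token: set ${TOKEN_ENV_VARS.join(" or ")} or use --token-stdin`);
}
```

Returning the source alongside the token lets the caller log where the credential came from without ever logging the credential itself.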

@oscarsj merged commit 03e4368 into releases/v3 May 22, 2026
232 checks passed
@oscarsj deleted the backport-v3.36.0-7211b7c80 branch May 22, 2026 11:27