Skip to content

Merge main into releases/v4#3523

Merged
henrymercer merged 129 commits intoreleases/v4from
update-v4.32.5-ca42bf226
Mar 2, 2026
Merged

Merge main into releases/v4#3523
henrymercer merged 129 commits intoreleases/v4from
update-v4.32.5-ca42bf226

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Feb 27, 2026

Merging ca42bf2 into releases/v4.

Conductor for this PR is @henrymercer.

Contains the following pull requests:

Please do the following:

  • Ensure the CHANGELOG displays the correct version and date.
  • Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.
  • Check that there are not any unexpected commits being merged into the releases/v4 branch.
  • Ensure the docs team is aware of any documentation changes that need to be released.
  • Mark the PR as ready for review to trigger the full set of PR checks.
  • Approve and merge this PR. Make sure Create a merge commit is selected rather than Squash and merge or Rebase and merge.
  • Merge the mergeback PR that will automatically be created once this PR is merged.
  • Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.

mbg and others added 30 commits February 15, 2026 15:39
@mbg
Revert "Merge pull request #3476 from github/henrymercer/retry-auth-e…
ea1a400 
…rrors"

This reverts commit 9658e23, reversing
changes made to 2d6b98c.
@mbg
Move getDefaultCliVersion out of GitHubFeatureFlags
5283c3b 
It doesn't need to be in there since it doesn't depend on the API itself and call `getDefaultCliVersionFromFlags` directly
@mbg
Add OfflineFeatures class
368f322
@mbg
Abstract over FeatureEnablement implementations with initFeatures
2c9bc45
@mbg
Return OfflineFeatures for CCR
9dcfdf2
@mbg
Move FF test utils out of main file
ee8360d
@mbg
Add mockCCR helper to testing-utils
377300b
@mbg
Add test to check that OfflineFeatures doesn't use the API client
bc76cea
@mbg
Change FFs not supported log message
0874cf9
@mbg
Log when using OfflineFeatures for CCR
60dee3d
@mbg
Restore test improvements from previous PR
7af50a4
@mbg
Use OfflineFeatures when !supportsFeatureFlags as well
db834c9
@mbg
Merge remote-tracking branch 'origin/main' into mbg/features/offline-…
ab25800 
…features
@henrymercer
Create separate directory for overlay source code
d1bdc0e
@henrymercer
Compute cache key for overlay language status
d28d996
@henrymercer
Add save and restore methods
69c2819
@henrymercer
Generalise status to multiple languages
e275d63
@henrymercer
Skip overlay analysis based on cached status
ebad062
@henrymercer
Save overlay status to Actions cache
96961e0
@henrymercer
Introduce feature flags for saving and checking status
827bba6
@henrymercer
Be more explicit about attempt to build overlay DB
6c405c2
@henrymercer
Sort doc URLs
0c47ae1
@henrymercer
Add status page diagnostic when overlay skipped
7b7a951
@henrymercer
Only store overlay status if analysis failed
ef58c00
@henrymercer
Improve diagnostic message wording
cc0dce0
@henrymercer
Tweak diagnostic message
d24014a
@henrymercer
Improve error messages
3dd1275
@henrymercer
More error message improvements
554b931
@henrymercer
Include diagnostics in bundle
5c583bb
@henrymercer
Avoid mutating languages array in overlay status functions
05d4e25 
Use [...languages].sort() instead of languages.sort() to avoid
mutating the caller's array as a side effect.
dependabot bot and others added 10 commits February 27, 2026 13:21
@dependabot
Bump minimatch from 3.1.3 to 3.1.5
29181f2 
Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.3 to 3.1.5.
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.3...v3.1.5)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@github-actions
Rebuild
236fbf7
@github-actions
Rebuild
2475286
@henrymercer
Merge pull request #3513 from github/dependabot/npm_and_yarn/npm-mino…
2c92579 
…r-e1092f1102

Bump eslint-plugin-jsdoc from 62.5.0 to 62.6.0 in the npm-minor group
@henrymercer
Merge pull request #3514 from github/dependabot/npm_and_yarn/globals-…
8ab0431 
…17.3.0

Bump globals from 16.5.0 to 17.3.0
@henrymercer
Update supported Action / Bundle / GHES version table
3a42a99
@henrymercer
Merge pull request #3521 from github/dependabot/npm_and_yarn/minimatc…
76348c0 
…h-3.1.5

Bump minimatch from 3.1.3 to 3.1.5
@henrymercer
Merge pull request #3520 from github/dependabot/npm_and_yarn/fast-xml…
6704d80 
…-parser-5.4.1

Bump fast-xml-parser from 5.3.6 to 5.4.1
@henrymercer
Merge pull request #3522 from github/henrymercer/update-supported-ver…
ca42bf2 
…sions-table

Update supported Action / Bundle / GHES version table
@github-actions
Update changelog for v4.32.5
c72d9a4
@github-actions github-actions bot added the size/XXL May be extremely hard to review label Feb 27, 2026
@henrymercer henrymercer marked this pull request as ready for review February 27, 2026 15:18
@henrymercer henrymercer requested a review from a team as a code owner February 27, 2026 15:18
@henrymercer henrymercer requested review from Copilot and mbg February 27, 2026 15:18
Copilot AI reviewed Feb 27, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review this pull request because it exceeds the maximum number of lines (20,000). Try reducing the number of changed lines and requesting a review from Copilot again.

mbg
mbg previously approved these changes Mar 2, 2026
View reviewed changes
Copy link
Member

@mbg mbg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of small comments / suggestions for the change notes. Otherwise LGTM.

CHANGELOG.md Outdated
- The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. [#3515](https://github.com/github/codeql-action/pull/3515)
- Reduced log levels for private package registry connection check failures from `error` to `info`/`warning` to reduce noise from workflow annotations. [#3516](https://github.com/github/codeql-action/pull/3516)
- Added an experimental change which lowers the minimum disk space requirement for [improved incremental analysis](https://github.com/github/roadmap/issues/1158), enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. [#3498](https://github.com/github/codeql-action/pull/3498)
- Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using a hardcoded bundle version. We expect to roll this change out to everyone in March. [#3512](https://github.com/github/codeql-action/pull/3512)
Copy link
Member

@mbg mbg Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(There's also a hard-coded version, but this change replaces uses the FFs instead of the linked one if able.)

Suggested change
- Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using a hardcoded bundle version. We expect to roll this change out to everyone in March. [#3512](https://github.com/github/codeql-action/pull/3512)
- Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. [#3512](https://github.com/github/codeql-action/pull/3512)

CHANGELOG.md Outdated
- Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://github.com/github/codeql-action/pull/3507)
- When [improved incremental analysis](https://github.com/github/roadmap/issues/1158) fails on a runner — typically due to insufficient disk space — the failure is now recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). [#3487](https://github.com/github/codeql-action/pull/3487)
- The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. [#3515](https://github.com/github/codeql-action/pull/3515)
- Reduced log levels for private package registry connection check failures from `error` to `info`/`warning` to reduce noise from workflow annotations. [#3516](https://github.com/github/codeql-action/pull/3516)
Copy link
Member

@mbg mbg Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Reduced log levels for private package registry connection check failures from `error` to `info`/`warning` to reduce noise from workflow annotations. [#3516](https://github.com/github/codeql-action/pull/3516)
- Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. [#3516](https://github.com/github/codeql-action/pull/3516)

CHANGELOG.md Outdated
## 4.32.5 - 02 Mar 2026

- Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://github.com/github/codeql-action/pull/3507)
- When [improved incremental analysis](https://github.com/github/roadmap/issues/1158) fails on a runner — typically due to insufficient disk space — the failure is now recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). [#3487](https://github.com/github/codeql-action/pull/3487)
Copy link
Member

@mbg mbg Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add something to indicate that this is FF-ed?

@henrymercer henrymercer requested a review from mbg March 2, 2026 10:49
@henrymercer henrymercer enabled auto-merge March 2, 2026 10:59
@henrymercer henrymercer merged commit c793b71 into releases/v4 Mar 2, 2026
244 checks passed
@henrymercer henrymercer deleted the update-v4.32.5-ca42bf226 branch March 2, 2026 11:11
@github-actions github-actions bot mentioned this pull request Mar 2, 2026
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mbg mbg mbg approved these changes

Assignees

@henrymercer henrymercer

Labels

size/XXL May be extremely hard to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mbg @henrymercer @sam-robson