Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

馃摙 Node 16 deprecation, upcoming CodeQL Action v3 馃摙 #1959

Open
angelapwen opened this issue Oct 18, 2023 · 18 comments
Open

馃摙 Node 16 deprecation, upcoming CodeQL Action v3 馃摙 #1959

angelapwen opened this issue Oct 18, 2023 · 18 comments

Comments

@angelapwen
Copy link
Contributor

angelapwen commented Oct 18, 2023

Update

We have released v3 of the CodeQL Action! We'll keep this note up for a week as a space for folks to ask follow-up questions or provide feedback

Description

Node.js 16 reached end of life last month, September 2023, half a year before its original anticipated EOL date. GitHub Actions will begin to display a warning to users notifying them about the upcoming migration starting October 23, 2023 (GitHub Changelog post).

Users of the CodeQL Action and code scanning workflows on GitHub.com, please know that:

  • You will begin to see these warnings in your Actions logs on code scanning runs starting October 23, 2023.
  • All code scanning workflows should continue to succeed regardless of the warning.
  • The team at GitHub maintaining the CodeQL Action is aware of the deprecation timeline and actively working on creating another version of the CodeQL Action, v3, that will bump us to Node 20. has created another version of the CodeQL Action, v3, that bumps us to Node 20.

This note will be linked to from the Action CHANGELOG as well as the repository README.

Please let us know in comments on this issue if there are any questions or concerns. Thank you!

@aeisenberg aeisenberg pinned this issue Oct 18, 2023
Pl217 added a commit to UN-OCHA/hpc-cdm that referenced this issue Oct 25, 2023
CodeQL Actions are yet to release v3, which will run on `node20`
github/codeql-action#1959
Pl217 added a commit to UN-OCHA/hpc-cdm that referenced this issue Oct 26, 2023
CodeQL Actions are yet to release v3, which will run on `node20`
github/codeql-action#1959
Pl217 added a commit to UN-OCHA/hpc-api that referenced this issue Oct 26, 2023
CodeQL Actions are yet to release v3, which will run on `node20`
github/codeql-action#1959
Pl217 added a commit to UN-OCHA/hpc-cdm that referenced this issue Oct 31, 2023
CodeQL Actions are yet to release v3, which will run on `node20`
github/codeql-action#1959
Pl217 added a commit to UN-OCHA/hpc-cdm that referenced this issue Nov 1, 2023
CodeQL Actions are yet to release v3, which will run on `node20`
github/codeql-action#1959
Pl217 added a commit to UN-OCHA/hpc-api that referenced this issue Nov 1, 2023
CodeQL Actions are yet to release v3, which will run on `node20`
github/codeql-action#1959
@TWiStErRob
Copy link

Is this fixed by #2006? Can you please create a GitHub release for the new tag? (and maybe explain why it's 3.22 and not 3.0)

Background: I got a Renovate PR, but don't understand the new release.

@aeisenberg
Copy link
Contributor

Yes, v3 is now available and supports node 20. We're working through the details of exactly how to upgrade existing users from v2 to v3. but #2006 is a major part of deprecating node 16.

We have released 3.22 since v3 is identical to v2 except for the node version. This is an easy way for us (and for users) to track exactly which features you are getting.

Can you explain why you would like a new release for this? We generally only use releases for new codeql CLI versions, which are largely independent of the codeql action version.

@TWiStErRob
Copy link

Ah, CLI, that makes sense, that's why I didn't get it. I thought it was missing the release for 3.22.

So the action "release notes" are only in CHANGELOG? If so, adding the middle paragraph of your above reply to that file might help people understand the version number, rather than implying/inferring it. (It makes total sense, but unconventional.)

@aeisenberg
Copy link
Contributor

Thanks for the feedback. I'll let the team know.

@mydea
Copy link

mydea commented Jan 2, 2024

Hey there, just cross-posting from #2059:

IMHO it is a bit confusing to have a new major version that is not reflected in the (Github) releases at all, making it hard to grasp the potential impact of a major upgrade! Also in the actual (markdown) changelog, you do see the 3.22.x release, but no 3.0.0 which is also confusing because I'd usually go look for that to see what breaking changes happend for v3 - hard/impossible to know which 3.x.x release was the first v3 release without this!

FWIW I was notified of a new major release of this via dependabot, and usually I go and look for what has changed in the major to check if we can safely update, and this was not really easy to figure out here.

@aeisenberg
Copy link
Contributor

Thanks for the feedback. We're working on some better communication around this. See my comment above, which is now incorporated into the CHANGELOG directly.

@angelapwen angelapwen unpinned this issue Jan 31, 2024
@jsoref
Copy link
Contributor

jsoref commented Feb 13, 2024

@angelapwen:

  • The team at GitHub maintaining the CodeQL Action is aware of the deprecation timeline and actively working on creating has created another version of the CodeQL Action, v3, that will bump bumps us to Node 20.

@angelapwen
Copy link
Contributor Author

@jsoref, thanks! Will update now.

@stevehipwell
Copy link

Without GitHub releases for the v3 tags Dependabot isn't picking up the changes and we're seeing Node deprecation warnings.

@angelapwen
Copy link
Contributor Author

Hi @stevehipwell, thank you for reporting this 鉁 Do you mind sharing the version of the CodeQL Action you're currently on, as well as the relevant part of your Dependabot configuration file (usually dependabot.yml) so that we can look into reproducing this behavior?

@stevehipwell
Copy link

@angelapwen as your v3 releases are only tags and the v2 releases are GH releases so I'd make a guess that that's the reason. It also makes manual discovery hard.

The following repo has the issue.

https://github.com/stevehipwell/fluentd-aggregator

@angelapwen
Copy link
Contributor Author

angelapwen commented Apr 30, 2024

馃憢 @stevehipwell thank you for sharing. Our team looked into this and found that there was a mistaken bump to the SHA your workflow is pinned to, cdcdbb579706841c47f7063dda365e292e5cad7a, which corresponds to a CodeQL bundle release (codeql-bundle-v2.13.4 ) and not a release of the CodeQL Action. As a result, anyone who received that update is no longer receiving any Dependabot PRs, as you indicated.

That said, if you manually change the SHA to one that is a CodeQL Action release SHA, you should receive all future Dependabot PRs 鈥斅爐he problem is specifically coming from the SHA and not the distinction between GH releases vs. tags. We've filed some internal issues to more broadly address any other workflows stuck on that SHA, but the one-line change should be fine for unblocking individual workflows.

Thanks again for reporting and let us know if you have any other questions!

@jsoref
Copy link
Contributor

jsoref commented Apr 30, 2024

For those following along, that appears to be 650+ files: https://github.com/search?q=%22github%2Fcodeql-action%2Fupload-sarif%40cdcdbb579706841c47f7063dda365e292e5cad7a%22&type=code

@stevehipwell
Copy link

@angelapwen is there a reason why the v3 "releases" aren't GitHub releases? This issue would have been picked up quicker if they were.

@stevehipwell
Copy link

It looks like the problem version was used in the ossf/scorecard for the example workflow until a few weeks ago when they manually bumped the version.

@stevehipwell
Copy link

@jsoref thanks for the query but as there are sub actions (I thought GitHub recommends against this pattern), the query needs to take that into account. The following query returns 800+ instances.

https://github.com/search?q=%2Fgithub%5C%2Fcodeql-action%5C%2F.%2B%40cdcdbb579706841c47f7063dda365e292e5cad7a%2F&type=code

@angelapwen
Copy link
Contributor Author

Thanks for following up @stevehipwell: historically, we've used GitHub releases for the codeql-action repo as a way to release the CodeQL bundle, which you'll see in https://github.com/github/codeql-action/releases. CodeQL bundles also include GitHub Action releases, but we also release the Action outside of the CodeQL bundle release schedule and use the tag mechanism for all Action releases.

We recognize that this mechanism has caused customer confusion and are looking into aligning GitHub releases on the codeql-action repo with releases of the CodeQL Action. It'll require some care because some customers and internal tools assume that the latest GitHub release on codeql-action is a CodeQL bundle. But it's definitely on our radar!

@angelapwen
Copy link
Contributor Author

As an update, folks on our team fixed the tags on v2.13.4 and the Dependabot PRs to bump from that version to the latest version are starting to come in now!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants
@aeisenberg @jsoref @mydea @TWiStErRob @stevehipwell @angelapwen and others