📢 Node 16 deprecation, upcoming CodeQL Action v3 📢 #1959

Open
angelapwen opened this issue Oct 18, 2023 · 8 comments

@angelapwen
Contributor

angelapwen commented Oct 18, 2023

Update

We have released v3 of the CodeQL Action! We'll keep this note up for a week as a space for folks to ask follow-up questions or provide feedback.

Description

Node.js 16 reached end of life last month, September 2023, half a year before its original anticipated EOL date. GitHub Actions will begin to display a warning to users notifying them about the upcoming migration starting October 23, 2023 (GitHub Changelog post).

Users of the CodeQL Action and code scanning workflows on GitHub.com, please know that:

  • You will begin to see these warnings in your Actions logs on code scanning runs starting October 23, 2023.
  • All code scanning workflows should continue to succeed regardless of the warning.
  • The team at GitHub maintaining the CodeQL Action ~~is aware of the deprecation timeline and actively working on creating another version of the CodeQL Action, v3, that will bump us to Node 20.~~ has created another version of the CodeQL Action, v3, that bumps us to Node 20.

This note will be linked to from the Action CHANGELOG as well as the repository README.

Please let us know in comments on this issue if there are any questions or concerns. Thank you!

@aeisenberg aeisenberg pinned this issue Oct 18, 2023
Pl217 added a commit to UN-OCHA/hpc-cdm that referenced this issue Oct 25, 2023
CodeQL Actions are yet to release v3, which will run on `node20`
github/codeql-action#1959
@TWiStErRob

Is this fixed by #2006? Can you please create a GitHub release for the new tag? (and maybe explain why it's 3.22 and not 3.0)

Background: I got a Renovate PR, but don't understand the new release.

@aeisenberg
Contributor

Yes, v3 is now available and supports node 20. We're working through the details of exactly how to upgrade existing users from v2 to v3, but #2006 is a major part of deprecating node 16.

We have released 3.22 since v3 is identical to v2 except for the node version. This is an easy way for us (and for users) to track exactly which features you are getting.

Can you explain why you would like a new release for this? We generally only use releases for new codeql CLI versions, which are largely independent of the codeql action version.

@TWiStErRob

Ah, CLI, that makes sense, that's why I didn't get it. I thought it was missing the release for 3.22.

So the action "release notes" are only in CHANGELOG? If so, adding the middle paragraph of your above reply to that file might help people understand the version number, rather than implying/inferring it. (It makes total sense, but unconventional.)

@aeisenberg
Contributor

Thanks for the feedback. I'll let the team know.

@mydea

mydea commented Jan 2, 2024

Hey there, just cross-posting from #2059:

IMHO it is a bit confusing to have a new major version that is not reflected in the (GitHub) releases at all, making it hard to grasp the potential impact of a major upgrade! Also in the actual (markdown) changelog, you do see the 3.22.x release, but no 3.0.0, which is also confusing because I'd usually go look for that to see what breaking changes happened for v3 - hard/impossible to know which 3.x.x release was the first v3 release without this!

FWIW I was notified of a new major release of this via dependabot, and usually I go and look for what has changed in the major to check if we can safely update, and this was not really easy to figure out here.

@aeisenberg
Contributor

Thanks for the feedback. We're working on some better communication around this. See my comment above, which is now incorporated into the CHANGELOG directly.

@angelapwen angelapwen unpinned this issue Jan 31, 2024
@jsoref
Contributor

jsoref commented Feb 13, 2024

@angelapwen:

  • The team at GitHub maintaining the CodeQL Action ~~is aware of the deprecation timeline and actively working on creating~~ has created another version of the CodeQL Action, v3, that ~~will bump~~ bumps us to Node 20.

@angelapwen
Contributor Author

@jsoref, thanks! Will update now.
