Merge main into releases/v4 #3824

Merged: henrymercer merged 76 commits into releases/v4 from update-v4.35.2-d2e135a73 on Apr 15, 2026

@github-actions
Contributor

Merging d2e135a into releases/v4.

Conductor for this PR is @henrymercer.

Contains the following pull requests:

Please do the following:

  • Ensure the CHANGELOG displays the correct version and date.
  • Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.
  • Check that there are not any unexpected commits being merged into the releases/v4 branch.
  • Ensure the docs team is aware of any documentation changes that need to be released.
  • Mark the PR as ready for review to trigger the full set of PR checks.
  • Approve and merge this PR. Make sure Create a merge commit is selected rather than Squash and merge or Rebase and merge.
  • Merge the mergeback PR that will automatically be created once this PR is merged.
  • Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.

henrymercer and others added 30 commits March 27, 2026 13:57
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.12 to 1.1.13.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.13)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 1.1.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
We originally moved these to `ubuntu-slim`, but there is a significant performance difference.  Since we often find ourselves waiting on these jobs, let's use the faster runners.
…pansion-1.1.13

Bump brace-expansion from 1.1.12 to 1.1.13
…ency

Remove unused `@schemastore/package` dependency
Mergeback v4.35.1 refs/heads/releases/v4 into main
Move time-sensitive Actions workflows to `ubuntu-latest`
For the sake of consistency with the other pre-existing validation code.
…-no-submodules

Overlay: Only require Git 2.36.0 for repos that contain submodules
The registry/language mapping table does not map the one with hyphens.
Generate and analyse esbuild bundle metadata
mbg and others added 18 commits April 9, 2026 19:01
Fix `pr-checks/tsconfig.json` for TS6
…hing

Refactoring: Introduce `overlay/caching.ts`
Bumps the actions-minor group with 2 updates in the /.github/workflows directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby) and [actions/create-github-app-token](https://github.com/actions/create-github-app-token).


Updates `ruby/setup-ruby` from 1.295.0 to 1.300.0
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb)
- [Commits](ruby/setup-ruby@319994f...4c56a21)

Updates `actions/create-github-app-token` from 3.0.0 to 3.1.1
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](actions/create-github-app-token@v3.0.0...v3.1.1)

---
updated-dependencies:
- dependency-name: ruby/setup-ruby
  dependency-version: 1.300.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor
- dependency-name: actions/create-github-app-token
  dependency-version: 3.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the npm-minor group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@octokit/plugin-retry](https://github.com/octokit/plugin-retry.js) | `8.0.3` | `8.1.0` |
| [jsonschema](https://github.com/tdegrunt/jsonschema) | `1.4.1` | `1.5.0` |
| [@eslint/compat](https://github.com/eslint/rewrite/tree/HEAD/packages/compat) | `2.0.3` | `2.0.4` |
| [@types/sinon](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/sinon) | `21.0.0` | `21.0.1` |
| [esbuild](https://github.com/evanw/esbuild) | `0.27.4` | `0.28.0` |
| [nock](https://github.com/nock/nock) | `14.0.11` | `14.0.12` |



Updates `@octokit/plugin-retry` from 8.0.3 to 8.1.0
- [Release notes](https://github.com/octokit/plugin-retry.js/releases)
- [Commits](octokit/plugin-retry.js@v8.0.3...v8.1.0)

Updates `jsonschema` from 1.4.1 to 1.5.0
- [Commits](https://github.com/tdegrunt/jsonschema/commits)

Updates `@eslint/compat` from 2.0.3 to 2.0.4
- [Release notes](https://github.com/eslint/rewrite/releases)
- [Changelog](https://github.com/eslint/rewrite/blob/main/packages/compat/CHANGELOG.md)
- [Commits](https://github.com/eslint/rewrite/commits/compat-v2.0.4/packages/compat)

Updates `@types/sinon` from 21.0.0 to 21.0.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/sinon)

Updates `esbuild` from 0.27.4 to 0.28.0
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.27.4...v0.28.0)

Updates `nock` from 14.0.11 to 14.0.12
- [Release notes](https://github.com/nock/nock/releases)
- [Changelog](https://github.com/nock/nock/blob/main/CHANGELOG.md)
- [Commits](nock/nock@v14.0.11...v14.0.12)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-retry"
  dependency-version: 8.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor
- dependency-name: jsonschema
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor
- dependency-name: "@eslint/compat"
  dependency-version: 2.0.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor
- dependency-name: "@types/sinon"
  dependency-version: 21.0.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor
- dependency-name: esbuild
  dependency-version: 0.28.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor
- dependency-name: nock
  dependency-version: 14.0.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…r-345b938e93

Bump the npm-minor group across 1 directory with 6 updates
…thub/workflows/actions-minor-cc17fecf2b

Bump the actions-minor group across 1 directory with 2 updates
@henrymercer henrymercer marked this pull request as ready for review April 15, 2026 11:07
@henrymercer henrymercer requested a review from a team as a code owner April 15, 2026 11:07
Copilot AI review requested due to automatic review settings April 15, 2026 11:07
@github-actions github-actions bot added the size/XXL May be extremely hard to review label Apr 15, 2026
@henrymercer henrymercer enabled auto-merge April 15, 2026 11:10
Contributor

Copilot AI left a comment

Pull request overview

This release-branch merge brings main changes into releases/v4 and bumps the action to the 4.35.2 release, including the corresponding changelog entry and dependency/tooling updates.

Changes:

  • Bump action version to 4.35.2 and update CHANGELOG.md for the release.
  • Update default CodeQL bundle to 2.25.2 and apply assorted feature/refactor/test updates included in the merge.
  • Refresh dependencies, build tooling, and PR checks/workflows.
Summary per file:

| File | Description |
| --- | --- |
| `tsconfig.json` | Updates TS compiler settings for TS6 and bundler-style module resolution. |
| `src/trap-caching.ts` | Adds deprecation warning for TRAP cache cleanup. |
| `src/tools-features.ts` | Removes a tools feature flag entry related to Python stdlib extraction. |
| `src/testing-utils.ts` | Updates overlay mode import path after overlay refactor. |
| `src/status-report.ts` | Updates overlay caching stats import after refactor. |
| `src/start-proxy/types.ts` | Fixes OIDC credential JSON property names to hyphenated keys. |
| `src/start-proxy/types.test.ts` | Updates tests to use hyphenated OIDC credential keys. |
| `src/start-proxy.ts` | Switches language alias handling to a checked-in aliases JSON snapshot. |
| `src/start-proxy.test.ts` | Adds/updates tests for multi-registry credentials and OIDC keys. |
| `src/overlay/overlay-database-mode.ts` | Extracts OverlayDatabaseMode enum into its own module. |
| `src/overlay/index.ts` | Refactors overlay module by moving caching logic out to overlay/caching.ts. |
| `src/overlay/index.test.ts` | Updates tests to align with overlay caching refactor. |
| `src/overlay/caching.ts` | New module containing overlay-base database cache upload/download logic. |
| `src/overlay/caching.test.ts` | New test suite for overlay caching module and stable cache keys. |
| `src/known-language-aliases.json` | Adds a checked-in snapshot of CodeQL language aliases. |
| `src/init-action.ts` | Updates overlay imports; adjusts Swift incompatible OS handling; removes Python stdlib override feature logic. |
| `src/init-action-post-helper.ts` | Updates overlay mode import path after refactor. |
| `src/init-action-post-helper.test.ts` | Updates overlay mode import path in tests. |
| `src/git-utils.ts` | Lowers Git requirement logic by only using --recurse-submodules when submodules exist. |
| `src/git-utils.test.ts` | Updates/extends tests for submodule-aware git ls-files behavior. |
| `src/feature-flags.ts` | Removes Python stdlib extraction feature flag configuration. |
| `src/defaults.json` | Bumps default CodeQL bundle/CLI versions to 2.25.2. |
| `src/database-upload.ts` | Updates overlay mode import path after refactor. |
| `src/config-utils.ts` | Adjusts overlay Git version validation to apply stricter requirement only when submodules exist. |
| `src/config-utils.test.ts` | Updates overlay enablement tests for new submodule-aware Git version logic. |
| `src/codeql.ts` | Updates overlay mode import path after refactor. |
| `src/cli-errors.ts` | Adds Swift incompatible OS configuration error category. |
| `src/cli-errors.test.ts` | Adds test coverage for Swift incompatible OS error wrapping. |
| `src/analyze.ts` | Updates overlay mode import path after refactor. |
| `src/analyze-action.ts` | Imports overlay cache upload from new overlay/caching module. |
| `pr-checks/tsconfig.json` | Adjusts PR-checks TS config for TS6 compatibility. |
| `pr-checks/sync-checks.ts` | Refactors API client construction into a dedicated module. |
| `pr-checks/config.ts` | Adds constant for esbuild metafile path used by tooling. |
| `pr-checks/checks/start-proxy.yml` | Extends start-proxy PR check to validate multiple registries in outputs. |
| `pr-checks/checks/rubocop-multi-language.yml` | Updates ruby/setup-ruby action version pin. |
| `pr-checks/checks/language-aliases.yml` | Updates language alias check inputs/expectations (removes Swift). |
| `pr-checks/bundle-metadata.ts` | Adds script to print esbuild bundle sizes from metafile. |
| `pr-checks/api-client.ts` | New shared API client helper for PR-check scripts. |
| `package.json` | Bumps package version to 4.35.2; updates deps; extends build to print bundle metadata. |
| `package-lock.json` | Lockfile updates for version bump and dependency upgrades. |
| `lib/upload-sarif-action-post.js` | Generated distribution artifact update (not reviewed). |
| `lib/start-proxy-action-post.js` | Generated distribution artifact update (not reviewed). |
| `lib/defaults.json` | Generated distribution artifact update of defaults (not reviewed). |
| `build.mjs` | Enables esbuild metafile output and writes meta.json. |
| `CHANGELOG.md` | Adds 4.35.2 release notes entry. |
| `.gitignore` | Ignores generated meta.json build metadata file. |
| `.github/workflows/update-release-branch.yml` | Moves time-sensitive jobs to ubuntu-latest; bumps token action. |
| `.github/workflows/update-bundle.yml` | Moves to ubuntu-latest; adds step to update checked-in language aliases snapshot. |
| `.github/workflows/rollback-release.yml` | Bumps actions/create-github-app-token version. |
| `.github/workflows/prepare-release.yml` | Moves to ubuntu-latest. |
| `.github/workflows/post-release-mergeback.yml` | Moves to ubuntu-latest; bumps token action. |
| `.github/workflows/debug-artifacts-failure-safe.yml` | Specifies languages for debug artifacts workflow init step. |
| `.github/workflows/__start-proxy.yml` | Generated workflow update (not reviewed). |
| `.github/workflows/__rubocop-multi-language.yml` | Generated workflow update (not reviewed). |
| `.github/workflows/__language-aliases.yml` | Generated workflow update (not reviewed). |
| `.github/dependabot.yml` | Extends Dependabot npm updates to also cover /pr-checks. |

Copilot's findings

  • Files reviewed: 47/66 changed files
  • Comments generated: 1

@henrymercer henrymercer merged commit 95e58e9 into releases/v4 Apr 15, 2026
222 checks passed
@henrymercer henrymercer deleted the update-v4.35.2-d2e135a73 branch April 15, 2026 11:22
@github-actions github-actions bot mentioned this pull request Apr 15, 2026
8 tasks
Labels

size/XXL May be extremely hard to review

4 participants