Merge main into releases/v4#3927
Merged
Merged
Conversation
This feature has been supported since CodeQL CLI v2.18.0, which is below the new minimum version.
This feature has been supported since CodeQL CLI v2.19.0
Bumps [sinon](https://github.com/sinonjs/sinon) from 21.1.2 to 22.0.0. - [Release notes](https://github.com/sinonjs/sinon/releases) - [Changelog](https://github.com/sinonjs/sinon/blob/main/docs/changelog.md) - [Commits](sinonjs/sinon@v21.1.2...v22.0.0) --- updated-dependencies: - dependency-name: sinon dependency-version: 22.0.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
These jobs are not rate-limiting so we don't need to run them on larger runners.
The tests still can't run in parallel so I had to change `test` to `test.serial`, which caused a bunch of formatting changes.
Mergeback v4.35.5 refs/heads/releases/v4 into main
Address review comments for #3899
PR checks: Run slowest macOS checks on larger runners
…-prs Release process: Automatically rebuild PRs
…s-advanced-setup Log error for non-default `analysis-kinds` input outside of managed workflows
Action size: Reduce duplication between `upload-lib` and `entry-points`
Bump `brace-expansion`
To avoid requiring additional dependencies
Specify concurrency groups for non-generated workflows so we can cancel in-progress runs when new commits are pushed to a PR.
CI: Automatically cancel non-generated workflows
Action size: Add a PR check that comments on significant repo size changes
Update default bundle to 2.25.5
Contributor
Author
Repository checkout size
Sizes are measured by streaming |
Contributor
There was a problem hiding this comment.
Pull request overview
Release-merge PR that brings mainline changes into releases/v4 and prepares the 4.36.0 release by bumping the action version and updating the changelog accordingly.
Changes:
- Bump release version to
4.36.0and add the4.36.0 - 22 May 2026changelog section. - Update CodeQL/tooling baselines (minimum CodeQL version, default bundle version) and related CI/PR-check infrastructure.
- Various maintenance changes across tests, build bundling, PR-check generation, and workflows.
Show a summary per file
| File | Description |
|---|---|
| src/util.test.ts | Test refactor (sinon stub setup). |
| src/upload-lib-stub.js.tpl | New template for emitting an upload-lib stub that re-exports from shared bundle. |
| src/tools-features.ts | Removes obsolete tool feature flags from enum. |
| src/tools-features.test.ts | Updates feature-flag test to reflect removed/changed feature. |
| src/testing-utils.ts | Splits Actions env setup into setupBaseActionsVars + path-specific vars. |
| src/overlay/index.test.ts | Test refactor removing explicit stub restoration. |
| src/overlay/caching.test.ts | Test refactor removing manual stub bookkeeping/restore loop. |
| src/git-utils.ts | Adds SHA-256 OID support in parsing/validation. |
| src/git-utils.test.ts | Adds SHA-256 OID tests and refactors stubbing/cleanup. |
| src/feature-flags.ts | Clarifies why legacy version constant is retained. |
| src/diff-informed-analysis-utils.test.ts | Test refactor removing explicit stub restores. |
| src/defaults.json | Updates default/prior CodeQL bundle+CLI versions to 2.25.5/2.25.4. |
| src/codeql.ts | Bumps minimum CodeQL version; simplifies overwrite handling; always emits sarif-run-property flag. |
| src/codeql.test.ts | Updates overwrite-flag test to --force-overwrite. |
| src/analyze-action.test.ts | Consolidates analyze-action RAM/threads tests into one file. |
| src/analyze-action-input.test.ts | Deleted (tests moved into src/analyze-action.test.ts). |
| src/analyze-action-env.test.ts | Deleted (tests moved into src/analyze-action.test.ts). |
| src/analyses.ts | Logs error for non-default analysis-kinds in custom workflows; refactors error message creation. |
| src/analyses.test.ts | Adds coverage for new analysis-kinds logging behavior; uses setupBaseActionsVars. |
| README.md | Removes duplicated GHES table entries. |
| queries/default-setup-environment-variables.ql | Restricts query to src/ paths. |
| pr-checks/sync.ts | Extends OS matrix spec to support explicit runner image labels; updates default tested versions. |
| pr-checks/sync-checks.ts | Improves token handling (stdin/env); updates CLI options accordingly. |
| pr-checks/sync-checks.test.ts | Adds unit tests for token resolution logic. |
| pr-checks/excluded.yml | Updates excluded/required check name lists (incl. repo size comment checks). |
| pr-checks/config.ts | Introduces REPO_ROOT to simplify path joins. |
| pr-checks/checks/swift-autobuild.yml | Switches macOS runner to macos-latest-xlarge. |
| pr-checks/checks/rust.yml | Updates Rust check CodeQL version from 2.19.3 to 2.19.4. |
| pr-checks/checks/multi-language-autodetect.yml | Switches macOS runner to macos-latest-xlarge. |
| pr-checks/check-repo-size.ts | New script to measure archive size delta and produce sticky-comment artifacts. |
| pr-checks/check-repo-size.test.ts | Unit/integration tests for repo-size checker utilities and git-archive measurement. |
| package.json | Bumps version to 4.36.0; updates test deps (ava/sinon) and adds update-pr-checks script. |
| package-lock.json | Updates lockfile for version bump and dependency changes. |
| lib/entry-points.js | Generated bundle updates (version, defaults, features, deps, upload-lib export). |
| lib/defaults.json | Generated defaults updated to 2.25.5/2.25.4. |
| CONTRIBUTING.md | Updates sync-checks instructions to use env/stdin token flow. |
| CHANGELOG.md | Adds 4.36.0 section with key release notes. |
| build.mjs | Reworks bundling to expose upload-lib via shared entry-points and emit a stub. |
| .github/workflows/update-release-branch.yml | Switches update script to use token via env var rather than CLI arg. |
| .github/workflows/test-codeql-bundle-all.yml | Adds concurrency controls to cancel redundant PR runs. |
| .github/workflows/query-filters.yml | Adds concurrency controls to cancel redundant PR runs. |
| .github/workflows/python312-windows.yml | Adds concurrency controls to cancel redundant PR runs. |
| .github/workflows/pr-checks.yml | Adds concurrency; reorganizes checks; adds repo-size diff artifact + separate comment-posting job. |
| .github/workflows/post-release-mergeback.yml | Ensures Node 24 setup with npm cache for mergeback workflow. |
| .github/workflows/debug-artifacts-safe.yml | Adds concurrency controls to cancel redundant PR runs. |
| .github/workflows/debug-artifacts-failure-safe.yml | Adds concurrency controls to cancel redundant PR runs. |
| .github/workflows/codescanning-config-cli.yml | Adds concurrency controls to cancel redundant PR runs. |
| .github/workflows/codeql.yml | Moves macOS jobs to macos-*-xlarge runners. |
| .github/workflows/check-expected-release-files.yml | Adds concurrency controls to cancel redundant PR runs. |
| .github/workflows/__swift-autobuild.yml | Generated workflow updated for macos-latest-xlarge. |
| .github/workflows/__rust.yml | Generated workflow updated for stable-v2.19.4. |
| .github/workflows/__multi-language-autodetect.yml | Generated workflow updates for runner sizing + tested versions. |
| .github/workflows/__go-tracing-legacy-workflow.yml | Generated workflow updates for tested versions. |
| .github/workflows/__go-tracing-custom-build-steps.yml | Generated workflow updates for tested versions. |
| .github/workflows/__go-tracing-autobuilder.yml | Generated workflow updates for tested versions. |
| .github/update-release-branch.py | Improves token handling via env; automates rebuild commits; updates PR body guidance. |
| .github/actions/release-initialise/action.yml | Uses Node 24 for release initialisation action. |
| .github/actions/prepare-mergeback-branch/action.yml | Automates rebuild + separate “Rebuild” commit during mergeback branch preparation. |
Copilot's findings
- Files reviewed: 49/59 changed files
- Comments generated: 2
oscarsj
approved these changes
May 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Merging ebc2d9e into
releases/v4.Conductor for this PR is @oscarsj.
Contains the following pull requests:
analysis-kindsinput outside of managed workflows #3895 (@mbg)upload-libandentry-points#3912 (@henrymercer)brace-expansion#3918 (@henrymercer)Please do the following:
releases/v4branch.Create a merge commitis selected rather thanSquash and mergeorRebase and merge.