MacOS CodeQL enableAutomaticCodeQLInstall forbidden

[stefanrenne]

Description

The AdvancedSecurity-Codeql-Init@1 task has the option to automatically install the latest version

- task: AdvancedSecurity-Codeql-Init@1
  inputs:
    enableAutomaticCodeQLInstall: true

50% of the times it fails with a 403 (forbidden)

2025-04-01T07:50:30.9591570Z ##[section]Starting: Advanced Security Codeql Initialize
2025-04-01T07:50:30.9598030Z ==============================================================================
2025-04-01T07:50:30.9598240Z Task         : Advanced Security Initialize CodeQL
2025-04-01T07:50:30.9598380Z Description  : Initializes the CodeQL database in preparation for building.
2025-04-01T07:50:30.9598560Z Version      : 1.1.311
2025-04-01T07:50:30.9598660Z Author       : Microsoft Corporation
2025-04-01T07:50:30.9598780Z Help         : https://aka.ms/advancedsecurity/code-scanning/detection
2025-04-01T07:50:30.9599080Z ==============================================================================
2025-04-01T07:50:31.6831380Z Session Id=d002106b-dd67-4e8a-874b-0f27e4424fa0
2025-04-01T07:50:31.6845400Z Starting CodeQL automatic detection and installation.
2025-04-01T07:50:31.6845820Z ##[group]CodeQL Detection and Installation
2025-04-01T07:50:31.6846260Z Retrieving the latest release information for https://api.github.com/repos/github/codeql-action/releases/latest
2025-04-01T07:50:31.8900440Z ##[warning] Request failed with status code 403
2025-04-01T07:50:31.9840830Z ##[group]Install and Setup CodeQL tools
2025-04-01T07:50:31.9982680Z ##[endgroup]
2025-04-01T07:50:32.0009980Z ##[warning] The GitHub release API URL for CodeQL failed.
2025-04-01T07:50:32.0072200Z ##[error]The GitHub release API URL for CodeQL failed.
2025-04-01T07:50:32.0089940Z 
2025-04-01T07:50:32.1091810Z Learn more about the scan for the CodeQL build tasks:
2025-04-01T07:50:32.1604200Z https://aka.ms/advanced-security/code-scanning/detection
2025-04-01T07:50:32.1643230Z 
2025-04-01T07:50:32.1981970Z ##[section]Finishing: Advanced Security Codeql Initialize

Platforms affected

• Azure DevOps
• GitHub Actions - Standard Runners
• GitHub Actions - Larger Runners

Runner images affected

• Ubuntu 20.04
• Ubuntu 22.04
• Ubuntu 24.04
• macOS 13
• macOS 13 Arm64
• macOS 14
• macOS 14 Arm64
• macOS 15
• macOS 15 Arm64
• Windows Server 2019
• Windows Server 2022
• Windows Server 2025

Image version and build link

MacOS14: 20250324.987
MacOS15: 20250327.1013

Is it regression?

no

Expected behavior

Download and use the latest version of Graphql

Actual behavior

Fails with a 403

Repro steps

- task: AdvancedSecurity-Codeql-Init@1
  inputs:
    enableAutomaticCodeQLInstall: true

[prasanjitsahoo]

Hi @stefanrenne , We'll investigate the issue and keep you informed of any updates. Thank you.

[diegoddp]

Hi @stefanrenne Please verify that your GitHub API rate limits are not being exceeded. The 403 error might be due to hitting the rate limit for API requests

[prasanjitsahoo]

Hi @stefanrenne 👋,
The latest CodeQL version is now available post-deployment. Could you please verify from your end once again?
The 403 Forbidden error during CodeQL auto-install is a known behavior and typically stems from unauthenticated access to the GitHub public API:
https://api.github.com/repos/github/codeql-action/releases/latest
Why It Fails ~50% of the Time:
This is due to GitHub’s rate limiting for unauthenticated requests — limited to 60 requests/hour per IP. In shared environments (e.g., hosted runners or NATed gateways), this limit is commonly exceeded, resulting in:
##[warning] Request failed with status code 403

[stefanrenne]

@prasanjitsahoo would be great if there would be a option for auto-install to use a custom GitHub api token

[prasanjitsahoo]

Thanks for the suggestion! We've now added support for using a custom GitHub API token via the API_PAT variable during the auto-install process. This helps avoid rate limits and ensures reliable fetching of release data.

Closing this issue as resolved — feel free to reopen if you encounter any further problems. 🙌

[brentlyjdavid]

@prasanjitsahoo where is this documented at? And how does this affect ADO customers? We are seeing the same 403s in ADO. How would we add a GitHub API token if we are using ADO?