Unclear release notes / change log

[marcrohlfs]

We're using the codeql-action action and try to keep it up-to-date using Dependabot. Such PRs are not merged unthinkingly, we normally check the changes (new features, bugfixes etc.) first. Unfortunately the changelog for new versions/tags of the codeql-action action is often not very helpful to find out what's actually changed, especially when it comes to the CodeQL bundle. We often see something like "Update default CodeQL bundle version to [x.y.z]", but there's no information about the changes that come with the new bundle version (e.g. if rule implementations have been added, removed or fixed etc). And trying to find this out by checking the tags and history of the github/codeql repo doesn't help much either. Am I just missing places where I should look for such information? Or is there actually improvement potential on release notes and changelogs?

(This somehow seems to be similar to #1728, but I didn't want to continue on an already closed issue.)

[aeisenberg]

Thanks for the question. The changelog for the action bundle is located here: https://github.com/github/codeql-action/releases. I realize that this is not the most discoverable place to put it and we are discussing ways to make this easier to find.

[marcrohlfs]

Already found that, but it's still confusing. Looking at the changelogs of the language packs that are inked no that page, there're totally different version numbers and no information or cross references what language pack versions are part of what bundle versions.

Example:
Dependabot recently offered to update the codeql-action from 2.20.2 to 2.20.3. Digging in, I found that the bundle version is updated to 2.13.5 with this. Only when looking at the source changes of linked PR, I found out that it was 2.13.4 before. But also in the changes you see that the version scheme doesn't seem consistent (see priorBundleVersion). Now I can check the codeql-bundle-v2.13.5 release notes and from there to the changelogs of language packs I'm interested in, e.g. codeql/java-queries. Here I find totally different version numbers and no information which one is included in what bundle version.