- Update default CodeQL bundle version to 2.9.5. #1056
- When
wait-for-processingis enabled, the workflow will now fail if there were any errors that occurred during processing of the analysis results.
- Add
working-directoryinput to theautobuildaction. #1024 - The
analyzeandupload-sarifactions will now wait up to 2 minutes for processing to complete after they have uploaded the results so they can report any processing errors that occurred. This behavior can be disabled by setting thewait-for-processingaction input to"false". #1007 - Update default CodeQL bundle version to 2.9.0.
- Fix a bug where status reporting fails on Windows. #1042
- Update default CodeQL bundle version to 2.8.5. #1014
- Fix error where the init action would fail due to a GitHub API request that was taking too long to complete #1025
- A bug where additional queries specified in the workflow file would sometimes not be respected has been fixed. #1018
- Update default CodeQL bundle version to 2.8.4. #990
- Fix a bug where an invalid
commit_oidwas being sent to code scanning when a custom checkout path was being used. #956
- Update default CodeQL bundle version to 2.8.3.
- The CodeQL runner is now deprecated and no longer being released. For more information, see CodeQL runner deprecation.
- Fix two bugs that cause action failures with GHES 3.3 or earlier. #978
- Fix
not a permitted keyinvalid requests with GHES 3.1 or earlier - Fix
RUNNER_ARCH environment variable must be seterrors with GHES 3.3 or earlier
- Fix
- Update default CodeQL bundle version to 2.8.2. #950
- Fix a bug where old results can be uploaded if the languages in a repository change when using a non-ephemeral self-hosted runner. #955
- Fix a bug where the CLR traces can continue tracing even after tracing should be stopped. #938
- Due to potential issues for GHES 3.1–3.3 customers who are using recent versions of the CodeQL Action via GHES Connect, the CodeQL Action now uses Node.js v12 rather than Node.js v16. #937
- The CodeQL CLI versions up to and including version 2.4.4 are not compatible with the CodeQL Action 1.1.1 and later. The Action will emit an error if it detects that it is being used by an incompatible version of the CLI. #931
- Update default CodeQL bundle version to 2.8.1. #925
- The CodeQL Action now uses Node.js v16. #909
- Beware that the CodeQL build tracer in this release (and in all earlier releases) is incompatible with Windows 11 and Windows Server 2022. This incompatibility affects database extraction for compiled languages: cpp, csharp, go, and java. As a result, analyzing these languages with the
windows-latestorwindows-2022Actions virtual environments is currently unsupported. If you use any of these languages, please use thewindows-2019Actions virtual environment or otherwise avoid these specific Windows versions until a new release fixes this incompatibility.
- Add
sarif-idas an output for theupload-sarifandanalyzeactions. #889 - Add
refandshainputs to theanalyzeaction, which override the defaults provided by the GitHub Action context. #889 - Update default CodeQL bundle version to 2.8.0. #911
- Remove
experimentalmessage when using custom CodeQL packages. #888 - Add a better warning message stating that experimental features will be disabled if the workflow has been triggered by a pull request from a fork or the
security-events: writepermission is not present. #882
- Display a better error message when encountering a workflow that runs the
codeql-action/initaction multiple times. #876 - Update default CodeQL bundle version to 2.7.6. #877
- The feature to wait for SARIF processing to complete after upload has been disabled by default due to a bug in its interaction with pull requests from forks.
- Update default CodeQL bundle version to 2.7.5. #866
- Fix a bug where SARIF files were failing upload due to an invalid test for unique categories. #872
- The
analyzeandupload-sarifactions will now wait up to 2 minutes for processing to complete after they have uploaded the results so they can report any processing errors that occurred. This behavior can be disabled by setting thewait-for-processingaction input to"false". #855
- Update default CodeQL bundle version to 2.7.3. #842
No user facing changes.
- Update default CodeQL bundle version to 2.7.2. #827
- The
upload-sarifaction now allows multiple uploads in a single job, as long as they have different categories. #801 - Update default CodeQL bundle version to 2.7.1. #816
- The
initstep of the Action now supportsramandthreadsinputs to limit resource use of CodeQL extractors. These inputs also serve as defaults to the subsequentanalyzestep, which finalizes the database and executes queries. #738 - When used with CodeQL 2.7.1 or above, the Action now includes custom query help in the analysis results uploaded to GitHub code scanning, if available. To add help text for a custom query, create a Markdown file next to the
.qlfile containing the query, using the same base name but the file extension.md. #804
- Update default CodeQL bundle version to 2.7.0. #795
No user facing changes.
No user facing changes.
- Fixed a bug where some builds were no longer being traced correctly. #766
- Update default CodeQL bundle version to 2.6.3. #761
No user facing changes.
- Update default CodeQL bundle version to 2.6.2. #746
- Update default CodeQL bundle version to 2.6.1. #733
- Update default CodeQL bundle version to 2.6.0. #712
- Update baseline lines of code counter for python. All multi-line strings are counted as code. #714
- Remove old baseline LoC injection #715
- Update README to include a sample permissions block. #689
- Update default CodeQL bundle version to 2.5.9. #687
- Fix an issue where a summary of diagnostics information from CodeQL was not output to the logs of the
analyzestep of the Action. #672
No user facing changes.
- Update default CodeQL bundle version to 2.5.8. #631
No user facing changes.
- The
initstep of the Action now supports asource-rootinput as a path to the root source-code directory. By default, the path is relative to$GITHUB_WORKSPACE. #607 - The
initstep will now try to install a few Python tools needed by this Action when running on a self-hosted runner. #616
- The
analyzestep of the Action now supports askip-queriesoption to merely build the CodeQL database without analyzing. This functionality is not present in the runner. Additionally, the step will no longer fail if it encounters a finalized database, and will instead continue with query execution. #602 - Update the warning message when the baseline lines of code count is unavailable. #608
- Fix
RUNNER_TEMP environment variable must be setwhen using runner. #594 - Fix couting of lines of code for C# projects. #586
No user facing changes.
- Fix out of memory in hash computation. #550
- Clean up logging during analyze results. #557
- Add
--finalize-datasettodatabase finalizecall, freeing up some disk space after database creation. #558
- Pass the
--sarif-group-rules-by-packargument to CodeQL CLI invocations that generate SARIF. This means the SARIF rule object for each query will now be found underneath its corresponding query pack inruns[].tool.extensions. #546 - Output the location of CodeQL databases created in the analyze step. #543