📢 Node 16 deprecation, upcoming CodeQL Action v3 📢 #1959
Comments
CodeQL Actions are yet to release v3, which will run on `node20` github/codeql-action#1959
CodeQL Actions are yet to release v3, which will run on `node20` github/codeql-action#1959
CodeQL Actions are yet to release v3, which will run on `node20` github/codeql-action#1959
CodeQL Actions are yet to release v3, which will run on `node20` github/codeql-action#1959
CodeQL Actions are yet to release v3, which will run on `node20` github/codeql-action#1959
CodeQL Actions are yet to release v3, which will run on `node20` github/codeql-action#1959
|
Is this fixed by #2006? Can you please create a GitHub release for the new tag? (and maybe explain why it's 3.22 and not 3.0) Background: I got a Renovate PR, but don't understand the new release. |
|
Yes, v3 is now available and supports node 20. We're working through the details of exactly how to upgrade existing users from v2 to v3. but #2006 is a major part of deprecating node 16. We have released 3.22 since v3 is identical to v2 except for the node version. This is an easy way for us (and for users) to track exactly which features you are getting. Can you explain why you would like a new release for this? We generally only use releases for new codeql CLI versions, which are largely independent of the codeql action version. |
|
Ah, CLI, that makes sense, that's why I didn't get it. I thought it was missing the release for 3.22. So the action "release notes" are only in CHANGELOG? If so, adding the middle paragraph of your above reply to that file might help people understand the version number, rather than implying/inferring it. (It makes total sense, but unconventional.) |
|
Thanks for the feedback. I'll let the team know. |
|
Hey there, just cross-posting from #2059: IMHO it is a bit confusing to have a new major version that is not reflected in the (Github) releases at all, making it hard to grasp the potential impact of a major upgrade! Also in the actual (markdown) changelog, you do see the 3.22.x release, but no 3.0.0 which is also confusing because I'd usually go look for that to see what breaking changes happend for v3 - hard/impossible to know which 3.x.x release was the first v3 release without this! FWIW I was notified of a new major release of this via dependabot, and usually I go and look for what has changed in the major to check if we can safely update, and this was not really easy to figure out here. |
|
Thanks for the feedback. We're working on some better communication around this. See my comment above, which is now incorporated into the CHANGELOG directly. |
|
|
@jsoref, thanks! Will update now. |
|
Without GitHub releases for the v3 tags Dependabot isn't picking up the changes and we're seeing Node deprecation warnings. |
|
Hi @stevehipwell, thank you for reporting this ✨ Do you mind sharing the version of the CodeQL Action you're currently on, as well as the relevant part of your Dependabot configuration file (usually |
|
@angelapwen as your v3 releases are only tags and the v2 releases are GH releases so I'd make a guess that that's the reason. It also makes manual discovery hard. The following repo has the issue. |
|
👋 @stevehipwell thank you for sharing. Our team looked into this and found that there was a mistaken bump to the SHA your workflow is pinned to, That said, if you manually change the SHA to one that is a CodeQL Action release SHA, you should receive all future Dependabot PRs — the problem is specifically coming from the SHA and not the distinction between GH releases vs. tags. We've filed some internal issues to more broadly address any other workflows stuck on that SHA, but the one-line change should be fine for unblocking individual workflows. Thanks again for reporting and let us know if you have any other questions! |
|
For those following along, that appears to be 650+ files: https://github.com/search?q=%22github%2Fcodeql-action%2Fupload-sarif%40cdcdbb579706841c47f7063dda365e292e5cad7a%22&type=code |
|
@angelapwen is there a reason why the v3 "releases" aren't GitHub releases? This issue would have been picked up quicker if they were. |
|
It looks like the problem version was used in the ossf/scorecard for the example workflow until a few weeks ago when they manually bumped the version. |
|
@jsoref thanks for the query but as there are sub actions (I thought GitHub recommends against this pattern), the query needs to take that into account. The following query returns 800+ instances. |
|
Thanks for following up @stevehipwell: historically, we've used GitHub releases for the We recognize that this mechanism has caused customer confusion and are looking into aligning GitHub releases on the |
|
As an update, folks on our team fixed the tags on v2.13.4 and the Dependabot PRs to bump from that version to the latest version are starting to come in now! |
and others
Update
We have released v3 of the CodeQL Action! We'll keep this note up for a week as a space for folks to ask follow-up questions or provide feedback
Description
Node.js 16 reached end of life last month, September 2023, half a year before its original anticipated EOL date. GitHub Actions will begin to display a warning to users notifying them about the upcoming migration starting October 23, 2023 (GitHub Changelog post).
Users of the CodeQL Action and code scanning workflows on GitHub.com, please know that:
actively working on creating another version of the CodeQL Action, v3, that will bump us to Node 20. has created another version of the CodeQL Action, v3, that bumps us to Node 20.This note will be linked to from the Action CHANGELOG as well as the repository README.
Please let us know in comments on this issue if there are any questions or concerns. Thank you!
The text was updated successfully, but these errors were encountered: