
Merge main into releases/v4#3782

Merged
henrymercer merged 10 commits into releases/v4 from update-v4.35.1-d6d1743b8
Mar 27, 2026

Conversation

@github-actions

Merging d6d1743 into releases/v4.

Conductor for this PR is @henrymercer.

Contains the following pull requests:

Please do the following:

  • Ensure the CHANGELOG displays the correct version and date.
  • Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.
  • Check that there are not any unexpected commits being merged into the releases/v4 branch.
  • Ensure the docs team is aware of any documentation changes that need to be released.
  • Mark the PR as ready for review to trigger the full set of PR checks.
  • Approve and merge this PR. Make sure Create a merge commit is selected rather than Squash and merge or Rebase and merge.
  • Merge the mergeback PR that will automatically be created once this PR is merged.
  • Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.

dependabot bot and others added 10 commits March 27, 2026 10:25
Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.3.3 to 1.4.0.
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.3...v1.4.0)

---
updated-dependencies:
- dependency-name: node-forge
  dependency-version: 1.4.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Mergeback v4.35.0 refs/heads/releases/v4 into main
…ge-1.4.0

Bump node-forge from 1.3.3 to 1.4.0
…ersion

Update minimum Git version for overlay to 2.36.0
@henrymercer henrymercer marked this pull request as ready for review March 27, 2026 15:41
@henrymercer henrymercer requested a review from a team as a code owner March 27, 2026 15:41
Copilot AI review requested due to automatic review settings March 27, 2026 15:41
@github-actions github-actions bot added the `size/XS` (Should be very easy to review) label Mar 27, 2026

Copilot AI left a comment


Pull request overview

Release-branch merge bringing recent main changes into releases/v4, including the 4.35.1 version bump and dependency/overlay-related updates.

Changes:

  • Bump action version to 4.35.1 and update the CHANGELOG for the release.
  • Update the minimum Git version required for overlay/improved incremental analysis to 2.36.0.
  • Bump node-forge to 1.4.0 (security fixes) and update lockfile; regenerate distribution files in lib/.

Reviewed changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated 2 comments.

Summary per file:

| File | Description |
| --- | --- |
| src/git-utils.ts | Updates overlay minimum Git version constant and related comments. |
| package.json | Bumps package version to 4.35.1 and updates node-forge dependency. |
| package-lock.json | Locks updated package version and node-forge 1.4.0 metadata. |
| CHANGELOG.md | Adds 4.35.1 release notes entry. |
| lib/upload-sarif-action.js | Generated distribution update (version string). |
| lib/upload-sarif-action-post.js | Generated distribution update (version string). |
| lib/upload-lib.js | Generated distribution update (version string). |
| lib/start-proxy-action.js | Generated distribution update (node-forge changes + version string). |
| lib/start-proxy-action-post.js | Generated distribution update (version string). |
| lib/setup-codeql-action.js | Generated distribution update (version string). |
| lib/resolve-environment-action.js | Generated distribution update (version string). |
| lib/init-action.js | Generated distribution update (version string + min Git version constant). |
| lib/init-action-post.js | Generated distribution update (version string). |
| lib/autobuild-action.js | Generated distribution update (version string). |
| lib/analyze-action.js | Generated distribution update (version string). |
| lib/analyze-action-post.js | Generated distribution update (version string). |


## 4.35.0 - 27 Mar 2026

- Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767)

Copilot AI Mar 27, 2026


The 4.35.0 entry still states the minimum Git version for improved incremental analysis was reduced to 2.11.0, but this PR indicates the correct minimum is 2.36.0. Consider correcting the 4.35.0 release note (or otherwise preventing readers from being misled) rather than only adding a 4.35.1 correction entry.

Suggested change:

```diff
-- Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767)
+- Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.36.0. [#3767](https://github.com/github/codeql-action/pull/3767)
```


## 4.35.1 - 27 Mar 2026

- Fix incorrect minimum required Git version for [improved incremental analysis](https://github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://github.com/github/codeql-action/pull/3781)

Copilot AI Mar 27, 2026


The 4.35.1 changelog entry is missing the node-forge dependency security update (PR #3775). Since this release bumps node-forge to 1.4.0 to address multiple high-severity issues, it should be captured as a user-facing change (at least as a security/dependency update) in the 4.35.1 section.

Suggested change:

```diff
 - Fix incorrect minimum required Git version for [improved incremental analysis](https://github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://github.com/github/codeql-action/pull/3781)
+- Updated the `node-forge` dependency to version 1.4.0 to address multiple high-severity security issues. [#3775](https://github.com/github/codeql-action/pull/3775)
```

@henrymercer henrymercer merged commit c10b806 into releases/v4 Mar 27, 2026
221 checks passed
@henrymercer henrymercer deleted the update-v4.35.1-d6d1743b8 branch March 27, 2026 16:07
@github-actions github-actions bot mentioned this pull request Mar 27, 2026