Skip to content

Merge main into releases/v4#3776

Merged
oscarsj merged 69 commits intoreleases/v4from
update-v4.35.0-0078ad667
Mar 27, 2026
Merged

Merge main into releases/v4#3776
oscarsj merged 69 commits intoreleases/v4from
update-v4.35.0-0078ad667

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot commented Mar 27, 2026
edited by oscarsj
Loading

Merging 0078ad6 into releases/v4.

Conductor for this PR is @oscarsj.

Contains the following pull requests:

Please do the following:

  • Ensure the CHANGELOG displays the correct version and date.
  • Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.
  • Check that there are not any unexpected commits being merged into the releases/v4 branch.
  • Ensure the docs team is aware of any documentation changes that need to be released.
  • Mark the PR as ready for review to trigger the full set of PR checks.
  • Approve and merge this PR. Make sure Create a merge commit is selected rather than Squash and merge or Rebase and merge.
  • Merge the mergeback PR that will automatically be created once this PR is merged.
  • Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.

mbg and others added 30 commits March 16, 2026 19:34
@mbg
Add snippet to scaffold test.macros
193dd19
@mbg
Refactor PAT test into a test.macro
6e67ef6
@mbg
Add params for credentials and checkAccepted to testPATWarning
f86097d
@mbg
Add "token without a username" test
0393130
@mbg
Add assertNotLogged test helper
740f177
@mbg
Replace getRecordingLogger implementation with RecordingLogger
ddafddb
@mbg
Add hasMessage to RecordingLogger
de06821
@mbg
Add tests for the absence of the warning
28f515d
@mbg
Fix warning for PAT-like token with username
f88d49e
@dependabot
Bump fast-xml-parser from 5.5.6 to 5.5.7
1a45a9b 
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.5.6 to 5.5.7.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.5.6...v5.5.7)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.5.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@github-actions
Rebuild
64507ed
@github-actions
Update changelog and version after v4.34.1
8fd6c0e
@github-actions
Rebuild
8dc2e5d
@henrymercer
Merge pull request #3764 from github/mergeback/v4.34.1-to-main-38697555
05b1a5d 
Mergeback v4.34.1 refs/heads/releases/v4 into main
@henrymercer
Merge pull request #3587 from github/dependabot/npm_and_yarn/fast-xml…
72c0b0e 
…-parser-5.5.7

Bump fast-xml-parser from 5.5.6 to 5.5.7
@henrymercer
Use --stage instead of --format in git ls-files
d48d054
@henrymercer
Update minimum Git version required for overlay
28f56f2
@henrymercer
Add changelog note
8c023a6
@henrymercer
Merge pull request #3767 from github/henrymercer/overlay-reduce-minim…
eedab83 
…um-git-version

Reduce the minimum Git version required for overlay
@mbg
Fix test names
d128e5d
@mbg
Merge remote-tracking branch 'origin/main' into mbg/start-proxy/token…
137e0de 
…-check-fixes
@mbg
Merge pull request #3579 from github/mbg/start-proxy/token-check-fixes
3d564d9 
Fix warning for PAT-like token with username
@mbg
Convert release-branches.py to TypeScript
054745b
@mbg
Install node in release-initialise action
aa27731
@mbg
Replace release-branches.py with TS version in release-branches a…
3db9a05 
…ction
@mbg
Refactor backport computation into computeReleaseBranches
0d87a75
@mbg
Validate inputs
b72f4fe
@mbg
Add tests for release-branches.ts
49af37b
@mbg
Add config file for excluded checks from update-required-checks.sh
4867f59
@mbg
Add initial TS implementation of update-required-checks.sh
9813849
sam-robson and others added 17 commits March 25, 2026 15:51
@sam-robson
feat: always include files from diff in overlay changed files
521c353
@sam-robson
refactor: single source of truth for getDiffRangesJsonFilePath and si…
d5bb39f 
…mplified getDiffRangeFilePaths
@dependabot
Bump the npm-minor group with 5 updates
b659882 
Bumps the npm-minor group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [esbuild](https://github.com/evanw/esbuild) | `0.27.3` | `0.27.4` |
| [eslint-plugin-import-x](https://github.com/un-ts/eslint-plugin-import-x) | `4.16.1` | `4.16.2` |
| [eslint-plugin-jsdoc](https://github.com/gajus/eslint-plugin-jsdoc) | `62.7.1` | `62.8.0` |
| [sinon](https://github.com/sinonjs/sinon) | `21.0.2` | `21.0.3` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.57.0` | `8.57.1` |


Updates `esbuild` from 0.27.3 to 0.27.4
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.27.3...v0.27.4)

Updates `eslint-plugin-import-x` from 4.16.1 to 4.16.2
- [Release notes](https://github.com/un-ts/eslint-plugin-import-x/releases)
- [Changelog](https://github.com/un-ts/eslint-plugin-import-x/blob/master/CHANGELOG.md)
- [Commits](un-ts/eslint-plugin-import-x@v4.16.1...v4.16.2)

Updates `eslint-plugin-jsdoc` from 62.7.1 to 62.8.0
- [Release notes](https://github.com/gajus/eslint-plugin-jsdoc/releases)
- [Commits](gajus/eslint-plugin-jsdoc@v62.7.1...v62.8.0)

Updates `sinon` from 21.0.2 to 21.0.3
- [Release notes](https://github.com/sinonjs/sinon/releases)
- [Changelog](https://github.com/sinonjs/sinon/blob/main/docs/changelog.md)
- [Commits](sinonjs/sinon@v21.0.2...v21.0.3)

Updates `typescript-eslint` from 8.57.0 to 8.57.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.57.1/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.27.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor
- dependency-name: eslint-plugin-import-x
  dependency-version: 4.16.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor
- dependency-name: eslint-plugin-jsdoc
  dependency-version: 62.8.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor
- dependency-name: sinon
  dependency-version: 21.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor
- dependency-name: typescript-eslint
  dependency-version: 8.57.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump ruby/setup-ruby
a663d01 
Bumps the actions-minor group with 1 update in the /.github/workflows directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby).


Updates `ruby/setup-ruby` from 1.288.0 to 1.295.0
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb)
- [Commits](ruby/setup-ruby@09a7688...319994f)

---
updated-dependencies:
- dependency-name: ruby/setup-ruby
  dependency-version: 1.295.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@github-actions
Rebuild
ea7b090
@sam-robson
fix: improve error handling and logging for diff range path resolution
23a0098
@sam-robson
Merge pull request #3554 from github/sam-robson/overlay-include-diff
4bdd4e7 
feat: always include files from diff in overlay changed files
@mbg
Merge pull request #3575 from github/mbg/ts/sync-checks
3ff82aa 
Convert `release-branches.py` and `update-required-checks.sh` to TypeScript
@mbg
Merge pull request #3770 from github/dependabot/github_actions/dot-gi…
9d3ec57 
…thub/workflows/actions-minor-266139ee1d

Bump ruby/setup-ruby from 1.288.0 to 1.295.0 in /.github/workflows in the actions-minor group across 1 directory
@mbg
Merge branch 'main' into dependabot/npm_and_yarn/npm-minor-3536e7c6f0
6b1a9f2
@mbg
Merge pull request #3768 from github/dependabot/npm_and_yarn/npm-mino…
5cc552f 
…r-3536e7c6f0

Bump the npm-minor group with 5 updates
@dependabot
Bump yaml from 2.8.2 to 2.8.3
dd06097 
Bumps [yaml](https://github.com/eemeli/yaml) from 2.8.2 to 2.8.3.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.2...v2.8.3)

---
updated-dependencies:
- dependency-name: yaml
  dependency-version: 2.8.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@henrymercer
Merge pull request #3772 from github/dependabot/npm_and_yarn/yaml-2.8.3
f94817b 
Bump yaml from 2.8.2 to 2.8.3
@github-actions
Update default bundle to codeql-bundle-v2.25.1
8c29faa
@github-actions
Add changelog note
fa7a15b
@oscarsj
Merge pull request #3773 from github/update-bundle/codeql-bundle-v2.25.1
0078ad6 
Update default bundle to 2.25.1
@github-actions
Update changelog for v4.35.0
e9cf68b
@oscarsj oscarsj mentioned this pull request Mar 27, 2026
Closed
8 tasks
@oscarsj oscarsj marked this pull request as ready for review March 27, 2026 11:50
@oscarsj oscarsj requested a review from a team as a code owner March 27, 2026 11:50
Copilot AI review requested due to automatic review settings March 27, 2026 11:50
@github-actions github-actions bot added the size/XXL May be extremely hard to review label Mar 27, 2026
@oscarsj oscarsj enabled auto-merge March 27, 2026 11:51
Copilot AI reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Release mergeback bringing main into releases/v4, updating the action to v4.35.0 and incorporating recent feature work, dependency bumps, and release tooling changes for the v4 line.

Changes:

  • Bump action version to 4.35.0 and update CHANGELOG for the release.
  • Update default CodeQL bundle/CLI to 2.25.1 and adjust overlay/diff-informed analysis behavior.
  • Refresh dependencies and evolve release/pr-checks automation (new TypeScript scripts, workflow/script updates).

Reviewed changes

Copilot reviewed 39 out of 47 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
src/testing-utils.ts Adds additional test logger helpers and tightens immutability.
src/start-proxy.ts Refactors PAT-without-username warning condition for clarity.
src/start-proxy.test.ts Expands coverage around PAT warning behavior using a shared macro.
src/overlay/index.ts Ensures overlay changed-files includes diff-range file paths in addition to OID changes.
src/overlay/index.test.ts Adds tests covering diff-range merging and path conversion logic.
src/init-action.ts Persists PR diff ranges during init for later reuse by analyze.
src/git-utils.ts Lowers minimum Git version for overlay by switching ls-files output parsing strategy.
src/git-utils.test.ts Updates tests to match new git ls-files --stage parsing.
src/diff-informed-analysis-utils.ts Uses shared temp-file path helper and adds JSON parse error handling.
src/defaults.json Updates default bundle/CLI versions to 2.25.1.
src/config-utils.test.ts Updates git-version fallback test for new minimum Git requirement.
src/analyze.ts Switches diff-informed setup to read precomputed diff ranges instead of recomputing.
src/analyze-action.ts Simplifies diff-informed setup call site (based on init-produced file).
src/actions-util.ts Adds helper to compute the pr-diff-range.json file path in temp directory.
pr-checks/sync-checks.ts New TypeScript replacement for updating required checks via GitHub API.
pr-checks/sync-checks.test.ts Unit tests for required-check exclusion filtering.
pr-checks/release-branches.ts New TypeScript replacement for computing backport branches for releases.
pr-checks/release-branches.test.ts Unit tests for backport branch computation.
pr-checks/package.json Adds dependencies needed by new pr-checks scripts.
pr-checks/excluded.yml New configuration defining which checks to exclude from “required checks”.
pr-checks/config.ts New shared config (e.g., oldest supported major version, excluded checks file path).
pr-checks/checks/rubocop-multi-language.yml Updates pinned ruby/setup-ruby version in template.
package.json Bumps version to 4.35.0 and updates dev dependency versions.
package-lock.json Lockfile updates for dependency bumps and workspaces.
lib/upload-sarif-action-post.js Generated build output update (mirrors TS changes).
lib/start-proxy-action.js Generated build output update (mirrors TS changes).
lib/start-proxy-action-post.js Generated build output update (mirrors TS changes).
lib/setup-codeql-action.js Generated build output update (mirrors TS changes).
lib/defaults.json Generated defaults update (mirrors src/defaults.json).
eslint.config.mjs ESLint config adjustments (import deps handling, minor formatting/keys).
CONTRIBUTING.md Updates docs to point to new TypeScript scripts/config for required checks & deprecation.
CHANGELOG.md Adds 4.35.0 release entry.
.vscode/tests.code-snippets Adds a VS Code snippet to scaffold Ava test macros.
.github/workflows/script/update-required-checks.sh Removes legacy bash script for updating required checks.
.github/workflows/__rubocop-multi-language.yml Generated workflow update for new pinned ruby/setup-ruby version.
.github/releases.ini Removes legacy releases.ini config.
.github/actions/release-initialise/action.yml Adds Node setup step for release initialise composite action.
.github/actions/release-branches/release-branches.py Removes legacy Python implementation.
.github/actions/release-branches/action.yml Switches release-branches action to npx tsx implementation.

CHANGELOG.md
## 4.35.0 - 27 Mar 2026

- Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767)
- Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://github.com/github/codeql-action/pull/3773)
Copy link

Copilot AI Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The 4.35.0 section looks incomplete relative to the PRs being merged into this release branch. In particular, PRs like #3554 (overlay changed files should always include all PR diff files for diff-informed analysis) and #3579 (fix warning behavior for PAT-like token with username) appear user-facing but aren’t mentioned here. Please add any missing user-facing entries for this release (or confirm these are intentionally excluded).

Suggested change
- Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://github.com/github/codeql-action/pull/3773)
- Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://github.com/github/codeql-action/pull/3773)
- Ensured that the overlay of changed files used for diff-informed analysis always includes all files from the pull request diff. [#3554](https://github.com/github/codeql-action/pull/3554)
- Fixed the warning behavior when a personal access token-like value includes a username, so that warnings are accurate and not emitted unnecessarily. [#3579](https://github.com/github/codeql-action/pull/3579)

Copilot uses AI. Check for mistakes.
@oscarsj oscarsj merged commit b8bb9f2 into releases/v4 Mar 27, 2026
222 checks passed
@oscarsj oscarsj deleted the update-v4.35.0-0078ad667 branch March 27, 2026 12:11
@github-actions github-actions bot mentioned this pull request Mar 27, 2026
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@oscarsj oscarsj oscarsj approved these changes

Assignees

@oscarsj oscarsj

Labels

size/XXL May be extremely hard to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@oscarsj @mbg @henrymercer @sam-robson