Merge branch 'main' into henrymercer/require-codeql-2.19.4

Author: henrymercer

.github/update-release-branch.py

@@ -16,12 +16,23 @@
 """
 
 # NB: This exact commit message is used to find commits for reverting during backports.
-# Changing it requires a transition period where both old and new versions are supported.
+# Changing it requires a transition period where both old and new versions are supported.
 BACKPORT_COMMIT_MESSAGE = 'Update version and changelog for v'
 
 # Name of the remote
 ORIGIN = 'origin'
 
+# Environment variables to check for a GitHub API token.
+TOKEN_ENVIRONMENT_VARIABLES = ('GH_TOKEN', 'GITHUB_TOKEN')
+
+# Gets a GitHub API token from one of the supported environment variables.
+def get_github_token():
+  for variable_name in TOKEN_ENVIRONMENT_VARIABLES:
+    token = os.environ.get(variable_name, '').strip()
+    if token:
+      return token
+  raise Exception('Missing GitHub token. Set GITHUB_TOKEN or GH_TOKEN.')
+
 # Runs git with the given args and returns the stdout.
 # Raises an error if git does not exit successfully (unless passed
 # allow_non_zero_exit_code=True).
@@ -270,12 +281,6 @@ def update_changelog(version):
 def main():
   parser = argparse.ArgumentParser('update-release-branch.py')
 
-  parser.add_argument(
-    '--github-token',
-    type=str,
-    required=True,
-    help='GitHub token, typically from GitHub Actions.'
-  )
   parser.add_argument(
     '--repository-nwo',
     type=str,
@@ -313,7 +318,7 @@ def main():
   target_branch = args.target_branch
   is_primary_release = args.is_primary_release
 
-  repo = Github(args.github_token).get_repo(args.repository_nwo)
+  repo = Github(get_github_token()).get_repo(args.repository_nwo)
 
   # the target branch will be of the form releases/vN, where N is the major version number
   target_branch_major_version = target_branch.strip('releases/v')

.github/workflows/__multi-language-autodetect.yml

@@ -77,7 +77,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14-xlarge,macos-15-xlarge]
         tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 

.github/workflows/__swift-autobuild.yml

@@ -6,13 +6,6 @@ env:
   # Diff informed queries add an additional query filter which is not yet
   # taken into account by these tests.
   CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
-  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
-  # query filter. Here we only enable for the default code scanning suite.
-  CODEQL_ACTION_OVERLAY_ANALYSIS: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true
 
 on:
   push:
@@ -79,33 +72,13 @@ jobs:
       with:
         version: ${{ matrix.version }}
 
-    # On PRs, overlay analysis may change the config that is passed to the CLI.
-    # Therefore, we have two variants of the following test, one for PRs and one for other events.
-    - name: Empty file (non-PR)
-      if: github.event_name != 'pull_request'
+    - name: Empty file
       uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: "{}"
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-    - name: Empty file (PR)
-      if: github.event_name == 'pull_request'
-      uses: ./../action/.github/actions/check-codescanning-config
-      with:
-        expected-config-file-contents: |
-          {
-            "query-filters": [
-              {
-                "exclude": {
-                  "tags": "exclude-from-incremental"
-                }
-              }
-            ]
-          }
-        languages: javascript
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-
     - name: Packs from input
       if: success() || failure()
       uses: ./../action/.github/actions/check-codescanning-config

.github/workflows/codeql.yml

@@ -131,7 +131,7 @@ jobs:
           echo "::endgroup::"
 
       - name: Generate token
-        uses: actions/create-github-app-token@v3.1.1
+        uses: actions/create-github-app-token@v3.2.0
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/codescanning-config-cli.yml

@@ -136,7 +136,7 @@ jobs:
 
       - name: Generate token
         if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v3.1.1
+        uses: actions/create-github-app-token@v3.2.0
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/post-release-mergeback.yml

@@ -64,11 +64,12 @@ jobs:
 
     - name: Update current release branch
       if: github.event_name == 'workflow_dispatch'
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
         echo SOURCE_BRANCH=${REF_NAME}
         echo TARGET_BRANCH=releases/${MAJOR_VERSION}
         python .github/update-release-branch.py \
-          --github-token ${{ secrets.GITHUB_TOKEN }} \
           --repository-nwo ${{ github.repository }} \
           --source-branch '${{ env.REF_NAME }}' \
           --target-branch 'releases/${{ env.MAJOR_VERSION }}' \
@@ -93,7 +94,7 @@ jobs:
       pull-requests: write # needed to create pull request
     steps:
     - name: Generate token
-      uses: actions/create-github-app-token@v3.1.1
+      uses: actions/create-github-app-token@v3.2.0
       id: app-token
       with:
         app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -107,11 +108,12 @@ jobs:
     - uses: ./.github/actions/release-initialise
 
     - name: Update older release branch
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
         echo SOURCE_BRANCH=${SOURCE_BRANCH}
         echo TARGET_BRANCH=${TARGET_BRANCH}
         python .github/update-release-branch.py \
-          --github-token ${{ secrets.GITHUB_TOKEN }} \
           --repository-nwo ${{ github.repository }} \
           --source-branch ${SOURCE_BRANCH} \
           --target-branch ${TARGET_BRANCH} \

.github/workflows/rollback-release.yml

@@ -4,6 +4,13 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
+- Add support for SHA-256 Git object IDs. [#3893](https://github.com/github/codeql-action/pull/3893)
+
+## 4.35.5 - 15 May 2026
+
+- We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#3899](https://github.com/github/codeql-action/pull/3899)
+- For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791)
+- If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
 - Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
 - _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894)
 

.github/workflows/update-release-branch.yml

@@ -71,7 +71,7 @@ Once the mergeback and backport pull request have been merged, the release is co
 
 Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [sync-checks.ts](pr-checks/sync-checks.ts) script:
 
-- At a minimum, you must provide an argument for the `--token` input. For example, `--token "$(gh auth token)"` to use the same token that `gh` uses. If no token is provided or the token has insufficient permissions, the script will fail.
+- At a minimum, you must provide a token with permissions to update branch protection rules. For example, `gh auth token | pr-checks/sync-checks.ts --token-stdin` uses the same token that `gh` uses. You can also set the `GH_TOKEN` or `GITHUB_TOKEN` environment variable. If no token is provided or the token has insufficient permissions, the script will fail.
 - By default, the script performs a dry run and outputs information about the changes it would make to the branch protection rules. To actually apply the changes, specify the `--apply` flag.
 - If you run the script without any other arguments, it will retrieve the set of workflows that ran for the latest commit on `main`.
 - You can specify a different git ref with the `--ref` input. You will likely want to use this if you have a PR that removes or adds PR checks. For example, `--ref "some/branch/name"` to use the HEAD of the `some/branch/name` branch.