Merge pull request #2113 from github/update-v3.24.0-2db032717

Merge main into releases/v3

CHANGELOG.md

@@ -4,6 +4,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.
 
+## 3.24.0 - 02 Feb 2024
+
+- CodeQL Python analysis will no longer install dependencies on GitHub Enterprise Server, as is already the case for GitHub.com. See [release notes for 3.23.0](#3230---08-jan-2024) for more details. [#2106](https://github.com/github/codeql-action/pull/2106)
+
 ## 3.23.2 - 26 Jan 2024
 
 - On Linux, the maximum possible value for the `--threads` option now respects the CPU count as specified in `cgroup` files to more accurately reflect the number of available cores when running in containers. [#2083](https://github.com/github/codeql-action/pull/2083)

README.md

@@ -16,6 +16,19 @@ We recommend using default setup to configure CodeQL analysis for your repositor
 
 You can also configure advanced setup for a repository to find security vulnerabilities in your code using a highly customizable code scanning configuration. For more information, see "[Configuring advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)" and "[Customizing your advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)."
 
+## Supported versions of the CodeQL Action
+
+The following versions of the CodeQL Action are currently supported:
+
+- v3 (latest)
+- v2 (deprecated, support will end on December 5th, 2024)
+
+The only difference between CodeQL Action v2 and v3 is the version of Node.js on which they run. CodeQL Action v3 runs on Node 20, while CodeQL Action v2 runs on Node 16.
+
+To provide the best experience to customers using older versions of GitHub Enterprise Server, we will continue to release CodeQL Action v2 so that these customers can continue to run the latest version of CodeQL as long as their version of GitHub Enterprise Server is supported. For example CodeQL Action v3.22.11 was the first release of CodeQL Action v3 and is functionally identical to v2.22.11. This approach provides an easy way to track exactly which features are included in different versions by looking at the minor and patch version numbers.
+
+For more information, see ["Code scanning: deprecation of CodeQL Action v2."](https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/).
+
 ## Troubleshooting
 
 Read about [troubleshooting code scanning](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning).

analyze/action.yml

@@ -52,10 +52,10 @@ inputs:
     # If changing this, make sure to update workflow.ts accordingly.
     default: ${{ github.workspace }}
   ref:
-    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is not available in pull requests from forks."
+    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is ignored for pull requests from forks."
     required: false
   sha:
-    description: "The sha of the HEAD of the ref where results will be uploaded. If not provided, the Action will use the GITHUB_SHA environment variable. If provided, the ref input must be provided as well. This input is not available in pull requests from forks."
+    description: "The sha of the HEAD of the ref where results will be uploaded. If not provided, the Action will use the GITHUB_SHA environment variable. If provided, the ref input must be provided as well. This input is ignored for pull requests from forks."
     required: false
   category:
     description: String used by Code Scanning for matching the analyses

init/action.yml

@@ -10,6 +10,23 @@ inputs:
     description: |
       A comma-separated value of the languages to be analysed e.g. python,javascript
     required: false
+  build-mode:
+    description: >-
+      [Experimental, for internal testing only] The build mode that will be used to analyze the language.
+      This input is only available in single-language analyses.
+
+      Available build modes will differ based on the language being analyzed. One of: 
+
+      - none:      The database will be created without building the source code.
+                   Available for all interpreted languages and some compiled languages.
+      - autobuild: The database will be created by attempting to automatically build the source code.
+                   To use this build mode, ensure that your workflow calls the `autobuild` action
+                   between the `init` and `analyze` steps.
+                   Available for all compiled languages.
+      - manual:    The database will be created by building the source code using a manually specified
+                   build command. To use this build mode, specify manual build steps in your workflow
+                   between the `init` and `analyze` steps. Available for all compiled languages.
+    required: false
   token:
     description: GitHub token to use for authenticating with this instance of GitHub. To download custom packs from multiple registries, use the registries input.
     default: ${{ github.token }}