Merge pull request #3905 from github/update-v4.35.5-d4b485515

Merge main into releases/v4

Author: mbg

.github/workflows/codescanning-config-cli.yml

@@ -6,13 +6,6 @@ env:
   # Diff informed queries add an additional query filter which is not yet
   # taken into account by these tests.
   CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
-  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
-  # query filter. Here we only enable for the default code scanning suite.
-  CODEQL_ACTION_OVERLAY_ANALYSIS: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
-  CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK: false
-  CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS: true
 
 on:
   push:
@@ -79,33 +72,13 @@ jobs:
       with:
         version: ${{ matrix.version }}
 
-    # On PRs, overlay analysis may change the config that is passed to the CLI.
-    # Therefore, we have two variants of the following test, one for PRs and one for other events.
-    - name: Empty file (non-PR)
-      if: github.event_name != 'pull_request'
+    - name: Empty file
       uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: "{}"
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-    - name: Empty file (PR)
-      if: github.event_name == 'pull_request'
-      uses: ./../action/.github/actions/check-codescanning-config
-      with:
-        expected-config-file-contents: |
-          {
-            "query-filters": [
-              {
-                "exclude": {
-                  "tags": "exclude-from-incremental"
-                }
-              }
-            ]
-          }
-        languages: javascript
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-
     - name: Packs from input
       if: success() || failure()
       uses: ./../action/.github/actions/check-codescanning-config

.github/workflows/post-release-mergeback.yml

@@ -131,7 +131,7 @@ jobs:
           echo "::endgroup::"
 
       - name: Generate token
-        uses: actions/create-github-app-token@v3.1.1
+        uses: actions/create-github-app-token@v3.2.0
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/rollback-release.yml

@@ -136,7 +136,7 @@ jobs:
 
       - name: Generate token
         if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v3.1.1
+        uses: actions/create-github-app-token@v3.2.0
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/update-release-branch.yml

@@ -93,7 +93,7 @@ jobs:
       pull-requests: write # needed to create pull request
     steps:
     - name: Generate token
-      uses: actions/create-github-app-token@v3.1.1
+      uses: actions/create-github-app-token@v3.2.0
       id: app-token
       with:
         app-id: ${{ vars.AUTOMATION_APP_ID }}

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## 4.35.5 - 15 May 2026
+
+- We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#3899](https://github.com/github/codeql-action/pull/3899)
+- For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791)
+- If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
+- Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
+
 ## 4.35.4 - 07 May 2026
 
 - Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://github.com/github/codeql-action/pull/3881)

analyze/action.yml

@@ -95,5 +95,5 @@ outputs:
     description: The ID of the uploaded SARIF file.
 runs:
   using: node24
-  main: "../lib/analyze-action.js"
-  post: "../lib/analyze-action-post.js"
+  main: "../lib/analyze-entry.js"
+  post: "../lib/analyze-post-entry.js"

autobuild/action.yml

@@ -16,4 +16,4 @@ inputs:
     required: false
 runs:
   using: node24
-  main: '../lib/autobuild-action.js'
+  main: '../lib/autobuild-entry.js'

build.mjs

@@ -1,5 +1,5 @@
-import { copyFile, rm, writeFile } from "node:fs/promises";
-import { dirname, join } from "node:path";
+import { copyFile, readFile, rm, writeFile } from "node:fs/promises";
+import { basename, dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 
 import * as esbuild from "esbuild";
@@ -62,18 +62,123 @@ const onEndPlugin = {
   },
 };
 
+/** The name of the virtual `entry-points` module. */
+const SHARED_ENTRYPOINT = "entry-points";
+
+/**
+ * This plugin finds all source files that contain action entry points.
+ * It then generates the virtual `entry-points` module which imports all identifies files,
+ * and re-exports their `runWrapper` functions with suitable aliases.
+ * A tiny stub file is emitted for each Action entrypoint. Each stub imports the shared bundle
+ * and calls the respective entry point.
+ *
+ * @type {esbuild.Plugin}
+ */
+const entryPointsPlugin = {
+  name: "entry-points",
+  setup(build) {
+    const namespace = "actions";
+    const actions = [];
+
+    const toPascal = (s) =>
+      s.replace(/(^|-)([a-z0-9])/gi, (_, __, c) => c.toUpperCase());
+
+    // Find the source files containing action entry points.
+    build.onStart(() => {
+      const actionFiles = globSync("src/*-action{,-post}.ts");
+      for (const actionFile of actionFiles) {
+        const match = basename(actionFile).match(/(.*)-action(-post)?/);
+
+        if (match.length < 2) {
+          throw new Error(`'${actionFile}' didn't match expected pattern.`);
+        }
+
+        const actionName = match[1];
+        const isPost = match[2] !== undefined;
+
+        actions.push({
+          path: actionFile,
+          name: actionName,
+          isPost,
+          pascalCaseName: `${toPascal(actionName)}${isPost ? "Post" : ""}Action`,
+        });
+      }
+    });
+
+    // Resolve the virtual `entry-points` file and set the corresponding namespace.
+    // Ideally, we'd `RegExp.escape` the entrypoint here, but that API isn't supported in Node 20.
+    // Since we're dealing with a hardcoded string, this isn't too much of a problem.
+    build.onResolve({ filter: new RegExp(`^${SHARED_ENTRYPOINT}$`) }, () => {
+      return { path: SHARED_ENTRYPOINT, namespace };
+    });
+
+    // Generate the virtual `entry-points` file based on the actions we discovered.
+    // Restrict using the namespace. The path filter does not need to discriminate any further.
+    build.onLoad({ filter: /.*/, namespace }, async () => {
+      const wrapperTemplatePath = "entry-wrapper.js.tpl";
+      const wrapperTemplate = await readFile(
+        join(SRC_DIR, wrapperTemplatePath),
+        "utf-8",
+      );
+
+      const actionsSorted = actions.sort((a, b) =>
+        a.name.localeCompare(b.name),
+      );
+      const imports = actionsSorted
+        .map(
+          (action) =>
+            `import * as ${action.pascalCaseName} from "./src/${basename(action.path)}"`,
+        )
+        .join("\n");
+      const wrappers = actionsSorted
+        .map((action) =>
+          wrapperTemplate.replaceAll("__ACTION__", action.pascalCaseName),
+        )
+        .join("\n\n");
+
+      return {
+        contents: `"use strict";\n${imports}\n\n${wrappers}\n`,
+        resolveDir: ".",
+        loader: "ts",
+      };
+    });
+
+    // Emit entry point stubs for each action using the entry template.
+    build.onEnd(async (result) => {
+      // Read the entry point template.
+      const templatePath = "action-entry.js.tpl";
+      const template = await readFile(join(SRC_DIR, templatePath), "utf-8");
+
+      const makeHeader = (sourceFile) =>
+        `// Automatically generated from '${templatePath}' for 'src/${basename(sourceFile)}'.\n\n`;
+
+      // Write entry point stubs for each action.
+      for (const action of actions) {
+        await writeFile(
+          join(
+            OUT_DIR,
+            `${action.name}${action.isPost ? "-post" : ""}-entry.js`,
+          ),
+          makeHeader(action.path) +
+            template.replaceAll("__ACTION__", action.pascalCaseName),
+        );
+      }
+    });
+  },
+};
+
 const context = await esbuild.context({
   // Include upload-lib.ts as an entry point for use in testing environments.
-  entryPoints: globSync([
-    `${SRC_DIR}/*-action.ts`,
-    `${SRC_DIR}/*-action-post.ts`,
-    "src/upload-lib.ts",
-  ]),
+  entryPoints: [
+    { in: SHARED_ENTRYPOINT, out: SHARED_ENTRYPOINT },
+    join(SRC_DIR, "upload-lib.ts"),
+  ],
   bundle: true,
   format: "cjs",
   outdir: OUT_DIR,
   platform: "node",
-  plugins: [cleanPlugin, copyDefaultsPlugin, onEndPlugin],
+  external: ["./entry-points"],
+  plugins: [cleanPlugin, copyDefaultsPlugin, entryPointsPlugin, onEndPlugin],
   target: ["node20"],
   define: {
     __CODEQL_ACTION_VERSION__: JSON.stringify(pkg.version),

init/action.yml

@@ -171,5 +171,5 @@ outputs:
     description: The version of the CodeQL binary used for analysis
 runs:
   using: node24
-  main: '../lib/init-action.js'
-  post: '../lib/init-action-post.js'
+  main: '../lib/init-entry.js'
+  post: '../lib/init-post-entry.js'