Bump minimum CodeQL CLI version to 2.19.4

CHANGELOG.md

@@ -12,6 +12,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 - For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791)
 - If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
 - Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
+- _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894)
 
 ## 4.35.4 - 07 May 2026
 

README.md

@@ -78,8 +78,6 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 | `v3.28.21` | `2.21.3` | Enterprise Server 3.18 | |
 | `v3.28.12` | `2.20.7` | Enterprise Server 3.17 | |
 | `v3.28.6` | `2.20.3` | Enterprise Server 3.16 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.15 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.35.6",
+  "version": "4.36.0",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

pr-checks/checks/rust.yml

@@ -2,7 +2,7 @@ name: "Rust analysis"
 description: "Tests creation of a Rust database"
 versions:
   # experimental rust support introduced, requires action to set `CODEQL_ENABLE_EXPERIMENTAL_FEATURES`
-  - stable-v2.19.3
+  - stable-v2.19.4
   # first public preview version
   - stable-v2.22.1
   - linked

pr-checks/sync.ts

@@ -115,17 +115,17 @@ type LanguageSetups = Partial<Record<BuiltInLanguage, LanguageSetup>>;
 // The default set of CodeQL Bundle versions to use for the PR checks.
 const defaultTestVersions = [
   // The oldest supported CodeQL version. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
-  "stable-v2.17.6",
-  // The last CodeQL release in the 2.18 series.
-  "stable-v2.18.4",
-  // The last CodeQL release in the 2.19 series.
   "stable-v2.19.4",
   // The last CodeQL release in the 2.20 series.
   "stable-v2.20.7",
   // The last CodeQL release in the 2.21 series.
   "stable-v2.21.4",
   // The last CodeQL release in the 2.22 series.
   "stable-v2.22.4",
+  // The last CodeQL release in the 2.23 series.
+  "stable-v2.23.9",
+  // The last CodeQL release in the 2.24 series.
+  "stable-v2.24.3",
   // The default version of CodeQL for Dotcom, as determined by feature flags.
   "default",
   // The version of CodeQL shipped with the Action in `defaults.json`. During the release process

src/codeql.test.ts

@@ -1072,15 +1072,15 @@ test.serial(
 );
 
 test.serial(
-  "Avoids duplicating --overwrite flag if specified in CODEQL_ACTION_EXTRA_OPTIONS",
+  "Avoids duplicating --force-overwrite flag if specified in CODEQL_ACTION_EXTRA_OPTIONS",
   async (t) => {
     const runnerConstructorStub = stubToolRunnerConstructor();
     const codeqlObject = await stubCodeql();
     // io throws because of the test CodeQL object.
     sinon.stub(io, "which").resolves("");
 
     process.env["CODEQL_ACTION_EXTRA_OPTIONS"] =
-      '{ "database": { "init": ["--overwrite"] } }';
+      '{ "database": { "init": ["--force-overwrite"] } }';
 
     await codeqlObject.databaseInitCluster(
       stubConfig,
@@ -1093,9 +1093,9 @@ test.serial(
     t.true(runnerConstructorStub.calledOnce);
     const args = runnerConstructorStub.firstCall.args[1] as string[];
     t.is(
-      args.filter((option: string) => option === "--overwrite").length,
+      args.filter((option: string) => option === "--force-overwrite").length,
       1,
-      "--overwrite should only be passed once",
+      "--force-overwrite should only be passed once",
     );
 
     // Clean up