
📢 Node 16 deprecation, upcoming CodeQL Action v3 📢

Open angelapwen opened this issue 2 years ago • 18 comments

Update

We have released v3 of the CodeQL Action! We'll keep this note up for a week as a space for folks to ask follow-up questions or provide feedback.

Description

Node.js 16 reached end of life last month, September 2023, half a year before its original anticipated EOL date. GitHub Actions will begin to display a warning to users notifying them about the upcoming migration starting October 23, 2023 (GitHub Changelog post).

Users of the CodeQL Action and code scanning workflows on GitHub.com, please know that:

  • You will begin to see these warnings in your Actions logs on code scanning runs starting October 23, 2023.
  • All code scanning workflows should continue to succeed regardless of the warning.
  • The team at GitHub maintaining the CodeQL Action is aware of the deprecation timeline and ~~actively working on creating another version of the CodeQL Action, v3, that will bump us to Node 20.~~ has created another version of the CodeQL Action, v3, that bumps us to Node 20.

This note will be linked to from the Action CHANGELOG as well as the repository README.

Please let us know in comments on this issue if there are any questions or concerns. Thank you!

angelapwen avatar Oct 18 '23 21:10 angelapwen

Is this fixed by #2006? Can you please create a GitHub release for the new tag? (and maybe explain why it's 3.22 and not 3.0)

Background: I got a Renovate PR, but don't understand the new release.

TWiStErRob avatar Dec 14 '23 10:12 TWiStErRob

Yes, v3 is now available and supports node 20. We're working through the details of exactly how to upgrade existing users from v2 to v3, but #2006 is a major part of deprecating node 16.

We have released 3.22 since v3 is identical to v2 except for the node version. This is an easy way for us (and for users) to track exactly which features you are getting.

Can you explain why you would like a new release for this? We generally only use releases for new codeql CLI versions, which are largely independent of the codeql action version.

aeisenberg avatar Dec 14 '23 18:12 aeisenberg

Ah, CLI, that makes sense, that's why I didn't get it. I thought it was missing the release for 3.22.

So the action "release notes" are only in CHANGELOG? If so, adding the middle paragraph of your above reply to that file might help people understand the version number, rather than implying/inferring it. (It makes total sense, but unconventional.)

TWiStErRob avatar Dec 14 '23 19:12 TWiStErRob

Thanks for the feedback. I'll let the team know.

aeisenberg avatar Dec 14 '23 19:12 aeisenberg

Hey there, just cross-posting from https://github.com/github/codeql-action/issues/2059:

IMHO it is a bit confusing to have a new major version that is not reflected in the (Github) releases at all, making it hard to grasp the potential impact of a major upgrade! Also in the actual (markdown) changelog, you do see the 3.22.x release, but no 3.0.0, which is also confusing because I'd usually go look for that to see what breaking changes happened for v3 - hard/impossible to know which 3.x.x release was the first v3 release without this!

FWIW I was notified of a new major release of this via dependabot, and usually I go and look for what has changed in the major to check if we can safely update, and this was not really easy to figure out here.

mydea avatar Jan 02 '24 09:01 mydea

Thanks for the feedback. We're working on some better communication around this. See my comment above, which is now incorporated into the CHANGELOG directly.

aeisenberg avatar Jan 09 '24 01:01 aeisenberg

@angelapwen:

  • The team at GitHub maintaining the CodeQL Action is aware of the deprecation timeline and ~~actively working on creating~~ has created another version of the CodeQL Action, v3, that ~~will bump~~ bumps us to Node 20.

jsoref avatar Feb 13 '24 21:02 jsoref

@jsoref, thanks! Will update now.

angelapwen avatar Feb 14 '24 09:02 angelapwen

Without GitHub releases for the v3 tags Dependabot isn't picking up the changes and we're seeing Node deprecation warnings.

stevehipwell avatar Apr 30 '24 15:04 stevehipwell

Hi @stevehipwell, thank you for reporting this ✨ Do you mind sharing the version of the CodeQL Action you're currently on, as well as the relevant part of your Dependabot configuration file (usually dependabot.yml) so that we can look into reproducing this behavior?

angelapwen avatar Apr 30 '24 18:04 angelapwen

@angelapwen, as your v3 releases are only tags and the v2 releases are GH releases, I'd make a guess that that's the reason. It also makes manual discovery hard.

The following repo has the issue.

https://github.com/stevehipwell/fluentd-aggregator

stevehipwell avatar Apr 30 '24 18:04 stevehipwell

👋 @stevehipwell thank you for sharing. Our team looked into this and found that there was a mistaken bump to the SHA your workflow is pinned to, cdcdbb579706841c47f7063dda365e292e5cad7a, which corresponds to a CodeQL bundle release (codeql-bundle-v2.13.4) and not a release of the CodeQL Action. As a result, anyone who received that update is no longer receiving any Dependabot PRs, as you indicated.

That said, if you manually change the SHA to one that is a CodeQL Action release SHA, you should receive all future Dependabot PRs — the problem is specifically coming from the SHA and not the distinction between GH releases vs. tags. We've filed some internal issues to more broadly address any other workflows stuck on that SHA, but the one-line change should be fine for unblocking individual workflows.

Thanks again for reporting and let us know if you have any other questions!

angelapwen avatar Apr 30 '24 20:04 angelapwen

For those following along, that appears to be 650+ files: https://github.com/search?q=%22github%2Fcodeql-action%2Fupload-sarif%40cdcdbb579706841c47f7063dda365e292e5cad7a%22&type=code

jsoref avatar Apr 30 '24 20:04 jsoref

@angelapwen is there a reason why the v3 "releases" aren't GitHub releases? This issue would have been picked up quicker if they were.

stevehipwell avatar May 01 '24 08:05 stevehipwell

It looks like the problem version was used in the ossf/scorecard for the example workflow until a few weeks ago when they manually bumped the version.

stevehipwell avatar May 01 '24 08:05 stevehipwell

@jsoref, thanks for the query, but as there are sub-actions (I thought GitHub recommends against this pattern), the query needs to take that into account. The following query returns 800+ instances.

https://github.com/search?q=%2Fgithub%5C%2Fcodeql-action%5C%2F.%2B%40cdcdbb579706841c47f7063dda365e292e5cad7a%2F&type=code

stevehipwell avatar May 01 '24 08:05 stevehipwell
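One way to audit your own workflows for the bad pin described in angelapwen's comment above, written to also cover the sub-action pattern (init, autobuild, analyze, upload-sarif) that stevehipwell's query accounts for. This is an added example, not tooling from the codeql-action project: it parses `github/codeql-action/<sub-action>@<ref>` lines from a workflow and classifies each 40-hex pin by the tags that point at that commit, using tag data in the shape `git ls-remote --tags` prints. Only the bundle SHA comes from this thread; the workflow and the other SHAs are constructed placeholders.

```python
import re

# Constructed tag listing in `git ls-remote --tags` format. The first SHA is the
# codeql-bundle-v2.13.4 commit named in this thread; the others are placeholders.
SAMPLE_LS_REMOTE = """\
cdcdbb579706841c47f7063dda365e292e5cad7a\trefs/tags/codeql-bundle-v2.13.4
1111111111111111111111111111111111111111\trefs/tags/v3.25.0
2222222222222222222222222222222222222222\trefs/tags/v3
2222222222222222222222222222222222222222\trefs/tags/v3.25.3
"""

# Constructed workflow fragment mixing a bundle-only pin, an Action-release pin
# and an unpinned (mutable) tag reference.
SAMPLE_WORKFLOW = """\
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
      - uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a
      - uses: github/codeql-action/analyze@1111111111111111111111111111111111111111 # v3.25.0
      - uses: github/codeql-action/upload-sarif@v3
"""

# Matches any codeql-action sub-action; ref is a full SHA or a tag/branch name.
USES_RE = re.compile(r"uses:\s*github/codeql-action/(?P<sub>[\w-]+)@(?P<ref>[0-9a-f]{40}|[^\s#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")
ACTION_TAG_RE = re.compile(r"^v\d+(\.\d+){0,2}$")  # v3, v3.25, v3.25.0


def parse_tags(ls_remote):
    """Map commit SHA -> list of tag names from `git ls-remote --tags` output."""
    tags = {}
    for line in ls_remote.splitlines():
        sha, ref = line.split("\t")
        tags.setdefault(sha, []).append(ref[len("refs/tags/"):])
    return tags


def classify_pin(ref, tags):
    """'bundle-only' is the stuck case: Dependabot sees no newer Action tag from it."""
    if not SHA_RE.fullmatch(ref):
        return "mutable"  # a tag or branch, not a commit pin
    names = tags.get(ref, [])
    if any(ACTION_TAG_RE.match(n) for n in names):
        return "action-release"
    if any(n.startswith("codeql-bundle-") for n in names):
        return "bundle-only"
    return "unknown"  # SHA not tagged at all in the listing


def audit_workflow(workflow, ls_remote):
    """Return (sub_action, ref, classification) for every codeql-action step."""
    tags = parse_tags(ls_remote)
    return [(m["sub"], m["ref"], classify_pin(m["ref"], tags)) for m in USES_RE.finditer(workflow)]
```

Any step reported as `bundle-only` is the one-line SHA change angelapwen describes; `mutable` entries are not affected by this bug but are not commit-pinned either.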

Thanks for following up @stevehipwell: historically, we've used GitHub releases for the codeql-action repo as a way to release the CodeQL bundle, which you'll see in https://github.com/github/codeql-action/releases. CodeQL bundles also include GitHub Action releases, but we also release the Action outside of the CodeQL bundle release schedule and use the tag mechanism for all Action releases.

We recognize that this mechanism has caused customer confusion and are looking into aligning GitHub releases on the codeql-action repo with releases of the CodeQL Action. It'll require some care because some customers and internal tools assume that the latest GitHub release on codeql-action is a CodeQL bundle. But it's definitely on our radar!

angelapwen avatar May 01 '24 19:05 angelapwen

As an update, folks on our team fixed the tags on v2.13.4 and the Dependabot PRs to bump from that version to the latest version are starting to come in now!

angelapwen avatar May 17 '24 22:05 angelapwen