📢 upcoming v3 deprecation, v4 now released 📢

Open mario-campos opened this issue 1 month ago • 6 comments

Notice of v3 deprecation

Node.js 20.x (the runtime used by CodeQL Action v3) reaches end-of-life on 30 April 2026: https://nodejs.org/en/blog/release/v20.9.0. To keep the Action running on a supported runtime, we have released CodeQL Action v4, which uses Node.js 24.

For more information, please see the Changelog post.

Deprecation warnings

Starting this month, CodeQL Action v3 will begin to emit warnings to the workflow logs that v3 will soon be deprecated.

Need help?

If you have questions, encounter issues while migrating, or need more time, please leave a comment on this issue. We’ll be monitoring feedback and can help where possible. Thank you!

mario-campos avatar Nov 03 '25 19:11 mario-campos

Deprecation message states v3 will be deprecated December 2026. However, it generates an error breaking all scanning using v3

 C:\hostedtoolcache\windows\CodeQL\2.23.5\x64\codeql\codeql.exe database finalize --finalize-dataset --threads=2 --ram=6655 D:\a\_temp\codeql_databases\javascript
  CodeQL detected code written in C# and GitHub Actions, but not any written in JavaScript/TypeScript. Confirm that there is some source code for JavaScript/TypeScript in the project. For more information, review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build .
  Error: Encountered a fatal error while running "C:\hostedtoolcache\windows\CodeQL\2.23.5\x64\codeql\codeql.exe database finalize --finalize-dataset --threads=2 --ram=6655 D:\a\_temp\codeql_databases\javascript". Exit code was 32 and last log line was: CodeQL detected code written in C# and GitHub Actions, but not any written in JavaScript/TypeScript. Confirm that there is some source code for JavaScript/TypeScript in the project. For more information, review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build . See the logs for more details.

Issue: https://github.com/github/codeql-action/issues/3297

brian-welsh avatar Nov 14 '25 18:11 brian-welsh

@brian-welsh I have responded in the issue you created/linked.

mbg avatar Nov 14 '25 19:11 mbg

I'm not sure where to report this but it seems GitHub itself is still using v3. Our codeql logs start with

Error: CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/

This is coming from the embedded CodeQL check, we are not doing anything custom.

ulgens avatar Nov 15 '25 14:11 ulgens

Hi @ulgens,

Thanks -- we are aware and in the process of updating the Default Setup workflow to use v4. Obviously this will be done in good time before v3 is deprecated and there's nothing you need to do there.

We wanted to get the deprecation message out as soon as possible to give everyone with custom workflows as much notice as possible to make the change.

mbg avatar Nov 15 '25 15:11 mbg

@mbg Thank you, but I'm still confused. If it's too early even for GitHub to use v4, why is there even a deprecation warning? I do understand the concern you shared, but I'm not sure it creates the result you intend. Seeing a deprecation warning for an internal tool that we have no control over feels weird and problematic.

ulgens avatar Nov 15 '25 15:11 ulgens

> If it's too early even for GitHub to use v4, why is there even a deprecation warning?

In general, the purpose of a deprecation message is to give as much notice of a forthcoming deprecation as possible, to allow everyone to plan for it and take whatever steps are necessary to migrate to the new version.

It's not too early to use v4 of the CodeQL Action, if you are currently using v3 and are able to upgrade.

> Seeing a deprecation warning for an internal tool that we have no control over feels weird and problematic.

Thank you for this feedback and I understand your point, but the message is purely informative and has no effect on the outcomes, results, or behaviours of the workflows. There is some value in having this message, even for Default Setup. For example, you may have a combination of Default Setup and Advanced Setup configurations for CodeQL and displaying the message in logs for both helps raise awareness. Furthermore, if you have configured restrictions for which Actions or which versions of Actions are allowed to be used in your organisation, then that may need to be updated to allow v4 even if you are only using Default Setup.

Like I said, we are in the process of getting the Default Setup workflow upgraded to v4 and I would hope that this will ship in the coming week. The message will disappear from those workflows then.

mbg avatar Nov 16 '25 14:11 mbg
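
For the "update all occurrences of the CodeQL Action in your workflow files to v4" step, here is an added example (not part of the thread and not code from the CodeQL Action project) that lists every `github/codeql-action` reference in a workflow and flags those still below v4, including SHA-pinned references whose version appears only in a trailing comment. The sample workflow, the placeholder SHA and all function names are constructed for illustration.

```python
import re

# "uses: github/codeql-action[/<sub-action>]@<ref>", optionally quoted, optional trailing comment
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?github/codeql-action(?P<sub>/[\w./-]+)?"
    r"@(?P<ref>[^\s'\"#]+)['\"]?\s*(?:#\s*(?P<comment>.*))?$"
)
SHA_RE = re.compile(r"[0-9a-f]{40}")
TAG_RE = re.compile(r"v?(\d+)(?:\.\d+)*")   # v3, v3.1, 3.1.4
COMMENT_TAG_RE = re.compile(r"\bv(\d+)")    # "# v3" after a SHA pin


def major_of(ref, comment):
    """Return the major version as an int, or None when it cannot be determined."""
    if SHA_RE.fullmatch(ref):
        # A SHA pin hides the version; only a trailing comment can reveal it.
        m = COMMENT_TAG_RE.search(comment or "")
    else:
        m = TAG_RE.fullmatch(ref)
    return int(m.group(1)) if m else None


def find_codeql_refs(workflow_text):
    """Return (line_no, action, ref, major) for every CodeQL Action reference."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action = "github/codeql-action" + (m.group("sub") or "")
            ref = m.group("ref")
            findings.append((no, action, ref, major_of(ref, m.group("comment"))))
    return findings


def needs_migration(findings):
    """References below major 4, plus unknown majors (branches, uncommented SHAs)."""
    return [f for f in findings if f[3] is None or f[3] < 4]


# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      - uses: github/codeql-action/autobuild@v4
      - uses: github/codeql-action/analyze@0123456789abcdef0123456789abcdef01234567 # v3
"""

if __name__ == "__main__":
    for no, action, ref, major in needs_migration(find_codeql_refs(SAMPLE_WORKFLOW)):
        print(f"line {no}: {action}@{ref} (major: {major})")
```

References whose major version cannot be determined are reported rather than skipped, so a branch name or an uncommented SHA pin gets reviewed by hand.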