
build(deps): bump github/codeql-action from 4 to 4.35.1 #20817

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github/codeql-action-4.35.1

Conversation

@dependabot (Contributor) commented on behalf of github, Apr 21, 2026

Bumps github/codeql-action from 4 to 4.35.1.

Release notes

Sourced from github/codeql-action's releases.

v4.35.1

v4.35.0

v4.34.1

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v4.34.0

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

v4.33.0

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

v4.32.6

  • Update default CodeQL bundle version to 2.24.3. #3548

v4.32.5

  • Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
  • Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
  • The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
  • Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
  • Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
  • Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
  • The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

v4.32.4

  • Update default CodeQL bundle version to 2.24.2. #3493
  • Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
  • When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
  • Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
  • Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

v4.32.3

  • Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

4.35.1 - 27 Mar 2026

4.35.0 - 27 Mar 2026

4.34.1 - 20 Mar 2026

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

  • Update default CodeQL bundle version to 2.24.3. #3548

4.32.5 - 02 Mar 2026

  • Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
  • Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
  • The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
  • Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
  • Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
  • Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
  • The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

4.32.4 - 20 Feb 2026

  • Update default CodeQL bundle version to 2.24.2. #3493

... (truncated)

Commits
  • c10b806 Merge pull request #3782 from github/update-v4.35.1-d6d1743b8
  • c5ffd06 Update changelog for v4.35.1
  • d6d1743 Merge pull request #3781 from github/henrymercer/update-git-minimum-version
  • 65d2efa Add changelog note
  • 2437b20 Update minimum git version for overlay to 2.36.0
  • ea5f719 Merge pull request #3775 from github/dependabot/npm_and_yarn/node-forge-1.4.0
  • 45ceeea Merge pull request #3777 from github/mergeback/v4.35.0-to-main-b8bb9f28
  • 24448c9 Rebuild
  • 7c51060 Update changelog and version after v4.35.0
  • b8bb9f2 Merge pull request #3776 from github/update-v4.35.0-0078ad667
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk workflow-only change that pins github/codeql-action to a newer patch release; main impact is potential CI/CodeQL scanning behavior differences from the upstream action update.

Overview
Updates the CodeQL GitHub Actions workflow to pin github/codeql-action from v4 to v4.35.1 for the init, autobuild, and analyze steps, keeping CodeQL scanning on the latest patch release.

Reviewed by Cursor Bugbot for commit 2aa7177. Bugbot is set up for automated code reviews on this repo.

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v4...v4.35.1)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update Github_actions code), Apr 21, 2026
@dependabot requested a review from a team as a code owner, April 21, 2026 20:25
@github-actions (Contributor)

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Checking how this repo references github/codeql-action to ground the review.

Verdict: benign

Why this looks safe

  1. What actually changes in chia-blockchain
    The repo only pins the official action in one workflow (init, autobuild, analyze, all github/codeql-action/...@v4.35.1). Publisher is github/, not a fork or typosquat; behavior is still “run CodeQL as configured.”

  2. Scanner report
    Post-allowlist: 0 Unicode/confusable/IOC hits. The huge “heuristic” count is almost entirely charCodeAt / similar matches in bundled lib/*.js from upstream—normal for compiled action code, not evidence of a decoder-based payload. The scan range is the upstream codeql-action tag delta; that’s noisy by design, not a red flag by itself.

  3. Checklist (short)

    • Obfuscation / exfil / persistence: No basis to suspect that in this PR beyond “the action always runs code on GitHub’s runner” (inherent to any action).
    • Invisible Unicode: Scanner cleared.
    • Integrity: v4.35.1 is a published release on github/codeql-action; changelog matches Dependabot’s notes (including the Git 2.36.0 fix after 4.35.0).
    • Dependabot nuance: Editing .github/workflows/ here is expected for a github_actions bump; suspicion would be extra steps, odd run: blocks, or non-github/ actions—not version bumps of an existing CodeQL action.

Actionable note: If you rely on CodeQL “file coverage” on PRs, upstream is changing that in April 2026 unless you opt in via repo property or CODEQL_ACTION_FILE_COVERAGE_ON_PRS—operational, not malicious.

Compatibility Analysis

Searching the repo for github/codeql-action usage and scanning workflow files for compatibility context.

Here is a concise review you can use for the PR.


1) Where it’s used

Location: 50:75:/home/runner/work/chia-blockchain/chia-blockchain/.github/workflows/codeql-analysis.yml
Role: Only workflow reference: github/codeql-action/init, /autobuild, and /analyze, all pinned to the same tag (v4.35.1 in the tree you have).

Scope: Python-only matrix, ubuntu-latest, gated with if: github.repository_owner == 'Chia-Network'.

Note: Hits under .upstream-dependency/ are from a bundled upstream copy of codeql-action (CI/malware tooling context), not additional call sites for your app’s CodeQL workflow.


2) Overlap with release-note / upstream changes

Your workflow uses the default trilogy (init → autobuild → analyze) with languages: ${{ matrix.language }} only. You do not use:

  • upload-sarif as a separate step
  • custom tools: URLs, advanced registry/OIDC
  • repository custom properties / GHES-specific behavior
  • C/C++ with build-mode: none (you only analyze Python)

Release notes for 4.33 → 4.35.1 are dominated by: default CodeQL bundle churn, improved incremental analysis / TRAP caching, optional file-coverage-on-PRs behavior (April 2026), GHES and private-registry features, and a Git version threshold fix for overlay/incremental paths.

Conclusion: None of that maps to a public action input/output API your workflow relies on. Intersection is indirect: you get the bundled CodeQL version the action ships (e.g. 2.25.1 with v4.35.0), which can change Python scan results slightly but is normal for this dependency.


3) Risks / unknowns

  • Finding churn: Newer bundles can add or refine rules; expect possible alert count/triage changes, not workflow syntax breaks.
  • PR file coverage (from 4.33.0): Starting April 2026, PR runs may skip file-coverage collection (warning in logs). Only matters if you depended on that signal on PRs; restore via CODEQL_ACTION_FILE_COVERAGE_ON_PRS=true or org repo properties if needed.
  • Self-hosted / old runners: Git ≥ 2.36.0 matters for “improved incremental analysis” overlay paths; GitHub-hosted ubuntu-latest is fine. Only relevant if you later move CodeQL to old self-hosted images.
  • 4.34.1 bundle downgrade in the middle of the range was temporary; 4.35.0 moves default bundle forward again—no action required on your side.

4) Recommendation: merge

Stay on the v4 major pin, three standard actions, Python-only, hosted runners: this is a routine security-tooling bump. Merge; optionally re-check CodeQL results on one PR for unexpected alert deltas. Use merge-with-caveats only if you explicitly rely on per-PR file coverage after April 2026 (then set the env var or property); hold is not justified for this repo’s usage pattern.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 65
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: 95e58e9a2cdfd71adc6e0353d5c52f41a045d225..c10b8064de6f491fea524254123dbe5e09572f13
  • Resolved refs: from=95e58e9a2cdfd71adc6e0353d5c52f41a045d225 to=c10b8064de6f491fea524254123dbe5e09572f13
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 12236

Top findings

  • src/git-utils.ts:213 codepoint_decoder :: // Both String.fromCharCode() and String.fromCodePoint() works only
  • lib/upload-sarif-action.js:1112 codepoint_decoder :: const code = this.code = key.charCodeAt(index);
  • lib/upload-sarif-action.js:1134 codepoint_decoder :: const code = key.charCodeAt(index);
  • lib/upload-sarif-action.js:1618 codepoint_decoder :: if (!isTokenCharCode(characters.charCodeAt(i))) {
  • lib/upload-sarif-action.js:3066 codepoint_decoder :: for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {
  • lib/upload-sarif-action.js:3672 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/upload-sarif-action.js:3674 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • lib/upload-sarif-action.js:3754 codepoint_decoder :: while (lead < str2.length && predicate(str2.charCodeAt(lead))) lead++;
  • lib/upload-sarif-action.js:3757 codepoint_decoder :: while (trail > 0 && predicate(str2.charCodeAt(trail))) trail--;
  • lib/upload-sarif-action.js:4121 codepoint_decoder :: if (x.charCodeAt(index) > 255) {
  • lib/upload-sarif-action.js:4123 codepoint_decoder :: Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.
  • lib/upload-sarif-action.js:4295 codepoint_decoder :: const code = url2.charCodeAt(i);
  • lib/upload-sarif-action.js:4321 codepoint_decoder :: const c = statusText.charCodeAt(i);
  • lib/upload-sarif-action.js:4875 codepoint_decoder :: if (data.charCodeAt(position.position) !== 61) {
  • lib/upload-sarif-action.js:4888 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/upload-sarif-action.js:4902 codepoint_decoder :: if (data.charCodeAt(position.position) !== 45) {
  • lib/upload-sarif-action.js:4915 codepoint_decoder :: const code = char.charCodeAt(0);
  • lib/upload-sarif-action.js:5014 codepoint_decoder :: if (input.charCodeAt(position.position) === 34) {
  • lib/upload-sarif-action.js:5023 codepoint_decoder :: assert(input.charCodeAt(position.position) === 44);
  • lib/upload-sarif-action.js:5362 codepoint_decoder :: if ((chars.charCodeAt(i) & ~127) !== 0) {
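The checklist above (publisher, pin style, and whether a bump adds extra steps or run: blocks) and the opt-out for PR file coverage described in the 4.33.0 release notes earlier in this PR both reduce to checks on the workflow file itself. The script below is an added example, not code from chia-blockchain or from github/codeql-action, that performs those checks over a workflow's text using only the standard library. Its three embedded fragments are constructed stand-ins for codeql-analysis.yml, the allowed publisher list (github/ and actions/) is an assumption, and the tag-to-commit entry assumes v4.35.1 resolves to c10b8064de6f491fea524254123dbe5e09572f13, the "to" end of the resolved range in the malware scan summary above; confirm that with git ls-remote before pinning to it.

```python
"""Audit a GitHub Actions workflow the way a dependency review does: action
publisher, pin style, unexpected run: steps, and the file-coverage opt-in."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed tag -> commit mapping. The SHA is the "to" end of the scanner's
# resolved tag range on this PR; confirm it before pinning, e.g.
#   git ls-remote https://github.com/github/codeql-action refs/tags/v4.35.1
KNOWN_TAG_SHAS = {
    "github/codeql-action@v4.35.1": "c10b8064de6f491fea524254123dbe5e09572f13",
}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S.*))?\s*$")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*?)\s*$")
ENV_RE = re.compile(r"^\s*CODEQL_ACTION_FILE_COVERAGE_ON_PRS:\s*['\"]?(\w+)['\"]?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEVERITY = {"info": 0, "warn": 1, "block": 2}

@dataclass
class Finding:
    line: int
    severity: str  # "info" | "warn" | "block"
    message: str

@dataclass
class AuditResult:
    findings: List[Finding] = field(default_factory=list)
    file_coverage_on_prs: Optional[bool] = None  # None: variable not set in the workflow

    def worst(self) -> str:
        if not self.findings:
            return "ok"
        return max((f.severity for f in self.findings), key=SEVERITY.__getitem__)

def split_uses(ref: str):
    """'github/codeql-action/init@v4.35.1' -> ('github', 'codeql-action', 'v4.35.1')."""
    target, _, version = ref.partition("@")
    parts = target.split("/")
    return parts[0], (parts[1] if len(parts) > 1 else ""), version

def audit_workflow(text: str, allowed_owners=("github", "actions")) -> AuditResult:
    result = AuditResult()
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref, comment = m.group(1), m.group(2)
            owner, repo, version = split_uses(ref)
            if owner not in allowed_owners:  # a fork or typosquat, not a version bump
                result.findings.append(Finding(n, "block", f"{ref}: unexpected publisher {owner}/"))
            if SHA_RE.match(version):
                if not comment:  # humans and Dependabot both rely on the version comment
                    result.findings.append(Finding(n, "info", f"{ref}: SHA pin without version comment"))
            else:  # a tag or branch is mutable; the code behind it can change after review
                msg = f"{ref}: mutable ref {version!r}, pin to a commit SHA"
                hint = KNOWN_TAG_SHAS.get(f"{owner}/{repo}@{version}")
                if hint:
                    msg += f" (e.g. @{hint} # {version})"
                result.findings.append(Finding(n, "warn", msg))
            continue
        m = RUN_RE.match(line)
        if m:  # a run: block is where an unexpected change to a scanning workflow would hide
            result.findings.append(Finding(n, "warn", f"run: step, confirm it is expected: {m.group(1)}"))
            continue
        m = ENV_RE.match(line)
        if m:
            result.file_coverage_on_prs = m.group(1).lower() == "true"
    return result

# Constructed step fragments modelled on the review's description of
# codeql-analysis.yml; not the repository's actual file.
AFTER_BUMP = """\
    steps:
      - uses: github/codeql-action/init@v4.35.1
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/autobuild@v4.35.1
      - uses: github/codeql-action/analyze@v4.35.1
"""
HARDENED = """\
    env:
      CODEQL_ACTION_FILE_COVERAGE_ON_PRS: true
    steps:
      - uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
      - uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
      - uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
"""
SUSPICIOUS = """\
    steps:
      - uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
      - run: pip install -e .
      - uses: some-fork/codeql-action/analyze@v4.35.1
"""

if __name__ == "__main__":
    for name, wf in (("after bump", AFTER_BUMP), ("hardened", HARDENED), ("suspicious", SUSPICIOUS)):
        r = audit_workflow(wf)
        print(f"{name}: {r.worst()}, file coverage on PRs: {r.file_coverage_on_prs}")
        for f in r.findings:
            print(f"  line {f.line} [{f.severity}] {f.message}")
```

Run as-is to see the three verdicts: the tag pins this PR introduces come back as warn with the SHA hint, the SHA-pinned variant with the env var set comes back clean, and the fragment with a non-github/ publisher comes back as block. A trailing # v4.35.1 comment on a SHA pin keeps the version readable and lets Dependabot keep updating the pin.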

@coveralls-official

Coverage Report for CI Build 24744646411

Coverage decreased (-0.01%) to 91.164%

Details

  • Coverage decreased (-0.01%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 29 coverage regressions across 9 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

29 previously-covered lines in 9 files lost coverage.

File | Lines losing coverage | Coverage
chia/server/address_manager.py | 7 | 92.83%
chia/full_node/full_node.py | 5 | 87.37%
chia/server/node_discovery.py | 5 | 80.38%
chia/server/server.py | 4 | 86.1%
chia/data_layer/data_layer.py | 2 | 85.68%
chia/full_node/full_node_api.py | 2 | 86.62%
chia/_tests/core/test_farmer_harvester_rpc.py | 2 | 98.06%
chia/_tests/core/util/test_file_keyring_synchronization.py | 1 | 96.88%
chia/_tests/simulation/test_simulation.py | 1 | 96.49%

Coverage Stats

Coverage Status
Relevant Lines: 117497
Covered Lines: 107281
Line Coverage: 91.31%
Relevant Branches: 11720
Covered Branches: 10519
Branch Coverage: 89.75%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls
