Skip to content

chore: bump pinned CodeQL CLI to v2.21.4#164

Closed
security-lab-bot[bot] wants to merge 1 commit into
fix/update-codeql-version-packages-readfrom
chore/update-codeql-cli-2.21.4
Closed

chore: bump pinned CodeQL CLI to v2.21.4#164
security-lab-bot[bot] wants to merge 1 commit into
fix/update-codeql-version-packages-readfrom
chore/update-codeql-cli-2.21.4

Conversation

@security-lab-bot

Copy link
Copy Markdown
Contributor

Automated CLI version bump, requested via the "Update CodeQL CLI Version"
workflow (workflow_dispatch, codeql_version: 2.21.4).

This PR:

  • Updates .codeqlversion to 2.21.4.
  • Pins every codeql/<lang>-all / codeql/<lang>-queries dependency across all
    qlpack.yml files to the exact version shipped in the official CodeQL Bundle
    for this CLI release (see .github/scripts/pin-codeql-library-versions.sh) -
    this keeps codeql pack upgrade from jumping those libraries to
    registry-latest instead of the version this CLI actually ships/tests against.
  • Runs codeql pack upgrade <dir> for every pack directory to refresh its
    codeql-pack.lock.yml against the new CLI and pinned library versions.

This PR does not publish anything by itself - no pack version: field is
bumped here, so publish.yml's version-diff trigger won't fire for it yet.
Remaining steps (see CONTRIBUTING.md's "Updating the pinned CodeQL CLI/library
version" section):

  • Check CI on this PR - fix any compilation/test errors caused by upstream
    API changes. This is usually the hardest part; consider delegating it to a
    Copilot coding agent session pointed at this PR/branch.
  • Update the "Supported CodeQL versions" table in CONTRIBUTING.md.
  • Review and merge.
  • Once merged, run the "CodeQL Update Release" workflow
    (update-release.yml) to bump every pack's version: in lockstep via
    .release.yml and trigger the real batch publish.

@felickz

felickz commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Closing - this was a live validation test of the update-codeql-version.yml fix in #163 (workflow_dispatch run against the fix branch, so it's based on fix/update-codeql-version-packages-read rather than main). It confirmed the fix works end-to-end: all 7 languages (cpp, csharp, go, java, javascript, python, ruby) now correctly pin to their exact CodeQL-Bundle-paired versions (e.g. codeql/go-all@4.2.6 instead of jumping to registry-latest 7.2.0), and ql/hotspots no longer breaks the loop. The real CLI 2.21.4 bump PR will be opened against main once #163 merges.

@felickz felickz closed this Jul 10, 2026
@felickz felickz deleted the chore/update-codeql-cli-2.21.4 branch July 10, 2026 17:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant