github · mario-campos · Oct 6, 2025 · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025
@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: node20
+  using: node24
   main: index.js
@@ -58,7 +58,7 @@ jobs:
     - name: Set up Node.js
       uses: actions/setup-node@v5
       with:
-        node-version: '20'
+        node-version: 24
         cache: 'npm'
 
     - name: Install dependencies

@@ -20,6 +20,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
+        node-version: [20, 24]
     permissions:
       contents: read
       security-events: write # needed to upload ESLint results
@@ -36,7 +37,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@v5
         with:
-          node-version: '20.x'
+          node-version: ${{ matrix.node-version }}
           cache: 'npm'
 
       - name: Set up Python
@@ -73,7 +74,7 @@ jobs:
 
       - name: Upload sarif
         uses: github/codeql-action/upload-sarif@v3
-        if: matrix.os == 'ubuntu-latest'
+        if: matrix.os == 'ubuntu-latest' && matrix.node-version == 24
         with:
           sarif_file: eslint.sarif
           category: eslint

@@ -34,7 +34,7 @@ jobs:
     - name: Install Node.js
       uses: actions/setup-node@v5
       with:
-        node-version: 20.x
+        node-version: 24
         cache: npm
 
     - name: Install dependencies

@@ -43,7 +43,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@v5
         with:
-          node-version: '20.x'
+          node-version: 24
           cache: 'npm'
 
       - name: Install dependencies

@@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
-No user facing changes.
+- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
 
 ## 3.30.6 - 02 Oct 2025
 

@@ -13,7 +13,7 @@ Please note that this project is released with a [Contributor Code of Conduct][c
 
 ## Development and Testing
 
-Before you start, ensure that you have a recent version of node (16 or higher) installed, along with a recent version of npm (9.2 or higher). You can see which version of node is used by the action in `init/action.yml`.
+Before you start, ensure that you have a recent version of node (24 or higher) installed, along with a recent version of npm (9.2 or higher). You can see which version of node is used by the action in `init/action.yml`.
 
 ### Common tasks
 

@@ -62,7 +62,8 @@ For compiled languages:
 
 The following versions of the CodeQL Action are currently supported:
 
-- v3 (latest)
+- v4 (latest)
+- v3
 
 ## Supported versions of the CodeQL Bundle on GitHub Enterprise Server
 

@@ -92,6 +92,6 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: node20
+  using: node24
   main: "../lib/analyze-action.js"
   post: "../lib/analyze-action-post.js"
@@ -15,5 +15,5 @@ inputs:
       $GITHUB_WORKSPACE as its working directory.
     required: false
 runs:
-  using: node20
+  using: node24
   main: '../lib/autobuild-action.js'
@@ -165,6 +165,6 @@ outputs:
   codeql-version:
     description: The version of the CodeQL binary used for analysis
 runs:
-  using: node20
+  using: node24
   main: '../lib/init-action.js'
   post: '../lib/init-action-post.js'
@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.30.7",
+  "version": "4.30.7",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

@@ -21,5 +21,5 @@ outputs:
   environment:
     description: The inferred build environment configuration.
 runs:
-  using: node20
+  using: node24
   main: '../lib/resolve-environment-action.js'
@@ -52,11 +52,11 @@ export async function determineAutobuildLanguages(
    * For example, consider a user with the following workflow file:
    *
    * ```yml
-   * - uses: github/codeql-action/init@v3
+   * - uses: github/codeql-action/init@v4
    *   with:
    *     languages: go, java
-   * - uses: github/codeql-action/autobuild@v3
-   * - uses: github/codeql-action/analyze@v3
+   * - uses: github/codeql-action/autobuild@v4
+   * - uses: github/codeql-action/analyze@v4
    * ```
    *
    * - With Go extraction disabled, we will run the Java autobuilder in the

@@ -84,14 +84,14 @@ test("uploads failed SARIF run with `diagnostics export` if feature flag is off"
     },
     {
       name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
       with: {
         languages: "javascript",
       },
     },
     {
       name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
       with: {
         category: "my-category",
       },
@@ -108,14 +108,14 @@ test("uploads failed SARIF run with `diagnostics export` if the database doesn't
     },
     {
       name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
       with: {
         languages: "javascript",
       },
     },
     {
       name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
       with: {
         category: "my-category",
       },
@@ -135,14 +135,14 @@ test("uploads failed SARIF run with database export-diagnostics if the database
     },
     {
       name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
       with: {
         languages: "javascript",
       },
     },
     {
       name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
       with: {
         category: "my-category",
       },
@@ -192,14 +192,14 @@ for (const { uploadInput, shouldUpload } of UPLOAD_INPUT_TEST_CASES) {
       },
       {
         name: "Initialize CodeQL",
-        uses: "github/codeql-action/init@v3",
+        uses: "github/codeql-action/init@v4",
         with: {
           languages: "javascript",
         },
       },
       {
         name: "Perform CodeQL Analysis",
-        uses: "github/codeql-action/analyze@v3",
+        uses: "github/codeql-action/analyze@v4",
         with: {
           category: "my-category",
           upload: uploadInput,
@@ -227,14 +227,14 @@ test("uploading failed SARIF run succeeds when workflow uses an input with a mat
     },
     {
       name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
       with: {
         languages: "javascript",
       },
     },
     {
       name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
       with: {
         category: "/language:${{ matrix.language }}",
       },
@@ -254,14 +254,14 @@ test("uploading failed SARIF run fails when workflow uses a complex upload input
     },
     {
       name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
       with: {
         languages: "javascript",
       },
     },
     {
       name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
       with: {
         upload: "${{ matrix.language != 'csharp' }}",
       },