github · Jan 10, 2025
diff --git a/‎CHANGELOG.md
+1-2 b/‎CHANGELOG.md
+1-2
diff --git a/‎CONTRIBUTING.md
+14-5 b/‎CONTRIBUTING.md
+14-5
diff --git a/‎README.md
+1-10 b/‎README.md
+1-10
diff --git a/‎lib/environment.js
+2 b/‎lib/environment.js
+2
diff --git a/‎lib/environment.js.map
+1-1 b/‎lib/environment.js.map
+1-1
diff --git a/‎lib/util.js
+9-10 b/‎lib/util.js
+9-10
diff --git a/‎lib/util.js.map
+1-1 b/‎lib/util.js.map
+1-1
diff --git a/‎lib/util.test.js
+8-8 b/‎lib/util.test.js
+8-8
diff --git a/‎lib/util.test.js.map
+1-1 b/‎lib/util.test.js.map
+1-1
diff --git a/‎src/environment.ts
+3 b/‎src/environment.ts
+3
diff --git a/‎src/util.test.ts
+10-8 b/‎src/util.test.ts
+10-8
diff --git a/‎src/util.ts
+10-11 b/‎src/util.ts
+10-11
@@ -2,10 +2,9 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.
-
 ## [UNRELEASED]
 
+- CodeQL Action v2 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v3. For more information, see [this changelog post](https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/). [#2677](https://github.com/github/codeql-action/pull/2677)
 - Update default CodeQL bundle version to 2.20.1. [#2678](https://github.com/github/codeql-action/pull/2678)
 
 ## 3.28.0 - 20 Dec 2024
 
@@ -62,8 +62,9 @@ Here are a few things you can do that will increase the likelihood of your pull
 
     You can start a release by triggering this workflow via [workflow dispatch](https://github.com/github/codeql-action/actions/workflows/update-release-branch.yml).
 1. The workflow run will open a pull request titled "Merge main into releases/v3". Follow the steps on the checklist in the pull request. Once you've checked off all but the last two of these, approve the PR and automerge it.
-1. When the "Merge main into releases/v3" pull request is merged into the `releases/v3` branch, a mergeback pull request to `main` and a backport pull request to `releases/v2` will both be automatically created. This mergeback pull request incorporates the changelog updates into `main`, tags the release using the merge commit of the "Merge main into releases/v3" pull request, and bumps the patch version of the CodeQL Action. The backport pull request will incorporate the updates into `releases/v2`.
-1. Approve the mergeback and backport pull requests and automerge them.
+1. When the "Merge main into releases/v3" pull request is merged into the `releases/v3` branch, a mergeback pull request to `main` will be automatically created. This mergeback pull request incorporates the changelog updates into `main`, tags the release using the merge commit of the "Merge main into releases/v3" pull request, and bumps the patch version of the CodeQL Action. 
+1. If a backport to an older major version is required, a pull request targeting that version's branch will also be automatically created
+1. Approve the mergeback and backport pull request (if applicable) and automerge them.
 
 Once the mergeback and backport pull request have been merged, the release is complete.
 
@@ -73,9 +74,9 @@ Since the `codeql-action` runs most of its testing through individual Actions wo
 
 1. By default, this script retrieves the checks from the latest SHA on `main`, so make sure that your `main` branch is up to date.
 2. Run the script. If there's a reason to, you can pass in a different SHA as a CLI argument.
-3. After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v2`, and `v3` have been updated.
+3. After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v3`, and any other currently supported major versions have been updated.
 
-Note that any updates to checks need to be backported to the `releases/v2` branch, in order to maintain the same set of names for required checks.
+Note that any updates to checks on `main` need to be backported to all currently supported major version branches, in order to maintain the same set of names for required checks.
 
 ## Deprecating a CodeQL version (write access required)
 
@@ -99,10 +100,18 @@ We typically deprecate a version of CodeQL when the GitHub Enterprise Server (GH
     - Add a changelog note announcing the new minimum version of CodeQL that is now required.
     - Example PR: https://github.com/github/codeql-action/pull/1907
 
-## Deprecating a CodeQL Action version (write access required)
+## Adding a new CodeQL Action major version
 
 We sometimes maintain multiple versions of the CodeQL Action to enable customers on older but still supported versions of GitHub Enterprise Server (GHES) to continue to benefit from the latest CodeQL improvements. To accomplish this, the release process automation listens to updates to the release branch for the newest supported version.  When this branch is updated, the release process automatically opens backport PRs to update the release branches for older versions.
 
+To add a new major version of the Action:
+
+1. Change the `version` field of `package.json` by running `npm version x.y.z` where `x` is the new major version, and `y` and `z` match the latest minor and patch versions of the last release.
+1. Update appropriate documentation to explain the reasoning behind the releases: see [the diff](https://github.com/github/codeql-action/pull/2677/commits/913d60579d4b560addf53ec3c493d491dd3c1378) in our last major version deprecation for examples on which parts of the documentation should be updated.
+1. Consider the timeline behind deprecating the prior Action version: see [CodeQL Action deprecation documentation](#deprecating-a-codeql-action-major-version-write-access-required)
+
+## Deprecating a CodeQL Action major version (write access required)
+
 We typically deprecate older versions of the Action once all supported GHES versions are compatible with the version of Node.js we are using on `main`.
 
 To deprecate an older version of the Action:
 
@@ -63,27 +63,18 @@ For compiled languages:
 The following versions of the CodeQL Action are currently supported:
 
 - v3 (latest)
-- v2 (deprecated, support will end on December 5th, 2024)
-
-The only difference between CodeQL Action v2 and v3 is the version of Node.js on which they run. CodeQL Action v3 runs on Node 20, while CodeQL Action v2 runs on Node 16.
-
-To provide the best experience to customers using older versions of GitHub Enterprise Server, we will continue to release CodeQL Action v2 so that these customers can continue to run the latest version of CodeQL as long as their version of GitHub Enterprise Server is supported. For example CodeQL Action v3.22.11 was the first release of CodeQL Action v3 and is functionally identical to v2.22.11. This approach provides an easy way to track exactly which features are included in different versions by looking at the minor and patch version numbers.
-
-For more information, see "[Code scanning: deprecation of CodeQL Action v2](https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/)."
 
 ## Supported versions of the CodeQL Bundle on GitHub Enterprise Server
 
 We typically release new minor versions of the CodeQL Action and Bundle when a new minor version of GitHub Enterprise Server (GHES) is released. When a version of GHES is deprecated, the CodeQL Action and Bundle releases that shipped with it are deprecated as well.
 
 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
-| `v3.26.6` | `2.18.4` | Enterprise Server 3.15 | |
+| `v3.26.6`  | `2.18.4` | Enterprise Server 3.15 | |
 | `v3.25.11` | `2.17.6` | Enterprise Server 3.14 | |
 | `v3.24.11` | `2.16.6` | Enterprise Server 3.13 | |
 | `v3.22.12` | `2.15.5` | Enterprise Server 3.12 | |
 
-CodeQL Action v2 has stopped receiving updates now that GHES 3.11 is deprecated.
-
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 
 ## Troubleshooting
 
@@ -50,6 +50,9 @@ export enum EnvVar {
   /** Whether the init action has been run. */
   INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",
 
+  /** Whether the error for a deprecated version of the CodeQL Action was logged. */
+  LOG_VERSION_DEPRECATION = "CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION",
+
   /**
    * For macOS. Result of `csrutil status` to determine whether System Integrity
    * Protection is enabled.
 
@@ -431,16 +431,16 @@ const CHECK_ACTION_VERSION_TESTS: Array<[string, util.GitHubVersion, boolean]> =
 for (const [
   version,
   githubVersion,
-  shouldReportWarning,
+  shouldReportError,
 ] of CHECK_ACTION_VERSION_TESTS) {
-  const reportWarningDescription = shouldReportWarning
-    ? "reports warning"
-    : "doesn't report warning";
+  const reportErrorDescription = shouldReportError
+    ? "reports error"
+    : "doesn't report error";
   const versionsDescription = `CodeQL Action version ${version} and GitHub version ${formatGitHubVersion(
     githubVersion,
   )}`;
-  test(`checkActionVersion ${reportWarningDescription} for ${versionsDescription}`, async (t) => {
-    const warningSpy = sinon.spy(core, "warning");
+  test(`checkActionVersion ${reportErrorDescription} for ${versionsDescription}`, async (t) => {
+    const warningSpy = sinon.spy(core, "error");
     const versionStub = sinon
       .stub(api, "getGitHubVersion")
       .resolves(githubVersion);
@@ -449,10 +449,12 @@ for (const [
     util.checkActionVersion(version, await api.getGitHubVersion());
     util.checkActionVersion(version, await api.getGitHubVersion());
 
-    if (shouldReportWarning) {
+    if (shouldReportError) {
       t.true(
         warningSpy.calledOnceWithExactly(
-          sinon.match("CodeQL Action v2 will be deprecated"),
+          sinon.match(
+            "CodeQL Action major versions v1 and v2 have been deprecated.",
+          ),
         ),
       );
     } else {
 
@@ -1071,19 +1071,18 @@ export async function checkDiskUsage(
 /**
  * Prompt the customer to upgrade to CodeQL Action v3, if appropriate.
  *
- * Check whether a customer is running v2. If they are, and we can determine that the GitHub
- * instance supports v3, then log a warning about v2's upcoming deprecation prompting the customer
- * to upgrade to v3.
+ * Check whether a customer is running v1 or v2. If they are, and we can determine that the GitHub
+ * instance supports v3, then log an error prompting the customer to upgrade to v3.
  */
 export function checkActionVersion(
   version: string,
   githubVersion: GitHubVersion,
 ) {
   if (
-    !semver.satisfies(version, ">=3") && // do not warn if the customer is already running v3
-    !process.env.CODEQL_V2_DEPRECATION_WARNING // do not warn if we have already warned
+    !semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+    !process.env[EnvVar.LOG_VERSION_DEPRECATION] // do not log error if we have already
   ) {
-    // Only log a warning for versions of GHES that are compatible with CodeQL Action version 3.
+    // Only error for versions of GHES that are compatible with CodeQL Action version 3.
     //
     // GHES 3.11 shipped without the v3 tag, but it also shipped without this warning message code.
     // Therefore users who are seeing this warning message code have pulled in a new version of the
@@ -1097,14 +1096,14 @@ export function checkActionVersion(
           ">=3.11",
         ))
     ) {
-      core.warning(
-        "CodeQL Action v2 will be deprecated on December 5th, 2024. " +
+      core.error(
+        "CodeQL Action major versions v1 and v2 have been deprecated. " +
           "Please update all occurrences of the CodeQL Action in your workflow files to v3. " +
           "For more information, see " +
-          "https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/",
+          "https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/",
       );
-      // set CODEQL_V2_DEPRECATION_WARNING env var to prevent the warning from being logged multiple times
-      core.exportVariable("CODEQL_V2_DEPRECATION_WARNING", "true");
+      // set LOG_VERSION_DEPRECATION env var to prevent the warning from being logged multiple times
+      core.exportVariable(EnvVar.LOG_VERSION_DEPRECATION, "true");
     }
   }
 }