The CodeQL runner has been deprecated in favor of the CodeQL CLI. As previously announced, starting March 14th, the CodeQL bundle now no longer includes the CodeQL runner. This deprecation only affects users who use CodeQL code scanning in 3rd party CI/CD systems; users of GitHub Actions are not affected.

GitHub Enterprise Server (GHES)

The CodeQL runner was shipped as part of GitHub Enterprise Server (GHES) versions up to and including 3.3.x. GitHub Enterprise Server 3.4 and later no longer include the CodeQL runner. We strongly recommend that customers migrate to the CodeQL CLI, which is a feature-complete replacement for the CodeQL runner and has many additional features.

How does this affect me?

If you’re using CodeQL code scanning on GitHub Actions, you are not affected by this change.

If you’ve configured code scanning to run the CodeQL runner inside another CI/CD system, we recommend migrating to the CodeQL CLI as soon as possible.
Starting April 1st, changes to both the CodeQL analysis engine and the code scanning API are not guaranteed to be compatible with older CodeQL runner releases.

What actions should I take?

You should configure your CI/CD system to use the CodeQL CLI before upgrading to GHES 3.4.0. When setting up the CodeQL CLI, we recommend that you test the CodeQL CLI set up to verify that the CLI is correctly configured to analyze your repository.

Learn more about migrating from the CodeQL runner to the CodeQL CLI here.

Currently, forwarded ports within codespaces can be set to private in which case they can be accessed only by the owner of the codespace, be shared with members of the organization or be set to public at which point anyone the URL is shared with can view the port. We heard from many organization admins that they want to disable public ports for organization-owned codespaces with the goal of ensuring that company assets can only be shared and accessed by members of the organization for security purposes.

With this feature, we have added the ability for organization admins to add port visibility constraints that enable them to control which visibility settings are available within organization-owned codespaces. For instance, admins will be able to disable the 'public' visibility port setting for desired repositories within their organization and enable developers to continue sharing ports only with members of their organization. This would be done to help preventing codespaces users from accidentally exposing company owned assets to unauthorized individuals.
port visibility policy constraint image

We will continue adding additional policy constraints based on feedback, some of which include setting a maximum idle timeout, setting maximum retention periods, setting allowed container images, and more. We'd love your feedback on additional policies that will help your scenarios.

For more information, see Restricting the visibility of forwarded ports

See more