Code scanning: CodeQL Action v1 is now deprecated

On March 30, 2022, we released CodeQL Action v2, which runs on the Node.js 16 runtime. In April 2022, we announced that CodeQL Action v1 would be deprecated at the same time as GitHub Enterprise Server (GHES) 3.3.
This deprecation period has elapsed and starting January 18, 2023, CodeQL Action v1 is now discontinued.
It will no longer be updated or supported, and while we will not be deleting it except in the case of a security vulnerability, workflows using it may eventually break.
New CodeQL analysis capabilities will only be available to users of v2.

For more information about this deprecation, please see the original deprecation announcement from April 2022.

How does this affect me?

If you use code scanning with CodeQL on any of the following platforms, you should update your workflow file(s) to use CodeQL Action v2 as soon as possible:

  • GitHub.com (including open source repositories, users of GitHub Teams and GitHub Enterprise Cloud)
  • GHES 3.4.13 and later

Users of GHES 3.4.12 or earlier: please read this section in the original deprecation announcement.

What do I need to change in my workflow?

To upgrade to the CodeQL Action v2, open your CodeQL workflow file(s) in the .github/workflows directory of your repository and look for references to:

  • github/codeql-action/init@v1
  • github/codeql-action/autobuild@v1
  • github/codeql-action/analyze@v1
  • github/codeql-action/upload-sarif@v1

These entries need to be replaced with their v2 equivalents:

  • github/codeql-action/init@v2
  • github/codeql-action/autobuild@v2
  • github/codeql-action/analyze@v2
  • github/codeql-action/upload-sarif@v2

If you use a pinned version of the CodeQL Action in your workflows, for example github/codeql-action/init@32be38e, check the latest Actions workflow run summary on your repository.
If you see a warning stating that you are running CodeQL Action v1, then please update your workflow to reference v2 or alternatively the latest github/codeql-action commit tagged v2.

Can I use Dependabot to help me with this upgrade?

All users on GitHub.com, and GHES customers using GitHub Advanced Security with a local copy of github/codeql-action, can use Dependabot to automatically upgrade their Actions dependencies.
For more details on how to set this up, please see this page.

GHES customers should also make sure:

In security overview, when you select a team from the Team dropdown or filter by team in either the security risk or the security coverage views, results include repositories where the team has write privileges. Previously, results only included repositories where the team had admin privileges or had been granted access to security alerts.

This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9.

Learn more about the team filter and send us your feedback

Learn more about GitHub Advanced Security

See more