On March 30, 2022, we released CodeQL Action v2, which runs on the Node.js 16 runtime. In April 2022, we announced that CodeQL Action v1 would be deprecated at the same time as GitHub Enterprise Server (GHES) 3.3.
This deprecation period has elapsed, and as of January 18, 2023, CodeQL Action v1 is discontinued.
It will no longer be updated or supported, and while we will not be deleting it except in the case of a security vulnerability, workflows using it may eventually break.
New CodeQL analysis capabilities will only be available to users of v2.
For more information about this deprecation, please see the original deprecation announcement from April 2022.
How does this affect me?
If you use code scanning with CodeQL on any of the following platforms, you should update your workflow file(s) to use CodeQL Action v2 as soon as possible:
- GitHub.com (including open source repositories, users of GitHub Teams and GitHub Enterprise Cloud)
- GHES 3.4.13 and later
Users of GHES 3.4.12 or earlier: please read this section in the original deprecation announcement.
What do I need to change in my workflow?
To upgrade to the CodeQL Action v2, open your CodeQL workflow file(s) in the .github/workflows directory of your repository and look for references to:
github/codeql-action/init@v1
github/codeql-action/autobuild@v1
github/codeql-action/analyze@v1
github/codeql-action/upload-sarif@v1
These entries need to be replaced with their v2 equivalents:
github/codeql-action/init@v2
github/codeql-action/autobuild@v2
github/codeql-action/analyze@v2
github/codeql-action/upload-sarif@v2
If you use a pinned version of the CodeQL Action in your workflows, for example github/codeql-action/init@32be38e, check the latest Actions workflow run summary on your repository.
If you see a warning stating that you are running CodeQL Action v1, then please update your workflow to reference v2 or alternatively the latest github/codeql-action commit tagged v2.
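The search and replace described above, as an added example that is not GitHub tooling and not part of the original announcement: a shell script that lists @v1 references, lists commit-pinned references that still need the manual run-summary check, and rewrites @v1 to @v2 in place. The function names and the sample workflow are constructed for illustration.

```shell
#!/bin/sh
# Added example, not GitHub tooling; function names are assumptions of this sketch.
ACTIONS='init|autobuild|analyze|upload-sarif'  # sub-actions named in the announcement
END='([^[:alnum:]._-]|$)'                      # ref must end here, so @v10 is not @v1

# Workflow files under a directory (default: .github/workflows).
workflow_files() {
  find "${1:-.github/workflows}" -type f \( -name '*.yml' -o -name '*.yaml' \) 2>/dev/null
}

# Print file:line:text for CodeQL Action references whose ref matches the ERE in $2.
refs_matching() {
  workflow_files "$1" | while IFS= read -r f; do
    grep -nHE "github/codeql-action/(${ACTIONS})@(${2})${END}" "$f" || true
  done
}
list_v1_refs()     { refs_matching "$1" 'v1'; }              # need the v2 rewrite
list_pinned_refs() { refs_matching "$1" '[0-9a-f]{7,40}'; }  # check the run summary by hand

# Rewrite @v1 to @v2 in place; commit-pinned references are left untouched.
upgrade_to_v2() {
  workflow_files "$1" | while IFS= read -r f; do
    tmp=$(mktemp) || break
    sed -E "s#(github/codeql-action/(${ACTIONS}))@v1${END}#\1@v2\3#g" "$f" > "$tmp"
    cmp -s "$f" "$tmp" || { cat "$tmp" > "$f"; echo "updated: $f"; }
    rm -f "$tmp"
  done
}

# Constructed sample workflow for the demo (not from the announcement).
write_sample() {
  mkdir -p "$1"
  cat > "$1/codeql.yml" <<'EOF'
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@32be38e
      - uses: github/codeql-action/autobuild@v1
      - uses: github/codeql-action/analyze@v1 # scan
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
list_v1_refs "$demo_dir"; list_pinned_refs "$demo_dir"
upgrade_to_v2 "$demo_dir"
rm -rf "$demo_dir"
```

In a real repository, call the three functions with no argument from the repository root and review the resulting diff before committing.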
Can I use Dependabot to help me with this upgrade?
All users on GitHub.com, and GHES customers using GitHub Advanced Security with a local copy of github/codeql-action, can use Dependabot to automatically upgrade their Actions dependencies.
For more details on how to set this up, please see this page.
GHES customers should also make sure:
- Dependabot version updates are enabled for your enterprise
- At least one self-hosted runner is set up to run Dependabot updates