📢 Node 16 deprecation, upcoming CodeQL Action v3 📢

[angelapwen]

Update

We have released v3 of the CodeQL Action! We'll keep this note up for a week as a space for folks to ask follow-up questions or provide feedback

Description

Node.js 16 reached end of life last month, September 2023, half a year before its original anticipated EOL date. GitHub Actions will begin to display a warning to users notifying them about the upcoming migration starting October 23, 2023 (GitHub Changelog post).

Users of the CodeQL Action and code scanning workflows on GitHub.com, please know that:

• You will begin to see these warnings in your Actions logs on code scanning runs starting October 23, 2023.
• All code scanning workflows should continue to succeed regardless of the warning.
• The team at GitHub maintaining the CodeQL Action is aware of the deprecation timeline and actively working on creating another version of the CodeQL Action, v3, that will bump us to Node 20. has created another version of the CodeQL Action, v3, that bumps us to Node 20.

This note will be linked to from the Action CHANGELOG as well as the repository README.

Please let us know in comments on this issue if there are any questions or concerns. Thank you!

[TWiStErRob]

Is this fixed by #2006? Can you please create a GitHub release for the new tag? (and maybe explain why it's 3.22 and not 3.0)

Background: I got a Renovate PR, but don't understand the new release.

[aeisenberg]

Yes, v3 is now available and supports node 20. We're working through the details of exactly how to upgrade existing users from v2 to v3. but #2006 is a major part of deprecating node 16.

We have released 3.22 since v3 is identical to v2 except for the node version. This is an easy way for us (and for users) to track exactly which features you are getting.

Can you explain why you would like a new release for this? We generally only use releases for new codeql CLI versions, which are largely independent of the codeql action version.

[TWiStErRob]

Ah, CLI, that makes sense, that's why I didn't get it. I thought it was missing the release for 3.22.

So the action "release notes" are only in CHANGELOG? If so, adding the middle paragraph of your above reply to that file might help people understand the version number, rather than implying/inferring it. (It makes total sense, but unconventional.)

[aeisenberg]

Thanks for the feedback. I'll let the team know.