TRY UPDATE SC.

On Wed, 11 Mar 2026 at 19:54, dependabot[bot] (via GitHub) <[email protected]> wrote:

> dependabot[bot] opened a new pull request, #1030:
> URL: https://github.com/apache/poi/pull/1030
>
> Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 4.
> <details>
> <summary>Release notes</summary>
> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action's releases</a>.</em></p>
> <blockquote>
> <h2>v3.32.6</h2>
> <ul>
> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3548">#3548</a></li>
> </ul>
> <h2>v3.32.5</h2>
> <ul>
> <li>Repositories owned by an organization can now set up the <code>github-codeql-disable-overlay</code> custom repository property to disable <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis for CodeQL</a>. First, create a custom repository property with the name <code>github-codeql-disable-overlay</code> and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to <code>true</code> to disable improved incremental analysis. For more information, see <a href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing custom properties for repositories in your organization</a>. This feature is not yet available on GitHub Enterprise Server. <a href="https://redirect.github.com/github/codeql-action/pull/3507">#3507</a></li>
> <li>Added an experimental change so that when <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. <a href="https://redirect.github.com/github/codeql-action/pull/3487">#3487</a></li>
> <li>The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. <a href="https://redirect.github.com/github/codeql-action/pull/3515">#3515</a></li>
> <li>Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. <a href="https://redirect.github.com/github/codeql-action/pull/3516">#3516</a></li>
> <li>Added an experimental change which lowers the minimum disk space requirement for <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a>, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. <a href="https://redirect.github.com/github/codeql-action/pull/3498">#3498</a></li>
> <li>Added an experimental change which allows the <code>start-proxy</code> action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. <a href="https://redirect.github.com/github/codeql-action/pull/3512">#3512</a></li>
> <li>The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. <a href="https://redirect.github.com/github/codeql-action/pull/3503">#3503</a>, <a href="https://redirect.github.com/github/codeql-action/pull/3504">#3504</a></li>
> </ul>
> <h2>v3.32.4</h2>
> <ul>
> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2">2.24.2</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3493">#3493</a></li>
> <li>Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. <a href="https://redirect.github.com/github/codeql-action/pull/3473">#3473</a></li>
> <li>When the CodeQL Action is run <a href="https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup">with debugging enabled in Default Setup</a> and <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. <a href="https://redirect.github.com/github/codeql-action/pull/3486">#3486</a></li>
> <li>Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3485">#3485</a></li>
> <li>Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a <a href="https://github.com/dsp-testing/codeql-cli-nightlies">nightly CodeQL CLI release</a> instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3484">#3484</a></li>
> </ul>
> <h2>v3.32.3</h2>
> <ul>
> <li>Added experimental support for testing connections to <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries</a>. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. <a href="https://redirect.github.com/github/codeql-action/pull/3466">#3466</a></li>
> </ul>
> <h2>v3.32.2</h2>
> <ul>
> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1">2.24.1</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3460">#3460</a></li>
> </ul>
> <h2>v3.32.1</h2>
> <ul>
> <li>A warning is now shown in Default Setup workflow logs if a <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registry is configured</a> using a GitHub Personal Access Token (PAT), but no username is configured. <a href="https://redirect.github.com/github/codeql-action/pull/3422">#3422</a></li>
> <li>Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. <a href="https://redirect.github.com/github/codeql-action/pull/3421">#3421</a></li>
> </ul>
> <h2>v3.32.0</h2>
> <ul>
> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0">2.24.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3425">#3425</a></li>
> </ul>
> <h2>v3.31.11</h2>
> <ul>
> <li>When running a Default Setup workflow with <a href="https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging">Actions debugging enabled</a>, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. <a href="https://redirect.github.com/github/codeql-action/pull/3409">#3409</a></li>
> <li>Improved error handling throughout the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3415">#3415</a></li>
> <li>Added experimental support for automatically excluding <a href="https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github">generated files</a> from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. <a href="https://redirect.github.com/github/codeql-action/pull/3318">#3318</a></li>
> <li>The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. <a href="https://redirect.github.com/github/codeql-action/pull/3403">#3403</a></li>
> </ul>
> <h2>v3.31.10</h2>
> <h1>CodeQL Action Changelog</h1>
> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p>
> <h2>3.31.10 - 12 Jan 2026</h2>
> <ul>
> <li>Update default CodeQL bundle version to 2.23.9. <a href="https://redirect.github.com/github/codeql-action/pull/3393">#3393</a></li>
> </ul>
> <p>See the full <a href="https://github.com/github/codeql-action/blob/v3.31.10/CHANGELOG.md">CHANGELOG.md</a> for more information.</p>
> <h2>v3.31.9</h2>
> <!-- raw HTML omitted -->
> </blockquote>
> <p>... (truncated)</p>
> </details>
> <details>
> <summary>Changelog</summary>
> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p>
> <blockquote>
> <h2>4.32.6 - 05 Mar 2026</h2>
> <ul>
> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3548">#3548</a></li>
> </ul>
> <h2>4.32.5 - 02 Mar 2026</h2>
> <ul>
> <li>Repositories owned by an organization can now set up the <code>github-codeql-disable-overlay</code> custom repository property to disable <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis for CodeQL</a>. First, create a custom repository property with the name <code>github-codeql-disable-overlay</code> and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to <code>true</code> to disable improved incremental analysis. For more information, see <a href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing custom properties for repositories in your organization</a>. This feature is not yet available on GitHub Enterprise Server. <a href="https://redirect.github.com/github/codeql-action/pull/3507">#3507</a></li>
> <li>Added an experimental change so that when <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. <a href="https://redirect.github.com/github/codeql-action/pull/3487">#3487</a></li>
> <li>The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. <a href="https://redirect.github.com/github/codeql-action/pull/3515">#3515</a></li>
> <li>Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. <a href="https://redirect.github.com/github/codeql-action/pull/3516">#3516</a></li>
> <li>Added an experimental change which lowers the minimum disk space requirement for <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a>, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. <a href="https://redirect.github.com/github/codeql-action/pull/3498">#3498</a></li>
> <li>Added an experimental change which allows the <code>start-proxy</code> action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. <a href="https://redirect.github.com/github/codeql-action/pull/3512">#3512</a></li>
> <li>The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. <a href="https://redirect.github.com/github/codeql-action/pull/3503">#3503</a>, <a href="https://redirect.github.com/github/codeql-action/pull/3504">#3504</a></li>
> </ul>
> <h2>4.32.4 - 20 Feb 2026</h2>
> <ul>
> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2">2.24.2</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3493">#3493</a></li>
> <li>Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. <a href="https://redirect.github.com/github/codeql-action/pull/3473">#3473</a></li>
> <li>When the CodeQL Action is run <a href="https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup">with debugging enabled in Default Setup</a> and <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. <a href="https://redirect.github.com/github/codeql-action/pull/3486">#3486</a></li>
> <li>Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3485">#3485</a></li>
> <li>Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a <a href="https://github.com/dsp-testing/codeql-cli-nightlies">nightly CodeQL CLI release</a> instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3484">#3484</a></li>
> </ul>
> <h2>4.32.3 - 13 Feb 2026</h2>
> <ul>
> <li>Added experimental support for testing connections to <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries</a>. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. <a href="https://redirect.github.com/github/codeql-action/pull/3466">#3466</a></li>
> </ul>
> <h2>4.32.2 - 05 Feb 2026</h2>
> <ul>
> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1">2.24.1</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3460">#3460</a></li>
> </ul>
> <h2>4.32.1 - 02 Feb 2026</h2>
> <ul>
> <li>A warning is now shown in Default Setup workflow logs if a <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registry is configured</a> using a GitHub Personal Access Token (PAT), but no username is configured. <a href="https://redirect.github.com/github/codeql-action/pull/3422">#3422</a></li>
> <li>Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. <a href="https://redirect.github.com/github/codeql-action/pull/3421">#3421</a></li>
> </ul>
> <h2>4.32.0 - 26 Jan 2026</h2>
> <ul>
> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0">2.24.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3425">#3425</a></li>
> </ul>
> <h2>4.31.11 - 23 Jan 2026</h2>
> <ul>
> <li>When running a Default Setup workflow with <a href="https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging">Actions debugging enabled</a>, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. <a href="https://redirect.github.com/github/codeql-action/pull/3409">#3409</a></li>
> <li>Improved error handling throughout the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3415">#3415</a></li>
> <li>Added experimental support for automatically excluding <a href="https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github">generated files</a> from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. <a href="https://redirect.github.com/github/codeql-action/pull/3318">#3318</a></li>
> <li>The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. <a href="https://redirect.github.com/github/codeql-action/pull/3403">#3403</a></li>
> </ul>
> <h2>4.31.10 - 12 Jan 2026</h2>
> <ul>
> <li>Update default CodeQL bundle version to 2.23.9. <a href="https://redirect.github.com/github/codeql-action/pull/3393">#3393</a></li>
> </ul>
> <!-- raw HTML omitted -->
> </blockquote>
> <p>... (truncated)</p>
> </details>
> <details>
> <summary>Commits</summary>
> <ul>
> <li><a href="https://github.com/github/codeql-action/commit/0d579ffd059c29b07949a3cce3983f0780820c98"><code>0d579ff</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3551">#3551</a> from github/update-v4.32.6-72d2d850d</li>
> <li><a href="https://github.com/github/codeql-action/commit/d4c6be7cf1c47a33a06fa9183269e133e6863574"><code>d4c6be7</code></a> Update changelog for v4.32.6</li>
> <li><a href="https://github.com/github/codeql-action/commit/72d2d850d1f91d4e1e024f4cf4276fd16bb68462"><code>72d2d85</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3548">#3548</a> from github/update-bundle/codeql-bundle-v2.24.3</li>
> <li><a href="https://github.com/github/codeql-action/commit/23f983ce00d9a853697a6aaa9eae8d5abbf14849"><code>23f983c</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3544">#3544</a> from github/dependabot/github_actions/dot-github/wor...</li>
> <li><a href="https://github.com/github/codeql-action/commit/832e97ccad228ef72e06ffee26f6251bceeb7e5f"><code>832e97c</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3545">#3545</a> from github/dependabot/github_actions/dot-github/wor...</li>
> <li><a href="https://github.com/github/codeql-action/commit/5ef38c0b13c2f0f5ce928cb7706f5fb19fc97ae2"><code>5ef38c0</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3546">#3546</a> from github/dependabot/npm_and_yarn/tar-7.5.10</li>
> <li><a href="https://github.com/github/codeql-action/commit/80c9cda73902bba67939606c4bf3a1d9606bb150"><code>80c9cda</code></a> Add changelog note</li>
> <li><a href="https://github.com/github/codeql-action/commit/f2669dd916c673b2811839169929a8ba71bb7634"><code>f2669dd</code></a> Update default bundle to codeql-bundle-v2.24.3</li>
> <li><a href="https://github.com/github/codeql-action/commit/bd03c44cf40965f5476f66fad404194e4cb35710"><code>bd03c44</code></a> Merge branch 'main' into dependabot/github_actions/dot-github/workflows/actio...</li>
> <li><a href="https://github.com/github/codeql-action/commit/102d7627b63c066871badf0743c11b2f6dd9c9e9"><code>102d762</code></a> Bump tar from 7.5.7 to 7.5.10</li>
> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/v2...v4">compare view</a></li>
> </ul>
> </details>
> <br />
>
>
> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
>
> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
>
> [//]: # (dependabot-automerge-start)
> [//]: # (dependabot-automerge-end)
>
> ---
>
> <details>
> <summary>Dependabot commands and options</summary>
> <br />
>
> You can trigger Dependabot actions by commenting on this PR:
> - `@dependabot rebase` will rebase this PR
> - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
> - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
> - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
> - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
> - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
>
>
> </details>
>
>
> --
> This is an automated message from the Apache Git Service.
> To respond to the message, please log on to GitHub and use the
> URL above to go to the specific comment.
>
> To unsubscribe, e-mail: [email protected]
>
> For queries about this service, please contact Infrastructure at:
> [email protected]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
