ci(deps): bump the github-actions group across 1 directory with 12 updates

[dependabot]

Bumps the github-actions group with 12 updates in the /.github/workflows directory:

Package	From	To
step-security/harden-runner	2.14.1	2.16.0
step-security/setup-buildx-action	3.11.1	4.0.0
step-security/docker-login-action	3.6.0	3.7.0
docker/metadata-action	5.10.0	6.0.0
actions/upload-artifact	6.0.0	7.0.0
actions/download-artifact	7.0.0	8.0.1
anchore/sbom-action	0.22.1	0.23.1
step-security/mise-action	3.5.1	3.6.1
taiki-e/install-action	2.67.18	2.68.33
github/codeql-action	4.32.1	4.33.0
aquasecurity/trivy-action	0.33.1	0.35.0
actions/dependency-review-action	4.8.2	4.9.0

Updates step-security/harden-runner from 2.14.1 to 2.16.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.16.0

What's Changed

• Updated action.yml to use node24
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

v2.15.1

What's Changed

• Fixes step-security/harden-runner#642 bug due to which post step was failing on Windows ARM runners
• Updates npm packages

Full Changelog: step-security/harden-runner@v2.15.0...v2.15.1

v2.15.0

What's Changed

Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0

v2.14.2

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

Commits

• fa2e9d6 Release v2.16.0 (#646)
• 58077d3 Release v2.15.1 (#641)
• a90bcbc Update readme (#637)
• f0a59d8 Release v2.15.0 (#639)
• 5ef0c07 Merge pull request #635 from step-security/rc-34
• eb43c7b update agent
• See full diff in compare view

Updates step-security/setup-buildx-action from 3.11.1 to 4.0.0

Release notes

Sourced from step-security/setup-buildx-action's releases.

v4.0.0

What's Changed

• build(deps): bump tar from 7.5.7 to 7.5.9 by @​dependabot[bot] in step-security/setup-buildx-action#27
• build(deps): bump axios from 1.13.2 to 1.13.5 by @​dependabot[bot] in step-security/setup-buildx-action#28
• fix: upgrade packages and fix vulnerabilities by @​Raj-StepSecurity in step-security/setup-buildx-action#29
• chore: Cherry-picked changes from upstream by @​github-actions[bot] in step-security/setup-buildx-action#30
• fix: added new subscription check code and banner by @​amanstep in step-security/setup-buildx-action#31

New Contributors

• @​dependabot[bot] made their first contribution in step-security/setup-buildx-action#27

Full Changelog: step-security/setup-buildx-action@v3...v4.0.0

v3.12.0

What's Changed

• chore: Cherry-picked changes from upstream by @​github-actions[bot] in step-security/setup-buildx-action#19
• fix: upgraded packages and fixed vulnerabilities by @​Raj-StepSecurity in step-security/setup-buildx-action#25

New Contributors

• @​github-actions[bot] made their first contribution in step-security/setup-buildx-action#19
• @​Raj-StepSecurity made their first contribution in step-security/setup-buildx-action#25

Full Changelog: step-security/setup-buildx-action@v3...v3.12.0

Commits

• f931205 Merge pull request #31 from step-security/fix/banner
• 863ecf2 fix: added new subscription check code and banner
• aa38f26 Merge pull request #30 from step-security/auto-cherry-pick
• 5ede296 chore: updated dist
• 5e7a8f6 chore: cherry-picked conflicting changes
• c1d26c0 remove deprecated inputs/outputs
• b7b9367 remove deprecated inputs/outputs
• b5a0e7a remove deprecated inputs/outputs
• 46f6f46 remove deprecated inputs/outputs
• ab54f58 remove deprecated inputs/outputs
• Additional commits viewable in compare view

Updates step-security/docker-login-action from 3.6.0 to 3.7.0

Release notes

Sourced from step-security/docker-login-action's releases.

v3.7.0

What's Changed

• fix: upgraded packages and fixed vulns by @​Raj-StepSecurity in step-security/docker-login-action#23
• build(deps): bump tar from 7.5.7 to 7.5.9 by @​dependabot[bot] in step-security/docker-login-action#24
• build(deps): bump axios from 1.13.2 to 1.13.5 by @​dependabot[bot] in step-security/docker-login-action#25
• chore: Cherry-picked changes from upstream by @​github-actions[bot] in step-security/docker-login-action#22
• feat: author updated for actions by @​Raj-StepSecurity in step-security/docker-login-action#26
• [StepSecurity] Apply security best practices by @​stepsecurity-app[bot] in step-security/docker-login-action#27
• build(deps): bump tar from 7.5.9 to 7.5.11 by @​dependabot[bot] in step-security/docker-login-action#29
• fix: improve subscription banner and make public repos free by @​Raj-StepSecurity in step-security/docker-login-action#28
• fix: upgraded deps to fix vulnerabilities by @​Raj-StepSecurity in step-security/docker-login-action#30
• fix: upstream author name corrected by @​Raj-StepSecurity in step-security/docker-login-action#31

New Contributors

• @​github-actions[bot] made their first contribution in step-security/docker-login-action#22
• @​stepsecurity-app[bot] made their first contribution in step-security/docker-login-action#27

Full Changelog: step-security/docker-login-action@v3...v3.7.0

Commits

• 6aa05fe Merge pull request #31 from step-security/fix/upstram-author
• e3e053a fix: upstream author name corrected
• 7e7dbc0 Merge pull request #30 from step-security/fix/vulnerabilities-manual
• 80fa174 fix: upgraded deps to fix vulnerabilities
• 4fda943 Merge pull request #28 from step-security/fix/validate-subscription-check
• 1b734e7 failing tests fixed
• c63e7d7 Merge branch 'main' into fix/validate-subscription-check
• 3a00914 Merge pull request #29 from step-security/dependabot/npm_and_yarn/tar-7.5.11
• 35556c9 node version upgraded
• 62753db code linted
• Additional commits viewable in compare view

Updates docker/metadata-action from 5.10.0 to 6.0.0

Release notes

Sourced from docker/metadata-action's releases.

v6.0.0

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in docker/metadata-action#605
• List inputs now preserve # inside values while still supporting full-line # comments by @​crazy-max in docker/metadata-action#607
• Switch to ESM and update config/test wiring by @​crazy-max in docker/metadata-action#602
• Bump lodash from 4.17.21 to 4.17.23 in docker/metadata-action#588
• Bump @​actions/core from 1.11.1 to 3.0.0 in docker/metadata-action#599
• Bump @​actions/github from 6.0.1 to 9.0.0 in docker/metadata-action#597
• Bump @​docker/actions-toolkit from 0.68.0 to 0.79.0 in docker/metadata-action#604
• Bump @​isaacs/brace-expansion from 5.0.0 to 5.0.1 in docker/metadata-action#600
• Bump semver from 7.7.3 to 7.7.4 in docker/metadata-action#603

Full Changelog: docker/metadata-action@v5.10.0...v6.0.0

Commits

• 030e881 Merge pull request #607 from crazy-max/allow-comments
• 4b529ac chore: update generated content
• b0082b3 preserve comments in list input values with commentNoInfix
• 7b19fec Merge pull request #604 from docker/dependabot/npm_and_yarn/docker/actions-to...
• 281c9b0 chore: update generated content
• 5f43b3b test: stabilize github mock setup since ESM
• 9d53276 github class moved since actions-toolkit v0.77.0
• eaa3d39 chore(deps): Bump @​docker/actions-toolkit from 0.68.0 to 0.77.0
• 6b695f7 Merge pull request #605 from crazy-max/node24
• a1afadc node 24 as default runtime
• Additional commits viewable in compare view

Updates actions/upload-artifact from 6.0.0 to 7.0.0

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in actions/upload-artifact#754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in actions/upload-artifact#762
• Support direct file uploads by @​danwkennedy in actions/upload-artifact#764

New Contributors

• @​Link- made their first contribution in actions/upload-artifact#754

Full Changelog: actions/upload-artifact@v6...v7.0.0

Commits

• bbbca2d Support direct file uploads (#764)
• 589182c Upgrade the module to ESM and bump dependencies (#762)
• 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
• 02a8460 Add proxy integration test
• See full diff in compare view

Updates actions/download-artifact from 7.0.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in actions/download-artifact#471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in actions/download-artifact#472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in actions/download-artifact#460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in actions/download-artifact#461

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits

• 3e5f45b Add regression tests for CJK characters (#471)
• e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
• 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
• f258da9 Add change docs
• ccc058e Fix linting issues
• bd7976b Add a setting to specify what to do on hash mismatch and default it to error
• ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
• 15999bf Add note about package bumps
• 974686e Bump the version to v8 and add release notes
• fbe48b1 Update test names to make it clearer what they do
• Additional commits viewable in compare view

Updates anchore/sbom-action from 0.22.1 to 0.23.1

Release notes

Sourced from anchore/sbom-action's releases.

v0.23.1

⬆️ Dependencies

• chore(deps): update Syft to v1.42.2 (#607) [@anchore-actions-token-generator[bot]]
• chore(deps): bump fast-xml-parser and all other deps (#604) [@dependabot[bot]]

v0.23.0

• switch to single-file dist build with sub-action flags and update dependencies (#595) [@​kzantow]
• switch to esbuild (#590) [@​willmurphyscode]
• update Syft to v1.42.1 (#599) [@anchore-actions-token-generator[bot]]

v0.22.2

⬆️ Dependencies

• chore(deps): bump fast-xml-parser from 5.3.3 to 5.3.4 (#581) [@dependabot[bot]]
• chore(deps): update Syft to v1.41.2 (#582) [@anchore-actions-token-generator[bot]]
• chore(deps-dev): bump the dev-dependencies group with 2 updates (#580) [@dependabot[bot]]
• chore(deps): update Syft to v1.41.1 (#579) [@anchore-actions-token-generator[bot]]

Commits

• 57aae52 chore(deps): update Syft to v1.42.2 (#607)
• c29e913 chore(deps): bump fast-xml-parser and other deps (#604)
• 17ae174 chore(deps/test): move to es modules, node:test, single dist file (#595)
• 6d473d3 chore(deps): update Syft to v1.42.1 (#599)
• 60619e7 fix tests and bump fast-xml-parser (#598)
• e2bd58a chore(deps-dev): bump the dev-dependencies group with 3 updates (#592)
• d032d7d ci(syft auto update): npm ci, not npm install (#597)
• 2d09430 fix(dev): switch to esbuild (#590)
• 74c5ce9 chore(deps): update Syft to v1.42.0 (#589)
• 77fae5a chore(deps-dev): bump the dev-dependencies group with 4 updates (#583)
• Additional commits viewable in compare view

Updates step-security/mise-action from 3.5.1 to 3.6.1

Release notes

Sourced from step-security/mise-action's releases.

v3.6.1

What's Changed

• fix: Security updates by @​github-actions[bot] in step-security/mise-action#190
• fix: remove husky by @​Raj-StepSecurity in step-security/mise-action#192
• chore: Cherry-picked changes from upstream by @​github-actions[bot] in step-security/mise-action#191
• fix: Security updates by @​github-actions[bot] in step-security/mise-action#193
• chore: Cherry-picked changes from upstream by @​Raj-StepSecurity in step-security/mise-action#195

Full Changelog: step-security/mise-action@v3...v3.6.1

Commits

• 88aa01c Merge pull request #195 from step-security/auto-cherry-pick
• a0237b8 fix: code build script applied
• 8d2017a chore: Cherry-picked changes from upstream
• d291411 Merge pull request #193 from step-security/npm-audit-fix
• 58be52d fix: apply audit fixes
• fcb1908 fix: apply audit fixes
• eaad836 fix: apply audit fixes
• a482abe Merge pull request #191 from step-security/auto-cherry-pick
• b5856be conflicted commits cherry-picked
• aa6a1cf Merge branch 'main' into auto-cherry-pick
• Additional commits viewable in compare view

Updates taiki-e/install-action from 2.67.18 to 2.68.33

Release notes

Sourced from taiki-e/install-action's releases.

2.68.33

• Update dprint@latest to 0.53.0.

2.68.32

• Update tombi@latest to 0.9.6.

• Update martin@latest to 1.4.0.

2.68.31

• Update cargo-shear@latest to 1.11.2.

2.68.30

• Update just@latest to 1.47.0.

• Update tombi@latest to 0.9.5.

2.68.29

• Update cargo-shear@latest to 1.11.1.

2.68.28

• Update cargo-shear@latest to 1.11.0.

• Update vacuum@latest to 0.25.1.

• Update uv@latest to 0.10.10.

• Update mise@latest to 2026.3.9.

2.68.27

• Update cargo-cyclonedx@latest to 0.5.8.

• Update mise@latest to 2026.3.8.

2.68.26

• Update vacuum@latest to 0.25.0.

• Update syft@latest to 1.42.2.

• Update shfmt@latest to 3.13.0.

• Update prek@latest to 0.3.5.

• Update mise@latest to 2026.3.7.

• Update cargo-shear@latest to 1.10.0.

• Update cargo-nextest@latest to 0.9.130.

2.68.25

• Update zizmor@latest to 1.23.1.

... (truncated)

Changelog

Sourced from taiki-e/install-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

• Update vacuum@latest to 0.25.2.

[2.68.33] - 2026-03-16

• Update dprint@latest to 0.53.0.

[2.68.32] - 2026-03-15

• Update tombi@latest to 0.9.6.

• Update martin@latest to 1.4.0.

[2.68.31] - 2026-03-15

• Update cargo-shear@latest to 1.11.2.

[2.68.30] - 2026-03-15

• Update just@latest to 1.47.0.

• Update tombi@latest to 0.9.5.

[2.68.29] - 2026-03-14

• Update cargo-shear@latest to 1.11.1.

[2.68.28] - 2026-03-14

• Update cargo-shear@latest to 1.11.0.

• Update vacuum@latest to 0.25.1.

• Update uv@latest to 0.10.10.

• Update mise@latest to 2026.3.9.

[2.68.27] - 2026-03-12

... (truncated)

Commits

• cbb1dca Release 2.68.33
• 57531b2 Update dprint@latest to 0.53.0
• f916cfa Release 2.68.32
• f48a693 Update tombi@latest to 0.9.6
• 49eda53 Update martin@latest to 1.4.0
• a57ddfb Release 2.68.31
• 781b2c8 Update cargo-shear@latest to 1.11.2
• b02547a Release 2.68.30
• e67e9c2 Update just@latest to 1.47.0
• c0b4660 Update tombi@latest to 0.9.5
• Additional commits viewable in compare view

Updates github/codeql-action from 4.32.1 to 4.33.0

Release notes

Sourced from github/codeql-action's releases.

v4.33.0

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

v4.32.6

• Update default CodeQL bundle version to 2.24.3. #3548

v4.32.5

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
• The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
• Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
• Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
• Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
• The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

v4.32.4

• Update default CodeQL bundle version to 2.24.2. #3493
• Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
• When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
• Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
• Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

v4.32.3

• Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

v4.32.2

• Update default CodeQL bundle version to 2.24.1. #3460

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

4.32.6 - 05 Mar 2026

• Update default CodeQL bundle version to 2.24.3. #3548

4.32.5 - 02 Mar 2026

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
• The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
• Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
• Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
• Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
• The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

4.32.4 - 20 Feb 2026

• Update default CodeQL bundle version to 2.24.2. #3493
• Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
• When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
• Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
• Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI relea...

  Description has been truncated