[v4] Upgrade Node.js runtime from v20 to v24

.github/actions/check-sarif/action.yml

@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: node20
+  using: node24
   main: index.js

.github/workflows/codescanning-config-cli.yml

@@ -58,7 +58,7 @@ jobs:
     - name: Set up Node.js
       uses: actions/setup-node@v5
       with:
-        node-version: '20'
+        node-version: 24
         cache: 'npm'
 
     - name: Install dependencies

.github/workflows/pr-checks.yml

@@ -20,6 +20,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
+        node-version: [20, 24]
     permissions:
       contents: read
       security-events: write # needed to upload ESLint results
@@ -36,7 +37,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@v5
         with:
-          node-version: '20.x'
+          node-version: ${{ matrix.node-version }}
           cache: 'npm'
 
       - name: Set up Python
@@ -51,7 +52,12 @@ jobs:
           npm config set script-shell bash
           npm ci
 
-      - name: Verify compiled JS up to date
+      - name: Verify compiled JS up to date (Node.js 20)
+        if: matrix.node-version == 20
+        run: .github/workflows/script/check-js-20.sh
+
+      - name: Verify compiled JS up to date (Node.js 24)
+        if: matrix.node-version == 24
         run: .github/workflows/script/check-js.sh
 
       - name: Verify PR checks up to date
@@ -73,7 +79,7 @@ jobs:
 
       - name: Upload sarif
         uses: github/codeql-action/upload-sarif@v3
-        if: matrix.os == 'ubuntu-latest'
+        if: matrix.os == 'ubuntu-latest' && matrix.node-version == 24
         with:
           sarif_file: eslint.sarif
           category: eslint

.github/workflows/query-filters.yml

@@ -34,7 +34,7 @@ jobs:
     - name: Install Node.js
       uses: actions/setup-node@v5
       with:
-        node-version: 20.x
+        node-version: 24
         cache: npm
 
     - name: Install dependencies

.github/workflows/script/check-js-20.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+set -eu
+
+# Change @types/node to v20 temporarily to check that the generated JS files are correct.
+contents=$(jq '.devDependencies."@types/node" = "^20.0.0"' package.json)
+echo "${contents}" > package.json
+
+npm install
+
+if [ ! -z "$(git status --porcelain)" ]; then
+    git config --global user.email "[email protected]"
+    git config --global user.name "github-actions[bot]"
+    # The period in `git add --all .` ensures that we stage deleted files too.
+    git add --all .
+    git commit -m "Use @types/node v20"
+fi
+
+# Wipe the lib directory in case there are extra unnecessary files in there
+rm -rf lib
+
+# Generate the JavaScript files
+npm run-script build
+
+# Check that repo is still clean.
+# The downgrade of @types/node means that we expect certain changes to the generated JS files.
+# Therefore, we should ignore these changes to @types/node and check for outstanding changes.
+if [[ $(git diff | grep --perl-regexp '^-(?!--)' | grep --count --invert-match --perl-regexp '"@types/node": "\^24') -gt 0 || \
+      $(git diff | grep --perl-regexp '^\+(?!\+\+)' | grep --count --invert-match --perl-regexp '"@types/node": "\^20') -gt 0 ]]
+then
+    >&2 echo "Failed: JavaScript files are not up to date. Run 'rm -rf lib && npm run-script build' to update"
+    git diff
+    exit 1
+fi
+echo "Success: JavaScript files are up to date"
+
+# Clean up changes to package.json, package-lock.json, and lib/*.js.
+git reset --hard HEAD~1

.github/workflows/update-bundle.yml

@@ -43,7 +43,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@v5
         with:
-          node-version: '20.x'
+          node-version: 24
           cache: 'npm'
 
       - name: Install dependencies

CHANGELOG.md

@@ -16,6 +16,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 - We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. [#3107](https://github.com/github/codeql-action/pull/3107)
 - You can now run the latest CodeQL nightly bundle by passing `tools: nightly` to the `init` action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. [#3130](https://github.com/github/codeql-action/pull/3130)
 - Update default CodeQL bundle version to 2.23.1. [#3118](https://github.com/github/codeql-action/pull/3118)
+- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
 
 ## 3.30.3 - 10 Sep 2025
 

CONTRIBUTING.md

@@ -13,7 +13,7 @@ Please note that this project is released with a [Contributor Code of Conduct][c
 
 ## Development and Testing
 
-Before you start, ensure that you have a recent version of node (16 or higher) installed, along with a recent version of npm (9.2 or higher). You can see which version of node is used by the action in `init/action.yml`.
+Before you start, ensure that you have a recent version of node (24 or higher) installed, along with a recent version of npm (9.2 or higher). You can see which version of node is used by the action in `init/action.yml`.
 
 ### Common tasks
 

README.md

@@ -62,7 +62,8 @@ For compiled languages:
 
 The following versions of the CodeQL Action are currently supported:
 
-- v3 (latest)
+- v4 (latest)
+- v3
 
 ## Supported versions of the CodeQL Bundle on GitHub Enterprise Server
 

analyze/action.yml

@@ -92,6 +92,6 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: node20
+  using: node24
   main: "../lib/analyze-action.js"
   post: "../lib/analyze-action-post.js"

autobuild/action.yml

@@ -15,5 +15,5 @@ inputs:
       $GITHUB_WORKSPACE as its working directory.
     required: false
 runs:
-  using: node20
+  using: node24
   main: '../lib/autobuild-action.js'

build.mjs

@@ -68,7 +68,7 @@ const context = await esbuild.context({
   outdir: OUT_DIR,
   platform: "node",
   plugins: [cleanPlugin, copyDefaultsPlugin, onEndPlugin],
-  target: ["node20"],
+  target: ["node24"],
 });
 
 await context.rebuild();

init/action.yml

@@ -165,6 +165,6 @@ outputs:
   codeql-version:
     description: The version of the CodeQL binary used for analysis
 runs:
-  using: node20
+  using: node24
   main: '../lib/init-action.js'
   post: '../lib/init-action-post.js'