
Bump github/codeql-action from 4.35.3 to 4.35.4#361

Merged
cmmarslender merged 1 commit into main from dependabot/github_actions/github/codeql-action-4.35.4, May 26, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps github/codeql-action from 4.35.3 to 4.35.4.

Release notes

Sourced from github/codeql-action's releases.

v4.35.4

  • Update default CodeQL bundle version to 2.25.4. #3881
Changelog

Sourced from github/codeql-action's changelog.

4.35.4 - 07 May 2026

  • Update default CodeQL bundle version to 2.25.4. #3881
Commits
  • 68bde55 Merge pull request #3885 from github/update-v4.35.4-803d9e8c3
  • 9739ad2 Update changelog for v4.35.4
  • 803d9e8 Merge pull request #3883 from github/mbg/test/macro-wrapper
  • 0fd9c7d Merge pull request #3882 from github/dependabot/github_actions/dot-github/wor...
  • 922d6fb Use makeMacro instead of test.macro
  • df77e87 Update test macro snippet
  • 6e3f985 Add wrapper for test.macro
  • e7a347d Merge pull request #3881 from github/update-bundle/codeql-bundle-v2.25.4
  • 17eabb2 Rebuild
  • aaef09c Bump ruby/setup-ruby
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency bump limited to the CodeQL GitHub Actions workflow; it may only affect code scanning results via the updated default CodeQL bundle.

Overview
Updates the CodeQL GitHub Actions workflow to use github/codeql-action v4.35.4 for both init and analyze, picking up the newer default CodeQL bundle used during scanning.

Reviewed by Cursor Bugbot for commit 2b9448e. Bugbot is set up for automated code reviews on this repo.

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.3 to 4.35.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v4.35.3...v4.35.4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added labels May 20, 2026:
  • Changed (required label for PR that categorizes merge commit message as "Changed" for changelog)
  • dependencies (pull requests that update a dependency file)
  • github_actions (pull requests that update Github_actions code)
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing the dependency update: examining local changes and upstream diff between 4.35.3 and 4.35.4.
Verdict: benign

Summary: Patch bump of the official github/codeql-action from 4.35.3 → 4.35.4. In this repo the only consumer change is pinning init and analyze to @v4.35.4 in .github/workflows/codeql-analysis.yml. Upstream changes align with the published release (default CodeQL bundle 2.25.3 → 2.25.4), plus routine maintenance (undici override, overlay-cache logic, docs/tests, rebuild).

Checklist (by category)

  • Classic obfuscation: No malicious obfuscation. Scanner obfuscation_indicator hits are test base64 encoding and lockfile package names — false positives.
  • Unexpected network / exfil: No new suspicious hosts. credential_exfil_indicator hits are CHANGELOG text and test fixtures (token + https://localhost) — false positives.
  • FS persistence / shell spawn: shell_process_spawn hits are @actions/exec, test exec: mocks, and bundle exec rubocop in upstream CI — expected, not payload behavior.
  • Lifecycle scripts: No preinstall/postinstall/install in upstream package.json scripts.
  • Typosquatting / minified payloads: Package name unchanged (github/codeql-action). Large lib/upload-lib.js diff is a normal rebuild (undici path consolidation), not a smuggled payload.
  • Invisible Unicode / GlassWorm: Scanner: 0 unicode, confusable, and IOC findings.
  • Dependency integrity: Semver patch; tags v4.35.3 / v4.35.4 resolve to merge commits e46ed2c / 68bde55 (matches scanner range). New undici override is documented upstream maintenance, not an unexplained dependency explosion.
  • Dependabot context: No node_modules/ / vendor changes in this PR. Upstream touched .github/workflows/__rubocop-multi-language.yml (their internal CI only); chiavdf does not import that file.

Scanner vs manual review

Scanner status warn with 56 heuristics is expected noise for codeql-action (exec-heavy tests, bundled HTTP client, changelog security wording). Manual review disagrees with treating these as compromise signals — no credible IOC or Unicode findings; production diffs (defaults.json, api-client.ts, overlay/caching.ts) are documented feature/maintenance work.

Action

Safe to merge after CodeQL workflow CI passes. Residual risk is ordinary: newer query engine may surface new findings or change timing — not supply-chain malware.

Compatibility Analysis

Reviewing CodeQL usage in the repo and what changed upstream between 4.35.3 and 4.35.4.

Compatibility & adoption analysis — github/codeql-action 4.35.3 → 4.35.4

1) Where it’s used

Single consumer: .github/workflows/codeql-analysis.yml

  • Initialize CodeQL: github/codeql-action/init@v4.35.4, inputs used: languages: ${{ matrix.language }}
  • Perform CodeQL Analysis: github/codeql-action/analyze@v4.35.4 (defaults only)

Workflow context:

  • Matrix: cpp, python
  • Manual build between init and analyze (cmake/boost/gmp, pip wheel .)
  • Triggers: push/pull_request on main, weekly cron
  • No repo-local .github/codeql/ config, no tools: / config-file: / build-mode: / codeql-version: overrides
  • Not referenced in application code, lockfiles, or other workflows

PR scope: version pin only in that workflow file (two lines).


2) Intersection with upstream changes

User-facing change in 4.35.4: default CodeQL bundle 2.25.3 → 2.25.4 (src/defaults.json only).

No changes between v4.35.3 and v4.35.4 to:

  • init/action.yml
  • analyze/action.yml
  • setup-codeql/action.yml

This repo uses only init + analyze with languages — no overlap with changed action inputs or experimental APIs.

Indirect effect: unpinned tools means runs pick up CodeQL CLI/query packs from bundle 2.25.4 (cpp/python extractors and queries may differ slightly from 2.25.3).

Other upstream diff (rebuilt JS bundles, overlay-cache tests, makeMacro test helper, undici) is internal to the action; not used by this workflow.


3) Risks / unknowns

  • New/changed Code Scanning alerts (severity: Low–medium): Expected with any bundle bump; may affect PR checks if alerts are blocking
  • CI flakiness on custom build (severity: Low): Existing apt/cmake/pip build step; not introduced by this bump
  • Longer first run after merge (severity: Low): New bundle download/cache warm-up
  • GHES / pinned CLI (severity: N/A): Standard ubuntu-latest + github.com actions
  • Supply chain (severity: Low): Official github/codeql-action; malware scan flagged only changelog/test noise

Unknown until CI runs: whether 2.25.4 changes cpp/python findings or breaks the custom build + analyze path (historically rare for patch bundles).


4) Recommendation: merge

Patch bump of the official action with no workflow API changes and minimal, standard adoption (version pins only). The only behavioral change relevant here is the default bundle patch, which is appropriate for security scanning.

Post-merge check: confirm the CodeQL workflow is green on main (both matrix legs). If new alerts appear, triage as query-pack updates, not action incompatibility.

Not recommended: hold unless you must freeze query results; no structural incompatibility found.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 23
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: e46ed2cbd01164d986452f91f178727624ae40d7..68bde559dea0fdcac2102bfdf6230c5f70eb485e
  • Resolved refs: from=e46ed2cbd01164d986452f91f178727624ae40d7 to=68bde559dea0fdcac2102bfdf6230c5f70eb485e
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 56

Top findings

  • src/status-report.test.ts:296 shell_process_spawn :: exec: async (
  • src/overlay/caching.test.ts:56 shell_process_spawn :: exec: async (
  • src/testing-utils.ts:162 shell_process_spawn :: // Make the implementation available as fn. We don't call it exec so
  • src/testing-utils.ts:165 shell_process_spawn :: wrapper.fn = decl.exec;
  • .github/workflows/__rubocop-multi-language.yml:72 shell_process_spawn :: bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
  • src/upload-sarif.test.ts:47 shell_process_spawn :: exec: async (
  • src/setup-codeql.test.ts:487 shell_process_spawn :: exec: async (
  • src/setup-codeql.test.ts:764 shell_process_spawn :: exec: async (
  • src/diff-informed-analysis-utils.test.ts:49 shell_process_spawn :: exec: async (
  • src/init-action-post-helper.test.ts:801 shell_process_spawn :: exec: async (
  • src/codeql.test.ts:3 shell_process_spawn :: import { ExecOptions } from "@actions/exec";
  • src/codeql.test.ts:4 shell_process_spawn :: import * as toolrunner from "@actions/exec/lib/toolrunner";
  • src/codeql.test.ts:576 shell_process_spawn :: exec: async (
  • src/codeql.test.ts:1125 shell_process_spawn :: runnerObjectStub.exec.callsFake(async () => {
  • src/config-utils.test.ts:1040 shell_process_spawn :: exec: async (
  • package.json:27 shell_process_spawn :: "@actions/exec": "^2.0.0",
  • src/config/db-config.test.ts:20 shell_process_spawn :: exec: (
  • src/config/db-config.test.ts:38 shell_process_spawn :: exec: (
  • src/config/db-config.test.ts:54 shell_process_spawn :: exec: (t: ExecutionContext, arg: string) =>
  • src/config/db-config.test.ts:141 shell_process_spawn :: exec: (t: ExecutionContext, packStr: string, packObj: dbConfig.Pack) => {
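
The "Scanner vs manual review" section above argues that all 56 heuristic hits are test, CI and manifest noise rather than production-code signals. The following is an added example of how to do that triage mechanically; it is not code from the scanner, from Cursor, or from this repository. The path classes it uses (test modules, test helpers, upstream workflow files, manifests, changelog) are this example's own assumptions about what counts as non-production code in github/codeql-action, and the sample findings are copied from the "Top findings" list above plus one constructed production-file line to show the other branch.

```python
"""Triage heuristic scanner findings by where in the upstream tree they sit.

Added example, not code from the scanner or from this repository. The
path classes are assumptions; the sample findings are the page's own
"Top findings" lines plus one constructed production-file finding.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    snippet: str


# Format used by the scan summary above: "<path>:<line> <rule> :: <snippet>"
FINDING_RE = re.compile(r"^(?P<path>\S+?):(?P<line>\d+) (?P<rule>\w+) :: (?P<snippet>.*)$")

# Assumed path classes (ordered; first match wins). Anything not matched
# is treated as production code and kept for manual review.
NOISE_CLASSES = [
    ("test module", re.compile(r"(^|/)[^/]+\.test\.[cm]?[jt]sx?$")),
    ("test helper", re.compile(r"(^|/)testing-utils\.[jt]s$")),
    ("upstream CI workflow", re.compile(r"^\.github/workflows/")),
    ("package manifest or lockfile",
     re.compile(r"^(package\.json|package-lock\.json|yarn\.lock|pnpm-lock\.yaml)$")),
    ("changelog or docs", re.compile(r"(^|/)CHANGELOG[^/]*$|\.md$")),
]

# Six lines taken from the scan summary above, plus one constructed finding
# in a non-test file (labelled as such) so the review branch is exercised.
SAMPLE_FINDINGS = [
    "src/status-report.test.ts:296 shell_process_spawn :: exec: async (",
    "src/testing-utils.ts:165 shell_process_spawn :: wrapper.fn = decl.exec;",
    ".github/workflows/__rubocop-multi-language.yml:72 shell_process_spawn :: bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif",
    "src/codeql.test.ts:4 shell_process_spawn :: import * as toolrunner from \"@actions/exec/lib/toolrunner\";",
    "package.json:27 shell_process_spawn :: \"@actions/exec\": \"^2.0.0\",",
    "src/config/db-config.test.ts:141 shell_process_spawn :: exec: (t: ExecutionContext, packStr: string, packObj: dbConfig.Pack) => {",
    # constructed, not from the page: a spawn in a production source file
    "src/codeql.ts:412 shell_process_spawn :: await new toolrunner.ToolRunner(cmd, args).exec()",
]


def parse_finding(line: str) -> Optional[Finding]:
    """Parse one summary line; a leading bullet is tolerated."""
    m = FINDING_RE.match(line.strip().lstrip("• ").strip())
    if m is None:
        return None
    return Finding(m["path"], int(m["line"]), m["rule"], m["snippet"])


def classify(f: Finding) -> Optional[str]:
    """Return the noise class a finding falls into, or None for production code."""
    for label, pattern in NOISE_CLASSES:
        if pattern.search(f.path):
            return label
    return None


def triage(lines: List[str]) -> Dict[str, list]:
    """Split findings into noise (with the class that explains them),
    items needing manual review, and lines that did not parse."""
    noise, review, unparsed = [], [], []
    for raw in lines:
        f = parse_finding(raw)
        if f is None:
            unparsed.append(raw)
            continue
        label = classify(f)
        (noise if label else review).append((f, label))
    return {"noise": noise, "review": review, "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS)
    for f, label in result["noise"]:
        print(f"noise   {f.path}:{f.line} ({label})")
    for f, _ in result["review"]:
        print(f"REVIEW  {f.path}:{f.line} {f.rule}: {f.snippet}")
```

The point of the split is the same one the manual review makes: a `shell_process_spawn` hit in a `.test.ts` mock or in `package.json` says nothing about what the action does at runtime, whereas the same heuristic firing in `src/codeql.ts` is exactly what should be read by a human. Path-based suppression is only a first filter; the counts of unicode, confusable and IOC findings still have to be zero on their own.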

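The compatibility analysis above notes that the workflow references the action by mutable tag (`@v4.35.4`), and the integrity check quotes the commits those tags resolve to. The script below is an added example of the check a reviewer can run locally and of the follow-up hardening step, pinning `uses:` lines to the commit SHA; it is not code from chiavdf or from github/codeql-action. The only real data in it are the two tag/commit pairs quoted in the scan summary above; the `git ls-remote` text and the workflow snippet are constructed so that it runs offline, and the real workflow has a manual build step between init and analyze that the snippet omits.

```python
"""Resolve GitHub Actions version tags to commits and pin them by SHA.

Added example, not code from this repository or from github/codeql-action.
Real data: the two tag/commit pairs quoted in the review above. Everything
else (ls-remote text, workflow snippet) is constructed so the example runs
offline; a real run would feed it the output of
`git ls-remote --tags https://github.com/github/codeql-action`.
"""
import re
from typing import Dict, List, Tuple

# Constructed ls-remote output limited to the two tags this PR moves between;
# the SHAs are the ones the scan summary above resolved for v4.35.3/v4.35.4.
LS_REMOTE_SAMPLE = (
    "e46ed2cbd01164d986452f91f178727624ae40d7\trefs/tags/v4.35.3\n"
    "68bde559dea0fdcac2102bfdf6230c5f70eb485e\trefs/tags/v4.35.4\n"
)

# Constructed, simplified stand-in for .github/workflows/codeql-analysis.yml.
WORKFLOW_SAMPLE = """\
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4.35.4
        with:
          languages: ${{ matrix.language }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4.35.4
"""

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s*)?uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<rest>.*)$"
)


def parse_ls_remote(text: str) -> Dict[str, str]:
    """Map tag name -> commit SHA. For annotated tags, ls-remote prints the tag
    object first and the peeled commit as '<tag>^{}'; the peeled SHA wins,
    because that is the commit the runner actually checks out."""
    tags: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags


def tag_matches(tags: Dict[str, str], tag: str, expected_sha: str) -> bool:
    """True if `tag` resolves to a commit whose SHA starts with expected_sha
    (the review quotes abbreviated SHAs, hence a prefix check). An unknown
    tag never matches."""
    sha = tags.get(tag)
    return sha is not None and sha.startswith(expected_sha.lower())


def pin_to_sha(workflow_text: str, tags: Dict[str, str]) -> Tuple[str, List[str]]:
    """Rewrite `uses: owner/repo[/path]@<tag>` lines to `@<sha> # <tag>`.
    Lines already pinned to a full SHA are left alone; tags absent from
    `tags` are reported unresolved so the caller fetches them rather than
    guessing."""
    out: List[str] = []
    unresolved: List[str] = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m is None or FULL_SHA_RE.match(m["ref"]):
            out.append(line)
            continue
        sha = tags.get(m["ref"])
        if sha is None:
            unresolved.append(f"{m['action']}@{m['ref']}")
            out.append(line)
            continue
        # Any existing trailing comment is replaced by the tag name, so a
        # reader still sees which version the SHA corresponds to.
        out.append(f"{m['prefix']}{m['action']}@{sha} # {m['ref']}")
    return "\n".join(out) + "\n", unresolved


if __name__ == "__main__":
    tags = parse_ls_remote(LS_REMOTE_SAMPLE)
    ok = tag_matches(tags, "v4.35.4", "68bde55")
    print("v4.35.4 ->", tags["v4.35.4"], "ok" if ok else "MISMATCH")
    pinned, missing = pin_to_sha(WORKFLOW_SAMPLE, tags)
    print(pinned)
    print("unresolved:", missing)
```

Pinning to the commit removes the residual risk the review calls "ordinary": a tag like `v4.35.4` can be moved upstream without any change in this repository, while a full SHA cannot. Keeping the tag in a trailing comment preserves readability, and Dependabot continues to open bumps for SHA-pinned actions and updates that comment along with the SHA.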
@cmmarslender cmmarslender merged commit d4a29e7 into main May 26, 2026
67 checks passed
@cmmarslender cmmarslender deleted the dependabot/github_actions/github/codeql-action-4.35.4 branch May 26, 2026 15:33