Skip to content

#3588 fix: gRPC query and streaming query now propagate the language parameter#3589

Merged
robfrank merged 2 commits intomainfrom
feat/grpc-query-languages-support
Mar 7, 2026
Merged

#3588 fix: gRPC query and streaming query now propagate the language parameter#3589
robfrank merged 2 commits intomainfrom
feat/grpc-query-languages-support

Conversation

@robfrank
Copy link
Collaborator

@robfrank robfrank commented Mar 7, 2026
edited
Loading

Summary

Fixes #3588

  • Added string language = 9; to ExecuteQueryRequest proto (additive, backward-compatible)
  • Server: executeQuery() and all three streamQuery modes (streamCursor, streamMaterialized, streamPaged) now use the language from the request instead of hardcoding "sql"
  • Client: query(), queryStream(), and private streamQuery() now pass the language parameter to the proto builders
  • Enabled Gremlin and Cypher e2e tests that were disabled pending this fix

Test plan

  • Proto, server, and client modules compile successfully
  • RemoteGrpcDatabaseTest.simpleGremlinQuery() enabled (was @Disabled)
  • RemoteGrpcDatabaseTest.simpleCypherQuery() enabled (was @Disabled)
  • RemoteGrpcDatabaseTest.simpleOpenCypherQuery() already passing
  • Run full e2e suite: cd e2e && mvn test -Dtest=RemoteGrpcDatabaseTest

🤖 Generated with Claude Code

@robfrank @claude
#3588 fix: gRPC query and streaming query now propagate the language …
9ab1d79 
…parameter

The language parameter was ignored in query() and queryStream() paths,
causing all queries to be executed as SQL regardless of the specified language.

- Added language field to ExecuteQueryRequest proto (field 9, backward-compatible)
- Server: executeQuery() and streamQuery() modes now use the language from the request
- Client: query(), queryStream(), and streamQuery() now pass language to the proto builders
- Enabled Gremlin and Cypher e2e tests that were disabled pending this fix

Co-Authored-By: Claude Opus 4.6 <[email protected]>
@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Mar 7, 2026

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical limitation in the gRPC client where query and streaming query operations did not correctly propagate the specified language, effectively restricting them to SQL. By introducing a new language field in the gRPC proto, and updating both the server and client implementations to utilize this parameter, the system now fully supports diverse query languages like Gremlin and Cypher through gRPC. This enhancement significantly broadens the capabilities of the gRPC interface, allowing for more flexible and powerful database interactions.

Highlights

  • gRPC Query Language Propagation: The language parameter is now correctly propagated through gRPC query and streaming query operations, resolving an issue where only command() supported non-SQL languages.
  • Protocol Buffer Update: The ExecuteQueryRequest proto message was extended with a new language field to explicitly carry the query language information.
  • Server-Side Language Handling: Server-side executeQuery() and all streamQuery modes (streamCursor, streamMaterialized, streamPaged) now dynamically use the language specified in the request, defaulting to 'sql' if not provided.
  • Client-Side Language Parameterization: Client methods query(), queryStream(), and the private streamQuery() were updated to pass the language parameter to their respective gRPC request builders.
  • Enabled E2E Tests: Previously disabled Gremlin and Cypher end-to-end tests were re-enabled and are now passing, confirming the fix for non-SQL query languages.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog
  • docs/plans/2026-03-07-grpc-query-language-support-design.md
    • Added a new design document detailing the problem, design decisions, and proposed changes for gRPC query language support.
    • Outlined the three layers affected: Proto, Client, and Server, and their respective modifications.
    • Described the testing strategy for verifying the implementation.
  • docs/plans/2026-03-07-grpc-query-language-support-impl.md
    • Added a new implementation plan document providing a step-by-step guide for applying the changes.
    • Included instructions for modifying the proto, server, and client files, along with build commands.
    • Suggested specific e2e tests to validate the changes.
  • e2e/src/test/java/com/arcadedb/e2e/RemoteGrpcDatabaseTest.java
    • Removed the org.junit.jupiter.api.Disabled import.
    • Removed the @Disabled annotation from the simpleGremlinQuery() test method.
    • Removed the @Disabled annotation from the simpleCypherQuery() test method.
    • Added a new test method simpleOpenCypherQuery() to verify OpenCypher queries.
  • grpc-client/src/main/java/com/arcadedb/remote/grpc/RemoteGrpcDatabase.java
    • Modified the query() method to include .setLanguage(language) in the ExecuteQueryRequest builder.
    • Modified the queryStream() method to include .setLanguage(language) in the StreamQueryRequest builder.
    • Modified the private streamQuery() method to explicitly set the language to 'sql' in the StreamQueryRequest builder.
  • grpc/src/main/proto/arcadedb-server.proto
    • Added a new string language = 9; field to the ExecuteQueryRequest message, with a comment indicating 'sql' as the default if empty.
  • grpcw/src/main/java/com/arcadedb/server/grpc/ArcadeDbGrpcService.java
    • In the executeQuery() method, replaced the hardcoded 'sql' language with the language from the request, defaulting to 'sql' if not provided, and updated logging.
    • In the streamQuery() method, extracted the language from the request and passed it as a new parameter to streamMaterialized(), streamPaged(), and streamCursor() helper methods.
    • Updated the streamCursor() method signature to accept a String language parameter and used it in the db.query() call.
    • Updated the streamMaterialized() method signature to accept a String language parameter and used it in the db.query() call.
    • Updated the streamPaged() method signature to accept a String language parameter and used it in the db.query() call.
Activity
  • The pull request was initially generated using Claude Code.
  • The author confirmed successful compilation of proto, server, and client modules.
  • The author enabled and verified the RemoteGrpcDatabaseTest.simpleGremlinQuery() test.
  • The author enabled and verified the RemoteGrpcDatabaseTest.simpleCypherQuery() test.
  • The author confirmed that RemoteGrpcDatabaseTest.simpleOpenCypherQuery() was already passing.
  • The author plans to run the full e2e test suite.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@robfrank robfrank added this to the 26.4.1 milestone Mar 7, 2026
@mergify
Copy link
Contributor

mergify bot commented Mar 7, 2026
edited
Loading

🧪 CI Insights

Here's what we observed from your CI run for 2ca180b.

🟢 All jobs passed!

But CI Insights is watching 👀

@claude
Copy link

claude bot commented Mar 7, 2026

Code Review

The core fix is correct and clean — adding language = 9 to ExecuteQueryRequest is additive and backward-compatible, and the propagation through server and client is consistent. Good work enabling the previously-disabled tests. A few issues worth addressing:

Bug: streamPaged breaks for non-SQL languages

wrapWithSkipLimit wraps the query in ArcadeDB SQL syntax:

// ArcadeDbGrpcService.java:1392
return "SELECT FROM (" + originalSql + ") ORDER BY @rid SKIP :_skip LIMIT :_limit";

Before this PR, streamPaged was hardcoded to "sql", so this was safe. Now that any language can reach it, a client sending language=cypher or language=gremlin with RetrievalMode=PAGED will produce a mixed-syntax query like:

SELECT FROM (MATCH(p:Beer) RETURN * LIMIT 10) ORDER BY @rid SKIP :_skip LIMIT :_limit

...which will fail at query execution. The method comment and variable name (pagedSql) already signal this is SQL-only. Options:

  • Restrict PAGED mode to SQL-only and return an error for other languages
  • Fall back to CURSOR mode when language is not SQL
  • Document the limitation prominently and protect it server-side

NPE risk: null language in client

Both query() and queryStream() call .setLanguage(language) where language comes directly from the caller. Protobuf's generated setLanguage(String) throws NullPointerException if passed null. The existing langOrDefault() helper is right there — use it:

// grpc-client/.../RemoteGrpcDatabase.java
.setLanguage(langOrDefault(language))   // instead of .setLanguage(language)

The command() path (line 620) already uses langOrDefault() correctly. Make query() and queryStream() consistent with it.

Duplicated language-defaulting logic on the server

The inline ternary:

(request.getLanguage() == null || request.getLanguage().isEmpty()) ? "sql" : request.getLanguage()

appears 3 times in ArcadeDbGrpcService.java (lines 256, 821, 1110). The client already has a langOrDefault() helper — extract the same helper on the server side to keep it DRY.

Planning documents committed to the repo

docs/plans/2026-03-07-grpc-query-language-support-design.md and docs/plans/2026-03-07-grpc-query-language-support-impl.md are Claude Code planning artifacts. These shouldn't be committed to the codebase — please remove them before merge.

Inconsistent test: simpleOpenCypherQuery wraps in a transaction

void simpleOpenCypherQuery() {
    database.transaction(() -> {
        final ResultSet result = database.query("opencypher", "MATCH(p:Beer) RETURN * LIMIT 10");
        assertThat(CollectionUtils.countEntries(result)).isEqualTo(10);
    }, false, 10);
}

simpleCypherQuery and simpleGremlinQuery don't need a transaction wrapper. If opencypher requires one for some reason, add a comment explaining why; otherwise remove the wrapper to make the tests consistent.

Missing streaming tests for non-SQL languages

The fix also corrects queryStream() on both client and server, but there are no e2e tests that exercise queryStream() with language=cypher or language=gremlin. Consider adding at least one streaming test for a non-SQL language to validate that path end-to-end.

Summary: The proto change and core propagation are solid. The streamPaged + non-SQL combination is the main correctness gap to resolve, and the two planning .md files should be dropped before merge.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 7, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request effectively addresses the issue of propagating the language parameter in gRPC query and streaming query operations, with well-structured changes and enabled e2e tests. However, the implementation introduces security concerns: logging unsanitized user input in executeQuery can lead to log injection, and the streamPaged pagination logic is vulnerable to a SQL injection-style bypass that could cause a denial-of-service via an infinite loop. Furthermore, the streamPaged implementation is currently SQL-specific and will fail for other query languages. A medium-severity suggestion has also been provided to simplify and deduplicate some new server-side logic.

grpcw/src/main/java/com/arcadedb/server/grpc/ArcadeDbGrpcService.java
Comment on lines 1300 to +1302
private void streamPaged(Database db, StreamQueryRequest request, int batchSize,
ServerCallStreamObserver<QueryResult> scso,
AtomicBoolean cancelled, ProjectionConfig projectionConfig) {
AtomicBoolean cancelled, ProjectionConfig projectionConfig, String language) {
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

By adding the language parameter, this method now incorrectly suggests it supports paged streaming for any language. However, the implementation calls wrapWithSkipLimit which generates SQL-specific syntax for pagination. This will cause queries in other languages like Gremlin or Cypher to fail because the wrapped query is not valid in those languages.

To fix this, you should add a check at the beginning of the method to throw an UnsupportedOperationException if the language is not SQL, making it clear that this mode is not yet supported for other languages.

grpcw/src/main/java/com/arcadedb/server/grpc/ArcadeDbGrpcService.java Outdated
Comment on lines +821 to +823
final String language = (request.getLanguage() == null || request.getLanguage().isEmpty()) ? "sql" : request.getLanguage();

ResultSet resultSet = database.query("sql", request.getQuery(),
LogManager.instance().log(this, Level.FINE, "executeQuery(): language = %s query = %s", language, request.getQuery());
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

The executeQuery method logs user-supplied language and query parameters without sanitization, creating a log injection vulnerability where attackers can spoof log entries or corrupt log files. Additionally, logging the full query string may inadvertently expose sensitive information. It is crucial to sanitize input by removing or replacing newline characters and consider masking sensitive data before logging. While request.getLanguage() == null is technically redundant for proto3 string fields (which default to empty strings), the provided suggestion prioritizes robust sanitization. This pattern is also present in streamQuery; consider extracting this logic into a private helper method to avoid duplication and improve maintainability and consistent security practices.

Suggested change
final String language = (request.getLanguage() == null || request.getLanguage().isEmpty()) ? "sql" : request.getLanguage();
ResultSet resultSet = database.query("sql", request.getQuery(),
LogManager.instance().log(this, Level.FINE, "executeQuery(): language = %s query = %s", language, request.getQuery());
final String language = (request.getLanguage() == null || request.getLanguage().isEmpty()) ? "sql" : request.getLanguage();
LogManager.instance().log(this, Level.FINE, "executeQuery(): language = %s query = %s", language.replace('\n', '_').replace('\r', '_'), request.getQuery().replace('\n', '_').replace('\r', '_'));

grpcw/src/main/java/com/arcadedb/server/grpc/ArcadeDbGrpcService.java
QueryResult.Builder b = QueryResult.newBuilder();

try (ResultSet rs = db.query("sql", pagedSql, params)) {
try (ResultSet rs = db.query(language, pagedSql, params)) {
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

In streamPaged mode, the server constructs a SQL query by concatenating the user-supplied query into a SELECT FROM (...) wrapper to apply pagination. An attacker can provide a query that escapes the subquery (e.g., by using a closing parenthesis and a comment marker like ) --) to comment out the SKIP and LIMIT clauses added by the server. This can lead to an infinite loop on the server, as it will repeatedly execute the query and receive the same full result set, causing a denial-of-service and resource exhaustion. Furthermore, the code now passes the user-supplied language to this SQL-specific wrapper, which will cause syntax errors or unpredictable behavior if a non-SQL language is specified. It is recommended to validate the query string or use a more robust method for applying pagination that does not rely on simple string concatenation.

@robfrank @claude
#3588 fix: address code review feedback
2ca180b 
- Guard streamPaged against non-SQL languages (falls back to CURSOR mode)
- Use langOrDefault() in client query/queryStream to prevent NPE on null language
- Extract langOrDefault() helper on server side to deduplicate language defaulting
- Add streaming query e2e tests for SQL and OpenCypher

Co-Authored-By: Claude Opus 4.6 <[email protected]>
@claude
Copy link

claude bot commented Mar 7, 2026

Code Review

This is a clean, well-scoped fix that correctly propagates the language parameter through the gRPC stack. A few observations:

Correctness

PAGED mode silent fallback (ArcadeDbGrpcService.java lines 1115-1119): When a client explicitly requests PAGED mode but uses a non-SQL language, the code silently switches to CURSOR mode. This is the right behaviour since wrapWithSkipLimit generates SQL-specific syntax (SELECT FROM (...) ORDER BY @rid SKIP :_skip LIMIT :_limit), but the client receives no indication that the requested mode was ignored. A Level.WARNING log entry here would aid debugging.

streamPaged still accepts a language parameter but is now only ever called with "sql" due to the guard above. The parameter is harmless but slightly misleading — minor nit.

Tests

simpleOpenCypherQuery wrapped in a transaction (RemoteGrpcDatabaseTest.java lines 72-75): The SQL and Gremlin/Cypher query tests run without a transaction, but this new test wraps the call in database.transaction(…, false, 10). If this wrapper is genuinely required for OpenCypher, a short comment explaining why would be helpful; if it is a copy-paste artefact it should be removed for consistency.

Missing stream tests for Gremlin and Cypher: streamQueryWithSQL and streamQueryWithOpenCypher are present, but there are no streamQueryWithGremlin / streamQueryWithCypher tests. Given that enabling those two query styles was the primary motivation of the PR, covering them in the streaming path too would be valuable.

Design / Proto

Proto field placement: adding language as field 9 at the bottom of ExecuteQueryRequest is correct and backward-compatible. Consistent with StreamQueryRequest where language was already field 7.

langOrDefault is duplicated: the same one-liner exists in both RemoteGrpcDatabase (client) and ArcadeDbGrpcService (server). Acceptable since the modules compile independently, but both must stay in sync if the default ever changes.

Documentation artefacts

docs/plans/2026-03-07-grpc-query-language-support-design.md and docs/plans/2026-03-07-grpc-query-language-support-impl.md are planning/scratchpad documents that do not belong in the permanent repository history. Please remove these files before merging.

Summary

The core fix (proto field + server + client plumbing) is correct and backward-compatible. Actionable items before merging:

  1. Remove the two docs/plans/ files.
  2. Add a Level.WARNING log when PAGED mode falls back to CURSOR for non-SQL languages.
  3. Clarify or remove the database.transaction() wrapper in simpleOpenCypherQuery.
  4. Consider adding streamQueryWithGremlin and streamQueryWithCypher e2e tests.

@codacy-production
Copy link

codacy-production bot commented Mar 7, 2026
edited
Loading

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation Diff coverage
-9.70% 94.12%
Coverage variation details
Coverable lines Covered lines Coverage
Common ancestor commit (43f1922) 103672 77234 74.50%
Head commit (9ab1d79) 134238 (+30566) 86980 (+9746) 64.80% (-9.70%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Coverable lines Covered lines Diff coverage
Pull request (#3589) 17 16 94.12%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

@codecov
Copy link

codecov bot commented Mar 7, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 81.81818% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.75%. Comparing base (43f1922) to head (2ca180b).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
.../com/arcadedb/server/grpc/ArcadeDbGrpcService.java 75.00% 2 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3589      +/-   ##
==========================================
+ Coverage   65.55%   65.75%   +0.19%     
==========================================
  Files        1514     1514              
  Lines      103672   103683      +11     
  Branches    21457    21457              
==========================================
+ Hits        67967    68178     +211     
+ Misses      26467    26282     -185     
+ Partials     9238     9223      -15

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@robfrank robfrank merged commit ac3f5c0 into main Mar 7, 2026
25 of 28 checks passed
ExtReMLapin pushed a commit to ExtReMLapin/arcadedb that referenced this pull request Mar 18, 2026
@mergify
chore(deps): bump pg from 8.18.0 to 8.19.0 in /e2e-js [skip ci]
2728bac 
Bumps [pg](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg) from 8.18.0 to 8.19.0.
Changelog

*Sourced from [pg's changelog](https://github.com/brianc/node-postgres/blob/master/CHANGELOG.md).*

> [email protected]
> ---------
>
> * [Deprecate interal query queue](https://redirect.github.com/brianc/node-postgres/pull/3603).
> * Pass connection parameters [to password callback](https://redirect.github.com/brianc/node-postgres/pull/3602).


Commits

* [`f2d7d11`](brianc/node-postgres@f2d7d11) Publish
* [`5a4bafc`](brianc/node-postgres@5a4bafc) Deprecate Client's internal query queue ([ArcadeData#3603](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3603))
* [`a215bfb`](brianc/node-postgres@a215bfb) Typo fix in PgPass deprecation (funciton) ([ArcadeData#3605](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3605))
* [`01e0556`](brianc/node-postgres@01e0556) fix(pg-query-stream): invoke `this.callback` on cursor end/error ([ArcadeData#2810](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/2810))
* [`e6e3692`](brianc/node-postgres@e6e3692) Pass connection parameters to password callback ([ArcadeData#3602](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3602))
* [`d80d883`](brianc/node-postgres@d80d883) test: Fix TLS connection test ending too early
* [`f332f28`](brianc/node-postgres@f332f28) fix: Connection timeout handling for native clients in connected state ([ArcadeData#3512](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3512))
* [`b2e9cb1`](brianc/node-postgres@b2e9cb1) Remove testAsync - its redundant ([ArcadeData#3588](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3588))
* [`46cdf9e`](brianc/node-postgres@46cdf9e) [fix] fix unhandled callback error for submittables ([ArcadeData#3589](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg/issues/3589))
* See full diff in [compare view](https://github.com/brianc/node-postgres/commits/[email protected]/packages/pg)
  
[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility\_score?dependency-name=pg&package-manager=npm\_and\_yarn&previous-version=8.18.0&new-version=8.19.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
mergify bot added a commit that referenced this pull request Mar 23, 2026
@mergify
chore(deps): bump the github-actions group with 5 updates [skip ci]
991489e 
Bumps the github-actions group with 5 updates:
| Package | From | To |
| --- | --- | --- |
| [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) | `1.0.72` | `1.0.76` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.32.6` | `4.34.1` |
| [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) | `5.0.2` | `5.0.3` |
| [actions/cache](https://github.com/actions/cache) | `5.0.3` | `5.0.4` |
| [codecov/codecov-action](https://github.com/codecov/codecov-action) | `5.5.2` | `5.5.3` |
Updates `anthropics/claude-code-action` from 1.0.72 to 1.0.76
Release notes

*Sourced from [anthropics/claude-code-action's releases](https://github.com/anthropics/claude-code-action/releases).*

> v1.0.76
> -------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.76>
>
> v1.0.75
> -------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.75>
>
> v1.0.74
> -------
>
> What's Changed
> --------------
>
> * Restore .claude/ and .mcp.json from PR base branch before CLI runs by [`@​km-anthropic`](https://github.com/km-anthropic) in [anthropics/claude-code-action#1066](https://redirect.github.com/anthropics/claude-code-action/pull/1066)
> * Remove redundant git status/diff/log from tag mode allowlist by [`@​ddworken`](https://github.com/ddworken) in [anthropics/claude-code-action#1075](https://redirect.github.com/anthropics/claude-code-action/pull/1075)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.74>
>
> v1.0.73
> -------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.73>


Commits

* [`6062f37`](anthropics/claude-code-action@6062f37) chore: bump Claude Code to 2.1.81 and Agent SDK to 0.2.81
* [`df37d2f`](anthropics/claude-code-action@df37d2f) chore: bump Claude Code to 2.1.79 and Agent SDK to 0.2.79
* [`1ba15be`](anthropics/claude-code-action@1ba15be) Remove redundant git status/diff/log from tag mode allowlist ([#1075](https://redirect.github.com/anthropics/claude-code-action/issues/1075))
* [`9ddce40`](anthropics/claude-code-action@9ddce40) Restore .claude/ and .mcp.json from PR base branch before CLI runs ([#1066](https://redirect.github.com/anthropics/claude-code-action/issues/1066))
* [`1b422b3`](anthropics/claude-code-action@1b422b3) chore: bump Claude Code to 2.1.78 and Agent SDK to 0.2.77
* [`4c044bb`](anthropics/claude-code-action@4c044bb) chore: bump Claude Code to 2.1.77 and Agent SDK to 0.2.77
* See full diff in [compare view](anthropics/claude-code-action@cd77b50...6062f37)
  
Updates `github/codeql-action` from 4.32.6 to 4.34.1
Release notes

*Sourced from [github/codeql-action's releases](https://github.com/github/codeql-action/releases).*

> v4.34.1
> -------
>
> * Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://redirect.github.com/github/codeql-action/pull/3762)
>
> v4.34.0
> -------
>
> * Added an experimental change which disables TRAP caching when [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://redirect.github.com/github/codeql-action/pull/3569)
> * We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://redirect.github.com/github/codeql-action/pull/3584)
> * Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://redirect.github.com/github/codeql-action/pull/3585)
>
> v4.33.0
> -------
>
> * Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://redirect.github.com/github/codeql-action/pull/3562)
>
>   To opt out of this change:
>
>   + **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
>   + **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
>   + **User-owned repositories using advanced setup:** Set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
> * Fixed [a bug](https://redirect.github.com/github/codeql-action/issues/3555) which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. [#3557](https://redirect.github.com/github/codeql-action/pull/3557)
> * The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#3559](https://redirect.github.com/github/codeql-action/pull/3559)
> * Once [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. [#3563](https://redirect.github.com/github/codeql-action/pull/3563)
> * Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://redirect.github.com/github/codeql-action/pull/3564)
> * A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#3570](https://redirect.github.com/github/codeql-action/pull/3570)


Changelog

*Sourced from [github/codeql-action's changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md).*

> CodeQL Action Changelog
> =======================
>
> See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
>
> [UNRELEASED]
> ------------
>
> No user facing changes.
>
> 4.34.1 - 20 Mar 2026
> --------------------
>
> * Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://redirect.github.com/github/codeql-action/pull/3762)
>
> 4.34.0 - 20 Mar 2026
> --------------------
>
> * Added an experimental change which disables TRAP caching when [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://redirect.github.com/github/codeql-action/pull/3569)
> * We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://redirect.github.com/github/codeql-action/pull/3584)
> * Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://redirect.github.com/github/codeql-action/pull/3585)
>
> 4.33.0 - 16 Mar 2026
> --------------------
>
> * Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://redirect.github.com/github/codeql-action/pull/3562)
>
>   To opt out of this change:
>
>   + **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
>   + **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
>   + **User-owned repositories using advanced setup:** Set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
> * Fixed [a bug](https://redirect.github.com/github/codeql-action/issues/3555) which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. [#3557](https://redirect.github.com/github/codeql-action/pull/3557)
> * The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#3559](https://redirect.github.com/github/codeql-action/pull/3559)
> * Once [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. [#3563](https://redirect.github.com/github/codeql-action/pull/3563)
> * Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://redirect.github.com/github/codeql-action/pull/3564)
> * A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#3570](https://redirect.github.com/github/codeql-action/pull/3570)
>
> 4.32.6 - 05 Mar 2026
> --------------------
>
> * Update default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3). [#3548](https://redirect.github.com/github/codeql-action/pull/3548)
>
> 4.32.5 - 02 Mar 2026
> --------------------
>
> * Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://redirect.github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://redirect.github.com/github/codeql-action/pull/3507)
> * Added an experimental change so that when [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. [#3487](https://redirect.github.com/github/codeql-action/pull/3487)
> * The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. [#3515](https://redirect.github.com/github/codeql-action/pull/3515)
> * Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. [#3516](https://redirect.github.com/github/codeql-action/pull/3516)
> * Added an experimental change which lowers the minimum disk space requirement for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158), enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. [#3498](https://redirect.github.com/github/codeql-action/pull/3498)
> * Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. [#3512](https://redirect.github.com/github/codeql-action/pull/3512)
> * The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. [#3503](https://redirect.github.com/github/codeql-action/pull/3503), [#3504](https://redirect.github.com/github/codeql-action/pull/3504)
>
> 4.32.4 - 20 Feb 2026
> --------------------
>
> * Update default CodeQL bundle version to [2.24.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2). [#3493](https://redirect.github.com/github/codeql-action/pull/3493)
> * Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. [#3473](https://redirect.github.com/github/codeql-action/pull/3473)

... (truncated)


Commits

* [`3869755`](github/codeql-action@3869755) Merge pull request [#3763](https://redirect.github.com/github/codeql-action/issues/3763) from github/update-v4.34.1-095e0fe50
* [`20e68ac`](github/codeql-action@20e68ac) Update changelog for v4.34.1
* [`095e0fe`](github/codeql-action@095e0fe) Merge pull request [#3762](https://redirect.github.com/github/codeql-action/issues/3762) from github/henrymercer/downgrade-default-bundle
* [`47b94fe`](github/codeql-action@47b94fe) Add changelog note
* [`51a1d69`](github/codeql-action@51a1d69) Downgrade default bundle to codeql-bundle-v2.24.3
* [`510cf73`](github/codeql-action@510cf73) Merge pull request [#3589](https://redirect.github.com/github/codeql-action/issues/3589) from github/mergeback/v4.34.0-to-main-c6f93110
* [`89f0c86`](github/codeql-action@89f0c86) Rebuild
* [`c3f90ba`](github/codeql-action@c3f90ba) Update changelog and version after v4.34.0
* [`c6f9311`](github/codeql-action@c6f9311) Merge pull request [#3588](https://redirect.github.com/github/codeql-action/issues/3588) from github/update-v4.34.0-30c555a52
* [`eeb9b3f`](github/codeql-action@eeb9b3f) Update changelog for v4.34.0
* Additional commits viewable in [compare view](github/codeql-action@0d579ff...3869755)
  
Updates `zgosalvez/github-actions-ensure-sha-pinned-actions` from 5.0.2 to 5.0.3
Release notes

*Sourced from [zgosalvez/github-actions-ensure-sha-pinned-actions's releases](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases).*

> v5.0.3
> ------
>
> What's Changed
> --------------
>
> * Bump flatted from 3.3.1 to 3.4.2 by [`@​dependabot`](https://github.com/dependabot)[bot] in [zgosalvez/github-actions-ensure-sha-pinned-actions#299](https://redirect.github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/pull/299)
>
> **Full Changelog**: <zgosalvez/github-actions-ensure-sha-pinned-actions@v5...v5.0.3>


Commits

* [`471d5ac`](zgosalvez/github-actions-ensure-sha-pinned-actions@471d5ac) Bump flatted from 3.3.1 to 3.4.2 ([#299](https://redirect.github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/issues/299))
* See full diff in [compare view](zgosalvez/github-actions-ensure-sha-pinned-actions@cc9ffdc...471d5ac)
  
Updates `actions/cache` from 5.0.3 to 5.0.4
Release notes

*Sourced from [actions/cache's releases](https://github.com/actions/cache/releases).*

> v5.0.4
> ------
>
> What's Changed
> --------------
>
> * Add release instructions and update maintainer docs by [`@​Link`](https://github.com/Link)- in [actions/cache#1696](https://redirect.github.com/actions/cache/pull/1696)
> * Potential fix for code scanning alert no. 52: Workflow does not contain permissions by [`@​Link`](https://github.com/Link)- in [actions/cache#1697](https://redirect.github.com/actions/cache/pull/1697)
> * Fix workflow permissions and cleanup workflow names / formatting by [`@​Link`](https://github.com/Link)- in [actions/cache#1699](https://redirect.github.com/actions/cache/pull/1699)
> * docs: Update examples to use the latest version by [`@​XZTDean`](https://github.com/XZTDean) in [actions/cache#1690](https://redirect.github.com/actions/cache/pull/1690)
> * Fix proxy integration tests by [`@​Link`](https://github.com/Link)- in [actions/cache#1701](https://redirect.github.com/actions/cache/pull/1701)
> * Fix cache key in examples.md for bun.lock by [`@​RyPeck`](https://github.com/RyPeck) in [actions/cache#1722](https://redirect.github.com/actions/cache/pull/1722)
> * Update dependencies & patch security vulnerabilities by [`@​Link`](https://github.com/Link)- in [actions/cache#1738](https://redirect.github.com/actions/cache/pull/1738)
>
> New Contributors
> ----------------
>
> * [`@​XZTDean`](https://github.com/XZTDean) made their first contribution in [actions/cache#1690](https://redirect.github.com/actions/cache/pull/1690)
> * [`@​RyPeck`](https://github.com/RyPeck) made their first contribution in [actions/cache#1722](https://redirect.github.com/actions/cache/pull/1722)
>
> **Full Changelog**: <actions/cache@v5...v5.0.4>


Changelog

*Sourced from [actions/cache's changelog](https://github.com/actions/cache/blob/main/RELEASES.md).*

> Releases
> ========
>
> How to prepare a release
> ------------------------
>
> > [!NOTE]  
> > Relevant for maintainers with write access only.
>
> 1. Switch to a new branch from `main`.
> 2. Run `npm test` to ensure all tests are passing.
> 3. Update the version in [`https://github.com/actions/cache/blob/main/package.json`](https://github.com/actions/cache/blob/main/package.json).
> 4. Run `npm run build` to update the compiled files.
> 5. Update this [`https://github.com/actions/cache/blob/main/RELEASES.md`](https://github.com/actions/cache/blob/main/RELEASES.md) with the new version and changes in the `## Changelog` section.
> 6. Run `licensed cache` to update the license report.
> 7. Run `licensed status` and resolve any warnings by updating the [`https://github.com/actions/cache/blob/main/.licensed.yml`](https://github.com/actions/cache/blob/main/.licensed.yml) file with the exceptions.
> 8. Commit your changes and push your branch upstream.
> 9. Open a pull request against `main` and get it reviewed and merged.
> 10. Draft a new release <https://github.com/actions/cache/releases> use the same version number used in `package.json`
>     1. Create a new tag with the version number.
>     2. Auto generate release notes and update them to match the changes you made in `RELEASES.md`.
>     3. Toggle the set as the latest release option.
>     4. Publish the release.
> 11. Navigate to <https://github.com/actions/cache/actions/workflows/release-new-action-version.yml>
>     1. There should be a workflow run queued with the same version number.
>     2. Approve the run to publish the new version and update the major tags for this action.
>
> Changelog
> ---------
>
> ### 5.0.4
>
> * Bump `minimatch` to v3.1.5 (fixes ReDoS via globstar patterns)
> * Bump `undici` to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
> * Bump `fast-xml-parser` to v5.5.6
>
> ### 5.0.3
>
> * Bump `@actions/cache` to v5.0.5 (Resolves: <https://github.com/actions/cache/security/dependabot/33>)
> * Bump `@actions/core` to v2.0.3
>
> ### 5.0.2
>
> * Bump `@actions/cache` to v5.0.3 [#1692](https://redirect.github.com/actions/cache/pull/1692)
>
> ### 5.0.1
>
> * Update `@azure/storage-blob` to `^12.29.1` via `@actions/[email protected]` [#1685](https://redirect.github.com/actions/cache/pull/1685)
>
> ### 5.0.0
>
> > [!IMPORTANT]
> > `actions/cache@v5` runs on the Node.js 24 runtime and requires a minimum Actions Runner version of `2.327.1`.

... (truncated)


Commits

* [`6682284`](actions/cache@6682284) Merge pull request [#1738](https://redirect.github.com/actions/cache/issues/1738) from actions/prepare-v5.0.4
* [`e340396`](actions/cache@e340396) Update RELEASES
* [`8a67110`](actions/cache@8a67110) Add licenses
* [`1865903`](actions/cache@1865903) Update dependencies & patch security vulnerabilities
* [`5656298`](actions/cache@5656298) Merge pull request [#1722](https://redirect.github.com/actions/cache/issues/1722) from RyPeck/patch-1
* [`4e380d1`](actions/cache@4e380d1) Fix cache key in examples.md for bun.lock
* [`b7e8d49`](actions/cache@b7e8d49) Merge pull request [#1701](https://redirect.github.com/actions/cache/issues/1701) from actions/Link-/fix-proxy-integration-tests
* [`984a21b`](actions/cache@984a21b) Add traffic sanity check step
* [`acf2f1f`](actions/cache@acf2f1f) Fix resolution
* [`95a07c5`](actions/cache@95a07c5) Add wait for proxy
* Additional commits viewable in [compare view](actions/cache@cdf6c1f...6682284)
  
Updates `codecov/codecov-action` from 5.5.2 to 5.5.3
Release notes

*Sourced from [codecov/codecov-action's releases](https://github.com/codecov/codecov-action/releases).*

> v5.5.3
> ------
>
> What's Changed
> --------------
>
> * build(deps): bump actions/github-script from 7.0.1 to 8.0.0 by [`@​dependabot`](https://github.com/dependabot)[bot] in [codecov/codecov-action#1874](https://redirect.github.com/codecov/codecov-action/pull/1874)
> * chore(release): bump to 5.5.3 by [`@​thomasrockhu-codecov`](https://github.com/thomasrockhu-codecov) in [codecov/codecov-action#1922](https://redirect.github.com/codecov/codecov-action/pull/1922)
>
> **Full Changelog**: <codecov/codecov-action@v5.5.2...v5.5.3>


Changelog

*Sourced from [codecov/codecov-action's changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md).*

> v5.5.2
> ------
>
> ### What's Changed
>
> **Full Changelog**: <https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2>
>
> v5.5.1
> ------
>
> ### What's Changed
>
> * fix: overwrite pr number on fork by [`@​thomasrockhu-codecov`](https://github.com/thomasrockhu-codecov) in [codecov/codecov-action#1871](https://redirect.github.com/codecov/codecov-action/pull/1871)
> * build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by `@​app/dependabot` in [codecov/codecov-action#1868](https://redirect.github.com/codecov/codecov-action/pull/1868)
> * build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by `@​app/dependabot` in [codecov/codecov-action#1867](https://redirect.github.com/codecov/codecov-action/pull/1867)
> * fix: update to use local app/ dir by [`@​thomasrockhu-codecov`](https://github.com/thomasrockhu-codecov) in [codecov/codecov-action#1872](https://redirect.github.com/codecov/codecov-action/pull/1872)
> * docs: fix typo in README by [`@​datalater`](https://github.com/datalater) in [codecov/codecov-action#1866](https://redirect.github.com/codecov/codecov-action/pull/1866)
> * Document a `codecov-cli` version reference example by [`@​webknjaz`](https://github.com/webknjaz) in [codecov/codecov-action#1774](https://redirect.github.com/codecov/codecov-action/pull/1774)
> * build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by `@​app/dependabot` in [codecov/codecov-action#1861](https://redirect.github.com/codecov/codecov-action/pull/1861)
> * build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by `@​app/dependabot` in [codecov/codecov-action#1833](https://redirect.github.com/codecov/codecov-action/pull/1833)
>
> **Full Changelog**: <https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1>
>
> v5.5.0
> ------
>
> ### What's Changed
>
> * feat: upgrade wrapper to 0.2.4 by [`@​jviall`](https://github.com/jviall) in [codecov/codecov-action#1864](https://redirect.github.com/codecov/codecov-action/pull/1864)
> * Pin actions/github-script by Git SHA by [`@​martincostello`](https://github.com/martincostello) in [codecov/codecov-action#1859](https://redirect.github.com/codecov/codecov-action/pull/1859)
> * fix: check reqs exist by [`@​joseph-sentry`](https://github.com/joseph-sentry) in [codecov/codecov-action#1835](https://redirect.github.com/codecov/codecov-action/pull/1835)
> * fix: Typo in README by [`@​spalmurray`](https://github.com/spalmurray) in [codecov/codecov-action#1838](https://redirect.github.com/codecov/codecov-action/pull/1838)
> * docs: Refine OIDC docs by [`@​spalmurray`](https://github.com/spalmurray) in [codecov/codecov-action#1837](https://redirect.github.com/codecov/codecov-action/pull/1837)
> * build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by `@​app/dependabot` in [codecov/codecov-action#1829](https://redirect.github.com/codecov/codecov-action/pull/1829)
>
> **Full Changelog**: <https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0>
>
> v5.4.3
> ------
>
> ### What's Changed
>
> * build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by `@​app/dependabot` in [codecov/codecov-action#1822](https://redirect.github.com/codecov/codecov-action/pull/1822)
> * fix: OIDC on forks by [`@​joseph-sentry`](https://github.com/joseph-sentry) in [codecov/codecov-action#1823](https://redirect.github.com/codecov/codecov-action/pull/1823)
>
> **Full Changelog**: <https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3>
>
> v5.4.2
> ------

... (truncated)


Commits

* [`1af5884`](codecov/codecov-action@1af5884) chore(release): bump to 5.5.3 ([#1922](https://redirect.github.com/codecov/codecov-action/issues/1922))
* [`c143300`](codecov/codecov-action@c143300) build(deps): bump actions/github-script from 7.0.1 to 8.0.0 ([#1874](https://redirect.github.com/codecov/codecov-action/issues/1874))
* See full diff in [compare view](codecov/codecov-action@671740a...1af5884)
  
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore  major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore  minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore  ` will remove the ignore condition of the specified dependency and ignore conditions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

26.3.2

Development

Successfully merging this pull request may close these issues.

gRPC query and streaming query ignore the language parameter (always use SQL)

1 participant

@robfrank