github
diff --git a/‎.github/actions/release-branches/action.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/actions/release-branches/action.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/actions/release-branches/release-branches.py‎
Lines changed: 0 additions & 55 deletions b/‎.github/actions/release-branches/release-branches.py‎
Lines changed: 0 additions & 55 deletions
diff --git a/‎.github/actions/release-initialise/action.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/actions/release-initialise/action.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/releases.ini‎
Lines changed: 0 additions & 1 deletion b/‎.github/releases.ini‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎.github/workflows/__rubocop-multi-language.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/__rubocop-multi-language.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/script/update-required-checks.sh‎
Lines changed: 0 additions & 64 deletions b/‎.github/workflows/script/update-required-checks.sh‎
Lines changed: 0 additions & 64 deletions
diff --git a/‎.vscode/tests.code-snippets‎
Lines changed: 30 additions & 0 deletions b/‎.vscode/tests.code-snippets‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 5 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 7 additions & 5 deletions b/‎CONTRIBUTING.md‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎eslint.config.mjs‎
Lines changed: 21 additions & 6 deletions b/‎eslint.config.mjs‎
Lines changed: 21 additions & 6 deletions
@@ -22,7 +22,8 @@ runs:
         MAJOR_VERSION: ${{ inputs.major_version }}
         LATEST_TAG: ${{ inputs.latest_tag }}
       run: |
-        python ${{ github.action_path }}/release-branches.py \
+        npm ci
+        npx tsx ./pr-checks/release-branches.ts \
             --major-version "$MAJOR_VERSION" \
             --latest-tag "$LATEST_TAG"
       shell: bash
@@ -15,6 +15,12 @@ runs:
       run: echo "$GITHUB_CONTEXT"
       shell: bash
 
+    - name: Set up Node
+      uses: actions/setup-node@v6
+      with:
+        node-version: 20
+        cache: 'npm'
+
     - name: Set up Python
       uses: actions/setup-python@v6
       with:
 
@@ -0,0 +1,30 @@
+{
+  // Place your codeql-action workspace snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and
+  // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope
+  // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
+  // used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
+  // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
+  // Placeholders with the same ids are connected.
+  // Example:
+  // "Print to console": {
+  // 	"scope": "javascript,typescript",
+  // 	"prefix": "log",
+  // 	"body": [
+  // 		"console.log('$1');",
+  // 		"$2"
+  // 	],
+  // 	"description": "Log output to console"
+  // }
+  "Test Macro": {
+    "scope": "javascript, typescript",
+    "prefix": "testMacro",
+    "body": [
+      "const ${1:nameMacro} = test.macro({",
+      "  exec: async (t: ExecutionContext<unknown>) => {},",
+      "",
+      "  title: (providedTitle = \"\") => `${2:common title} - \\${providedTitle}`,",
+      "});",
+    ],
+    "description": "An Ava test macro",
+  },
+}
@@ -2,6 +2,11 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## 4.35.0 - 27 Mar 2026
+
+- Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767)
+- Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://github.com/github/codeql-action/pull/3773)
+
 ## 4.34.1 - 20 Mar 2026
 
 - Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://github.com/github/codeql-action/pull/3762)
 
@@ -69,12 +69,14 @@ Once the mergeback and backport pull request have been merged, the release is co
 
 ## Keeping the PR checks up to date (admin access required)
 
-Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [update-required-checks.sh](.github/workflows/script/update-required-checks.sh) script:
+Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [sync-checks.ts](pr-checks/sync-checks.ts) script:
 
-- If you run the script without an argument, it will retrieve the set of workflows that ran for the latest commit on `main`. Make sure that your local `main` branch is up to date before running the script.
-- You can specify a commit SHA as argument to retrieve the set of workflows for that commit instead. You will likely want to use this if you have a PR that removes or adds PR checks.
+- At a minimum, you must provide an argument for the `--token` input. For example, `--token "$(gh auth token)"` to use the same token that `gh` uses. If no token is provided or the token has insufficient permissions, the script will fail.
+- By default, the script performs a dry run and outputs information about the changes it would make to the branch protection rules. To actually apply the changes, specify the `--apply` flag.
+- If you run the script without any other arguments, it will retrieve the set of workflows that ran for the latest commit on `main`.
+- You can specify a different git ref with the `--ref` input. You will likely want to use this if you have a PR that removes or adds PR checks. For example, `--ref "some/branch/name"` to use the HEAD of the `some/branch/name` branch.
 
-After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v3`, and any other currently supported major versions have been updated.
+After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v4`, and any other currently supported major versions have been updated.
 
 Note that any updates to checks on `main` need to be backported to all currently supported major version branches, in order to maintain the same set of names for required checks.
 
@@ -122,7 +124,7 @@ To deprecate an older version of the Action:
    - Implement an Actions warning for customers using the deprecated version.
 1. Wait for the deprecation period to pass.
 1. Upgrade the Actions warning for customers using the deprecated version to a non-fatal error, and mention that this version of the Action is no longer supported.
-1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [releases.ini](.github/releases.ini).  Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
+1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [config.ts](pr-checks/config.ts).  Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
 
 ## Resources
 
 
@@ -7,7 +7,11 @@ import noAsyncForeach from "eslint-plugin-no-async-foreach";
 import jsdoc from "eslint-plugin-jsdoc";
 import tseslint from "typescript-eslint";
 import globals from "globals";
+import path from "path";
+import { fileURLToPath } from "url";
 
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
 const githubFlatConfigs = github.getFlatConfigs();
 
 export default [
@@ -43,7 +47,7 @@ export default [
     plugins: {
       "import-x": importX,
       "no-async-foreach": fixupPluginRules(noAsyncForeach),
-      "jsdoc": jsdoc,
+      jsdoc: jsdoc,
     },
 
     languageOptions: {
@@ -67,7 +71,13 @@ export default [
 
         typescript: {},
       },
-      "import/ignore": ["sinon", "uuid", "@octokit/plugin-retry", "del", "get-folder-size"],
+      "import/ignore": [
+        "sinon",
+        "uuid",
+        "@octokit/plugin-retry",
+        "del",
+        "get-folder-size",
+      ],
       "import-x/resolver-next": [
         createTypeScriptImportResolver(),
         createNodeResolver({
@@ -143,7 +153,7 @@ export default [
           // We don't currently require full JSDoc coverage, so this rule
           // should not error on missing @param annotations.
           disableMissingParamChecks: true,
-        }
+        },
       ],
     },
   },
@@ -162,9 +172,9 @@ export default [
       "@typescript-eslint/no-unused-vars": [
         "error",
         {
-          "args": "all",
-          "argsIgnorePattern": "^_",
-        }
+          args: "all",
+          argsIgnorePattern: "^_",
+        },
       ],
       "func-style": "off",
     },
@@ -183,6 +193,11 @@ export default [
       // The scripts in `pr-checks` are expected to output to the console.
       "no-console": "off",
 
+      "import/no-extraneous-dependencies": [
+        "error",
+        { packageDir: [__dirname, path.resolve(__dirname, "pr-checks")] },
+      ],
+
       "@typescript-eslint/no-floating-promises": [
         "error",
         {