github
diff --git a/‎.github/actions/verify-debug-artifact-scan-completed/action.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/actions/verify-debug-artifact-scan-completed/action.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/actions/verify-debug-artifact-scan-completed/index.js‎
Lines changed: 2 additions & 0 deletions b/‎.github/actions/verify-debug-artifact-scan-completed/index.js‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/actions/verify-debug-artifact-scan-completed/post.js‎
Lines changed: 11 additions & 0 deletions b/‎.github/actions/verify-debug-artifact-scan-completed/post.js‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎.github/workflows/__global-proxy.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/__global-proxy.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/__rubocop-multi-language.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/__rubocop-multi-language.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/codescanning-config-cli.yml‎
Lines changed: 5 additions & 0 deletions b/‎.github/workflows/codescanning-config-cli.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/workflows/debug-artifacts-failure-safe.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/debug-artifacts-failure-safe.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/debug-artifacts-safe.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/debug-artifacts-safe.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/post-release-mergeback.yml‎
Lines changed: 10 additions & 10 deletions b/‎.github/workflows/post-release-mergeback.yml‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,6 @@
+name: Verify that the best-effort debug artifact scan completed
+description: Verifies that the best-effort debug artifact scan completed successfully during tests
+runs:
+  using: node24
+  main: index.js
+  post: post.js
@@ -0,0 +1,2 @@
+// The main step is a no-op, since we can only verify artifact scan completion in the post step.
+console.log("Will verify artifact scan completion in the post step.");
@@ -0,0 +1,11 @@
+// Post step - runs after the workflow completes, when artifact scan has finished
+const process = require("process");
+
+const scanFinished = process.env.CODEQL_ACTION_ARTIFACT_SCAN_FINISHED;
+
+if (scanFinished !== "true") {
+  console.error("Error: Best-effort artifact scan did not complete. Expected CODEQL_ACTION_ARTIFACT_SCAN_FINISHED=true");
+  process.exit(1);
+}
+
+console.log("✓ Best-effort artifact scan completed successfully");
@@ -6,6 +6,11 @@ env:
   # Diff informed queries add an additional query filter which is not yet
   # taken into account by these tests.
   CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
+  # Specify overlay enablement manually to ensure stability around the exclude-from-incremental
+  # query filter. Here we only enable for the default code scanning suite.
+  CODEQL_ACTION_OVERLAY_ANALYSIS: true
+  CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT: false
+  CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT: true
 
 on:
   push:
 
@@ -58,6 +58,8 @@ jobs:
         uses: actions/setup-dotnet@v5
         with:
           dotnet-version: '9.x'
+      - name: Assert best-effort artifact scan completed
+        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
@@ -54,6 +54,8 @@ jobs:
         uses: actions/setup-dotnet@v5
         with:
           dotnet-version: '9.x'
+      - name: Assert best-effort artifact scan completed
+        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
       - uses: ./../action/init
         id: init
         with:
 
@@ -131,16 +131,6 @@ jobs:
           cat $PARTIAL_CHANGELOG
           echo "::endgroup::"
 
-      - name: Create mergeback branch and PR
-        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
-        uses: ./.github/actions/prepare-mergeback-branch
-        with:
-          base: "${{ env.BASE_BRANCH }}"
-          head: "${{ env.HEAD_BRANCH }}"
-          branch: "${{ steps.getVersion.outputs.newBranch }}"
-          version: "${{ steps.getVersion.outputs.version }}"
-          token: "${{ secrets.GITHUB_TOKEN }}"
-
       - name: Generate token
         uses: actions/[email protected]
         id: app-token
@@ -161,3 +151,13 @@ jobs:
             --latest=false \
             --title "$VERSION" \
             --notes-file "$PARTIAL_CHANGELOG"
+
+      - name: Create mergeback branch and PR
+        if: ${{ endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
+        uses: ./.github/actions/prepare-mergeback-branch
+        with:
+          base: "${{ env.BASE_BRANCH }}"
+          head: "${{ env.HEAD_BRANCH }}"
+          branch: "${{ steps.getVersion.outputs.newBranch }}"
+          version: "${{ steps.getVersion.outputs.version }}"
+          token: "${{ secrets.GITHUB_TOKEN }}"
@@ -2,6 +2,10 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## 4.31.10 - 12 Jan 2026
+
+- Update default CodeQL bundle version to 2.23.9. [#3393](https://github.com/github/codeql-action/pull/3393)
+
 ## 4.31.9 - 16 Dec 2025
 
 No user facing changes.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+// The main step is a no-op, since we can only verify artifact scan completion in the post step.`
	`2`	`+console.log("Will verify artifact scan completion in the post step.");`