GitHub CodeQL Action v3 to v4 Before December — when and how should I migrate?

Repositories that use advanced CodeQL workflows need a plan for upgrading from v3 to v4: v3 is on a deprecation path tied to GHES 3.19 and the retirement of Node 20, while v4 runs on Node 24.

Upgrade advanced CodeQL workflows to v4 now if you're on GitHub.com or GHES 3.20+; only wait on GHES 3.19 until GitHub Connect is enabled.

Candidates

Upgrade advanced CodeQL workflows to v4 now on GitHub.com or GHES 3.20+

As of 2026-03-29, GitHub says CodeQL Action v4 was released on 2025-10-07 and runs on the Node.js 24 runtime. For GitHub.com and GHES 3.20 and newer, advanced setup users should update workflow references from `github/codeql-action/*@v3` to `@v4`, while default setup users move automatically. GHES 3.20 ships with CodeQL Action v4 included. CodeQL Action v3 is scheduled for deprecation in December 2026, so this is the cleanest path for repos already on supported platforms.

When to choose

Use this when you are on GitHub.com, GitHub Enterprise Cloud, or GHES 3.20+ and you control advanced CodeQL workflow files. It is the default choice when you want to avoid a second migration later in 2026 and start validating Node 24 behavior now.

Tradeoffs

Pros: aligns with GitHub's supported direction, unlocks future CodeQL analysis updates, removes dependence on the v3 deprecation window. Cons: may surface runner and operating system compatibility issues tied to Node 24.

Cautions

As of 2026-03-29, GitHub Actions runners are scheduled to start using Node 24 by default on 2026-06-02, and Node 20 is only a temporary opt-out after that. GitHub also states Node 24 is incompatible with macOS 13.4 and lower, and ARM32 self-hosted runners lose support after Node 20 deprecation. GitHub's upgrade notice does not identify a separate CodeQL Action upgrade price change; check official GitHub Advanced Security licensing docs if private-repo cost needs review.

Move GHES 3.19 advanced workflows to v4 only after enabling GitHub Connect

As of 2026-03-29, GitHub says GHES 3.19 supports Node.js 24 Actions but does not ship with CodeQL Action v4. GitHub's stated migration path is to have the system administrator enable GitHub Connect so the appliance can download v4 before workflow files are changed. This lets a GHES 3.19 estate adopt v4 without a full GHES upgrade first, but it adds an operational dependency on appliance configuration.

When to choose

Use this when you are pinned to GHES 3.19 for part of 2026 but still want to get off CodeQL Action v3 before the December 2026 deprecation. It is the best fit for enterprise environments where appliance upgrades lag repository workflow updates.

Tradeoffs

Pros: avoids waiting for a broader GHES platform upgrade, preserves the path to new CodeQL capabilities before v3 freezes. Cons: requires GitHub Connect enablement and still leaves you on a GHES release that is itself on a deprecation path.

Cautions

Do not update workflow references to `@v4` on GHES 3.19 until GitHub Connect is enabled and v4 is available on the appliance. GHES 3.19 documentation also shows an older default bundled CodeQL CLI line than newer releases, so mixed-version expectations should be checked during rollout.

Do not attempt v4 on GHES 3.18 or older; upgrade GHES first, then switch CodeQL workflows

As of 2026-03-29, GitHub says GHES 3.18 and older cannot run Actions on the Node.js 24 runtime, so they cannot run CodeQL Action v4. For these estates, the gating decision is platform upgrade, not a workflow-only change. The practical sequence is GHES upgrade first, then move advanced workflow references from `@v3` to `@v4` on the upgraded platform.

When to choose

Use this when repositories are still attached to GHES 3.18 or older and security scanning continuity matters more than short-term workflow churn. The decisive factor is that Node 24 support is absent, so a direct v4 migration path does not exist.

Tradeoffs

Pros: matches GitHub's documented support boundaries and avoids broken scans from unsupported runtime assumptions. Cons: the critical path shifts to appliance upgrade planning, which is usually slower and broader in scope than a repo workflow edit.

Cautions

As of 2026-03-29, staying on v3 here is only a temporary hold because v3 is scheduled for deprecation in December 2026 together with GHES 3.19. Plan the GHES upgrade early enough to leave time for post-upgrade runner and workflow validation under Node 24.
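The three candidates above reduce to one gate plus one edit to the workflow file. The following is an added example, not GitHub's tooling or code from this page: it finds `github/codeql-action/*@v3` references in workflow text and rewrites them to `@v4` only when the platform rules stated above allow it. The function names, the platform labels and the sample workflow are assumptions made for the example.

```python
import re

# `uses: github/codeql-action/<sub-action>@v3` or `@v3.x.y`; SHA pins are not matched.
USES_RE = re.compile(r"(uses:\s*['\"]?github/codeql-action/[\w-]+@)(v3(?:\.\d+)*)(?![\w.-])")

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      # - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3.1.2
"""

def v4_allowed(platform, ghes_version=None, connect_enabled=False):
    """Page's rules; the platform labels 'github.com', 'ghec', 'ghes' are assumed here."""
    if platform in ("github.com", "ghec"):
        return True
    release = tuple(int(p) for p in ghes_version.split(".")[:2])
    if release >= (3, 20):
        return True             # v4 ships with the appliance
    if release == (3, 19):
        return connect_enabled  # v4 must be downloaded via GitHub Connect first
    return False                # 3.18 and older cannot run Node.js 24 actions

def find_v3_refs(workflow_text):
    """Return (line_number, ref) for each live (non-comment) CodeQL Action v3 reference."""
    hits = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = None if line.lstrip().startswith("#") else USES_RE.search(line)
        if m:
            hits.append((n, m.group(2)))
    return hits

def migrate(workflow_text, platform, ghes_version=None, connect_enabled=False):
    """Rewrite v3 refs to @v4 only where the platform can run v4; otherwise no change."""
    if not v4_allowed(platform, ghes_version, connect_enabled):
        return workflow_text
    lines = workflow_text.splitlines(keepends=True)
    return "".join(l if l.lstrip().startswith("#") else USES_RE.sub(r"\g<1>v4", l)
                   for l in lines)

if __name__ == "__main__":
    print(find_v3_refs(SAMPLE))
    print(migrate(SAMPLE, "ghes", "3.19", connect_enabled=True))
```

References pinned to a v3 patch tag are moved to the floating `@v4` tag, and references pinned to a commit SHA are left untouched, so re-pin those by hand if your policy requires it.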

Facts updated: 2026-03-29
Published: 2026-04-03
