Skip to content

Comments

Remove FF gate for improved CA generation#3504

Open
mbg wants to merge 1 commit intomainfrom
mbg/ff/remove-ImprovedProxyCertificates
Open

Remove FF gate for improved CA generation#3504
mbg wants to merge 1 commit intomainfrom
mbg/ff/remove-ImprovedProxyCertificates

Conversation

@mbg
Copy link
Member

@mbg mbg commented Feb 24, 2026

Removes the FF added in #3473 since this is now fully rolled out and appears to be stable.

Risk assessment

For internal use only. Please select the risk level of this change:

  • High risk: Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.

Which use cases does this change impact?

Workflow types:

  • Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

  • Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
  • Code Quality - The changes impact analyses when analysis-kinds: code-quality.
  • Other first-party - The changes impact other first-party analyses.

Environments:

  • Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.

How did/will you validate this change?

  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
  • End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
    • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@mbg mbg self-assigned this Feb 24, 2026
@mbg mbg requested a review from a team as a code owner February 24, 2026 11:27
Copilot AI review requested due to automatic review settings February 24, 2026 11:27
@github-actions github-actions bot added the size/S Should be easy to review label Feb 24, 2026
Copilot AI reviewed Feb 24, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR removes the ImprovedProxyCertificates feature-flag gate and makes the improved proxy CA certificate generation behavior the default for all runs of the start-proxy action.

Changes:

  • Make generateCertificateAuthority always apply the improved CA extensions and always sign with SHA-256.
  • Remove the ImprovedProxyCertificates feature flag from Feature / featureConfig and stop querying it in start-proxy-action.
  • Update unit tests to reflect the always-on certificate extensions.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated no comments.

Show a summary per file
File Description
src/start-proxy/ca.ts Always uses the improved CA extensions and SHA-256 signing; removes FF parameter.
src/start-proxy/ca.test.ts Consolidates tests to assert the improved extensions are always present.
src/start-proxy-action.ts Stops querying the removed feature flag; always uses the updated CA generation.
src/feature-flags.ts Removes ImprovedProxyCertificates from the feature enum and config map.
lib/upload-sarif-action.js Generated JS update reflecting feature flag removal.
lib/upload-sarif-action-post.js Generated JS update reflecting feature flag removal.
lib/upload-lib.js Generated JS update reflecting feature flag removal.
lib/start-proxy-action.js Generated JS update reflecting CA generation signature + feature flag removal.
lib/start-proxy-action-post.js Generated JS update reflecting feature flag removal.
lib/setup-codeql-action.js Generated JS update reflecting feature flag removal.
lib/resolve-environment-action.js Generated JS update reflecting feature flag removal.
lib/init-action.js Generated JS update reflecting feature flag removal.
lib/init-action-post.js Generated JS update reflecting feature flag removal.
lib/autobuild-action.js Generated JS update reflecting feature flag removal.
lib/analyze-action.js Generated JS update reflecting feature flag removal.
lib/analyze-action-post.js Generated JS update reflecting feature flag removal.

sam-robson
sam-robson approved these changes Feb 24, 2026
View reviewed changes
Copy link
Contributor

@sam-robson sam-robson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@sam-robson sam-robson sam-robson approved these changes

Assignees

@mbg mbg

Labels

size/S Should be easy to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mbg @sam-robson