From b9c90effa0914d8dc2603169bce18c9bc52ad055 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Tue, 23 Jun 2026 16:09:07 +0100 Subject: [PATCH 1/3] Pin Swift macOS checks to macOS 15 for Xcode 16 `macos-latest-xlarge` now resolves to macOS 26, which ships only Xcode 26 (Swift 6.2) and no longer includes Xcode 16. The Swift-analysing PR checks select Xcode 16 because CodeQL CLI versions before 2.24.0 only support Swift up to 6.1, so `xcode-select -s /Applications/Xcode_16.app` fails on macOS 26. Pin these checks to macOS 15, where Xcode 16 is still available, so we keep testing the full matrix of supported CodeQL versions. This also pre-empts the `swift-custom-build` check failing once plain `macos`/`macos-latest` migrates. See https://github.com/actions/runner-images/issues/14167. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../workflows/__multi-language-autodetect.yml | 18 +++++++++--------- .github/workflows/__swift-custom-build.yml | 6 +++--- pr-checks/checks/multi-language-autodetect.yml | 5 ++++- pr-checks/checks/swift-custom-build.yml | 6 +++++- 4 files changed, 21 insertions(+), 14 deletions(-) diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml index f4849b9903..c6bf1e3557 100644 --- a/.github/workflows/__multi-language-autodetect.yml +++ b/.github/workflows/__multi-language-autodetect.yml @@ -61,39 +61,39 @@ jobs: include: - os: ubuntu-latest version: stable-v2.19.4 - - os: macos-latest-xlarge + - os: macos-15-xlarge version: stable-v2.19.4 - os: ubuntu-latest version: stable-v2.20.7 - - os: macos-latest-xlarge + - os: macos-15-xlarge version: stable-v2.20.7 - os: ubuntu-latest version: stable-v2.21.4 - - os: macos-latest-xlarge + - os: macos-15-xlarge version: stable-v2.21.4 - os: ubuntu-latest version: stable-v2.22.4 - - os: macos-latest-xlarge + - os: macos-15-xlarge version: stable-v2.22.4 - os: ubuntu-latest version: stable-v2.23.9 - - os: macos-latest-xlarge + - os: macos-15-xlarge version: stable-v2.23.9 - os: ubuntu-latest version: stable-v2.24.3 - - os: macos-latest-xlarge + - os: macos-15-xlarge version: stable-v2.24.3 - os: ubuntu-latest version: default - - os: macos-latest-xlarge + - os: macos-15-xlarge version: default - os: ubuntu-latest version: linked - - os: macos-latest-xlarge + - os: macos-15-xlarge version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest-xlarge + - os: macos-15-xlarge version: nightly-latest name: Multi-language repository if: github.triggering_actor != 'dependabot[bot]' diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml index 83c06ffd09..f0e4c21431 100644 --- a/.github/workflows/__swift-custom-build.yml +++ b/.github/workflows/__swift-custom-build.yml @@ -59,11 +59,11 @@ jobs: fail-fast: false matrix: include: - - os: macos-latest + - os: macos-15 version: linked - - os: macos-latest + - os: macos-15 version: default - - os: macos-latest + - os: macos-15 version: nightly-latest name: Swift analysis using a custom build command if: github.triggering_actor != 'dependabot[bot]' diff --git a/pr-checks/checks/multi-language-autodetect.yml b/pr-checks/checks/multi-language-autodetect.yml index fcafe5fb35..4647d1b88b 100644 --- a/pr-checks/checks/multi-language-autodetect.yml +++ b/pr-checks/checks/multi-language-autodetect.yml @@ -2,8 +2,11 @@ name: "Multi-language repository" description: "An end-to-end integration test of a multi-language repository using automatic language detection" operatingSystems: - ubuntu + # Pin to macOS 15 rather than `macos-latest`: the older CodeQL CLI versions in the + # matrix only support Swift up to 6.1 (Xcode 16), which is not available on macOS 26 + # (ships Xcode 26 / Swift 6.2). See https://github.com/actions/runner-images/issues/14167. - os: macos - runner-image: macos-latest-xlarge + runner-image: macos-15-xlarge env: CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true installGo: true diff --git a/pr-checks/checks/swift-custom-build.yml b/pr-checks/checks/swift-custom-build.yml index 7a07d5b7e2..0c45152643 100644 --- a/pr-checks/checks/swift-custom-build.yml +++ b/pr-checks/checks/swift-custom-build.yml @@ -5,7 +5,11 @@ versions: - default - nightly-latest operatingSystems: - - macos + # Pin to macOS 15 rather than `macos-latest`: the `linked`/`default` CodeQL CLI versions + # are analysed with Xcode 16, which is not available on macOS 26 (ships Xcode 26 / Swift + # 6.2). See https://github.com/actions/runner-images/issues/14167. + - os: macos + runner-image: macos-15 installGo: true installDotNet: true env: From e054b4b84862b154147f7b1f94e655296834a5c6 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Tue, 23 Jun 2026 16:39:54 +0100 Subject: [PATCH 2/3] Address review: split macOS Swift checks by CodeQL version Rather than pinning every macOS job to macOS 15, only run the older CodeQL CLI versions (which need Xcode 16, and so macOS 15) there. Newer versions, which support Swift 6.2, run on the latest macOS runner with its default Xcode, so we keep exercising the common latest-CLI-on-latest-runner combination. To express this, `sync.ts` now supports an optional per-OS-entry `codeql-versions` filter, used by `multi-language-autodetect` to send old versions to `macos-15-xlarge` and new versions to `macos-latest-xlarge`. `swift-custom-build` only runs `linked`/`default`/`nightly`, which all support Swift 6.2, so it no longer needs the Xcode 16 step or a macOS 15 pin. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../workflows/__multi-language-autodetect.yml | 11 ++++---- .github/workflows/__swift-custom-build.yml | 9 +++---- .../checks/multi-language-autodetect.yml | 25 ++++++++++++++++--- pr-checks/checks/swift-custom-build.yml | 9 +------ pr-checks/sync.ts | 15 +++++++++++ 5 files changed, 46 insertions(+), 23 deletions(-) diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml index c6bf1e3557..ea97041651 100644 --- a/.github/workflows/__multi-language-autodetect.yml +++ b/.github/workflows/__multi-language-autodetect.yml @@ -81,19 +81,19 @@ jobs: version: stable-v2.23.9 - os: ubuntu-latest version: stable-v2.24.3 - - os: macos-15-xlarge + - os: macos-latest-xlarge version: stable-v2.24.3 - os: ubuntu-latest version: default - - os: macos-15-xlarge + - os: macos-latest-xlarge version: default - os: ubuntu-latest version: linked - - os: macos-15-xlarge + - os: macos-latest-xlarge version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-15-xlarge + - os: macos-latest-xlarge version: nightly-latest name: Multi-language repository if: github.triggering_actor != 'dependabot[bot]' @@ -130,7 +130,8 @@ jobs: python-version: '3.13' - name: Use Xcode 16 - if: runner.os == 'macOS' && matrix.version != 'nightly-latest' + # Only the older CodeQL CLI versions need Xcode 16, and these run on macOS 15. + if: matrix.os == 'macos-15-xlarge' run: sudo xcode-select -s "/Applications/Xcode_16.app" - uses: ./../action/init diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml index f0e4c21431..23db3651b6 100644 --- a/.github/workflows/__swift-custom-build.yml +++ b/.github/workflows/__swift-custom-build.yml @@ -59,11 +59,11 @@ jobs: fail-fast: false matrix: include: - - os: macos-15 + - os: macos-latest version: linked - - os: macos-15 + - os: macos-latest version: default - - os: macos-15 + - os: macos-latest version: nightly-latest name: Swift analysis using a custom build command if: github.triggering_actor != 'dependabot[bot]' @@ -91,9 +91,6 @@ jobs: version: ${{ matrix.version }} use-all-platform-bundle: 'false' setup-kotlin: 'true' - - name: Use Xcode 16 - if: runner.os == 'macOS' && matrix.version != 'nightly-latest' - run: sudo xcode-select -s "/Applications/Xcode_16.app" - uses: ./../action/init id: init with: diff --git a/pr-checks/checks/multi-language-autodetect.yml b/pr-checks/checks/multi-language-autodetect.yml index 4647d1b88b..263dd9bc02 100644 --- a/pr-checks/checks/multi-language-autodetect.yml +++ b/pr-checks/checks/multi-language-autodetect.yml @@ -2,11 +2,27 @@ name: "Multi-language repository" description: "An end-to-end integration test of a multi-language repository using automatic language detection" operatingSystems: - ubuntu - # Pin to macOS 15 rather than `macos-latest`: the older CodeQL CLI versions in the - # matrix only support Swift up to 6.1 (Xcode 16), which is not available on macOS 26 - # (ships Xcode 26 / Swift 6.2). See https://github.com/actions/runner-images/issues/14167. + # Newer CodeQL CLI versions support Swift 6.2, so analyse Swift on the latest macOS runner + # (currently macOS 26) with its default Xcode. This exercises the common combination of a + # recent CLI on a recent runner. + - os: macos + runner-image: macos-latest-xlarge + codeql-versions: + - stable-v2.24.3 + - default + - linked + - nightly-latest + # Older CodeQL CLI versions only support Swift up to 6.1, which requires Xcode 16. That is + # not available on macOS 26, so run these versions on macOS 15 where we select Xcode 16 + # below. See https://github.com/actions/runner-images/issues/14167. - os: macos runner-image: macos-15-xlarge + codeql-versions: + - stable-v2.19.4 + - stable-v2.20.7 + - stable-v2.21.4 + - stable-v2.22.4 + - stable-v2.23.9 env: CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true installGo: true @@ -21,7 +37,8 @@ steps: python-version: "3.13" - name: Use Xcode 16 - if: runner.os == 'macOS' && matrix.version != 'nightly-latest' + # Only the older CodeQL CLI versions need Xcode 16, and these run on macOS 15. + if: matrix.os == 'macos-15-xlarge' run: sudo xcode-select -s "/Applications/Xcode_16.app" - uses: ./../action/init diff --git a/pr-checks/checks/swift-custom-build.yml b/pr-checks/checks/swift-custom-build.yml index 0c45152643..a2d04421b8 100644 --- a/pr-checks/checks/swift-custom-build.yml +++ b/pr-checks/checks/swift-custom-build.yml @@ -5,19 +5,12 @@ versions: - default - nightly-latest operatingSystems: - # Pin to macOS 15 rather than `macos-latest`: the `linked`/`default` CodeQL CLI versions - # are analysed with Xcode 16, which is not available on macOS 26 (ships Xcode 26 / Swift - # 6.2). See https://github.com/actions/runner-images/issues/14167. - - os: macos - runner-image: macos-15 + - macos installGo: true installDotNet: true env: DOTNET_GENERATE_ASPNET_CERTIFICATE: "false" steps: - - name: Use Xcode 16 - if: runner.os == 'macOS' && matrix.version != 'nightly-latest' - run: sudo xcode-select -s "/Applications/Xcode_16.app" - uses: ./../action/init id: init with: diff --git a/pr-checks/sync.ts b/pr-checks/sync.ts index b969fcb937..0ee33e4f2d 100755 --- a/pr-checks/sync.ts +++ b/pr-checks/sync.ts @@ -54,6 +54,12 @@ type OperatingSystem = os: OperatingSystemIdentifier; /** Optional runner image label. */ "runner-image"?: string; + /** + * Optional CodeQL versions to run on this entry. If specified, only these versions are + * tested on this runner image. This allows running different runner images for different + * CodeQL versions of the same OS. + */ + "codeql-versions"?: string[]; }; /** @@ -379,6 +385,15 @@ function generateJobMatrix( continue; } + // If this OS entry restricts itself to specific CodeQL versions, skip other versions. + const entryVersions = + typeof operatingSystemConfig === "string" + ? undefined + : operatingSystemConfig["codeql-versions"]; + if (entryVersions && !entryVersions.includes(version)) { + continue; + } + const runnerImagesForOs = typeof operatingSystemConfig === "string" || operatingSystemConfig["runner-image"] === undefined From cdcf50882b8559fbd061ffb6170b070a1d2e34bf Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Tue, 23 Jun 2026 17:33:14 +0100 Subject: [PATCH 3/3] Default macOS PR checks to latest runner, pin only old CLIs to macOS 15 Redesign the per-entry codeql-versions filter so an OS entry without a version list catches all versions not claimed by its siblings. This lets new CodeQL versions flow to macos-latest-xlarge automatically. Move v2.23.9 (which supports Swift 6.2) off the macOS 15 list and simplify the matrix filter logic. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../workflows/__multi-language-autodetect.yml | 2 +- .../checks/multi-language-autodetect.yml | 9 ----- pr-checks/sync.ts | 38 ++++++++++++++++--- 3 files changed, 33 insertions(+), 16 deletions(-) diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml index ea97041651..4c75f5e5d5 100644 --- a/.github/workflows/__multi-language-autodetect.yml +++ b/.github/workflows/__multi-language-autodetect.yml @@ -77,7 +77,7 @@ jobs: version: stable-v2.22.4 - os: ubuntu-latest version: stable-v2.23.9 - - os: macos-15-xlarge + - os: macos-latest-xlarge version: stable-v2.23.9 - os: ubuntu-latest version: stable-v2.24.3 diff --git a/pr-checks/checks/multi-language-autodetect.yml b/pr-checks/checks/multi-language-autodetect.yml index 263dd9bc02..1608fcc6b7 100644 --- a/pr-checks/checks/multi-language-autodetect.yml +++ b/pr-checks/checks/multi-language-autodetect.yml @@ -2,16 +2,8 @@ name: "Multi-language repository" description: "An end-to-end integration test of a multi-language repository using automatic language detection" operatingSystems: - ubuntu - # Newer CodeQL CLI versions support Swift 6.2, so analyse Swift on the latest macOS runner - # (currently macOS 26) with its default Xcode. This exercises the common combination of a - # recent CLI on a recent runner. - os: macos runner-image: macos-latest-xlarge - codeql-versions: - - stable-v2.24.3 - - default - - linked - - nightly-latest # Older CodeQL CLI versions only support Swift up to 6.1, which requires Xcode 16. That is # not available on macOS 26, so run these versions on macOS 15 where we select Xcode 16 # below. See https://github.com/actions/runner-images/issues/14167. @@ -22,7 +14,6 @@ operatingSystems: - stable-v2.20.7 - stable-v2.21.4 - stable-v2.22.4 - - stable-v2.23.9 env: CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true installGo: true diff --git a/pr-checks/sync.ts b/pr-checks/sync.ts index 0ee33e4f2d..035f5b34de 100755 --- a/pr-checks/sync.ts +++ b/pr-checks/sync.ts @@ -55,9 +55,10 @@ type OperatingSystem = /** Optional runner image label. */ "runner-image"?: string; /** - * Optional CodeQL versions to run on this entry. If specified, only these versions are - * tested on this runner image. This allows running different runner images for different - * CodeQL versions of the same OS. + * Optional CodeQL versions to run on this entry. If specified, this entry runs only these + * versions. A sibling entry for the same OS that omits `codeql-versions` runs all versions + * not claimed by any sibling entry. This allows pinning specific CodeQL versions to a + * particular runner image while letting the remaining versions default to another. */ "codeql-versions"?: string[]; }; @@ -358,6 +359,28 @@ function generateJobMatrix( ): Array> { let matrix: Array> = []; + const operatingSystems = checkSpecification.operatingSystems ?? ["ubuntu"]; + + // For each OS, collect the CodeQL versions explicitly claimed by entries that specify + // `codeql-versions`. A sibling entry for the same OS that omits `codeql-versions` runs all + // versions not in this set. + const claimedVersionsByOs = new Map>(); + for (const operatingSystemConfig of operatingSystems) { + if (typeof operatingSystemConfig === "string") { + continue; + } + const entryVersions = operatingSystemConfig["codeql-versions"]; + if (!entryVersions) { + continue; + } + const claimed = + claimedVersionsByOs.get(operatingSystemConfig.os) ?? new Set(); + for (const entryVersion of entryVersions) { + claimed.add(entryVersion); + } + claimedVersionsByOs.set(operatingSystemConfig.os, claimed); + } + for (const version of checkSpecification.versions ?? defaultTestVersions) { if (version === "latest") { throw new Error( @@ -370,7 +393,6 @@ function generateJobMatrix( "macos-latest", "windows-latest", ]; - const operatingSystems = checkSpecification.operatingSystems ?? ["ubuntu"]; for (const operatingSystemConfig of operatingSystems) { const operatingSystem = @@ -385,12 +407,16 @@ function generateJobMatrix( continue; } - // If this OS entry restricts itself to specific CodeQL versions, skip other versions. + // An entry that specifies `codeql-versions` runs only those versions. A sibling entry for + // the same OS that omits `codeql-versions` runs all versions not claimed by its siblings. const entryVersions = typeof operatingSystemConfig === "string" ? undefined : operatingSystemConfig["codeql-versions"]; - if (entryVersions && !entryVersions.includes(version)) { + const runsThisVersion = entryVersions + ? entryVersions.includes(version) + : !claimedVersionsByOs.get(operatingSystem)?.has(version); + if (!runsThisVersion) { continue; }