Merge main into releases/v4

[github-actions]

Merging e3b8227 into releases/v4.

Conductor for this PR is @henrymercer.

Contains the following pull requests:

• Mergeback v4.31.11 refs/heads/releases/v4 into main #3418 (@mbg)
• Add installYq option to sync.py and install yq directly from GitHub release #3423 (@mbg)
• Update default bundle to 2.24.0 #3425 (@nickrolfe)
• Bump the Action minor version number on new CodeQL minor version series #3427 (@henrymercer)

Please do the following:

• Ensure the CHANGELOG displays the correct version and date.
• Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.
• Check that there are not any unexpected commits being merged into the releases/v4 branch.
• Ensure the docs team is aware of any documentation changes that need to be released.
• Mark the PR as ready for review to trigger the full set of PR checks.
• Approve and merge this PR. Make sure Create a merge commit is selected rather than Squash and merge or Rebase and merge.
• Merge the mergeback PR that will automatically be created once this PR is merged.
• Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.

[Copilot]

Pull request overview

This release PR merges main into releases/v4 to publish CodeQL Action v4.32.0, aligning it with the new default CodeQL bundle v2.24.0 and incorporating previously reviewed changes from #3418, #3423, #3425, and #3427.

Changes:

• Bump the Action version from 4.31.11 to 4.32.0 and propagate that version into lockfile and generated artifacts.
• Update the default CodeQL bundle/CLI from 2.23.9 to 2.24.0, updating prior* versions accordingly.
• Add a new changelog entry for 4.32.0 describing the bundle update; no other user-facing changes since 4.31.11 are introduced, and all code changes correspond to the mentioned PRs (no unexpected commits observed).

Additional checklist alignment:

• CHANGELOG version/date: 4.32.0 - 26 Jan 2026 matches package.json version 4.32.0 and is consistent with prior dating conventions.
• User-facing changes in CHANGELOG: The only user-facing behavior change in this release is the default bundle bump (from #3425), and it is captured; #3423 and #3427 are CI/release-automation only.
• Unexpected commits: Diffs are limited to the expected bundle/version metadata, CI helper changes (yq install, update-bundle workflow behavior), and regenerated lib/ artifacts; nothing unrelated to #3418, #3423, #3425, or #3427 appears.
• Docs impact: Outside of CHANGELOG.md, there are no documentation content changes; no special docs-team coordination beyond normal release-note visibility appears necessary.

Reviewed changes

Copilot reviewed 20 out of 21 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/defaults.json	Updates default and prior CodeQL bundle/CLI versions from 2.23.9→2.24.0 and 2.23.8→2.23.9 to match the new bundle; part of previously reviewed work, not re-reviewed here.
pr-checks/sync.py	Adds support for an installYq flag and an explicit Windows yq installation step using GitHub releases instead of Chocolatey; corresponds to #3423 and is treated as already reviewed.
pr-checks/checks/build-mode-autobuild.yml	Swaps inline yq installation for the new installYq: "true" option to drive sync.py; part of the CI/test infra from #3423.
package.json	Bumps Action version from 4.31.11 to 4.32.0, consistent with the new changelog entry and release description.
package-lock.json	Synchronizes lockfile root package version (and root package block) to 4.32.0 to match package.json.
lib/upload-sarif-action.js	Regenerated JS reflecting the new Action version and updated default bundle/CLI values; auto-generated, not manually reviewed.
lib/upload-sarif-action-post.js	Regenerated JS updating embedded package.json version to 4.32.0; auto-generated, not manually reviewed.
lib/upload-lib.js	Regenerated JS updating embedded package version and default bundle/CLI versions; auto-generated, not manually reviewed.
lib/start-proxy-action.js	Regenerated JS updating embedded package version and default bundle/CLI versions; auto-generated, not manually reviewed.
lib/start-proxy-action-post.js	Regenerated JS updating embedded package version to 4.32.0; auto-generated, not manually reviewed.
lib/setup-codeql-action.js	Regenerated JS updating embedded package version and default bundle/CLI versions; auto-generated, not manually reviewed.
lib/resolve-environment-action.js	Regenerated JS updating embedded package version to 4.32.0; auto-generated, not manually reviewed.
lib/init-action.js	Regenerated JS updating embedded package version and default bundle/CLI versions; auto-generated, not manually reviewed.
lib/init-action-post.js	Regenerated JS updating embedded package version and default bundle/CLI versions; auto-generated, not manually reviewed.
lib/defaults.json	Regenerated JSON mirroring src/defaults.json (bundle/CLI and prior versions); auto-generated, not manually reviewed.
lib/autobuild-action.js	Regenerated JS updating embedded package version and default bundle/CLI versions; auto-generated, not manually reviewed.
lib/analyze-action.js	Regenerated JS updating embedded package version and default bundle/CLI versions; auto-generated, not manually reviewed.
lib/analyze-action-post.js	Regenerated JS updating embedded package version to 4.32.0; auto-generated, not manually reviewed.
CHANGELOG.md	Adds a ## 4.32.0 - 26 Jan 2026 entry noting the default CodeQL bundle bump to 2.24.0 (with link and PR reference #3425); consistent with package.json and prior changelog style.
.github/workflows/update-bundle.yml	Extends the bundle update workflow to bump the Action minor version when the CLI minor series changes and to include that in the generated PR body; part of release automation from #3427.
.github/workflows/__build-mode-autobuild.yml	Auto-generated workflow updated to use the new yq installation logic driven by installYq; generated from pr-checks/checks, not manually reviewed.