github
diff --git a/‎.github/workflows/pr-checks.yml
+3 b/‎.github/workflows/pr-checks.yml
+3
diff --git a/‎CHANGELOG.md
+4-3 b/‎CHANGELOG.md
+4-3
diff --git a/‎lib/actions-util.js
+24-1 b/‎lib/actions-util.js
+24-1
diff --git a/‎lib/actions-util.js.map
+1-1 b/‎lib/actions-util.js.map
+1-1
diff --git a/‎lib/analyze-action-post.js
+4-3 b/‎lib/analyze-action-post.js
+4-3
diff --git a/‎lib/analyze-action-post.js.map
+1-1 b/‎lib/analyze-action-post.js.map
+1-1
diff --git a/‎lib/analyze-action.js
+3 b/‎lib/analyze-action.js
+3
diff --git a/‎lib/analyze-action.js.map
+1-1 b/‎lib/analyze-action.js.map
+1-1
diff --git a/‎lib/feature-flags.js
+7 b/‎lib/feature-flags.js
+7
@@ -13,6 +13,9 @@ jobs:
     name: Check JS
     runs-on: ubuntu-latest
     timeout-minutes: 45
+    permissions:
+      contents: read
+      security-events: write
 
     strategy:
       fail-fast: false
 
@@ -7,6 +7,7 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the
 ## [UNRELEASED]
 
 - Bump the minimum CodeQL bundle version to 2.14.6. [#2549](https://github.com/github/codeql-action/pull/2549)
+- Fix an issue where the `upload-sarif` Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by the `upload-sarif` Action. [#2557](https://github.com/github/codeql-action/pull/2557)
 - Update default CodeQL bundle version to 2.19.2. [#2552](https://github.com/github/codeql-action/pull/2552)
 
 ## 3.26.13 - 14 Oct 2024
@@ -23,11 +24,11 @@ No user facing changes.
 
 ## 3.26.11 - 03 Oct 2024
 
-- _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts. 
+- _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.
 
   Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped to `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
-  
-  This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES. 
+
+  This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
 - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)
 
 ## 3.26.10 - 30 Sep 2024