Bump minimum CodeQL CLI version to 2.19.4

[henrymercer]

Follows the deprecation in #3837.

• Update minimum CodeQL version
• Remove unneeded code paths for tools feature flags that are now always true
• Update CodeQL versions tested by PR checks
• Update table in README
• Add changelog note
• Bump minor version number

Risk assessment

For internal use only. Please select the risk level of this change:

• Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

• Advanced setup - Impacts users who have custom CodeQL workflows.
• Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

• Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
• Code Quality - The changes impact analyses when analysis-kinds: code-quality.
• Other first-party - The changes impact other first-party analyses.

Environments:

• Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
• GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

• Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
• End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

• Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

• Telemetry - I rely on existing telemetry or have made changes to the telemetry.
  • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

• No special considerations - This change can be merged at any time.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[Copilot]

Pull request overview

This pull request raises the minimum supported CodeQL CLI (bundle) version to 2.19.4, and simplifies the Action codebase by removing compatibility paths for CLI feature flags that are now guaranteed to be available at/above that minimum. It also updates PR-check coverage, documentation, and release metadata to reflect the new baseline.

Changes:

• Bump minimum CodeQL CLI version from 2.17.6 → 2.19.4 and remove related legacy feature-gating (overwrite flag selection; SARIF jobRunUuid feature check).
• Update PR-check CodeQL version matrix to start at 2.19.4 and extend coverage through 2.24.x.
• Update README/CHANGELOG and bump Action version to 4.36.0.

Show a summary per file

File	Description
src/tools-features.ts	Removes tool feature flags that are now always supported at the new minimum.
src/tools-features.test.ts	Updates unit test to exercise a remaining tools feature flag.
src/feature-flags.ts	Clarifies comment around zstd bundle version threshold relative to minimum version checking.
src/codeql.ts	Raises minimum CLI version; always uses --force-overwrite; always emits --sarif-run-property=jobRunUuid=... when env var is set; updates extra-options filtering accordingly.
src/codeql.test.ts	Updates test to reflect --force-overwrite as the canonical overwrite flag.
README.md	Removes GHES rows for deprecated versions (3.14/3.15) from the support table.
pr-checks/sync.ts	Updates default PR-check CodeQL version set (drops 2.17/2.18; adds 2.23/2.24).
pr-checks/checks/rust.yml	Bumps the Rust PR-check “experimental support introduced” version to 2.19.4.
package.json	Bumps Action package version to 4.36.0.
package-lock.json	Aligns lockfile version metadata with 4.36.0.
CHANGELOG.md	Adds an unreleased breaking-change note for the new minimum CodeQL bundle requirement.
.github/workflows/__rust.yml	Generated workflow updated to test 2.19.4.
.github/workflows/__multi-language-autodetect.yml	Generated workflow matrix updated (drops 2.17/2.18; adds 2.23/2.24).
.github/workflows/__go-tracing-legacy-workflow.yml	Generated workflow matrix updated to match new tested versions.
.github/workflows/__go-tracing-custom-build-steps.yml	Generated workflow matrix updated to match new tested versions.
.github/workflows/__go-tracing-autobuilder.yml	Generated workflow matrix updated to match new tested versions.
lib/upload-sarif-action.js	Generated JS updated from TS build outputs (version/min-version/flag logic).
lib/upload-sarif-action-post.js	Generated JS updated from TS build outputs (version bump).
lib/upload-lib.js	Generated JS updated from TS build outputs (version/min-version/flag logic).
lib/start-proxy-action.js	Generated JS updated from TS build outputs (version bump).
lib/start-proxy-action-post.js	Generated JS updated from TS build outputs (version bump).
lib/setup-codeql-action.js	Generated JS updated from TS build outputs (version/min-version/flag logic).
lib/resolve-environment-action.js	Generated JS updated from TS build outputs (version/min-version/flag logic).
lib/init-action.js	Generated JS updated from TS build outputs (version/min-version/flag logic).
lib/init-action-post.js	Generated JS updated from TS build outputs (version/min-version/flag logic).
lib/autobuild-action.js	Generated JS updated from TS build outputs (version/min-version/flag logic).
lib/analyze-action.js	Generated JS updated from TS build outputs (version/min-version/flag logic).
lib/analyze-action-post.js	Generated JS updated from TS build outputs (version/min-version/flag logic).

Copilot's findings

• Files reviewed: 10/28 changed files
• Comments generated: 0