diff --git a/.github/workflows/query-filters.yml b/.github/workflows/query-filters.yml
index c5a838716c..7bba1d6d4e 100644
--- a/.github/workflows/query-filters.yml
+++ b/.github/workflows/query-filters.yml
@@ -20,6 +20,8 @@ jobs:
     name: Query Filters Tests
     timeout-minutes: 45
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
     steps:
     - name: Check out repository
       uses: actions/checkout@v4
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c880f45809..7e5ebdb6c7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## 3.28.5 - 24 Jan 2025
+
+- Update default CodeQL bundle version to 2.20.3. [#2717](https://github.com/github/codeql-action/pull/2717)
+
 ## 3.28.4 - 23 Jan 2025
 
 No user facing changes.
diff --git a/lib/defaults.json b/lib/defaults.json
index 851fee2175..68e0d49497 100644
--- a/lib/defaults.json
+++ b/lib/defaults.json
@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.20.2",
-    "cliVersion": "2.20.2",
-    "priorBundleVersion": "codeql-bundle-v2.20.1",
-    "priorCliVersion": "2.20.1"
+    "bundleVersion": "codeql-bundle-v2.20.3",
+    "cliVersion": "2.20.3",
+    "priorBundleVersion": "codeql-bundle-v2.20.2",
+    "priorCliVersion": "2.20.2"
 }
diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json
index f9d944f3e6..06f2758975 100644
--- a/node_modules/.package-lock.json
+++ b/node_modules/.package-lock.json
@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.28.4",
+  "version": "3.28.5",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
diff --git a/package-lock.json b/package-lock.json
index 145d4c1e83..e4b0c119d5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "3.28.4",
+  "version": "3.28.5",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "3.28.4",
+      "version": "3.28.5",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^2.1.9",
diff --git a/package.json b/package.json
index 331e189a3b..77400ece0c 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.28.4",
+  "version": "3.28.5",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
diff --git a/src/defaults.json b/src/defaults.json
index 8645754788..642bf93f0e 100644
--- a/src/defaults.json
+++ b/src/defaults.json
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.20.2",
-  "cliVersion": "2.20.2",
-  "priorBundleVersion": "codeql-bundle-v2.20.1",
-  "priorCliVersion": "2.20.1"
+  "bundleVersion": "codeql-bundle-v2.20.3",
+  "cliVersion": "2.20.3",
+  "priorBundleVersion": "codeql-bundle-v2.20.2",
+  "priorCliVersion": "2.20.2"
 }