XXX

Mergeback v4.31.0 refs/heads/releases/v4 into main

.github/actions/check-sarif/action.yml

@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: node20
+  using: node24
   main: index.js

.github/actions/prepare-test/action.yml

@@ -2,7 +2,7 @@ name: "Prepare test"
 description: Performs some preparation to run tests
 inputs:
   version:
-    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
+    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'toolcache', 'nightly', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
     required: true
   use-all-platform-bundle:
     description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
@@ -41,6 +41,9 @@ runs:
         elif [[ "$VERSION" == "linked" ]]; then
           echo "tools-url=linked" >> "$GITHUB_OUTPUT"
           exit 0
+        elif [[ "$VERSION" == "toolcache" ]]; then
+          echo "tools-url=toolcache" >> "$GITHUB_OUTPUT"
+          exit 0
         elif [[ "$VERSION" == "default" ]]; then
           echo "tools-url=" >> "$GITHUB_OUTPUT"
           exit 0

.github/dependabot.yml

@@ -16,9 +16,12 @@ updates:
       - dependency-name: "eslint-plugin-import"
         versions: [">=2.30.0"]
     groups:
-      npm:
+      npm-minor:
         patterns:
           - "*"
+        update-types:
+          - "minor"
+          - "patch"
   - package-ecosystem: github-actions
     directories:
       - "/.github/workflows"
@@ -28,6 +31,9 @@ updates:
     labels:
       - Rebuild
     groups:
-      actions:
+      actions-minor:
         patterns:
           - "*"
+        update-types:
+          - "minor"
+          - "patch"

.github/pull_request_template.md

@@ -1,4 +1,13 @@
-<!-- For GitHub staff: Remember that this is a public repository. -->
+<!--
+    For GitHub staff: Remember that this is a public repository. Do not link to internal resources.
+                      If necessary, link to this PR from an internal issue and include further details there.
+
+    Everyone: Include a summary of the context of this change, what it aims to accomplish, and why you
+              chose the approach you did if applicable. Indicate any open questions you want to answer
+              during the review process and anything you want reviewers to pay particular attention to.
+
+    See https://github.com/github/codeql-action/blob/main/CONTRIBUTING.md for additional information.
+-->
 
 ### Risk assessment
 
@@ -7,6 +16,44 @@ For internal use only. Please select the risk level of this change:
 - **Low risk:** Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.
 - **High risk:** Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.
 
+#### Which use cases does this change impact?
+
+<!-- Delete options that don't apply. -->
+
+- **Advanced setup** - Impacts users who have custom workflows.
+- **Default setup** - Impacts users who use default setup.
+- **Code Scanning** - Impacts Code Scanning (i.e. `analysis-kinds: code-scanning`).
+- **Code Quality** - Impacts Code Quality (i.e. `analysis-kinds: code-quality`).
+- **Third-party analyses** - Impacts third-party analyses (i.e. `upload-sarif`).
+- **GHES** - Impacts GitHub Enterprise Server.
+
+#### How did/will you validate this change?
+
+<!-- Delete options that don't apply. -->
+
+- **Test repository** - This change will be tested on a test repository before merging.
+- **Unit tests** - I am depending on unit test coverage (i.e. tests in `.test.ts` files).
+- **End-to-end tests** - I am depending on PR checks (i.e. tests in `pr-checks`).
+- **Other** - Please provide details.
+- **None** - I am not validating these changes.
+
+#### If something goes wrong after this change is released, what are the mitigation and rollback strategies?
+
+<!-- Delete strategies that don't apply. -->
+
+- **Feature flags** - All new or changed code paths can be fully disabled with corresponding feature flags.
+- **Rollback** - Change can only be disabled by rolling back the release or releasing a new version with a fix.
+- **Other** - Please provide details.
+
+#### How will you know if something goes wrong after this change is released?
+
+<!-- Delete options that don't apply. -->
+
+- **Telemetry** - I rely on existing telemetry or have made changes to the telemetry.
+    - **Dashboards** - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
+    - **Alerts** - New or existing monitors will trip if something goes wrong with this change.
+- **Other** - Please provide details.
+
 ### Merge / deployment checklist
 
 - Confirm this change is backwards compatible with existing workflows.

.github/sizeup.yml

@@ -0,0 +1,55 @@
+labeling:
+  applyCategoryLabels: true
+  categoryLabelPrefix: "size/"
+
+commenting:
+  addCommentWhenScoreThresholdHasBeenExceeded: false
+
+sizeup:
+  categories:
+    - name: extra small
+      lte: 25
+      label:
+        name: XS
+        description: Should be very easy to review
+        color: 3cbf00
+    - name: small
+      lte: 100
+      label:
+        name: S
+        description: Should be easy to review
+        color: 5d9801
+    - name: medium
+      lte: 250
+      label:
+        name: M
+        description: Should be of average difficulty to review
+        color: 7f7203
+    - name: large
+      lte: 500
+      label:
+        name: L
+        description: May be hard to review
+        color: a14c05
+    - name: extra large
+      lte: 1000
+      label:
+        name: XL
+        description: May be very hard to review
+        color: c32607
+    - name: extra extra large
+      label:
+        name: XXL
+        description: May be extremely hard to review
+        color: e50009
+  ignoredFilePatterns:
+    - ".github/workflows/__*"
+    - "lib/**/*"
+    - "package-lock.json"
+  testFilePatterns:
+    - "**/*.test.ts"
+  scoring:
+    # This formula and the aliases below it are written in prefix notation.
+    # For an explanation of how this works, please see:
+    # https://github.com/lerebear/sizeup-core/blob/main/README.md#prefix-notation
+    formula: "- - + additions deletions comments whitespace"

.github/update-release-branch.py

@@ -371,10 +371,10 @@ def main():
       # releases.
       run_git('revert', vOlder_update_commits[0], '--no-edit')
 
-      # Also revert the "Update checked-in dependencies" commit created by Actions.
-      update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0]
-      print(f'  Reverting {update_dependencies_commit}')
-      run_git('revert', update_dependencies_commit, '--no-edit')
+      # Also revert the "Rebuild" commit created by Actions.
+      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
+      print(f'  Reverting {rebuild_commit}')
+      run_git('revert', rebuild_commit, '--no-edit')
 
     else:
       print('  Nothing to revert.')

.github/workflows/__analyze-ref-input.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -70,6 +80,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__bundle-from-toolcache.yml

@@ -3,7 +3,7 @@
 #     pr-checks/sync.sh
 # to regenerate this file.
 
-name: 'PR Check - Upload-sarif: code quality endpoint'
+name: 'PR Check - Bundle: From toolcache'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
@@ -21,19 +21,9 @@ on:
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+    inputs: {}
   workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+    inputs: {}
 defaults:
   run:
     shell: bash
@@ -41,14 +31,14 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
   group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  upload-quality-sarif:
+  bundle-from-toolcache:
     strategy:
       fail-fast: false
       matrix:
         include:
           - os: ubuntu-latest
-            version: default
-    name: 'Upload-sarif: code quality endpoint'
+            version: toolcache
+    name: 'Bundle: From toolcache'
     if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
@@ -65,31 +55,31 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
+      - name: Install @actions/tool-cache
+        run: npm install @actions/tool-cache
+      - name: Check toolcache contains CodeQL
+        continue-on-error: true
+        uses: actions/github-script@v8
         with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
+          script: |
+            const toolcache = require('@actions/tool-cache');
+            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+            if (allCodeqlVersions.length === 0) {
+              throw new Error(`CodeQL could not be found in the toolcache`);
+            }
+      - id: setup-codeql
+        uses: ./../action/setup-codeql
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: csharp,java,javascript,python
-          analysis-kinds: code-quality
-      - name: Build code
-        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
-      - uses: ./../action/analyze
+      - name: Check CodeQL is installed within the toolcache
+        uses: actions/github-script@v8
         with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-          upload: never
-      - uses: ./../action/upload-sarif
-        id: upload-sarif
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-      - name: Check output from `upload-sarif` step
-        if: fromJSON(steps.upload-sarif.outputs.sarif-ids)[0].analysis != 'code-quality'
-        run: exit 1
+          script: |
+            const toolcache = require('@actions/tool-cache');
+            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+            console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
+            if (allCodeqlVersions.length === 0) {
+              throw new Error('CodeQL not found in toolcache');
+            }
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__config-input.yml

@@ -49,7 +49,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__local-bundle.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -70,6 +80,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Fetch latest CodeQL bundle
         run: |
           wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst

.github/workflows/__multi-language-autodetect.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -104,6 +114,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -63,7 +73,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 20.x
           cache: npm
@@ -81,6 +91,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__packaging-config-inputs-js.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__packaging-config-js.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__packaging-inputs-js.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__quality-queries.yml

@@ -80,6 +80,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
           upload-database: false
+          post-processed-sarif-path: ${{ runner.temp }}/post-processed
       - name: Upload security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
         uses: actions/upload-artifact@v4
@@ -96,6 +97,14 @@ jobs:
             quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
           path: ${{ runner.temp }}/results/javascript.quality.sarif
           retention-days: 7
+      - name: Upload post-processed SARIF
+        uses: actions/upload-artifact@v4
+        with:
+          name: |
+            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
+          path: ${{ runner.temp }}/post-processed
+          retention-days: 7
+          if-no-files-found: error
       - name: Check quality query does not appear in security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
         uses: actions/github-script@v8

.github/workflows/__remote-config.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -72,6 +82,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__rubocop-multi-language.yml

@@ -56,7 +56,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+        uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/__unset-environment.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -72,6 +82,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__upload-ref-sha-input.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -70,6 +80,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__upload-sarif.yml

@@ -0,0 +1,173 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Test different uses of `upload-sarif`
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+jobs:
+  upload-sarif:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-scanning
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-quality
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-scanning,code-quality
+    name: Test different uses of `upload-sarif`
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v5
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          languages: csharp,java,javascript,python
+          analysis-kinds: ${{ matrix.analysis-kinds }}
+      - name: Build code
+        run: ./build.sh
+  # Generate some SARIF we can upload with the upload-sarif step
+      - uses: ./../action/analyze
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          upload: never
+          output: ${{ runner.temp }}/results
+
+      - name: |
+          Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}`
+        uses: ./../action/upload-sarif
+        id: upload-sarif
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          sarif_file: ${{ runner.temp }}/results
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
+      - name: Fail for missing output from `upload-sarif` step for `code-scanning`
+        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
+        run: exit 1
+      - name: Fail for missing output from `upload-sarif` step for `code-quality`
+        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
+        run: exit 1
+
+      - name: Upload single SARIF file for Code Scanning
+        uses: ./../action/upload-sarif
+        id: upload-single-sarif-code-scanning
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          sarif_file: ${{ runner.temp }}/results/javascript.sarif
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
+      - name: Fail for missing output from `upload-single-sarif-code-scanning` step
+        if: contains(matrix.analysis-kinds, 'code-scanning') &&
+          !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
+        run: exit 1
+      - name: Upload single SARIF file for Code Quality
+        uses: ./../action/upload-sarif
+        id: upload-single-sarif-code-quality
+        if: contains(matrix.analysis-kinds, 'code-quality')
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
+      - name: Fail for missing output from `upload-single-sarif-code-quality` step
+        if: contains(matrix.analysis-kinds, 'code-quality') &&
+          !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
+        run: exit 1
+
+      - name: Change SARIF file extension
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json
+      - name: Upload single non-`.sarif` file
+        uses: ./../action/upload-sarif
+        id: upload-single-non-sarif
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
+      - name: Fail for missing output from `upload-single-non-sarif` step
+        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
+        run: exit 1
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__with-checkout-path.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -70,6 +80,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Delete original checkout
         run: |
           # delete the original checkout so we don't accidentally use it.
@@ -103,29 +118,30 @@ jobs:
 
       - name: Verify SARIF after upload
         run: |
+          PAYLOAD_FILE="$RUNNER_TEMP/payload-code-scanning.json"
           EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
           EXPECTED_REF="v1.1.0"
           EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
 
-          ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
-          ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
-          ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+          ACTUAL_COMMIT_OID="$(cat "$PAYLOAD_FILE" | jq -r .commit_oid)"
+          ACTUAL_REF="$(cat "$PAYLOAD_FILE" | jq -r .ref)"
+          ACTUAL_CHECKOUT_URI="$(cat "$PAYLOAD_FILE" | jq -r .checkout_uri)"
 
           if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
             echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
-            echo "$RUNNER_TEMP/payload.json"
+            echo "$PAYLOAD_FILE"
             exit 1
           fi
 
           if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
             echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
-            echo "$RUNNER_TEMP/payload.json"
+            echo "$PAYLOAD_FILE"
             exit 1
           fi
 
           if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
             echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
-            echo "$RUNNER_TEMP/payload.json"
+            echo "$PAYLOAD_FILE"
             exit 1
           fi
     env:

.github/workflows/codescanning-config-cli.yml

@@ -56,9 +56,9 @@ jobs:
       uses: actions/checkout@v5
 
     - name: Set up Node.js
-      uses: actions/setup-node@v5
+      uses: actions/setup-node@v6
       with:
-        node-version: '20'
+        node-version: 24
         cache: 'npm'
 
     - name: Install dependencies

.github/workflows/label-pr-size.yml

@@ -0,0 +1,26 @@
+name: Label PR with size
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - edited
+      - ready_for_review
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  sizeup:
+    name: Label PR with size
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Run sizeup
+        uses: lerebear/sizeup-action@b7beb3dd273e36039e16e48e7bc690c189e61951 # 0.8.12
+        with:
+          token: "${{ secrets.GITHUB_TOKEN }}"
+          configuration-file-path: ".github/sizeup.yml"

.github/workflows/post-release-mergeback.yml

@@ -47,7 +47,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v6
 
       - name: Update git config
         run: |
@@ -146,6 +146,7 @@ jobs:
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
 
       - name: Create the GitHub release
+        if: steps.check.outputs.exists != 'true'
         env:
           PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
           VERSION: "${{ steps.getVersion.outputs.version }}"

.github/workflows/pr-checks.yml

@@ -20,6 +20,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
+        node-version: [20, 24]
     permissions:
       contents: read
       security-events: write # needed to upload ESLint results
@@ -34,9 +35,9 @@ jobs:
       - uses: actions/checkout@v5
 
       - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
-          node-version: '20.x'
+          node-version: ${{ matrix.node-version }}
           cache: 'npm'
 
       - name: Set up Python
@@ -72,8 +73,8 @@ jobs:
         run: npm run lint-ci
 
       - name: Upload sarif
-        uses: github/codeql-action/upload-sarif@v3
-        if: matrix.os == 'ubuntu-latest'
+        uses: github/codeql-action/upload-sarif@v4
+        if: matrix.os == 'ubuntu-latest' && matrix.node-version == 24
         with:
           sarif_file: eslint.sarif
           category: eslint

.github/workflows/query-filters.yml

@@ -32,9 +32,9 @@ jobs:
       uses: actions/checkout@v5
 
     - name: Install Node.js
-      uses: actions/setup-node@v5
+      uses: actions/setup-node@v6
       with:
-        node-version: 20.x
+        node-version: 24
         cache: npm
 
     - name: Install dependencies

.github/workflows/update-bundle.yml

@@ -41,9 +41,9 @@ jobs:
           git config --global user.name "github-actions[bot]"
 
       - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
-          node-version: '20.x'
+          node-version: 24
           cache: 'npm'
 
       - name: Install dependencies

.github/workflows/update-proxy-release.yml

@@ -1,99 +0,0 @@
-name: Update dependency proxy release assets
-on:
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "The tag of CodeQL Bundle release that contains the proxy binaries as release assets"
-        type: string
-        required: true
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  update:
-    name: Update code and create PR
-    timeout-minutes: 15
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write # needed to push the updated files
-      pull-requests: write # needed to create the PR
-    env:
-      RELEASE_TAG: ${{ inputs.tag }}
-    steps:
-      - name: Check release tag format
-        id: checks
-        run: |
-          if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format."
-            exit 1
-          fi
-
-          echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT
-
-      - name: Check that the release exists
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-        run: |
-          (gh release view --repo "$GITHUB_REPOSITORY" --json "assets" "$RELEASE_TAG" && echo "Release found.") || exit 1
-
-      - name: Install Node
-        uses: actions/setup-node@v5
-
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 0  # ensure we have all tags and can push commits
-          ref: main
-
-      - name: Update git config
-        run: |
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
-
-      - name: Update release tag and version
-        run: |
-          NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
-          sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts
-          sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts
-
-      - name: Compile TypeScript and commit changes
-        env:
-          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
-        run: |
-          set -exu
-          git checkout -b "$TARGET_BRANCH"
-
-          npm run build
-          git add ./src/start-proxy-action.ts
-          git add ./lib
-          git commit -m "Update release used by \`start-proxy\` action"
-
-      - name: Push changes and open PR
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
-          PR_FLAG: ${{ (github.event_name == 'workflow_dispatch' && '--draft') || '--dry-run' }}
-        run: |
-          set -exu
-          pr_title="Update release used by \`start-proxy\` to \`$RELEASE_TAG\`"
-          pr_body=$(cat << EOF
-            This PR updates the \`start-proxy\` action to use the private registry proxy binaries that
-            are attached as release assets to the \`$RELEASE_TAG\` release.
-
-
-            Please do the following before merging:
-
-            - [ ] Verify that the changes to the code are correct.
-            - [ ] Mark the PR as ready for review to trigger the CI.
-          EOF
-          )
-
-          git push origin "$TARGET_BRANCH"
-          gh pr create \
-            --head "$TARGET_BRANCH" \
-            --base "main" \
-            --title "${pr_title}" \
-            --body "${pr_body}" \
-            $PR_FLAG

CHANGELOG.md

@@ -6,6 +6,28 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 No user facing changes.
 
+## 4.31.0 - 24 Oct 2025
+
+- Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
+- When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
+
+## 4.30.9 - 17 Oct 2025
+
+- Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
+- Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
+
+## 4.30.8 - 10 Oct 2025
+
+No user facing changes.
+
+## 4.30.7 - 06 Oct 2025
+
+- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
+
+## 3.30.6 - 02 Oct 2025
+
+- Update default CodeQL bundle version to 2.23.2. [#3168](https://github.com/github/codeql-action/pull/3168)
+
 ## 3.30.5 - 26 Sep 2025
 
 - We fixed a bug that was introduced in `3.30.4` with `upload-sarif` which resulted in files without a `.sarif` extension not getting uploaded. [#3160](https://github.com/github/codeql-action/pull/3160)

CONTRIBUTING.md

@@ -13,7 +13,7 @@ Please note that this project is released with a [Contributor Code of Conduct][c
 
 ## Development and Testing
 
-Before you start, ensure that you have a recent version of node (16 or higher) installed, along with a recent version of npm (9.2 or higher). You can see which version of node is used by the action in `init/action.yml`.
+Before you start, ensure that you have a recent version of node (24 or higher) installed, along with a recent version of npm (9.2 or higher). You can see which version of node is used by the action in `init/action.yml`.
 
 ### Common tasks
 

README.md

@@ -34,6 +34,7 @@ Actions with special purposes and unlikely to be used directly:
 - `autobuild`: Attempts to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead. For information about input parameters, see the [autobuild action definition](https://github.com/github/codeql-action/blob/main/autobuild/action.yml).
 - `resolve-environment`: [Experimental] Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the [resolve-environment action definition](https://github.com/github/codeql-action/blob/main/resolve-environment/action.yml).
 - `start-proxy`: [Experimental] Start the HTTP proxy server. Internal use only and will change without notice. For information about input parameters, see the [start-proxy action definition](https://github.com/github/codeql-action/blob/main/start-proxy/action.yml).
+- `setup-codeql`: [Experimental] Similar to `init`, except it only installs the CodeQL CLI and does not initialize a database.
 
 ### Workflow Permissions
 
@@ -62,7 +63,8 @@ For compiled languages:
 
 The following versions of the CodeQL Action are currently supported:
 
-- v3 (latest)
+- v4 (latest)
+- v3
 
 ## Supported versions of the CodeQL Bundle on GitHub Enterprise Server
 

analyze/action.yml

@@ -6,7 +6,7 @@ inputs:
     description: The name of the check run to add text to.
     required: false
   output:
-    description: The path of the directory in which to save the SARIF results
+    description: The path of the directory in which to save the SARIF results from the CodeQL CLI.
     required: false
     default: "../results"
   upload:
@@ -70,6 +70,12 @@ inputs:
     description: Whether to upload the resulting CodeQL database
     required: false
     default: "true"
+  post-processed-sarif-path:
+    description: >-
+      Before uploading the SARIF files produced by the CodeQL CLI, the CodeQL Action may perform some post-processing
+      on them. Ordinarily, these post-processed SARIF files are not saved to disk. However, if a path is provided as an
+      argument for this input, they are written to the specified directory.
+    required: false
   wait-for-processing:
     description: If true, the Action will wait for the uploaded SARIF to be processed before completing.
     required: true
@@ -92,6 +98,6 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: node20
+  using: node24
   main: "../lib/analyze-action.js"
   post: "../lib/analyze-action-post.js"

autobuild/action.yml

@@ -15,5 +15,5 @@ inputs:
       $GITHUB_WORKSPACE as its working directory.
     required: false
 runs:
-  using: node20
+  using: node24
   main: '../lib/autobuild-action.js'

eslint.config.mjs

@@ -131,6 +131,7 @@ export default [
       "no-sequences": "error",
       "no-shadow": "off",
       "@typescript-eslint/no-shadow": "error",
+      "@typescript-eslint/prefer-optional-chain": "error",
       "one-var": ["error", "never"],
     },
   },
@@ -146,6 +147,12 @@ export default [
       "@typescript-eslint/prefer-regexp-exec": "off",
       "@typescript-eslint/require-await": "off",
       "@typescript-eslint/restrict-template-expressions": "off",
+      "@typescript-eslint/no-unused-vars": [
+        "error",
+        {
+          "argsIgnorePattern": "^_",
+        }
+      ],
       "func-style": "off",
     },
   },

init/action.yml

@@ -165,6 +165,6 @@ outputs:
   codeql-version:
     description: The version of the CodeQL binary used for analysis
 runs:
-  using: node20
+  using: node24
   main: '../lib/init-action.js'
   post: '../lib/init-action-post.js'

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.1",
-  "cliVersion": "2.23.1",
-  "priorBundleVersion": "codeql-bundle-v2.23.0",
-  "priorCliVersion": "2.23.0"
+  "bundleVersion": "codeql-bundle-v2.23.3",
+  "cliVersion": "2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorCliVersion": "2.23.2"
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.30.6",
+  "version": "4.31.1",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -35,6 +35,7 @@
     "@actions/io": "^1.1.3",
     "@actions/tool-cache": "^2.0.2",
     "@octokit/plugin-retry": "^6.0.0",
+    "@octokit/request-error": "^7.0.1",
     "@schemastore/package": "0.0.10",
     "archiver": "^7.0.1",
     "check-disk-space": "^3.4.0",
@@ -47,15 +48,15 @@
     "jsonschema": "1.4.1",
     "long": "^5.3.2",
     "node-forge": "^1.3.1",
-    "octokit": "^5.0.3",
-    "semver": "^7.7.2",
+    "octokit": "^5.0.4",
+    "semver": "^7.7.3",
     "uuid": "^13.0.0"
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",
     "@eslint/compat": "^1.4.0",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.36.0",
+    "@eslint/js": "^9.38.0",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@octokit/types": "^15.0.0",
     "@types/archiver": "^6.0.3",
@@ -66,10 +67,10 @@
     "@types/node-forge": "^1.3.14",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.44.1",
+    "@typescript-eslint/eslint-plugin": "^8.46.1",
     "@typescript-eslint/parser": "^8.41.0",
     "ava": "^6.4.1",
-    "esbuild": "^0.25.10",
+    "esbuild": "^0.25.11",
     "eslint": "^8.57.1",
     "eslint-import-resolver-typescript": "^3.8.7",
     "eslint-plugin-filenames": "^1.3.2",
@@ -79,7 +80,7 @@
     "glob": "^11.0.3",
     "nock": "^14.0.10",
     "sinon": "^21.0.0",
-    "typescript": "^5.9.2"
+    "typescript": "^5.9.3"
   },
   "overrides": {
     "@actions/tool-cache": {

pr-checks/checks/analyze-ref-input.yml

@@ -2,6 +2,7 @@ name: "Analyze: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/bundle-from-toolcache.yml

@@ -0,0 +1,31 @@
+name: "Bundle: From toolcache"
+description: "The CodeQL bundle should be cached within the toolcache"
+versions:
+  - toolcache
+steps:
+  - name: Install @actions/tool-cache
+    run: npm install @actions/tool-cache
+  - name: Check toolcache contains CodeQL
+    continue-on-error: true
+    uses: actions/github-script@v8
+    with:
+      script: |
+        const toolcache = require('@actions/tool-cache');
+        const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+        if (allCodeqlVersions.length === 0) {
+          throw new Error(`CodeQL could not be found in the toolcache`);
+        }
+  - id: setup-codeql
+    uses: ./../action/setup-codeql
+    with:
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - name: Check CodeQL is installed within the toolcache
+    uses: actions/github-script@v8
+    with:
+      script: |
+        const toolcache = require('@actions/tool-cache');
+        const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+        console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
+        if (allCodeqlVersions.length === 0) {
+          throw new Error('CodeQL not found in toolcache');
+        }

pr-checks/checks/local-bundle.yml

@@ -2,6 +2,7 @@ name: "Local CodeQL bundle"
 description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["linked"]
 installGo: true
+installPython: true
 steps:
   - name: Fetch latest CodeQL bundle
     run: |

pr-checks/checks/multi-language-autodetect.yml

@@ -4,6 +4,7 @@ operatingSystems: ["macos", "ubuntu"]
 env:
   CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
+installPython: true
 steps:
   - name: Use Xcode 16
     if: runner.os == 'macOS' && matrix.version != 'nightly-latest'

pr-checks/checks/packaging-codescanning-config-inputs-js.yml

@@ -3,6 +3,7 @@ description: "Checks that specifying packages using a combination of a config fi
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/quality-queries.yml

@@ -36,6 +36,7 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
       upload-database: false
+      post-processed-sarif-path: "${{ runner.temp }}/post-processed"
   - name: Upload security SARIF
     if: contains(matrix.analysis-kinds, 'code-scanning')
     uses: actions/upload-artifact@v4
@@ -52,6 +53,14 @@ steps:
         quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
       path: "${{ runner.temp }}/results/javascript.quality.sarif"
       retention-days: 7
+  - name: Upload post-processed SARIF
+    uses: actions/upload-artifact@v4
+    with:
+      name: |
+        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
+      path: "${{ runner.temp }}/post-processed"
+      retention-days: 7
+      if-no-files-found: error
   - name: Check quality query does not appear in security SARIF
     if: contains(matrix.analysis-kinds, 'code-scanning')
     uses: actions/github-script@v8

pr-checks/checks/remote-config.yml

@@ -6,6 +6,7 @@ versions:
   - linked
   - nightly-latest
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/rubocop-multi-language.yml

@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
   - name: Set up Ruby
-    uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+    uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
     with:
       ruby-version: 2.6
   - name: Install Code Scanning integration

pr-checks/checks/unset-environment.yml

@@ -6,6 +6,7 @@ versions:
   - linked
   - nightly-latest
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     id: init

pr-checks/checks/upload-quality-sarif.yml

@@ -1,26 +0,0 @@
-name: "Upload-sarif: code quality endpoint"
-description: "Checks that uploading SARIFs to the code quality endpoint works"
-versions: ["default"]
-installGo: true
-steps:
-  - uses: ./../action/init
-    with:
-      tools: ${{ steps.prepare-test.outputs.tools-url }}
-      languages: csharp,java,javascript,python
-      analysis-kinds: code-quality
-  - name: Build code
-    run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
-  - uses: ./../action/analyze
-    with:
-      ref: 'refs/heads/main'
-      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
-      upload: never
-  - uses: ./../action/upload-sarif
-    id: upload-sarif
-    with:
-      ref: 'refs/heads/main'
-      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
-  - name: "Check output from `upload-sarif` step"
-    if: fromJSON(steps.upload-sarif.outputs.sarif-ids)[0].analysis != 'code-quality'
-    run: exit 1

pr-checks/checks/upload-ref-sha-input.yml

@@ -2,6 +2,7 @@ name: "Upload-sarif: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/upload-sarif.yml

@@ -0,0 +1,82 @@
+name: "Test different uses of `upload-sarif`"
+description: "Checks that uploading SARIFs to the code quality endpoint works"
+versions: ["default"]
+analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
+installGo: true
+installPython: true
+steps:
+  - uses: ./../action/init
+    with:
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+      languages: csharp,java,javascript,python
+      analysis-kinds: ${{ matrix.analysis-kinds }}
+  - name: Build code
+    run: ./build.sh
+  # Generate some SARIF we can upload with the upload-sarif step
+  - uses: ./../action/analyze
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      upload: never
+      output: ${{ runner.temp }}/results
+
+  - name: |
+      Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}`
+    uses: ./../action/upload-sarif
+    id: upload-sarif
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      sarif_file: ${{ runner.temp }}/results
+      category: |
+        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
+  - name: "Fail for missing output from `upload-sarif` step for `code-scanning`"
+    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)"
+    run: exit 1
+  - name: "Fail for missing output from `upload-sarif` step for `code-quality`"
+    if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)"
+    run: exit 1
+
+  - name: Upload single SARIF file for Code Scanning
+    uses: ./../action/upload-sarif
+    id: upload-single-sarif-code-scanning
+    if: "contains(matrix.analysis-kinds, 'code-scanning')"
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      sarif_file: ${{ runner.temp }}/results/javascript.sarif
+      category: |
+        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
+  - name: "Fail for missing output from `upload-single-sarif-code-scanning` step"
+    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)"
+    run: exit 1
+  - name: Upload single SARIF file for Code Quality
+    uses: ./../action/upload-sarif
+    id: upload-single-sarif-code-quality
+    if: "contains(matrix.analysis-kinds, 'code-quality')"
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
+      category: |
+        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
+  - name: "Fail for missing output from `upload-single-sarif-code-quality` step"
+    if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)"
+    run: exit 1
+
+  - name: Change SARIF file extension
+    if: "contains(matrix.analysis-kinds, 'code-scanning')"
+    run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json
+  - name: Upload single non-`.sarif` file
+    uses: ./../action/upload-sarif
+    id: upload-single-non-sarif
+    if: "contains(matrix.analysis-kinds, 'code-scanning')"
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
+      category: |
+        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
+  - name: "Fail for missing output from `upload-single-non-sarif` step"
+    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)"
+    run: exit 1

pr-checks/checks/with-checkout-path.yml

@@ -2,6 +2,7 @@ name: "Use a custom `checkout_path`"
 description: "Checks that a custom `checkout_path` will find the proper commit_oid"
 versions: ["linked"]
 installGo: true
+installPython: true
 steps:
   # This ensures we don't accidentally use the original checkout for any part of the test.
   - name: Delete original checkout
@@ -37,28 +38,29 @@ steps:
 
   - name: Verify SARIF after upload
     run: |
+      PAYLOAD_FILE="$RUNNER_TEMP/payload-code-scanning.json"
       EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
       EXPECTED_REF="v1.1.0"
       EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
 
-      ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
-      ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
-      ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+      ACTUAL_COMMIT_OID="$(cat "$PAYLOAD_FILE" | jq -r .commit_oid)"
+      ACTUAL_REF="$(cat "$PAYLOAD_FILE" | jq -r .ref)"
+      ACTUAL_CHECKOUT_URI="$(cat "$PAYLOAD_FILE" | jq -r .checkout_uri)"
 
       if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
         echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
-        echo "$RUNNER_TEMP/payload.json"
+        echo "$PAYLOAD_FILE"
         exit 1
       fi
 
       if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
         echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
-        echo "$RUNNER_TEMP/payload.json"
+        echo "$PAYLOAD_FILE"
         exit 1
       fi
 
       if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
         echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
-        echo "$RUNNER_TEMP/payload.json"
+        echo "$PAYLOAD_FILE"
         exit 1
       fi

pr-checks/sync.py

@@ -117,7 +117,7 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
         steps.extend([
             {
                 'name': 'Install Node.js',
-                'uses': 'actions/setup-node@v5',
+                'uses': 'actions/setup-node@v6',
                 'with': {
                     'node-version': '20.x',
                     'cache': 'npm',
@@ -184,6 +184,26 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
             }
         })
 
+    installPython = is_truthy(checkSpecification.get('installPython', ''))
+
+    if installPython:
+        basePythonVersionExpr = '3.13'
+        workflowInputs['python-version'] = {
+            'type': 'string',
+            'description': 'The version of Python to install',
+            'required': False,
+            'default': basePythonVersionExpr,
+        }
+
+        steps.append({
+            'name': 'Install Python',
+            'if': 'matrix.version != \'nightly-latest\'',
+            'uses': 'actions/setup-python@v6',
+            'with': {
+                'python-version': '${{ inputs.python-version || \'' + basePythonVersionExpr + '\' }}'
+            }
+        })
+
     # If container initialisation steps are present in the check specification,
     # make sure to execute them first.
     if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:

resolve-environment/action.yml

@@ -21,5 +21,5 @@ outputs:
   environment:
     description: The inferred build environment configuration.
 runs:
-  using: node20
+  using: node24
   main: '../lib/resolve-environment-action.js'

setup-codeql/action.yml

@@ -0,0 +1,39 @@
+name: 'CodeQL: Setup'
+description: 'Installs the CodeQL CLI'
+author: 'GitHub'
+inputs:
+  tools:
+    description: >-
+      By default, the Action will use the recommended version of the CodeQL
+      Bundle to analyze your project. You can override this choice using this
+      input. One of:
+
+      - A local path to a CodeQL Bundle tarball, or
+      - The URL of a CodeQL Bundle tarball GitHub release asset, or
+      - A special value `linked` which uses the version of the CodeQL tools
+        that the Action has been bundled with.
+      - A special value `nightly` which uses the latest nightly version of the
+        CodeQL tools. Note that this is unstable and not recommended for
+        production use.
+
+      If not specified, the Action will check in several places until it finds
+      the CodeQL tools.
+    required: false
+  token:
+    description: GitHub token to use for authenticating with this instance of GitHub.
+    default: ${{ github.token }}
+    required: false
+  matrix:
+    default: ${{ toJson(matrix) }}
+    required: false
+  external-repository-token:
+    description: A token for fetching additional files from private repositories in the same GitHub instance that is running this action.
+    required: false
+outputs:
+  codeql-path:
+    description: The path of the CodeQL binary that was installed.
+  codeql-version:
+    description: The version of the CodeQL binary that was installed.
+runs:
+  using: node24
+  main: '../lib/setup-codeql-action.js'

src/actions-util.ts

@@ -247,9 +247,14 @@ export function isSelfHostedRunner() {
   return process.env.RUNNER_ENVIRONMENT === "self-hosted";
 }
 
+/** Determines whether the workflow trigger is `dynamic`. */
+export function isDynamicWorkflow(): boolean {
+  return getWorkflowEventName() === "dynamic";
+}
+
 /** Determines whether we are running in default setup. */
 export function isDefaultSetup(): boolean {
-  return getWorkflowEventName() === "dynamic";
+  return isDynamicWorkflow();
 }
 
 export function prettyPrintInvocation(cmd: string, args: string[]): string {

src/analyses.test.ts

@@ -1,12 +1,19 @@
 import test from "ava";
+import * as sinon from "sinon";
 
+import * as actionsUtil from "./actions-util";
 import {
   AnalysisKind,
+  getAnalysisKinds,
   parseAnalysisKinds,
   supportedAnalysisKinds,
 } from "./analyses";
+import { getRunnerLogger } from "./logging";
+import { setupTests } from "./testing-utils";
 import { ConfigurationError } from "./util";
 
+setupTests(test);
+
 test("All known analysis kinds can be parsed successfully", async (t) => {
   for (const analysisKind of supportedAnalysisKinds) {
     t.deepEqual(await parseAnalysisKinds(analysisKind), [analysisKind]);
@@ -34,3 +41,29 @@ test("Parsing analysis kinds requires at least one analysis kind", async (t) =>
     instanceOf: ConfigurationError,
   });
 });
+
+test("getAnalysisKinds - returns expected analysis kinds for `analysis-kinds` input", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub
+    .withArgs("analysis-kinds")
+    .returns("code-scanning,code-quality");
+  const result = await getAnalysisKinds(getRunnerLogger(true), true);
+  t.assert(result.includes(AnalysisKind.CodeScanning));
+  t.assert(result.includes(AnalysisKind.CodeQuality));
+});
+
+test("getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub.withArgs("analysis-kinds").returns("code-scanning");
+  const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
+  optionalInputStub.withArgs("quality-queries").returns("code-quality");
+  const result = await getAnalysisKinds(getRunnerLogger(true), true);
+  t.assert(result.includes(AnalysisKind.CodeScanning));
+  t.assert(result.includes(AnalysisKind.CodeQuality));
+});
+
+test("getAnalysisKinds - throws if `analysis-kinds` input is invalid", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub.withArgs("analysis-kinds").returns("no-such-thing");
+  await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true));
+});

src/analyses.ts

@@ -1,3 +1,9 @@
+import {
+  fixCodeQualityCategory,
+  getOptionalInput,
+  getRequiredInput,
+} from "./actions-util";
+import { Logger } from "./logging";
 import { ConfigurationError } from "./util";
 
 export enum AnalysisKind {
@@ -39,6 +45,55 @@ export async function parseAnalysisKinds(
   );
 }
 
+// Used to avoid re-parsing the input after we have done it once.
+let cachedAnalysisKinds: AnalysisKind[] | undefined;
+
+/**
+ * Initialises the analysis kinds for the analysis based on the `analysis-kinds` input.
+ * This function will also use the deprecated `quality-queries` input as an indicator to enable `code-quality`.
+ * If the `analysis-kinds` input cannot be parsed, a `ConfigurationError` is thrown.
+ *
+ * @param logger The logger to use.
+ * @param skipCache For testing, whether to ignore the cached values (default: false).
+ *
+ * @returns The array of enabled analysis kinds.
+ * @throws A `ConfigurationError` if the `analysis-kinds` input cannot be parsed.
+ */
+export async function getAnalysisKinds(
+  logger: Logger,
+  skipCache: boolean = false,
+): Promise<AnalysisKind[]> {
+  if (!skipCache && cachedAnalysisKinds !== undefined) {
+    return cachedAnalysisKinds;
+  }
+
+  cachedAnalysisKinds = await parseAnalysisKinds(
+    getRequiredInput("analysis-kinds"),
+  );
+
+  // Warn that `quality-queries` is deprecated if there is an argument for it.
+  const qualityQueriesInput = getOptionalInput("quality-queries");
+
+  if (qualityQueriesInput !== undefined) {
+    logger.warning(
+      "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. " +
+        "Use the `analysis-kinds` input to configure different analysis kinds instead.",
+    );
+  }
+
+  // For backwards compatibility, add Code Quality to the enabled analysis kinds
+  // if an input to `quality-queries` was specified. We should remove this once
+  // `quality-queries` is no longer used.
+  if (
+    !cachedAnalysisKinds.includes(AnalysisKind.CodeQuality) &&
+    qualityQueriesInput !== undefined
+  ) {
+    cachedAnalysisKinds.push(AnalysisKind.CodeQuality);
+  }
+
+  return cachedAnalysisKinds;
+}
+
 /** The queries to use for Code Quality analyses. */
 export const codeQualityQueries: string[] = ["code-quality"];
 
@@ -61,6 +116,8 @@ export interface AnalysisConfig {
   /** A predicate on filenames to decide whether a SARIF file
    * belongs to this kind of analysis. */
   sarifPredicate: (name: string) => boolean;
+  /** Analysis-specific adjustment of the category. */
+  fixCategory: (logger: Logger, category?: string) => string | undefined;
   /** A prefix for environment variables used to track the uniqueness of SARIF uploads. */
   sentinelPrefix: string;
 }
@@ -74,6 +131,7 @@ export const CodeScanning: AnalysisConfig = {
   sarifPredicate: (name) =>
     name.endsWith(CodeScanning.sarifExtension) &&
     !CodeQuality.sarifPredicate(name),
+  fixCategory: (_, category) => category,
   sentinelPrefix: "CODEQL_UPLOAD_SARIF_",
 };
 
@@ -84,5 +142,29 @@ export const CodeQuality: AnalysisConfig = {
   target: SARIF_UPLOAD_ENDPOINT.CODE_QUALITY,
   sarifExtension: ".quality.sarif",
   sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
+  fixCategory: fixCodeQualityCategory,
   sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_",
 };
+
+/**
+ * Gets the `AnalysisConfig` corresponding to `kind`.
+ * @param kind The analysis kind to get the `AnalysisConfig` for.
+ * @returns The `AnalysisConfig` corresponding to `kind`.
+ */
+export function getAnalysisConfig(kind: AnalysisKind): AnalysisConfig {
+  // Using a switch statement here accomplishes two things:
+  // 1. The type checker believes us that we have a case for every `AnalysisKind`.
+  // 2. If we ever add another member to `AnalysisKind`, the type checker will alert us that we have to add a case.
+  switch (kind) {
+    case AnalysisKind.CodeScanning:
+      return CodeScanning;
+    case AnalysisKind.CodeQuality:
+      return CodeQuality;
+  }
+}
+
+// Since we have overlapping extensions (i.e. ".sarif" includes ".quality.sarif"),
+// we want to scan a folder containing SARIF files in an order that finds the more
+// specific extensions first. This constant defines an array in the order of analyis
+// configurations with more specific extensions to less specific extensions.
+export const SarifScanOrder = [CodeQuality, CodeScanning];

src/analyze-action-env.test.ts

@@ -24,6 +24,9 @@ setupTests(test);
 // but the first test would fail.
 
 test("analyze action with RAM & threads from environment variables", async (t) => {
+  // This test frequently times out on Windows with the default timeout, so we bump
+  // it a bit to 20s.
+  t.timeout(1000 * 20);
   await util.withTmpDir(async (tmpDir) => {
     process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
     process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";

src/analyze-action-input.test.ts

@@ -24,6 +24,7 @@ setupTests(test);
 // but the first test would fail.
 
 test("analyze action with RAM & threads from action inputs", async (t) => {
+  t.timeout(1000 * 20);
   await util.withTmpDir(async (tmpDir) => {
     process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
     process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";

src/analyze-action.ts

@@ -26,7 +26,10 @@ import {
   isCodeScanningEnabled,
 } from "./config-utils";
 import { uploadDatabases } from "./database-upload";
-import { uploadDependencyCaches } from "./dependency-caching";
+import {
+  DependencyCacheUploadStatusReport,
+  uploadDependencyCaches,
+} from "./dependency-caching";
 import { getDiffInformedAnalysisBranches } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { Feature, Features } from "./feature-flags";
@@ -49,16 +52,22 @@ import {
 } from "./trap-caching";
 import * as uploadLib from "./upload-lib";
 import { UploadResult } from "./upload-lib";
+import { postProcessAndUploadSarif } from "./upload-sarif";
 import * as util from "./util";
 
 interface AnalysisStatusReport
   extends uploadLib.UploadStatusReport,
     QueriesStatusReport {}
 
+interface DependencyCachingUploadStatusReport {
+  dependency_caching_upload_results?: DependencyCacheUploadStatusReport;
+}
+
 interface FinishStatusReport
   extends StatusReportBase,
     DatabaseCreationTimings,
-    AnalysisStatusReport {}
+    AnalysisStatusReport,
+    DependencyCachingUploadStatusReport {}
 
 interface FinishWithTrapUploadStatusReport extends FinishStatusReport {
   /** Size of TRAP caches that we uploaded, in bytes. */
@@ -76,6 +85,7 @@ async function sendStatusReport(
   dbCreationTimings: DatabaseCreationTimings | undefined,
   didUploadTrapCaches: boolean,
   trapCacheCleanup: TrapCacheCleanupStatusReport | undefined,
+  dependencyCacheResults: DependencyCacheUploadStatusReport | undefined,
   logger: Logger,
 ) {
   const status = getActionsStatus(error, stats?.analyze_failure_language);
@@ -95,6 +105,7 @@ async function sendStatusReport(
       ...(stats || {}),
       ...(dbCreationTimings || {}),
       ...(trapCacheCleanup || {}),
+      dependency_caching_upload_results: dependencyCacheResults,
     };
     if (config && didUploadTrapCaches) {
       const trapCacheUploadStatusReport: FinishWithTrapUploadStatusReport = {
@@ -201,7 +212,9 @@ async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {
 
 async function run() {
   const startedAt = new Date();
-  let uploadResult: UploadResult | undefined = undefined;
+  let uploadResults:
+    | Partial<Record<analyses.AnalysisKind, UploadResult>>
+    | undefined = undefined;
   let runStats: QueriesStatusReport | undefined = undefined;
   let config: Config | undefined = undefined;
   let trapCacheCleanupTelemetry: TrapCacheCleanupStatusReport | undefined =
@@ -209,6 +222,7 @@ async function run() {
   let trapCacheUploadTime: number | undefined = undefined;
   let dbCreationTimings: DatabaseCreationTimings | undefined = undefined;
   let didUploadTrapCaches = false;
+  let dependencyCacheResults: DependencyCacheUploadStatusReport | undefined;
   util.initializeEnvironment(actionsUtil.getActionVersion());
 
   // Make inputs accessible in the `post` step, details at
@@ -330,33 +344,67 @@ async function run() {
     }
     core.setOutput("db-locations", dbLocations);
     core.setOutput("sarif-output", path.resolve(outputDir));
-    const uploadInput = actionsUtil.getOptionalInput("upload");
-    if (runStats && actionsUtil.getUploadValue(uploadInput) === "always") {
-      if (isCodeScanningEnabled(config)) {
-        uploadResult = await uploadLib.uploadFiles(
-          outputDir,
-          actionsUtil.getRequiredInput("checkout_path"),
-          actionsUtil.getOptionalInput("category"),
-          features,
+    const uploadKind = actionsUtil.getUploadValue(
+      actionsUtil.getOptionalInput("upload"),
+    );
+    if (runStats) {
+      const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
+      const category = actionsUtil.getOptionalInput("category");
+
+      if (Math.random() > -1) {
+        uploadResults = await postProcessAndUploadSarif(
           logger,
-          analyses.CodeScanning,
+          features,
+          uploadKind,
+          checkoutPath,
+          outputDir,
+          category,
+          actionsUtil.getOptionalInput("post-processed-sarif-path"),
         );
-        core.setOutput("sarif-id", uploadResult.sarifID);
+      } else if (uploadKind === "always") {
+        uploadResults = {};
+
+        if (isCodeScanningEnabled(config)) {
+          uploadResults[analyses.AnalysisKind.CodeScanning] =
+            await uploadLib.uploadFiles(
+              outputDir,
+              checkoutPath,
+              category,
+              features,
+              logger,
+              analyses.CodeScanning,
+            );
+        }
+
+        if (isCodeQualityEnabled(config)) {
+          uploadResults[analyses.AnalysisKind.CodeQuality] =
+            await uploadLib.uploadFiles(
+              outputDir,
+              checkoutPath,
+              category,
+              features,
+              logger,
+              analyses.CodeQuality,
+            );
+        }
+      } else {
+        uploadResults = {};
+        logger.info("Not uploading results");
       }
 
-      if (isCodeQualityEnabled(config)) {
-        const qualityUploadResult = await uploadLib.uploadFiles(
-          outputDir,
-          actionsUtil.getRequiredInput("checkout_path"),
-          actionsUtil.fixCodeQualityCategory(
-            logger,
-            actionsUtil.getOptionalInput("category"),
-          ),
-          features,
-          logger,
-          analyses.CodeQuality,
+      // Set the SARIF id outputs only if we have results for them, to avoid
+      // having keys with empty values in the action output.
+      if (uploadResults[analyses.AnalysisKind.CodeScanning] !== undefined) {
+        core.setOutput(
+          "sarif-id",
+          uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
+        );
+      }
+      if (uploadResults[analyses.AnalysisKind.CodeQuality] !== undefined) {
+        core.setOutput(
+          "quality-sarif-id",
+          uploadResults[analyses.AnalysisKind.CodeQuality].sarifID,
         );
-        core.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
       }
     } else {
       logger.info("Not uploading results");
@@ -388,19 +436,23 @@ async function run() {
         Feature.JavaMinimizeDependencyJars,
         codeql,
       );
-      await uploadDependencyCaches(config, logger, minimizeJavaJars);
+      dependencyCacheResults = await uploadDependencyCaches(
+        config,
+        logger,
+        minimizeJavaJars,
+      );
     }
 
     // We don't upload results in test mode, so don't wait for processing
     if (util.isInTestMode()) {
       logger.debug("In test mode. Waiting for processing is disabled.");
     } else if (
-      uploadResult !== undefined &&
+      uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined &&
       actionsUtil.getRequiredInput("wait-for-processing") === "true"
     ) {
       await uploadLib.waitForProcessing(
         getRepositoryNwo(),
-        uploadResult.sarifID,
+        uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
         getActionsLogger(),
       );
     }
@@ -431,27 +483,32 @@ async function run() {
       dbCreationTimings,
       didUploadTrapCaches,
       trapCacheCleanupTelemetry,
+      dependencyCacheResults,
       logger,
     );
     return;
   }
 
-  if (runStats && uploadResult) {
+  if (
+    runStats !== undefined &&
+    uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined
+  ) {
     await sendStatusReport(
       startedAt,
       config,
       {
         ...runStats,
-        ...uploadResult.statusReport,
+        ...uploadResults[analyses.AnalysisKind.CodeScanning].statusReport,
       },
       undefined,
       trapCacheUploadTime,
       dbCreationTimings,
       didUploadTrapCaches,
       trapCacheCleanupTelemetry,
+      dependencyCacheResults,
       logger,
     );
-  } else if (runStats) {
+  } else if (runStats !== undefined) {
     await sendStatusReport(
       startedAt,
       config,
@@ -461,6 +518,7 @@ async function run() {
       dbCreationTimings,
       didUploadTrapCaches,
       trapCacheCleanupTelemetry,
+      dependencyCacheResults,
       logger,
     );
   } else {
@@ -473,6 +531,7 @@ async function run() {
       dbCreationTimings,
       didUploadTrapCaches,
       trapCacheCleanupTelemetry,
+      dependencyCacheResults,
       logger,
     );
   }

src/analyze.test.ts

@@ -334,7 +334,7 @@ test("resolveQuerySuiteAlias", (t) => {
   for (const suite of defaultSuites) {
     const resolved = resolveQuerySuiteAlias(KnownLanguage.go, suite);
     t.assert(
-      resolved.endsWith(".qls"),
+      path.extname(resolved) === ".qls",
       "Resolved default suite doesn't end in .qls",
     );
     t.assert(

src/analyze.ts

@@ -7,7 +7,6 @@ import * as del from "del";
 import * as yaml from "js-yaml";
 
 import {
-  fixCodeQualityCategory,
   getRequiredInput,
   getTemporaryDirectory,
   PullRequestBranches,
@@ -781,7 +780,7 @@ export async function runQueries(
     // accepted by the Code Quality backend.
     let category = automationDetailsId;
     if (analysis.kind === analyses.AnalysisKind.CodeQuality) {
-      category = fixCodeQualityCategory(logger, automationDetailsId);
+      category = analysis.fixCategory(logger, automationDetailsId);
     }
 
     const sarifFile = path.join(

src/api-client.ts

@@ -7,12 +7,12 @@ import { getActionVersion, getRequiredInput } from "./actions-util";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
+  asHTTPError,
   ConfigurationError,
   getRequiredEnvParam,
   GITHUB_DOTCOM_URL,
   GitHubVariant,
   GitHubVersion,
-  isHTTPError,
   parseGitHubUrl,
   parseMatrixInput,
 } from "./util";
@@ -245,7 +245,7 @@ export interface ActionsCacheItem {
 /** List all Actions cache entries matching the provided key and ref. */
 export async function listActionsCaches(
   key: string,
-  ref: string,
+  ref?: string,
 ): Promise<ActionsCacheItem[]> {
   const repositoryNwo = getRepositoryNwo();
 
@@ -260,26 +260,6 @@ export async function listActionsCaches(
   );
 }
 
-/**
- * List the most recently created Actions cache entry across all refs that
- * match the provided key.
- */
-export async function getMostRecentActionsCacheEntry(
-  key: string,
-): Promise<ActionsCacheItem | undefined> {
-  const repositoryNwo = getRepositoryNwo();
-
-  const cacheItems = await getApiClient().rest.actions.getActionsCacheList({
-    owner: repositoryNwo.owner,
-    repo: repositoryNwo.repo,
-    key,
-    sort: "created_at",
-    direction: "desc",
-    per_page: 1,
-  });
-  return cacheItems.data.actions_caches[0];
-}
-
 /** Delete an Actions cache item by its ID. */
 export async function deleteActionsCache(id: number) {
   const repositoryNwo = getRepositoryNwo();
@@ -300,22 +280,29 @@ export async function getRepositoryProperties(repositoryNwo: RepositoryNwo) {
 }
 
 export function wrapApiConfigurationError(e: unknown) {
-  if (isHTTPError(e)) {
+  const httpError = asHTTPError(e);
+  if (httpError !== undefined) {
     if (
-      e.message.includes("API rate limit exceeded for installation") ||
-      e.message.includes("commit not found") ||
-      e.message.includes("Resource not accessible by integration") ||
-      /ref .* not found in this repository/.test(e.message)
+      [
+        /API rate limit exceeded/,
+        /commit not found/,
+        /Resource not accessible by integration/,
+        /ref .* not found in this repository/,
+      ].some((pattern) => pattern.test(httpError.message))
     ) {
-      return new ConfigurationError(e.message);
-    } else if (
-      e.message.includes("Bad credentials") ||
-      e.message.includes("Not Found")
+      return new ConfigurationError(httpError.message);
+    }
+    if (
+      httpError.message.includes("Bad credentials") ||
+      httpError.message.includes("Not Found")
     ) {
       return new ConfigurationError(
         "Please check that your token is valid and has the required permissions: contents: read, security-events: write",
       );
     }
+    if (httpError.status === 429) {
+      return new ConfigurationError("API rate limit exceeded");
+    }
   }
   return e;
 }

src/autobuild.ts

@@ -52,11 +52,11 @@ export async function determineAutobuildLanguages(
    * For example, consider a user with the following workflow file:
    *
    * ```yml
-   * - uses: github/codeql-action/init@v3
+   * - uses: github/codeql-action/init@v4
    *   with:
    *     languages: go, java
-   * - uses: github/codeql-action/autobuild@v3
-   * - uses: github/codeql-action/analyze@v3
+   * - uses: github/codeql-action/autobuild@v4
+   * - uses: github/codeql-action/analyze@v4
    * ```
    *
    * - With Go extraction disabled, we will run the Java autobuilder in the

src/cli-errors.test.ts

@@ -310,6 +310,20 @@ test("wrapCliConfigurationError - pack cannot be found", (t) => {
   t.true(wrappedError instanceof ConfigurationError);
 });
 
+test("wrapCliConfigurationError - unknown query file", (t) => {
+  const commandError = new CommandInvocationError(
+    "codeql",
+    ["database", "init"],
+    2,
+    "my-query-file is not a .ql file, .qls file, a directory, or a query pack specification. See the logs for more details.",
+  );
+  const cliError = new CliError(commandError);
+
+  const wrappedError = wrapCliConfigurationError(cliError);
+
+  t.true(wrappedError instanceof ConfigurationError);
+});
+
 test("wrapCliConfigurationError - pack missing auth", (t) => {
   const commandError = new CommandInvocationError(
     "codeql",

src/cli-errors.ts

@@ -264,6 +264,9 @@ export const cliErrorsConfig: Record<
       new RegExp(
         "Query pack .* cannot be found\\. Check the spelling of the pack\\.",
       ),
+      new RegExp(
+        "is not a .ql file, .qls file, a directory, or a query pack specification.",
+      ),
     ],
   },
   [CliConfigErrorCategory.PackMissingAuth]: {

src/codeql.test.ts

@@ -36,7 +36,6 @@ import {
   createTestConfig,
 } from "./testing-utils";
 import { ToolsDownloadStatusReport } from "./tools-download";
-import { ToolsFeature } from "./tools-features";
 import * as util from "./util";
 import { initializeEnvironment } from "./util";
 
@@ -74,6 +73,7 @@ async function installIntoToolcache({
     cliVersion !== undefined
       ? { cliVersion, tagName }
       : SAMPLE_DEFAULT_CLI_VERSION,
+    createFeatures([]),
     getRunnerLogger(true),
     false,
   );
@@ -122,6 +122,8 @@ async function stubCodeql(): Promise<codeql.CodeQL> {
 }
 
 test("downloads and caches explicitly requested bundles that aren't in the toolcache", async (t) => {
+  const features = createFeatures([]);
+
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
@@ -140,6 +142,7 @@ test("downloads and caches explicitly requested bundles that aren't in the toolc
         tmpDir,
         util.GitHubVariant.DOTCOM,
         SAMPLE_DEFAULT_CLI_VERSION,
+        features,
         getRunnerLogger(true),
         false,
       );
@@ -154,6 +157,8 @@ test("downloads and caches explicitly requested bundles that aren't in the toolc
 });
 
 test("caches semantically versioned bundles using their semantic version number", async (t) => {
+  const features = createFeatures([]);
+
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
     const url = mockBundleDownloadApi({
@@ -166,6 +171,7 @@ test("caches semantically versioned bundles using their semantic version number"
       tmpDir,
       util.GitHubVariant.DOTCOM,
       SAMPLE_DEFAULT_CLI_VERSION,
+      features,
       getRunnerLogger(true),
       false,
     );
@@ -181,6 +187,8 @@ test("caches semantically versioned bundles using their semantic version number"
 });
 
 test("downloads an explicitly requested bundle even if a different version is cached", async (t) => {
+  const features = createFeatures([]);
+
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
@@ -199,6 +207,7 @@ test("downloads an explicitly requested bundle even if a different version is ca
       tmpDir,
       util.GitHubVariant.DOTCOM,
       SAMPLE_DEFAULT_CLI_VERSION,
+      features,
       getRunnerLogger(true),
       false,
     );
@@ -227,6 +236,8 @@ for (const {
   expectedToolcacheVersion,
 } of EXPLICITLY_REQUESTED_BUNDLE_TEST_CASES) {
   test(`caches explicitly requested bundle ${tagName} as ${expectedToolcacheVersion}`, async (t) => {
+    const features = createFeatures([]);
+
     await util.withTmpDir(async (tmpDir) => {
       setupActionsVars(tmpDir, tmpDir);
 
@@ -243,6 +254,7 @@ for (const {
         tmpDir,
         util.GitHubVariant.DOTCOM,
         SAMPLE_DEFAULT_CLI_VERSION,
+        features,
         getRunnerLogger(true),
         false,
       );
@@ -266,6 +278,8 @@ for (const toolcacheVersion of [
     `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
       `${toolcacheVersion} is installed`,
     async (t) => {
+      const features = createFeatures([]);
+
       await util.withTmpDir(async (tmpDir) => {
         setupActionsVars(tmpDir, tmpDir);
 
@@ -281,6 +295,7 @@ for (const toolcacheVersion of [
           tmpDir,
           util.GitHubVariant.DOTCOM,
           SAMPLE_DEFAULT_CLI_VERSION,
+          features,
           getRunnerLogger(true),
           false,
         );
@@ -295,6 +310,8 @@ for (const toolcacheVersion of [
 }
 
 test(`uses a cached bundle when no tools input is given on GHES`, async (t) => {
+  const features = createFeatures([]);
+
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
@@ -313,6 +330,7 @@ test(`uses a cached bundle when no tools input is given on GHES`, async (t) => {
         cliVersion: defaults.cliVersion,
         tagName: defaults.bundleVersion,
       },
+      features,
       getRunnerLogger(true),
       false,
     );
@@ -328,6 +346,8 @@ test(`uses a cached bundle when no tools input is given on GHES`, async (t) => {
 });
 
 test(`downloads bundle if only an unpinned version is cached on GHES`, async (t) => {
+  const features = createFeatures([]);
+
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
@@ -349,6 +369,7 @@ test(`downloads bundle if only an unpinned version is cached on GHES`, async (t)
         cliVersion: defaults.cliVersion,
         tagName: defaults.bundleVersion,
       },
+      features,
       getRunnerLogger(true),
       false,
     );
@@ -364,6 +385,8 @@ test(`downloads bundle if only an unpinned version is cached on GHES`, async (t)
 });
 
 test('downloads bundle if "latest" tools specified but not cached', async (t) => {
+  const features = createFeatures([]);
+
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
@@ -382,6 +405,7 @@ test('downloads bundle if "latest" tools specified but not cached', async (t) =>
       tmpDir,
       util.GitHubVariant.DOTCOM,
       SAMPLE_DEFAULT_CLI_VERSION,
+      features,
       getRunnerLogger(true),
       false,
     );
@@ -397,6 +421,8 @@ test('downloads bundle if "latest" tools specified but not cached', async (t) =>
 });
 
 test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t) => {
+  const features = createFeatures([]);
+
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
@@ -417,6 +443,7 @@ test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t)
       tmpDir,
       util.GitHubVariant.DOTCOM,
       SAMPLE_DEFAULT_CLI_VERSION,
+      features,
       getRunnerLogger(true),
       false,
     );
@@ -842,84 +869,6 @@ test("does not pass a qlconfig to the CLI when it is undefined", async (t: Execu
   });
 });
 
-const NEW_ANALYSIS_SUMMARY_TEST_CASES = [
-  {
-    codeqlVersion: makeVersionInfo("2.15.0", {
-      [ToolsFeature.AnalysisSummaryV2IsDefault]: true,
-    }),
-    githubVersion: {
-      type: util.GitHubVariant.DOTCOM,
-    },
-    flagPassed: false,
-    negativeFlagPassed: false,
-  },
-  {
-    codeqlVersion: makeVersionInfo("2.15.0"),
-    githubVersion: {
-      type: util.GitHubVariant.DOTCOM,
-    },
-    flagPassed: true,
-    negativeFlagPassed: false,
-  },
-  {
-    codeqlVersion: makeVersionInfo("2.15.0"),
-    githubVersion: {
-      type: util.GitHubVariant.GHES,
-      version: "3.10.0",
-    },
-    flagPassed: true,
-    negativeFlagPassed: false,
-  },
-];
-
-for (const {
-  codeqlVersion,
-  flagPassed,
-  githubVersion,
-  negativeFlagPassed,
-} of NEW_ANALYSIS_SUMMARY_TEST_CASES) {
-  test(`database interpret-results passes ${
-    flagPassed
-      ? "--new-analysis-summary"
-      : negativeFlagPassed
-        ? "--no-new-analysis-summary"
-        : "nothing"
-  } for CodeQL version ${JSON.stringify(codeqlVersion)} and ${
-    util.GitHubVariant[githubVersion.type]
-  } ${githubVersion.version ? ` ${githubVersion.version}` : ""}`, async (t) => {
-    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves(codeqlVersion);
-    // io throws because of the test CodeQL object.
-    sinon.stub(io, "which").resolves("");
-    await codeqlObject.databaseInterpretResults(
-      "",
-      [],
-      "",
-      "",
-      "",
-      "-v",
-      undefined,
-      "",
-      Object.assign({}, stubConfig, { gitHubVersion: githubVersion }),
-      createFeatures([]),
-    );
-    const actualArgs = runnerConstructorStub.firstCall.args[1] as string[];
-    t.is(
-      actualArgs.includes("--new-analysis-summary"),
-      flagPassed,
-      `--new-analysis-summary should${flagPassed ? "" : "n't"} be passed`,
-    );
-    t.is(
-      actualArgs.includes("--no-new-analysis-summary"),
-      negativeFlagPassed,
-      `--no-new-analysis-summary should${
-        negativeFlagPassed ? "" : "n't"
-      } be passed`,
-    );
-  });
-}
-
 test("runTool summarizes several fatal errors", async (t) => {
   const heapError =
     "A fatal error occurred: Evaluator heap must be at least 384.00 MiB";

src/codeql.ts

@@ -267,7 +267,7 @@ let cachedCodeQL: CodeQL | undefined = undefined;
  * The version flags below can be used to conditionally enable certain features
  * on versions newer than this.
  */
-const CODEQL_MINIMUM_VERSION = "2.16.6";
+const CODEQL_MINIMUM_VERSION = "2.17.6";
 
 /**
  * This version will shortly become the oldest version of CodeQL that the Action will run with.
@@ -308,6 +308,7 @@ const CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
  * @param tempDir
  * @param variant
  * @param defaultCliVersion
+ * @param features Information about the features that are enabled.
  * @param logger
  * @param checkVersion Whether to check that CodeQL CLI meets the minimum
  *        version requirement. Must be set to true outside tests.
@@ -319,6 +320,7 @@ export async function setupCodeQL(
   tempDir: string,
   variant: util.GitHubVariant,
   defaultCliVersion: CodeQLDefaultVersionInfo,
+  features: FeatureEnablement,
   logger: Logger,
   checkVersion: boolean,
 ): Promise<{
@@ -341,6 +343,7 @@ export async function setupCodeQL(
       tempDir,
       variant,
       defaultCliVersion,
+      features,
       logger,
     );
 
@@ -367,7 +370,8 @@ export async function setupCodeQL(
       toolsVersion,
       zstdAvailability,
     };
-  } catch (e) {
+  } catch (rawError) {
+    const e = api.wrapApiConfigurationError(rawError);
     const ErrorClass =
       e instanceof util.ConfigurationError ||
       (e instanceof Error && e.message.includes("ENOSPC")) // out of disk space
@@ -856,14 +860,6 @@ export async function getCodeQLForCmd(
       } else {
         codeqlArgs.push("--no-sarif-include-diagnostics");
       }
-      if (
-        !isSupportedToolsFeature(
-          await this.getVersion(),
-          ToolsFeature.AnalysisSummaryV2IsDefault,
-        )
-      ) {
-        codeqlArgs.push("--new-analysis-summary");
-      }
       codeqlArgs.push(databasePath);
       if (querySuitePaths) {
         codeqlArgs.push(...querySuitePaths);

src/config-utils.test.ts

@@ -49,10 +49,9 @@ function createTestInitConfigInputs(
   return Object.assign(
     {},
     {
-      analysisKindsInput: "code-scanning",
+      analysisKinds: [AnalysisKind.CodeScanning],
       languagesInput: undefined,
       queriesInput: undefined,
-      qualityQueriesInput: undefined,
       packsInput: undefined,
       configFile: undefined,
       dbLocation: undefined,
@@ -65,6 +64,16 @@ function createTestInitConfigInputs(
       debugDatabaseName: "",
       repository: { owner: "github", repo: "example" },
       tempDir: "",
+      codeql: createStubCodeQL({
+        async betterResolveLanguages() {
+          return {
+            extractors: {
+              html: [{ extractor_root: "" }],
+              javascript: [{ extractor_root: "" }],
+            },
+          };
+        },
+      }),
       workspacePath: "",
       sourceRoot: "",
       githubVersion,
@@ -89,20 +98,6 @@ function createConfigFile(inputFileContents: string, tmpDir: string): string {
   return configFilePath;
 }
 
-// Returns a default CodeQL stub for tests
-function createDefaultTestCodeQL() {
-  return createStubCodeQL({
-    async betterResolveLanguages() {
-      return {
-        extractors: {
-          html: [{ extractor_root: "" }],
-          javascript: [{ extractor_root: "" }],
-        },
-      };
-    },
-  });
-}
-
 type GetContentsResponse = { content?: string } | object[];
 
 function mockGetContents(
@@ -153,23 +148,24 @@ test("load empty config", async (t) => {
     });
 
     const config = await configUtils.initConfig(
+      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput: languages,
         repository: { owner: "github", repo: "example" },
         tempDir,
+        codeql,
         logger,
       }),
-      codeql,
     );
 
     const expectedConfig = await configUtils.initActionState(
       createTestInitConfigInputs({
         languagesInput: languages,
         tempDir,
+        codeql,
         logger,
       }),
       {},
-      codeql,
     );
 
     t.deepEqual(config, expectedConfig);
@@ -192,14 +188,15 @@ test("load code quality config", async (t) => {
     });
 
     const config = await configUtils.initConfig(
+      createFeatures([]),
       createTestInitConfigInputs({
-        analysisKindsInput: "code-quality",
+        analysisKinds: [AnalysisKind.CodeQuality],
         languagesInput: languages,
         repository: { owner: "github", repo: "example" },
         tempDir,
+        codeql,
         logger,
       }),
-      codeql,
     );
 
     // And the config we expect it to result in
@@ -276,15 +273,16 @@ test("initActionState doesn't throw if there are queries configured in the repos
 
     await t.notThrowsAsync(async () => {
       const config = await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
-          analysisKindsInput: "code-quality",
+          analysisKinds: [AnalysisKind.CodeQuality],
           languagesInput: languages,
           repository: { owner: "github", repo: "example" },
           tempDir,
+          codeql,
           repositoryProperties,
           logger,
         }),
-        codeql,
       );
 
       t.deepEqual(config, expectedConfig);
@@ -314,13 +312,14 @@ test("loading a saved config produces the same config", async (t) => {
     t.deepEqual(await configUtils.getConfig(tempDir, logger), undefined);
 
     const config1 = await configUtils.initConfig(
+      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput: "javascript,python",
         tempDir,
+        codeql,
         workspacePath: tempDir,
         logger,
       }),
-      codeql,
     );
     await configUtils.saveConfig(config1, logger);
 
@@ -365,13 +364,14 @@ test("loading config with version mismatch throws", async (t) => {
       .returns("does-not-exist");
 
     const config = await configUtils.initConfig(
+      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput: "javascript,python",
         tempDir,
+        codeql,
         workspacePath: tempDir,
         logger,
       }),
-      codeql,
     );
     // initConfig does not save the config, so we do it here.
     await configUtils.saveConfig(config, logger);
@@ -393,12 +393,12 @@ test("load input outside of workspace", async (t) => {
   return await withTmpDir(async (tempDir) => {
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           configFile: "../input",
           tempDir,
           workspacePath: tempDir,
         }),
-        createDefaultTestCodeQL(),
       );
       throw new Error("initConfig did not throw error");
     } catch (err) {
@@ -421,12 +421,12 @@ test("load non-local input with invalid repo syntax", async (t) => {
 
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           configFile,
           tempDir,
           workspacePath: tempDir,
         }),
-        createDefaultTestCodeQL(),
       );
       throw new Error("initConfig did not throw error");
     } catch (err) {
@@ -450,13 +450,13 @@ test("load non-existent input", async (t) => {
 
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           languagesInput,
           configFile,
           tempDir,
           workspacePath: tempDir,
         }),
-        createDefaultTestCodeQL(),
       );
       throw new Error("initConfig did not throw error");
     } catch (err) {
@@ -534,6 +534,7 @@ test("load non-empty input", async (t) => {
     const configFilePath = createConfigFile(inputFileContents, tempDir);
 
     const actualConfig = await configUtils.initConfig(
+      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput,
         buildModeInput: "none",
@@ -541,9 +542,9 @@ test("load non-empty input", async (t) => {
         debugArtifactName: "my-artifact",
         debugDatabaseName: "my-db",
         tempDir,
+        codeql,
         workspacePath: tempDir,
       }),
-      codeql,
     );
 
     // Should exactly equal the object we constructed earlier
@@ -589,15 +590,17 @@ test("Using config input and file together, config input should be used.", async
     // Only JS, python packs will be ignored
     const languagesInput = "javascript";
 
-    const inputs = createTestInitConfigInputs({
-      languagesInput,
-      configFile: configFilePath,
-      configInput,
-      tempDir,
-      workspacePath: tempDir,
-    });
-    configUtils.amendInputConfigFile(inputs, inputs.logger);
-    const config = await configUtils.initConfig(inputs, codeql);
+    const config = await configUtils.initConfig(
+      createFeatures([]),
+      createTestInitConfigInputs({
+        languagesInput,
+        configFile: configFilePath,
+        configInput,
+        tempDir,
+        codeql,
+        workspacePath: tempDir,
+      }),
+    );
 
     t.deepEqual(config.originalUserInput, yaml.load(configInput));
   });
@@ -639,13 +642,14 @@ test("API client used when reading remote config", async (t) => {
     const languagesInput = "javascript";
 
     await configUtils.initConfig(
+      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput,
         configFile,
         tempDir,
+        codeql,
         workspacePath: tempDir,
       }),
-      codeql,
     );
     t.assert(spyGetContents.called);
   });
@@ -659,12 +663,12 @@ test("Remote config handles the case where a directory is provided", async (t) =
     const repoReference = "octo-org/codeql-config/config.yaml@main";
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           configFile: repoReference,
           tempDir,
           workspacePath: tempDir,
         }),
-        createDefaultTestCodeQL(),
       );
       throw new Error("initConfig did not throw error");
     } catch (err) {
@@ -688,12 +692,12 @@ test("Invalid format of remote config handled correctly", async (t) => {
     const repoReference = "octo-org/codeql-config/config.yaml@main";
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           configFile: repoReference,
           tempDir,
           workspacePath: tempDir,
         }),
-        createDefaultTestCodeQL(),
       );
       throw new Error("initConfig did not throw error");
     } catch (err) {
@@ -718,11 +722,12 @@ test("No detected languages", async (t) => {
 
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           tempDir,
+          codeql,
           workspacePath: tempDir,
         }),
-        codeql,
       );
       throw new Error("initConfig did not throw error");
     } catch (err) {
@@ -740,12 +745,12 @@ test("Unknown languages", async (t) => {
 
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           languagesInput,
           tempDir,
           workspacePath: tempDir,
         }),
-        createDefaultTestCodeQL(),
       );
       throw new Error("initConfig did not throw error");
     } catch (err) {
@@ -996,7 +1001,7 @@ interface OverlayDatabaseModeTestSetup {
   isDefaultBranch: boolean;
   repositoryOwner: string;
   buildMode: BuildMode | undefined;
-  languages: string[];
+  languages: Language[];
   codeqlVersion: string;
   gitRoot: string | undefined;
   codeScanningConfig: configUtils.UserConfig;
@@ -1023,8 +1028,6 @@ const getOverlayDatabaseModeMacro = test.macro({
     expected: {
       overlayDatabaseMode: OverlayDatabaseMode;
       useOverlayDatabaseCaching: boolean;
-      preliminaryOverlayDatabaseMode?: OverlayDatabaseMode;
-      preliminaryUseOverlayDatabaseCaching?: boolean;
     },
   ) => {
     return await withTmpDir(async (tempDir) => {
@@ -1086,51 +1089,13 @@ const getOverlayDatabaseModeMacro = test.macro({
           repository,
           features,
           setup.languages,
-          setup.languages.join(","),
           tempDir, // sourceRoot
           setup.buildMode,
           setup.codeScanningConfig,
           logger,
         );
 
-        const expectedResult = {
-          overlayDatabaseMode: expected.overlayDatabaseMode,
-          useOverlayDatabaseCaching: expected.useOverlayDatabaseCaching,
-        };
-        t.deepEqual(result, expectedResult);
-
-        let configFile: string | undefined;
-        if (Object.keys(setup.codeScanningConfig).length > 0) {
-          configFile = createConfigFile(
-            yaml.dump(setup.codeScanningConfig),
-            tempDir,
-          );
-        }
-
-        // Test getPreliminaryOverlayDatabaseMode as well
-        const preliminaryResult =
-          await configUtils.getPreliminaryOverlayDatabaseMode(
-            createTestInitConfigInputs({
-              languagesInput: setup.languages.join(","),
-              configFile,
-              features,
-              tempDir,
-              workspacePath: tempDir,
-              sourceRoot: tempDir,
-              repository,
-              logger,
-            }),
-          );
-
-        const expectedPreliminaryResult = {
-          overlayDatabaseMode:
-            expected.preliminaryOverlayDatabaseMode ??
-            expected.overlayDatabaseMode,
-          useOverlayDatabaseCaching:
-            expected.preliminaryUseOverlayDatabaseCaching ??
-            expected.useOverlayDatabaseCaching,
-        };
-        t.deepEqual(preliminaryResult, expectedPreliminaryResult);
+        t.deepEqual(result, expected);
       } finally {
         // Restore the original environment
         process.env = originalEnv;
@@ -1385,20 +1350,6 @@ test(
   },
 );
 
-test(
-  getOverlayDatabaseModeMacro,
-  "Overlay analysis on PR when feature enabled via language alias",
-  {
-    languages: ["javascript-typescript"],
-    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
-    isPullRequest: true,
-  },
-  {
-    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
-    useOverlayDatabaseCaching: true,
-  },
-);
-
 test(
   getOverlayDatabaseModeMacro,
   "Overlay analysis on PR when feature enabled with custom analysis",
@@ -1555,20 +1506,6 @@ test(
   },
 );
 
-test(
-  getOverlayDatabaseModeMacro,
-  "No overlay analysis on PR when the language is unknown",
-  {
-    languages: ["cobol"],
-    features: [Feature.OverlayAnalysis],
-    isPullRequest: true,
-  },
-  {
-    overlayDatabaseMode: OverlayDatabaseMode.None,
-    useOverlayDatabaseCaching: false,
-  },
-);
-
 test(
   getOverlayDatabaseModeMacro,
   "Overlay PR analysis by env for dsp-testing",
@@ -1636,8 +1573,6 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
-    preliminaryOverlayDatabaseMode: OverlayDatabaseMode.Overlay,
-    preliminaryUseOverlayDatabaseCaching: false,
   },
 );
 
@@ -1652,8 +1587,6 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
-    preliminaryOverlayDatabaseMode: OverlayDatabaseMode.Overlay,
-    preliminaryUseOverlayDatabaseCaching: false,
   },
 );
 
@@ -1667,8 +1600,6 @@ test(
   {
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
-    preliminaryOverlayDatabaseMode: OverlayDatabaseMode.Overlay,
-    preliminaryUseOverlayDatabaseCaching: false,
   },
 );
 

src/config-utils.ts

@@ -11,7 +11,6 @@ import {
   CodeQuality,
   codeQualityQueries,
   CodeScanning,
-  parseAnalysisKinds,
 } from "./analyses";
 import * as api from "./api-client";
 import { CachingKind, getCachingKind } from "./caching-utils";
@@ -20,6 +19,7 @@ import {
   calculateAugmentation,
   ExcludeQueryFilter,
   generateCodeScanningConfig,
+  parseUserConfig,
   UserConfig,
 } from "./config/db-config";
 import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-utils";
@@ -33,7 +33,6 @@ import {
   CODEQL_OVERLAY_MINIMUM_VERSION,
   OverlayDatabaseMode,
 } from "./overlay-database-utils";
-import * as overlayLanguageAliases from "./overlay-language-aliases.json";
 import { RepositoryNwo } from "./repository";
 import { downloadTrapCaches } from "./trap-caching";
 import {
@@ -332,36 +331,6 @@ export async function getLanguages(
   return languages;
 }
 
-/**
- * Get the (unverified) languages for overlay analysis.
- *
- * This is a simplified version of `getLanguages` that only resolves language
- * aliases but does not check if the languages are actually supported by the
- * CodeQL CLI. It is intended to be used for overlay analysis preparations
- * before the CodeQL CLI is available.
- */
-async function getUnverifiedLanguagesForOverlay(
-  languagesInput: string | undefined,
-  repository: RepositoryNwo,
-  sourceRoot: string,
-  logger: Logger,
-): Promise<string[]> {
-  // Obtain languages without filtering them.
-  const { rawLanguages } = await getRawLanguages(
-    languagesInput,
-    repository,
-    sourceRoot,
-    logger,
-  );
-  const languageAliases = overlayLanguageAliases as Record<string, string>;
-
-  const languagesSet: string[] = [];
-  for (const language of rawLanguages) {
-    languagesSet.push(languageAliases[language] || language);
-  }
-  return languagesSet;
-}
-
 export function getRawLanguagesNoAutodetect(
   languagesInput: string | undefined,
 ): string[] {
@@ -404,10 +373,8 @@ export async function getRawLanguages(
 
 /** Inputs required to initialize a configuration. */
 export interface InitConfigInputs {
-  analysisKindsInput: string;
   languagesInput: string | undefined;
   queriesInput: string | undefined;
-  qualityQueriesInput: string | undefined;
   packsInput: string | undefined;
   configFile: string | undefined;
   dbLocation: string | undefined;
@@ -420,12 +387,14 @@ export interface InitConfigInputs {
   debugDatabaseName: string;
   repository: RepositoryNwo;
   tempDir: string;
+  codeql: CodeQL;
   workspacePath: string;
   sourceRoot: string;
   githubVersion: GitHubVersion;
   apiDetails: api.GitHubApiCombinedDetails;
   features: FeatureEnablement;
   repositoryProperties: RepositoryProperties;
+  analysisKinds: AnalysisKind[];
   logger: Logger;
 }
 
@@ -435,10 +404,8 @@ export interface InitConfigInputs {
  */
 export async function initActionState(
   {
-    analysisKindsInput,
     languagesInput,
     queriesInput,
-    qualityQueriesInput,
     packsInput,
     buildModeInput,
     dbLocation,
@@ -449,27 +416,16 @@ export async function initActionState(
     debugDatabaseName,
     repository,
     tempDir,
+    codeql,
     sourceRoot,
     githubVersion,
     features,
     repositoryProperties,
+    analysisKinds,
     logger,
   }: InitConfigInputs,
   userConfig: UserConfig,
-  codeql: CodeQL,
 ): Promise<Config> {
-  const analysisKinds = await parseAnalysisKinds(analysisKindsInput);
-
-  // For backwards compatibility, add Code Quality to the enabled analysis kinds
-  // if an input to `quality-queries` was specified. We should remove this once
-  // `quality-queries` is no longer used.
-  if (
-    !analysisKinds.includes(AnalysisKind.CodeQuality) &&
-    qualityQueriesInput !== undefined
-  ) {
-    analysisKinds.push(AnalysisKind.CodeQuality);
-  }
-
   const languages = await getLanguages(
     codeql,
     languagesInput,
@@ -569,48 +525,14 @@ async function downloadCacheWithTime(
   return { trapCaches, trapCacheDownloadTime };
 }
 
-/**
- * Amends the input config file if configInput is provided.
- * If configInput is set, it takes precedence over configFile.
- *
- * This function should be called only once on any specific `InitConfigInputs`
- * object. Otherwise it could emit a false warning.
- */
-export function amendInputConfigFile(
-  inputs: InitConfigInputs,
-  logger: Logger,
-): void {
-  // if configInput is set, it takes precedence over configFile
-  if (inputs.configInput) {
-    if (inputs.configFile) {
-      logger.warning(
-        `Both a config file and config input were provided. Ignoring config file.`,
-      );
-    }
-    inputs.configFile = userConfigFromActionPath(inputs.tempDir);
-    fs.writeFileSync(inputs.configFile, inputs.configInput);
-    logger.debug(`Using config from action input: ${inputs.configFile}`);
-  }
-}
-
-/**
- * Load user configuration from a file or return an empty configuration
- * if no config file is specified.
- */
 async function loadUserConfig(
-  configFile: string | undefined,
+  logger: Logger,
+  configFile: string,
   workspacePath: string,
   apiDetails: api.GitHubApiCombinedDetails,
   tempDir: string,
-  logger: Logger,
+  validateConfig: boolean,
 ): Promise<UserConfig> {
-  if (!configFile) {
-    logger.debug("No configuration file was provided");
-    return {};
-  }
-
-  logger.debug(`Using configuration file: ${configFile}`);
-
   if (isLocal(configFile)) {
     if (configFile !== userConfigFromActionPath(tempDir)) {
       // If the config file is not generated by the Action, it should be relative to the workspace.
@@ -622,9 +544,14 @@ async function loadUserConfig(
         );
       }
     }
-    return getLocalConfig(configFile);
+    return getLocalConfig(logger, configFile, validateConfig);
   } else {
-    return await getRemoteConfig(configFile, apiDetails);
+    return await getRemoteConfig(
+      logger,
+      configFile,
+      apiDetails,
+      validateConfig,
+    );
   }
 }
 
@@ -655,38 +582,32 @@ const OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES: Record<Language, Feature> = {
 };
 
 async function isOverlayAnalysisFeatureEnabled(
-  codeScanningConfig: UserConfig,
-  languagesInput: string | undefined,
   repository: RepositoryNwo,
-  sourceRoot: string,
   features: FeatureEnablement,
-  logger: Logger,
+  codeql: CodeQL,
+  languages: Language[],
+  codeScanningConfig: UserConfig,
 ): Promise<boolean> {
   // TODO: Remove the repository owner check once support for overlay analysis
   // stabilizes, and no more backward-incompatible changes are expected.
   if (!["github", "dsp-testing"].includes(repository.owner)) {
     return false;
   }
-  if (!(await features.getValue(Feature.OverlayAnalysis))) {
+  if (!(await features.getValue(Feature.OverlayAnalysis, codeql))) {
     return false;
   }
-
-  const languages = await getUnverifiedLanguagesForOverlay(
-    languagesInput,
-    repository,
-    sourceRoot,
-    logger,
-  );
-
   let enableForCodeScanningOnly = false;
   for (const language of languages) {
     const feature = OVERLAY_ANALYSIS_FEATURES[language];
-    if (feature && (await features.getValue(feature))) {
+    if (feature && (await features.getValue(feature, codeql))) {
       continue;
     }
     const codeScanningFeature =
       OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES[language];
-    if (codeScanningFeature && (await features.getValue(codeScanningFeature))) {
+    if (
+      codeScanningFeature &&
+      (await features.getValue(codeScanningFeature, codeql))
+    ) {
       enableForCodeScanningOnly = true;
       continue;
     }
@@ -724,18 +645,14 @@ async function isOverlayAnalysisFeatureEnabled(
  * For `Overlay` and `OverlayBase`, the function performs further checks and
  * reverts to `None` if any check should fail.
  *
- * If `codeql` or `languages` is undefined, the function will skip checks that
- * depend on them.
- *
  * @returns An object containing the overlay database mode and whether the
  * action should perform overlay-base database caching.
  */
 export async function getOverlayDatabaseMode(
-  codeql: CodeQL | undefined,
+  codeql: CodeQL,
   repository: RepositoryNwo,
   features: FeatureEnablement,
-  languages: Language[] | undefined,
-  languagesInput: string | undefined,
+  languages: Language[],
   sourceRoot: string,
   buildMode: BuildMode | undefined,
   codeScanningConfig: UserConfig,
@@ -762,12 +679,11 @@ export async function getOverlayDatabaseMode(
     );
   } else if (
     await isOverlayAnalysisFeatureEnabled(
-      codeScanningConfig,
-      languagesInput,
       repository,
-      sourceRoot,
       features,
-      logger,
+      codeql,
+      languages,
+      codeScanningConfig,
     )
   ) {
     if (isAnalyzingPullRequest()) {
@@ -797,12 +713,17 @@ export async function getOverlayDatabaseMode(
   }
 
   if (
-    codeql !== undefined &&
-    languages !== undefined &&
     buildMode !== BuildMode.None &&
     (
       await Promise.all(
-        languages.map(async (l) => await codeql.isTracedLanguage(l)),
+        languages.map(
+          async (l) =>
+            l !== KnownLanguage.go && // Workaround to allow overlay analysis for Go with any build
+            // mode, since it does not yet support BMN. The Go autobuilder and/or extractor will
+            // ensure that overlay-base databases are only created for supported Go build setups,
+            // and that we'll fall back to full databases in other cases.
+            (await codeql.isTracedLanguage(l)),
+        ),
       )
     ).some(Boolean)
   ) {
@@ -813,10 +734,7 @@ export async function getOverlayDatabaseMode(
     );
     return nonOverlayAnalysis;
   }
-  if (
-    codeql !== undefined &&
-    !(await codeQlVersionAtLeast(codeql, CODEQL_OVERLAY_MINIMUM_VERSION))
-  ) {
+  if (!(await codeQlVersionAtLeast(codeql, CODEQL_OVERLAY_MINIMUM_VERSION))) {
     logger.warning(
       `Cannot build an ${overlayDatabaseMode} database because ` +
         `the CodeQL CLI is older than ${CODEQL_OVERLAY_MINIMUM_VERSION}. ` +
@@ -839,62 +757,6 @@ export async function getOverlayDatabaseMode(
   };
 }
 
-/**
- * Get preliminary overlay database mode using only the information available
- * in InitConfigInputs, without depending on CodeQL.
- *
- * This is a simplified version of getOverlayDatabaseMode that can be called
- * before the CodeQL CLI is available.
- *
- * @param inputs The initialization configuration inputs.
- * @returns An object containing the overlay database mode and whether the
- * action should perform overlay-base database caching.
- */
-export async function getPreliminaryOverlayDatabaseMode(
-  inputs: InitConfigInputs,
-): Promise<{
-  overlayDatabaseMode: OverlayDatabaseMode;
-  useOverlayDatabaseCaching: boolean;
-}> {
-  const userConfig = await loadUserConfig(
-    inputs.configFile,
-    inputs.workspacePath,
-    inputs.apiDetails,
-    inputs.tempDir,
-    inputs.logger,
-  );
-
-  const languages = await getUnverifiedLanguagesForOverlay(
-    inputs.languagesInput,
-    inputs.repository,
-    inputs.sourceRoot,
-    inputs.logger,
-  );
-  const augmentationProperties = await calculateAugmentation(
-    inputs.packsInput,
-    inputs.queriesInput,
-    inputs.repositoryProperties,
-    languages,
-  );
-  const computedConfig = generateCodeScanningConfig(
-    inputs.logger,
-    userConfig,
-    augmentationProperties,
-  );
-
-  return getOverlayDatabaseMode(
-    undefined, // codeql
-    inputs.repository,
-    inputs.features,
-    undefined, // languages
-    inputs.languagesInput,
-    inputs.sourceRoot,
-    undefined, // buildMode
-    computedConfig,
-    inputs.logger,
-  );
-}
-
 function dbLocationOrDefault(
   dbLocation: string | undefined,
   tempDir: string,
@@ -926,19 +788,40 @@ function hasQueryCustomisation(userConfig: UserConfig): boolean {
  * a default config. The parsed config is then stored to a known location.
  */
 export async function initConfig(
+  features: FeatureEnablement,
   inputs: InitConfigInputs,
-  codeql: CodeQL,
 ): Promise<Config> {
   const { logger, tempDir } = inputs;
 
-  const userConfig = await loadUserConfig(
-    inputs.configFile,
-    inputs.workspacePath,
-    inputs.apiDetails,
-    tempDir,
-    logger,
-  );
-  const config = await initActionState(inputs, userConfig, codeql);
+  // if configInput is set, it takes precedence over configFile
+  if (inputs.configInput) {
+    if (inputs.configFile) {
+      logger.warning(
+        `Both a config file and config input were provided. Ignoring config file.`,
+      );
+    }
+    inputs.configFile = userConfigFromActionPath(tempDir);
+    fs.writeFileSync(inputs.configFile, inputs.configInput);
+    logger.debug(`Using config from action input: ${inputs.configFile}`);
+  }
+
+  let userConfig: UserConfig = {};
+  if (!inputs.configFile) {
+    logger.debug("No configuration file was provided");
+  } else {
+    logger.debug(`Using configuration file: ${inputs.configFile}`);
+    const validateConfig = await features.getValue(Feature.ValidateDbConfig);
+    userConfig = await loadUserConfig(
+      logger,
+      inputs.configFile,
+      inputs.workspacePath,
+      inputs.apiDetails,
+      tempDir,
+      validateConfig,
+    );
+  }
+
+  const config = await initActionState(inputs, userConfig);
 
   // If Code Quality analysis is the only enabled analysis kind, then we will initialise
   // the database for Code Quality. That entails disabling the default queries and only
@@ -965,11 +848,10 @@ export async function initConfig(
   // rest of the config has been populated.
   const { overlayDatabaseMode, useOverlayDatabaseCaching } =
     await getOverlayDatabaseMode(
-      codeql,
+      inputs.codeql,
       inputs.repository,
       inputs.features,
       config.languages,
-      inputs.languagesInput,
       inputs.sourceRoot,
       config.buildMode,
       config.computedConfig,
@@ -984,7 +866,11 @@ export async function initConfig(
 
   if (
     overlayDatabaseMode === OverlayDatabaseMode.Overlay ||
-    (await shouldPerformDiffInformedAnalysis(codeql, inputs.features, logger))
+    (await shouldPerformDiffInformedAnalysis(
+      inputs.codeql,
+      inputs.features,
+      logger,
+    ))
   ) {
     config.extraQueryExclusions.push({
       exclude: { tags: "exclude-from-incremental" },
@@ -1025,7 +911,11 @@ function isLocal(configPath: string): boolean {
   return configPath.indexOf("@") === -1;
 }
 
-function getLocalConfig(configFile: string): UserConfig {
+function getLocalConfig(
+  logger: Logger,
+  configFile: string,
+  validateConfig: boolean,
+): UserConfig {
   // Error if the file does not exist
   if (!fs.existsSync(configFile)) {
     throw new ConfigurationError(
@@ -1033,12 +923,19 @@ function getLocalConfig(configFile: string): UserConfig {
     );
   }
 
-  return yaml.load(fs.readFileSync(configFile, "utf8")) as UserConfig;
+  return parseUserConfig(
+    logger,
+    configFile,
+    fs.readFileSync(configFile, "utf-8"),
+    validateConfig,
+  );
 }
 
 async function getRemoteConfig(
+  logger: Logger,
   configFile: string,
   apiDetails: api.GitHubApiCombinedDetails,
+  validateConfig: boolean,
 ): Promise<UserConfig> {
   // retrieve the various parts of the config location, and ensure they're present
   const format = new RegExp(
@@ -1046,7 +943,7 @@ async function getRemoteConfig(
   );
   const pieces = format.exec(configFile);
   // 5 = 4 groups + the whole expression
-  if (pieces === null || pieces.groups === undefined || pieces.length < 5) {
+  if (pieces?.groups === undefined || pieces.length < 5) {
     throw new ConfigurationError(
       errorMessages.getConfigFileRepoFormatInvalidMessage(configFile),
     );
@@ -1074,9 +971,12 @@ async function getRemoteConfig(
     );
   }
 
-  return yaml.load(
+  return parseUserConfig(
+    logger,
+    configFile,
     Buffer.from(fileContents, "base64").toString("binary"),
-  ) as UserConfig;
+    validateConfig,
+  );
 }
 
 /**

src/config/db-config.test.ts

@@ -2,7 +2,13 @@ import test, { ExecutionContext } from "ava";
 
 import { RepositoryProperties } from "../feature-flags/properties";
 import { KnownLanguage, Language } from "../languages";
-import { prettyPrintPack } from "../util";
+import { getRunnerLogger } from "../logging";
+import {
+  checkExpectedLogMessages,
+  getRecordingLogger,
+  LoggedMessage,
+} from "../testing-utils";
+import { ConfigurationError, prettyPrintPack } from "../util";
 
 import * as dbConfig from "./db-config";
 
@@ -153,7 +159,6 @@ const packSpecPrettyPrintingMacro = test.macro({
   title: (
     _providedTitle: string | undefined,
     packStr: string,
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
     _packObj: dbConfig.Pack,
   ) => `Prettyprint pack spec: '${packStr}'`,
 });
@@ -392,3 +397,111 @@ test(
   {},
   /"a-pack-without-a-scope" is not a valid pack/,
 );
+
+test("parseUserConfig - successfully parses valid YAML", (t) => {
+  const result = dbConfig.parseUserConfig(
+    getRunnerLogger(true),
+    "test",
+    `
+    paths-ignore:
+      - "some/path"
+    queries:
+      - uses: foo
+    some-unknown-option: true
+    `,
+    true,
+  );
+  t.truthy(result);
+  if (t.truthy(result["paths-ignore"])) {
+    t.is(result["paths-ignore"].length, 1);
+    t.is(result["paths-ignore"][0], "some/path");
+  }
+  if (t.truthy(result["queries"])) {
+    t.is(result["queries"].length, 1);
+    t.deepEqual(result["queries"][0], { uses: "foo" });
+  }
+});
+
+test("parseUserConfig - throws a ConfigurationError if the file is not valid YAML", (t) => {
+  t.throws(
+    () =>
+      dbConfig.parseUserConfig(
+        getRunnerLogger(true),
+        "test",
+        `
+        paths-ignore:
+         - "some/path"
+         queries:
+         - foo
+        `,
+        true,
+      ),
+    {
+      instanceOf: ConfigurationError,
+    },
+  );
+});
+
+test("parseUserConfig - validation isn't picky about `query-filters`", (t) => {
+  const loggedMessages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(loggedMessages);
+
+  t.notThrows(() =>
+    dbConfig.parseUserConfig(
+      logger,
+      "test",
+      `
+        query-filters:
+          - something
+          - include: foo
+          - exclude: bar
+        `,
+      true,
+    ),
+  );
+});
+
+test("parseUserConfig - throws a ConfigurationError if validation fails", (t) => {
+  const loggedMessages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(loggedMessages);
+
+  t.throws(
+    () =>
+      dbConfig.parseUserConfig(
+        logger,
+        "test",
+        `
+        paths-ignore:
+         - "some/path"
+        queries: true
+        `,
+        true,
+      ),
+    {
+      instanceOf: ConfigurationError,
+      message:
+        'The configuration file "test" is invalid: instance.queries is not of a type(s) array.',
+    },
+  );
+
+  const expectedMessages = ["instance.queries is not of a type(s) array"];
+  checkExpectedLogMessages(t, loggedMessages, expectedMessages);
+});
+
+test("parseUserConfig - throws no ConfigurationError if validation should fail, but feature is disabled", (t) => {
+  const loggedMessages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(loggedMessages);
+
+  t.notThrows(() =>
+    dbConfig.parseUserConfig(
+      logger,
+      "test",
+      `
+        paths-ignore:
+         - "some/path"
+        queries: true
+        `,
+      false,
+    ),
+  );
+});

src/config/db-config.ts

@@ -1,5 +1,7 @@
 import * as path from "path";
 
+import * as yaml from "js-yaml";
+import * as jsonschema from "jsonschema";
 import * as semver from "semver";
 
 import * as errorMessages from "../error-messages";
@@ -378,10 +380,7 @@ function combineQueries(
   const result: QuerySpec[] = [];
 
   // Query settings obtained from the repository properties have the highest precedence.
-  if (
-    augmentationProperties.repoPropertyQueries &&
-    augmentationProperties.repoPropertyQueries.input
-  ) {
+  if (augmentationProperties.repoPropertyQueries?.input) {
     logger.info(
       `Found query configuration in the repository properties (${RepositoryPropertyName.EXTRA_QUERIES}): ` +
         `${augmentationProperties.repoPropertyQueries.input.map((q) => q.uses).join(", ")}`,
@@ -474,3 +473,53 @@ export function generateCodeScanningConfig(
 
   return augmentedConfig;
 }
+
+/**
+ * Attempts to parse `contents` into a `UserConfig` value.
+ *
+ * @param logger The logger to use.
+ * @param pathInput The path to the file where `contents` was obtained from, for use in error messages.
+ * @param contents The string contents of a YAML file to try and parse as a `UserConfig`.
+ * @param validateConfig Whether to validate the configuration file against the schema.
+ * @returns The `UserConfig` corresponding to `contents`, if parsing was successful.
+ * @throws A `ConfigurationError` if parsing failed.
+ */
+export function parseUserConfig(
+  logger: Logger,
+  pathInput: string,
+  contents: string,
+  validateConfig: boolean,
+): UserConfig {
+  try {
+    const schema =
+      // eslint-disable-next-line @typescript-eslint/no-require-imports
+      require("../../src/db-config-schema.json") as jsonschema.Schema;
+
+    const doc = yaml.load(contents);
+
+    if (validateConfig) {
+      const result = new jsonschema.Validator().validate(doc, schema);
+
+      if (result.errors.length > 0) {
+        for (const error of result.errors) {
+          logger.error(error.stack);
+        }
+        throw new ConfigurationError(
+          errorMessages.getInvalidConfigFileMessage(
+            pathInput,
+            result.errors.map((e) => e.stack),
+          ),
+        );
+      }
+    }
+
+    return doc as UserConfig;
+  } catch (error) {
+    if (error instanceof yaml.YAMLException) {
+      throw new ConfigurationError(
+        errorMessages.getConfigFileParseErrorMessage(pathInput, error.message),
+      );
+    }
+    throw error;
+  }
+}

src/database-upload.test.ts

@@ -5,6 +5,7 @@ import test from "ava";
 import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
+import { AnalysisKind } from "./analyses";
 import { GitHubApiDetails } from "./api-client";
 import * as apiClient from "./api-client";
 import { createStubCodeQL } from "./codeql";
@@ -108,6 +109,39 @@ test("Abort database upload if 'upload-database' input set to false", async (t)
   });
 });
 
+test("Abort database upload if 'analysis-kinds: code-scanning' is not enabled", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
+    sinon
+      .stub(actionsUtil, "getRequiredInput")
+      .withArgs("upload-database")
+      .returns("true");
+    sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
+
+    await mockHttpRequests(201);
+
+    const loggedMessages = [];
+    await uploadDatabases(
+      testRepoName,
+      getCodeQL(),
+      {
+        ...getTestConfig(tmpDir),
+        analysisKinds: [AnalysisKind.CodeQuality],
+      },
+      testApiDetails,
+      getRecordingLogger(loggedMessages),
+    );
+    t.assert(
+      loggedMessages.find(
+        (v: LoggedMessage) =>
+          v.type === "debug" &&
+          v.message ===
+            "Not uploading database because 'analysis-kinds: code-scanning' is not enabled.",
+      ) !== undefined,
+    );
+  });
+});
+
 test("Abort database upload if running against GHES", async (t) => {
   await withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);

src/database-upload.ts

@@ -1,6 +1,7 @@
 import * as fs from "fs";
 
 import * as actionsUtil from "./actions-util";
+import { AnalysisKind } from "./analyses";
 import { getApiClient, GitHubApiDetails } from "./api-client";
 import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
@@ -22,6 +23,13 @@ export async function uploadDatabases(
     return;
   }
 
+  if (!config.analysisKinds.includes(AnalysisKind.CodeScanning)) {
+    logger.debug(
+      `Not uploading database because 'analysis-kinds: ${AnalysisKind.CodeScanning}' is not enabled.`,
+    );
+    return;
+  }
+
   if (util.isInTestMode()) {
     logger.debug("In test mode. Skipping database upload.");
     return;

src/db-config-schema.json

@@ -0,0 +1,145 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "CodeQL Database Configuration",
+  "description": "Format of the config file supplied by the user for CodeQL analysis",
+  "type": "object",
+  "properties": {
+    "name": {
+      "type": "string",
+      "description": "Name of the configuration"
+    },
+    "disable-default-queries": {
+      "type": "boolean",
+      "description": "Whether to disable default queries"
+    },
+    "queries": {
+      "type": "array",
+      "description": "List of additional queries to run",
+      "items": {
+        "$ref": "#/definitions/QuerySpec"
+      }
+    },
+    "paths-ignore": {
+      "type": "array",
+      "description": "Paths to ignore during analysis",
+      "items": {
+        "type": "string"
+      }
+    },
+    "paths": {
+      "type": "array",
+      "description": "Paths to include in analysis",
+      "items": {
+        "type": "string"
+      }
+    },
+    "packs": {
+      "description": "Query packs to include. Can be a simple array for single-language analysis or an object with language-specific arrays for multi-language analysis",
+      "oneOf": [
+        {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        {
+          "type": "object",
+          "additionalProperties": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          }
+        }
+      ]
+    },
+    "query-filters": {
+      "type": "array",
+      "description": "Set of query filters to include and exclude extra queries based on CodeQL query suite include and exclude properties",
+      "items": {
+        "$ref": "#/definitions/QueryFilter"
+      }
+    }
+  },
+  "additionalProperties": true,
+  "definitions": {
+    "QuerySpec": {
+      "type": "object",
+      "description": "Detailed query specification object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "description": "Optional name for the query"
+        },
+        "uses": {
+          "type": "string",
+          "description": "The query or query suite to use"
+        }
+      },
+      "required": ["uses"],
+      "additionalProperties": false
+    },
+    "QueryFilter": {
+      "description": "Query filter that can either include or exclude queries",
+      "oneOf": [
+        {
+          "$ref": "#/definitions/ExcludeQueryFilter"
+        },
+        {
+          "$ref": "#/definitions/IncludeQueryFilter"
+        },
+        {}
+      ]
+    },
+    "ExcludeQueryFilter": {
+      "type": "object",
+      "description": "Filter to exclude queries",
+      "properties": {
+        "exclude": {
+          "type": "object",
+          "description": "Queries to exclude",
+          "additionalProperties": {
+            "oneOf": [
+              {
+                "type": "array",
+                "items": {
+                  "type": "string"
+                }
+              },
+              {
+                "type": "string"
+              }
+            ]
+          }
+        }
+      },
+      "required": ["exclude"],
+      "additionalProperties": false
+    },
+    "IncludeQueryFilter": {
+      "type": "object",
+      "description": "Filter to include queries",
+      "properties": {
+        "include": {
+          "type": "object",
+          "description": "Queries to include",
+          "additionalProperties": {
+            "oneOf": [
+              {
+                "type": "array",
+                "items": {
+                  "type": "string"
+                }
+              },
+              {
+                "type": "string"
+              }
+            ]
+          }
+        }
+      },
+      "required": ["include"],
+      "additionalProperties": false
+    }
+  }
+}

src/debug-artifacts.ts

@@ -59,7 +59,7 @@ export async function uploadCombinedSarifArtifacts(
         for (const outputDir of outputDirs) {
           const sarifFiles = fs
             .readdirSync(path.resolve(baseTempDir, outputDir))
-            .filter((f) => f.endsWith(".sarif"));
+            .filter((f) => path.extname(f) === ".sarif");
 
           for (const sarifFile of sarifFiles) {
             toUpload.push(path.resolve(baseTempDir, outputDir, sarifFile));

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.1",
-  "cliVersion": "2.23.1",
-  "priorBundleVersion": "codeql-bundle-v2.23.0",
-  "priorCliVersion": "2.23.0"
+  "bundleVersion": "codeql-bundle-v2.23.3",
+  "cliVersion": "2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorCliVersion": "2.23.2"
 }

src/dependency-caching.ts

@@ -5,12 +5,13 @@ import * as actionsCache from "@actions/cache";
 import * as glob from "@actions/glob";
 
 import { getTemporaryDirectory } from "./actions-util";
+import { listActionsCaches } from "./api-client";
 import { getTotalCacheSize } from "./caching-utils";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
 import { KnownLanguage, Language } from "./languages";
 import { Logger } from "./logging";
-import { getRequiredEnvParam } from "./util";
+import { getErrorMessage, getRequiredEnvParam } from "./util";
 
 /**
  * Caching configuration for a particular language.
@@ -84,20 +85,42 @@ async function makeGlobber(patterns: string[]): Promise<glob.Globber> {
   return glob.create(patterns.join("\n"));
 }
 
+/** Enumerates possible outcomes for cache hits. */
+export enum CacheHitKind {
+  /** We were unable to calculate a hash for the key. */
+  NoHash = "no-hash",
+  /** No cache was found. */
+  Miss = "miss",
+  /** The primary cache key matched. */
+  Exact = "exact",
+  /** A restore key matched. */
+  Partial = "partial",
+}
+
+/** Represents results of trying to restore a dependency cache for a language. */
+export interface DependencyCacheRestoreStatus {
+  language: Language;
+  hit_kind: CacheHitKind;
+  download_duration_ms?: number;
+}
+
+/** An array of `DependencyCacheRestoreStatus` objects for each analysed language with a caching configuration. */
+export type DependencyCacheRestoreStatusReport = DependencyCacheRestoreStatus[];
+
 /**
  * Attempts to restore dependency caches for the languages being analyzed.
  *
  * @param languages The languages being analyzed.
  * @param logger A logger to record some informational messages to.
  * @param minimizeJavaJars Whether the Java extractor should rewrite downloaded JARs to minimize their size.
- * @returns A list of languages for which dependency caches were restored.
+ * @returns An array of `DependencyCacheRestoreStatus` objects for each analysed language with a caching configuration.
  */
 export async function downloadDependencyCaches(
   languages: Language[],
   logger: Logger,
   minimizeJavaJars: boolean,
-): Promise<Language[]> {
-  const restoredCaches: Language[] = [];
+): Promise<DependencyCacheRestoreStatusReport> {
+  const status: DependencyCacheRestoreStatusReport = [];
 
   for (const language of languages) {
     const cacheConfig = getDefaultCacheConfig()[language];
@@ -114,6 +137,7 @@ export async function downloadDependencyCaches(
     const globber = await makeGlobber(cacheConfig.hash);
 
     if ((await globber.glob()).length === 0) {
+      status.push({ language, hit_kind: CacheHitKind.NoHash });
       logger.info(
         `Skipping download of dependency cache for ${language} as we cannot calculate a hash for the cache key.`,
       );
@@ -131,35 +155,66 @@ export async function downloadDependencyCaches(
       )}`,
     );
 
+    const start = performance.now();
     const hitKey = await actionsCache.restoreCache(
       cacheConfig.paths,
       primaryKey,
       restoreKeys,
     );
+    const download_duration_ms = Math.round(performance.now() - start);
 
     if (hitKey !== undefined) {
       logger.info(`Cache hit on key ${hitKey} for ${language}.`);
-      restoredCaches.push(language);
+      const hit_kind =
+        hitKey === primaryKey ? CacheHitKind.Exact : CacheHitKind.Partial;
+      status.push({ language, hit_kind, download_duration_ms });
     } else {
+      status.push({ language, hit_kind: CacheHitKind.Miss });
       logger.info(`No suitable cache found for ${language}.`);
     }
   }
 
-  return restoredCaches;
+  return status;
 }
 
+/** Enumerates possible outcomes for storing caches. */
+export enum CacheStoreResult {
+  /** We were unable to calculate a hash for the key. */
+  NoHash = "no-hash",
+  /** There is nothing to store in the cache. */
+  Empty = "empty",
+  /** There already exists a cache with the key we are trying to store. */
+  Duplicate = "duplicate",
+  /** The cache was stored successfully. */
+  Stored = "stored",
+}
+
+/** Represents results of trying to upload a dependency cache for a language. */
+export interface DependencyCacheUploadStatus {
+  language: Language;
+  result: CacheStoreResult;
+  upload_size_bytes?: number;
+  upload_duration_ms?: number;
+}
+
+/** An array of `DependencyCacheUploadStatus` objects for each analysed language with a caching configuration. */
+export type DependencyCacheUploadStatusReport = DependencyCacheUploadStatus[];
+
 /**
  * Attempts to store caches for the languages that were analyzed.
  *
  * @param config The configuration for this workflow.
  * @param logger A logger to record some informational messages to.
  * @param minimizeJavaJars Whether the Java extractor should rewrite downloaded JARs to minimize their size.
+ *
+ * @returns An array of `DependencyCacheUploadStatus` objects for each analysed language with a caching configuration.
  */
 export async function uploadDependencyCaches(
   config: Config,
   logger: Logger,
   minimizeJavaJars: boolean,
-): Promise<void> {
+): Promise<DependencyCacheUploadStatusReport> {
+  const status: DependencyCacheUploadStatusReport = [];
   for (const language of config.languages) {
     const cacheConfig = getDefaultCacheConfig()[language];
 
@@ -175,6 +230,7 @@ export async function uploadDependencyCaches(
     const globber = await makeGlobber(cacheConfig.hash);
 
     if ((await globber.glob()).length === 0) {
+      status.push({ language, result: CacheStoreResult.NoHash });
       logger.info(
         `Skipping upload of dependency cache for ${language} as we cannot calculate a hash for the cache key.`,
       );
@@ -195,6 +251,7 @@ export async function uploadDependencyCaches(
 
     // Skip uploading an empty cache.
     if (size === 0) {
+      status.push({ language, result: CacheStoreResult.Empty });
       logger.info(
         `Skipping upload of dependency cache for ${language} since it is empty.`,
       );
@@ -208,7 +265,16 @@ export async function uploadDependencyCaches(
     );
 
     try {
+      const start = performance.now();
       await actionsCache.saveCache(cacheConfig.paths, key);
+      const upload_duration_ms = Math.round(performance.now() - start);
+
+      status.push({
+        language,
+        result: CacheStoreResult.Stored,
+        upload_size_bytes: Math.round(size),
+        upload_duration_ms,
+      });
     } catch (error) {
       // `ReserveCacheError` indicates that the cache key is already in use, which means that a
       // cache with that key already exists or is in the process of being uploaded by another
@@ -218,12 +284,16 @@ export async function uploadDependencyCaches(
           `Not uploading cache for ${language}, because ${key} is already in use.`,
         );
         logger.debug(error.message);
+
+        status.push({ language, result: CacheStoreResult.Duplicate });
       } else {
         // Propagate other errors upwards.
         throw error;
       }
     }
   }
+
+  return status;
 }
 
 /**
@@ -270,3 +340,34 @@ async function cachePrefix(
 
   return `${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
 }
+
+/** Represents information about our overall cache usage for CodeQL dependency caches. */
+export interface DependencyCachingUsageReport {
+  count: number;
+  size_bytes: number;
+}
+
+/**
+ * Tries to determine the overall cache usage for CodeQL dependencies caches.
+ *
+ * @param logger The logger to log errors to.
+ * @returns Returns the overall cache usage for CodeQL dependencies caches, or `undefined` if we couldn't determine it.
+ */
+export async function getDependencyCacheUsage(
+  logger: Logger,
+): Promise<DependencyCachingUsageReport | undefined> {
+  try {
+    const caches = await listActionsCaches(CODEQL_DEPENDENCY_CACHE_PREFIX);
+    const totalSize = caches.reduce(
+      (acc, cache) => acc + (cache.size_in_bytes ?? 0),
+      0,
+    );
+    return { count: caches.length, size_bytes: totalSize };
+  } catch (err) {
+    logger.warning(
+      `Unable to retrieve information about dependency cache usage: ${getErrorMessage(err)}`,
+    );
+  }
+
+  return undefined;
+}

src/environment.ts

@@ -47,6 +47,9 @@ export enum EnvVar {
   /** Whether the CodeQL Action has already warned the user about low disk space. */
   HAS_WARNED_ABOUT_DISK_SPACE = "CODEQL_ACTION_HAS_WARNED_ABOUT_DISK_SPACE",
 
+  /** Whether the `setup-codeql` action has been run. */
+  SETUP_CODEQL_ACTION_HAS_RUN = "CODEQL_ACTION_SETUP_CODEQL_HAS_RUN",
+
   /** Whether the init action has been run. */
   INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",
 
@@ -128,4 +131,10 @@ export enum EnvVar {
    * whether the upload is disabled. This is intended for testing and debugging purposes.
    */
   SARIF_DUMP_DIR = "CODEQL_ACTION_SARIF_DUMP_DIR",
+
+  /**
+   * Whether to skip uploading SARIF results to GitHub. Intended for testing purposes.
+   * This setting is more specific than `CODEQL_ACTION_TEST_MODE`, which implies this option.
+   */
+  SKIP_SARIF_UPLOAD = "CODEQL_ACTION_SKIP_SARIF_UPLOAD",
 }

src/error-messages.ts

@@ -14,6 +14,22 @@ export function getConfigFileDoesNotExistErrorMessage(
   return `The configuration file "${configFile}" does not exist`;
 }
 
+export function getConfigFileParseErrorMessage(
+  configFile: string,
+  message: string,
+): string {
+  return `Cannot parse "${configFile}": ${message}`;
+}
+
+export function getInvalidConfigFileMessage(
+  configFile: string,
+  messages: string[],
+): string {
+  const andMore =
+    messages.length > 10 ? `, and ${messages.length - 10} more.` : ".";
+  return `The configuration file "${configFile}" is invalid: ${messages.slice(0, 10).join(", ")}${andMore}`;
+}
+
 export function getConfigFileRepoFormatInvalidMessage(
   configFile: string,
 ): string {

src/feature-flags.ts

@@ -7,6 +7,7 @@ import { getApiClient } from "./api-client";
 import type { CodeQL } from "./codeql";
 import * as defaults from "./defaults.json";
 import { Logger } from "./logging";
+import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay-database-utils";
 import { RepositoryNwo } from "./repository";
 import { ToolsFeature } from "./tools-features";
 import * as util from "./util";
@@ -42,6 +43,8 @@ export interface FeatureEnablement {
  * Legacy features should end with `_enabled`.
  */
 export enum Feature {
+  AllowToolcacheInput = "allow_toolcache_input",
+  AnalyzeUseNewUpload = "analyze_use_new_upload",
   CleanupTrapCaches = "cleanup_trap_caches",
   CppDependencyInstallation = "cpp_dependency_installation_enabled",
   DiffInformedQueries = "diff_informed_queries",
@@ -72,9 +75,10 @@ export enum Feature {
   OverlayAnalysisRust = "overlay_analysis_rust",
   OverlayAnalysisSwift = "overlay_analysis_swift",
   PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
-  UseRepositoryProperties = "use_repository_properties",
   QaTelemetryEnabled = "qa_telemetry_enabled",
   ResolveSupportedLanguagesUsingCli = "resolve_supported_languages_using_cli",
+  UseRepositoryProperties = "use_repository_properties",
+  ValidateDbConfig = "validate_db_config",
 }
 
 export const featureConfig: Record<
@@ -108,6 +112,16 @@ export const featureConfig: Record<
     toolsFeature?: ToolsFeature;
   }
 > = {
+  [Feature.AllowToolcacheInput]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: undefined,
+  },
+  [Feature.AnalyzeUseNewUpload]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
+    minimumVersion: undefined,
+  },
   [Feature.CleanupTrapCaches]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -156,7 +170,7 @@ export const featureConfig: Record<
   [Feature.OverlayAnalysis]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
-    minimumVersion: undefined,
+    minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION,
   },
   [Feature.OverlayAnalysisActions]: {
     defaultValue: false,
@@ -280,6 +294,11 @@ export const featureConfig: Record<
     envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
     minimumVersion: "2.23.0",
   },
+  [Feature.ValidateDbConfig]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
+    minimumVersion: undefined,
+  },
 };
 
 /**
@@ -634,7 +653,7 @@ class GitHubFeatureFlags {
       }
 
       this.logger.debug(
-        "Loaded the following default values for the feature flags from the Code Scanning API:",
+        "Loaded the following default values for the feature flags from the CodeQL Action API:",
       );
       for (const [feature, value] of Object.entries(remoteFlags).sort(
         ([nameA], [nameB]) => nameA.localeCompare(nameB),
@@ -644,12 +663,13 @@ class GitHubFeatureFlags {
       this.hasAccessedRemoteFeatureFlags = true;
       return remoteFlags;
     } catch (e) {
-      if (util.isHTTPError(e) && e.status === 403) {
+      const httpError = util.asHTTPError(e);
+      if (httpError?.status === 403) {
         this.logger.warning(
-          "This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. " +
+          "This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
             "As a result, it will not be opted into any experimental features. " +
             "This could be because the Action is running on a pull request from a fork. If not, " +
-            `please ensure the Action has the 'security-events: write' permission. Details: ${e.message}`,
+            `please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
         );
         this.hasAccessedRemoteFeatureFlags = false;
         return {};

src/init-action-post-helper.test.ts

@@ -2,6 +2,7 @@ import test, { ExecutionContext } from "ava";
 import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
+import { AnalysisKind } from "./analyses";
 import * as codeql from "./codeql";
 import * as configUtils from "./config-utils";
 import { Feature } from "./feature-flags";
@@ -28,12 +29,13 @@ test("post: init action with debug mode off", async (t) => {
     const gitHubVersion: util.GitHubVersion = {
       type: util.GitHubVariant.DOTCOM,
     };
-    sinon.stub(configUtils, "getConfig").resolves({
-      debugMode: false,
-      gitHubVersion,
-      languages: [],
-      packs: [],
-    } as unknown as configUtils.Config);
+    sinon.stub(configUtils, "getConfig").resolves(
+      createTestConfig({
+        debugMode: false,
+        gitHubVersion,
+        languages: [],
+      }),
+    );
 
     const uploadAllAvailableDebugArtifactsSpy = sinon.spy();
     const printDebugLogsSpy = sinon.spy();
@@ -84,14 +86,14 @@ test("uploads failed SARIF run with `diagnostics export` if feature flag is off"
     },
     {
       name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
       with: {
         languages: "javascript",
       },
     },
     {
       name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
       with: {
         category: "my-category",
       },
@@ -108,14 +110,14 @@ test("uploads failed SARIF run with `diagnostics export` if the database doesn't
     },
     {
       name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
       with: {
         languages: "javascript",
       },
     },
     {
       name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
       with: {
         category: "my-category",
       },
@@ -135,14 +137,14 @@ test("uploads failed SARIF run with database export-diagnostics if the database
     },
     {
       name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
       with: {
         languages: "javascript",
       },
     },
     {
       name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
       with: {
         category: "my-category",
       },
@@ -192,14 +194,14 @@ for (const { uploadInput, shouldUpload } of UPLOAD_INPUT_TEST_CASES) {
       },
       {
         name: "Initialize CodeQL",
-        uses: "github/codeql-action/init@v3",
+        uses: "github/codeql-action/init@v4",
         with: {
           languages: "javascript",
         },
       },
       {
         name: "Perform CodeQL Analysis",
-        uses: "github/codeql-action/analyze@v3",
+        uses: "github/codeql-action/analyze@v4",
         with: {
           category: "my-category",
           upload: uploadInput,
@@ -227,14 +229,14 @@ test("uploading failed SARIF run succeeds when workflow uses an input with a mat
     },
     {
       name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
       with: {
         languages: "javascript",
       },
     },
     {
       name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
       with: {
         category: "/language:${{ matrix.language }}",
       },
@@ -254,14 +256,14 @@ test("uploading failed SARIF run fails when workflow uses a complex upload input
     },
     {
       name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
       with: {
         languages: "javascript",
       },
     },
     {
       name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
       with: {
         upload: "${{ matrix.language != 'csharp' }}",
       },
@@ -295,6 +297,17 @@ test("uploading failed SARIF run fails when workflow does not reference github/c
   t.truthy(result.upload_failed_run_stack_trace);
 });
 
+test("not uploading failed SARIF when `code-scanning` is not an enabled analysis kind", async (t) => {
+  const result = await testFailedSarifUpload(t, createTestWorkflow([]), {
+    analysisKinds: [AnalysisKind.CodeQuality],
+    expectUpload: false,
+  });
+  t.is(
+    result.upload_failed_run_skipped_because,
+    "Code Scanning is not enabled.",
+  );
+});
+
 function createTestWorkflow(
   steps: workflow.WorkflowJobStep[],
 ): workflow.Workflow {
@@ -327,20 +340,22 @@ async function testFailedSarifUpload(
     expectUpload = true,
     exportDiagnosticsEnabled = false,
     matrix = {},
+    analysisKinds = [AnalysisKind.CodeScanning],
   }: {
     category?: string;
     databaseExists?: boolean;
     expectUpload?: boolean;
     exportDiagnosticsEnabled?: boolean;
     matrix?: { [key: string]: string };
+    analysisKinds?: AnalysisKind[];
   } = {},
 ): Promise<initActionPostHelper.UploadFailedSarifResult> {
-  const config = {
+  const config = createTestConfig({
+    analysisKinds,
     codeQLCmd: "codeql",
     debugMode: true,
     languages: [],
-    packs: [],
-  } as unknown as configUtils.Config;
+  });
   if (databaseExists) {
     config.dbLocation = "path/to/database";
   }

src/init-action-post-helper.ts

@@ -7,7 +7,8 @@ import * as actionsUtil from "./actions-util";
 import { CodeScanning } from "./analyses";
 import { getApiClient } from "./api-client";
 import { CodeQL, getCodeQL } from "./codeql";
-import { Config } from "./config-utils";
+import { Config, isCodeScanningEnabled } from "./config-utils";
+import * as dependencyCaching from "./dependency-caching";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
@@ -18,8 +19,8 @@ import {
   delay,
   getErrorMessage,
   getRequiredEnvParam,
-  isInTestMode,
   parseMatrixInput,
+  shouldSkipSarifUpload,
   wrapError,
 } from "./util";
 import {
@@ -45,6 +46,10 @@ export interface JobStatusReport {
   job_status: JobStatus;
 }
 
+export interface DependencyCachingUsageReport {
+  dependency_caching_usage?: dependencyCaching.DependencyCachingUsageReport;
+}
+
 function createFailedUploadFailedSarifResult(
   error: unknown,
 ): UploadFailedSarifResult {
@@ -76,7 +81,7 @@ async function maybeUploadFailedSarif(
     !["always", "failure-only"].includes(
       actionsUtil.getUploadValue(shouldUpload),
     ) ||
-    isInTestMode()
+    shouldSkipSarifUpload()
   ) {
     return { upload_failed_run_skipped_because: "SARIF upload is disabled" };
   }
@@ -134,6 +139,15 @@ export async function tryUploadSarifIfRunFailed(
       EnvVar.JOB_STATUS,
       process.env[EnvVar.JOB_STATUS] ?? JobStatus.ConfigErrorStatus,
     );
+
+    // If the only enabled analysis kind is `code-quality`, then we shouldn't
+    // upload the failed SARIF to Code Scanning.
+    if (!isCodeScanningEnabled(config)) {
+      return {
+        upload_failed_run_skipped_because: "Code Scanning is not enabled.",
+      };
+    }
+
     try {
       return await maybeUploadFailedSarif(
         config,

src/init-action-post.ts

@@ -12,10 +12,16 @@ import {
   printDebugLogs,
 } from "./actions-util";
 import { getGitHubVersion } from "./api-client";
+import { CachingKind } from "./caching-utils";
 import { getCodeQL } from "./codeql";
 import { Config, getConfig } from "./config-utils";
 import * as debugArtifacts from "./debug-artifacts";
+import {
+  DependencyCachingUsageReport,
+  getDependencyCacheUsage,
+} from "./dependency-caching";
 import { Features } from "./feature-flags";
+import * as gitUtils from "./git-utils";
 import * as initActionPostHelper from "./init-action-post-helper";
 import { getActionsLogger } from "./logging";
 import { getRepositoryNwo } from "./repository";
@@ -32,7 +38,8 @@ import { checkDiskUsage, checkGitHubVersionInRange, wrapError } from "./util";
 interface InitPostStatusReport
   extends StatusReportBase,
     initActionPostHelper.UploadFailedSarifResult,
-    initActionPostHelper.JobStatusReport {}
+    initActionPostHelper.JobStatusReport,
+    initActionPostHelper.DependencyCachingUsageReport {}
 
 async function runWrapper() {
   const logger = getActionsLogger();
@@ -41,6 +48,7 @@ async function runWrapper() {
   let uploadFailedSarifResult:
     | initActionPostHelper.UploadFailedSarifResult
     | undefined;
+  let dependencyCachingUsage: DependencyCachingUsageReport | undefined;
   try {
     // Restore inputs from `init` Action.
     restoreInputs();
@@ -73,6 +81,17 @@ async function runWrapper() {
         features,
         logger,
       );
+
+      // If we are analysing the default branch and some kind of caching is enabled,
+      // then try to determine our overall cache usage for dependency caches. We only
+      // do this under these circumstances to avoid slowing down analyses for PRs
+      // and where caching may not be enabled.
+      if (
+        (await gitUtils.isAnalyzingDefaultBranch()) &&
+        config.dependencyCachingEnabled !== CachingKind.None
+      ) {
+        dependencyCachingUsage = await getDependencyCacheUsage(logger);
+      }
     }
   } catch (unwrappedError) {
     const error = wrapError(unwrappedError);
@@ -109,6 +128,7 @@ async function runWrapper() {
       ...statusReportBase,
       ...uploadFailedSarifResult,
       job_status: initActionPostHelper.getFinalJobStatus(),
+      dependency_caching_usage: dependencyCachingUsage,
     };
     logger.info("Sending status report for init-post step.");
     await sendStatusReport(statusReport);

src/init-action.ts

@@ -15,6 +15,7 @@ import {
   getTemporaryDirectory,
   persistInputs,
 } from "./actions-util";
+import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import {
   getDependencyCachingEnabled,
@@ -23,7 +24,10 @@ import {
 } from "./caching-utils";
 import { CodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
-import { downloadDependencyCaches } from "./dependency-caching";
+import {
+  DependencyCacheRestoreStatusReport,
+  downloadDependencyCaches,
+} from "./dependency-caching";
 import {
   addDiagnostic,
   flushDiagnostics,
@@ -42,10 +46,9 @@ import {
   runDatabaseInitCluster,
 } from "./init";
 import { KnownLanguage } from "./languages";
-import { getActionsLogger, Logger, withGroupAsync } from "./logging";
+import { getActionsLogger, Logger } from "./logging";
 import {
   downloadOverlayBaseDatabaseFromCache,
-  getCodeQLVersionFromOverlayBaseDatabase,
   OverlayBaseDatabaseDownloadStats,
   OverlayDatabaseMode,
 } from "./overlay-database-utils";
@@ -54,6 +57,7 @@ import { ToolsSource } from "./setup-codeql";
 import {
   ActionName,
   InitStatusReport,
+  InitToolsDownloadFields,
   InitWithConfigStatusReport,
   createInitWithConfigStatusReport,
   createStatusReportBase,
@@ -84,14 +88,29 @@ import {
 } from "./util";
 import { validateWorkflow } from "./workflow";
 
-/** Fields of the init status report populated when the tools source is `download`. */
-interface InitToolsDownloadFields {
-  /** Time taken to download the bundle, in milliseconds. */
-  tools_download_duration_ms?: number;
-  /**
-   * Whether the relevant tools dotcom feature flags have been misconfigured.
-   * Only populated if we attempt to determine the default version based on the dotcom feature flags. */
-  tools_feature_flags_valid?: boolean;
+/**
+ * Sends a status report indicating that the `init` Action is starting.
+ *
+ * @param startedAt
+ * @param config
+ * @param logger
+ */
+async function sendStartingStatusReport(
+  startedAt: Date,
+  config: Partial<configUtils.Config> | undefined,
+  logger: Logger,
+) {
+  const statusReportBase = await createStatusReportBase(
+    ActionName.Init,
+    "starting",
+    startedAt,
+    config,
+    await checkDiskUsage(logger),
+    logger,
+  );
+  if (statusReportBase !== undefined) {
+    await sendStatusReport(statusReportBase);
+  }
 }
 
 async function sendCompletedStatusReport(
@@ -103,6 +122,7 @@ async function sendCompletedStatusReport(
   toolsSource: ToolsSource,
   toolsVersion: string,
   overlayBaseDatabaseStats: OverlayBaseDatabaseDownloadStats | undefined,
+  dependencyCachingResults: DependencyCacheRestoreStatusReport | undefined,
   logger: Logger,
   error?: Error,
 ) {
@@ -152,6 +172,7 @@ async function sendCompletedStatusReport(
           await getTotalCacheSize(Object.values(config.trapCaches), logger),
         ),
         overlayBaseDatabaseStats,
+        dependencyCachingResults,
       );
     await sendStatusReport({
       ...initWithConfigStatusReport,
@@ -206,6 +227,7 @@ async function run() {
     ? await loadPropertiesFromApi(gitHubVersion, logger, repositoryNwo)
     : {};
 
+  // Create a unique identifier for this run.
   const jobRunUuid = uuidV4();
   logger.info(`Job run UUID is ${jobRunUuid}.`);
   core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
@@ -223,94 +245,33 @@ async function run() {
   );
 
   try {
-    const statusReportBase = await createStatusReportBase(
-      ActionName.Init,
-      "starting",
-      startedAt,
-      config,
-      await checkDiskUsage(logger),
-      logger,
-    );
-    if (statusReportBase !== undefined) {
-      await sendStatusReport(statusReportBase);
+    // Parsing the `analysis-kinds` input may throw a `ConfigurationError`, which we don't want before
+    // we have called `sendStartingStatusReport` below. However, we want the analysis kinds for that status
+    // report. To work around this, we ignore exceptions that are thrown here and then call `getAnalysisKinds`
+    // a second time later. The second call will then throw the exception again. If `getAnalysisKinds` is
+    // successful, the results are cached so that we don't duplicate the work in normal runs.
+    let analysisKinds: AnalysisKind[] | undefined;
+    try {
+      analysisKinds = await getAnalysisKinds(logger);
+    } catch (err) {
+      logger.debug(
+        `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`,
+      );
     }
 
-    const inputs: configUtils.InitConfigInputs = {
-      analysisKindsInput: getRequiredInput("analysis-kinds"),
-      languagesInput: getOptionalInput("languages"),
-      queriesInput: getOptionalInput("queries"),
-      qualityQueriesInput: getOptionalInput("quality-queries"),
-      packsInput: getOptionalInput("packs"),
-      buildModeInput: getOptionalInput("build-mode"),
-      configFile,
-      dbLocation: getOptionalInput("db-location"),
-      configInput: getOptionalInput("config"),
-      trapCachingEnabled: getTrapCachingEnabled(),
-      dependencyCachingEnabled: getDependencyCachingEnabled(),
-      // Debug mode is enabled if:
-      // - The `init` Action is passed `debug: true`.
-      // - Actions step debugging is enabled (e.g. by [enabling debug logging for a rerun](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow),
-      //   or by setting the `ACTIONS_STEP_DEBUG` secret to `true`).
-      debugMode: getOptionalInput("debug") === "true" || core.isDebug(),
-      debugArtifactName:
-        getOptionalInput("debug-artifact-name") || DEFAULT_DEBUG_ARTIFACT_NAME,
-      debugDatabaseName:
-        getOptionalInput("debug-database-name") || DEFAULT_DEBUG_DATABASE_NAME,
-      repository: repositoryNwo,
-      tempDir: getTemporaryDirectory(),
-      workspacePath: getRequiredEnvParam("GITHUB_WORKSPACE"),
-      sourceRoot,
-      githubVersion: gitHubVersion,
-      apiDetails,
-      features,
-      repositoryProperties,
-      logger,
-    };
-    configUtils.amendInputConfigFile(inputs, logger);
+    // Send a status report indicating that an analysis is starting.
+    await sendStartingStatusReport(startedAt, { analysisKinds }, logger);
+
+    // Throw a `ConfigurationError` if the `setup-codeql` action has been run.
+    if (process.env[EnvVar.SETUP_CODEQL_ACTION_HAS_RUN] === "true") {
+      throw new ConfigurationError(
+        `The 'init' action should not be run in the same workflow as 'setup-codeql'.`,
+      );
+    }
 
     const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
       gitHubVersion.type,
     );
-
-    await withGroupAsync(
-      "Compute CodeQL version to use for overlay analysis",
-      async () => {
-        if (getOptionalInput("tools")) {
-          logger.info(
-            "Nothing to do here because the workflow specified a tools input.",
-          );
-          return;
-        }
-
-        const { overlayDatabaseMode, useOverlayDatabaseCaching } =
-          await configUtils.getPreliminaryOverlayDatabaseMode(inputs);
-        if (overlayDatabaseMode !== OverlayDatabaseMode.Overlay) {
-          logger.info(
-            "Nothing to do here because we are not performing overlay analysis",
-          );
-          return;
-        }
-        if (!useOverlayDatabaseCaching) {
-          logger.info(
-            `Nothing to do here because we are not using overlay database caching`,
-          );
-          return;
-        }
-
-        const codeQlVersionForOverlay =
-          await getCodeQLVersionFromOverlayBaseDatabase(logger);
-        if (codeQlVersionForOverlay === undefined) {
-          return;
-        }
-
-        logger.info(
-          `Using CodeQL version ${codeQlVersionForOverlay} for overlay analysis.`,
-        );
-        codeQLDefaultVersionInfo.cliVersion = codeQlVersionForOverlay;
-        codeQLDefaultVersionInfo.tagName = `codeql-bundle-v${codeQlVersionForOverlay}`;
-      },
-    );
-
     toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
     const initCodeQLResult = await initCodeQL(
       getOptionalInput("tools"),
@@ -318,6 +279,7 @@ async function run() {
       getTemporaryDirectory(),
       gitHubVersion.type,
       codeQLDefaultVersionInfo,
+      features,
       logger,
     );
     codeql = initCodeQLResult.codeql;
@@ -362,15 +324,38 @@ async function run() {
       }
     }
 
-    // Warn that `quality-queries` is deprecated if there is an argument for it.
-    if (inputs.qualityQueriesInput !== undefined) {
-      logger.warning(
-        "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. " +
-          "Use the `analysis-kinds` input to configure different analysis kinds instead.",
-      );
-    }
-
-    config = await initConfig(inputs, codeql);
+    analysisKinds = await getAnalysisKinds(logger);
+    config = await initConfig(features, {
+      analysisKinds,
+      languagesInput: getOptionalInput("languages"),
+      queriesInput: getOptionalInput("queries"),
+      packsInput: getOptionalInput("packs"),
+      buildModeInput: getOptionalInput("build-mode"),
+      configFile,
+      dbLocation: getOptionalInput("db-location"),
+      configInput: getOptionalInput("config"),
+      trapCachingEnabled: getTrapCachingEnabled(),
+      dependencyCachingEnabled: getDependencyCachingEnabled(),
+      // Debug mode is enabled if:
+      // - The `init` Action is passed `debug: true`.
+      // - Actions step debugging is enabled (e.g. by [enabling debug logging for a rerun](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow),
+      //   or by setting the `ACTIONS_STEP_DEBUG` secret to `true`).
+      debugMode: getOptionalInput("debug") === "true" || core.isDebug(),
+      debugArtifactName:
+        getOptionalInput("debug-artifact-name") || DEFAULT_DEBUG_ARTIFACT_NAME,
+      debugDatabaseName:
+        getOptionalInput("debug-database-name") || DEFAULT_DEBUG_DATABASE_NAME,
+      repository: repositoryNwo,
+      tempDir: getTemporaryDirectory(),
+      codeql,
+      workspacePath: getRequiredEnvParam("GITHUB_WORKSPACE"),
+      sourceRoot,
+      githubVersion: gitHubVersion,
+      apiDetails,
+      features,
+      repositoryProperties,
+      logger,
+    });
 
     await checkInstallPython311(config.languages, codeql);
   } catch (unwrappedError) {
@@ -393,6 +378,7 @@ async function run() {
   }
 
   let overlayBaseDatabaseStats: OverlayBaseDatabaseDownloadStats | undefined;
+  let dependencyCachingResults: DependencyCacheRestoreStatusReport | undefined;
   try {
     if (
       config.overlayDatabaseMode === OverlayDatabaseMode.Overlay &&
@@ -604,7 +590,7 @@ async function run() {
       codeql,
     );
     if (shouldRestoreCache(config.dependencyCachingEnabled)) {
-      await downloadDependencyCaches(
+      dependencyCachingResults = await downloadDependencyCaches(
         config.languages,
         logger,
         minimizeJavaJars,
@@ -756,6 +742,7 @@ async function run() {
       toolsSource,
       toolsVersion,
       overlayBaseDatabaseStats,
+      dependencyCachingResults,
       logger,
       error,
     );
@@ -778,6 +765,7 @@ async function run() {
     toolsSource,
     toolsVersion,
     overlayBaseDatabaseStats,
+    dependencyCachingResults,
     logger,
   );
 }

src/init.ts

@@ -9,7 +9,7 @@ import { getOptionalInput, isSelfHostedRunner } from "./actions-util";
 import { GitHubApiDetails } from "./api-client";
 import { CodeQL, setupCodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
-import { CodeQLDefaultVersionInfo } from "./feature-flags";
+import { CodeQLDefaultVersionInfo, FeatureEnablement } from "./feature-flags";
 import { KnownLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
 import { ToolsSource } from "./setup-codeql";
@@ -23,6 +23,7 @@ export async function initCodeQL(
   tempDir: string,
   variant: util.GitHubVariant,
   defaultCliVersion: CodeQLDefaultVersionInfo,
+  features: FeatureEnablement,
   logger: Logger,
 ): Promise<{
   codeql: CodeQL;
@@ -44,6 +45,7 @@ export async function initCodeQL(
     tempDir,
     variant,
     defaultCliVersion,
+    features,
     logger,
     true,
   );
@@ -59,11 +61,11 @@ export async function initCodeQL(
 }
 
 export async function initConfig(
+  features: FeatureEnablement,
   inputs: configUtils.InitConfigInputs,
-  codeql: CodeQL,
 ): Promise<configUtils.Config> {
   return await withGroupAsync("Load language configuration", async () => {
-    return await configUtils.initConfig(inputs, codeql);
+    return await configUtils.initConfig(features, inputs);
   });
 }
 

src/overlay-database-utils.test.ts

@@ -11,10 +11,6 @@ import * as gitUtils from "./git-utils";
 import { getRunnerLogger } from "./logging";
 import {
   downloadOverlayBaseDatabaseFromCache,
-  getCacheRestoreKeyPrefix,
-  getCacheSaveKey,
-  getCacheWorkflowKeyPrefix,
-  getCodeQLVersionFromOverlayBaseDatabase,
   OverlayDatabaseMode,
   writeBaseDatabaseOidsFile,
   writeOverlayChangesFile,
@@ -265,197 +261,3 @@ test(
   },
   false,
 );
-
-test("overlay-base database cache keys remain stable", async (t) => {
-  const config = createTestConfig({ languages: ["python", "javascript"] });
-  const codeQlVersion = "2.23.0";
-  const commitOid = "abc123def456";
-
-  sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-  sinon.stub(gitUtils, "getCommitOid").resolves(commitOid);
-
-  const saveKey = await getCacheSaveKey(config, codeQlVersion, "checkout-path");
-  const expectedSaveKey =
-    "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-abc123def456";
-  t.is(
-    saveKey,
-    expectedSaveKey,
-    "Cache save key changed unexpectedly. " +
-      "This may indicate breaking changes in the cache key generation logic.",
-  );
-
-  const restoreKeyPrefix = await getCacheRestoreKeyPrefix(
-    config,
-    codeQlVersion,
-  );
-  const expectedRestoreKeyPrefix =
-    "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-";
-  t.is(
-    restoreKeyPrefix,
-    expectedRestoreKeyPrefix,
-    "Cache restore key prefix changed unexpectedly. " +
-      "This may indicate breaking changes in the cache key generation logic.",
-  );
-
-  const workflowKeyPrefix = await getCacheWorkflowKeyPrefix();
-  const expectedWorkflowKeyPrefix =
-    "codeql-overlay-base-database-1-c5666c509a2d9895-";
-  t.is(
-    workflowKeyPrefix,
-    expectedWorkflowKeyPrefix,
-    "Cache workflow key prefix changed unexpectedly. " +
-      "This may indicate breaking changes in the cache key generation logic.",
-  );
-
-  t.true(
-    saveKey.startsWith(restoreKeyPrefix),
-    `Expected save key "${saveKey}" to start with restore key prefix "${restoreKeyPrefix}"`,
-  );
-  t.true(
-    restoreKeyPrefix.startsWith(workflowKeyPrefix),
-    `Expected restore key prefix "${restoreKeyPrefix}" to start with workflow key prefix "${workflowKeyPrefix}"`,
-  );
-});
-
-/**
- * Helper function to generate a cache save key for testing.
- * Sets up the necessary sinon stubs and returns the generated cache key.
- */
-async function generateTestCacheKey(codeQlVersion: string): Promise<string> {
-  const config = createTestConfig({ languages: ["python", "javascript"] });
-  const commitOid = "abc123def456";
-
-  sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-  sinon.stub(gitUtils, "getCommitOid").resolves(commitOid);
-
-  return await getCacheSaveKey(config, codeQlVersion, "checkout-path");
-}
-
-/**
- * Helper function to stub getMostRecentActionsCacheEntry with a given key and creation date.
- * Returns the stubbed function for cleanup if needed.
- */
-function stubMostRecentActionsCacheEntry(key?: string, createdAt?: Date) {
-  const cacheItem =
-    key !== undefined || createdAt !== undefined
-      ? {
-          key,
-          created_at: createdAt?.toISOString(),
-        }
-      : undefined;
-
-  return sinon
-    .stub(apiClient, "getMostRecentActionsCacheEntry")
-    .resolves(cacheItem);
-}
-
-test("getCodeQLVersionFromOverlayBaseDatabase returns version when cache entry is valid", async (t) => {
-  const logger = getRunnerLogger(true);
-  const cacheKey = await generateTestCacheKey("2.23.0");
-
-  stubMostRecentActionsCacheEntry(cacheKey, new Date());
-
-  const result = await getCodeQLVersionFromOverlayBaseDatabase(logger);
-  t.is(result, "2.23.0", "Should return the extracted CodeQL version");
-});
-
-test("getCodeQLVersionFromOverlayBaseDatabase returns undefined when no cache entries found", async (t) => {
-  const logger = getRunnerLogger(true);
-
-  sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-  stubMostRecentActionsCacheEntry();
-
-  const result = await getCodeQLVersionFromOverlayBaseDatabase(logger);
-  t.is(
-    result,
-    undefined,
-    "Should return undefined when no cache entries found",
-  );
-});
-
-test("getCodeQLVersionFromOverlayBaseDatabase returns undefined when cache entry is too old", async (t) => {
-  const logger = getRunnerLogger(true);
-  const cacheKey = await generateTestCacheKey("2.23.0");
-
-  const oldDate = new Date();
-  oldDate.setDate(oldDate.getDate() - 15); // 15 days ago (older than 14 day limit)
-
-  stubMostRecentActionsCacheEntry(cacheKey, oldDate);
-
-  const result = await getCodeQLVersionFromOverlayBaseDatabase(logger);
-  t.is(
-    result,
-    undefined,
-    "Should return undefined when cache entry is too old",
-  );
-});
-
-test("getCodeQLVersionFromOverlayBaseDatabase returns undefined when cache key format is invalid", async (t) => {
-  const logger = getRunnerLogger(true);
-
-  sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-  stubMostRecentActionsCacheEntry("invalid-key-format", new Date());
-
-  const result = await getCodeQLVersionFromOverlayBaseDatabase(logger);
-  t.is(
-    result,
-    undefined,
-    "Should return undefined when cache key format is invalid",
-  );
-});
-
-test("getCodeQLVersionFromOverlayBaseDatabase returns undefined when CodeQL version is invalid semver", async (t) => {
-  const logger = getRunnerLogger(true);
-  const invalidCacheKey = await generateTestCacheKey("invalid.version");
-
-  stubMostRecentActionsCacheEntry(invalidCacheKey, new Date());
-
-  const result = await getCodeQLVersionFromOverlayBaseDatabase(logger);
-  t.is(
-    result,
-    undefined,
-    "Should return undefined when CodeQL version is invalid semver",
-  );
-});
-
-test("getCodeQLVersionFromOverlayBaseDatabase returns undefined when CodeQL version is too old", async (t) => {
-  const logger = getRunnerLogger(true);
-  const cacheKey = await generateTestCacheKey("2.20.0"); // Older than minimum required version (2.22.4)
-
-  stubMostRecentActionsCacheEntry(cacheKey, new Date());
-
-  const result = await getCodeQLVersionFromOverlayBaseDatabase(logger);
-  t.is(
-    result,
-    undefined,
-    "Should return undefined when CodeQL version is older than minimum required version",
-  );
-});
-
-test("getCodeQLVersionFromOverlayBaseDatabase returns undefined when cache entry has no key", async (t) => {
-  const logger = getRunnerLogger(true);
-
-  sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-  stubMostRecentActionsCacheEntry(undefined, new Date());
-
-  const result = await getCodeQLVersionFromOverlayBaseDatabase(logger);
-  t.is(
-    result,
-    undefined,
-    "Should return undefined when cache entry has no key",
-  );
-});
-
-test("getCodeQLVersionFromOverlayBaseDatabase returns undefined when cache entry has no created_at", async (t) => {
-  const logger = getRunnerLogger(true);
-  const cacheKey = await generateTestCacheKey("2.23.0");
-
-  stubMostRecentActionsCacheEntry(cacheKey, undefined);
-
-  const result = await getCodeQLVersionFromOverlayBaseDatabase(logger);
-  t.is(
-    result,
-    undefined,
-    "Should return undefined when cache entry has no created_at",
-  );
-});