Merge pull request #446 from github/daverlo/runAutomationDetails

Add automationdetails id to runs
Merge branch 'main' into daverlo/runAutomationDetails
2025-12-09 01:08:10 +08:00 · 2021-04-19 11:30:53 +02:00 · 2021-04-19 10:47:18 +02:00 · 2021-04-19 09:04:58 +02:00 · 2021-04-16 12:09:26 -07:00 · 2021-04-16 09:24:34 +02:00
58 changed files with 1023 additions and 270 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -7,10 +7,56 @@ on:
    branches: [main, v1]

 jobs:
+  # Identify the CodeQL tool versions to use in the analysis job.
+  check-codeql-versions:
+    runs-on: ubuntu-latest
+    outputs:
+      versions: ${{ steps.compare.outputs.versions }}
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Init with default CodeQL bundle from the VM image
+      id: init-default
+      uses: ./init
+      with:
+        languages: javascript
+    - name: Remove empty database
+      # allows us to run init a second time
+      run: |
+        rm -rf "$RUNNER_TEMP/codeql_databases"
+    - name: Init with latest CodeQL bundle
+      id: init-latest
+      uses: ./init
+      with:
+        tools: latest
+        languages: javascript
+    - name: Compare default and latest CodeQL bundle versions
+      id: compare
+      env:
+        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
+        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
+      run: |
+        CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
+        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
+        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
+        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
+        if [[ "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
+          # Just use `tools: null` to avoid duplication in the analysis job.
+          VERSIONS_JSON='[null]'
+        else
+          # Use both `tools: null` and `tools: latest` in the analysis job.
+          VERSIONS_JSON='[null, "latest"]'
+        fi
+        # Output a JSON-encoded list with the distinct versions to test against.
+        echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
+        echo "::set-output name=versions::${VERSIONS_JSON}"
+
  build:
+    needs: [check-codeql-versions]
    strategy:
      matrix:
        os: [ubuntu-latest,windows-latest,macos-latest]
+        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

    steps:
@@ -20,6 +66,7 @@ jobs:
      with:
        languages: javascript
        config-file: ./.github/codeql/codeql-config.yml
+        tools: ${{ matrix.tools }}
    # confirm steps.init.outputs.codeql-path points to the codeql binary
    - name: Print CodeQL Version
      run: ${{steps.init.outputs.codeql-path}} version --format=json
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -80,13 +80,65 @@ jobs:
          exit 1
        fi

-  multi-language-repo_test-custom-queries-and-remote-config:
+  # Identify the CodeQL tool versions to integration test against.
+  check-codeql-versions:
    needs: [check-js, check-node-modules]
+    runs-on: ubuntu-latest
+    outputs:
+      versions: ${{ steps.compare.outputs.versions }}
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Move codeql-action
+      shell: bash
+      run: |
+        mkdir ../action
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
+        mv ../action/.github/workflows .github
+    - name: Init with default CodeQL bundle from the VM image
+      id: init-default
+      uses: ./../action/init
+      with:
+        languages: javascript
+    - name: Remove empty database
+      # allows us to run init a second time
+      run: |
+        rm -rf "$RUNNER_TEMP/codeql_databases"
+    - name: Init with latest CodeQL bundle
+      id: init-latest
+      uses: ./../action/init
+      with:
+        tools: latest
+        languages: javascript
+    - name: Compare default and latest CodeQL bundle versions
+      id: compare
+      env:
+        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
+        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
+      run: |
+        CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
+        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
+        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
+        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
+        if [[ "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
+          # Just use `tools: null` to avoid duplication in the integration tests.
+          VERSIONS_JSON='[null]'
+        else
+          # Use both `tools: null` and `tools: latest` in the integration tests.
+          VERSIONS_JSON='[null, "latest"]'
+        fi
+        # Output a JSON-encoded list with the distinct versions to test against.
+        echo "Suggested matrix config for integration tests: $VERSIONS_JSON"
+        echo "::set-output name=versions::${VERSIONS_JSON}"
+
+  multi-language-repo_test-custom-queries-and-remote-config:
+    needs: [check-js, check-node-modules, check-codeql-versions]
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
-        tools: [~, latest]
+        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

    steps:
@@ -112,11 +164,12 @@ jobs:

  # Currently is not possible to analyze Go in conjunction with other languages in macos
  multi-language-repo_test-go-custom-queries:
-    needs: [check-js, check-node-modules]
+    needs: [check-js, check-node-modules, check-codeql-versions]
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
+        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

    steps:
@@ -136,6 +189,7 @@ jobs:
      with:
        languages: go
        config-file: ./.github/codeql/custom-queries.yml
+        tools: ${{ matrix.tools }}
    - name: Build code
      shell: bash
      run: ./build.sh
@@ -144,11 +198,12 @@ jobs:
        TEST_MODE: true

  go-custom-tracing:
-    needs: [check-js, check-node-modules]
+    needs: [check-js, check-node-modules, check-codeql-versions]
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
+        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}
    env:
      CODEQL_EXTRACTOR_GO_BUILD_TRACING: "on"
@@ -169,6 +224,7 @@ jobs:
    - uses: ./../action/init
      with:
        languages: go
+        tools: ${{ matrix.tools }}
    - name: Build code
      shell: bash
      run: go build main.go
@@ -177,7 +233,11 @@ jobs:
        TEST_MODE: true

  go-custom-tracing-autobuild:
-    needs: [check-js, check-node-modules]
+    needs: [check-js, check-node-modules, check-codeql-versions]
+    strategy:
+      fail-fast: false
+      matrix:
+        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    # No need to test Go autobuild on multiple OSes since
    # we're testing Go custom tracing with a manual build on all OSes.
    runs-on: ubuntu-latest
@@ -196,6 +256,7 @@ jobs:
    - uses: ./../action/init
      with:
        languages: go
+        tools: ${{ matrix.tools }}
    - uses: ./../action/autobuild
    - uses: ./../action/analyze
      env:
@@ -235,7 +296,11 @@ jobs:
        TEST_MODE: true

  test-proxy:
-    needs: [check-js, check-node-modules]
+    needs: [check-js, check-node-modules, check-codeql-versions]
+    strategy:
+      fail-fast: false
+      matrix:
+        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ubuntu-latest
    container:
      image: ubuntu:18.04
@@ -259,6 +324,7 @@ jobs:
    - uses: ./../action/init
      with:
        languages: javascript
+        tools: ${{ matrix.tools }}
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
--- a/lib/actions-util.js
+++ b/lib/actions-util.js
@@ -77,7 +77,7 @@ exports.prepareLocalRunEnvironment = prepareLocalRunEnvironment;
 /**
 * Gets the SHA of the commit that is currently checked out.
 */
-exports.getCommitOid = async function () {
+exports.getCommitOid = async function (ref = "HEAD") {
    // Try to use git to get the current commit SHA. If that fails then
    // log but otherwise silently fall back to using the SHA from the environment.
    // The only time these two values will differ is during analysis of a PR when
@@ -87,7 +87,7 @@ exports.getCommitOid = async function () {
    // reported on the merge commit.
    try {
        let commitOid = "";
-        await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), ["rev-parse", "HEAD"], {
+        await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), ["rev-parse", ref], {
            silent: true,
            listeners: {
                stdout: (data) => {
@@ -328,7 +328,7 @@ function getWorkflowRunID() {
 }
 exports.getWorkflowRunID = getWorkflowRunID;
 /**
- * Get the analysis key paramter for the current job.
+ * Get the analysis key parameter for the current job.
 *
 * This will combine the workflow path and current job name.
 * Computing this the first time requires making requests to
@@ -354,15 +354,28 @@ async function getRef() {
    // Will be in the form "refs/heads/master" on a push event
    // or in the form "refs/pull/N/merge" on a pull_request event
    const ref = getRequiredEnvParam("GITHUB_REF");
+    const sha = getRequiredEnvParam("GITHUB_SHA");
    // For pull request refs we want to detect whether the workflow
    // has run `git checkout HEAD^2` to analyze the 'head' ref rather
    // than the 'merge' ref. If so, we want to convert the ref that
    // we report back.
    const pull_ref_regex = /refs\/pull\/(\d+)\/merge/;
-    const checkoutSha = await exports.getCommitOid();
-    if (pull_ref_regex.test(ref) &&
-        checkoutSha !== getRequiredEnvParam("GITHUB_SHA")) {
-        return ref.replace(pull_ref_regex, "refs/pull/$1/head");
+    if (!pull_ref_regex.test(ref)) {
+        return ref;
+    }
+    const head = await exports.getCommitOid("HEAD");
+    // in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA
+    // in actions/checkout@v1 this may not be true as it checks out the repository
+    // using GITHUB_REF. There is a subtle race condition where
+    // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check
+    // git git-parse GITHUB_REF == git rev-parse HEAD instead.
+    const hasChangedRef = sha !== head &&
+        (await exports.getCommitOid(ref.replace(/^refs\/pull\//, "refs/remotes/pull/"))) !==
+            head;
+    if (hasChangedRef) {
+        const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
+        core.debug(`No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`);
+        return newRef;
    }
    else {
        return ref;
@@ -434,6 +447,10 @@ function isHTTPError(arg) {
    var _a;
    return ((_a = arg) === null || _a === void 0 ? void 0 : _a.status) !== undefined && Number.isInteger(arg.status);
 }
+const GENERIC_403_MSG = "The repo on which this action is running is not opted-in to CodeQL code scanning.";
+const GENERIC_404_MSG = "Not authorized to used the CodeQL code scanning feature on this repo.";
+const OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+const INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
 /**
 * Send a status report to the code_scanning/analysis/status endpoint.
 *
@@ -462,34 +479,51 @@ async function sendStatusReport(statusReport) {
        return true;
    }
    catch (e) {
+        console.log(e);
        if (isHTTPError(e)) {
            switch (e.status) {
                case 403:
-                    core.setFailed("The repo on which this action is running is not opted-in to CodeQL code scanning.");
+                    if (workflowIsTriggeredByPushEvent() && isDependabotActor()) {
+                        core.setFailed('Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
+                            "Uploading Code Scanning results requires write access. " +
+                            'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
+                            "See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events.");
+                    }
+                    else {
+                        core.setFailed(e.message || GENERIC_403_MSG);
+                    }
                    return false;
                case 404:
-                    core.setFailed("Not authorized to used the CodeQL code scanning feature on this repo.");
+                    core.setFailed(GENERIC_404_MSG);
                    return false;
                case 422:
                    // schema incompatibility when reporting status
                    // this means that this action version is no longer compatible with the API
                    // we still want to continue as it is likely the analysis endpoint will work
                    if (getRequiredEnvParam("GITHUB_SERVER_URL") !== util_1.GITHUB_DOTCOM_URL) {
-                        core.debug("CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.");
+                        core.debug(INCOMPATIBLE_MSG);
                    }
                    else {
-                        core.debug("CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.");
+                        core.debug(OUT_OF_DATE_MSG);
                    }
                    return true;
            }
        }
        // something else has gone wrong and the request/response will be logged by octokit
        // it's possible this is a transient error and we should continue scanning
-        core.error("An unexpected error occured when sending code scanning status report.");
+        core.error("An unexpected error occurred when sending code scanning status report.");
        return true;
    }
 }
 exports.sendStatusReport = sendStatusReport;
+// Was the workflow run triggered by a `push` event, for example as opposed to a `pull_request` event.
+function workflowIsTriggeredByPushEvent() {
+    return process.env["GITHUB_EVENT_NAME"] === "push";
+}
+// Is dependabot the actor that triggered the current workflow run.
+function isDependabotActor() {
+    return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
+}
 // Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
 // as opposed to running a remote action (i.e. when another repo references us)
 function isRunningLocalAction() {
--- a/lib/actions-util.js.map
+++ b/lib/actions-util.js.map
--- a/lib/actions-util.test.js
+++ b/lib/actions-util.test.js
@@ -28,16 +28,33 @@ ava_1.default("getRef() returns merge PR ref if GITHUB_SHA still checked out", a
    const currentSha = "a".repeat(40);
    process.env["GITHUB_REF"] = expectedRef;
    process.env["GITHUB_SHA"] = currentSha;
-    sinon_1.default.stub(actionsutil, "getCommitOid").resolves(currentSha);
+    const callback = sinon_1.default.stub(actionsutil, "getCommitOid");
+    callback.withArgs("HEAD").resolves(currentSha);
    const actualRef = await actionsutil.getRef();
    t.deepEqual(actualRef, expectedRef);
+    callback.restore();
 });
-ava_1.default("getRef() returns head PR ref if GITHUB_SHA not currently checked out", async (t) => {
+ava_1.default("getRef() returns merge PR ref if GITHUB_REF still checked out but sha has changed (actions checkout@v1)", async (t) => {
+    const expectedRef = "refs/pull/1/merge";
+    process.env["GITHUB_REF"] = expectedRef;
+    process.env["GITHUB_SHA"] = "b".repeat(40);
+    const sha = "a".repeat(40);
+    const callback = sinon_1.default.stub(actionsutil, "getCommitOid");
+    callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
+    callback.withArgs("HEAD").resolves(sha);
+    const actualRef = await actionsutil.getRef();
+    t.deepEqual(actualRef, expectedRef);
+    callback.restore();
+});
+ava_1.default("getRef() returns head PR ref if GITHUB_REF no longer checked out", async (t) => {
    process.env["GITHUB_REF"] = "refs/pull/1/merge";
    process.env["GITHUB_SHA"] = "a".repeat(40);
-    sinon_1.default.stub(actionsutil, "getCommitOid").resolves("b".repeat(40));
+    const callback = sinon_1.default.stub(actionsutil, "getCommitOid");
+    callback.withArgs("refs/pull/1/merge").resolves("a".repeat(40));
+    callback.withArgs("HEAD").resolves("b".repeat(40));
    const actualRef = await actionsutil.getRef();
    t.deepEqual(actualRef, "refs/pull/1/head");
+    callback.restore();
 });
 ava_1.default("getAnalysisKey() when a local run", async (t) => {
    process.env.CODEQL_LOCAL_RUN = "true";
--- a/lib/actions-util.test.js.map
+++ b/lib/actions-util.test.js.map
--- a/lib/analysis-paths.js
+++ b/lib/analysis-paths.js
@@ -28,7 +28,7 @@ function printPathFiltersWarning(config, logger) {
    // If any other languages are detected/configured then show a warning.
    if ((config.paths.length !== 0 || config.pathsIgnore.length !== 0) &&
        !config.languages.every(isInterpretedLanguage)) {
-        logger.warning('The "paths"/"paths-ignore" fields of the config only have effect for Javascript and Python');
+        logger.warning('The "paths"/"paths-ignore" fields of the config only have effect for JavaScript and Python');
    }
 }
 exports.printPathFiltersWarning = printPathFiltersWarning;
--- a/lib/api-client.js
+++ b/lib/api-client.js
@@ -20,11 +20,12 @@ var DisallowedAPIVersionReason;
    DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_OLD"] = 0] = "ACTION_TOO_OLD";
    DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_NEW"] = 1] = "ACTION_TOO_NEW";
 })(DisallowedAPIVersionReason = exports.DisallowedAPIVersionReason || (exports.DisallowedAPIVersionReason = {}));
-exports.getApiClient = function (apiDetails, allowLocalRun = false) {
+exports.getApiClient = function (apiDetails, { allowLocalRun = false, allowExternal = false } = {}) {
    if (util_1.isLocalRun() && !allowLocalRun) {
        throw new Error("Invalid API call in local run");
    }
-    return new githubUtils.GitHub(githubUtils.getOctokitOptions(apiDetails.auth, {
+    const auth = (allowExternal && apiDetails.externalRepoAuth) || apiDetails.auth;
+    return new githubUtils.GitHub(githubUtils.getOctokitOptions(auth, {
        baseUrl: getApiUrl(apiDetails.url),
        userAgent: "CodeQL Action",
        log: console_log_level_1.default({ level: "debug" }),
@@ -49,7 +50,7 @@ function getActionsApiClient(allowLocalRun = false) {
        auth: actions_util_1.getRequiredInput("token"),
        url: actions_util_1.getRequiredEnvParam("GITHUB_SERVER_URL"),
    };
-    return exports.getApiClient(apiDetails, allowLocalRun);
+    return exports.getApiClient(apiDetails, { allowLocalRun });
 }
 exports.getActionsApiClient = getActionsApiClient;
 //# sourceMappingURL=api-client.js.map
--- a/lib/api-client.js.map
+++ b/lib/api-client.js.map
@@ -1 +1 @@
-{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,0EAAgD;AAEhD,iDAAuE;AACvE,iCAAoC;AAEpC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAeY,QAAA,YAAY,GAAG,UAC1B,UAA4B,EAC5B,aAAa,GAAG,KAAK;IAErB,IAAI,iBAAU,EAAE,IAAI,CAAC,aAAa,EAAE;QAClC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;KAClD;IACD,OAAO,IAAI,WAAW,CAAC,MAAM,CAC3B,WAAW,CAAC,iBAAiB,CAAC,UAAU,CAAC,IAAI,EAAE;QAC7C,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAClC,SAAS,EAAE,eAAe;QAC1B,GAAG,EAAE,2BAAe,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB,CAAC,aAAa,GAAG,KAAK;IACvD,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,+BAAgB,CAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,kCAAmB,CAAC,mBAAmB,CAAC;KAC9C,CAAC;IAEF,OAAO,oBAAY,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;AACjD,CAAC;AAPD,kDAOC"}
+{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,0EAAgD;AAEhD,iDAAuE;AACvE,iCAAoC;AAEpC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAeY,QAAA,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAErD,IAAI,iBAAU,EAAE,IAAI,CAAC,aAAa,EAAE;QAClC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;KAClD;IAED,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,OAAO,IAAI,WAAW,CAAC,MAAM,CAC3B,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAClC,SAAS,EAAE,eAAe;QAC1B,GAAG,EAAE,2BAAe,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB,CAAC,aAAa,GAAG,KAAK;IACvD,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,+BAAgB,CAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,kCAAmB,CAAC,mBAAmB,CAAC;KAC9C,CAAC;IAEF,OAAO,oBAAY,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,CAAC,CAAC;AACrD,CAAC;AAPD,kDAOC"}
--- a/lib/api-client.test.js
+++ b/lib/api-client.test.js
@@ -0,0 +1,72 @@
+"use strict";
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
+    result["default"] = mod;
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const githubUtils = __importStar(require("@actions/github/lib/utils"));
+const ava_1 = __importDefault(require("ava"));
+const sinon_1 = __importDefault(require("sinon"));
+const api_client_1 = require("./api-client");
+const testing_utils_1 = require("./testing-utils");
+testing_utils_1.setupTests(ava_1.default);
+let githubStub;
+ava_1.default.beforeEach(() => {
+    githubStub = sinon_1.default.stub(githubUtils, "GitHub");
+});
+ava_1.default("Get the client API", async (t) => {
+    doTest(t, {
+        auth: "xyz",
+        externalRepoAuth: "abc",
+        url: "http://hucairz",
+    }, undefined, {
+        auth: "token xyz",
+        baseUrl: "http://hucairz/api/v3",
+        userAgent: "CodeQL Action",
+    });
+});
+ava_1.default("Get the client API external", async (t) => {
+    doTest(t, {
+        auth: "xyz",
+        externalRepoAuth: "abc",
+        url: "http://hucairz",
+    }, { allowExternal: true }, {
+        auth: "token abc",
+        baseUrl: "http://hucairz/api/v3",
+        userAgent: "CodeQL Action",
+    });
+});
+ava_1.default("Get the client API external not present", async (t) => {
+    doTest(t, {
+        auth: "xyz",
+        url: "http://hucairz",
+    }, { allowExternal: true }, {
+        auth: "token xyz",
+        baseUrl: "http://hucairz/api/v3",
+        userAgent: "CodeQL Action",
+    });
+});
+ava_1.default("Get the client API with github url", async (t) => {
+    doTest(t, {
+        auth: "xyz",
+        url: "https://github.com/some/invalid/url",
+    }, undefined, {
+        auth: "token xyz",
+        baseUrl: "https://api.github.com",
+        userAgent: "CodeQL Action",
+    });
+});
+function doTest(t, clientArgs, clientOptions, expected) {
+    api_client_1.getApiClient(clientArgs, clientOptions);
+    const firstCallArgs = githubStub.args[0];
+    // log is a function, so we don't need to test for equality of it
+    delete firstCallArgs[0].log;
+    t.deepEqual(firstCallArgs, [expected]);
+}
+//# sourceMappingURL=api-client.test.js.map
--- a/lib/api-client.test.js.map
+++ b/lib/api-client.test.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"api-client.test.js","sourceRoot":"","sources":["../src/api-client.test.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,uEAAyD;AACzD,8CAA6C;AAC7C,kDAA0B;AAE1B,6CAA4C;AAC5C,mDAA6C;AAE7C,0BAAU,CAAC,aAAI,CAAC,CAAC;AAEjB,IAAI,UAA2B,CAAC;AAEhC,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,UAAU,GAAG,eAAK,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;AACjD,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,oBAAoB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrC,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,6BAA6B,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC9C,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1D,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,oCAAoC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrD,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,qCAAqC;KAC3C,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,SAAS,MAAM,CACb,CAA4B,EAC5B,UAAe,EACf,aAAkB,EAClB,QAAa;IAEb,yBAAY,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAExC,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACzC,iEAAiE;IACjE,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC5B,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;AACzC,CAAC"}
--- a/lib/codeql.js
+++ b/lib/codeql.js
@@ -54,6 +54,11 @@ function getCodeQLActionRepository(mode, logger) {
    if (mode !== "actions") {
        return CODEQL_DEFAULT_ACTION_REPOSITORY;
    }
+    else {
+        return getActionsCodeQLActionRepository(logger);
+    }
+}
+function getActionsCodeQLActionRepository(logger) {
    if (process.env["GITHUB_ACTION_REPOSITORY"] !== undefined) {
        return process.env["GITHUB_ACTION_REPOSITORY"];
    }
@@ -69,7 +74,7 @@ function getCodeQLActionRepository(mode, logger) {
    const relativeScriptPathParts = actions_util_1.getRelativeScriptPath().split(path.sep);
    return `${relativeScriptPathParts[0]}/${relativeScriptPathParts[1]}`;
 }
-async function getCodeQLBundleDownloadURL(apiDetails, mode, logger) {
+async function getCodeQLBundleDownloadURL(apiDetails, mode, variant, logger) {
    const codeQLActionRepository = getCodeQLActionRepository(mode, logger);
    const potentialDownloadSources = [
        // This GitHub instance, and this Action.
@@ -85,6 +90,30 @@ async function getCodeQLBundleDownloadURL(apiDetails, mode, logger) {
        return !self.slice(0, index).some((other) => fast_deep_equal_1.default(source, other));
    });
    const codeQLBundleName = getCodeQLBundleName();
+    if (variant === util.GitHubVariant.GHAE) {
+        try {
+            const release = await api
+                .getApiClient(apiDetails)
+                .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
+                tag: CODEQL_BUNDLE_VERSION,
+            });
+            const assetID = release.data.assets[codeQLBundleName];
+            if (assetID !== undefined) {
+                const download = await api
+                    .getApiClient(apiDetails)
+                    .request("GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}", { asset_id: assetID });
+                const downloadURL = download.data.url;
+                logger.info(`Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`);
+                return downloadURL;
+            }
+            else {
+                logger.info(`Attempted to fetch bundle from GitHub AE endpoint but the bundle ${codeQLBundleName} was not found in the assets ${JSON.stringify(release.data.assets)}.`);
+            }
+        }
+        catch (e) {
+            logger.info(`Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`);
+        }
+    }
    for (const downloadSource of uniqueDownloadSources) {
        const [apiURL, repository] = downloadSource;
        // If we've reached the final case, short-circuit the API check since we know the bundle exists and is public.
@@ -110,25 +139,6 @@ async function getCodeQLBundleDownloadURL(apiDetails, mode, logger) {
            logger.info(`Looked for CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} but got error ${e}.`);
        }
    }
-    try {
-        const release = await api
-            .getApiClient(apiDetails)
-            .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
-            tag: CODEQL_BUNDLE_VERSION,
-        });
-        const assetID = release.data.assets[codeQLBundleName];
-        if (assetID !== undefined) {
-            const download = await api
-                .getApiClient(apiDetails)
-                .request("GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}", { asset_id: assetID });
-            const downloadURL = download.data.url;
-            logger.info(`Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`);
-            return downloadURL;
-        }
-    }
-    catch (e) {
-        logger.info(`Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`);
-    }
    return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
 }
 // We have to download CodeQL manually because the toolcache doesn't support Accept headers.
@@ -146,12 +156,7 @@ async function toolcacheDownloadTool(url, headers, tempDir, logger) {
    await pipeline(response.message, fs.createWriteStream(dest));
    return dest;
 }
-async function setupCodeQL(codeqlURL, apiDetails, tempDir, toolsDir, mode, logger) {
-    // Setting these two env vars makes the toolcache code safe to use outside,
-    // of actions but this is obviously not a great thing we're doing and it would
-    // be better to write our own implementation to use outside of actions.
-    process.env["RUNNER_TEMP"] = tempDir;
-    process.env["RUNNER_TOOL_CACHE"] = toolsDir;
+async function setupCodeQL(codeqlURL, apiDetails, tempDir, mode, variant, logger) {
    try {
        // We use the special value of 'latest' to prioritize the version in the
        // defaults over any pinned cached version.
@@ -181,7 +186,7 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, toolsDir, mode, logge
        }
        else {
            if (!codeqlURL) {
-                codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, mode, logger);
+                codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, mode, variant, logger);
            }
            const parsedCodeQLURL = new URL(codeqlURL);
            const parsedQueryString = query_string_1.default.parse(parsedCodeQLURL.search);
--- a/lib/codeql.js.map
+++ b/lib/codeql.js.map
--- a/lib/codeql.test.js
+++ b/lib/codeql.test.js
@@ -24,15 +24,20 @@ const sampleApiDetails = {
    auth: "token",
    url: "https://github.com",
 };
+const sampleGHAEApiDetails = {
+    auth: "token",
+    url: "https://example.githubenterprise.com",
+};
 ava_1.default("download codeql bundle cache", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
+        util.setupActionsVars(tmpDir, tmpDir);
        const versions = ["20200601", "20200610"];
        for (let i = 0; i < versions.length; i++) {
            const version = versions[i];
            nock_1.default("https://example.com")
                .get(`/download/codeql-bundle-${version}/codeql-bundle.tar.gz`)
                .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle.tar.gz`));
-            await codeql.setupCodeQL(`https://example.com/download/codeql-bundle-${version}/codeql-bundle.tar.gz`, sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+            await codeql.setupCodeQL(`https://example.com/download/codeql-bundle-${version}/codeql-bundle.tar.gz`, sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
            t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
        }
        const cachedVersions = toolcache.findAllVersions("CodeQL");
@@ -41,36 +46,39 @@ ava_1.default("download codeql bundle cache", async (t) => {
 });
 ava_1.default("download codeql bundle cache explicitly requested with pinned different version cached", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
+        util.setupActionsVars(tmpDir, tmpDir);
        nock_1.default("https://example.com")
            .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
            .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
-        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
        nock_1.default("https://example.com")
            .get(`/download/codeql-bundle-20200610/codeql-bundle.tar.gz`)
            .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle.tar.gz`));
-        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200610/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200610/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
        t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
    });
 });
 ava_1.default("don't download codeql bundle cache with pinned different version cached", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
+        util.setupActionsVars(tmpDir, tmpDir);
        nock_1.default("https://example.com")
            .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
            .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
-        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
        const cachedVersions = toolcache.findAllVersions("CodeQL");
        t.is(cachedVersions.length, 1);
    });
 });
 ava_1.default("download codeql bundle cache with different version cached (not pinned)", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
+        util.setupActionsVars(tmpDir, tmpDir);
        nock_1.default("https://example.com")
            .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
            .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle.tar.gz`));
-        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
        const platform = process.platform === "win32"
            ? "win64"
@@ -80,17 +88,18 @@ ava_1.default("download codeql bundle cache with different version cached (not p
        nock_1.default("https://github.com")
            .get(`/github/codeql-action/releases/download/${defaults.bundleVersion}/codeql-bundle-${platform}.tar.gz`)
            .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle.tar.gz`));
-        await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
        const cachedVersions = toolcache.findAllVersions("CodeQL");
        t.is(cachedVersions.length, 2);
    });
 });
-ava_1.default('download codeql bundle cache with pinned different version cached if "latests" tools specified', async (t) => {
+ava_1.default('download codeql bundle cache with pinned different version cached if "latest" tools specified', async (t) => {
    await util.withTmpDir(async (tmpDir) => {
+        util.setupActionsVars(tmpDir, tmpDir);
        nock_1.default("https://example.com")
            .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
            .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
-        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
        const platform = process.platform === "win32"
            ? "win64"
@@ -100,11 +109,39 @@ ava_1.default('download codeql bundle cache with pinned different version cached
        nock_1.default("https://github.com")
            .get(`/github/codeql-action/releases/download/${defaults.bundleVersion}/codeql-bundle-${platform}.tar.gz`)
            .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle.tar.gz`));
-        await codeql.setupCodeQL("latest", sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL("latest", sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
        const cachedVersions = toolcache.findAllVersions("CodeQL");
        t.is(cachedVersions.length, 2);
    });
 });
+ava_1.default("download codeql bundle from github ae endpoint", async (t) => {
+    await util.withTmpDir(async (tmpDir) => {
+        util.setupActionsVars(tmpDir, tmpDir);
+        const bundleAssetID = 10;
+        const platform = process.platform === "win32"
+            ? "win64"
+            : process.platform === "linux"
+                ? "linux64"
+                : "osx64";
+        const codeQLBundleName = `codeql-bundle-${platform}.tar.gz`;
+        nock_1.default("https://example.githubenterprise.com")
+            .get(`/api/v3/enterprise/code-scanning/codeql-bundle/find/${defaults.bundleVersion}`)
+            .reply(200, {
+            assets: { [codeQLBundleName]: bundleAssetID },
+        });
+        nock_1.default("https://example.githubenterprise.com")
+            .get(`/api/v3/enterprise/code-scanning/codeql-bundle/download/${bundleAssetID}`)
+            .reply(200, {
+            url: `https://example.githubenterprise.com/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`,
+        });
+        nock_1.default("https://example.githubenterprise.com")
+            .get(`/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`)
+            .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
+        await codeql.setupCodeQL(undefined, sampleGHAEApiDetails, tmpDir, "runner", util.GitHubVariant.GHAE, logging_1.getRunnerLogger(true));
+        const cachedVersions = toolcache.findAllVersions("CodeQL");
+        t.is(cachedVersions.length, 1);
+    });
+});
 ava_1.default("parse codeql bundle url version", (t) => {
    t.deepEqual(codeql.getCodeQLURLVersion("https://github.com/.../codeql-bundle-20200601/..."), "20200601");
 });
--- a/lib/codeql.test.js.map
+++ b/lib/codeql.test.js.map
--- a/lib/config-utils.js
+++ b/lib/config-utils.js
@@ -304,7 +304,7 @@ exports.getUnknownLanguagesError = getUnknownLanguagesError;
 async function getLanguagesInRepo(repository, apiDetails, logger) {
    logger.debug(`GitHub repo ${repository.owner} ${repository.repo}`);
    const response = await api
-        .getApiClient(apiDetails, true)
+        .getApiClient(apiDetails, { allowLocalRun: true })
        .repos.listLanguages({
        owner: repository.owner,
        repo: repository.repo,
@@ -556,7 +556,9 @@ async function getRemoteConfig(configFile, apiDetails) {
    if (pieces === null || pieces.groups === undefined || pieces.length < 5) {
        throw new Error(getConfigFileRepoFormatInvalidMessage(configFile));
    }
-    const response = await api.getApiClient(apiDetails, true).repos.getContent({
+    const response = await api
+        .getApiClient(apiDetails, { allowLocalRun: true, allowExternal: true })
+        .repos.getContent({
        owner: pieces.groups.owner,
        repo: pieces.groups.repo,
        path: pieces.groups.path,
--- a/lib/config-utils.js.map
+++ b/lib/config-utils.js.map
--- a/lib/defaults.json
+++ b/lib/defaults.json
@@ -1,3 +1,3 @@
 {
-    "bundleVersion": "codeql-bundle-20210304"
+    "bundleVersion": "codeql-bundle-20210326"
 }
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -60,16 +60,14 @@ async function run() {
        url: actionsUtil.getRequiredEnvParam("GITHUB_SERVER_URL"),
    };
    const gitHubVersion = await util_1.getGitHubVersion(apiDetails);
-    if (gitHubVersion !== undefined) {
-        util_1.checkGitHubVersionInRange(gitHubVersion, "actions", logger);
-    }
+    util_1.checkGitHubVersionInRange(gitHubVersion, "actions", logger);
    try {
        actionsUtil.prepareLocalRunEnvironment();
        const workflowErrors = await actionsUtil.validateWorkflow();
        if (!(await actionsUtil.sendStatusReport(await actionsUtil.createStatusReportBase("init", "starting", startedAt, workflowErrors)))) {
            return;
        }
-        const initCodeQLResult = await init_1.initCodeQL(actionsUtil.getOptionalInput("tools"), apiDetails, actionsUtil.getTemporaryDirectory(), actionsUtil.getRequiredEnvParam("RUNNER_TOOL_CACHE"), "actions", logger);
+        const initCodeQLResult = await init_1.initCodeQL(actionsUtil.getOptionalInput("tools"), apiDetails, actionsUtil.getTemporaryDirectory(), "actions", gitHubVersion.type, logger);
        codeql = initCodeQLResult.codeql;
        toolsVersion = initCodeQLResult.toolsVersion;
        config = await init_1.initConfig(actionsUtil.getOptionalInput("languages"), actionsUtil.getOptionalInput("queries"), actionsUtil.getOptionalInput("config-file"), repository_1.parseRepositoryNwo(actionsUtil.getRequiredEnvParam("GITHUB_REPOSITORY")), actionsUtil.getTemporaryDirectory(), actionsUtil.getRequiredEnvParam("RUNNER_TOOL_CACHE"), codeql, actionsUtil.getRequiredEnvParam("GITHUB_WORKSPACE"), gitHubVersion, apiDetails, logger);
--- a/lib/init-action.js.map
+++ b/lib/init-action.js.map
@@ -1 +1 @@
-{"version":3,"file":"init-action.js","sourceRoot":"","sources":["../src/init-action.ts"],"names":[],"mappings":";;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAG9C,iCAMgB;AAChB,2CAAuC;AACvC,uCAA6C;AAC7C,6CAAkD;AAClD,iCAAqE;AAsBrE,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,MAA0B,EAC1B,YAAoB;;IAEpB,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,MAAM,EACN,SAAS,EACT,SAAS,CACV,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,iBAAiB,GAAG,WAAW,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACpE,MAAM,KAAK,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CACvE,GAAG,CACJ,CAAC;IACF,MAAM,qBAAqB,GAAG,MAAM,CAAC,iBAAiB,CACpD,yBAAyB,CAC1B;QACC,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,YAAY,SAAG,WAAW,CAAC,gBAAgB,CAAC,SAAS,CAAC,0CAAE,IAAI,EAAE,CAAC;IACnE,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE;QAC9D,OAAO,CAAC,IAAI,CACV,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAC/D,CAAC;KACH;IACD,IAAI,YAAY,KAAK,SAAS,EAAE;QAC9B,YAAY,GAAG,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACzC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;YACxB,CAAC,CAAC,YAAY,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;KAC1C;IAED,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,SAAS;QACT,kBAAkB,EAAE,iBAAiB,IAAI,EAAE;QAC3C,KAAK;QACL,YAAY,EAAE,WAAW;QACzB,uBAAuB,EAAE,qBAAqB;QAC9C,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;QAC1B,WAAW,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC,IAAI,EAAE;QACxD,sBAAsB,EAAE,YAAY;KACrC,CAAC;IAEF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,0BAAgB,EAAE,CAAC;IAClC,IAAI,MAA0B,CAAC;IAC/B,IAAI,MAAc,CAAC;IACnB,IAAI,YAAoB,CAAC;IAEzB,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;QAC3C,gBAAgB,EAAE,WAAW,CAAC,gBAAgB,CAAC,2BAA2B,CAAC;QAC3E,GAAG,EAAE,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC;KAC1D,CAAC;IAEF,MAAM,aAAa,GAAG,MAAM,uBAAgB,CAAC,UAAU,CAAC,CAAC;IACzD,IAAI,aAAa,KAAK,SAAS,EAAE;QAC/B,gCAAyB,CAAC,aAAa,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;KAC7D;IAED,IAAI;QACF,WAAW,CAAC,0BAA0B,EAAE,CAAC;QAEzC,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,gBAAgB,EAAE,CAAC;QAE5D,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,MAAM,EACN,UAAU,EACV,SAAS,EACT,cAAc,CACf,CACF,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,gBAAgB,GAAG,MAAM,iBAAU,CACvC,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC,EACrC,UAAU,EACV,WAAW,CAAC,qBAAqB,EAAE,EACnC,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,EACpD,SAAS,EACT,MAAM,CACP,CAAC;QACF,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;QACjC,YAAY,GAAG,gBAAgB,CAAC,YAAY,CAAC;QAE7C,MAAM,GAAG,MAAM,iBAAU,CACvB,WAAW,CAAC,gBAAgB,CAAC,WAAW,CAAC,EACzC,WAAW,CAAC,gBAAgB,CAAC,SAAS,CAAC,EACvC,WAAW,CAAC,gBAAgB,CAAC,aAAa,CAAC,EAC3C,+BAAkB,CAAC,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,CAAC,EACxE,WAAW,CAAC,qBAAqB,EAAE,EACnC,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,EACpD,MAAM,EACN,WAAW,CAAC,mBAAmB,CAAC,kBAAkB,CAAC,EACnD,aAAa,EACb,UAAU,EACV,MAAM,CACP,CAAC;QAEF,IACE,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,oBAAQ,CAAC,MAAM,CAAC;YAC1C,WAAW,CAAC,gBAAgB,CAAC,2BAA2B,CAAC,KAAK,MAAM,EACpE;YACA,IAAI;gBACF,MAAM,wBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;aACzC;YAAC,OAAO,GAAG,EAAE;gBACZ,MAAM,CAAC,OAAO,CACZ,GAAG,GAAG,CAAC,OAAO,2FAA2F,CAC1G,CAAC;aACH;SACF;KACF;IAAC,OAAO,CAAC,EAAE;QACV,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACf,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,MAAM,EACN,SAAS,EACT,SAAS,EACT,CAAC,CAAC,OAAO,CACV,CACF,CAAC;QACF,OAAO;KACR;IAED,IAAI;QACF,mBAAmB;QACnB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,OAAO,EAAE;YACX,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACxC,IAAI,CAAC,OAAO,CACV,6GAA6G,CAC9G,CAAC;SACH;QAED,mGAAmG;QACnG,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,MAAM,CAAC;QACtD,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAE7C,MAAM,YAAY,GAAG,MAAM,cAAO,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACnD,IAAI,YAAY,KAAK,SAAS,EAAE;YAC9B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE;gBAC3D,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;aACjC;YAED,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;gBAChC,MAAM,0BAAmB,CACvB,mBAAmB,EACnB,SAAS,EACT,MAAM,EACN,MAAM,EACN,YAAY,CACb,CAAC;aACH;SACF;QAED,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;KACjD;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,MAAM,EACN,SAAS,EACT,SAAS,EACT,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,KAAK,CACZ,CACF,CAAC;QACF,OAAO;KACR;IACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;AACjE,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,uBAAuB,KAAK,EAAE,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"init-action.js","sourceRoot":"","sources":["../src/init-action.ts"],"names":[],"mappings":";;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAG9C,iCAMgB;AAChB,2CAAuC;AACvC,uCAA6C;AAC7C,6CAAkD;AAClD,iCAAqE;AAsBrE,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,MAA0B,EAC1B,YAAoB;;IAEpB,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,MAAM,EACN,SAAS,EACT,SAAS,CACV,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,iBAAiB,GAAG,WAAW,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACpE,MAAM,KAAK,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CACvE,GAAG,CACJ,CAAC;IACF,MAAM,qBAAqB,GAAG,MAAM,CAAC,iBAAiB,CACpD,yBAAyB,CAC1B;QACC,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,YAAY,SAAG,WAAW,CAAC,gBAAgB,CAAC,SAAS,CAAC,0CAAE,IAAI,EAAE,CAAC;IACnE,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE;QAC9D,OAAO,CAAC,IAAI,CACV,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAC/D,CAAC;KACH;IACD,IAAI,YAAY,KAAK,SAAS,EAAE;QAC9B,YAAY,GAAG,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACzC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;YACxB,CAAC,CAAC,YAAY,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;KAC1C;IAED,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,SAAS;QACT,kBAAkB,EAAE,iBAAiB,IAAI,EAAE;QAC3C,KAAK;QACL,YAAY,EAAE,WAAW;QACzB,uBAAuB,EAAE,qBAAqB;QAC9C,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;QAC1B,WAAW,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC,IAAI,EAAE;QACxD,sBAAsB,EAAE,YAAY;KACrC,CAAC;IAEF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,0BAAgB,EAAE,CAAC;IAClC,IAAI,MAA0B,CAAC;IAC/B,IAAI,MAAc,CAAC;IACnB,IAAI,YAAoB,CAAC;IAEzB,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;QAC3C,gBAAgB,EAAE,WAAW,CAAC,gBAAgB,CAAC,2BAA2B,CAAC;QAC3E,GAAG,EAAE,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC;KAC1D,CAAC;IAEF,MAAM,aAAa,GAAG,MAAM,uBAAgB,CAAC,UAAU,CAAC,CAAC;IACzD,gCAAyB,CAAC,aAAa,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAE5D,IAAI;QACF,WAAW,CAAC,0BAA0B,EAAE,CAAC;QAEzC,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,gBAAgB,EAAE,CAAC;QAE5D,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,MAAM,EACN,UAAU,EACV,SAAS,EACT,cAAc,CACf,CACF,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,gBAAgB,GAAG,MAAM,iBAAU,CACvC,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC,EACrC,UAAU,EACV,WAAW,CAAC,qBAAqB,EAAE,EACnC,SAAS,EACT,aAAa,CAAC,IAAI,EAClB,MAAM,CACP,CAAC;QACF,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;QACjC,YAAY,GAAG,gBAAgB,CAAC,YAAY,CAAC;QAE7C,MAAM,GAAG,MAAM,iBAAU,CACvB,WAAW,CAAC,gBAAgB,CAAC,WAAW,CAAC,EACzC,WAAW,CAAC,gBAAgB,CAAC,SAAS,CAAC,EACvC,WAAW,CAAC,gBAAgB,CAAC,aAAa,CAAC,EAC3C,+BAAkB,CAAC,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,CAAC,EACxE,WAAW,CAAC,qBAAqB,EAAE,EACnC,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,EACpD,MAAM,EACN,WAAW,CAAC,mBAAmB,CAAC,kBAAkB,CAAC,EACnD,aAAa,EACb,UAAU,EACV,MAAM,CACP,CAAC;QAEF,IACE,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,oBAAQ,CAAC,MAAM,CAAC;YAC1C,WAAW,CAAC,gBAAgB,CAAC,2BAA2B,CAAC,KAAK,MAAM,EACpE;YACA,IAAI;gBACF,MAAM,wBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;aACzC;YAAC,OAAO,GAAG,EAAE;gBACZ,MAAM,CAAC,OAAO,CACZ,GAAG,GAAG,CAAC,OAAO,2FAA2F,CAC1G,CAAC;aACH;SACF;KACF;IAAC,OAAO,CAAC,EAAE;QACV,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACf,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,MAAM,EACN,SAAS,EACT,SAAS,EACT,CAAC,CAAC,OAAO,CACV,CACF,CAAC;QACF,OAAO;KACR;IAED,IAAI;QACF,mBAAmB;QACnB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,OAAO,EAAE;YACX,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACxC,IAAI,CAAC,OAAO,CACV,6GAA6G,CAC9G,CAAC;SACH;QAED,mGAAmG;QACnG,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,MAAM,CAAC;QACtD,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAE7C,MAAM,YAAY,GAAG,MAAM,cAAO,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACnD,IAAI,YAAY,KAAK,SAAS,EAAE;YAC9B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE;gBAC3D,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;aACjC;YAED,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;gBAChC,MAAM,0BAAmB,CACvB,mBAAmB,EACnB,SAAS,EACT,MAAM,EACN,MAAM,EACN,YAAY,CACb,CAAC;aACH;SACF;QAED,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;KACjD;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,MAAM,EACN,SAAS,EACT,SAAS,EACT,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,KAAK,CACZ,CACF,CAAC;QACF,OAAO;KACR;IACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;AACjE,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,uBAAuB,KAAK,EAAE,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
--- a/lib/init.js
+++ b/lib/init.js
@@ -16,9 +16,9 @@ const codeql_1 = require("./codeql");
 const configUtils = __importStar(require("./config-utils"));
 const tracer_config_1 = require("./tracer-config");
 const util = __importStar(require("./util"));
-async function initCodeQL(codeqlURL, apiDetails, tempDir, toolsDir, mode, logger) {
+async function initCodeQL(codeqlURL, apiDetails, tempDir, mode, variant, logger) {
    logger.startGroup("Setup CodeQL tools");
-    const { codeql, toolsVersion } = await codeql_1.setupCodeQL(codeqlURL, apiDetails, tempDir, toolsDir, mode, logger);
+    const { codeql, toolsVersion } = await codeql_1.setupCodeQL(codeqlURL, apiDetails, tempDir, mode, variant, logger);
    await codeql.printVersion();
    logger.endGroup();
    return { codeql, toolsVersion };
@@ -129,7 +129,7 @@ exports.injectWindowsTracer = injectWindowsTracer;
 async function installPythonDeps(codeql, logger) {
    logger.startGroup("Setup Python dependencies");
    const scriptsFolder = path.resolve(__dirname, "../python-setup");
-    // Setup tools on the Github hosted runners
+    // Setup tools on the GitHub hosted runners
    if (process.env["ImageOS"] !== undefined) {
        try {
            if (process.platform === "win32") {
--- a/lib/init.js.map
+++ b/lib/init.js.map
@@ -1 +1 @@
-{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,yEAA2D;AAC3D,kEAAoD;AAEpD,gEAAkD;AAElD,qCAA+C;AAC/C,4DAA8C;AAG9C,mDAAwE;AACxE,6CAA+B;AAExB,KAAK,UAAU,UAAU,CAC9B,SAA6B,EAC7B,UAA4B,EAC5B,OAAe,EACf,QAAgB,EAChB,IAAe,EACf,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,oBAAW,CAChD,SAAS,EACT,UAAU,EACV,OAAO,EACP,QAAQ,EACR,IAAI,EACJ,MAAM,CACP,CAAC;IACF,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;AAClC,CAAC;AApBD,gCAoBC;AAEM,KAAK,UAAU,UAAU,CAC9B,cAAkC,EAClC,YAAgC,EAChC,UAA8B,EAC9B,UAAyB,EACzB,OAAe,EACf,YAAoB,EACpB,MAAc,EACd,YAAoB,EACpB,aAAiC,EACjC,UAAoC,EACpC,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CACzC,cAAc,EACd,YAAY,EACZ,UAAU,EACV,UAAU,EACV,OAAO,EACP,YAAY,EACZ,MAAM,EACN,YAAY,EACZ,aAAa,EACb,UAAU,EACV,MAAM,CACP,CAAC;IACF,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA9BD,gCA8BC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B;IAE1B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;IAElC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE9E,sEAAsE;IACtE,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,yBAAyB;QACzB,MAAM,MAAM,CAAC,YAAY,CACvB,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,EACpD,QAAQ,EACR,UAAU,CACX,CAAC;KACH;IAED,OAAO,MAAM,uCAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACvD,CAAC;AAnBD,0BAmBC;AAED,sEAAsE;AACtE,4EAA4E;AAC5E,4EAA4E;AAC5E,6EAA6E;AAC7E,+CAA+C;AACxC,KAAK,UAAU,mBAAmB,CACvC,WAA+B,EAC/B,YAAgC,EAChC,MAA0B,EAC1B,MAAc,EACd,YAA0B;IAE1B,IAAI,MAAc,CAAC;IACnB,IAAI,WAAW,KAAK,SAAS,EAAE;QAC7B,MAAM,GAAG;;;;;;;;;;;;uCAY0B,WAAW;;8BAEpB,WAAW;;;;;;;;gDAQO,CAAC;KAC9C;SAAM;QACL,oEAAoE;QACpE,mFAAmF;QACnF,+EAA+E;QAC/E,kFAAkF;QAClF,6EAA6E;QAC7E,oFAAoF;QACpF,6CAA6C;QAC7C,YAAY,GAAG,YAAY,IAAI,CAAC,CAAC;QACjC,MAAM,GAAG;;;;;;;;4BAQe,YAAY;;;;;;;;;;;;;;;;;;;;;gDAqBQ,CAAC;KAC9C;IAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACxE,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAE3C,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC;QACE,kBAAkB;QAClB,QAAQ;QACR,OAAO;QACP,gBAAgB;QAChB,IAAI,CAAC,OAAO,CACV,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAC9B,OAAO,EACP,OAAO,EACP,YAAY,CACb;KACF,EACD,EAAE,GAAG,EAAE,EAAE,0BAA0B,EAAE,YAAY,CAAC,IAAI,EAAE,EAAE,CAC3D,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AA5FD,kDA4FC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAEjE,2CAA2C;IAC3C,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,SAAS,EAAE;QACxC,IAAI;YACF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;gBAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC,CAAC,CAChD,CAAC,IAAI,EAAE,CAAC;aACV;iBAAM;gBACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAC7C,CAAC,IAAI,EAAE,CAAC;aACV;SACF;QAAC,OAAO,CAAC,EAAE;YACV,mGAAmG;YACnG,uDAAuD;YACvD,MAAM,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,OAAO,CACZ,mLAAmL,CACpL,CAAC;YACF,OAAO;SACR;KACF;IAED,uBAAuB;IACvB,IAAI;QACF,MAAM,MAAM,GAAG,0BAA0B,CAAC;QAC1C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;gBAC/D,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC,EAAE;gBAChE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,OAAO,CACZ,+IAA+I,CAChJ,CAAC;QACF,OAAO;KACR;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAnDD,8CAmDC"}
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,yEAA2D;AAC3D,kEAAoD;AAEpD,gEAAkD;AAElD,qCAA+C;AAC/C,4DAA8C;AAG9C,mDAAwE;AACxE,6CAA+B;AAExB,KAAK,UAAU,UAAU,CAC9B,SAA6B,EAC7B,UAA4B,EAC5B,OAAe,EACf,IAAe,EACf,OAA2B,EAC3B,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,oBAAW,CAChD,SAAS,EACT,UAAU,EACV,OAAO,EACP,IAAI,EACJ,OAAO,EACP,MAAM,CACP,CAAC;IACF,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;AAClC,CAAC;AApBD,gCAoBC;AAEM,KAAK,UAAU,UAAU,CAC9B,cAAkC,EAClC,YAAgC,EAChC,UAA8B,EAC9B,UAAyB,EACzB,OAAe,EACf,YAAoB,EACpB,MAAc,EACd,YAAoB,EACpB,aAAiC,EACjC,UAAoC,EACpC,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CACzC,cAAc,EACd,YAAY,EACZ,UAAU,EACV,UAAU,EACV,OAAO,EACP,YAAY,EACZ,MAAM,EACN,YAAY,EACZ,aAAa,EACb,UAAU,EACV,MAAM,CACP,CAAC;IACF,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA9BD,gCA8BC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B;IAE1B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;IAElC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE9E,sEAAsE;IACtE,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,yBAAyB;QACzB,MAAM,MAAM,CAAC,YAAY,CACvB,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,EACpD,QAAQ,EACR,UAAU,CACX,CAAC;KACH;IAED,OAAO,MAAM,uCAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACvD,CAAC;AAnBD,0BAmBC;AAED,sEAAsE;AACtE,4EAA4E;AAC5E,4EAA4E;AAC5E,6EAA6E;AAC7E,+CAA+C;AACxC,KAAK,UAAU,mBAAmB,CACvC,WAA+B,EAC/B,YAAgC,EAChC,MAA0B,EAC1B,MAAc,EACd,YAA0B;IAE1B,IAAI,MAAc,CAAC;IACnB,IAAI,WAAW,KAAK,SAAS,EAAE;QAC7B,MAAM,GAAG;;;;;;;;;;;;uCAY0B,WAAW;;8BAEpB,WAAW;;;;;;;;gDAQO,CAAC;KAC9C;SAAM;QACL,oEAAoE;QACpE,mFAAmF;QACnF,+EAA+E;QAC/E,kFAAkF;QAClF,6EAA6E;QAC7E,oFAAoF;QACpF,6CAA6C;QAC7C,YAAY,GAAG,YAAY,IAAI,CAAC,CAAC;QACjC,MAAM,GAAG;;;;;;;;4BAQe,YAAY;;;;;;;;;;;;;;;;;;;;;gDAqBQ,CAAC;KAC9C;IAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACxE,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAE3C,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC;QACE,kBAAkB;QAClB,QAAQ;QACR,OAAO;QACP,gBAAgB;QAChB,IAAI,CAAC,OAAO,CACV,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAC9B,OAAO,EACP,OAAO,EACP,YAAY,CACb;KACF,EACD,EAAE,GAAG,EAAE,EAAE,0BAA0B,EAAE,YAAY,CAAC,IAAI,EAAE,EAAE,CAC3D,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AA5FD,kDA4FC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAEjE,2CAA2C;IAC3C,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,SAAS,EAAE;QACxC,IAAI;YACF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;gBAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC,CAAC,CAChD,CAAC,IAAI,EAAE,CAAC;aACV;iBAAM;gBACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAC7C,CAAC,IAAI,EAAE,CAAC;aACV;SACF;QAAC,OAAO,CAAC,EAAE;YACV,mGAAmG;YACnG,uDAAuD;YACvD,MAAM,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,OAAO,CACZ,mLAAmL,CACpL,CAAC;YACF,OAAO;SACR;KACF;IAED,uBAAuB;IACvB,IAAI;QACF,MAAM,MAAM,GAAG,0BAA0B,CAAC;QAC1C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;gBAC/D,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC,EAAE;gBAChE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,OAAO,CACZ,+IAA+I,CAChJ,CAAC;QACF,OAAO;KACR;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAnDD,8CAmDC"}
--- a/lib/runner.js
+++ b/lib/runner.js
@@ -92,14 +92,14 @@ program
    .option("--tools-dir <dir>", "Directory to use for CodeQL tools and other files to store between runs. Default is a subdirectory of the home directory.")
    .option("--checkout-path <path>", "Checkout path. Default is the current working directory.")
    .option("--debug", "Print more verbose output", false)
-    // This prevents a message like: error: unknown option '--trace-process-level'
-    // Remove this if commander.js starts supporting hidden options.
-    .allowUnknownOption()
+    .option("--trace-process-name <string>", "(Advanced, windows-only) Inject a windows tracer of this process into a process with the given process name.")
+    .option("--trace-process-level <number>", "(Advanced, windows-only) Inject a windows tracer of this process into a parent process <number> levels up.")
    .action(async (cmd) => {
    const logger = logging_1.getRunnerLogger(cmd.debug);
    try {
        const tempDir = getTempDir(cmd.tempDir);
        const toolsDir = getToolsDir(cmd.toolsDir);
+        util_1.setupActionsVars(tempDir, toolsDir);
        // Wipe the temp dir
        logger.info(`Cleaning temp directory ${tempDir}`);
        fs.rmdirSync(tempDir, { recursive: true });
@@ -108,18 +108,16 @@ program
        const apiDetails = {
            auth,
            externalRepoAuth: auth,
-            url: util_1.parseGithubUrl(cmd.githubUrl),
+            url: util_1.parseGitHubUrl(cmd.githubUrl),
        };
        const gitHubVersion = await util_1.getGitHubVersion(apiDetails);
-        if (gitHubVersion !== undefined) {
-            util_1.checkGitHubVersionInRange(gitHubVersion, "runner", logger);
-        }
+        util_1.checkGitHubVersionInRange(gitHubVersion, "runner", logger);
        let codeql;
        if (cmd.codeqlPath !== undefined) {
            codeql = codeql_1.getCodeQL(cmd.codeqlPath);
        }
        else {
-            codeql = (await init_1.initCodeQL(undefined, apiDetails, tempDir, toolsDir, "runner", logger)).codeql;
+            codeql = (await init_1.initCodeQL(undefined, apiDetails, tempDir, "runner", gitHubVersion.type, logger)).codeql;
        }
        const config = await init_1.initConfig(cmd.languages, cmd.queries, cmd.configFile, repository_1.parseRepositoryNwo(cmd.repository), tempDir, toolsDir, codeql, cmd.checkoutPath || process.cwd(), gitHubVersion, apiDetails, logger);
        const tracerConfig = await init_1.runInit(codeql, config);
@@ -181,6 +179,7 @@ program
            throw new Error("Config file could not be found at expected location. " +
                "Was the 'init' command run with the same '--temp-dir' argument as this command.");
        }
+        util_1.setupActionsVars(config.tempDir, config.toolCacheDir);
        importTracerEnvironment(config);
        let language = undefined;
        if (cmd.language !== undefined) {
@@ -224,18 +223,18 @@ program
    .action(async (cmd) => {
    const logger = logging_1.getRunnerLogger(cmd.debug);
    try {
-        const tempDir = getTempDir(cmd.tempDir);
-        const outputDir = cmd.outputDir || path.join(tempDir, "codeql-sarif");
        const config = await config_utils_1.getConfig(getTempDir(cmd.tempDir), logger);
        if (config === undefined) {
            throw new Error("Config file could not be found at expected location. " +
                "Was the 'init' command run with the same '--temp-dir' argument as this command.");
        }
+        util_1.setupActionsVars(config.tempDir, config.toolCacheDir);
        const auth = await util_1.getGitHubAuth(logger, cmd.githubAuth, cmd.githubAuthStdin);
        const apiDetails = {
            auth,
-            url: util_1.parseGithubUrl(cmd.githubUrl),
+            url: util_1.parseGitHubUrl(cmd.githubUrl),
        };
+        const outputDir = cmd.outputDir || path.join(config.tempDir, "codeql-sarif");
        await analyze_1.runAnalyze(outputDir, util_1.getMemoryFlag(cmd.ram), util_1.getAddSnippetsFlag(cmd.addSnippets), util_1.getThreadsFlag(cmd.threads, logger), config, logger);
        if (!cmd.upload) {
            logger.info("Not uploading results");
@@ -266,7 +265,7 @@ program
    const auth = await util_1.getGitHubAuth(logger, cmd.githubAuth, cmd.githubAuthStdin);
    const apiDetails = {
        auth,
-        url: util_1.parseGithubUrl(cmd.githubUrl),
+        url: util_1.parseGitHubUrl(cmd.githubUrl),
    };
    try {
        const gitHubVersion = await util_1.getGitHubVersion(apiDetails);
--- a/lib/runner.js.map
+++ b/lib/runner.js.map
--- a/lib/tracer-config.js
+++ b/lib/tracer-config.js
@@ -141,9 +141,9 @@ async function getCombinedTracerConfig(config, codeql) {
    else if (process.platform !== "win32") {
        mainTracerConfig.env["LD_PRELOAD"] = path.join(codeQLDir, "tools", "linux64", "${LIB}trace.so");
    }
-    // On macos it's necessary to prefix the build command with the runner exectuable
+    // On macos it's necessary to prefix the build command with the runner executable
    // on order to trace when System Integrity Protection is enabled.
-    // The exectuable also exists and works for other platforms so we output this env
+    // The executable also exists and works for other platforms so we output this env
    // var with a path to the runner regardless so it's always available.
    const runnerExeName = process.platform === "win32" ? "runner.exe" : "runner";
    mainTracerConfig.env["CODEQL_RUNNER"] = path.join(mainTracerConfig.env["CODEQL_DIST"], "tools", mainTracerConfig.env["CODEQL_PLATFORM"], runnerExeName);
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -44,6 +44,31 @@ function combineSarifFiles(sarifFiles) {
    return JSON.stringify(combinedSarif);
 }
 exports.combineSarifFiles = combineSarifFiles;
+// Populates the run.automationDetails.id field using the analysis_key and environment
+// and return an updated sarif file contents.
+function populateRunAutomationDetails(sarifContents, analysis_key, environment) {
+    if (analysis_key === undefined) {
+        return sarifContents;
+    }
+    let automationID = `${analysis_key}/`;
+    // the id has to be deterministic so we sort the fields
+    if (environment !== undefined && environment !== "null") {
+        const environmentObject = JSON.parse(environment);
+        for (const entry of Object.entries(environmentObject).sort()) {
+            automationID += `${entry[0]}:${entry[1]}/`;
+        }
+    }
+    const sarif = JSON.parse(sarifContents);
+    for (const run of sarif.runs || []) {
+        if (run.automationDetails === undefined) {
+            run.automationDetails = {
+                id: automationID,
+            };
+        }
+    }
+    return JSON.stringify(sarif);
+}
+exports.populateRunAutomationDetails = populateRunAutomationDetails;
 // Upload the given payload.
 // If the request fails then this will retry a small number of times.
 async function uploadPayload(payload, repositoryNwo, apiDetails, mode, logger) {
@@ -117,7 +142,20 @@ function getSarifFilePaths(sarifPath) {
 // Counts the number of results in the given SARIF file
 function countResultsInSarif(sarif) {
    let numResults = 0;
-    for (const run of JSON.parse(sarif).runs) {
+    let parsedSarif;
+    try {
+        parsedSarif = JSON.parse(sarif);
+    }
+    catch (e) {
+        throw new Error(`Invalid SARIF. JSON syntax error: ${e.message}`);
+    }
+    if (!Array.isArray(parsedSarif.runs)) {
+        throw new Error("Invalid SARIF. Missing 'runs' array.");
+    }
+    for (const run of parsedSarif.runs) {
+        if (!Array.isArray(run.results)) {
+            throw new Error("Invalid SARIF. Missing 'results' array in run.");
+        }
        numResults += run.results.length;
    }
    return numResults;
@@ -202,6 +240,7 @@ async function uploadFiles(sarifFiles, repositoryNwo, commitOid, ref, analysisKe
    }
    let sarifPayload = combineSarifFiles(sarifFiles);
    sarifPayload = fingerprints.addFingerprints(sarifPayload, checkoutPath, logger);
+    sarifPayload = populateRunAutomationDetails(sarifPayload, analysisKey, environment);
    const zippedSarif = zlib_1.default.gzipSync(sarifPayload).toString("base64");
    const checkoutURI = file_url_1.default(checkoutPath);
    const toolNames = util.getToolNames(sarifPayload);
--- a/lib/upload-lib.js.map
+++ b/lib/upload-lib.js.map
--- a/lib/upload-lib.test.js
+++ b/lib/upload-lib.test.js
@@ -82,4 +82,24 @@ ava_1.default("finding SARIF files", async (t) => {
        ]);
    });
 });
+ava_1.default("populateRunAutomationDetails", (t) => {
+    let sarif = '{"runs": [{}]}';
+    const analysisKey = ".github/workflows/codeql-analysis.yml:analyze";
+    let expectedSarif = '{"runs":[{"automationDetails":{"id":".github/workflows/codeql-analysis.yml:analyze/language:javascript/os:linux/"}}]}';
+    let modifiedSarif = uploadLib.populateRunAutomationDetails(sarif, analysisKey, '{"language": "javascript", "os": "linux"}');
+    t.deepEqual(modifiedSarif, expectedSarif);
+    // check the environment sorting
+    modifiedSarif = uploadLib.populateRunAutomationDetails(sarif, analysisKey, '{"os": "linux", "language": "javascript"}');
+    t.deepEqual(modifiedSarif, expectedSarif);
+    // check that an empty environment produces the right results
+    expectedSarif =
+        '{"runs":[{"automationDetails":{"id":".github/workflows/codeql-analysis.yml:analyze/"}}]}';
+    modifiedSarif = uploadLib.populateRunAutomationDetails(sarif, analysisKey, "{}");
+    t.deepEqual(modifiedSarif, expectedSarif);
+    // check that an empty environment produces the right results
+    sarif = '{"runs":[{"automationDetails":{"id":"my_id"}}]}';
+    expectedSarif = '{"runs":[{"automationDetails":{"id":"my_id"}}]}';
+    modifiedSarif = uploadLib.populateRunAutomationDetails(sarif, analysisKey, '{"os": "linux", "language": "javascript"}');
+    t.deepEqual(modifiedSarif, expectedSarif);
+});
 //# sourceMappingURL=upload-lib.test.js.map
--- a/lib/upload-lib.test.js.map
+++ b/lib/upload-lib.test.js.map
@@ -1 +1 @@
-{"version":3,"file":"upload-lib.test.js","sourceRoot":"","sources":["../src/upload-lib.test.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,8CAAuB;AAEvB,uCAA4C;AAC5C,mDAA6C;AAC7C,wDAA0C;AAC1C,iCAAkE;AAElE,0BAAU,CAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC5C,MAAM,SAAS,GAAG,GAAG,SAAS,oCAAoC,CAAC;IACnE,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE,CACf,SAAS,CAAC,uBAAuB,CAAC,SAAS,EAAE,yBAAe,CAAC,IAAI,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,mCAAmC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC9C,MAAM,SAAS,GAAG,GAAG,SAAS,sCAAsC,CAAC;IACrE,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE,CACZ,SAAS,CAAC,uBAAuB,CAAC,SAAS,EAAE,yBAAe,CAAC,IAAI,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,2CAA2C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC5D,MAAM,WAAW,GAAoB;QACnC,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE;QAC9B,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE;KAC/C,CAAC;IACF,MAAM,WAAW,GAAoB;QACnC,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE;QAC/C,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE;KAC/C,CAAC;IACF,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAEpD,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,MAAM,CAAC;IAC1C,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE;QACjC,MAAM,OAAO,GAAQ,SAAS,CAAC,YAAY,CACzC,QAAQ,EACR,mBAAmB,EACnB,KAAK,EACL,SAAS,EACT,EAAE,EACF,SAAS,EACT,UAAU,EACV,SAAS,EACT,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACpB,OAAO,EACP,SAAS,CACV,CAAC;QACF,kCAAkC;QAClC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;KAC3B;IAED,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,cAAc,CAAC;IAClD,OAAO,CAAC,GAAG,CACT,mBAAmB,CACpB,GAAG,GAAG,SAAS,oCAAoC,CAAC;IACrD,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE;QACjC,MAAM,OAAO,GAAQ,SAAS,CAAC,YAAY,CACzC,QAAQ,EACR,qBAAqB,EACrB,KAAK,EACL,SAAS,EACT,EAAE,EACF,SAAS,EACT,UAAU,EACV,SAAS,EACT,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACpB,OAAO,EACP,SAAS,CACV,CAAC;QACF,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,mBAAmB,CAAC,CAAC;QACnD,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,0CAA0C,CAAC,CAAC;KAC3E;IAED,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE;QACjC,MAAM,OAAO,GAAQ,SAAS,CAAC,YAAY,CACzC,QAAQ,EACR,qBAAqB,EACrB,KAAK,EACL,SAAS,EACT,EAAE,EACF,SAAS,EACT,UAAU,EACV,SAAS,EACT,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACpB,OAAO,EACP,SAAS,CACV,CAAC;QACF,iDAAiD;QACjD,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;KAC3B;AACH,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,qBAAqB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACtC,MAAM,iBAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAChC,kCAAkC;QAClC,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QACnD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QAEnD,2CAA2C;QAC3C,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;QAEjD,+CAA+C;QAC/C,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QACxC,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QAC3D,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QAChD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QAEnE,4BAA4B;QAC5B,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QACxC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,KAAK,CAAC,CAAC;QACrE,EAAE,CAAC,WAAW,CACZ,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAC3C,MAAM,CACP,CAAC;QAEF,MAAM,UAAU,GAAG,SAAS,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAEzD,CAAC,CAAC,SAAS,CAAC,UAAU,EAAE;YACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC;YACpC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC;SAC7C,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"upload-lib.test.js","sourceRoot":"","sources":["../src/upload-lib.test.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,8CAAuB;AAEvB,uCAA4C;AAC5C,mDAA6C;AAC7C,wDAA0C;AAC1C,iCAAkE;AAElE,0BAAU,CAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC5C,MAAM,SAAS,GAAG,GAAG,SAAS,oCAAoC,CAAC;IACnE,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE,CACf,SAAS,CAAC,uBAAuB,CAAC,SAAS,EAAE,yBAAe,CAAC,IAAI,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,mCAAmC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC9C,MAAM,SAAS,GAAG,GAAG,SAAS,sCAAsC,CAAC;IACrE,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE,CACZ,SAAS,CAAC,uBAAuB,CAAC,SAAS,EAAE,yBAAe,CAAC,IAAI,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,2CAA2C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC5D,MAAM,WAAW,GAAoB;QACnC,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE;QAC9B,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE;KAC/C,CAAC;IACF,MAAM,WAAW,GAAoB;QACnC,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE;QAC/C,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE;KAC/C,CAAC;IACF,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAEpD,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,MAAM,CAAC;IAC1C,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE;QACjC,MAAM,OAAO,GAAQ,SAAS,CAAC,YAAY,CACzC,QAAQ,EACR,mBAAmB,EACnB,KAAK,EACL,SAAS,EACT,EAAE,EACF,SAAS,EACT,UAAU,EACV,SAAS,EACT,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACpB,OAAO,EACP,SAAS,CACV,CAAC;QACF,kCAAkC;QAClC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;KAC3B;IAED,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,cAAc,CAAC;IAClD,OAAO,CAAC,GAAG,CACT,mBAAmB,CACpB,GAAG,GAAG,SAAS,oCAAoC,CAAC;IACrD,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE;QACjC,MAAM,OAAO,GAAQ,SAAS,CAAC,YAAY,CACzC,QAAQ,EACR,qBAAqB,EACrB,KAAK,EACL,SAAS,EACT,EAAE,EACF,SAAS,EACT,UAAU,EACV,SAAS,EACT,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACpB,OAAO,EACP,SAAS,CACV,CAAC;QACF,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,mBAAmB,CAAC,CAAC;QACnD,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,0CAA0C,CAAC,CAAC;KAC3E;IAED,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE;QACjC,MAAM,OAAO,GAAQ,SAAS,CAAC,YAAY,CACzC,QAAQ,EACR,qBAAqB,EACrB,KAAK,EACL,SAAS,EACT,EAAE,EACF,SAAS,EACT,UAAU,EACV,SAAS,EACT,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACpB,OAAO,EACP,SAAS,CACV,CAAC;QACF,iDAAiD;QACjD,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;KAC3B;AACH,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,qBAAqB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACtC,MAAM,iBAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAChC,kCAAkC;QAClC,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QACnD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QAEnD,2CAA2C;QAC3C,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;QAEjD,+CAA+C;QAC/C,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QACxC,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QAC3D,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QAChD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QAEnE,4BAA4B;QAC5B,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QACxC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,KAAK,CAAC,CAAC;QACrE,EAAE,CAAC,WAAW,CACZ,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAC3C,MAAM,CACP,CAAC;QAEF,MAAM,UAAU,GAAG,SAAS,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAEzD,CAAC,CAAC,SAAS,CAAC,UAAU,EAAE;YACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC;YACpC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC;SAC7C,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,8BAA8B,EAAE,CAAC,CAAC,EAAE,EAAE;IACzC,IAAI,KAAK,GAAG,gBAAgB,CAAC;IAC7B,MAAM,WAAW,GAAG,+CAA+C,CAAC;IAEpE,IAAI,aAAa,GACf,uHAAuH,CAAC;IAE1H,IAAI,aAAa,GAAG,SAAS,CAAC,4BAA4B,CACxD,KAAK,EACL,WAAW,EACX,2CAA2C,CAC5C,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;IAE1C,gCAAgC;IAChC,aAAa,GAAG,SAAS,CAAC,4BAA4B,CACpD,KAAK,EACL,WAAW,EACX,2CAA2C,CAC5C,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;IAE1C,6DAA6D;IAC7D,aAAa;QACX,0FAA0F,CAAC;IAC7F,aAAa,GAAG,SAAS,CAAC,4BAA4B,CACpD,KAAK,EACL,WAAW,EACX,IAAI,CACL,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;IAE1C,6DAA6D;IAC7D,KAAK,GAAG,iDAAiD,CAAC;IAC1D,aAAa,GAAG,iDAAiD,CAAC;IAClE,aAAa,GAAG,SAAS,CAAC,4BAA4B,CACpD,KAAK,EACL,WAAW,EACX,2CAA2C,CAC5C,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;AAC5C,CAAC,CAAC,CAAC"}
--- a/lib/util.js
+++ b/lib/util.js
@@ -171,7 +171,7 @@ exports.getCodeQLDatabasePath = getCodeQLDatabasePath;
 * Parses user input of a github.com or GHES URL to a canonical form.
 * Removes any API prefix or suffix if one is present.
 */
-function parseGithubUrl(inputUrl) {
+function parseGitHubUrl(inputUrl) {
    const originalUrl = inputUrl;
    if (inputUrl.indexOf("://") === -1) {
        inputUrl = `https://${inputUrl}`;
@@ -205,7 +205,7 @@ function parseGithubUrl(inputUrl) {
    }
    return url.toString();
 }
-exports.parseGithubUrl = parseGithubUrl;
+exports.parseGitHubUrl = parseGitHubUrl;
 const GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
 const CODEQL_ACTION_WARNED_ABOUT_VERSION_ENV_VAR = "CODEQL_ACTION_WARNED_ABOUT_VERSION";
 let hasBeenWarnedAboutVersion = false;
@@ -217,7 +217,7 @@ var GitHubVariant;
 })(GitHubVariant = exports.GitHubVariant || (exports.GitHubVariant = {}));
 async function getGitHubVersion(apiDetails) {
    // We can avoid making an API request in the standard dotcom case
-    if (parseGithubUrl(apiDetails.url) === exports.GITHUB_DOTCOM_URL) {
+    if (parseGitHubUrl(apiDetails.url) === exports.GITHUB_DOTCOM_URL) {
        return { type: GitHubVariant.DOTCOM };
    }
    // Doesn't strictly have to be the meta endpoint as we're only
@@ -320,4 +320,20 @@ async function getGitHubAuth(logger, githubAuth, fromStdIn, readable = process.s
    throw new Error("No GitHub authentication token was specified. Please provide a token via the GITHUB_TOKEN environment variable, or by adding the `--github-auth-stdin` flag and passing the token via standard input.");
 }
 exports.getGitHubAuth = getGitHubAuth;
+// Sets environment variables that make using some libraries designed for
+// use only on actions safe to use outside of actions.
+//
+// Obviously this is not a tremendously great thing we're doing and it
+// would be better to write our own implementation of libraries to use
+// outside of actions. For now this works well enough.
+//
+// Currently this list of libraries that is deemed to now be safe includes:
+// - @actions/tool-cache
+//
+// Also see "queries/unguarded-action-lib.ql".
+function setupActionsVars(tempDir, toolsDir) {
+    process.env["RUNNER_TEMP"] = tempDir;
+    process.env["RUNNER_TOOL_CACHE"] = toolsDir;
+}
+exports.setupActionsVars = setupActionsVars;
 //# sourceMappingURL=util.js.map
--- a/lib/util.js.map
+++ b/lib/util.js.map
--- a/lib/util.test.js
+++ b/lib/util.test.js
@@ -102,27 +102,27 @@ ava_1.default("getExtraOptionsEnvParam() fails on invalid JSON", (t) => {
    t.throws(util.getExtraOptionsEnvParam);
    process.env.CODEQL_ACTION_EXTRA_OPTIONS = origExtraOptions;
 });
-ava_1.default("parseGithubUrl", (t) => {
-    t.deepEqual(util.parseGithubUrl("github.com"), "https://github.com");
-    t.deepEqual(util.parseGithubUrl("https://github.com"), "https://github.com");
-    t.deepEqual(util.parseGithubUrl("https://api.github.com"), "https://github.com");
-    t.deepEqual(util.parseGithubUrl("https://github.com/foo/bar"), "https://github.com");
-    t.deepEqual(util.parseGithubUrl("github.example.com"), "https://github.example.com/");
-    t.deepEqual(util.parseGithubUrl("https://github.example.com"), "https://github.example.com/");
-    t.deepEqual(util.parseGithubUrl("https://api.github.example.com"), "https://github.example.com/");
-    t.deepEqual(util.parseGithubUrl("https://github.example.com/api/v3"), "https://github.example.com/");
-    t.deepEqual(util.parseGithubUrl("https://github.example.com:1234"), "https://github.example.com:1234/");
-    t.deepEqual(util.parseGithubUrl("https://api.github.example.com:1234"), "https://github.example.com:1234/");
-    t.deepEqual(util.parseGithubUrl("https://github.example.com:1234/api/v3"), "https://github.example.com:1234/");
-    t.deepEqual(util.parseGithubUrl("https://github.example.com/base/path"), "https://github.example.com/base/path/");
-    t.deepEqual(util.parseGithubUrl("https://github.example.com/base/path/api/v3"), "https://github.example.com/base/path/");
-    t.throws(() => util.parseGithubUrl(""), {
+ava_1.default("parseGitHubUrl", (t) => {
+    t.deepEqual(util.parseGitHubUrl("github.com"), "https://github.com");
+    t.deepEqual(util.parseGitHubUrl("https://github.com"), "https://github.com");
+    t.deepEqual(util.parseGitHubUrl("https://api.github.com"), "https://github.com");
+    t.deepEqual(util.parseGitHubUrl("https://github.com/foo/bar"), "https://github.com");
+    t.deepEqual(util.parseGitHubUrl("github.example.com"), "https://github.example.com/");
+    t.deepEqual(util.parseGitHubUrl("https://github.example.com"), "https://github.example.com/");
+    t.deepEqual(util.parseGitHubUrl("https://api.github.example.com"), "https://github.example.com/");
+    t.deepEqual(util.parseGitHubUrl("https://github.example.com/api/v3"), "https://github.example.com/");
+    t.deepEqual(util.parseGitHubUrl("https://github.example.com:1234"), "https://github.example.com:1234/");
+    t.deepEqual(util.parseGitHubUrl("https://api.github.example.com:1234"), "https://github.example.com:1234/");
+    t.deepEqual(util.parseGitHubUrl("https://github.example.com:1234/api/v3"), "https://github.example.com:1234/");
+    t.deepEqual(util.parseGitHubUrl("https://github.example.com/base/path"), "https://github.example.com/base/path/");
+    t.deepEqual(util.parseGitHubUrl("https://github.example.com/base/path/api/v3"), "https://github.example.com/base/path/");
+    t.throws(() => util.parseGitHubUrl(""), {
        message: '"" is not a valid URL',
    });
-    t.throws(() => util.parseGithubUrl("ssh://github.com"), {
+    t.throws(() => util.parseGitHubUrl("ssh://github.com"), {
        message: '"ssh://github.com" is not a http or https URL',
    });
-    t.throws(() => util.parseGithubUrl("http:///::::433"), {
+    t.throws(() => util.parseGitHubUrl("http:///::::433"), {
        message: '"http:///::::433" is not a valid URL',
    });
 });
--- a/node_modules/y18n/CHANGELOG.md
+++ b/node_modules/y18n/CHANGELOG.md
@@ -2,6 +2,13 @@

 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.

+
+### 4.0.1 (2020-11-30)
+
+### Bug Fixes
+
+* address prototype pollution issue ([#108](https://www.github.com/yargs/y18n/issues/108)) ([a9ac604](https://www.github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25))
+
 <a name="4.0.0"></a>
 # [4.0.0](https://github.com/yargs/y18n/compare/v3.2.1...v4.0.0) (2017-10-10)

--- a/node_modules/y18n/index.js
+++ b/node_modules/y18n/index.js
@@ -11,7 +11,7 @@ function Y18N (opts) {
  this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true

  // internal stuff.
-  this.cache = {}
+  this.cache = Object.create(null)
  this.writeQueue = []
 }

--- a/node_modules/y18n/package.json
+++ b/node_modules/y18n/package.json
@@ -1,6 +1,6 @@
 {
  "name": "y18n",
-  "version": "4.0.0",
+  "version": "4.0.1",
  "description": "the bare-bones internationalization library used by yargs",
  "main": "index.js",
  "scripts": {
--- a/package-lock.json
+++ b/package-lock.json
@@ -4506,9 +4506,9 @@
      "dev": true
    },
    "y18n": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz",
-      "integrity": "sha512-r9S/ZyXu/Xu9q1tYlpsLIsa3EeLXXk0VwlxqTcFRfg9EhMW+17kbt9G0NrgCmhGb5vT2hyhJZLfDGx+7+5Uj/w==",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.1.tgz",
+      "integrity": "sha512-wNcy4NvjMYL8gogWWYAO7ZFWFfHcbdbE57tZO8e4cbpj8tfUcwrwqSl3ad8HxpYWCdXcJUCeKKZS62Av1affwQ==",
      "dev": true
    },
    "yargs": {
--- a/queries/unguarded-action-lib.ql
+++ b/queries/unguarded-action-lib.ql
@@ -19,6 +19,21 @@ predicate isSafeActionLib(string lib) {
  lib.matches("@actions/exec/%")
 }

+/**
+ * Matches libraries that are not always safe to use outside of actions
+ * but can be made so by setting certain environment variables.
+ */
+predicate isSafeActionLibWithActionsEnvVars(string lib) {
+    lib = "@actions/tool-cache"
+}
+
+/**
+ * Matches the names of runner commands that set action env vars
+ */
+predicate commandSetsActionsEnvVars(string commandName) {
+    commandName = "init" or commandName = "autobuild" or commandName = "analyze"
+}
+
 /**
 * An import from a library that is meant for GitHub Actions and
 * we do not want to be using outside of actions.
@@ -45,6 +60,32 @@ class RunnerEntrypoint extends Function {
  RunnerEntrypoint() {
    getFile().getAbsolutePath().matches("%/runner.ts")
  }
+
+  /**
+   * Does this runner entry point set the RUNNER_TEMP and
+   * RUNNER_TOOL_CACHE env vars which make some actions libraries
+   * safe to use outside of actions.
+   * See "setupActionsVars" in "util.ts".
+   */
+  predicate setsActionsEnvVars() {
+    // This is matching code of the following format, where "this"
+    // is the function being passed to the "action" method.
+    //
+    // program
+    //   .command("init")
+    //   ...
+    //   .action(async (cmd: InitArgs) => {
+    //     ...
+    //   })
+    exists(MethodCallExpr actionCall,
+        MethodCallExpr commandCall |
+        commandCall.getMethodName() = "command" and
+        commandCall.getReceiver().(VarAccess).getVariable().getName() = "program" and
+        commandSetsActionsEnvVars(commandCall.getArgument(0).(StringLiteral).getValue()) and
+        actionCall.getMethodName() = "action" and
+        actionCall.getReceiver().getAChildExpr*() = commandCall and
+        actionCall.getArgument(0).getAChildExpr*() = this)
+  }
 }

 /**
@@ -114,6 +155,7 @@ Function calledBy(Function f) {
 from VarAccess v, ActionsLibImport actionsLib, RunnerEntrypoint runnerEntry 
 where actionsLib.getAProvidedVariable() = v.getVariable()
  and getAFunctionChildExpr(calledBy*(runnerEntry)) = v
+  and not (isSafeActionLibWithActionsEnvVars(actionsLib.getName()) and runnerEntry.setsActionsEnvVars())
 select v, "$@ is imported from $@ and this code can be called from $@",
  v, v.getName(),
  actionsLib, actionsLib.getName(),
--- a/runner/package-lock.json
+++ b/runner/package-lock.json
@@ -1194,24 +1194,24 @@
      }
    },
    "elliptic": {
-      "version": "6.5.3",
-      "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz",
-      "integrity": "sha512-IMqzv5wNQf+E6aHeIqATs0tOLeOTwj1QKbRcS3jBbYkl5oLAserA8yJTT7/VyHUYG91PRmPyeQDObKLPpeS4dw==",
+      "version": "6.5.4",
+      "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz",
+      "integrity": "sha512-iLhC6ULemrljPZb+QutR5TQGB+pdW6KGD5RSegS+8sorOZT+rdQFbsQFJgvN3eRqNALqJer4oQ16YvJHlU8hzQ==",
      "dev": true,
      "requires": {
-        "bn.js": "^4.4.0",
-        "brorand": "^1.0.1",
+        "bn.js": "^4.11.9",
+        "brorand": "^1.1.0",
        "hash.js": "^1.0.0",
-        "hmac-drbg": "^1.0.0",
-        "inherits": "^2.0.1",
-        "minimalistic-assert": "^1.0.0",
-        "minimalistic-crypto-utils": "^1.0.0"
+        "hmac-drbg": "^1.0.1",
+        "inherits": "^2.0.4",
+        "minimalistic-assert": "^1.0.1",
+        "minimalistic-crypto-utils": "^1.0.1"
      },
      "dependencies": {
        "bn.js": {
-          "version": "4.11.9",
-          "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.11.9.tgz",
-          "integrity": "sha512-E6QoYqCKZfgatHTdHzs1RRKP7ip4vvm+EyRUeE2RF0NblwVvb0p6jSVeNTOFxPn26QXN2o6SMfNxKp6kU8zQaw==",
+          "version": "4.12.0",
+          "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.12.0.tgz",
+          "integrity": "sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA==",
          "dev": true
        }
      }
@@ -4684,9 +4684,9 @@
      "dev": true
    },
    "y18n": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz",
-      "integrity": "sha512-r9S/ZyXu/Xu9q1tYlpsLIsa3EeLXXk0VwlxqTcFRfg9EhMW+17kbt9G0NrgCmhGb5vT2hyhJZLfDGx+7+5Uj/w==",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.1.tgz",
+      "integrity": "sha512-wNcy4NvjMYL8gogWWYAO7ZFWFfHcbdbE57tZO8e4cbpj8tfUcwrwqSl3ad8HxpYWCdXcJUCeKKZS62Av1affwQ==",
      "dev": true
    },
    "yallist": {
--- a/src/actions-util.test.ts
+++ b/src/actions-util.test.ts
@@ -25,20 +25,40 @@ test("getRef() returns merge PR ref if GITHUB_SHA still checked out", async (t)
  process.env["GITHUB_REF"] = expectedRef;
  process.env["GITHUB_SHA"] = currentSha;

-  sinon.stub(actionsutil, "getCommitOid").resolves(currentSha);
+  const callback = sinon.stub(actionsutil, "getCommitOid");
+  callback.withArgs("HEAD").resolves(currentSha);

  const actualRef = await actionsutil.getRef();
  t.deepEqual(actualRef, expectedRef);
+  callback.restore();
 });

-test("getRef() returns head PR ref if GITHUB_SHA not currently checked out", async (t) => {
+test("getRef() returns merge PR ref if GITHUB_REF still checked out but sha has changed (actions checkout@v1)", async (t) => {
+  const expectedRef = "refs/pull/1/merge";
+  process.env["GITHUB_REF"] = expectedRef;
+  process.env["GITHUB_SHA"] = "b".repeat(40);
+  const sha = "a".repeat(40);
+
+  const callback = sinon.stub(actionsutil, "getCommitOid");
+  callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
+  callback.withArgs("HEAD").resolves(sha);
+
+  const actualRef = await actionsutil.getRef();
+  t.deepEqual(actualRef, expectedRef);
+  callback.restore();
+});
+
+test("getRef() returns head PR ref if GITHUB_REF no longer checked out", async (t) => {
  process.env["GITHUB_REF"] = "refs/pull/1/merge";
  process.env["GITHUB_SHA"] = "a".repeat(40);

-  sinon.stub(actionsutil, "getCommitOid").resolves("b".repeat(40));
+  const callback = sinon.stub(actionsutil, "getCommitOid");
+  callback.withArgs("refs/pull/1/merge").resolves("a".repeat(40));
+  callback.withArgs("HEAD").resolves("b".repeat(40));

  const actualRef = await actionsutil.getRef();
  t.deepEqual(actualRef, "refs/pull/1/head");
+  callback.restore();
 });

 test("getAnalysisKey() when a local run", async (t) => {
--- a/src/actions-util.ts
+++ b/src/actions-util.ts
@@ -75,7 +75,7 @@ export function prepareLocalRunEnvironment() {
 /**
 * Gets the SHA of the commit that is currently checked out.
 */
-export const getCommitOid = async function (): Promise<string> {
+export const getCommitOid = async function (ref = "HEAD"): Promise<string> {
  // Try to use git to get the current commit SHA. If that fails then
  // log but otherwise silently fall back to using the SHA from the environment.
  // The only time these two values will differ is during analysis of a PR when
@@ -87,7 +87,7 @@ export const getCommitOid = async function (): Promise<string> {
    let commitOid = "";
    await new toolrunner.ToolRunner(
      await safeWhich.safeWhich("git"),
-      ["rev-parse", "HEAD"],
+      ["rev-parse", ref],
      {
        silent: true,
        listeners: {
@@ -396,7 +396,7 @@ export function getWorkflowRunID(): number {
 }

 /**
- * Get the analysis key paramter for the current job.
+ * Get the analysis key parameter for the current job.
 *
 * This will combine the workflow path and current job name.
 * Computing this the first time requires making requests to
@@ -425,19 +425,35 @@ export async function getRef(): Promise<string> {
  // Will be in the form "refs/heads/master" on a push event
  // or in the form "refs/pull/N/merge" on a pull_request event
  const ref = getRequiredEnvParam("GITHUB_REF");
+  const sha = getRequiredEnvParam("GITHUB_SHA");

  // For pull request refs we want to detect whether the workflow
  // has run `git checkout HEAD^2` to analyze the 'head' ref rather
  // than the 'merge' ref. If so, we want to convert the ref that
  // we report back.
  const pull_ref_regex = /refs\/pull\/(\d+)\/merge/;
-  const checkoutSha = await getCommitOid();
+  if (!pull_ref_regex.test(ref)) {
+    return ref;
+  }

-  if (
-    pull_ref_regex.test(ref) &&
-    checkoutSha !== getRequiredEnvParam("GITHUB_SHA")
-  ) {
-    return ref.replace(pull_ref_regex, "refs/pull/$1/head");
+  const head = await getCommitOid("HEAD");
+
+  // in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA
+  // in actions/checkout@v1 this may not be true as it checks out the repository
+  // using GITHUB_REF. There is a subtle race condition where
+  // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check
+  // git git-parse GITHUB_REF == git rev-parse HEAD instead.
+  const hasChangedRef =
+    sha !== head &&
+    (await getCommitOid(ref.replace(/^refs\/pull\//, "refs/remotes/pull/"))) !==
+      head;
+
+  if (hasChangedRef) {
+    const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
+    core.debug(
+      `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
+    );
+    return newRef;
  } else {
    return ref;
  }
@@ -556,12 +572,22 @@ export async function createStatusReportBase(

 interface HTTPError {
  status: number;
+  message?: string;
 }

 function isHTTPError(arg: any): arg is HTTPError {
  return arg?.status !== undefined && Number.isInteger(arg.status);
 }

+const GENERIC_403_MSG =
+  "The repo on which this action is running is not opted-in to CodeQL code scanning.";
+const GENERIC_404_MSG =
+  "Not authorized to used the CodeQL code scanning feature on this repo.";
+const OUT_OF_DATE_MSG =
+  "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+const INCOMPATIBLE_MSG =
+  "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
+
 /**
 * Send a status report to the code_scanning/analysis/status endpoint.
 *
@@ -598,32 +624,33 @@ export async function sendStatusReport<S extends StatusReportBase>(

    return true;
  } catch (e) {
+    console.log(e);
    if (isHTTPError(e)) {
      switch (e.status) {
        case 403:
-          core.setFailed(
-            "The repo on which this action is running is not opted-in to CodeQL code scanning."
-          );
+          if (workflowIsTriggeredByPushEvent() && isDependabotActor()) {
+            core.setFailed(
+              'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
+                "Uploading Code Scanning results requires write access. " +
+                'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
+                "See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events."
+            );
+          } else {
+            core.setFailed(e.message || GENERIC_403_MSG);
+          }
          return false;
        case 404:
-          core.setFailed(
-            "Not authorized to used the CodeQL code scanning feature on this repo."
-          );
+          core.setFailed(GENERIC_404_MSG);
          return false;
        case 422:
          // schema incompatibility when reporting status
          // this means that this action version is no longer compatible with the API
          // we still want to continue as it is likely the analysis endpoint will work
          if (getRequiredEnvParam("GITHUB_SERVER_URL") !== GITHUB_DOTCOM_URL) {
-            core.debug(
-              "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."
-            );
+            core.debug(INCOMPATIBLE_MSG);
          } else {
-            core.debug(
-              "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."
-            );
+            core.debug(OUT_OF_DATE_MSG);
          }
-
          return true;
      }
    }
@@ -631,12 +658,22 @@ export async function sendStatusReport<S extends StatusReportBase>(
    // something else has gone wrong and the request/response will be logged by octokit
    // it's possible this is a transient error and we should continue scanning
    core.error(
-      "An unexpected error occured when sending code scanning status report."
+      "An unexpected error occurred when sending code scanning status report."
    );
    return true;
  }
 }

+// Was the workflow run triggered by a `push` event, for example as opposed to a `pull_request` event.
+function workflowIsTriggeredByPushEvent() {
+  return process.env["GITHUB_EVENT_NAME"] === "push";
+}
+
+// Is dependabot the actor that triggered the current workflow run.
+function isDependabotActor() {
+  return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
+}
+
 // Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
 // as opposed to running a remote action (i.e. when another repo references us)
 export function isRunningLocalAction(): boolean {
--- a/src/analysis-paths.ts
+++ b/src/analysis-paths.ts
@@ -34,7 +34,7 @@ export function printPathFiltersWarning(
    !config.languages.every(isInterpretedLanguage)
  ) {
    logger.warning(
-      'The "paths"/"paths-ignore" fields of the config only have effect for Javascript and Python'
+      'The "paths"/"paths-ignore" fields of the config only have effect for JavaScript and Python'
    );
  }
 }
--- a/src/api-client.test.ts
+++ b/src/api-client.test.ts
@@ -0,0 +1,94 @@
+import * as githubUtils from "@actions/github/lib/utils";
+import test, { ExecutionContext } from "ava";
+import sinon from "sinon";
+
+import { getApiClient } from "./api-client";
+import { setupTests } from "./testing-utils";
+
+setupTests(test);
+
+let githubStub: sinon.SinonStub;
+
+test.beforeEach(() => {
+  githubStub = sinon.stub(githubUtils, "GitHub");
+});
+
+test("Get the client API", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      externalRepoAuth: "abc",
+      url: "http://hucairz",
+    },
+    undefined,
+    {
+      auth: "token xyz",
+      baseUrl: "http://hucairz/api/v3",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+test("Get the client API external", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      externalRepoAuth: "abc",
+      url: "http://hucairz",
+    },
+    { allowExternal: true },
+    {
+      auth: "token abc",
+      baseUrl: "http://hucairz/api/v3",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+test("Get the client API external not present", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      url: "http://hucairz",
+    },
+    { allowExternal: true },
+    {
+      auth: "token xyz",
+      baseUrl: "http://hucairz/api/v3",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+test("Get the client API with github url", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      url: "https://github.com/some/invalid/url",
+    },
+    undefined,
+    {
+      auth: "token xyz",
+      baseUrl: "https://api.github.com",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+function doTest(
+  t: ExecutionContext<unknown>,
+  clientArgs: any,
+  clientOptions: any,
+  expected: any
+) {
+  getApiClient(clientArgs, clientOptions);
+
+  const firstCallArgs = githubStub.args[0];
+  // log is a function, so we don't need to test for equality of it
+  delete firstCallArgs[0].log;
+  t.deepEqual(firstCallArgs, [expected]);
+}
--- a/src/api-client.ts
+++ b/src/api-client.ts
@@ -25,14 +25,17 @@ export interface GitHubApiExternalRepoDetails {
 }

 export const getApiClient = function (
-  apiDetails: GitHubApiDetails,
-  allowLocalRun = false
+  apiDetails: GitHubApiCombinedDetails,
+  { allowLocalRun = false, allowExternal = false } = {}
 ) {
  if (isLocalRun() && !allowLocalRun) {
    throw new Error("Invalid API call in local run");
  }
+
+  const auth =
+    (allowExternal && apiDetails.externalRepoAuth) || apiDetails.auth;
  return new githubUtils.GitHub(
-    githubUtils.getOctokitOptions(apiDetails.auth, {
+    githubUtils.getOctokitOptions(auth, {
      baseUrl: getApiUrl(apiDetails.url),
      userAgent: "CodeQL Action",
      log: consoleLogLevel({ level: "debug" }),
@@ -63,5 +66,5 @@ export function getActionsApiClient(allowLocalRun = false) {
    url: getRequiredEnvParam("GITHUB_SERVER_URL"),
  };

-  return getApiClient(apiDetails, allowLocalRun);
+  return getApiClient(apiDetails, { allowLocalRun });
 }
--- a/src/codeql.test.ts
+++ b/src/codeql.test.ts
@@ -17,8 +17,15 @@ const sampleApiDetails = {
  url: "https://github.com",
 };

+const sampleGHAEApiDetails = {
+  auth: "token",
+  url: "https://example.githubenterprise.com",
+};
+
 test("download codeql bundle cache", async (t) => {
  await util.withTmpDir(async (tmpDir) => {
+    util.setupActionsVars(tmpDir, tmpDir);
+
    const versions = ["20200601", "20200610"];

    for (let i = 0; i < versions.length; i++) {
@@ -35,8 +42,8 @@ test("download codeql bundle cache", async (t) => {
        `https://example.com/download/codeql-bundle-${version}/codeql-bundle.tar.gz`,
        sampleApiDetails,
        tmpDir,
-        tmpDir,
        "runner",
+        util.GitHubVariant.DOTCOM,
        getRunnerLogger(true)
      );

@@ -51,6 +58,8 @@ test("download codeql bundle cache", async (t) => {

 test("download codeql bundle cache explicitly requested with pinned different version cached", async (t) => {
  await util.withTmpDir(async (tmpDir) => {
+    util.setupActionsVars(tmpDir, tmpDir);
+
    nock("https://example.com")
      .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
      .replyWithFile(
@@ -62,8 +71,8 @@ test("download codeql bundle cache explicitly requested with pinned different ve
      "https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz",
      sampleApiDetails,
      tmpDir,
-      tmpDir,
      "runner",
+      util.GitHubVariant.DOTCOM,
      getRunnerLogger(true)
    );

@@ -80,8 +89,8 @@ test("download codeql bundle cache explicitly requested with pinned different ve
      "https://example.com/download/codeql-bundle-20200610/codeql-bundle.tar.gz",
      sampleApiDetails,
      tmpDir,
-      tmpDir,
      "runner",
+      util.GitHubVariant.DOTCOM,
      getRunnerLogger(true)
    );

@@ -91,6 +100,8 @@ test("download codeql bundle cache explicitly requested with pinned different ve

 test("don't download codeql bundle cache with pinned different version cached", async (t) => {
  await util.withTmpDir(async (tmpDir) => {
+    util.setupActionsVars(tmpDir, tmpDir);
+
    nock("https://example.com")
      .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
      .replyWithFile(
@@ -102,8 +113,8 @@ test("don't download codeql bundle cache with pinned different version cached",
      "https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz",
      sampleApiDetails,
      tmpDir,
-      tmpDir,
      "runner",
+      util.GitHubVariant.DOTCOM,
      getRunnerLogger(true)
    );

@@ -113,8 +124,8 @@ test("don't download codeql bundle cache with pinned different version cached",
      undefined,
      sampleApiDetails,
      tmpDir,
-      tmpDir,
      "runner",
+      util.GitHubVariant.DOTCOM,
      getRunnerLogger(true)
    );

@@ -126,6 +137,8 @@ test("don't download codeql bundle cache with pinned different version cached",

 test("download codeql bundle cache with different version cached (not pinned)", async (t) => {
  await util.withTmpDir(async (tmpDir) => {
+    util.setupActionsVars(tmpDir, tmpDir);
+
    nock("https://example.com")
      .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
      .replyWithFile(
@@ -137,8 +150,8 @@ test("download codeql bundle cache with different version cached (not pinned)",
      "https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz",
      sampleApiDetails,
      tmpDir,
-      tmpDir,
      "runner",
+      util.GitHubVariant.DOTCOM,
      getRunnerLogger(true)
    );

@@ -163,8 +176,8 @@ test("download codeql bundle cache with different version cached (not pinned)",
      undefined,
      sampleApiDetails,
      tmpDir,
-      tmpDir,
      "runner",
+      util.GitHubVariant.DOTCOM,
      getRunnerLogger(true)
    );

@@ -174,8 +187,10 @@ test("download codeql bundle cache with different version cached (not pinned)",
  });
 });

-test('download codeql bundle cache with pinned different version cached if "latests" tools specified', async (t) => {
+test('download codeql bundle cache with pinned different version cached if "latest" tools specified', async (t) => {
  await util.withTmpDir(async (tmpDir) => {
+    util.setupActionsVars(tmpDir, tmpDir);
+
    nock("https://example.com")
      .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
      .replyWithFile(
@@ -187,8 +202,8 @@ test('download codeql bundle cache with pinned different version cached if "late
      "https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz",
      sampleApiDetails,
      tmpDir,
-      tmpDir,
      "runner",
+      util.GitHubVariant.DOTCOM,
      getRunnerLogger(true)
    );

@@ -214,8 +229,8 @@ test('download codeql bundle cache with pinned different version cached if "late
      "latest",
      sampleApiDetails,
      tmpDir,
-      tmpDir,
      "runner",
+      util.GitHubVariant.DOTCOM,
      getRunnerLogger(true)
    );

@@ -225,6 +240,59 @@ test('download codeql bundle cache with pinned different version cached if "late
  });
 });

+test("download codeql bundle from github ae endpoint", async (t) => {
+  await util.withTmpDir(async (tmpDir) => {
+    util.setupActionsVars(tmpDir, tmpDir);
+
+    const bundleAssetID = 10;
+
+    const platform =
+      process.platform === "win32"
+        ? "win64"
+        : process.platform === "linux"
+        ? "linux64"
+        : "osx64";
+    const codeQLBundleName = `codeql-bundle-${platform}.tar.gz`;
+
+    nock("https://example.githubenterprise.com")
+      .get(
+        `/api/v3/enterprise/code-scanning/codeql-bundle/find/${defaults.bundleVersion}`
+      )
+      .reply(200, {
+        assets: { [codeQLBundleName]: bundleAssetID },
+      });
+
+    nock("https://example.githubenterprise.com")
+      .get(
+        `/api/v3/enterprise/code-scanning/codeql-bundle/download/${bundleAssetID}`
+      )
+      .reply(200, {
+        url: `https://example.githubenterprise.com/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`,
+      });
+
+    nock("https://example.githubenterprise.com")
+      .get(
+        `/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`
+      )
+      .replyWithFile(
+        200,
+        path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`)
+      );
+
+    await codeql.setupCodeQL(
+      undefined,
+      sampleGHAEApiDetails,
+      tmpDir,
+      "runner",
+      util.GitHubVariant.GHAE,
+      getRunnerLogger(true)
+    );
+
+    const cachedVersions = toolcache.findAllVersions("CodeQL");
+    t.is(cachedVersions.length, 1);
+  });
+});
+
 test("parse codeql bundle url version", (t) => {
  t.deepEqual(
    codeql.getCodeQLURLVersion(
--- a/src/codeql.ts
+++ b/src/codeql.ts
@@ -137,8 +137,12 @@ function getCodeQLBundleName(): string {
 function getCodeQLActionRepository(mode: util.Mode, logger: Logger): string {
  if (mode !== "actions") {
    return CODEQL_DEFAULT_ACTION_REPOSITORY;
+  } else {
+    return getActionsCodeQLActionRepository(logger);
  }
+}

+function getActionsCodeQLActionRepository(logger: Logger): string {
  if (process.env["GITHUB_ACTION_REPOSITORY"] !== undefined) {
    return process.env["GITHUB_ACTION_REPOSITORY"];
  }
@@ -164,6 +168,7 @@ function getCodeQLActionRepository(mode: util.Mode, logger: Logger): string {
 async function getCodeQLBundleDownloadURL(
  apiDetails: api.GitHubApiDetails,
  mode: util.Mode,
+  variant: util.GitHubVariant,
  logger: Logger
 ): Promise<string> {
  const codeQLActionRepository = getCodeQLActionRepository(mode, logger);
@@ -183,6 +188,39 @@ async function getCodeQLBundleDownloadURL(
    }
  );
  const codeQLBundleName = getCodeQLBundleName();
+  if (variant === util.GitHubVariant.GHAE) {
+    try {
+      const release = await api
+        .getApiClient(apiDetails)
+        .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
+          tag: CODEQL_BUNDLE_VERSION,
+        });
+      const assetID = release.data.assets[codeQLBundleName];
+      if (assetID !== undefined) {
+        const download = await api
+          .getApiClient(apiDetails)
+          .request(
+            "GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}",
+            { asset_id: assetID }
+          );
+        const downloadURL = download.data.url;
+        logger.info(
+          `Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`
+        );
+        return downloadURL;
+      } else {
+        logger.info(
+          `Attempted to fetch bundle from GitHub AE endpoint but the bundle ${codeQLBundleName} was not found in the assets ${JSON.stringify(
+            release.data.assets
+          )}.`
+        );
+      }
+    } catch (e) {
+      logger.info(
+        `Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`
+      );
+    }
+  }
  for (const downloadSource of uniqueDownloadSources) {
    const [apiURL, repository] = downloadSource;
    // If we've reached the final case, short-circuit the API check since we know the bundle exists and is public.
@@ -213,31 +251,6 @@ async function getCodeQLBundleDownloadURL(
      );
    }
  }
-  try {
-    const release = await api
-      .getApiClient(apiDetails)
-      .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
-        tag: CODEQL_BUNDLE_VERSION,
-      });
-    const assetID = release.data.assets[codeQLBundleName];
-    if (assetID !== undefined) {
-      const download = await api
-        .getApiClient(apiDetails)
-        .request(
-          "GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}",
-          { asset_id: assetID }
-        );
-      const downloadURL = download.data.url;
-      logger.info(
-        `Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`
-      );
-      return downloadURL;
-    }
-  } catch (e) {
-    logger.info(
-      `Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`
-    );
-  }
  return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
 }

@@ -268,16 +281,10 @@ export async function setupCodeQL(
  codeqlURL: string | undefined,
  apiDetails: api.GitHubApiDetails,
  tempDir: string,
-  toolsDir: string,
  mode: util.Mode,
+  variant: util.GitHubVariant,
  logger: Logger
 ): Promise<{ codeql: CodeQL; toolsVersion: string }> {
-  // Setting these two env vars makes the toolcache code safe to use outside,
-  // of actions but this is obviously not a great thing we're doing and it would
-  // be better to write our own implementation to use outside of actions.
-  process.env["RUNNER_TEMP"] = tempDir;
-  process.env["RUNNER_TOOL_CACHE"] = toolsDir;
-
  try {
    // We use the special value of 'latest' to prioritize the version in the
    // defaults over any pinned cached version.
@@ -314,7 +321,12 @@ export async function setupCodeQL(
      logger.debug(`CodeQL found in cache ${codeqlFolder}`);
    } else {
      if (!codeqlURL) {
-        codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, mode, logger);
+        codeqlURL = await getCodeQLBundleDownloadURL(
+          apiDetails,
+          mode,
+          variant,
+          logger
+        );
      }

      const parsedCodeQLURL = new URL(codeqlURL);
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@@ -601,7 +601,7 @@ async function getLanguagesInRepo(
 ): Promise<Language[]> {
  logger.debug(`GitHub repo ${repository.owner} ${repository.repo}`);
  const response = await api
-    .getApiClient(apiDetails, true)
+    .getApiClient(apiDetails, { allowLocalRun: true })
    .repos.listLanguages({
      owner: repository.owner,
      repo: repository.repo,
@@ -1013,7 +1013,7 @@ function getLocalConfig(configFile: string, checkoutPath: string): UserConfig {

 async function getRemoteConfig(
  configFile: string,
-  apiDetails: api.GitHubApiDetails
+  apiDetails: api.GitHubApiCombinedDetails
 ): Promise<UserConfig> {
  // retrieve the various parts of the config location, and ensure they're present
  const format = new RegExp(
@@ -1025,12 +1025,14 @@ async function getRemoteConfig(
    throw new Error(getConfigFileRepoFormatInvalidMessage(configFile));
  }

-  const response = await api.getApiClient(apiDetails, true).repos.getContent({
-    owner: pieces.groups.owner,
-    repo: pieces.groups.repo,
-    path: pieces.groups.path,
-    ref: pieces.groups.ref,
-  });
+  const response = await api
+    .getApiClient(apiDetails, { allowLocalRun: true, allowExternal: true })
+    .repos.getContent({
+      owner: pieces.groups.owner,
+      repo: pieces.groups.repo,
+      path: pieces.groups.path,
+      ref: pieces.groups.ref,
+    });

  let fileContents: string;
  if ("content" in response.data && response.data.content !== undefined) {
--- a/src/defaults.json
+++ b/src/defaults.json
@@ -1,3 +1,3 @@
 {
-	"bundleVersion": "codeql-bundle-20210304"
+	"bundleVersion": "codeql-bundle-20210326"
 }
--- a/src/init-action.ts
+++ b/src/init-action.ts
@@ -101,9 +101,7 @@ async function run() {
  };

  const gitHubVersion = await getGitHubVersion(apiDetails);
-  if (gitHubVersion !== undefined) {
-    checkGitHubVersionInRange(gitHubVersion, "actions", logger);
-  }
+  checkGitHubVersionInRange(gitHubVersion, "actions", logger);

  try {
    actionsUtil.prepareLocalRunEnvironment();
@@ -127,8 +125,8 @@ async function run() {
      actionsUtil.getOptionalInput("tools"),
      apiDetails,
      actionsUtil.getTemporaryDirectory(),
-      actionsUtil.getRequiredEnvParam("RUNNER_TOOL_CACHE"),
      "actions",
+      gitHubVersion.type,
      logger
    );
    codeql = initCodeQLResult.codeql;
--- a/src/init.ts
+++ b/src/init.ts
@@ -17,8 +17,8 @@ export async function initCodeQL(
  codeqlURL: string | undefined,
  apiDetails: GitHubApiDetails,
  tempDir: string,
-  toolsDir: string,
  mode: util.Mode,
+  variant: util.GitHubVariant,
  logger: Logger
 ): Promise<{ codeql: CodeQL; toolsVersion: string }> {
  logger.startGroup("Setup CodeQL tools");
@@ -26,8 +26,8 @@ export async function initCodeQL(
    codeqlURL,
    apiDetails,
    tempDir,
-    toolsDir,
    mode,
+    variant,
    logger
  );
  await codeql.printVersion();
@@ -192,7 +192,7 @@ export async function installPythonDeps(codeql: CodeQL, logger: Logger) {

  const scriptsFolder = path.resolve(__dirname, "../python-setup");

-  // Setup tools on the Github hosted runners
+  // Setup tools on the GitHub hosted runners
  if (process.env["ImageOS"] !== undefined) {
    try {
      if (process.platform === "win32") {
--- a/src/runner.ts
+++ b/src/runner.ts
@@ -19,8 +19,9 @@ import {
  getGitHubVersion,
  getMemoryFlag,
  getThreadsFlag,
-  parseGithubUrl,
+  parseGitHubUrl,
  getGitHubAuth,
+  setupActionsVars,
 } from "./util";

 const program = new Command();
@@ -140,15 +141,22 @@ program
    "Checkout path. Default is the current working directory."
  )
  .option("--debug", "Print more verbose output", false)
-  // This prevents a message like: error: unknown option '--trace-process-level'
-  // Remove this if commander.js starts supporting hidden options.
-  .allowUnknownOption()
+  .option(
+    "--trace-process-name <string>",
+    "(Advanced, windows-only) Inject a windows tracer of this process into a process with the given process name."
+  )
+  .option(
+    "--trace-process-level <number>",
+    "(Advanced, windows-only) Inject a windows tracer of this process into a parent process <number> levels up."
+  )
  .action(async (cmd: InitArgs) => {
    const logger = getRunnerLogger(cmd.debug);
    try {
      const tempDir = getTempDir(cmd.tempDir);
      const toolsDir = getToolsDir(cmd.toolsDir);

+      setupActionsVars(tempDir, toolsDir);
+
      // Wipe the temp dir
      logger.info(`Cleaning temp directory ${tempDir}`);
      fs.rmdirSync(tempDir, { recursive: true });
@@ -163,13 +171,11 @@ program
      const apiDetails = {
        auth,
        externalRepoAuth: auth,
-        url: parseGithubUrl(cmd.githubUrl),
+        url: parseGitHubUrl(cmd.githubUrl),
      };

      const gitHubVersion = await getGitHubVersion(apiDetails);
-      if (gitHubVersion !== undefined) {
-        checkGitHubVersionInRange(gitHubVersion, "runner", logger);
-      }
+      checkGitHubVersionInRange(gitHubVersion, "runner", logger);

      let codeql: CodeQL;
      if (cmd.codeqlPath !== undefined) {
@@ -180,8 +186,8 @@ program
            undefined,
            apiDetails,
            tempDir,
-            toolsDir,
            "runner",
+            gitHubVersion.type,
            logger
          )
        ).codeql;
@@ -291,6 +297,7 @@ program
            "Was the 'init' command run with the same '--temp-dir' argument as this command."
        );
      }
+      setupActionsVars(config.tempDir, config.toolCacheDir);
      importTracerEnvironment(config);
      let language: Language | undefined = undefined;
      if (cmd.language !== undefined) {
@@ -381,8 +388,6 @@ program
  .action(async (cmd: AnalyzeArgs) => {
    const logger = getRunnerLogger(cmd.debug);
    try {
-      const tempDir = getTempDir(cmd.tempDir);
-      const outputDir = cmd.outputDir || path.join(tempDir, "codeql-sarif");
      const config = await getConfig(getTempDir(cmd.tempDir), logger);
      if (config === undefined) {
        throw new Error(
@@ -390,6 +395,7 @@ program
            "Was the 'init' command run with the same '--temp-dir' argument as this command."
        );
      }
+      setupActionsVars(config.tempDir, config.toolCacheDir);

      const auth = await getGitHubAuth(
        logger,
@@ -399,9 +405,11 @@ program

      const apiDetails = {
        auth,
-        url: parseGithubUrl(cmd.githubUrl),
+        url: parseGitHubUrl(cmd.githubUrl),
      };

+      const outputDir =
+        cmd.outputDir || path.join(config.tempDir, "codeql-sarif");
      await runAnalyze(
        outputDir,
        getMemoryFlag(cmd.ram),
@@ -483,7 +491,7 @@ program
    );
    const apiDetails = {
      auth,
-      url: parseGithubUrl(cmd.githubUrl),
+      url: parseGitHubUrl(cmd.githubUrl),
    };
    try {
      const gitHubVersion = await getGitHubVersion(apiDetails);
--- a/src/sarif_v2.1.0_schema.json
+++ b/src/sarif_v2.1.0_schema.json
@@ -2339,9 +2339,8 @@
          "description": "The language of the messages emitted into the log file during this run (expressed as an ISO 639-1 two-letter lowercase culture code) and an optional region (expressed as an ISO 3166-1 two-letter uppercase subculture code associated with a country or region). The casing is recommended but not required (in order for this data to conform to RFC5646).",
          "type": "string",
          "default": "en-US",
-          "pattern": "^[a-zA-Z]{2}|^[a-zA-Z]{2}-[a-zA-Z]{2}]?$"
+          "pattern": "^[a-zA-Z]{2}(-[a-zA-Z]{2})?$"
        },
-
        "versionControlProvenance": {
          "description": "Specifies the revision in version control of the artifacts that were scanned.",
          "type": "array",
@@ -3040,7 +3039,7 @@
          "description": "The language of the messages emitted into the log file during this run (expressed as an ISO 639-1 two-letter lowercase language code) and an optional region (expressed as an ISO 3166-1 two-letter uppercase subculture code associated with a country or region). The casing is recommended but not required (in order for this data to conform to RFC5646).",
          "type": "string",
          "default": "en-US",
-          "pattern": "^[a-zA-Z]{2}|^[a-zA-Z]{2}-[a-zA-Z]{2}]?$"
+          "pattern": "^[a-zA-Z]{2}(-[a-zA-Z]{2})?$"
        },

        "contents": {
--- a/src/tracer-config.ts
+++ b/src/tracer-config.ts
@@ -185,9 +185,9 @@ export async function getCombinedTracerConfig(
    );
  }

-  // On macos it's necessary to prefix the build command with the runner exectuable
+  // On macos it's necessary to prefix the build command with the runner executable
  // on order to trace when System Integrity Protection is enabled.
-  // The exectuable also exists and works for other platforms so we output this env
+  // The executable also exists and works for other platforms so we output this env
  // var with a path to the runner regardless so it's always available.
  const runnerExeName = process.platform === "win32" ? "runner.exe" : "runner";
  mainTracerConfig.env["CODEQL_RUNNER"] = path.join(
--- a/src/upload-lib.test.ts
+++ b/src/upload-lib.test.ts
@@ -131,3 +131,46 @@ test("finding SARIF files", async (t) => {
    ]);
  });
 });
+
+test("populateRunAutomationDetails", (t) => {
+  let sarif = '{"runs": [{}]}';
+  const analysisKey = ".github/workflows/codeql-analysis.yml:analyze";
+
+  let expectedSarif =
+    '{"runs":[{"automationDetails":{"id":".github/workflows/codeql-analysis.yml:analyze/language:javascript/os:linux/"}}]}';
+
+  let modifiedSarif = uploadLib.populateRunAutomationDetails(
+    sarif,
+    analysisKey,
+    '{"language": "javascript", "os": "linux"}'
+  );
+  t.deepEqual(modifiedSarif, expectedSarif);
+
+  // check the environment sorting
+  modifiedSarif = uploadLib.populateRunAutomationDetails(
+    sarif,
+    analysisKey,
+    '{"os": "linux", "language": "javascript"}'
+  );
+  t.deepEqual(modifiedSarif, expectedSarif);
+
+  // check that an empty environment produces the right results
+  expectedSarif =
+    '{"runs":[{"automationDetails":{"id":".github/workflows/codeql-analysis.yml:analyze/"}}]}';
+  modifiedSarif = uploadLib.populateRunAutomationDetails(
+    sarif,
+    analysisKey,
+    "{}"
+  );
+  t.deepEqual(modifiedSarif, expectedSarif);
+
+  // check that an empty environment produces the right results
+  sarif = '{"runs":[{"automationDetails":{"id":"my_id"}}]}';
+  expectedSarif = '{"runs":[{"automationDetails":{"id":"my_id"}}]}';
+  modifiedSarif = uploadLib.populateRunAutomationDetails(
+    sarif,
+    analysisKey,
+    '{"os": "linux", "language": "javascript"}'
+  );
+  t.deepEqual(modifiedSarif, expectedSarif);
+});
--- a/src/upload-lib.ts
+++ b/src/upload-lib.ts
@@ -40,6 +40,38 @@ export function combineSarifFiles(sarifFiles: string[]): string {
  return JSON.stringify(combinedSarif);
 }

+// Populates the run.automationDetails.id field using the analysis_key and environment
+// and return an updated sarif file contents.
+export function populateRunAutomationDetails(
+  sarifContents: string,
+  analysis_key: string | undefined,
+  environment: string | undefined
+): string {
+  if (analysis_key === undefined) {
+    return sarifContents;
+  }
+  let automationID = `${analysis_key}/`;
+
+  // the id has to be deterministic so we sort the fields
+  if (environment !== undefined && environment !== "null") {
+    const environmentObject = JSON.parse(environment);
+    for (const entry of Object.entries(environmentObject).sort()) {
+      automationID += `${entry[0]}:${entry[1]}/`;
+    }
+  }
+
+  const sarif = JSON.parse(sarifContents);
+  for (const run of sarif.runs || []) {
+    if (run.automationDetails === undefined) {
+      run.automationDetails = {
+        id: automationID,
+      };
+    }
+  }
+
+  return JSON.stringify(sarif);
+}
+
 // Upload the given payload.
 // If the request fails then this will retry a small number of times.
 async function uploadPayload(
@@ -176,7 +208,20 @@ function getSarifFilePaths(sarifPath: string) {
 // Counts the number of results in the given SARIF file
 export function countResultsInSarif(sarif: string): number {
  let numResults = 0;
-  for (const run of JSON.parse(sarif).runs) {
+  let parsedSarif;
+  try {
+    parsedSarif = JSON.parse(sarif);
+  } catch (e) {
+    throw new Error(`Invalid SARIF. JSON syntax error: ${e.message}`);
+  }
+  if (!Array.isArray(parsedSarif.runs)) {
+    throw new Error("Invalid SARIF. Missing 'runs' array.");
+  }
+
+  for (const run of parsedSarif.runs) {
+    if (!Array.isArray(run.results)) {
+      throw new Error("Invalid SARIF. Missing 'results' array in run.");
+    }
    numResults += run.results.length;
  }
  return numResults;
@@ -308,6 +353,11 @@ async function uploadFiles(
    checkoutPath,
    logger
  );
+  sarifPayload = populateRunAutomationDetails(
+    sarifPayload,
+    analysisKey,
+    environment
+  );

  const zippedSarif = zlib.gzipSync(sarifPayload).toString("base64");
  const checkoutURI = fileUrl(checkoutPath);
--- a/src/util.test.ts
+++ b/src/util.test.ts
@@ -125,62 +125,62 @@ test("getExtraOptionsEnvParam() fails on invalid JSON", (t) => {
  process.env.CODEQL_ACTION_EXTRA_OPTIONS = origExtraOptions;
 });

-test("parseGithubUrl", (t) => {
-  t.deepEqual(util.parseGithubUrl("github.com"), "https://github.com");
-  t.deepEqual(util.parseGithubUrl("https://github.com"), "https://github.com");
+test("parseGitHubUrl", (t) => {
+  t.deepEqual(util.parseGitHubUrl("github.com"), "https://github.com");
+  t.deepEqual(util.parseGitHubUrl("https://github.com"), "https://github.com");
  t.deepEqual(
-    util.parseGithubUrl("https://api.github.com"),
+    util.parseGitHubUrl("https://api.github.com"),
    "https://github.com"
  );
  t.deepEqual(
-    util.parseGithubUrl("https://github.com/foo/bar"),
+    util.parseGitHubUrl("https://github.com/foo/bar"),
    "https://github.com"
  );

  t.deepEqual(
-    util.parseGithubUrl("github.example.com"),
+    util.parseGitHubUrl("github.example.com"),
    "https://github.example.com/"
  );
  t.deepEqual(
-    util.parseGithubUrl("https://github.example.com"),
+    util.parseGitHubUrl("https://github.example.com"),
    "https://github.example.com/"
  );
  t.deepEqual(
-    util.parseGithubUrl("https://api.github.example.com"),
+    util.parseGitHubUrl("https://api.github.example.com"),
    "https://github.example.com/"
  );
  t.deepEqual(
-    util.parseGithubUrl("https://github.example.com/api/v3"),
+    util.parseGitHubUrl("https://github.example.com/api/v3"),
    "https://github.example.com/"
  );
  t.deepEqual(
-    util.parseGithubUrl("https://github.example.com:1234"),
+    util.parseGitHubUrl("https://github.example.com:1234"),
    "https://github.example.com:1234/"
  );
  t.deepEqual(
-    util.parseGithubUrl("https://api.github.example.com:1234"),
+    util.parseGitHubUrl("https://api.github.example.com:1234"),
    "https://github.example.com:1234/"
  );
  t.deepEqual(
-    util.parseGithubUrl("https://github.example.com:1234/api/v3"),
+    util.parseGitHubUrl("https://github.example.com:1234/api/v3"),
    "https://github.example.com:1234/"
  );
  t.deepEqual(
-    util.parseGithubUrl("https://github.example.com/base/path"),
+    util.parseGitHubUrl("https://github.example.com/base/path"),
    "https://github.example.com/base/path/"
  );
  t.deepEqual(
-    util.parseGithubUrl("https://github.example.com/base/path/api/v3"),
+    util.parseGitHubUrl("https://github.example.com/base/path/api/v3"),
    "https://github.example.com/base/path/"
  );

-  t.throws(() => util.parseGithubUrl(""), {
+  t.throws(() => util.parseGitHubUrl(""), {
    message: '"" is not a valid URL',
  });
-  t.throws(() => util.parseGithubUrl("ssh://github.com"), {
+  t.throws(() => util.parseGitHubUrl("ssh://github.com"), {
    message: '"ssh://github.com" is not a http or https URL',
  });
-  t.throws(() => util.parseGithubUrl("http:///::::433"), {
+  t.throws(() => util.parseGitHubUrl("http:///::::433"), {
    message: '"http:///::::433" is not a valid URL',
  });
 });
--- a/src/util.ts
+++ b/src/util.ts
@@ -189,7 +189,7 @@ export function getCodeQLDatabasePath(tempDir: string, language: Language) {
 * Parses user input of a github.com or GHES URL to a canonical form.
 * Removes any API prefix or suffix if one is present.
 */
-export function parseGithubUrl(inputUrl: string): string {
+export function parseGitHubUrl(inputUrl: string): string {
  const originalUrl = inputUrl;
  if (inputUrl.indexOf("://") === -1) {
    inputUrl = `https://${inputUrl}`;
@@ -247,7 +247,7 @@ export async function getGitHubVersion(
  apiDetails: GitHubApiDetails
 ): Promise<GitHubVersion> {
  // We can avoid making an API request in the standard dotcom case
-  if (parseGithubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) {
+  if (parseGitHubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) {
    return { type: GitHubVariant.DOTCOM };
  }

@@ -390,3 +390,19 @@ export async function getGitHubAuth(
    "No GitHub authentication token was specified. Please provide a token via the GITHUB_TOKEN environment variable, or by adding the `--github-auth-stdin` flag and passing the token via standard input."
  );
 }
+
+// Sets environment variables that make using some libraries designed for
+// use only on actions safe to use outside of actions.
+//
+// Obviously this is not a tremendously great thing we're doing and it
+// would be better to write our own implementation of libraries to use
+// outside of actions. For now this works well enough.
+//
+// Currently this list of libraries that is deemed to now be safe includes:
+// - @actions/tool-cache
+//
+// Also see "queries/unguarded-action-lib.ql".
+export function setupActionsVars(tempDir: string, toolsDir: string) {
+  process.env["RUNNER_TEMP"] = tempDir;
+  process.env["RUNNER_TOOL_CACHE"] = toolsDir;
+}
--- a/tests/multi-language-repo/.github/codeql/custom-queries.yml
+++ b/tests/multi-language-repo/.github/codeql/custom-queries.yml
@@ -23,7 +23,7 @@ queries:
    uses: Anthophila/go-querypack@master
  - name: Cpp queries 
    uses: Anthophila/cpp-querypack@second-branch
-  - name: Javascript queries 
+  - name: JavaScript queries 
    uses: Anthophila/javascript-querypack/show_ifs2.ql@master
  - name: Python queries 
    uses: Anthophila/python-querypack/show_ifs2.ql@second-branch 
--- a/tests/multi-language-repo/codeql-qlpacks/javascript-qlpack/show_ifs.ql
+++ b/tests/multi-language-repo/codeql-qlpacks/javascript-qlpack/show_ifs.ql
@@ -1,6 +1,6 @@
 /**
- * @name Show Javascript Ifs
- * @description Show Javascript Ifs
+ * @name Show JavaScript Ifs
+ * @description Show JavaScript Ifs
 * @kind problem
 * @id inrepo-javascript-querypack/show-ifs
 */
Author	SHA1	Message	Date
David Verdeguer	8bd2b3516b	Merge pull request #446 from github/daverlo/runAutomationDetails Add automationdetails id to runs	2021-04-19 11:30:53 +02:00
David Verdeguer	bc14da99c5	Merge branch 'main' into daverlo/runAutomationDetails	2021-04-19 10:47:18 +02:00
David Verdeguer	351d36fd18	Add test for existing automationDetails	2021-04-19 09:04:58 +02:00
Andrew Eisenberg	c87ee1c65a	[Runner] Throw error on unknown option in init command And explicitly document the advanced --trace-process-name and --trace-process-level args.	2021-04-16 12:09:26 -07:00
David Verdeguer	0ece0d074b	Fix populateRunAutomationDetails for null environments	2021-04-16 09:24:34 +02:00
David Verdeguer	de611b2de3	Prevent the automationDetails to be regenerated if it already exists	2021-04-16 07:47:42 +02:00
David Verdeguer	47755f0910	Add automationdetails id to runs	2021-04-15 16:20:49 +02:00
Andrew Eisenberg	6aebd1b98a	Fixes a regex for language and locale recognition See https://github.com/oasis-tcs/sarif-spec/pull/490 See #418 Note that this changes the sarif spec file. Unless this change is actually merged in the sarif spec repo, the version used by the action will be slightly different.	2021-04-14 08:10:56 -07:00
Aditya Sharad	0c2281fb06	Merge pull request #441 from adityasharad/tests/matrix-tools-latest PR checks: Run integration tests against both `tools: null` and `tools: latest`	2021-04-09 16:24:56 -07:00
Aditya Sharad	fcf0863613	Merge branch 'main' into tests/matrix-tools-latest	2021-04-09 16:11:35 -07:00
Andrew Eisenberg	534192fa05	Use externalRepoAuth when getting a remote config This allows users to specify a different token for retrieving the codeql config from a different repository. Fixes https://github.com/github/advanced-security-field/issues/185	2021-04-09 15:00:57 -07:00
Aditya Sharad	64b50fa2a6	Code scanning: Compare the default and latest CodeQL tools bundles Create a prerequisite job that runs the init step twice, with `tools: null` and `tools: latest`. Use the outputs of these steps to compare the two CodeQL versions. Pass the list of distinct tool versions for the analysis job to matrix over. This lets us test the analysis against both versions, while avoiding duplication when they are actually the same version.	2021-04-09 14:51:18 -07:00
Aditya Sharad	51b1d7d81f	PR checks: Compare the default and latest CodeQL tools bundles Create a prerequisite job that runs the init step twice, with `tools: null` and `tools: latest`. Use the outputs of these steps to compare the two CodeQL versions. Pass the list of distinct tool versions for the integration tests to use in their matrix strategy. This avoids redundant test jobs when the default and latest bundles are actually the same version of CodeQL. `~` is accepted by JSON but not by the Actions context language, so we use `null` to indicate the default version.	2021-04-09 13:38:30 -07:00
Aditya Sharad	f9a19da7bf	PR checks: Run integration tests against both `tools: null` and `tools: latest` Always test against both the default and latest CodeQL bundle. This improves test coverage shortly after a CodeQL bundle release, where the latest bundle may not yet be built into the Actions VM image as the default bundle. It also saves a manual step during bundle release testing, since we no longer need to temporarily change the PR checks to `tools: latest`. There is some redundancy when the latest bundle is the same as the default bundle on the VM image, but this can be considered a test for the `tools: latest` configuration.	2021-04-08 13:39:01 -07:00
Aditya Sharad	7f9fb10a74	Merge pull request #437 from github/dependabot/npm_and_yarn/runner/y18n-4.0.1 Bump y18n from 4.0.0 to 4.0.1 in /runner	2021-04-01 14:57:41 -07:00
Aditya Sharad	2f9f143d73	Merge branch 'main' into dependabot/npm_and_yarn/runner/y18n-4.0.1	2021-04-01 14:18:52 -07:00
Aditya Sharad	356d7a0637	Merge pull request #436 from github/dependabot/npm_and_yarn/y18n-4.0.1 Bump y18n from 4.0.0 to 4.0.1	2021-04-01 14:18:21 -07:00
Robert	def266fc62	update node modules	2021-04-01 10:37:02 +01:00
dependabot[bot]	5c715f3945	Bump y18n from 4.0.0 to 4.0.1 in /runner Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/yargs/y18n/releases) - [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md) - [Commits](https://github.com/yargs/y18n/commits) Signed-off-by: dependabot[bot] <support@github.com>	2021-04-01 06:56:53 +00:00
dependabot[bot]	d0b1259bbe	Bump y18n from 4.0.0 to 4.0.1 Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/yargs/y18n/releases) - [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md) - [Commits](https://github.com/yargs/y18n/commits) Signed-off-by: dependabot[bot] <support@github.com>	2021-03-31 22:46:11 +00:00
Aditya Sharad	8f0d3f7541	Merge pull request #435 from github/robertbrignull/dependabot_error Add special error message case for dependabot	2021-03-31 07:47:05 -07:00
Robert	ca27066d09	fix grammar / punctuation	2021-03-31 11:05:30 +01:00
Robert	2f93805cef	check push event	2021-03-30 16:53:02 +01:00
Robert	d4edded3ea	Add special dependabot error message	2021-03-30 14:09:06 +01:00
Henning Makholm	bf8daada40	Merge pull request #433 from github/hmakholm/pr/2.5.0 Update CodeQL bundle to 20210326	2021-03-26 19:16:50 +01:00
Henning Makholm	996a90bf48	Revert "Temporarily use the latest version for testing" This reverts commit `d8216decae`.	2021-03-26 18:06:32 +01:00
Robin Neatherway	d8216decae	Temporarily use the latest version for testing	2021-03-26 15:17:17 +01:00
Henning Makholm	1d93ad95c1	Update CodeQL bundle to 20210326	2021-03-26 15:03:49 +01:00
Simon Engledew	bb012c4070	Merge pull request #432 from github/simon-engledew/fix-ref-check Fix rev-parse errors	2021-03-25 14:02:01 +00:00
Simon Engledew	ba14abbca7	Rewrite the ref to correctly point to refs/remotes Fixes the rev-parse issues caused by https://github.com/github/codeql-action/pull/428	2021-03-25 13:08:55 +00:00
Simon Engledew	972dc3e3f9	Merge pull request #428 from github/simon-engledew/detect-merge Fix race condition with actions/checkout@v1	2021-03-23 06:18:28 +00:00
Simon Engledew	9165099103	Skip doing work if it is not necessary	2021-03-22 15:50:04 +00:00
Simon Engledew	36a9516acc	PR feedback	2021-03-22 15:09:33 +00:00
Simon Engledew	ef92c5ac5f	Count the number of parents of the current commit to check it is still a merge Work around a race condition in actions where sometimes GITHUB_SHA != git rev-parse head	2021-03-22 12:05:00 +00:00
Aditya Sharad	5d467d014b	Merge pull request #427 from github/hmakholm/pr/2.4.6	2021-03-20 15:52:17 -07:00
Henning Makholm	f8e31274f4	Revert "Temporarily use the latest version for testing" This reverts commit `e700075082`.	2021-03-20 01:13:11 +01:00
Robin Neatherway	e700075082	Temporarily use the latest version for testing	2021-03-20 00:35:46 +01:00
Henning Makholm	d2f4021928	Update CodeQL bundle to 20210319	2021-03-20 00:30:46 +01:00
Josh Soref	c4fced7348	Fix spelling errors spelling: executable spelling: github spelling: javascript spelling: latest spelling: occurred spelling: parameter Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>	2021-03-18 09:40:47 -07:00
Andrew Eisenberg	08fae3caba	Display better error message on invalid sarif Specifically, some third party tools do not include a `results` block for runs when there is an error. This change adds a more explicit error message for this situation.	2021-03-18 09:03:42 -07:00
Andrew Eisenberg	ffd96b38fb	Ensure error correct error message on 403 error	2021-03-17 07:55:21 -07:00
Robert	0f834639e4	Merge pull request #423 from github/robertbrignull/toolcache-query-safety Make unguarded-action-lib better at ignoring uses of toolcache	2021-03-16 16:13:33 +00:00
Robert	5004a54ed3	Merge branch 'main' into robertbrignull/toolcache-query-safety	2021-03-16 15:29:47 +00:00
Robert	8373707722	Merge pull request #422 from github/robertbrignull/getActionsCodeQLActionRepository Make control flow cleaer to fix unguarded-action-lib alert	2021-03-16 15:22:37 +00:00
Robert	378f30f95d	call setupActionsVars in the tests too	2021-03-16 13:43:28 +00:00
Robert	d698cb3d2b	Make unguarded-action-lib better at ignoring uses of toolcache	2021-03-16 13:14:17 +00:00
Robert	09024e50d4	make control flow cleaer to fix query alert	2021-03-16 12:07:00 +00:00
Chris Gavin	daff33213e	Merge pull request #417 from github/dependabot/npm_and_yarn/runner/elliptic-6.5.4 Bump elliptic from 6.5.3 to 6.5.4 in /runner	2021-03-16 10:11:36 +00:00
Chris Gavin	4c3c9b0d41	Merge branch 'main' into dependabot/npm_and_yarn/runner/elliptic-6.5.4	2021-03-16 09:52:57 +00:00
dependabot[bot]	4df078eec5	Bump elliptic from 6.5.3 to 6.5.4 in /runner Bumps [elliptic](https://github.com/indutny/elliptic) from 6.5.3 to 6.5.4. - [Release notes](https://github.com/indutny/elliptic/releases) - [Commits](https://github.com/indutny/elliptic/compare/v6.5.3...v6.5.4) Signed-off-by: dependabot[bot] <support@github.com>	2021-03-11 04:41:48 +00:00
Chris Gavin	cfec2bbc35	Merge pull request #409 from github/check-ghae-endpoint-first-only-on-ghae When downloading the CodeQL bundle, only use the GitHub AE endpoint on GitHub AE, and check it first.	2021-03-10 13:03:16 +00:00
Chris Gavin	18f6367c46	Merge branch 'main' into check-ghae-endpoint-first-only-on-ghae	2021-03-10 12:23:15 +00:00
Aditya Sharad	2fcc4eb030	Merge pull request #414 from github/hmakholm/pr/2.4.5 Update CodeQL bundle to 20210308	2021-03-09 10:35:53 -08:00
Henning Makholm	27ed6ac804	Revert "Temporarily use the latest version for testing" This reverts commit `c78d81fa3e`.	2021-03-09 19:03:10 +01:00
Robin Neatherway	c78d81fa3e	Temporarily use the latest version for testing	2021-03-09 18:21:32 +01:00
Henning Makholm	bcca43b391	Update CodeQL bundle to 20210308	2021-03-09 17:43:35 +01:00
Chris Gavin	bb51ece0b4	When downloading the CodeQL bundle, only use the GitHub AE endpoint on GitHub AE, and check it first.	2021-03-07 11:18:54 +00:00
				`@@ -0,0 +1 @@`
				{"version":3,"file":"api-client.test.js","sourceRoot":"","sources":["../src/api-client.test.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,uEAAyD;AACzD,8CAA6C;AAC7C,kDAA0B;AAE1B,6CAA4C;AAC5C,mDAA6C;AAE7C,0BAAU,CAAC,aAAI,CAAC,CAAC;AAEjB,IAAI,UAA2B,CAAC;AAEhC,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,UAAU,GAAG,eAAK,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;AACjD,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,oBAAoB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrC,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,6BAA6B,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC9C,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1D,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,oCAAoC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrD,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,qCAAqC;KAC3C,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,SAAS,MAAM,CACb,CAA4B,EAC5B,UAAe,EACf,aAAkB,EAClB,QAAa;IAEb,yBAAY,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAExC,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACzC,iEAAiE;IACjE,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC5B,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;AACzC,CAAC"}