Merge pull request #1444 from github/henrymercer/reporting-failed-run-improvements

Improve reporting failed runs via SARIF
Merge pull request #1460 from github/adityasharad/actions/code-scanning-schedule
2025-12-08 00:38:30 +08:00 · 2023-01-04 10:43:15 +00:00 · 2023-01-03 14:29:44 -08:00 · 2023-01-03 13:00:12 -08:00 · 2023-01-03 12:59:13 -08:00 · 2022-12-22 18:48:59 +00:00
896 changed files with 24747 additions and 44718 deletions
--- a/.eslintignore
+++ b/.eslintignore
@@ -1,5 +1,4 @@
 **/webpack.config.js
 lib/**
-runner/dist/**
 src/testdata/**
 tests/**
--- a/.github/check-codescanning-config/action.yml
+++ b/.github/check-codescanning-config/action.yml
@@ -42,6 +42,8 @@ runs:
        packs: ${{ inputs.packs }}
        tools: ${{ inputs.tools }}
        db-location: ${{ runner.temp }}/codescanning-config-cli-test
+      env:
+        CODEQL_ACTION_TEST_MODE: 'true'

    - name: Install dependencies
      shell: bash
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,20 +1,17 @@
 version: 2
 updates:
-  - package-ecosystem: "npm"
+  - package-ecosystem: npm
    directory: "/"
    schedule:
-      interval: "weekly"
-      day: "thursday" # Gives us a working day to merge this before our typical release
+      interval: weekly
    labels:
-      - "Update dependencies"
+      - Update dependencies
    ignore:
      - dependency-name: "*"
-        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
-  - package-ecosystem: "npm"
-    directory: "/runner"
+        update-types:
+          - version-update:semver-minor
+          - version-update:semver-patch
+  - package-ecosystem: github-actions
+    directory: "/"
    schedule:
-      interval: "weekly"
-      day: "thursday" # Gives us a working day to merge this before our typical release
-    ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
+      interval: weekly
--- a/.github/prepare-test/action.yml
+++ b/.github/prepare-test/action.yml
@@ -22,17 +22,17 @@ runs:
      run: |
        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
          export LATEST=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
-          echo "::set-output name=tools-url::https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$LATEST/codeql-bundle.tar.gz"
+          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$LATEST/codeql-bundle.tar.gz" >> $GITHUB_OUTPUT
        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
          export VERSION=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
-          echo "::set-output name=tools-url::https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$VERSION-manual/codeql-bundle.tar.gz"
+          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$VERSION-manual/codeql-bundle.tar.gz" >> $GITHUB_OUTPUT
        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
          export VERSION=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
-          echo "::set-output name=tools-url::https://github.com/github/codeql-action/releases/download/codeql-bundle-$VERSION/codeql-bundle.tar.gz"
+          echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$VERSION/codeql-bundle.tar.gz" >> $GITHUB_OUTPUT
        elif [[ ${{ inputs.version }} == "latest" ]]; then
-          echo "::set-output name=tools-url::latest"
+          echo "tools-url=latest" >> $GITHUB_OUTPUT
        elif [[ ${{ inputs.version }} == "cached" ]]; then
-          echo "::set-output name=tools-url::"
+          echo "tools-url=" >> $GITHUB_OUTPUT
        else
          echo "::error Unrecognized version specified!"
        fi
--- a/.github/query-filter-test/action.yml
+++ b/.github/query-filter-test/action.yml
@@ -35,14 +35,14 @@ runs:
        tools: ${{ inputs.tools }}
        db-location: ${{ runner.temp }}/query-filter-test
      env:
-        TEST_MODE: "true"
+        CODEQL_ACTION_TEST_MODE: "true"
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
        upload-database: false
        upload: false
      env:
-        TEST_MODE: "true"
+        CODEQL_ACTION_TEST_MODE: "true"
    - name: Check SARIF
      uses: ./../action/.github/check-sarif
      with:
--- a/.github/setup-swift/action.yml
+++ b/.github/setup-swift/action.yml
@@ -0,0 +1,32 @@
+name: "Set up Swift"
+description: Performs necessary steps to set up appropriate Swift version.
+inputs:
+  codeql-path:
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Get Swift version
+      id: get_swift_version
+      # We don't support Swift on Windows or prior versions of CLI.
+      if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
+      shell: bash
+      env: 
+        CODEQL_PATH: ${{inputs.codeql-path}}
+      run: |
+        if [ $RUNNER_OS = "macOS" ]; then
+          PLATFORM="osx64"
+        else # We do not run this step on Windows.
+          PLATFORM="linux64"
+        fi 
+        SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
+        VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/$PLATFORM/extractor" --version | awk '/version/ { print $3 }')"
+        # Specify 5.7.0, otherwise setup Action will default to latest minor version. 
+        if [ $VERSION = "5.7" ]; then
+          VERSION="5.7.0"
+        fi
+        echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
+    - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
+      if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
+      with:
+        swift-version: "${{steps.get_swift_version.outputs.version}}"
--- a/.github/update-release-branch.py
+++ b/.github/update-release-branch.py
@@ -5,7 +5,7 @@ import json
 import os
 import subprocess

-EMPTY_CHANGELOG = """# CodeQL Action and CodeQL Runner Changelog
+EMPTY_CHANGELOG = """# CodeQL Action Changelog

 ## [UNRELEASED]

@@ -67,7 +67,7 @@ def open_pr(
  body.append('Merging ' + source_branch_short_sha + ' into ' + target_branch)

  body.append('')
-  body.append('Conductor for this PR is @' + conductor)
+  body.append(f'Conductor for this PR is @{conductor}.')

  # List all PRs merged
  if len(pull_requests) > 0:
@@ -75,32 +75,40 @@ def open_pr(
    body.append('Contains the following pull requests:')
    for pr in pull_requests:
      merger = get_merger_of_pr(repo, pr)
-      body.append('- #' + str(pr.number) + ' - ' + pr.title +' (@' + merger + ')')
+      body.append(f'- #{pr.number} (@{merger})')

  # List all commits not part of a PR
  if len(commits_without_pull_requests) > 0:
    body.append('')
    body.append('Contains the following commits not from a pull request:')
    for commit in commits_without_pull_requests:
-      author_description = ' (@' + commit.author.login + ')' if commit.author is not None else ''
-      body.append('- ' + commit.sha + ' - ' + get_truncated_commit_message(commit) + author_description)
+      author_description = f' (@{commit.author.login})' if commit.author is not None else ''
+      body.append(f'- {commit.sha} - {get_truncated_commit_message(commit)}{author_description}')

  body.append('')
-  body.append('Please review the following:')
+  body.append('Please do the following:')
  if len(conflicted_files) > 0:
-    body.append(' - [ ] The `package.json` file contains the correct version.')
-    body.append(' - [ ] You have added commits to this branch that resolve the merge conflicts ' +
+    body.append(' - [ ] Ensure `package.json` file contains the correct version.')
+    body.append(' - [ ] Add commits to this branch to resolve the merge conflicts ' +
      'in the following files:')
    body.extend([f'    - [ ] `{file}`' for file in conflicted_files])
-    body.append(' - [ ] Another maintainer has reviewed the additional commits you added to this ' +
+    body.append(' - [ ] Ensure another maintainer has reviewed the additional commits you added to this ' +
      'branch to resolve the merge conflicts.')
-  body.append(' - [ ] The CHANGELOG displays the correct version and date.')
-  body.append(' - [ ] The CHANGELOG includes all relevant, user-facing changes since the last release.')
-  body.append(' - [ ] There are no unexpected commits being merged into the ' + target_branch + ' branch.')
-  body.append(' - [ ] The docs team is aware of any documentation changes that need to be released.')
+  body.append(' - [ ] Ensure the CHANGELOG displays the correct version and date.')
+  body.append(' - [ ] Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.')
+  body.append(' - [ ] Check that there are not any unexpected commits being merged into the ' + target_branch + ' branch.')
+  body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.')
+
+  if not is_v2_release:
+    body.append(' - [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.')
+    body.append(' - [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.')
+    body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
+
+  body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')
+
  if is_v2_release:
-    body.append(' - [ ] The mergeback PR is merged back into ' + source_branch + ' after this PR is merged.')
-    body.append(' - [ ] The v1 release PR is merged after this PR is merged.')
+    body.append(' - [ ] Merge the mergeback PR that will automatically be created once this PR is merged.')
+    body.append(' - [ ] Merge the v1 release PR that will automatically be created once this PR is merged.')

  title = 'Merge ' + source_branch + ' into ' + target_branch

--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -25,45 +25,41 @@ jobs:
    strategy:
      matrix:
        include:
-        - os: ubuntu-latest
-          version: stable-20210308
+        - os: ubuntu-20.04
+          version: stable-20211005
        - os: macos-latest
-          version: stable-20210308
+          version: stable-20211005
        - os: windows-2019
-          version: stable-20210308
-        - os: ubuntu-latest
-          version: stable-20210319
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
        - os: macos-latest
-          version: stable-20210319
+          version: stable-20220120
        - os: windows-2019
-          version: stable-20210319
+          version: stable-20220120
        - os: ubuntu-latest
-          version: stable-20210809
+          version: stable-20220401
        - os: macos-latest
-          version: stable-20210809
-        - os: windows-2019
-          version: stable-20210809
+          version: stable-20220401
+        - os: windows-latest
+          version: stable-20220401
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
-        - os: windows-2019
+        - os: windows-latest
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
          version: nightly-latest
    name: "Analyze: 'ref' and 'sha' from inputs"
    timeout-minutes: 45
@@ -76,14 +72,17 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        tools: ${{ steps.prepare-test.outputs.tools-url }}
        languages: cpp,csharp,java,javascript,python
        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
          github.sha }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
@@ -92,6 +91,4 @@ jobs:
        ref: refs/heads/main
        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
    env:
-        TEST_MODE: true
-    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__autobuild-action.yml
+++ b/.github/workflows/__autobuild-action.yml
@@ -29,9 +29,7 @@ jobs:
          version: latest
        - os: macos-latest
          version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
          version: latest
    name: autobuild-action
    timeout-minutes: 45
@@ -48,8 +46,6 @@ jobs:
      with:
        languages: csharp
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/autobuild
      env:
      # Explicitly disable the CLR tracer.
@@ -60,8 +56,6 @@ jobs:
        CORECLR_PROFILER: ''
        CORECLR_PROFILER_PATH_64: ''
    - uses: ./../action/analyze
-      env:
-        TEST_MODE: true
    - name: Check database
      shell: bash
      run: |
@@ -71,4 +65,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__export-file-baseline-information.yml
+++ b/.github/workflows/__export-file-baseline-information.yml
@@ -0,0 +1,88 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Export file baseline information
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  export-file-baseline-information:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
+    name: Export file baseline information
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      id: init
+      with:
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        CODEQL_FILE_BASELINE_INFORMATION: true
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+      env:
+        CODEQL_FILE_BASELINE_INFORMATION: true
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v3
+      with:
+        name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+        path: ${{ runner.temp }}/results/javascript.sarif
+        retention-days: 7
+    - name: Check results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        expected_baseline_languages="cpp cs go java js py rb swift"
+
+        for lang in ${expected_baseline_languages}; do
+          rule_name="${lang}/baseline/expected-extracted-files"
+          found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
+            select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
+          if [[ "${found_notification}" != "true" ]]; then
+            echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
+            exit 1
+          else
+            echo "Found notification '${rule_name}'."
+          fi
+        done
+    env:
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true # Remove when Swift is GA.
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__extractor-ram-threads.yml
+++ b/.github/workflows/__extractor-ram-threads.yml
@@ -43,8 +43,6 @@ jobs:
        languages: java
        ram: 230
        threads: 1
-      env:
-        TEST_MODE: true
    - name: Assert Results
      shell: bash
      run: |
@@ -65,4 +63,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -25,45 +25,41 @@ jobs:
    strategy:
      matrix:
        include:
-        - os: ubuntu-latest
-          version: stable-20210308
+        - os: ubuntu-20.04
+          version: stable-20211005
        - os: macos-latest
-          version: stable-20210308
+          version: stable-20211005
        - os: windows-2019
-          version: stable-20210308
-        - os: ubuntu-latest
-          version: stable-20210319
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
        - os: macos-latest
-          version: stable-20210319
+          version: stable-20220120
        - os: windows-2019
-          version: stable-20210319
+          version: stable-20220120
        - os: ubuntu-latest
-          version: stable-20210809
+          version: stable-20220401
        - os: macos-latest
-          version: stable-20210809
-        - os: windows-2019
-          version: stable-20210809
+          version: stable-20220401
+        - os: windows-latest
+          version: stable-20220401
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
-        - os: windows-2019
+        - os: windows-latest
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
          version: nightly-latest
    name: 'Go: Custom queries'
    timeout-minutes: 45
@@ -76,7 +72,9 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
-    - uses: actions/setup-go@v3
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
@@ -84,13 +82,10 @@ jobs:
        languages: go
        config-file: ./.github/codeql/custom-queries.yml
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
    env:
-        TEST_MODE: true
-    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/go-tracing-autobuilder.yml
+++ b/.github/workflows/go-tracing-autobuilder.yml
@@ -3,7 +3,7 @@
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

-name: 'PR Check - Go: Custom tracing'
+name: 'PR Check - Go: tracing with autobuilder step'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
@@ -21,51 +21,35 @@ on:
    - ready_for_review
  workflow_dispatch: {}
 jobs:
-  go-custom-tracing:
+  go-tracing-autobuilder:
    strategy:
      matrix:
        include:
-        - os: ubuntu-latest
-          version: stable-20210308
+        - os: ubuntu-20.04
+          version: stable-20211005
        - os: macos-latest
-          version: stable-20210308
-        - os: windows-2019
-          version: stable-20210308
-        - os: ubuntu-latest
-          version: stable-20210319
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
        - os: macos-latest
-          version: stable-20210319
-        - os: windows-2019
-          version: stable-20210319
+          version: stable-20220120
        - os: ubuntu-latest
-          version: stable-20210809
+          version: stable-20220401
        - os: macos-latest
-          version: stable-20210809
-        - os: windows-2019
-          version: stable-20210809
+          version: stable-20220401
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
-        - os: windows-2019
-          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
-          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
-          version: nightly-latest
-    name: 'Go: Custom tracing'
+    name: 'Go: tracing with autobuilder step'
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -76,21 +60,29 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
-    - uses: actions/setup-go@v3
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        languages: go
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
-    - name: Build code
-      shell: bash
-      run: go build main.go
+    - uses: ./../action/autobuild
    - uses: ./../action/analyze
+    - shell: bash
+      run: |
+        if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
+          echo "Expected the Go autobuilder to be run, but the" \
+            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
+          exit 1
+        fi
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
    env:
-        TEST_MODE: true
-    env:
-      CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__go-tracing-custom-build-steps.yml
+++ b/.github/workflows/__go-tracing-custom-build-steps.yml
@@ -0,0 +1,92 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: 'PR Check - Go: tracing with custom build steps'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  go-tracing-custom-build-steps:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: macos-latest
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: stable-20220401
+        - os: macos-latest
+          version: stable-20220401
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+    name: 'Go: tracing with custom build steps'
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: go build main.go
+    - uses: ./../action/analyze
+    - shell: bash
+      run: |
+        # Once we start running Bash 4.2 in all environments, we can replace the
+        # `! -z` flag with the more elegant `-v` which confirms that the variable
+        # is actually unset and not potentially set to a blank value.
+        if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
+          echo "Expected the Go autobuilder not to be run, but the" \
+            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
+          exit 1
+        fi
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/go-custom-tracing-autobuild.yml
+++ b/.github/workflows/go-custom-tracing-autobuild.yml
@@ -3,7 +3,7 @@
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

-name: 'PR Check - Go: Autobuild custom tracing'
+name: 'PR Check - Go: tracing with legacy workflow'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
@@ -21,22 +21,22 @@ on:
    - ready_for_review
  workflow_dispatch: {}
 jobs:
-  go-custom-tracing-autobuild:
+  go-tracing-legacy-workflow:
    strategy:
      matrix:
        include:
-        - os: ubuntu-latest
-          version: stable-20210308
+        - os: ubuntu-20.04
+          version: stable-20211005
        - os: macos-latest
-          version: stable-20210308
-        - os: ubuntu-latest
-          version: stable-20210319
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
        - os: macos-latest
-          version: stable-20210319
+          version: stable-20220120
        - os: ubuntu-latest
-          version: stable-20210809
+          version: stable-20220401
        - os: macos-latest
-          version: stable-20210809
+          version: stable-20220401
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
@@ -49,7 +49,7 @@ jobs:
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
-    name: 'Go: Autobuild custom tracing'
+    name: 'Go: tracing with legacy workflow'
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -60,19 +60,16 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
-    - uses: actions/setup-go@v3
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        languages: go
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
-    - uses: ./../action/autobuild
    - uses: ./../action/analyze
-      env:
-        TEST_MODE: true
    - shell: bash
      run: |
        cd "$RUNNER_TEMP/codeql_databases"
@@ -81,6 +78,5 @@ jobs:
          exit 1
        fi
    env:
-      CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__init-with-registries.yml
+++ b/.github/workflows/__init-with-registries.yml
@@ -0,0 +1,79 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: 'PR Check - Packaging: Download using registries'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  init-with-registries:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
+    name: 'Packaging: Download using registries'
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Init with registries
+      uses: ./../action/init
+      with:
+        db-location: ${{ runner.temp }}/customDbLocation
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        config-file: ./.github/codeql/codeql-config-registries.yml
+        languages: javascript
+        registries: |
+          - url: "https://ghcr.io/v2/"
+            packages: "*/*"
+            token: "${{ secrets.GITHUB_TOKEN }}"
+
+    - name: Verify packages installed
+      shell: bash
+      run: |
+        PRIVATE_PACK="$HOME/.codeql/packages/dsp-testing/private-pack"
+        CODEQL_PACK1="$HOME/.codeql/packages/dsp-testing/codeql-pack1"
+
+        if [[ -d $PRIVATE_PACK ]]
+        then
+            echo "$PRIVATE_PACK was installed."
+        else
+            echo "::error $PRIVATE_PACK pack was not installed."
+            exit 1
+        fi
+
+        if [[ -d $CODEQL_PACK1 ]]
+        then
+            echo "$CODEQL_PACK1 was installed."
+        else
+            echo "::error $CODEQL_PACK1 pack was not installed."
+            exit 1
+        fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__javascript-source-root.yml
+++ b/.github/workflows/__javascript-source-root.yml
@@ -52,8 +52,6 @@ jobs:
        languages: javascript
        source-root: ../new-source-root
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/analyze
      with:
        skip-queries: true
@@ -67,4 +65,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__ml-powered-queries.yml
+++ b/.github/workflows/__ml-powered-queries.yml
@@ -25,11 +25,11 @@ jobs:
    strategy:
      matrix:
        include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
          version: stable-20220120
        - os: macos-latest
          version: stable-20220120
-        - os: windows-latest
+        - os: windows-2019
          version: stable-20220120
        - os: ubuntu-latest
          version: cached
@@ -60,21 +60,22 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        languages: javascript
        queries: security-extended
        source-root: ./../action/tests/ml-powered-queries-repo
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true

    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
        upload-database: false
-      env:
-        TEST_MODE: true

    - name: Upload SARIF
      uses: actions/upload-artifact@v3
@@ -85,24 +86,18 @@ jobs:

    - name: Check sarif
      uses: ./../action/.github/check-sarif
-      if: matrix.os != 'windows-latest' || matrix.version == 'latest' || matrix.version
-        == 'nightly-latest'
+    # Running on Windows requires CodeQL CLI 2.9.0+.
+      if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')"
      with:
        sarif-file: ${{ runner.temp }}/results/javascript.sarif
        queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
        queries-not-run: foo,bar

    - name: Check results
-    # Running ML-powered queries on Windows requires CodeQL CLI 2.9.0+. We don't run these checks
-    # against Windows and `cached` while CodeQL CLI 2.9.0 makes its way into `cached` to avoid the
-    # test starting to fail when the cached CodeQL Bundle gets updated. Once the CodeQL Bundle
-    # containing CodeQL CLI 2.9.0 has been fully released, we can drop this line and start running
-    # these checks on Windows and `cached`.
-      if: matrix.os != 'windows-latest' || matrix.version != 'cached'
      env:
-      # Running on Windows requires CodeQL CLI 2.9.0+, which has so far only made it to 'latest'.
-        SHOULD_RUN_ML_POWERED_QUERIES: ${{ matrix.os != 'windows-latest' || matrix.version
-          == 'latest' || matrix.version == 'nightly-latest' }}
+      # Running on Windows requires CodeQL CLI 2.9.0+.
+        SHOULD_RUN_ML_POWERED_QUERIES: ${{ !(matrix.version == 'stable-20220120' &&
+          runner.os == 'Windows') }}
      shell: bash
      run: |
        echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
@@ -137,4 +132,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -25,18 +25,18 @@ jobs:
    strategy:
      matrix:
        include:
-        - os: ubuntu-latest
-          version: stable-20210308
+        - os: ubuntu-20.04
+          version: stable-20211005
        - os: macos-latest
-          version: stable-20210308
-        - os: ubuntu-latest
-          version: stable-20210319
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
        - os: macos-latest
-          version: stable-20210319
+          version: stable-20220120
        - os: ubuntu-latest
-          version: stable-20210809
+          version: stable-20220401
        - os: macos-latest
-          version: stable-20210809
+          version: stable-20220401
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
@@ -60,20 +60,30 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: ./../action/init
+      id: init
      with:
        db-location: ${{ runner.temp }}/customDbLocation
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
+
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+
    - name: Build code
      shell: bash
      run: ./build.sh
+
    - uses: ./../action/analyze
      id: analysis
-      env:
-        TEST_MODE: true
-    - shell: bash
+
+    - name: Check language autodetect for all languages excluding Ruby, Swift
+      shell: bash
      run: |
        CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
        if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -105,5 +115,28 @@ jobs:
          echo "Did not create a database for Python, or created it in the wrong location."
          exit 1
        fi
+
+    - name: Check language autodetect for Ruby
+      if: (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version
+        == 'nightly-latest')
+      shell: bash
+      run: |
+        RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
+        if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Ruby, or created it in the wrong location."
+          exit 1
+        fi
+
+    - name: Check language autodetect for Swift
+      if: (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version
+        == 'nightly-latest')
+      shell: bash
+      run: |
+        SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
+        if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Swift, or created it in the wrong location."
+          exit 1
+        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -29,23 +29,19 @@ jobs:
          version: latest
        - os: macos-latest
          version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
          version: latest
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
-        - os: windows-2019
+        - os: windows-latest
          version: cached
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
          version: nightly-latest
    name: 'Packaging: Config and input passed to the CLI'
    timeout-minutes: 45
@@ -64,16 +60,12 @@ jobs:
        packs: +dsp-testing/codeql-pack1@1.0.0
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
-      env:
-        TEST_MODE: true

    - name: Check results
      uses: ./../action/.github/check-sarif
@@ -99,4 +91,4 @@ jobs:
    env:
      CODEQL_PASS_CONFIG_TO_CLI: true

-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -29,23 +29,19 @@ jobs:
          version: latest
        - os: macos-latest
          version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
          version: latest
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
-        - os: windows-2019
+        - os: windows-latest
          version: cached
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
          version: nightly-latest
    name: 'Packaging: Config and input'
    timeout-minutes: 45
@@ -64,16 +60,12 @@ jobs:
        packs: +dsp-testing/codeql-pack1@1.0.0
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
-      env:
-        TEST_MODE: true

    - name: Check results
      uses: ./../action/.github/check-sarif
@@ -97,4 +89,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -29,23 +29,19 @@ jobs:
          version: latest
        - os: macos-latest
          version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
          version: latest
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
-        - os: windows-2019
+        - os: windows-latest
          version: cached
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
          version: nightly-latest
    name: 'Packaging: Config file'
    timeout-minutes: 45
@@ -63,16 +59,12 @@ jobs:
        config-file: .github/codeql/codeql-config-packaging.yml
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
-      env:
-        TEST_MODE: true

    - name: Check results
      uses: ./../action/.github/check-sarif
@@ -96,4 +88,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -29,23 +29,19 @@ jobs:
          version: latest
        - os: macos-latest
          version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
          version: latest
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
-        - os: windows-2019
+        - os: windows-latest
          version: cached
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
          version: nightly-latest
    name: 'Packaging: Action input'
    timeout-minutes: 45
@@ -64,16 +60,12 @@ jobs:
        languages: javascript
        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
-      env:
-        TEST_MODE: true

    - name: Check results
      uses: ./../action/.github/check-sarif
@@ -97,4 +89,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -25,45 +25,41 @@ jobs:
    strategy:
      matrix:
        include:
-        - os: ubuntu-latest
-          version: stable-20210308
+        - os: ubuntu-20.04
+          version: stable-20211005
        - os: macos-latest
-          version: stable-20210308
+          version: stable-20211005
        - os: windows-2019
-          version: stable-20210308
-        - os: ubuntu-latest
-          version: stable-20210319
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
        - os: macos-latest
-          version: stable-20210319
+          version: stable-20220120
        - os: windows-2019
-          version: stable-20210319
+          version: stable-20220120
        - os: ubuntu-latest
-          version: stable-20210809
+          version: stable-20220401
        - os: macos-latest
-          version: stable-20210809
-        - os: windows-2019
-          version: stable-20210809
+          version: stable-20220401
+        - os: windows-latest
+          version: stable-20220401
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
-        - os: windows-2019
+        - os: windows-latest
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
          version: nightly-latest
    name: Remote config file
    timeout-minutes: 45
@@ -76,19 +72,20 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        tools: ${{ steps.prepare-test.outputs.tools-url }}
        languages: cpp,csharp,java,javascript,python
        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
          github.sha }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
    env:
-        TEST_MODE: true
-    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -25,18 +25,8 @@ jobs:
    strategy:
      matrix:
        include:
-        - os: ubuntu-latest
-          version: stable-20210308
-        - os: ubuntu-latest
-          version: stable-20210319
-        - os: ubuntu-latest
-          version: stable-20210809
        - os: ubuntu-latest
          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
    name: RuboCop multi-language
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
@@ -69,6 +59,4 @@ jobs:
      with:
        sarif_file: rubocop.sarif
    env:
-        TEST_MODE: true
-    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/test-ruby.yml
+++ b/.github/workflows/test-ruby.yml
@@ -21,7 +21,7 @@ on:
    - ready_for_review
  workflow_dispatch: {}
 jobs:
-  test-ruby:
+  ruby:
    strategy:
      matrix:
        include:
@@ -52,12 +52,8 @@ jobs:
      with:
        languages: ruby
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/analyze
      id: analysis
-      env:
-        TEST_MODE: true
    - name: Check database
      shell: bash
      run: |
@@ -67,5 +63,4 @@ jobs:
          exit 1
        fi
    env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES: 'true'
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -54,8 +54,6 @@ jobs:
        packs: +dsp-testing/codeql-pack1@1.0.0
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
@@ -63,8 +61,6 @@ jobs:
      with:
        skip-queries: true
        output: ${{ runner.temp }}/results
-      env:
-        TEST_MODE: true

    - name: Assert No Results
      shell: bash
@@ -77,8 +73,6 @@ jobs:
      with:
        output: ${{ runner.temp }}/results
        upload-database: false
-      env:
-        TEST_MODE: true
    - name: Assert Results
      shell: bash
      run: |
@@ -94,4 +88,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__submit-sarif-failure.yml
+++ b/.github/workflows/__submit-sarif-failure.yml
@@ -0,0 +1,72 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Submit SARIF after failure
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  submit-sarif-failure:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+    name: Submit SARIF after failure
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: actions/checkout@v3
+    - uses: ./init
+      with:
+        languages: javascript
+    - name: Fail
+    # We want this job to pass if the Action correctly uploads the SARIF file for
+    # the failed run.
+    # Setting this step to continue on error means that it is marked as completing
+    # successfully, so will not fail the job.
+      continue-on-error: true
+      run: exit 1
+    - uses: ./analyze
+    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
+    # above, we manually disable it with an `if` condition.
+      if: false
+      with:
+        category: /test-codeql-version:${{ matrix.version }}
+    env:
+  # Internal-only environment variable used to indicate that the post-init Action
+  # should expect to upload a SARIF file for the failed run.
+      CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
+  # Make sure the uploading SARIF files feature is enabled.
+      CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
+  # Upload the failed SARIF file as an integration test of the API endpoint.
+      CODEQL_ACTION_TEST_MODE: false
+  # Mark telemetry for this workflow so it can be treated separately.
+      CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
+
--- a/.github/workflows/__swift-autobuild.yml
+++ b/.github/workflows/__swift-autobuild.yml
@@ -0,0 +1,69 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Swift analysis using autobuild
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  swift-autobuild:
+    strategy:
+      matrix:
+        include:
+        - os: macos-latest
+          version: latest
+        - os: macos-latest
+          version: cached
+        - os: macos-latest
+          version: nightly-latest
+    name: Swift analysis using autobuild
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      id: init
+      with:
+        languages: swift
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+    - name: Check working directory
+      shell: bash
+      run: pwd
+    - uses: ./../action/autobuild
+    - uses: ./../action/analyze
+      id: analysis
+    - name: Check database
+      shell: bash
+      run: |
+        SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
+        if [[ ! -d "$SWIFT_DB" ]]; then
+          echo "Did not create a database for Swift."
+          exit 1
+        fi
+    env:
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__swift-custom-build.yml
+++ b/.github/workflows/__swift-custom-build.yml
@@ -0,0 +1,78 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Swift analysis using a custom build command
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  swift-custom-build:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+    name: Swift analysis using a custom build command
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      id: init
+      with:
+        languages: swift
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+    - name: Check working directory
+      shell: bash
+      run: pwd
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      id: analysis
+    - name: Check database
+      shell: bash
+      run: |
+        SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
+        if [[ ! -d "$SWIFT_DB" ]]; then
+          echo "Did not create a database for Swift."
+          exit 1
+        fi
+    env:
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
+      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__test-autobuild-working-dir.yml
+++ b/.github/workflows/__test-autobuild-working-dir.yml
@@ -49,14 +49,10 @@ jobs:
      with:
        languages: java
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/autobuild
      with:
        working-directory: autobuild-dir
    - uses: ./../action/analyze
-      env:
-        TEST_MODE: true
    - name: Check database
      shell: bash
      run: |
@@ -66,4 +62,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__test-local-codeql.yml
+++ b/.github/workflows/__test-local-codeql.yml
@@ -47,13 +47,9 @@ jobs:
    - uses: ./../action/init
      with:
        tools: ./codeql-bundle.tar.gz
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
    env:
-        TEST_MODE: true
-    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__test-proxy.yml
+++ b/.github/workflows/__test-proxy.yml
@@ -42,19 +42,15 @@ jobs:
      with:
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/analyze
-      env:
-        TEST_MODE: true
    env:
      https_proxy: http://squid-proxy:3128
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
    container:
-      image: ubuntu:18.04
+      image: ubuntu:22.04
      options: --dns 127.0.0.1
    services:
      squid-proxy:
-        image: datadog/squid:latest
+        image: ubuntu/squid:latest
        ports:
        - 3128:3128
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -25,12 +25,12 @@ jobs:
    strategy:
      matrix:
        include:
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
        - os: ubuntu-latest
-          version: stable-20210308
-        - os: ubuntu-latest
-          version: stable-20210319
-        - os: ubuntu-latest
-          version: stable-20210809
+          version: stable-20220401
        - os: ubuntu-latest
          version: cached
        - os: ubuntu-latest
@@ -48,50 +48,57 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        db-location: ${{ runner.temp }}/customDbLocation
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
    - uses: ./../action/analyze
      id: analysis
-      env:
-        TEST_MODE: true
    - shell: bash
      run: |
-        CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
-        if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for CPP, or created it in the wrong location."
+        CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
+        if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
+          echo "::error::Did not create a database for CPP, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/cpp' but actual was '${CPP_DB}'"
          exit 1
        fi
-        CSHARP_DB=${{ fromJson(steps.analysis.outputs.db-locations).csharp }}
-        if [[ ! -d $CSHARP_DB ]] || [[ ! $CSHARP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for C Sharp, or created it in the wrong location."
+        CSHARP_DB="${{ fromJson(steps.analysis.outputs.db-locations).csharp }}"
+        if [[ ! -d "$CSHARP_DB" ]] || [[ ! "$CSHARP_DB" == "${RUNNER_TEMP}/customDbLocation/csharp" ]]; then
+          echo "::error::Did not create a database for C Sharp, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/csharp' but actual was '${CSHARP_DB}'"
          exit 1
        fi
-        GO_DB=${{ fromJson(steps.analysis.outputs.db-locations).go }}
-        if [[ ! -d $GO_DB ]] || [[ ! $GO_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for Go, or created it in the wrong location."
+        GO_DB="${{ fromJson(steps.analysis.outputs.db-locations).go }}"
+        if [[ ! -d "$GO_DB" ]] || [[ ! "$GO_DB" == "${RUNNER_TEMP}/customDbLocation/go" ]]; then
+          echo "::error::Did not create a database for Go, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/go' but actual was '${GO_DB}'"
          exit 1
        fi
-        JAVA_DB=${{ fromJson(steps.analysis.outputs.db-locations).java }}
-        if [[ ! -d $JAVA_DB ]] || [[ ! $JAVA_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for Java, or created it in the wrong location."
+        JAVA_DB="${{ fromJson(steps.analysis.outputs.db-locations).java }}"
+        if [[ ! -d "$JAVA_DB" ]] || [[ ! "$JAVA_DB" == "${RUNNER_TEMP}/customDbLocation/java" ]]; then
+          echo "::error::Did not create a database for Java, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/java' but actual was '${JAVA_DB}'"
          exit 1
        fi
-        JAVASCRIPT_DB=${{ fromJson(steps.analysis.outputs.db-locations).javascript }}
-        if [[ ! -d $JAVASCRIPT_DB ]] || [[ ! $JAVASCRIPT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for Javascript, or created it in the wrong location."
+        JAVASCRIPT_DB="${{ fromJson(steps.analysis.outputs.db-locations).javascript }}"
+        if [[ ! -d "$JAVASCRIPT_DB" ]] || [[ ! "$JAVASCRIPT_DB" == "${RUNNER_TEMP}/customDbLocation/javascript" ]]; then
+          echo "::error::Did not create a database for Javascript, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/javascript' but actual was '${JAVASCRIPT_DB}'"
          exit 1
        fi
-        PYTHON_DB=${{ fromJson(steps.analysis.outputs.db-locations).python }}
-        if [[ ! -d $PYTHON_DB ]] || [[ ! $PYTHON_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for Python, or created it in the wrong location."
+        PYTHON_DB="${{ fromJson(steps.analysis.outputs.db-locations).python }}"
+        if [[ ! -d "$PYTHON_DB" ]] || [[ ! "$PYTHON_DB" == "${RUNNER_TEMP}/customDbLocation/python" ]]; then
+          echo "::error::Did not create a database for Python, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/python' but actual was '${PYTHON_DB}'"
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -25,45 +25,41 @@ jobs:
    strategy:
      matrix:
        include:
-        - os: ubuntu-latest
-          version: stable-20210308
+        - os: ubuntu-20.04
+          version: stable-20211005
        - os: macos-latest
-          version: stable-20210308
+          version: stable-20211005
        - os: windows-2019
-          version: stable-20210308
-        - os: ubuntu-latest
-          version: stable-20210319
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
        - os: macos-latest
-          version: stable-20210319
+          version: stable-20220120
        - os: windows-2019
-          version: stable-20210319
+          version: stable-20220120
        - os: ubuntu-latest
-          version: stable-20210809
+          version: stable-20220401
        - os: macos-latest
-          version: stable-20210809
-        - os: windows-2019
-          version: stable-20210809
+          version: stable-20220401
+        - os: windows-latest
+          version: stable-20220401
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
-        - os: windows-2019
+        - os: windows-latest
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
          version: nightly-latest
    name: "Upload-sarif: 'ref' and 'sha' from inputs"
    timeout-minutes: 45
@@ -76,14 +72,17 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        tools: ${{ steps.prepare-test.outputs.tools-url }}
        languages: cpp,csharp,java,javascript,python
        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
          github.sha }}
-      env:
-        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
@@ -92,13 +91,9 @@ jobs:
        ref: refs/heads/main
        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
        upload: false
-      env:
-        TEST_MODE: true
    - uses: ./../action/upload-sarif
      with:
        ref: refs/heads/main
        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
    env:
-        TEST_MODE: true
-    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -25,45 +25,41 @@ jobs:
    strategy:
      matrix:
        include:
-        - os: ubuntu-latest
-          version: stable-20210308
+        - os: ubuntu-20.04
+          version: stable-20211005
        - os: macos-latest
-          version: stable-20210308
+          version: stable-20211005
        - os: windows-2019
-          version: stable-20210308
-        - os: ubuntu-latest
-          version: stable-20210319
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
        - os: macos-latest
-          version: stable-20210319
+          version: stable-20220120
        - os: windows-2019
-          version: stable-20210319
+          version: stable-20220120
        - os: ubuntu-latest
-          version: stable-20210809
+          version: stable-20220401
        - os: macos-latest
-          version: stable-20210809
-        - os: windows-2019
-          version: stable-20210809
+          version: stable-20220401
+        - os: windows-latest
+          version: stable-20220401
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
-        - os: windows-2019
+        - os: windows-latest
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
          version: nightly-latest
    name: Use a custom `checkout_path`
    timeout-minutes: 45
@@ -76,6 +72,11 @@ jobs:
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
    - uses: actions/checkout@v3
      with:
        ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
@@ -87,8 +88,6 @@ jobs:
        languages: csharp,javascript
        source-path: x/y/z/some-path/tests/multi-language-repo
        debug: true
-      env:
-        TEST_MODE: true
    - name: Build code (non-windows)
      shell: bash
      if: ${{ runner.os != 'Windows' }}
@@ -105,16 +104,12 @@ jobs:
        ref: v1.1.0
        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
        upload: false
-      env:
-        TEST_MODE: true

    - uses: ./../action/upload-sarif
      with:
        ref: v1.1.0
        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
        checkout_path: x/y/z/some-path/tests/multi-language-repo
-      env:
-        TEST_MODE: true

    - name: Verify SARIF after upload
      shell: bash
@@ -145,4 +140,4 @@ jobs:
          exit 1
        fi
    env:
-      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,6 +8,12 @@ on:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
+  schedule:
+    # Weekly on Sunday.
+    - cron: '30 1 * * 0'
+
+env:
+  CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks

 jobs:
  # Identify the CodeQL tool versions to use in the analysis job.
@@ -51,7 +57,7 @@ jobs:
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
        # required status check.
        #
-        # If we're running on push, then we can skip running with `tools: latest` when it would be
+        # If we're running on push or schedule, then we can skip running with `tools: latest` when it would be
        # the same as running with `tools: null`.
        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
          VERSIONS_JSON='[null]'
@@ -61,7 +67,7 @@ jobs:

        # Output a JSON-encoded list with the distinct versions to test against.
        echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
-        echo "::set-output name=versions::${VERSIONS_JSON}"
+        echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT

  build:
    needs: [check-codeql-versions]
@@ -75,8 +81,10 @@ jobs:
      security-events: write

    steps:
-    - uses: actions/checkout@v3
-    - uses: ./init
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Initialize CodeQL
+      uses: ./init
      id: init
      with:
        languages: javascript
@@ -85,4 +93,5 @@ jobs:
    # confirm steps.init.outputs.codeql-path points to the codeql binary
    - name: Print CodeQL Version
      run: ${{steps.init.outputs.codeql-path}} version --format=json
-    - uses: ./analyze
+    - name: Perform CodeQL Analysis
+      uses: ./analyze
--- a/.github/workflows/codescanning-config-cli.yml
+++ b/.github/workflows/codescanning-config-cli.yml
@@ -24,7 +24,6 @@ jobs:
    continue-on-error: true

    strategy:
-      fail-fast: true
      matrix:
        include:
        - os: ubuntu-latest
--- a/.github/workflows/debug-artifacts-failure.yml
+++ b/.github/workflows/debug-artifacts-failure.yml
@@ -23,6 +23,8 @@ jobs:
        os: [ubuntu-latest, macos-latest]
    name: Upload debug artifacts after failure in analyze
    continue-on-error: true
+    env:
+      CODEQL_ACTION_TEST_MODE: true
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -35,14 +37,15 @@ jobs:
        uses: ./.github/prepare-test
        with:
          version: latest
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ^1.13.1
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          debug: true
          debug-artifact-name: my-debug-artifacts
          debug-database-name: my-db
-        env:
-          TEST_MODE: true
      - name: Build code
        shell: bash
        run: ./build.sh
@@ -51,8 +54,6 @@ jobs:
        with:
          expect-error: true
          ram: 1
-        env:
-          TEST_MODE: true
  download-and-check-artifacts:
    name: Download and check debug artifacts after failure in analyze
    needs: upload-artifacts
@@ -79,7 +80,7 @@ jobs:
                echo "Missing database initialization logs"
                exit 1
              fi
-              if [[ ! -d "$language/log" ]] ; then
+              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
                echo "Missing logs for $language"
                exit 1
              fi
@@ -87,4 +88,4 @@ jobs:
            popd
          done
        env:
-          INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+          GO111MODULE: auto
--- a/.github/workflows/debug-artifacts.yml
+++ b/.github/workflows/debug-artifacts.yml
@@ -19,9 +19,34 @@ jobs:
  upload-artifacts:
    strategy:
      matrix:
-        os: [ubuntu-latest, macos-latest]
-        version: [stable-20210308, stable-20210319, stable-20210809, cached, latest, nightly-latest]
+        include:
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: macos-latest
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: stable-20220401
+        - os: macos-latest
+          version: stable-20220401
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
    name: Upload debug artifacts
+    env:
+      CODEQL_ACTION_TEST_MODE: true
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -32,21 +57,20 @@ jobs:
        uses: ./.github/prepare-test
        with:
          version: ${{ matrix.version }}
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ^1.13.1
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          debug: true
          debug-artifact-name: my-debug-artifacts
          debug-database-name: my-db
-        env:
-          TEST_MODE: true
      - name: Build code
        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis  
-        env:
-          TEST_MODE: true
  download-and-check-artifacts:
    name: Download and check debug artifacts
    needs: upload-artifacts
@@ -58,11 +82,17 @@ jobs:
      - name: Check expected artifacts exist
        shell: bash
        run: |
-          OPERATING_SYSTEMS="ubuntu-latest macos-latest"
-          VERSIONS="stable-20210308 stable-20210319 stable-20210809 cached latest nightly-latest"
+          VERSIONS="stable-20211005 stable-20220120 stable-20220401 cached latest nightly-latest"
          LANGUAGES="cpp csharp go java javascript python"
-          for os in $OPERATING_SYSTEMS; do
          for version in $VERSIONS; do
+            if [[ "$version" =~ stable-(20211005|20220120|20210809) ]]; then
+              # Note the absence of the period in "ubuntu-2004": this is present in the image name
+              # but not the artifact name
+              OPERATING_SYSTEMS="ubuntu-2004 macos-latest"
+            else
+              OPERATING_SYSTEMS="ubuntu-latest macos-latest"
+            fi
+            for os in $OPERATING_SYSTEMS; do
              pushd "./my-debug-artifacts-$os-$version"
              echo "Artifacts from version $version on $os:"
              for language in $LANGUAGES; do
@@ -84,4 +114,4 @@ jobs:
            done
          done
        env:
-          INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
+          GO111MODULE: auto
--- a/.github/workflows/expected-queries-runs.yml
+++ b/.github/workflows/expected-queries-runs.yml
@@ -17,6 +17,8 @@ on:
 jobs:
  expected-queries:
    name: Expected Queries Tests
+    env:
+      CODEQL_ACTION_TEST_MODE: true
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
@@ -31,15 +33,11 @@ jobs:
      with:
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        TEST_MODE: true
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
        upload-database: false
        upload: false
-      env:
-        TEST_MODE: true

    - name: Check Sarif
      uses: ./../action/.github/check-sarif
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -47,11 +47,10 @@ jobs:
        id: getVersion
        run: |
          VERSION="v$(jq '.version' -r 'package.json')"
-          echo "::set-output name=version::${VERSION}"
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
          short_sha="${GITHUB_SHA:0:8}"
          NEW_BRANCH="mergeback/${VERSION}-to-${BASE_BRANCH}-${short_sha}"
-          echo "::set-output name=newBranch::${NEW_BRANCH}"
-
+          echo "newBranch=${NEW_BRANCH}" >> $GITHUB_OUTPUT

      - name: Dump branches
        env:
@@ -77,7 +76,7 @@ jobs:
          exists="$?"
          if [ "${exists}" -eq 0 ]; then
            echo "Tag ${VERSION} exists. Not going to re-release."
-            echo "::set-output name=exists::true"
+            echo "exists=true" >> $GITHUB_OUTPUT
          else
            echo "Tag ${VERSION} does not exist yet."
          fi
@@ -114,7 +113,18 @@ jobs:
        run: |
          set -exu
          pr_title="Mergeback ${VERSION} ${HEAD_BRANCH} into ${BASE_BRANCH}"
-          pr_body="Updates version and changelog."
+          pr_body=$(cat << EOF
+            This PR bumps the version number and updates the changelog after the ${VERSION} release.
+
+            Please do the following:
+
+            - [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.
+            - [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.
+            - [ ] Mark the PR as ready for review to trigger the full set of PR checks.
+            - [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
+                  selected rather than "Squash and merge" or "Rebase and merge".
+          EOF
+          )

          # Update the version number ready for the next release
          npm version patch --no-git-tag-version
@@ -134,4 +144,5 @@ jobs:
            --title "${pr_title}" \
            --label "Update dependencies" \
            --body "${pr_body}" \
+            --assignee "${GITHUB_ACTOR}" \
            --draft
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -16,7 +16,6 @@ jobs:
    timeout-minutes: 45

    strategy:
-      fail-fast: true
      matrix:
        node-types-version: [12.12, current]

@@ -89,7 +88,7 @@ jobs:
          fi

      - name: Set up Python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
        with:
          python-version: 3.8

--- a/.github/workflows/python-deps.yml
+++ b/.github/workflows/python-deps.yml
@@ -26,16 +26,9 @@ jobs:
    strategy:
        fail-fast: false
        matrix:
-          os: [ubuntu-latest, macos-latest]
+          os: [ubuntu-20.04, ubuntu-22.04, macos-latest]
          python_deps_type: [pipenv, poetry, requirements, setup_py]
-          python_version: [2, 3]
-          exclude:
-            # Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
-            - python_version: 2
-              python_deps_type: poetry
-            # Python2 and pipenv are not supported since pipenv v2021.11.5
-            - python_version: 2
-              python_deps_type: pipenv
+          python_version: [3]


    env:
@@ -62,7 +55,8 @@ jobs:
        cd $GITHUB_WORKSPACE/python-setup/tests/${PYTHON_DEPS_TYPE}/requests-${PYTHON_VERSION}

        case ${{ matrix.os }} in
-            ubuntu-latest*)     basePath="/opt";;
+            ubuntu-20.04*)     basePath="/opt";;
+            ubuntu-22.04*)     basePath="/opt";;
            macos-latest*)    basePath="/Users/runner";;
        esac
        echo ${basePath}
@@ -86,7 +80,7 @@ jobs:
    strategy:
        fail-fast: false
        matrix:
-          os: [ubuntu-latest, macos-latest]
+          os: [ubuntu-20.04, ubuntu-22.04, macos-latest]

    steps:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
@@ -108,7 +102,8 @@ jobs:
        cd $GITHUB_WORKSPACE/python-setup/tests/requirements/non-standard-location

        case ${{ matrix.os }} in
-            ubuntu-latest*)     basePath="/opt";;
+            ubuntu-20.04*)     basePath="/opt";;
+            ubuntu-22.04*)     basePath="/opt";;
            macos-latest*)    basePath="/Users/runner";;
        esac
        echo ${basePath}
@@ -133,16 +128,10 @@ jobs:
        fail-fast: false
        matrix:
          python_deps_type: [pipenv, poetry, requirements, setup_py]
-          python_version: [2, 3]
-          exclude:
-            # Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
-            - python_version: 2
-              python_deps_type: poetry
-            # Python2 and pipenv are not supported since pipenv v2021.11.5
-            - python_version: 2
-              python_deps_type: pipenv
+          python_version: [3]

    env:
+      CODEQL_ACTION_TEST_MODE: true
      PYTHON_DEPS_TYPE: ${{ matrix.python_deps_type }}
      PYTHON_VERSION: ${{ matrix.python_version }}

@@ -150,7 +139,7 @@ jobs:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
    - uses: actions/checkout@v3

-    - uses: actions/setup-python@v3
+    - uses: actions/setup-python@v4
      with:
        python-version: ${{ matrix.python_version }}

@@ -160,8 +149,6 @@ jobs:
        tools: latest
        languages: python
        setup-python-dependencies: false
-      env:
-        TEST_MODE: true

    - name: Test Auto Package Installation
      run: |
--- a/.github/workflows/runner-checks.yml
+++ b/.github/workflows/runner-checks.yml
@@ -1,413 +0,0 @@
-name: CodeQL Runner Checks
-
-on:
-  push:
-    branches: [main, releases/v1, releases/v2]
-  pull_request:
-    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
-    # by other workflows.
-    types: [opened, synchronize, reopened, ready_for_review]
-  workflow_dispatch:
-
-jobs:
-  runner-analyze-javascript-ubuntu:
-    name: Runner ubuntu JS analyze
-
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build runner
-        run: |
-          cd runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          # Pass --config-file here, but not for other jobs in this workflow.
-          # This means we're testing the config file parsing in the runner
-          # but not slowing down all jobs unnecessarily as it doesn't add much
-          # testing the parsing on different operating systems and languages.
-          runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages javascript --config-file ./.github/codeql/codeql-config.yml --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Run analyze
-        run: |
-          runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-javascript-windows:
-    name: Runner windows JS analyze
-    timeout-minutes: 45
-    runs-on: windows-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build runner
-        run: |
-          cd runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages javascript --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Run analyze
-        run: |
-          runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-javascript-macos:
-    name: Runner macos JS analyze
-    timeout-minutes: 45
-    runs-on: macos-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build runner
-        run: |
-          cd runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages javascript --config-file ./.github/codeql/codeql-config.yml --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Run analyze
-        run: |
-          runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-csharp-ubuntu:
-    name: Runner ubuntu C# analyze
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../action
-          mv * .github ../action/
-          mv ../action/tests/multi-language-repo/{*,.github} .
-          mv ../action/.github/workflows .github
-
-      - name: Build runner
-        run: |
-          cd ../action/runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          ../action/runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Build code
-        run: |
-          . ./codeql-runner/codeql-env.sh
-          $CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false
-
-      - name: Run analyze
-        run: |
-          ../action/runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-csharp-windows:
-    name: Runner windows C# analyze
-
-    # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
-    # `windows-latest`.
-    timeout-minutes: 45
-    runs-on: windows-2019
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../action
-          mv * .github ../action/
-          mv ../action/tests/multi-language-repo/{*,.github} .
-          mv ../action/.github/workflows .github
-
-      - name: Build runner
-        run: |
-          cd ../action/runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          ../action/runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages csharp --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Build code
-        shell: powershell
-        run: |
-          cat ./codeql-runner/codeql-env.sh | Invoke-Expression
-          $Env:CODEQL_EXTRACTOR_CSHARP_ROOT = "" # Unset an environment variable to make sure the tracer resists this
-          & $Env:CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false
-
-      - name: Upload tracer logs
-        uses: actions/upload-artifact@v3
-        with:
-          name: tracer-logs
-          path: ./codeql-runner/compound-build-tracer.log
-
-      - name: Run analyze
-        run: |
-          ../action/runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-csharp-macos:
-    name: Runner macos C# analyze
-    timeout-minutes: 45
-
-    runs-on: macos-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../action
-          mv * .github ../action/
-          mv ../action/tests/multi-language-repo/{*,.github} .
-          mv ../action/.github/workflows .github
-
-      - name: Build runner
-        run: |
-          cd ../action/runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          ../action/runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Build code
-        shell: bash
-        run: |
-          . ./codeql-runner/codeql-env.sh
-          $CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false
-
-      - name: Run analyze
-        run: |
-          ../action/runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-csharp-autobuild-ubuntu:
-    name: Runner ubuntu autobuild C# analyze
-    timeout-minutes: 45
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../action
-          mv * .github ../action/
-          mv ../action/tests/multi-language-repo/{*,.github} .
-          mv ../action/.github/workflows .github
-
-      - name: Build runner
-        run: |
-          cd ../action/runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          ../action/runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Build code
-        run: |
-          ../action/runner/dist/codeql-runner-linux autobuild
-
-      - name: Run analyze
-        run: |
-          ../action/runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-csharp-autobuild-windows:
-    timeout-minutes: 45
-    name: Runner windows autobuild C# analyze
-
-    # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
-    # `windows-latest`.
-    runs-on: windows-2019
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../action
-          mv * .github ../action/
-          mv ../action/tests/multi-language-repo/{*,.github} .
-          mv ../action/.github/workflows .github
-
-      - name: Build runner
-        run: |
-          cd ../action/runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          ../action/runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages csharp --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Build code
-        shell: powershell
-        run: |
-          ../action/runner/dist/codeql-runner-win.exe autobuild
-
-      - name: Run analyze
-        run: |
-          ../action/runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-analyze-csharp-autobuild-macos:
-    name: Runner macos autobuild C# analyze
-
-    runs-on: macos-latest
-    timeout-minutes: 45
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../action
-          mv * .github ../action/
-          mv ../action/tests/multi-language-repo/{*,.github} .
-          mv ../action/.github/workflows .github
-
-      - name: Build runner
-        run: |
-          cd ../action/runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          ../action/runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Build code
-        shell: bash
-        run: |
-          . codeql-runner/codeql-env.sh
-          CODEQL_RUNNER="$(cat codeql-runner/codeql-env.json | jq -r '.CODEQL_RUNNER')"
-          echo "$CODEQL_RUNNER"
-          $CODEQL_RUNNER ../action/runner/dist/codeql-runner-macos autobuild
-
-      - name: Run analyze
-        run: |
-          ../action/runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-  runner-upload-sarif:
-    name: Runner upload sarif
-
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-
-    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build runner
-        run: |
-          cd runner
-          npm install
-          npm run build-runner
-
-      - name: Upload with runner
-        run: |
-          # Deliberately don't use TEST_MODE here. This is specifically testing
-          # the compatibility with the API.
-          runner/dist/codeql-runner-linux upload --sarif-file src/testdata/empty-sarif.sarif --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-
-  runner-extractor-ram-threads-options:
-    name: Runner ubuntu extractor RAM and threads options
-
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build runner
-        run: |
-          cd runner
-          npm install
-          npm run build-runner
-
-      - name: Run init
-        run: |
-          runner/dist/codeql-runner-linux init --ram=230 --threads=1 --repository $GITHUB_REPOSITORY --languages java --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
-        env:
-          TEST_MODE: true
-
-      - name: Assert Results
-        shell: bash
-        run: |
-          . ./codeql-runner/codeql-env.sh
-          if [ "${CODEQL_RAM}" != "230" ]; then
-            echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
-            exit 1
-          fi
-          if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
-            echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
-            exit 1
-          fi
-          if [ "${CODEQL_THREADS}" != "1" ]; then
-            echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
-            exit 1
-          fi
-          if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
-            echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
-            exit 1
-          fi
--- a/.github/workflows/script/check-node-modules.sh
+++ b/.github/workflows/script/check-node-modules.sh
@@ -7,7 +7,10 @@ if [ ! -z "$(git status --porcelain)" ]; then
    >&2 echo "Failed: Repo should be clean before testing!"
    exit 1
 fi
-sudo npm install --force -g npm@latest
+# Pin npm to v8 since v9 doesn't support Node 12.
+# When updating this, make sure to update the npm version in
+# `.github/workflows/update-dependencies.yml` too.
+sudo npm install --force -g npm@^8.19.3
 # Reinstall modules and then clean to remove absolute paths
 # Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
 npm ci
@@ -15,7 +18,7 @@ npm run removeNPMAbsolutePaths
 # Check that repo is still clean
 if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then the PR needs attention
-    >&2 echo "Failed: node_modules are not up to date. Run 'npm ci && npm run removeNPMAbsolutePaths' on a macOS machine to update. Note it is important this command is run on macOS and not any other operating system as there is one dependency (fsevents) that is needed for macOS and may not be installed if the command is run on a Windows or Linux machine."
+    >&2 echo "Failed: node_modules are not up to date. Add the 'Update dependencies' label to your PR to update them. Note it is important that node modules are updated on macOS and not any other operating system as there is one dependency (fsevents) that is needed for macOS and may not be installed if dependencies are updated on a Windows or Linux machine."
    git status
    exit 1
 fi
--- a/.github/workflows/script/update-required-checks.sh
+++ b/.github/workflows/script/update-required-checks.sh
@@ -10,7 +10,7 @@ fi

 if [ "$#" -eq 1 ]; then
  # If we were passed an argument, use that as the SHA
-  GITHUB_SHA="$0"
+  GITHUB_SHA="$1"
 elif [ "$#" -gt 1 ]; then
  echo "Usage: $0 [SHA]"
  echo "Update the required checks based on the SHA, or main."
@@ -23,7 +23,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"

 # Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") or contains("update") | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or . == "check-expected-release-files" or contains("Update") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"

 echo "$CHECKS" | jq

--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -27,7 +27,10 @@ jobs:
      run: |
        git fetch origin "$BRANCH" --depth=1
        git checkout "origin/$BRANCH"
-        sudo npm install --force -g npm@latest
+        # Pin npm to v8 since v9 doesn't support Node 12.
+        # When updating this, make sure to update the npm version in
+        # `.github/workflows/script/check-node-modules.sh` too.
+        sudo npm install --force -g npm@^8.19.3
        npm install
        npm ci
        npm run removeNPMAbsolutePaths
--- a/.github/workflows/update-release-branch.yml
+++ b/.github/workflows/update-release-branch.yml
@@ -29,7 +29,7 @@ jobs:
        fetch-depth: 0

    - name: Set up Python
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
      with:
        python-version: 3.8

--- a/.github/workflows/update-supported-enterprise-server-versions.yml
+++ b/.github/workflows/update-supported-enterprise-server-versions.yml
@@ -13,7 +13,7 @@ jobs:

    steps:
      - name: Setup Python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
        with:
          python-version: "3.7"
      - name: Checkout CodeQL Action
@@ -35,7 +35,7 @@ jobs:
        env:
          ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
      - name: Commit Changes
-        uses: peter-evans/create-pull-request@c7f493a8000b8aeb17a1332e326ba76b57cb83eb # v3.4.1
+        uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04 # v4.2.3
        with:
          commit-message: Update supported GitHub Enterprise Server versions.
          title: Update supported GitHub Enterprise Server versions.
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,2 @@
-/runner/dist/
-/runner/node_modules/
 # Ignore for example failing-tests.json from AVA
 node_modules/.cache
--- a/.npmrc
+++ b/.npmrc
@@ -0,0 +1 @@
+lockfile-version=3
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,80 @@

 No user facing changes.

+## 2.1.37 - 14 Dec 2022
+
+- Update default CodeQL bundle version to 2.11.6. [#1433](https://github.com/github/codeql-action/pull/1433)
+
+## 2.1.36 - 08 Dec 2022
+
+- Update default CodeQL bundle version to 2.11.5. [#1412](https://github.com/github/codeql-action/pull/1412)
+- Add a step that tries to upload a SARIF file for the workflow run when that workflow run fails. This will help better surface failed code scanning workflow runs. [#1393](https://github.com/github/codeql-action/pull/1393)
+- Python automatic dependency installation will no longer consider dependecy code installed in venv as user-written, for projects using Poetry that specify `virtualenvs.in-project = true` in their `poetry.toml`. [#1419](https://github.com/github/codeql-action/pull/1419).
+
+## 2.1.35 - 01 Dec 2022
+
+No user facing changes.
+
+## 2.1.34 - 25 Nov 2022
+
+- Update default CodeQL bundle version to 2.11.4. [#1391](https://github.com/github/codeql-action/pull/1391)
+- Fixed a bug where some the `init` action and the `analyze` action would have different sets of experimental feature flags enabled. [#1384](https://github.com/github/codeql-action/pull/1384)
+
+## 2.1.33 - 16 Nov 2022
+
+- Go is now analyzed in the same way as other compiled languages such as C/C++, C#, and Java. This completes the rollout of the feature described in [CodeQL Action version 2.1.27](#2127---06-oct-2022). [#1322](https://github.com/github/codeql-action/pull/1322)
+- Bump the minimum CodeQL bundle version to 2.6.3. [#1358](https://github.com/github/codeql-action/pull/1358)
+
+## 2.1.32 - 14 Nov 2022
+
+- Update default CodeQL bundle version to 2.11.3. [#1348](https://github.com/github/codeql-action/pull/1348)
+- Update the ML-powered additional query pack for JavaScript to version 0.4.0. [#1351](https://github.com/github/codeql-action/pull/1351)
+
+## 2.1.31 - 04 Nov 2022
+
+- The `rb/weak-cryptographic-algorithm` Ruby query has been updated to no longer report uses of hash functions such as `MD5` and `SHA1` even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice. For more information, see the corresponding change in the [github/codeql repository](https://github.com/github/codeql/pull/11129). [#1344](https://github.com/github/codeql-action/pull/1344)
+
+## 2.1.30 - 02 Nov 2022
+
+- Improve the error message when using CodeQL bundle version 2.7.2 and earlier in a workflow that runs on a runner image such as `ubuntu-22.04` that uses glibc version 2.34 and later. [#1334](https://github.com/github/codeql-action/pull/1334)
+
+## 2.1.29 - 26 Oct 2022
+
+- Update default CodeQL bundle version to 2.11.2. [#1320](https://github.com/github/codeql-action/pull/1320)
+
+## 2.1.28 - 18 Oct 2022
+
+- Update default CodeQL bundle version to 2.11.1. [#1294](https://github.com/github/codeql-action/pull/1294)
+- Replace uses of GitHub Actions command `set-output` because it is now deprecated. See more information in the [GitHub Changelog](https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/). [#1301](https://github.com/github/codeql-action/pull/1301)
+
+## 2.1.27 - 06 Oct 2022
+
+- We are rolling out a feature of the CodeQL Action in October 2022 that changes the way that Go code is analyzed to be more consistent with other compiled languages like C/C++, C#, and Java. You do not need to alter your code scanning workflows. If you encounter any problems, please [file an issue](https://github.com/github/codeql-action/issues) or open a private ticket with GitHub Support and request an escalation to engineering.
+
+## 2.1.26 - 29 Sep 2022
+
+- Update default CodeQL bundle version to 2.11.0. [#1267](https://github.com/github/codeql-action/pull/1267)
+
+## 2.1.25 - 21 Sep 2022
+
+- We will soon be rolling out a feature of the CodeQL Action that stores some information used to make future runs faster in the GitHub Actions cache. Initially, this will only be enabled on JavaScript repositories, but we plan to add more languages to this soon. The new feature can be disabled by passing the `trap-caching: false` option to your workflow's `init` step, for example if you are already using the GitHub Actions cache for a different purpose and are near the storage limit for it.
+- Add support for Python automatic dependency installation with Poetry 1.2 [#1258](https://github.com/github/codeql-action/pull/1258).
+
+## 2.1.24 - 16 Sep 2022
+
+No user facing changes.
+
+## 2.1.23 - 14 Sep 2022
+
+- Allow CodeQL packs to be downloaded from GitHub Enterprise Server instances, using the new `registries` input for the `init` action.  [#1221](https://github.com/github/codeql-action/pull/1221)
+- Update default CodeQL bundle version to 2.10.5. [#1240](https://github.com/github/codeql-action/pull/1240)
+
+## 2.1.22 - 01 Sep 2022
+
+- Downloading CodeQL packs has been moved to the `init` step. Previously, CodeQL packs were downloaded during the `analyze` step. [#1218](https://github.com/github/codeql-action/pull/1218)
+- Update default CodeQL bundle version to 2.10.4. [#1224](https://github.com/github/codeql-action/pull/1224)
+- The newly released [Poetry 1.2](https://python-poetry.org/blog/announcing-poetry-1.2.0) is not yet supported. In the most common case where the CodeQL Action is automatically installing Python dependencies, it will continue to install and use Poetry 1.1 on its own. However, in certain cases such as with self-hosted runners, you may need to ensure Poetry 1.1 is installed yourself.
+
 ## 2.1.21 - 25 Aug 2022

 - Improve error messages when the code scanning configuration file includes an invalid `queries` block or an invalid `query-filters` block. [#1208](https://github.com/github/codeql-action/pull/1208)
@@ -36,7 +110,7 @@ No user facing changes.
 ## 2.1.15 - 28 Jun 2022

 - CodeQL query packs listed in the `packs` configuration field will be skipped if their target language is not being analyzed in the current Actions job. Previously, this would throw an error. [#1116](https://github.com/github/codeql-action/pull/1116)
- The combination of python2 and poetry is no longer supported. See https://github.com/actions/setup-python/issues/374 for more details. [#1124](https://github.com/github/codeql-action/pull/1124)
+- The combination of python2 and poetry is no longer supported. See <https://github.com/actions/setup-python/issues/374> for more details. [#1124](https://github.com/github/codeql-action/pull/1124)
 - Update default CodeQL bundle version to 2.10.0. [#1123](https://github.com/github/codeql-action/pull/1123)

 ## 2.1.14 - 22 Jun 2022
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -38,10 +38,6 @@ To see the effect of your changes and to test them, push your changes in a branc

 As well as the unit tests (see _Common tasks_ above), there are integration tests, defined in `.github/workflows/integration-testing.yml`.  These are run by a CI check.  Depending on the change you’re making, you may want to add a test to this file or extend an existing one.

-### Building the CodeQL runner
-
-Navigate to the `runner` directory and run `npm install` to install dependencies needed only for compiling the CodeQL runner. Run `npm run build-runner` to output files to the `runner/dist` directory.
-
 ## Submitting a pull request

 1. [Fork][fork] and clone the repository
--- a/README.md
+++ b/README.md
@@ -59,9 +59,9 @@ jobs:
        uses: github/codeql-action/init@v2
        # Override language selection by uncommenting this and choosing your languages
        # with:
-        #   languages: go, javascript, csharp, python, cpp, java
+        #   languages: go, javascript, csharp, python, cpp, java, ruby

-      # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
      # If this step fails, then you should remove it and run the build manually (see below).
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2
--- a/analyze/action.yml
+++ b/analyze/action.yml
@@ -12,6 +12,7 @@ inputs:
  upload:
    description: Upload the SARIF file to Code Scanning
    required: false
+    # If changing this, make sure to update workflow.ts accordingly.
    default: "true"
  cleanup-level:
    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --mode flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
@@ -44,6 +45,7 @@ inputs:
  checkout_path:
    description: "The path at which the analyzed repository was checked out. Used to relativize any absolute paths in the uploaded SARIF file."
    required: false
+    # If changing this, make sure to update workflow.ts accordingly.
    default: ${{ github.workspace }}
  ref:
    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is not available in pull requests from forks."
--- a/init/action.yml
+++ b/init/action.yml
@@ -10,9 +10,34 @@ inputs:
    description: The languages to be analysed
    required: false
  token:
+    description: GitHub token to use for authenticating with this instance of GitHub. To download custom packs from multiple registries, use the registries input.
    default: ${{ github.token }}
+    required: false
+  registries:
+    description: |
+      Use this input only when you need to download CodeQL packages from another instance of GitHub. If you only need to download packages from this GitHub instance, use the token input instead.
+
+      A YAML string that defines the list of GitHub container registries to use for downloading packs. The string is in the following form (the | is required on the first line):
+
+      registries: |
+          - url: https://containers.GHEHOSTNAME1/v2/
+            packages:
+              - my-company/*
+              - my-company2/*
+            token: \$\{{ secrets.GHEHOSTNAME1_TOKEN }}
+
+          - url: https://ghcr.io/v2/
+            packages: */*
+            token: \$\{{ secrets.GHCR_TOKEN }}
+
+      The `url` property contains the URL to the container registry you want to connect to.
+
+      The `packages` property contains a single glob string or a list of glob strings, specifying which packages should be retrieved from this particular container registry. Order is important. Earlier entries will match before later entries.
+
+      The `token` property contains a connection token for this registry.    required: false
  matrix:
    default: ${{ toJson(matrix) }}
+    required: false
  config-file:
    description: Path of the config file to use
    required: false
@@ -32,7 +57,7 @@ inputs:
      analyses, you must specify packs in the codeql-config.yml file.
    required: false
  external-repository-token:
-    description: A token for fetching external config files and queries if they reside in a private repository.
+    description: A token for fetching external config files and queries if they reside in a private repository in the same GitHub instance that is running this action.
    required: false
  setup-python-dependencies:
    description: Try to auto-install your python dependencies
--- a/lib/actions-util.js
+++ b/lib/actions-util.js
@@ -19,29 +19,24 @@ var __importStar = (this && this.__importStar) || function (mod) {
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.sendStatusReport = exports.createStatusReportBase = exports.getActionsStatus = exports.getRef = exports.computeAutomationID = exports.getAutomationID = exports.getAnalysisKey = exports.getWorkflowRunID = exports.getWorkflow = exports.formatWorkflowCause = exports.formatWorkflowErrors = exports.validateWorkflow = exports.getWorkflowErrors = exports.WorkflowErrors = exports.patternIsSuperset = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
+exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.workflowEventName = exports.sendStatusReport = exports.createStatusReportBase = exports.getActionsStatus = exports.getRef = exports.computeAutomationID = exports.getAutomationID = exports.getAnalysisKey = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const safeWhich = __importStar(require("@chrisgavin/safe-which"));
-const yaml = __importStar(require("js-yaml"));
 const api = __importStar(require("./api-client"));
 const sharedEnv = __importStar(require("./shared-environment"));
 const util_1 = require("./util");
+const workflow_1 = require("./workflow");
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
-/**
- * The utils in this module are meant to be run inside of the action only.
- * Code paths from the runner should not enter this module.
- */
 /**
 * Wrapper around core.getInput for inputs that always have a value.
 * Also see getOptionalInput.
 *
- * This allows us to get stronger type checking of required/optional inputs
- * and make behaviour more consistent between actions and the runner.
+ * This allows us to get stronger type checking of required/optional inputs.
 */
 function getRequiredInput(name) {
    return core.getInput(name, { required: true });
@@ -51,8 +46,7 @@ exports.getRequiredInput = getRequiredInput;
 * Wrapper around core.getInput that converts empty inputs to undefined.
 * Also see getRequiredInput.
 *
- * This allows us to get stronger type checking of required/optional inputs
- * and make behaviour more consistent between actions and the runner.
+ * This allows us to get stronger type checking of required/optional inputs.
 */
 const getOptionalInput = function (name) {
    const value = core.getInput(name);
@@ -105,7 +99,7 @@ exports.getCommitOid = getCommitOid;
 * Returns undefined if run by other triggers or the merge base cannot be determined.
 */
 const determineMergeBaseCommitOid = async function () {
-    if (process.env.GITHUB_EVENT_NAME !== "pull_request") {
+    if (workflowEventName() !== "pull_request") {
        return undefined;
    }
    const mergeSha = (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
@@ -151,225 +145,6 @@ const determineMergeBaseCommitOid = async function () {
    }
 };
 exports.determineMergeBaseCommitOid = determineMergeBaseCommitOid;
-function isObject(o) {
-    return o !== null && typeof o === "object";
-}
-const GLOB_PATTERN = new RegExp("(\\*\\*?)");
-function escapeRegExp(string) {
-    return string.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // $& means the whole matched string
-}
-function patternToRegExp(value) {
-    return new RegExp(`^${value
-        .toString()
-        .split(GLOB_PATTERN)
-        .reduce(function (arr, cur) {
-        if (cur === "**") {
-            arr.push(".*?");
-        }
-        else if (cur === "*") {
-            arr.push("[^/]*?");
-        }
-        else if (cur) {
-            arr.push(escapeRegExp(cur));
-        }
-        return arr;
-    }, [])
-        .join("")}$`);
-}
-// this function should return true if patternA is a superset of patternB
-// e.g: * is a superset of main-* but main-* is not a superset of *.
-function patternIsSuperset(patternA, patternB) {
-    return patternToRegExp(patternA).test(patternB);
-}
-exports.patternIsSuperset = patternIsSuperset;
-function branchesToArray(branches) {
-    if (typeof branches === "string") {
-        return [branches];
-    }
-    if (Array.isArray(branches)) {
-        if (branches.length === 0) {
-            return "**";
-        }
-        return branches;
-    }
-    return "**";
-}
-function toCodedErrors(errors) {
-    return Object.entries(errors).reduce((acc, [key, value]) => {
-        acc[key] = { message: value, code: key };
-        return acc;
-    }, {});
-}
-// code to send back via status report
-// message to add as a warning annotation to the run
-exports.WorkflowErrors = toCodedErrors({
-    MismatchedBranches: `Please make sure that every branch in on.pull_request is also in on.push so that Code Scanning can compare pull requests against the state of the base branch.`,
-    MissingPushHook: `Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch.`,
-    PathsSpecified: `Using on.push.paths can prevent Code Scanning annotating new alerts in your pull requests.`,
-    PathsIgnoreSpecified: `Using on.push.paths-ignore can prevent Code Scanning annotating new alerts in your pull requests.`,
-    CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
-});
-function getWorkflowErrors(doc) {
-    var _a, _b, _c, _d, _e;
-    const errors = [];
-    const jobName = process.env.GITHUB_JOB;
-    if (jobName) {
-        const job = (_a = doc === null || doc === void 0 ? void 0 : doc.jobs) === null || _a === void 0 ? void 0 : _a[jobName];
-        const steps = job === null || job === void 0 ? void 0 : job.steps;
-        if (Array.isArray(steps)) {
-            for (const step of steps) {
-                // this was advice that we used to give in the README
-                // we actually want to run the analysis on the merge commit
-                // to produce results that are more inline with expectations
-                // (i.e: this is what will happen if you merge this PR)
-                // and avoid some race conditions
-                if ((step === null || step === void 0 ? void 0 : step.run) === "git checkout HEAD^2") {
-                    errors.push(exports.WorkflowErrors.CheckoutWrongHead);
-                    break;
-                }
-            }
-        }
-    }
-    let missingPush = false;
-    if (doc.on === undefined) {
-        // this is not a valid config
-    }
-    else if (typeof doc.on === "string") {
-        if (doc.on === "pull_request") {
-            missingPush = true;
-        }
-    }
-    else if (Array.isArray(doc.on)) {
-        const hasPush = doc.on.includes("push");
-        const hasPullRequest = doc.on.includes("pull_request");
-        if (hasPullRequest && !hasPush) {
-            missingPush = true;
-        }
-    }
-    else if (isObject(doc.on)) {
-        const hasPush = Object.prototype.hasOwnProperty.call(doc.on, "push");
-        const hasPullRequest = Object.prototype.hasOwnProperty.call(doc.on, "pull_request");
-        if (!hasPush && hasPullRequest) {
-            missingPush = true;
-        }
-        if (hasPush && hasPullRequest) {
-            const paths = (_b = doc.on.push) === null || _b === void 0 ? void 0 : _b.paths;
-            // if you specify paths or paths-ignore you can end up with commits that have no baseline
-            // if they didn't change any files
-            // currently we cannot go back through the history and find the most recent baseline
-            if (Array.isArray(paths) && paths.length > 0) {
-                errors.push(exports.WorkflowErrors.PathsSpecified);
-            }
-            const pathsIgnore = (_c = doc.on.push) === null || _c === void 0 ? void 0 : _c["paths-ignore"];
-            if (Array.isArray(pathsIgnore) && pathsIgnore.length > 0) {
-                errors.push(exports.WorkflowErrors.PathsIgnoreSpecified);
-            }
-        }
-        // if doc.on.pull_request is null that means 'all branches'
-        // if doc.on.pull_request is undefined that means 'off'
-        // we only want to check for mismatched branches if pull_request is on.
-        if (doc.on.pull_request !== undefined) {
-            const push = branchesToArray((_d = doc.on.push) === null || _d === void 0 ? void 0 : _d.branches);
-            if (push !== "**") {
-                const pull_request = branchesToArray((_e = doc.on.pull_request) === null || _e === void 0 ? void 0 : _e.branches);
-                if (pull_request !== "**") {
-                    const difference = pull_request.filter((value) => !push.some((o) => patternIsSuperset(o, value)));
-                    if (difference.length > 0) {
-                        // there are branches in pull_request that may not have a baseline
-                        // because we are not building them on push
-                        errors.push(exports.WorkflowErrors.MismatchedBranches);
-                    }
-                }
-                else if (push.length > 0) {
-                    // push is set up to run on a subset of branches
-                    // and you could open a PR against a branch with no baseline
-                    errors.push(exports.WorkflowErrors.MismatchedBranches);
-                }
-            }
-        }
-    }
-    if (missingPush) {
-        errors.push(exports.WorkflowErrors.MissingPushHook);
-    }
-    return errors;
-}
-exports.getWorkflowErrors = getWorkflowErrors;
-async function validateWorkflow() {
-    let workflow;
-    try {
-        workflow = await getWorkflow();
-    }
-    catch (e) {
-        return `error: getWorkflow() failed: ${String(e)}`;
-    }
-    let workflowErrors;
-    try {
-        workflowErrors = getWorkflowErrors(workflow);
-    }
-    catch (e) {
-        return `error: getWorkflowErrors() failed: ${String(e)}`;
-    }
-    if (workflowErrors.length > 0) {
-        let message;
-        try {
-            message = formatWorkflowErrors(workflowErrors);
-        }
-        catch (e) {
-            return `error: formatWorkflowErrors() failed: ${String(e)}`;
-        }
-        core.warning(message);
-    }
-    return formatWorkflowCause(workflowErrors);
-}
-exports.validateWorkflow = validateWorkflow;
-function formatWorkflowErrors(errors) {
-    const issuesWere = errors.length === 1 ? "issue was" : "issues were";
-    const errorsList = errors.map((e) => e.message).join(" ");
-    return `${errors.length} ${issuesWere} detected with this workflow: ${errorsList}`;
-}
-exports.formatWorkflowErrors = formatWorkflowErrors;
-function formatWorkflowCause(errors) {
-    if (errors.length === 0) {
-        return undefined;
-    }
-    return errors.map((e) => e.code).join(",");
-}
-exports.formatWorkflowCause = formatWorkflowCause;
-async function getWorkflow() {
-    const relativePath = await getWorkflowPath();
-    const absolutePath = path.join((0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), relativePath);
-    return yaml.load(fs.readFileSync(absolutePath, "utf-8"));
-}
-exports.getWorkflow = getWorkflow;
-/**
- * Get the path of the currently executing workflow.
- */
-async function getWorkflowPath() {
-    const repo_nwo = (0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY").split("/");
-    const owner = repo_nwo[0];
-    const repo = repo_nwo[1];
-    const run_id = Number((0, util_1.getRequiredEnvParam)("GITHUB_RUN_ID"));
-    const apiClient = api.getActionsApiClient();
-    const runsResponse = await apiClient.request("GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true", {
-        owner,
-        repo,
-        run_id,
-    });
-    const workflowUrl = runsResponse.data.workflow_url;
-    const workflowResponse = await apiClient.request(`GET ${workflowUrl}`);
-    return workflowResponse.data.path;
-}
-/**
- * Get the workflow run ID.
- */
-function getWorkflowRunID() {
-    const workflowRunID = parseInt((0, util_1.getRequiredEnvParam)("GITHUB_RUN_ID"), 10);
-    if (Number.isNaN(workflowRunID)) {
-        throw new Error("GITHUB_RUN_ID must define a non NaN workflow run ID");
-    }
-    return workflowRunID;
-}
-exports.getWorkflowRunID = getWorkflowRunID;
 /**
 * Get the analysis key parameter for the current job.
 *
@@ -383,7 +158,7 @@ async function getAnalysisKey() {
    if (analysisKey !== undefined) {
        return analysisKey;
    }
-    const workflowPath = await getWorkflowPath();
+    const workflowPath = await (0, workflow_1.getWorkflowPath)();
    const jobName = (0, util_1.getRequiredEnvParam)("GITHUB_JOB");
    analysisKey = `${workflowPath}:${jobName}`;
    core.exportVariable(analysisKeyEnvVar, analysisKey);
@@ -398,10 +173,10 @@ async function getAutomationID() {
 exports.getAutomationID = getAutomationID;
 function computeAutomationID(analysis_key, environment) {
    let automationID = `${analysis_key}/`;
+    const matrix = (0, util_1.parseMatrixInput)(environment);
+    if (matrix !== undefined) {
        // the id has to be deterministic so we sort the fields
-    if (environment !== undefined && environment !== "null") {
-        const environmentObject = JSON.parse(environment);
-        for (const entry of Object.entries(environmentObject).sort()) {
+        for (const entry of Object.entries(matrix).sort()) {
            if (typeof entry[1] === "string") {
                automationID += `${entry[0]}:${entry[1]}/`;
            }
@@ -432,7 +207,7 @@ async function getRef() {
    if ((hasRefInput || hasShaInput) && !(hasRefInput && hasShaInput)) {
        throw new Error("Both 'ref' and 'sha' are required if one of them is provided.");
    }
-    const ref = refInput || (0, util_1.getRequiredEnvParam)("GITHUB_REF");
+    const ref = refInput || getRefFromEnv();
    const sha = shaInput || (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
    // If the ref is a user-provided input, we have to skip logic
    // and assume that it is really where they want to upload the results.
@@ -452,7 +227,7 @@ async function getRef() {
    // in actions/checkout@v1 this may not be true as it checks out the repository
    // using GITHUB_REF. There is a subtle race condition where
    // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check
-    // git git-parse GITHUB_REF == git rev-parse HEAD instead.
+    // git rev-parse GITHUB_REF == git rev-parse HEAD instead.
    const hasChangedRef = sha !== head &&
        (await (0, exports.getCommitOid)(checkoutPath, ref.replace(/^refs\/pull\//, "refs/remotes/pull/"))) !== head;
    if (hasChangedRef) {
@@ -465,6 +240,26 @@ async function getRef() {
    }
 }
 exports.getRef = getRef;
+function getRefFromEnv() {
+    // To workaround a limitation of Actions dynamic workflows not setting
+    // the GITHUB_REF in some cases, we accept also the ref within the
+    // CODE_SCANNING_REF variable. When possible, however, we prefer to use
+    // the GITHUB_REF as that is a protected variable and cannot be overwritten.
+    let refEnv;
+    try {
+        refEnv = (0, util_1.getRequiredEnvParam)("GITHUB_REF");
+    }
+    catch (e) {
+        // If the GITHUB_REF is not set, we try to rescue by getting the
+        // CODE_SCANNING_REF.
+        const maybeRef = process.env["CODE_SCANNING_REF"];
+        if (maybeRef === undefined || maybeRef.length === 0) {
+            throw e;
+        }
+        refEnv = maybeRef;
+    }
+    return refEnv;
+}
 function getActionsStatus(error, otherFailureCause) {
    if (error || otherFailureCause) {
        return error instanceof util_1.UserError ? "user-error" : "failure";
@@ -502,6 +297,12 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
    const runnerOs = (0, util_1.getRequiredEnvParam)("RUNNER_OS");
    const codeQlCliVersion = (0, util_1.getCachedCodeQlVersion)();
    const actionRef = process.env["GITHUB_ACTION_REF"];
+    const testingEnvironment = process.env[sharedEnv.CODEQL_ACTION_TESTING_ENVIRONMENT] || "";
+    // re-export the testing environment variable so that it is available to subsequent steps,
+    // even if it was only set for this step
+    if (testingEnvironment !== "") {
+        core.exportVariable(sharedEnv.CODEQL_ACTION_TESTING_ENVIRONMENT, testingEnvironment);
+    }
    const statusReport = {
        workflow_run_id: workflowRunID,
        workflow_name: workflowName,
@@ -515,6 +316,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
        started_at: workflowStartedAt,
        action_started_at: actionStartedAt.toISOString(),
        status,
+        testing_environment: testingEnvironment,
        runner_os: runnerOs,
        action_version: pkg.version,
    };
@@ -563,13 +365,6 @@ const INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code sc
 * Returns whether sending the status report was successful of not.
 */
 async function sendStatusReport(statusReport) {
-    const gitHubVersion = await api.getGitHubVersionActionsOnly();
-    if ((0, util_1.isGitHubGhesVersionBelow)(gitHubVersion, "3.2.0")) {
-        // GHES 3.1 and earlier versions reject unexpected properties, which means
-        // that they will reject status reports with newly added properties.
-        // Inhibiting status reporting for GHES < 3.2 avoids such failures.
-        return true;
-    }
    const statusReportJSON = JSON.stringify(statusReport);
    core.debug(`Sending status report: ${statusReportJSON}`);
    // If in test mode we don't want to upload the results
@@ -579,7 +374,7 @@ async function sendStatusReport(statusReport) {
    }
    const nwo = (0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY");
    const [owner, repo] = nwo.split("/");
-    const client = api.getActionsApiClient();
+    const client = api.getApiClient();
    try {
        await client.request("PUT /repos/:owner/:repo/code-scanning/analysis/status", {
            owner,
@@ -626,9 +421,21 @@ async function sendStatusReport(statusReport) {
    }
 }
 exports.sendStatusReport = sendStatusReport;
+function workflowEventName() {
+    // If the original event is dynamic CODESCANNING_EVENT_NAME will contain the right info (push/pull_request)
+    if (process.env["GITHUB_EVENT_NAME"] === "dynamic") {
+        const value = process.env["CODESCANNING_EVENT_NAME"];
+        if (value === undefined || value.length === 0) {
+            return process.env["GITHUB_EVENT_NAME"];
+        }
+        return value;
+    }
+    return process.env["GITHUB_EVENT_NAME"];
+}
+exports.workflowEventName = workflowEventName;
 // Was the workflow run triggered by a `push` event, for example as opposed to a `pull_request` event.
 function workflowIsTriggeredByPushEvent() {
-    return process.env["GITHUB_EVENT_NAME"] === "push";
+    return workflowEventName() === "push";
 }
 // Is dependabot the actor that triggered the current workflow run.
 function isDependabotActor() {
--- a/lib/actions-util.js.map
+++ b/lib/actions-util.js.map
--- a/lib/actions-util.test.js
+++ b/lib/actions-util.test.js
@@ -25,14 +25,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const ava_1 = __importDefault(require("ava"));
-const yaml = __importStar(require("js-yaml"));
 const sinon = __importStar(require("sinon"));
 const actionsutil = __importStar(require("./actions-util"));
 const testing_utils_1 = require("./testing-utils");
 const util_1 = require("./util");
-function errorCodes(actual, expected) {
-    return [actual.map(({ code }) => code), expected.map(({ code }) => code)];
-}
 (0, testing_utils_1.setupTests)(ava_1.default);
 (0, ava_1.default)("getRef() throws on the empty string", async (t) => {
    process.env["GITHUB_REF"] = "";
@@ -98,6 +94,30 @@ function errorCodes(actual, expected) {
        getAdditionalInputStub.restore();
    });
 });
+(0, ava_1.default)("getRef() returns CODE_SCANNING_REF as a fallback for GITHUB_REF", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const expectedRef = "refs/pull/1/HEAD";
+        const currentSha = "a".repeat(40);
+        process.env["CODE_SCANNING_REF"] = expectedRef;
+        process.env["GITHUB_REF"] = "";
+        process.env["GITHUB_SHA"] = currentSha;
+        const actualRef = await actionsutil.getRef();
+        t.deepEqual(actualRef, expectedRef);
+    });
+});
+(0, ava_1.default)("getRef() returns GITHUB_REF over CODE_SCANNING_REF if both are provided", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const expectedRef = "refs/pull/1/merge";
+        const currentSha = "a".repeat(40);
+        process.env["CODE_SCANNING_REF"] = "refs/pull/1/HEAD";
+        process.env["GITHUB_REF"] = expectedRef;
+        process.env["GITHUB_SHA"] = currentSha;
+        const actualRef = await actionsutil.getRef();
+        t.deepEqual(actualRef, expectedRef);
+    });
+});
 (0, ava_1.default)("getRef() throws an error if only `ref` is provided as an input", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
@@ -143,340 +163,9 @@ function errorCodes(actual, expected) {
    actualAutomationID = actionsutil.computeAutomationID(".github/workflows/codeql-analysis.yml:analyze", undefined);
    t.deepEqual(actualAutomationID, ".github/workflows/codeql-analysis.yml:analyze/");
 });
-(0, ava_1.default)("getWorkflowErrors() when on is empty", (t) => {
-    const errors = actionsutil.getWorkflowErrors({ on: {} });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing pull_request", (t) => {
-    const errors = actionsutil.getWorkflowErrors({ on: ["push"] });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing push", (t) => {
-    const errors = actionsutil.getWorkflowErrors({ on: ["pull_request"] });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MissingPushHook]));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is valid", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: ["push", "pull_request"],
-    });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is a valid superset", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: ["push", "pull_request", "schedule"],
-    });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push should not have a path", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: {
-            push: { branches: ["main"], paths: ["test/*"] },
-            pull_request: { branches: ["main"] },
-        },
-    });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.PathsSpecified]));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is a correct object", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } },
-    });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.pull_requests is a string", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: { push: { branches: ["main"] }, pull_request: { branches: "*" } },
-    });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.pull_requests is a string and correct", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: { push: { branches: "*" }, pull_request: { branches: "*" } },
-    });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is correct with empty objects", (t) => {
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-on:
-  push:
-  pull_request:
-`));
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is mismatched", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: {
-            push: { branches: ["main"] },
-            pull_request: { branches: ["feature"] },
-        },
-    });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is not mismatched", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: {
-            push: { branches: ["main", "feature"] },
-            pull_request: { branches: ["main"] },
-        },
-    });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push is mismatched for pull_request", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: {
-            push: { branches: ["main"] },
-            pull_request: { branches: ["main", "feature"] },
-        },
-    });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
-});
-(0, ava_1.default)("getWorkflowErrors() for a range of malformed workflows", (t) => {
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: {
-            push: 1,
-            pull_request: 1,
-        },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: 1,
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: [1],
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: { 1: 1 },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: { test: 1 },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: { test: [1] },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: { test: { steps: 1 } },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: { test: { steps: [{ notrun: "git checkout HEAD^2" }] } },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: 1,
-        jobs: { test: [undefined] },
-    }), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(1), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
-        on: {
-            push: {
-                branches: 1,
-            },
-            pull_request: {
-                branches: 1,
-            },
-        },
-    }), []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.pull_request for every branch but push specifies branches", (t) => {
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on:
-  push:
-    branches: ["main"]
-  pull_request:
-`));
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.pull_request for wildcard branches", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: {
-            push: { branches: ["feature/*"] },
-            pull_request: { branches: "feature/moose" },
-        },
-    });
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.pull_request for mismatched wildcard branches", (t) => {
-    const errors = actionsutil.getWorkflowErrors({
-        on: {
-            push: { branches: ["feature/moose"] },
-            pull_request: { branches: "feature/*" },
-        },
-    });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
-});
-(0, ava_1.default)("getWorkflowErrors() when HEAD^2 is checked out", (t) => {
-    process.env.GITHUB_JOB = "test";
-    const errors = actionsutil.getWorkflowErrors({
-        on: ["push", "pull_request"],
-        jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
-    });
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.CheckoutWrongHead]));
-});
-(0, ava_1.default)("formatWorkflowErrors() when there is one error", (t) => {
-    const message = actionsutil.formatWorkflowErrors([
-        actionsutil.WorkflowErrors.CheckoutWrongHead,
-    ]);
-    t.true(message.startsWith("1 issue was detected with this workflow:"));
-});
-(0, ava_1.default)("formatWorkflowErrors() when there are multiple errors", (t) => {
-    const message = actionsutil.formatWorkflowErrors([
-        actionsutil.WorkflowErrors.CheckoutWrongHead,
-        actionsutil.WorkflowErrors.PathsSpecified,
-    ]);
-    t.true(message.startsWith("2 issues were detected with this workflow:"));
-});
-(0, ava_1.default)("formatWorkflowCause() with no errors", (t) => {
-    const message = actionsutil.formatWorkflowCause([]);
-    t.deepEqual(message, undefined);
-});
-(0, ava_1.default)("formatWorkflowCause()", (t) => {
-    const message = actionsutil.formatWorkflowCause([
-        actionsutil.WorkflowErrors.CheckoutWrongHead,
-        actionsutil.WorkflowErrors.PathsSpecified,
-    ]);
-    t.deepEqual(message, "CheckoutWrongHead,PathsSpecified");
-    t.deepEqual(actionsutil.formatWorkflowCause([]), undefined);
-});
-(0, ava_1.default)("patternIsSuperset()", (t) => {
-    t.false(actionsutil.patternIsSuperset("main-*", "main"));
-    t.true(actionsutil.patternIsSuperset("*", "*"));
-    t.true(actionsutil.patternIsSuperset("*", "main-*"));
-    t.false(actionsutil.patternIsSuperset("main-*", "*"));
-    t.false(actionsutil.patternIsSuperset("main-*", "main"));
-    t.true(actionsutil.patternIsSuperset("main", "main"));
-    t.false(actionsutil.patternIsSuperset("*", "feature/*"));
-    t.true(actionsutil.patternIsSuperset("**", "feature/*"));
-    t.false(actionsutil.patternIsSuperset("feature-*", "**"));
-    t.false(actionsutil.patternIsSuperset("a/**/c", "a/**/d"));
-    t.false(actionsutil.patternIsSuperset("a/**/c", "a/**"));
-    t.true(actionsutil.patternIsSuperset("a/**", "a/**/c"));
-    t.true(actionsutil.patternIsSuperset("a/**/c", "a/main-**/c"));
-    t.false(actionsutil.patternIsSuperset("a/**/b/**/c", "a/**/d/**/c"));
-    t.true(actionsutil.patternIsSuperset("a/**/b/**/c", "a/**/b/c/**/c"));
-    t.true(actionsutil.patternIsSuperset("a/**/b/**/c", "a/**/b/d/**/c"));
-    t.false(actionsutil.patternIsSuperset("a/**/c/d/**/c", "a/**/b/**/c"));
-    t.false(actionsutil.patternIsSuperset("a/main-**/c", "a/**/c"));
-    t.true(actionsutil.patternIsSuperset("/robin/*/release/*", "/robin/moose/release/goose"));
-    t.false(actionsutil.patternIsSuperset("/robin/moose/release/goose", "/robin/*/release/*"));
-});
-(0, ava_1.default)("getWorkflowErrors() when branches contain dots", (t) => {
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-  on:
-    push:
-      branches: [4.1, master]
-    pull_request:
-      # The branches below must be a subset of the branches above
-      branches: [4.1, master]
-`));
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on.push has a trailing comma", (t) => {
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on:
-  push:
-    branches: [master, ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [master]
-`));
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() should only report the current job's CheckoutWrongHead", (t) => {
-    process.env.GITHUB_JOB = "test";
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on:
-  push:
-    branches: [master]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [master]
-jobs:
-  test:
-    steps:
-      - run: "git checkout HEAD^2"
-
-  test2:
-    steps:
-      - run: "git checkout HEAD^2"
-
-  test3:
-    steps: []
-`));
-    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.CheckoutWrongHead]));
-});
-(0, ava_1.default)("getWorkflowErrors() should not report a different job's CheckoutWrongHead", (t) => {
-    process.env.GITHUB_JOB = "test3";
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on:
-  push:
-    branches: [master]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [master]
-jobs:
-  test:
-    steps:
-      - run: "git checkout HEAD^2"
-
-  test2:
-    steps:
-      - run: "git checkout HEAD^2"
-
-  test3:
-    steps: []
-`));
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() when on is missing", (t) => {
-    const errors = actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-`));
-    t.deepEqual(...errorCodes(errors, []));
-});
-(0, ava_1.default)("getWorkflowErrors() with a different on setup", (t) => {
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on: "workflow_dispatch"
-`)), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on: [workflow_dispatch]
-`)), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on:
-  workflow_dispatch: {}
-`)), []));
-});
-(0, ava_1.default)("getWorkflowErrors() should not report an error if PRs are totally unconfigured", (t) => {
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on:
-  push:
-    branches: [master]
-`)), []));
-    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
-name: "CodeQL"
-on: ["push"]
-`)), []));
-});
 (0, ava_1.default)("initializeEnvironment", (t) => {
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, "1.2.3");
-    t.deepEqual((0, util_1.getMode)(), util_1.Mode.actions);
+    (0, util_1.initializeEnvironment)("1.2.3");
    t.deepEqual(process.env.CODEQL_ACTION_VERSION, "1.2.3");
-    (0, util_1.initializeEnvironment)(util_1.Mode.runner, "4.5.6");
-    t.deepEqual((0, util_1.getMode)(), util_1.Mode.runner);
-    t.deepEqual(process.env.CODEQL_ACTION_VERSION, "4.5.6");
 });
 (0, ava_1.default)("isAnalyzingDefaultBranch()", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
@@ -514,4 +203,12 @@ on: ["push"]
        getAdditionalInputStub.restore();
    });
 });
+(0, ava_1.default)("workflowEventName()", async (t) => {
+    process.env["GITHUB_EVENT_NAME"] = "push";
+    t.deepEqual(actionsutil.workflowEventName(), "push");
+    process.env["GITHUB_EVENT_NAME"] = "dynamic";
+    t.deepEqual(actionsutil.workflowEventName(), "dynamic");
+    process.env["CODESCANNING_EVENT_NAME"] = "push";
+    t.deepEqual(actionsutil.workflowEventName(), "push");
+});
 //# sourceMappingURL=actions-util.test.js.map
--- a/lib/actions-util.test.js.map
+++ b/lib/actions-util.test.js.map
--- a/lib/analyze-action-env.test.js
+++ b/lib/analyze-action-env.test.js
@@ -45,6 +45,7 @@ const util = __importStar(require("./util"));
            .stub(actionsUtil, "createStatusReportBase")
            .resolves({});
        sinon.stub(actionsUtil, "sendStatusReport").resolves(true);
+        sinon.stub(actionsUtil, "isAnalyzingDefaultBranch").resolves(true);
        const gitHubVersion = {
            type: util.GitHubVariant.DOTCOM,
        };
@@ -52,6 +53,7 @@ const util = __importStar(require("./util"));
            gitHubVersion,
            languages: [],
            packs: [],
+            trapCaches: {},
        });
        const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
        requiredInputStub.withArgs("token").returns("fake-token");
--- a/lib/analyze-action-env.test.js.map
+++ b/lib/analyze-action-env.test.js.map
@@ -1 +1 @@
-{"version":3,"file":"analyze-action-env.test.js","sourceRoot":"","sources":["../src/analyze-action-env.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,4DAA8C;AAC9C,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,8DAA8D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC/E,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC;aAC3C,QAAQ,CAAC,EAAkC,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;SACuB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,uEAAuE;QACvE,0EAA0E;QAC1E,iBAAiB;QACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"analyze-action-env.test.js","sourceRoot":"","sources":["../src/analyze-action-env.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,4DAA8C;AAC9C,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,8DAA8D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC/E,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC;aAC3C,QAAQ,CAAC,EAAkC,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,0BAA0B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAEnE,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,uEAAuE;QACvE,0EAA0E;QAC1E,iBAAiB;QACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
--- a/lib/analyze-action-input.test.js
+++ b/lib/analyze-action-input.test.js
@@ -52,6 +52,7 @@ const util = __importStar(require("./util"));
            gitHubVersion,
            languages: [],
            packs: [],
+            trapCaches: {},
        });
        const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
        requiredInputStub.withArgs("token").returns("fake-token");
@@ -60,6 +61,7 @@ const util = __importStar(require("./util"));
        optionalInputStub.withArgs("cleanup-level").returns("none");
        optionalInputStub.withArgs("expect-error").returns("false");
        sinon.stub(util, "getGitHubVersion").resolves(gitHubVersion);
+        sinon.stub(actionsUtil, "isAnalyzingDefaultBranch").resolves(true);
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, {});
        process.env["CODEQL_THREADS"] = "1";
--- a/lib/analyze-action-input.test.js.map
+++ b/lib/analyze-action-input.test.js.map
@@ -1 +1 @@
-{"version":3,"file":"analyze-action-input.test.js","sourceRoot":"","sources":["../src/analyze-action-input.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,4DAA8C;AAC9C,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,sDAAsD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvE,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC;aAC3C,QAAQ,CAAC,EAAkC,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;SACuB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,GAAG,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,4DAA4D;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpD,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElD,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"analyze-action-input.test.js","sourceRoot":"","sources":["../src/analyze-action-input.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,4DAA8C;AAC9C,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,sDAAsD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvE,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC;aAC3C,QAAQ,CAAC,EAAkC,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7D,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,0BAA0B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACnE,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,GAAG,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,4DAA4D;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpD,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElD,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -18,23 +18,32 @@ var __importStar = (this && this.__importStar) || function (mod) {
    __setModuleDefault(result, mod);
    return result;
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runPromise = exports.sendStatusReport = void 0;
+const fs = __importStar(require("fs"));
+const path_1 = __importDefault(require("path"));
 // We need to import `performance` on Node 12
 const perf_hooks_1 = require("perf_hooks");
 const core = __importStar(require("@actions/core"));
 const actionsUtil = __importStar(require("./actions-util"));
 const analyze_1 = require("./analyze");
 const api_client_1 = require("./api-client");
+const autobuild_1 = require("./autobuild");
 const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const database_upload_1 = require("./database-upload");
 const feature_flags_1 = require("./feature-flags");
+const languages_1 = require("./languages");
 const logging_1 = require("./logging");
 const repository_1 = require("./repository");
+const shared_environment_1 = require("./shared-environment");
 const trap_caching_1 = require("./trap-caching");
 const upload_lib = __importStar(require("./upload-lib"));
 const util = __importStar(require("./util"));
+const util_1 = require("./util");
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
 async function sendStatusReport(startedAt, config, stats, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger) {
@@ -68,6 +77,62 @@ function hasBadExpectErrorInput() {
    return (actionsUtil.getOptionalInput("expect-error") !== "false" &&
        !util.isInTestMode());
 }
+/**
+ * Returns whether any TRAP files exist under the `db-go` folder,
+ * indicating whether Go extraction has extracted at least one file.
+ */
+function doesGoExtractionOutputExist(config) {
+    const golangDbDirectory = util.getCodeQLDatabasePath(config, languages_1.Language.go);
+    const trapDirectory = path_1.default.join(golangDbDirectory, "trap", languages_1.Language.go);
+    return (fs.existsSync(trapDirectory) &&
+        fs
+            .readdirSync(trapDirectory)
+            .some((fileName) => [
+            ".trap",
+            ".trap.gz",
+            ".trap.br",
+            ".trap.tar.gz",
+            ".trap.tar.br",
+            ".trap.tar",
+        ].some((ext) => fileName.endsWith(ext))));
+}
+/**
+ * We attempt to autobuild Go to preserve compatibility for users who have
+ * set up Go using a legacy scanning style CodeQL workflow, i.e. one without
+ * an autobuild step or manual build steps.
+ *
+ * - We detect whether an autobuild step is present by checking the
+ * `util.DID_AUTOBUILD_GO_ENV_VAR_NAME` environment variable, which is set
+ * when the autobuilder is invoked.
+ * - We detect whether the Go database has already been finalized in case it
+ * has been manually set in a prior Action step.
+ * - We approximate whether manual build steps are present by looking at
+ * whether any extraction output already exists for Go.
+ */
+async function runAutobuildIfLegacyGoWorkflow(config, logger) {
+    if (!config.languages.includes(languages_1.Language.go)) {
+        return;
+    }
+    if (process.env[util.DID_AUTOBUILD_GO_ENV_VAR_NAME] === "true") {
+        logger.debug("Won't run Go autobuild since it has already been run.");
+        return;
+    }
+    if ((0, analyze_1.dbIsFinalized)(config, languages_1.Language.go, logger)) {
+        logger.debug("Won't run Go autobuild since there is already a finalized database for Go.");
+        return;
+    }
+    // This captures whether a user has added manual build steps for Go
+    if (doesGoExtractionOutputExist(config)) {
+        logger.debug("Won't run Go autobuild since at least one file of Go code has already been extracted.");
+        // If the user has run the manual build step, and has set the `CODEQL_EXTRACTOR_GO_BUILD_TRACING`
+        // variable, we suggest they remove it from their workflow.
+        if ("CODEQL_EXTRACTOR_GO_BUILD_TRACING" in process.env) {
+            logger.warning(`The CODEQL_EXTRACTOR_GO_BUILD_TRACING environment variable has no effect on workflows with manual build steps, so we recommend that you remove it from your workflow.`);
+        }
+        return;
+    }
+    await (0, autobuild_1.runAutobuild)(languages_1.Language.go, config, logger);
+}
 async function run() {
    const startedAt = new Date();
    let uploadResult = undefined;
@@ -76,7 +141,7 @@ async function run() {
    let trapCacheUploadTime = undefined;
    let dbCreationTimings = undefined;
    let didUploadTrapCaches = false;
-    util.initializeEnvironment(util.Mode.actions, pkg.version);
+    util.initializeEnvironment(pkg.version);
    await util.checkActionVersion(pkg.version);
    const logger = (0, logging_1.getActionsLogger)();
    try {
@@ -90,21 +155,18 @@ async function run() {
        if (hasBadExpectErrorInput()) {
            throw new Error("`expect-error` input parameter is for internal use only. It should only be set by codeql-action or a fork.");
        }
-        await util.enrichEnvironment(util.Mode.actions, await (0, codeql_1.getCodeQL)(config.codeQLCmd));
-        const apiDetails = {
-            auth: actionsUtil.getRequiredInput("token"),
-            url: util.getRequiredEnvParam("GITHUB_SERVER_URL"),
-            apiURL: util.getRequiredEnvParam("GITHUB_API_URL"),
-        };
+        await util.enrichEnvironment(await (0, codeql_1.getCodeQL)(config.codeQLCmd));
+        const apiDetails = (0, api_client_1.getApiDetails)();
        const outputDir = actionsUtil.getRequiredInput("output");
        const threads = util.getThreadsFlag(actionsUtil.getOptionalInput("threads") || process.env["CODEQL_THREADS"], logger);
        const memory = util.getMemoryFlag(actionsUtil.getOptionalInput("ram") || process.env["CODEQL_RAM"]);
        const repositoryNwo = (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY"));
-        const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
-        const featureFlags = new feature_flags_1.GitHubFeatureFlags(gitHubVersion, apiDetails, repositoryNwo, logger);
-        dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, config, logger, featureFlags);
+        const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
+        const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, actionsUtil.getTemporaryDirectory(), logger);
+        await runAutobuildIfLegacyGoWorkflow(config, logger);
+        dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, config, logger);
        if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
-            runStats = await (0, analyze_1.runQueries)(outputDir, memory, util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), threads, actionsUtil.getOptionalInput("category"), config, logger);
+            runStats = await (0, analyze_1.runQueries)(outputDir, memory, util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), threads, actionsUtil.getOptionalInput("category"), config, logger, features);
        }
        if (actionsUtil.getOptionalInput("cleanup-level") !== "none") {
            await (0, analyze_1.runCleanup)(config, actionsUtil.getOptionalInput("cleanup-level") || "brutal", logger);
@@ -115,7 +177,7 @@ async function run() {
        }
        core.setOutput("db-locations", dbLocations);
        if (runStats && actionsUtil.getRequiredInput("upload") === "true") {
-            uploadResult = await upload_lib.uploadFromActions(outputDir, config.gitHubVersion, apiDetails, logger);
+            uploadResult = await upload_lib.uploadFromActions(outputDir, actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getOptionalInput("category"), logger);
            core.setOutput("sarif-id", uploadResult.sarifID);
        }
        else {
@@ -134,12 +196,13 @@ async function run() {
        }
        else if (uploadResult !== undefined &&
            actionsUtil.getRequiredInput("wait-for-processing") === "true") {
-            await upload_lib.waitForProcessing((0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), uploadResult.sarifID, apiDetails, (0, logging_1.getActionsLogger)());
+            await upload_lib.waitForProcessing((0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), uploadResult.sarifID, (0, logging_1.getActionsLogger)());
        }
        // If we did not throw an error yet here, but we expect one, throw it.
        if (actionsUtil.getOptionalInput("expect-error") === "true") {
            core.setFailed(`expect-error input was set to true but no error was thrown.`);
        }
+        core.exportVariable(shared_environment_1.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY, "true");
    }
    catch (origError) {
        const error = origError instanceof Error ? origError : new Error(String(origError));
@@ -147,7 +210,6 @@ async function run() {
            hasBadExpectErrorInput()) {
            core.setFailed(error.message);
        }
-        console.log(error);
        if (error instanceof analyze_1.CodeQLAnalysisError) {
            const stats = { ...error.queriesStatusReport };
            await sendStatusReport(startedAt, config, stats, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger);
@@ -177,8 +239,8 @@ async function runWrapper() {
    }
    catch (error) {
        core.setFailed(`analyze action failed: ${error}`);
-        console.log(error);
    }
+    await (0, util_1.checkForTimeout)();
 }
 void runWrapper();
 //# sourceMappingURL=analyze-action.js.map
--- a/lib/analyze-action.js.map
+++ b/lib/analyze-action.js.map
--- a/lib/analyze.js
+++ b/lib/analyze.js
@@ -32,7 +32,6 @@ const yaml = __importStar(require("js-yaml"));
 const analysisPaths = __importStar(require("./analysis-paths"));
 const codeql_1 = require("./codeql");
 const configUtils = __importStar(require("./config-utils"));
-const count_loc_1 = require("./count-loc");
 const languages_1 = require("./languages");
 const sharedEnv = __importStar(require("./shared-environment"));
 const tracer_config_1 = require("./tracer-config");
@@ -70,18 +69,18 @@ async function setupPythonExtractor(logger) {
    logger.info(`Setting LGTM_PYTHON_SETUP_VERSION=${output}`);
    process.env["LGTM_PYTHON_SETUP_VERSION"] = output;
 }
-async function createdDBForScannedLanguages(codeql, config, logger, featureFlags) {
+async function createdDBForScannedLanguages(codeql, config, logger) {
    // Insert the LGTM_INDEX_X env vars at this point so they are set when
    // we extract any scanned languages.
    analysisPaths.includeAndExcludeAnalysisPaths(config);
    for (const language of config.languages) {
-        if ((0, languages_1.isScannedLanguage)(language, logger) &&
+        if ((0, languages_1.isScannedLanguage)(language) &&
            !dbIsFinalized(config, language, logger)) {
            logger.startGroup(`Extracting ${language}`);
            if (language === languages_1.Language.python) {
                await setupPythonExtractor(logger);
            }
-            await codeql.extractScannedLanguage(config, language, featureFlags);
+            await codeql.extractScannedLanguage(config, language);
            logger.endGroup();
        }
    }
@@ -99,10 +98,10 @@ function dbIsFinalized(config, language, logger) {
    }
 }
 exports.dbIsFinalized = dbIsFinalized;
-async function finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger, featureFlags) {
+async function finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger) {
    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
    const extractionStart = perf_hooks_1.performance.now();
-    await createdDBForScannedLanguages(codeql, config, logger, featureFlags);
+    await createdDBForScannedLanguages(codeql, config, logger);
    const extractionTime = perf_hooks_1.performance.now() - extractionStart;
    const trapImportStart = perf_hooks_1.performance.now();
    for (const language of config.languages) {
@@ -122,20 +121,10 @@ async function finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger,
    };
 }
 // Runs queries and creates sarif files in the given folder
-async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, automationDetailsId, config, logger) {
+async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, automationDetailsId, config, logger, featureEnablement) {
    const statusReport = {};
-    let locPromise = Promise.resolve({});
-    const cliCanCountBaseline = await cliCanCountLoC();
-    const countLocDebugMode = process.env["INTERNAL_CODEQL_ACTION_DEBUG_LOC"] || config.debugMode;
-    if (!cliCanCountBaseline || countLocDebugMode) {
-        // count the number of lines in the background
-        locPromise = (0, count_loc_1.countLoc)(path.resolve(), 
-        // config.paths specifies external directories. the current
-        // directory is included in the analysis by default. Replicate
-        // that here.
-        config.paths, config.pathsIgnore, config.languages, logger);
-    }
    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
+    await util.logCodeScanningConfigInCli(codeql, featureEnablement, logger);
    for (const language of config.languages) {
        const queries = config.queries[language];
        const queryFilters = validateQueryFilters(config.originalUserInput["query-filters"]);
@@ -144,10 +133,10 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
        const hasCustomQueries = (queries === null || queries === void 0 ? void 0 : queries.custom.length) > 0;
        const hasPackWithCustomQueries = packsWithVersion.length > 0;
        if (!hasBuiltinQueries && !hasCustomQueries && !hasPackWithCustomQueries) {
-            throw new Error(`Unable to analyse ${language} as no queries were selected for this language`);
+            throw new Error(`Unable to analyze ${language} as no queries were selected for this language`);
        }
        try {
-            if (await util.useCodeScanningConfigInCli(codeql)) {
+            if (await util.useCodeScanningConfigInCli(codeql, featureEnablement)) {
                // If we are using the code scanning config in the CLI,
                // much of the work needed to generate the query suites
                // is done in the CLI. We just need to make a single
@@ -170,15 +159,6 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
                logger.info(analysisSummary);
            }
            else {
-                if (hasPackWithCustomQueries) {
-                    logger.info("Performing analysis with custom CodeQL Packs.");
-                    logger.startGroup(`Downloading custom packs for ${language}`);
-                    const results = await codeql.packDownload(packsWithVersion);
-                    logger.info(`Downloaded packs: ${results.packs
-                        .map((r) => `${r.name}@${r.version || "latest"}`)
-                        .join(", ")}`);
-                    logger.endGroup();
-                }
                logger.startGroup(`Running queries for ${language}`);
                const querySuitePaths = [];
                if (queries["builtin"].length > 0) {
@@ -208,21 +188,13 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
                const startTimeInterpretResults = new Date().getTime();
                const sarifFile = path.join(sarifFolder, `${language}.sarif`);
                const analysisSummary = await runInterpretResults(language, querySuitePaths, sarifFile, config.debugMode);
-                if (!cliCanCountBaseline) {
-                    await injectLinesOfCode(sarifFile, language, locPromise);
-                }
                statusReport[`interpret_results_${language}_duration_ms`] =
                    new Date().getTime() - startTimeInterpretResults;
                logger.endGroup();
                logger.info(analysisSummary);
            }
-            if (!cliCanCountBaseline || countLocDebugMode) {
-                printLinesOfCodeSummary(logger, language, await locPromise);
-            }
-            if (cliCanCountBaseline) {
            logger.info(await runPrintLinesOfCode(language));
        }
-        }
        catch (e) {
            logger.info(String(e));
            if (e instanceof Error) {
@@ -237,9 +209,6 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
        const databasePath = util.getCodeQLDatabasePath(config, language);
        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", automationDetailsId);
    }
-    async function cliCanCountLoC() {
-        return await util.codeQlVersionAbove(await (0, codeql_1.getCodeQL)(config.codeQLCmd), codeql_1.CODEQL_VERSION_COUNTS_LINES);
-    }
    async function runPrintLinesOfCode(language) {
        const databasePath = util.getCodeQLDatabasePath(config, language);
        return await codeql.databasePrintBaseline(databasePath);
@@ -293,7 +262,7 @@ function createQuerySuiteContents(queries, queryFilters) {
    return yaml.dump(queries.map((q) => ({ query: q })).concat(queryFilters));
 }
 exports.createQuerySuiteContents = createQuerySuiteContents;
-async function runFinalize(outputDir, threadsFlag, memoryFlag, config, logger, featureFlags) {
+async function runFinalize(outputDir, threadsFlag, memoryFlag, config, logger) {
    try {
        await (0, del_1.default)(outputDir, { force: true });
    }
@@ -303,7 +272,7 @@ async function runFinalize(outputDir, threadsFlag, memoryFlag, config, logger, f
        }
    }
    await fs.promises.mkdir(outputDir, { recursive: true });
-    const timings = await finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger, featureFlags);
+    const timings = await finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger);
    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
    // WARNING: This does not _really_ end tracing, as the tracer will restore its
    // critical environment variables and it'll still be active for all processes
@@ -312,7 +281,7 @@ async function runFinalize(outputDir, threadsFlag, memoryFlag, config, logger, f
    // step.
    if (await util.codeQlVersionAbove(codeql, codeql_1.CODEQL_VERSION_NEW_TRACING)) {
        // Delete variables as specified by the end-tracing script
-        await (0, tracer_config_1.endTracingForCluster)(config, logger);
+        await (0, tracer_config_1.endTracingForCluster)(config);
    }
    else {
        // Delete the tracer config env var to avoid tracing ourselves
@@ -331,34 +300,6 @@ async function runCleanup(config, cleanupLevel, logger) {
    logger.endGroup();
 }
 exports.runCleanup = runCleanup;
-async function injectLinesOfCode(sarifFile, language, locPromise) {
-    var _a;
-    const lineCounts = await locPromise;
-    if (language in lineCounts) {
-        const sarif = JSON.parse(fs.readFileSync(sarifFile, "utf8"));
-        if (Array.isArray(sarif.runs)) {
-            for (const run of sarif.runs) {
-                run.properties = run.properties || {};
-                run.properties.metricResults = run.properties.metricResults || [];
-                for (const metric of run.properties.metricResults) {
-                    // Baseline is inserted when matching rule has tag lines-of-code
-                    if (metric.rule && metric.rule.toolComponent) {
-                        const matchingRule = run.tool.extensions[metric.rule.toolComponent.index].rules[metric.rule.index];
-                        if ((_a = matchingRule.properties.tags) === null || _a === void 0 ? void 0 : _a.includes("lines-of-code")) {
-                            metric.baseline = lineCounts[language];
-                        }
-                    }
-                }
-            }
-        }
-        fs.writeFileSync(sarifFile, JSON.stringify(sarif));
-    }
-}
-function printLinesOfCodeSummary(logger, language, lineCounts) {
-    if (language in lineCounts) {
-        logger.info(`Counted a baseline of ${lineCounts[language]} lines of code for ${language}.`);
-    }
-}
 // exported for testing
 function validateQueryFilters(queryFilters) {
    if (!queryFilters) {
--- a/lib/analyze.js.map
+++ b/lib/analyze.js.map
--- a/lib/analyze.test.js
+++ b/lib/analyze.test.js
@@ -26,12 +26,8 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const ava_1 = __importDefault(require("ava"));
 const yaml = __importStar(require("js-yaml"));
-const sinon = __importStar(require("sinon"));
 const analyze_1 = require("./analyze");
 const codeql_1 = require("./codeql");
-const codeql_test_1 = require("./codeql.test");
-const count = __importStar(require("./count-loc"));
-const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
 const testing_utils_1 = require("./testing-utils");
@@ -41,12 +37,6 @@ const util = __importStar(require("./util"));
 // and correct case of builtin or custom. Also checks the correct search
 // paths are set in the database analyze invocation.
 (0, ava_1.default)("status report fields and search path setting", async (t) => {
-    const mockLinesOfCode = Object.values(languages_1.Language).reduce((obj, lang, i) => {
-        // use a different line count for each language
-        obj[lang] = i + 1;
-        return obj;
-    }, {});
-    sinon.stub(count, "countLoc").resolves(mockLinesOfCode);
    let searchPathsUsed = [];
    return await util.withTmpDir(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
@@ -100,6 +90,7 @@ const util = __importStar(require("./util"));
                    }));
                    return "";
                },
+                databasePrintBaseline: async () => "",
            });
            searchPathsUsed = [];
            const config = {
@@ -133,7 +124,7 @@ const util = __importStar(require("./util"));
                builtin: ["foo.ql"],
                custom: [],
            };
-            const builtinStatusReport = await (0, analyze_1.runQueries)(tmpDir, memoryFlag, addSnippetsFlag, threadsFlag, undefined, config, (0, logging_1.getRunnerLogger)(true));
+            const builtinStatusReport = await (0, analyze_1.runQueries)(tmpDir, memoryFlag, addSnippetsFlag, threadsFlag, undefined, config, (0, logging_1.getRunnerLogger)(true), (0, testing_utils_1.createFeatures)([]));
            const hasPacks = language in packs;
            const statusReportKeys = Object.keys(builtinStatusReport).sort();
            if (hasPacks) {
@@ -159,7 +150,7 @@ const util = __importStar(require("./util"));
                    },
                ],
            };
-            const customStatusReport = await (0, analyze_1.runQueries)(tmpDir, memoryFlag, addSnippetsFlag, threadsFlag, undefined, config, (0, logging_1.getRunnerLogger)(true));
+            const customStatusReport = await (0, analyze_1.runQueries)(tmpDir, memoryFlag, addSnippetsFlag, threadsFlag, undefined, config, (0, logging_1.getRunnerLogger)(true), (0, testing_utils_1.createFeatures)([]));
            t.deepEqual(Object.keys(customStatusReport).length, 2);
            t.true(`analyze_custom_queries_${language}_duration_ms` in customStatusReport);
            const expectedSearchPathsUsed = hasPacks
@@ -168,32 +159,8 @@ const util = __importStar(require("./util"));
            t.deepEqual(searchPathsUsed, expectedSearchPathsUsed);
            t.true(`interpret_results_${language}_duration_ms` in customStatusReport);
        }
-        verifyLineCounts(tmpDir);
        verifyQuerySuites(tmpDir);
    });
-    function verifyLineCounts(tmpDir) {
-        // eslint-disable-next-line github/array-foreach
-        Object.keys(languages_1.Language).forEach((lang, i) => {
-            verifyLineCountForFile(path.join(tmpDir, `${lang}.sarif`), i + 1);
-        });
-    }
-    function verifyLineCountForFile(filePath, lineCount) {
-        const sarif = JSON.parse(fs.readFileSync(filePath, "utf8"));
-        t.deepEqual(sarif.runs[0].properties.metricResults, [
-            {
-                rule: {
-                    index: 0,
-                    toolComponent: {
-                        index: 0,
-                    },
-                },
-                value: 123,
-                baseline: lineCount,
-            },
-        ]);
-        // when the rule doesn't exist, it should not be added
-        t.deepEqual(sarif.runs[1].properties.metricResults, []);
-    }
    function verifyQuerySuites(tmpDir) {
        const qlsContent = [
            {
@@ -354,77 +321,4 @@ const convertPackToQuerySuiteEntryMacro = ava_1.default.macro({
 `;
    t.deepEqual(yamlResult, expected);
 });
-const stubConfig = {
-    languages: [languages_1.Language.cpp, languages_1.Language.go],
-    queries: {},
-    pathsIgnore: [],
-    paths: [],
-    originalUserInput: {},
-    tempDir: "",
-    codeQLCmd: "",
-    gitHubVersion: {
-        type: util.GitHubVariant.DOTCOM,
-    },
-    dbLocation: "",
-    packs: {},
-    debugMode: false,
-    debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
-    debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
-    augmentationProperties: {
-        injectedMlQueries: false,
-        packsInputCombines: false,
-        queriesInputCombines: false,
-    },
-    trapCaches: {},
-    trapCacheDownloadTime: 0,
-};
-for (const options of [
-    {
-        name: "Lua feature flag enabled, but old CLI",
-        version: "2.9.0",
-        featureFlags: [feature_flags_1.FeatureFlag.LuaTracerConfigEnabled],
-        yesFlagSet: false,
-        noFlagSet: false,
-    },
-    {
-        name: "Lua feature flag disabled, with old CLI",
-        version: "2.9.0",
-        featureFlags: [],
-        yesFlagSet: false,
-        noFlagSet: false,
-    },
-    {
-        name: "Lua feature flag enabled, with new CLI",
-        version: "2.10.0",
-        featureFlags: [feature_flags_1.FeatureFlag.LuaTracerConfigEnabled],
-        yesFlagSet: true,
-        noFlagSet: false,
-    },
-    {
-        name: "Lua feature flag disabled, with new CLI",
-        version: "2.10.0",
-        featureFlags: [],
-        yesFlagSet: false,
-        noFlagSet: true,
-    },
-]) {
-    (0, ava_1.default)(`createdDBForScannedLanguages() ${options.name}`, async (t) => {
-        const runnerConstructorStub = (0, codeql_test_1.stubToolRunnerConstructor)();
-        const codeqlObject = await (0, codeql_1.getCodeQLForTesting)("codeql/for-testing");
-        sinon.stub(codeqlObject, "getVersion").resolves(options.version);
-        const promise = (0, analyze_1.createdDBForScannedLanguages)(codeqlObject, stubConfig, (0, logging_1.getRunnerLogger)(true), (0, feature_flags_1.createFeatureFlags)(options.featureFlags));
-        // call listener on `codeql resolve extractor`
-        const mockToolRunner = runnerConstructorStub.getCall(0);
-        mockToolRunner.args[2].listeners.stdout('"/path/to/extractor"');
-        await promise;
-        if (options.yesFlagSet)
-            t.true(runnerConstructorStub.secondCall.args[1].includes("--internal-use-lua-tracing"), "--internal-use-lua-tracing should be present, but it is absent");
-        else
-            t.false(runnerConstructorStub.secondCall.args[1].includes("--internal-use-lua-tracing"), "--internal-use-lua-tracing should be absent, but it is present");
-        if (options.noFlagSet)
-            t.true(runnerConstructorStub.secondCall.args[1].includes("--no-internal-use-lua-tracing"), "--no-internal-use-lua-tracing should be present, but it is absent");
-        else
-            t.false(runnerConstructorStub.secondCall.args[1].includes("--no-internal-use-lua-tracing"), "--no-internal-use-lua-tracing should be absent, but it is present");
-    });
-}
 //# sourceMappingURL=analyze.test.js.map
--- a/lib/analyze.test.js.map
+++ b/lib/analyze.test.js.map
--- a/lib/api-client.js
+++ b/lib/api-client.js
@@ -22,8 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getGitHubVersionActionsOnly = exports.getActionsApiClient = exports.getApiClient = exports.DisallowedAPIVersionReason = void 0;
-const path = __importStar(require("path"));
+exports.getGitHubVersion = exports.getApiClientWithExternalAuth = exports.getApiClient = exports.getApiDetails = exports.DisallowedAPIVersionReason = void 0;
 const githubUtils = __importStar(require("@actions/github/lib/utils"));
 const retry = __importStar(require("@octokit/plugin-retry"));
 const console_log_level_1 = __importDefault(require("console-log-level"));
@@ -37,28 +36,14 @@ var DisallowedAPIVersionReason;
    DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_OLD"] = 0] = "ACTION_TOO_OLD";
    DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_NEW"] = 1] = "ACTION_TOO_NEW";
 })(DisallowedAPIVersionReason = exports.DisallowedAPIVersionReason || (exports.DisallowedAPIVersionReason = {}));
-const getApiClient = function (apiDetails, { allowExternal = false } = {}) {
+function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
    const auth = (allowExternal && apiDetails.externalRepoAuth) || apiDetails.auth;
    const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
-    const apiURL = apiDetails.apiURL || deriveApiUrl(apiDetails.url);
    return new retryingOctokit(githubUtils.getOctokitOptions(auth, {
-        baseUrl: apiURL,
-        userAgent: `CodeQL-${(0, util_1.getMode)()}/${pkg.version}`,
+        baseUrl: apiDetails.apiURL,
+        userAgent: `CodeQL-Action/${pkg.version}`,
        log: (0, console_log_level_1.default)({ level: "debug" }),
    }));
-};
-exports.getApiClient = getApiClient;
-// Once the runner is deleted, this can also be removed since the GitHub API URL is always available in an environment variable on Actions.
-function deriveApiUrl(githubUrl) {
-    const url = new URL(githubUrl);
-    // If we detect this is trying to connect to github.com
-    // then return with a fixed canonical URL.
-    if (url.hostname === "github.com" || url.hostname === "api.github.com") {
-        return "https://api.github.com";
-    }
-    // Add the /api/v3 API prefix
-    url.pathname = path.join(url.pathname, "api", "v3");
-    return url.toString();
 }
 function getApiDetails() {
    return {
@@ -67,30 +52,28 @@ function getApiDetails() {
        apiURL: (0, util_1.getRequiredEnvParam)("GITHUB_API_URL"),
    };
 }
-// Temporary function to aid in the transition to running on and off of github actions.
-// Once all code has been converted this function should be removed or made canonical
-// and called only from the action entrypoints.
-function getActionsApiClient() {
-    return (0, exports.getApiClient)(getApiDetails());
+exports.getApiDetails = getApiDetails;
+function getApiClient() {
+    return createApiClientWithDetails(getApiDetails());
 }
-exports.getActionsApiClient = getActionsApiClient;
+exports.getApiClient = getApiClient;
+function getApiClientWithExternalAuth(apiDetails) {
+    return createApiClientWithDetails(apiDetails, { allowExternal: true });
+}
+exports.getApiClientWithExternalAuth = getApiClientWithExternalAuth;
 let cachedGitHubVersion = undefined;
 /**
 * Report the GitHub server version. This is a wrapper around
 * util.getGitHubVersion() that automatically supplies GitHub API details using
- * GitHub Action inputs. If you need to get the GitHub server version from the
- * Runner, please call util.getGitHubVersion() instead.
+ * GitHub Action inputs.
 *
 * @returns GitHub version
 */
-async function getGitHubVersionActionsOnly() {
-    if (!util.isActions()) {
-        throw new Error("getGitHubVersionActionsOnly() works only in an action");
-    }
+async function getGitHubVersion() {
    if (cachedGitHubVersion === undefined) {
        cachedGitHubVersion = await util.getGitHubVersion(getApiDetails());
    }
    return cachedGitHubVersion;
 }
-exports.getGitHubVersionActionsOnly = getGitHubVersionActionsOnly;
+exports.getGitHubVersion = getGitHubVersion;
 //# sourceMappingURL=api-client.js.map
--- a/lib/api-client.js.map
+++ b/lib/api-client.js.map
@@ -1 +1 @@
-{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAkD;AAClD,6CAA+B;AAC/B,iCAAqE;AAErE,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAiBM,MAAM,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACjE,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,MAAM;QACf,SAAS,EAAE,UAAU,IAAA,cAAO,GAAE,IAAI,GAAG,CAAC,OAAO,EAAE;QAC/C,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAfW,QAAA,YAAY,gBAevB;AAEF,2IAA2I;AAC3I,SAAS,YAAY,CAAC,SAAiB;IACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,aAAa;IACpB,OAAO;QACL,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;QAC7C,MAAM,EAAE,IAAA,0BAAmB,EAAC,gBAAgB,CAAC;KAC9C,CAAC;AACJ,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB;IACjC,OAAO,IAAA,oBAAY,EAAC,aAAa,EAAE,CAAC,CAAC;AACvC,CAAC;AAFD,kDAEC;AAED,IAAI,mBAAmB,GAA8B,SAAS,CAAC;AAE/D;;;;;;;GAOG;AACI,KAAK,UAAU,2BAA2B;IAC/C,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE;QACrB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;KAC1E;IACD,IAAI,mBAAmB,KAAK,SAAS,EAAE;QACrC,mBAAmB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,CAAC,CAAC;KACpE;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AARD,kEAQC"}
+{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAkD;AAClD,6CAA+B;AAC/B,iCAA4D;AAE5D,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAiBD,SAAS,0BAA0B,CACjC,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,UAAU,CAAC,MAAM;QAC1B,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;QACzC,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,SAAgB,aAAa;IAC3B,OAAO;QACL,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;QAC7C,MAAM,EAAE,IAAA,0BAAmB,EAAC,gBAAgB,CAAC;KAC9C,CAAC;AACJ,CAAC;AAND,sCAMC;AAED,SAAgB,YAAY;IAC1B,OAAO,0BAA0B,CAAC,aAAa,EAAE,CAAC,CAAC;AACrD,CAAC;AAFD,oCAEC;AAED,SAAgB,4BAA4B,CAC1C,UAAoC;IAEpC,OAAO,0BAA0B,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;AACzE,CAAC;AAJD,oEAIC;AAED,IAAI,mBAAmB,GAA8B,SAAS,CAAC;AAE/D;;;;;;GAMG;AACI,KAAK,UAAU,gBAAgB;IACpC,IAAI,mBAAmB,KAAK,SAAS,EAAE;QACrC,mBAAmB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,CAAC,CAAC;KACpE;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AALD,4CAKC"}
--- a/lib/api-client.test.js
+++ b/lib/api-client.test.js
@@ -25,9 +25,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const githubUtils = __importStar(require("@actions/github/lib/utils"));
 const ava_1 = __importDefault(require("ava"));
 const sinon = __importStar(require("sinon"));
+const actionsUtil = __importStar(require("./actions-util"));
 const api_client_1 = require("./api-client");
 const testing_utils_1 = require("./testing-utils");
-const util_1 = require("./util");
+const util = __importStar(require("./util"));
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
 (0, testing_utils_1.setupTests)(ava_1.default);
@@ -37,66 +38,23 @@ ava_1.default.beforeEach(() => {
    pluginStub = sinon.stub(githubUtils.GitHub, "plugin");
    githubStub = sinon.stub();
    pluginStub.returns(githubStub);
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, pkg.version);
+    util.initializeEnvironment(pkg.version);
 });
-(0, ava_1.default)("Get the client API", async (t) => {
-    doTest(t, {
-        auth: "xyz",
-        externalRepoAuth: "abc",
-        url: "http://hucairz",
-    }, undefined, {
-        auth: "token xyz",
-        baseUrl: "http://hucairz/api/v3",
-        userAgent: `CodeQL-Action/${pkg.version}`,
-    });
-});
-(0, ava_1.default)("Get the client API external", async (t) => {
-    doTest(t, {
-        auth: "xyz",
-        externalRepoAuth: "abc",
-        url: "http://hucairz",
-    }, { allowExternal: true }, {
-        auth: "token abc",
-        baseUrl: "http://hucairz/api/v3",
-        userAgent: `CodeQL-Action/${pkg.version}`,
-    });
-});
-(0, ava_1.default)("Get the client API external not present", async (t) => {
-    doTest(t, {
-        auth: "xyz",
-        url: "http://hucairz",
-    }, { allowExternal: true }, {
-        auth: "token xyz",
-        baseUrl: "http://hucairz/api/v3",
-        userAgent: `CodeQL-Action/${pkg.version}`,
-    });
-});
-(0, ava_1.default)("Get the client API with github url", async (t) => {
-    doTest(t, {
-        auth: "xyz",
-        url: "https://github.com/some/invalid/url",
-    }, undefined, {
-        auth: "token xyz",
-        baseUrl: "https://api.github.com",
-        userAgent: `CodeQL-Action/${pkg.version}`,
-    });
-});
-(0, ava_1.default)("Get the API with an API URL directly", async (t) => {
-    doTest(t, {
-        auth: "xyz",
-        url: "http://github.localhost",
-        apiURL: "http://api.github.localhost",
-    }, undefined, {
+(0, ava_1.default)("getApiClient", async (t) => {
+    sinon.stub(actionsUtil, "getRequiredInput").withArgs("token").returns("xyz");
+    const requiredEnvParamStub = sinon.stub(util, "getRequiredEnvParam");
+    requiredEnvParamStub
+        .withArgs("GITHUB_SERVER_URL")
+        .returns("http://github.localhost");
+    requiredEnvParamStub
+        .withArgs("GITHUB_API_URL")
+        .returns("http://api.github.localhost");
+    (0, api_client_1.getApiClient)();
+    t.assert(githubStub.calledOnceWithExactly({
        auth: "token xyz",
        baseUrl: "http://api.github.localhost",
+        log: sinon.match.any,
        userAgent: `CodeQL-Action/${pkg.version}`,
+    }));
 });
-});
-function doTest(t, clientArgs, clientOptions, expected) {
-    (0, api_client_1.getApiClient)(clientArgs, clientOptions);
-    const firstCallArgs = githubStub.args[0];
-    // log is a function, so we don't need to test for equality of it
-    delete firstCallArgs[0].log;
-    t.deepEqual(firstCallArgs, [expected]);
-}
 //# sourceMappingURL=api-client.test.js.map
--- a/lib/api-client.test.js.map
+++ b/lib/api-client.test.js.map
@@ -1 +1 @@
-{"version":3,"file":"api-client.test.js","sourceRoot":"","sources":["../src/api-client.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,uEAAyD;AACzD,8CAA6C;AAC7C,6CAA+B;AAE/B,6CAA4C;AAC5C,mDAA6C;AAC7C,iCAAqD;AAErD,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAI,UAA2B,CAAC;AAChC,IAAI,UAA2B,CAAC;AAEhC,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACtD,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC1B,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC/B,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;AACnD,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oBAAoB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrC,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,6BAA6B,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC9C,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1D,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oCAAoC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrD,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,qCAAqC;KAC3C,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sCAAsC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvD,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,yBAAyB;QAC9B,MAAM,EAAE,6BAA6B;KACtC,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,6BAA6B;QACtC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,SAAS,MAAM,CACb,CAA4B,EAC5B,UAAe,EACf,aAAkB,EAClB,QAAa;IAEb,IAAA,yBAAY,EAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAExC,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACzC,iEAAiE;IACjE,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC5B,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;AACzC,CAAC"}
+{"version":3,"file":"api-client.test.js","sourceRoot":"","sources":["../src/api-client.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,uEAAyD;AACzD,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,6CAA4C;AAC5C,mDAA6C;AAC7C,6CAA+B;AAE/B,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAI,UAA2B,CAAC;AAChC,IAAI,UAA2B,CAAC;AAEhC,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACtD,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC1B,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC/B,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAC1C,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,cAAc,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC/B,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC7E,MAAM,oBAAoB,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,qBAAqB,CAAC,CAAC;IACrE,oBAAoB;SACjB,QAAQ,CAAC,mBAAmB,CAAC;SAC7B,OAAO,CAAC,yBAAyB,CAAC,CAAC;IACtC,oBAAoB;SACjB,QAAQ,CAAC,gBAAgB,CAAC;SAC1B,OAAO,CAAC,6BAA6B,CAAC,CAAC;IAE1C,IAAA,yBAAY,GAAE,CAAC;IAEf,CAAC,CAAC,MAAM,CACN,UAAU,CAAC,qBAAqB,CAAC;QAC/B,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,6BAA6B;QACtC,GAAG,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG;QACpB,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CAAC,CACH,CAAC;AACJ,CAAC,CAAC,CAAC"}
--- a/lib/api-compatibility.json
+++ b/lib/api-compatibility.json
@@ -1 +1 @@
-{ "maximumVersion": "3.7", "minimumVersion": "3.2" }
+{ "maximumVersion": "3.8", "minimumVersion": "3.3" }
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -21,14 +21,16 @@ var __importStar = (this && this.__importStar) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
 const actions_util_1 = require("./actions-util");
+const api_client_1 = require("./api-client");
 const autobuild_1 = require("./autobuild");
-const config_utils = __importStar(require("./config-utils"));
+const configUtils = __importStar(require("./config-utils"));
+const languages_1 = require("./languages");
 const logging_1 = require("./logging");
 const util_1 = require("./util");
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
 async function sendCompletedStatusReport(startedAt, allLanguages, failingLanguage, cause) {
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, pkg.version);
+    (0, util_1.initializeEnvironment)(pkg.version);
    const status = (0, actions_util_1.getActionsStatus)(cause, failingLanguage);
    const statusReportBase = await (0, actions_util_1.createStatusReportBase)("autobuild", status, startedAt, cause === null || cause === void 0 ? void 0 : cause.message, cause === null || cause === void 0 ? void 0 : cause.stack);
    const statusReport = {
@@ -42,32 +44,41 @@ async function run() {
    const startedAt = new Date();
    const logger = (0, logging_1.getActionsLogger)();
    await (0, util_1.checkActionVersion)(pkg.version);
-    let language = undefined;
+    let currentLanguage = undefined;
+    let languages = undefined;
    try {
        if (!(await (0, actions_util_1.sendStatusReport)(await (0, actions_util_1.createStatusReportBase)("autobuild", "starting", startedAt)))) {
            return;
        }
-        const config = await config_utils.getConfig((0, actions_util_1.getTemporaryDirectory)(), logger);
+        const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
+        (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger);
+        const config = await configUtils.getConfig((0, actions_util_1.getTemporaryDirectory)(), logger);
        if (config === undefined) {
            throw new Error("Config file could not be found at expected location. Has the 'init' action been called?");
        }
-        language = (0, autobuild_1.determineAutobuildLanguage)(config, logger);
-        if (language !== undefined) {
+        languages = await (0, autobuild_1.determineAutobuildLanguages)(config, logger);
+        if (languages !== undefined) {
            const workingDirectory = (0, actions_util_1.getOptionalInput)("working-directory");
            if (workingDirectory) {
                logger.info(`Changing autobuilder working directory to ${workingDirectory}`);
                process.chdir(workingDirectory);
            }
+            for (const language of languages) {
+                currentLanguage = language;
                await (0, autobuild_1.runAutobuild)(language, config, logger);
+                if (language === languages_1.Language.go) {
+                    core.exportVariable(util_1.DID_AUTOBUILD_GO_ENV_VAR_NAME, "true");
+                }
+            }
        }
    }
    catch (error) {
        core.setFailed(`We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps.  ${error instanceof Error ? error.message : String(error)}`);
        console.log(error);
-        await sendCompletedStatusReport(startedAt, language ? [language] : [], language, error instanceof Error ? error : new Error(String(error)));
+        await sendCompletedStatusReport(startedAt, languages !== null && languages !== void 0 ? languages : [], currentLanguage, error instanceof Error ? error : new Error(String(error)));
        return;
    }
-    await sendCompletedStatusReport(startedAt, language ? [language] : []);
+    await sendCompletedStatusReport(startedAt, languages !== null && languages !== void 0 ? languages : []);
 }
 async function runWrapper() {
    try {
--- a/lib/autobuild-action.js.map
+++ b/lib/autobuild-action.js.map
@@ -1 +1 @@
-{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAOwB;AACxB,2CAAuE;AACvE,6DAA+C;AAE/C,uCAA6C;AAC7C,iCAAyE;AAEzE,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AASvC,KAAK,UAAU,yBAAyB,CACtC,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAEjD,MAAM,MAAM,GAAG,IAAA,+BAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,MAAM,EACN,SAAS,EACT,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,EACd,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,CACb,CAAC;IACF,MAAM,YAAY,GAA0B;QAC1C,GAAG,gBAAgB;QACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAC3C,iBAAiB,EAAE,eAAe;KACnC,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,IAAA,yBAAkB,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACtC,IAAI,QAAQ,GAAyB,SAAS,CAAC;IAC/C,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,+BAAgB,EACtB,MAAM,IAAA,qCAAsB,EAAC,WAAW,EAAE,UAAU,EAAE,SAAS,CAAC,CACjE,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,SAAS,CACzC,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QACF,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QACD,QAAQ,GAAG,IAAA,sCAA0B,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACtD,IAAI,QAAQ,KAAK,SAAS,EAAE;YAC1B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE;gBACpB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;aACjC;YACD,MAAM,IAAA,wBAAY,EAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;SAC9C;KACF;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CACZ,mIACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,yBAAyB,CAC7B,SAAS,EACT,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,EAC1B,QAAQ,EACR,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;QACF,OAAO;KACR;IAED,MAAM,yBAAyB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AACzE,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,4BAA4B,KAAK,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAOwB;AACxB,6CAAgD;AAChD,2CAAwE;AACxE,4DAA8C;AAC9C,2CAAuC;AACvC,uCAA6C;AAC7C,iCAKgB;AAEhB,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AASvC,KAAK,UAAU,yBAAyB,CACtC,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAEnC,MAAM,MAAM,GAAG,IAAA,+BAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,MAAM,EACN,SAAS,EACT,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,EACd,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,CACb,CAAC;IACF,MAAM,YAAY,GAA0B;QAC1C,GAAG,gBAAgB;QACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAC3C,iBAAiB,EAAE,eAAe;KACnC,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,IAAA,yBAAkB,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACtC,IAAI,eAAe,GAAyB,SAAS,CAAC;IACtD,IAAI,SAAS,GAA2B,SAAS,CAAC;IAClD,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,+BAAgB,EACtB,MAAM,IAAA,qCAAsB,EAAC,WAAW,EAAE,UAAU,EAAE,SAAS,CAAC,CACjE,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QAED,SAAS,GAAG,MAAM,IAAA,uCAA2B,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9D,IAAI,SAAS,KAAK,SAAS,EAAE;YAC3B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE;gBACpB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;aACjC;YACD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE;gBAChC,eAAe,GAAG,QAAQ,CAAC;gBAC3B,MAAM,IAAA,wBAAY,EAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;gBAC7C,IAAI,QAAQ,KAAK,oBAAQ,CAAC,EAAE,EAAE;oBAC5B,IAAI,CAAC,cAAc,CAAC,oCAA6B,EAAE,MAAM,CAAC,CAAC;iBAC5D;aACF;SACF;KACF;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CACZ,mIACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,yBAAyB,CAC7B,SAAS,EACT,SAAS,aAAT,SAAS,cAAT,SAAS,GAAI,EAAE,EACf,eAAe,EACf,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;QACF,OAAO;KACR;IAED,MAAM,yBAAyB,CAAC,SAAS,EAAE,SAAS,aAAT,SAAS,cAAT,SAAS,GAAI,EAAE,CAAC,CAAC;AAC9D,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,4BAA4B,KAAK,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
--- a/lib/autobuild.js
+++ b/lib/autobuild.js
@@ -1,28 +1,75 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.runAutobuild = exports.determineAutobuildLanguage = void 0;
+exports.runAutobuild = exports.determineAutobuildLanguages = void 0;
 const codeql_1 = require("./codeql");
 const languages_1 = require("./languages");
-function determineAutobuildLanguage(config, logger) {
+async function determineAutobuildLanguages(config, logger) {
    // Attempt to find a language to autobuild
    // We want pick the dominant language in the repo from the ones we're able to build
    // The languages are sorted in order specified by user or by lines of code if we got
    // them from the GitHub API, so try to build the first language on the list.
-    const autobuildLanguages = config.languages.filter((l) => (0, languages_1.isTracedLanguage)(l, logger));
-    const language = autobuildLanguages[0];
-    if (!language) {
+    const autobuildLanguages = config.languages.filter((l) => (0, languages_1.isTracedLanguage)(l));
+    if (!autobuildLanguages) {
        logger.info("None of the languages in this project require extra build steps");
        return undefined;
    }
-    logger.debug(`Detected dominant traced language: ${language}`);
-    if (autobuildLanguages.length > 1) {
-        logger.warning(`We will only automatically build ${language} code. If you wish to scan ${autobuildLanguages
+    /**
+     * Additionally autobuild Go in the autobuild Action to ensure backwards
+     * compatibility for users performing a multi-language build within a single
+     * job.
+     *
+     * For example, consider a user with the following workflow file:
+     *
+     * ```yml
+     * - uses: github/codeql-action/init@v2
+     *   with:
+     *     languages: go, java
+     * - uses: github/codeql-action/autobuild@v2
+     * - uses: github/codeql-action/analyze@v2
+     * ```
+     *
+     * - With Go extraction disabled, we will run the Java autobuilder in the
+     *   autobuild Action, ensuring we extract both Java and Go code.
+     * - With Go extraction enabled, taking the previous behavior we'd run the Go
+     *   autobuilder, since Go is first on the list of languages. We wouldn't run
+     *   the Java autobuilder at all and so we'd only extract Go code.
+     *
+     * We therefore introduce a special case here such that we'll autobuild Go
+     * in addition to the primary non-Go traced language in the autobuild Action.
+     *
+     * This special case behavior should be removed as part of the next major
+     * version of the CodeQL Action.
+     */
+    const autobuildLanguagesWithoutGo = autobuildLanguages.filter((l) => l !== languages_1.Language.go);
+    const languages = [];
+    // First run the autobuilder for the first non-Go traced language, if one
+    // exists.
+    if (autobuildLanguagesWithoutGo[0] !== undefined) {
+        languages.push(autobuildLanguagesWithoutGo[0]);
+    }
+    // If Go is requested, run the Go autobuilder last to ensure it doesn't
+    // interfere with the other autobuilder.
+    if (autobuildLanguages.length !== autobuildLanguagesWithoutGo.length) {
+        languages.push(languages_1.Language.go);
+    }
+    logger.debug(`Will autobuild ${languages.join(" and ")}.`);
+    // In general the autobuilders for other traced languages may conflict with
+    // each other. Therefore if a user has requested more than one non-Go traced
+    // language, we ask for manual build steps.
+    // Matrixing the build would also work, but that would change the SARIF
+    // categories, potentially leading to a "stale tips" situation where alerts
+    // that should be fixed remain on a repo since they are linked to SARIF
+    // categories that are no longer updated.
+    if (autobuildLanguagesWithoutGo.length > 1) {
+        logger.warning(`We will only automatically build ${languages.join(" and ")} code. If you wish to scan ${autobuildLanguagesWithoutGo
            .slice(1)
-            .join(" and ")}, you must replace this call with custom build steps.`);
+            .join(" and ")}, you must replace the autobuild step of your workflow with custom build steps. ` +
+            "For more information, see " +
+            "https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages#adding-build-steps-for-a-compiled-language");
    }
-    return language;
+    return languages;
 }
-exports.determineAutobuildLanguage = determineAutobuildLanguage;
+exports.determineAutobuildLanguages = determineAutobuildLanguages;
 async function runAutobuild(language, config, logger) {
    logger.startGroup(`Attempting to automatically build ${language} code`);
    const codeQL = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
--- a/lib/autobuild.js.map
+++ b/lib/autobuild.js.map
@@ -1 +1 @@
-{"version":3,"file":"autobuild.js","sourceRoot":"","sources":["../src/autobuild.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AAErC,2CAAyD;AAGzD,SAAgB,0BAA0B,CACxC,MAA2B,EAC3B,MAAc;IAEd,0CAA0C;IAC1C,mFAAmF;IACnF,oFAAoF;IACpF,4EAA4E;IAC5E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACvD,IAAA,4BAAgB,EAAC,CAAC,EAAE,MAAM,CAAC,CAC5B,CAAC;IACF,MAAM,QAAQ,GAAG,kBAAkB,CAAC,CAAC,CAAC,CAAC;IAEvC,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,CAAC,IAAI,CACT,iEAAiE,CAClE,CAAC;QACF,OAAO,SAAS,CAAC;KAClB;IAED,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;IAE/D,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE;QACjC,MAAM,CAAC,OAAO,CACZ,oCAAoC,QAAQ,8BAA8B,kBAAkB;aACzF,KAAK,CAAC,CAAC,CAAC;aACR,IAAI,CAAC,OAAO,CAAC,uDAAuD,CACxE,CAAC;KACH;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AA/BD,gEA+BC;AAEM,KAAK,UAAU,YAAY,CAChC,QAAkB,EAClB,MAA2B,EAC3B,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,qCAAqC,QAAQ,OAAO,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AATD,oCASC"}
+{"version":3,"file":"autobuild.js","sourceRoot":"","sources":["../src/autobuild.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AAErC,2CAAyD;AAGlD,KAAK,UAAU,2BAA2B,CAC/C,MAA0B,EAC1B,MAAc;IAEd,0CAA0C;IAC1C,mFAAmF;IACnF,oFAAoF;IACpF,4EAA4E;IAC5E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACvD,IAAA,4BAAgB,EAAC,CAAC,CAAC,CACpB,CAAC;IAEF,IAAI,CAAC,kBAAkB,EAAE;QACvB,MAAM,CAAC,IAAI,CACT,iEAAiE,CAClE,CAAC;QACF,OAAO,SAAS,CAAC;KAClB;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,MAAM,2BAA2B,GAAG,kBAAkB,CAAC,MAAM,CAC3D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,oBAAQ,CAAC,EAAE,CACzB,CAAC;IAEF,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,yEAAyE;IACzE,UAAU;IACV,IAAI,2BAA2B,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE;QAChD,SAAS,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;KAChD;IACD,uEAAuE;IACvE,wCAAwC;IACxC,IAAI,kBAAkB,CAAC,MAAM,KAAK,2BAA2B,CAAC,MAAM,EAAE;QACpE,SAAS,CAAC,IAAI,CAAC,oBAAQ,CAAC,EAAE,CAAC,CAAC;KAC7B;IAED,MAAM,CAAC,KAAK,CAAC,kBAAkB,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE3D,2EAA2E;IAC3E,4EAA4E;IAC5E,2CAA2C;IAC3C,uEAAuE;IACvE,2EAA2E;IAC3E,uEAAuE;IACvE,yCAAyC;IACzC,IAAI,2BAA2B,CAAC,MAAM,GAAG,CAAC,EAAE;QAC1C,MAAM,CAAC,OAAO,CACZ,oCAAoC,SAAS,CAAC,IAAI,CAChD,OAAO,CACR,8BAA8B,2BAA2B;aACvD,KAAK,CAAC,CAAC,CAAC;aACR,IAAI,CACH,OAAO,CACR,kFAAkF;YACnF,4BAA4B;YAC5B,0NAA0N,CAC7N,CAAC;KACH;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAtFD,kEAsFC;AAEM,KAAK,UAAU,YAAY,CAChC,QAAkB,EAClB,MAA0B,EAC1B,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,qCAAqC,QAAQ,OAAO,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AATD,oCASC"}
--- a/lib/codeql.js
+++ b/lib/codeql.js
@@ -22,31 +22,30 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_CONFIG_FILES = exports.CODEQL_VERSION_ML_POWERED_QUERIES = exports.CODEQL_VERSION_COUNTS_LINES = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = exports.CommandInvocationError = void 0;
+exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CODEQL_VERSION_CONFIG_FILES = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = exports.CommandInvocationError = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const toolcache = __importStar(require("@actions/tool-cache"));
 const fast_deep_equal_1 = __importDefault(require("fast-deep-equal"));
 const yaml = __importStar(require("js-yaml"));
-const query_string_1 = __importDefault(require("query-string"));
 const semver = __importStar(require("semver"));
 const uuid_1 = require("uuid");
 const actions_util_1 = require("./actions-util");
 const api = __importStar(require("./api-client"));
 const defaults = __importStar(require("./defaults.json")); // Referenced from codeql-action-sync-tool!
 const error_matcher_1 = require("./error-matcher");
-const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const toolrunner_error_catcher_1 = require("./toolrunner-error-catcher");
 const trap_caching_1 = require("./trap-caching");
 const util = __importStar(require("./util"));
 const util_1 = require("./util");
 class CommandInvocationError extends Error {
-    constructor(cmd, args, exitCode, error) {
+    constructor(cmd, args, exitCode, error, output) {
        super(`Failure invoking ${cmd} with arguments ${args}.\n
      Exit code ${exitCode} and error was:\n
      ${error}`);
+        this.output = output;
    }
 }
 exports.CommandInvocationError = CommandInvocationError;
@@ -59,29 +58,24 @@ const CODEQL_BUNDLE_VERSION = defaults.bundleVersion;
 exports.CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
 /**
 * The oldest version of CodeQL that the Action will run with. This should be
- * at least three minor versions behind the current version. The version flags
- * below can be used to conditionally enable certain features on versions newer
- * than this. Please record the reason we cannot support an older version.
+ * at least three minor versions behind the current version and must include the
+ * CLI versions shipped with each supported version of GHES.
 *
- * Reason: First version containing fix for the "We still have not reached
- * idleness" deadlock.
+ * The version flags below can be used to conditionally enable certain features
+ * on versions newer than this.
 */
-const CODEQL_MINIMUM_VERSION = "2.4.5";
+const CODEQL_MINIMUM_VERSION = "2.6.3";
 /**
 * Versions of CodeQL that version-flag certain functionality in the Action.
 * For convenience, please keep these in descending order. Once a version
 * flag is older than the oldest supported version above, it may be removed.
 */
-const CODEQL_VERSION_RAM_FINALIZE = "2.5.8";
-const CODEQL_VERSION_DIAGNOSTICS = "2.5.6";
-const CODEQL_VERSION_METRICS = "2.5.5";
-const CODEQL_VERSION_GROUP_RULES = "2.5.5";
-const CODEQL_VERSION_SARIF_GROUP = "2.5.3";
-exports.CODEQL_VERSION_COUNTS_LINES = "2.6.2";
 const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
-exports.CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
 const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.10.0";
 exports.CODEQL_VERSION_CONFIG_FILES = "2.10.1";
+const CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED = "2.10.4";
+exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
+const CODEQL_VERSION_FILE_BASELINE_INFORMATION = "2.11.3";
 /**
 * This variable controls using the new style of tracing from the CodeQL
 * CLI. In particular, with versions above this we will use both indirect
@@ -92,6 +86,11 @@ exports.CODEQL_VERSION_CONFIG_FILES = "2.10.1";
 * versions above that.
 */
 exports.CODEQL_VERSION_NEW_TRACING = "2.7.0";
+/**
+ * Versions 2.7.3+ of the CodeQL CLI support build tracing with glibc 2.34 on Linux. Versions before
+ * this cannot perform build tracing when running on the Actions `ubuntu-22.04` runner image.
+ */
+exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = "2.7.3";
 /**
 * Versions 2.9.0+ of the CodeQL CLI run machine learning models from a temporary directory, which
 * resolves an issue on Windows where TensorFlow models are not correctly loaded due to the path of
@@ -120,30 +119,16 @@ function getCodeQLBundleName() {
    return `codeql-bundle-${platform}.tar.gz`;
 }
 function getCodeQLActionRepository(logger) {
-    if (!util.isActions()) {
-        return exports.CODEQL_DEFAULT_ACTION_REPOSITORY;
-    }
-    else {
-        return getActionsCodeQLActionRepository(logger);
-    }
-}
-exports.getCodeQLActionRepository = getCodeQLActionRepository;
-function getActionsCodeQLActionRepository(logger) {
-    if (process.env["GITHUB_ACTION_REPOSITORY"] !== undefined) {
-        return process.env["GITHUB_ACTION_REPOSITORY"];
-    }
-    // The Actions Runner used with GitHub Enterprise Server 2.22 did not set the GITHUB_ACTION_REPOSITORY variable.
-    // This fallback logic can be removed after the end-of-support for 2.22 on 2021-09-23.
    if ((0, actions_util_1.isRunningLocalAction)()) {
        // This handles the case where the Action does not come from an Action repository,
        // e.g. our integration tests which use the Action code from the current checkout.
+        // In these cases, the GITHUB_ACTION_REPOSITORY environment variable is not set.
        logger.info("The CodeQL Action is checked out locally. Using the default CodeQL Action repository.");
        return exports.CODEQL_DEFAULT_ACTION_REPOSITORY;
    }
-    logger.info("GITHUB_ACTION_REPOSITORY environment variable was not set. Falling back to legacy method of finding the GitHub Action.");
-    const relativeScriptPathParts = (0, actions_util_1.getRelativeScriptPath)().split(path.sep);
-    return `${relativeScriptPathParts[0]}/${relativeScriptPathParts[1]}`;
+    return util.getRequiredEnvParam("GITHUB_ACTION_REPOSITORY");
 }
+exports.getCodeQLActionRepository = getCodeQLActionRepository;
 async function getCodeQLBundleDownloadURL(apiDetails, variant, logger) {
    const codeQLActionRepository = getCodeQLActionRepository(logger);
    const potentialDownloadSources = [
@@ -163,14 +148,14 @@ async function getCodeQLBundleDownloadURL(apiDetails, variant, logger) {
    if (variant === util.GitHubVariant.GHAE) {
        try {
            const release = await api
-                .getApiClient(apiDetails)
+                .getApiClient()
                .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
                tag: CODEQL_BUNDLE_VERSION,
            });
            const assetID = release.data.assets[codeQLBundleName];
            if (assetID !== undefined) {
                const download = await api
-                    .getApiClient(apiDetails)
+                    .getApiClient()
                    .request("GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}", { asset_id: assetID });
                const downloadURL = download.data.url;
                logger.info(`Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`);
@@ -193,7 +178,7 @@ async function getCodeQLBundleDownloadURL(apiDetails, variant, logger) {
        }
        const [repositoryOwner, repositoryName] = repository.split("/");
        try {
-            const release = await api.getApiClient(apiDetails).repos.getReleaseByTag({
+            const release = await api.getApiClient().repos.getReleaseByTag({
                owner: repositoryOwner,
                repo: repositoryName,
                tag: CODEQL_BUNDLE_VERSION,
@@ -218,13 +203,13 @@ async function getCodeQLBundleDownloadURL(apiDetails, variant, logger) {
 * @param apiDetails
 * @param tempDir
 * @param variant
- * @param featureFlags
+ * @param features
 * @param logger
 * @param checkVersion Whether to check that CodeQL CLI meets the minimum
 *        version requirement. Must be set to true outside tests.
- * @returns
+ * @returns a { CodeQL, toolsVersion } object.
 */
-async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, featureFlags, logger, checkVersion) {
+async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, bypassToolcache, logger, checkVersion) {
    try {
        const forceLatestReason = 
        // We use the special value of 'latest' to prioritize the version in the
@@ -232,12 +217,11 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, featureFlags
        codeqlURL === "latest"
            ? '"tools: latest" was requested'
            : // If the user hasn't requested a particular CodeQL version, then bypass
-                // the toolcache when the appropriate feature flag is enabled. This
+                // the toolcache when the appropriate feature is enabled. This
                // allows us to quickly rollback a broken bundle that has made its way
                // into the toolcache.
-                codeqlURL === undefined &&
-                    (await featureFlags.getValue(feature_flags_1.FeatureFlag.BypassToolcacheEnabled))
-                    ? "a specific version of CodeQL was not requested and the bypass toolcache feature flag is enabled"
+                codeqlURL === undefined && bypassToolcache
+                    ? "a specific version of CodeQL was not requested and the bypass toolcache feature is enabled"
                    : undefined;
        const forceLatest = forceLatestReason !== undefined;
        if (forceLatest) {
@@ -265,6 +249,7 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, featureFlags
                    if (fs.existsSync(path.join(tmpCodeqlFolder, "pinned-version"))) {
                        logger.debug(`CodeQL in cache overriding the default ${CODEQL_BUNDLE_VERSION}`);
                        codeqlFolder = tmpCodeqlFolder;
+                        codeqlURLVersion = codeqlVersions[0];
                    }
                }
            }
@@ -276,7 +261,7 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, featureFlags
                    codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, variant, logger);
                }
                const parsedCodeQLURL = new URL(codeqlURL);
-                const parsedQueryString = query_string_1.default.parse(parsedCodeQLURL.search);
+                const searchParams = new URLSearchParams(parsedCodeQLURL.search);
                const headers = {
                    accept: "application/octet-stream",
                };
@@ -285,7 +270,7 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, featureFlags
                // This avoids leaking Enterprise tokens to dotcom.
                // We also don't want to send an authorization header if there's already a token provided in the URL.
                if (codeqlURL.startsWith(`${apiDetails.url}/`) &&
-                    parsedQueryString["token"] === undefined) {
+                    !searchParams.has("token")) {
                    logger.debug("Downloading CodeQL bundle with token.");
                    headers.authorization = `token ${apiDetails.auth}`;
                }
@@ -385,6 +370,7 @@ function setCodeQL(partialCodeql) {
        databaseRunQueries: resolveFunction(partialCodeql, "databaseRunQueries"),
        databaseInterpretResults: resolveFunction(partialCodeql, "databaseInterpretResults"),
        databasePrintBaseline: resolveFunction(partialCodeql, "databasePrintBaseline"),
+        diagnosticsExport: resolveFunction(partialCodeql, "diagnosticsExport"),
    };
    return cachedCodeQL;
 }
@@ -465,6 +451,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            // action/runner has been implemented in `codeql database trace-command`
            // _and_ is present in the latest supported CLI release.)
            const envFile = path.resolve(databasePath, "working", "env.tmp");
+            try {
                await runTool(cmd, [
                    "database",
                    "trace-command",
@@ -474,6 +461,22 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                    tracerEnvJs,
                    envFile,
                ]);
+            }
+            catch (e) {
+                if (e instanceof CommandInvocationError &&
+                    e.output.includes("undefined symbol: __libc_dlopen_mode, version GLIBC_PRIVATE") &&
+                    process.platform === "linux" &&
+                    !(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_TRACING_GLIBC_2_34))) {
+                    throw new util.UserError("The CodeQL CLI is incompatible with the version of glibc on your system. " +
+                        `Please upgrade to CodeQL CLI version ${exports.CODEQL_VERSION_TRACING_GLIBC_2_34} or ` +
+                        "later. If you cannot upgrade to a newer version of the CodeQL CLI, you can " +
+                        `alternatively run your workflow on another runner image such as "ubuntu-20.04" ` +
+                        "that has glibc 2.33 or earlier installed.");
+                }
+                else {
+                    throw e;
+                }
+            }
            return JSON.parse(fs.readFileSync(envFile, "utf-8"));
        },
        async databaseInit(databasePath, language, sourceRoot) {
@@ -486,36 +489,25 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                ...getExtraOptionsFromEnv(["database", "init"]),
            ]);
        },
-        async databaseInitCluster(config, sourceRoot, processName, processLevel, featureFlags, logger) {
+        async databaseInitCluster(config, sourceRoot, processName, featureEnablement) {
            const extraArgs = config.languages.map((language) => `--language=${language}`);
-            if (config.languages.filter((l) => (0, languages_1.isTracedLanguage)(l, logger)).length > 0) {
+            if (config.languages.filter((l) => (0, languages_1.isTracedLanguage)(l)).length > 0) {
                extraArgs.push("--begin-tracing");
                extraArgs.push(...(await (0, trap_caching_1.getTrapCachingExtractorConfigArgs)(config)));
-                if (processName !== undefined) {
                extraArgs.push(`--trace-process-name=${processName}`);
-                }
-                else {
-                    // We default to 3 if no other arguments are provided since this was the default
-                    // behaviour of the Runner. Note this path never happens in the CodeQL Action
-                    // because that always passes in a process name.
-                    extraArgs.push(`--trace-process-level=${processLevel || 3}`);
-                }
-                if (await util.codeQlVersionAbove(this, CODEQL_VERSION_LUA_TRACER_CONFIG)) {
-                    if ((await featureFlags.getValue(feature_flags_1.FeatureFlag.LuaTracerConfigEnabled)) &&
-                        // There's a bug in Lua tracing for Go on Windows in versions 2.10.3 and earlier,
-                        // so don't use Lua tracing when tracing Go on Windows.
-                        // Once we've released a fix, we should add a version gate based on the fixed version.
-                        !(config.languages.includes(languages_1.Language.go) &&
-                            (0, languages_1.isTracedLanguage)(languages_1.Language.go, logger) &&
-                            process.platform === "win32")) {
-                        extraArgs.push("--internal-use-lua-tracing");
-                    }
-                    else {
+                if (
+                // There's a bug in Lua tracing for Go on Windows in versions earlier than
+                // `CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED`, so don't use Lua tracing
+                // when tracing Go on Windows on these CodeQL versions.
+                (await util.codeQlVersionAbove(this, CODEQL_VERSION_LUA_TRACER_CONFIG)) &&
+                    config.languages.includes(languages_1.Language.go) &&
+                    (0, languages_1.isTracedLanguage)(languages_1.Language.go) &&
+                    process.platform === "win32" &&
+                    !(await util.codeQlVersionAbove(this, CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED))) {
                    extraArgs.push("--no-internal-use-lua-tracing");
                }
            }
-            }
-            const configLocation = await generateCodescanningConfig(codeql, config);
+            const configLocation = await generateCodeScanningConfig(codeql, config, featureEnablement);
            if (configLocation) {
                extraArgs.push(`--codescanning-config=${configLocation}`);
            }
@@ -531,7 +523,9 @@ async function getCodeQLForCmd(cmd, checkVersion) {
        },
        async runAutobuild(language) {
            const cmdName = process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh";
-            const autobuildCmd = path.join(path.dirname(cmd), language, "tools", cmdName);
+            // The autobuilder for Swift is located in the experimental/ directory.
+            const possibleExperimentalDir = language === languages_1.Language.swift ? "experimental" : "";
+            const autobuildCmd = path.join(path.dirname(cmd), possibleExperimentalDir, language, "tools", cmdName);
            // Update JAVA_TOOL_OPTIONS to contain '-Dhttp.keepAlive=false'
            // This is because of an issue with Azure pipelines timing out connections after 4 minutes
            // and Maven not properly handling closed connections
@@ -558,7 +552,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            // (https://github.com/actions/runner/pull/416).
            await runTool(autobuildCmd);
        },
-        async extractScannedLanguage(config, language, featureFlags) {
+        async extractScannedLanguage(config, language) {
            const databasePath = util.getCodeQLDatabasePath(config, language);
            // Get extractor location
            let extractorPath = "";
@@ -582,20 +576,10 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            // Set trace command
            const ext = process.platform === "win32" ? ".cmd" : ".sh";
            const traceCommand = path.resolve(JSON.parse(extractorPath), "tools", `autobuild${ext}`);
-            const extraArgs = [];
-            if (await util.codeQlVersionAbove(this, CODEQL_VERSION_LUA_TRACER_CONFIG)) {
-                if (await featureFlags.getValue(feature_flags_1.FeatureFlag.LuaTracerConfigEnabled)) {
-                    extraArgs.push("--internal-use-lua-tracing");
-                }
-                else {
-                    extraArgs.push("--no-internal-use-lua-tracing");
-                }
-            }
            // Run trace command
            await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, [
                "database",
                "trace-command",
-                ...extraArgs,
                ...(await (0, trap_caching_1.getTrapCachingExtractorConfigArgsForLang)(config, language)),
                ...getExtraOptionsFromEnv(["database", "trace-command"]),
                databasePath,
@@ -609,11 +593,10 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                "finalize",
                "--finalize-dataset",
                threadsFlag,
+                memoryFlag,
                ...getExtraOptionsFromEnv(["database", "finalize"]),
                databasePath,
            ];
-            if (await util.codeQlVersionAbove(this, CODEQL_VERSION_RAM_FINALIZE))
-                args.push(memoryFlag);
            await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, args, error_matcher_1.errorMatchers);
        },
        async resolveLanguages() {
@@ -683,7 +666,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            if (querySuitePath) {
                codeqlArgs.push(querySuitePath);
            }
-            await runTool(cmd, codeqlArgs);
+            await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, codeqlArgs, error_matcher_1.errorMatchers);
        },
        async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId) {
            const codeqlArgs = [
@@ -694,26 +677,26 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                verbosityFlag,
                `--output=${sarifFile}`,
                addSnippetsFlag,
+                "--print-diagnostics-summary",
+                "--print-metrics-summary",
+                "--sarif-group-rules-by-pack",
                ...getExtraOptionsFromEnv(["database", "interpret-results"]),
            ];
-            if (await util.codeQlVersionAbove(this, CODEQL_VERSION_DIAGNOSTICS))
-                codeqlArgs.push("--print-diagnostics-summary");
-            if (await util.codeQlVersionAbove(this, CODEQL_VERSION_METRICS))
-                codeqlArgs.push("--print-metrics-summary");
-            if (await util.codeQlVersionAbove(this, CODEQL_VERSION_GROUP_RULES))
-                codeqlArgs.push("--sarif-group-rules-by-pack");
            if (await util.codeQlVersionAbove(this, CODEQL_VERSION_CUSTOM_QUERY_HELP))
                codeqlArgs.push("--sarif-add-query-help");
-            if (automationDetailsId !== undefined &&
-                (await util.codeQlVersionAbove(this, CODEQL_VERSION_SARIF_GROUP))) {
+            if (automationDetailsId !== undefined) {
                codeqlArgs.push("--sarif-category", automationDetailsId);
            }
+            if (await util.codeQlVersionAbove(this, CODEQL_VERSION_FILE_BASELINE_INFORMATION)) {
+                codeqlArgs.push("--sarif-add-baseline-file-info");
+            }
            codeqlArgs.push(databasePath);
            if (querySuitePaths) {
                codeqlArgs.push(...querySuitePaths);
            }
            // capture stdout, which contains analysis summaries
-            return await runTool(cmd, codeqlArgs);
+            const returnState = await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, codeqlArgs, error_matcher_1.errorMatchers);
+            return returnState.stdout;
        },
        async databasePrintBaseline(databasePath) {
            const codeqlArgs = [
@@ -733,11 +716,18 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         * If no version is specified, then the latest version is
         * downloaded. The check to determine what the latest version is is done
         * each time this package is requested.
+         *
+         * Optionally, a `qlconfigFile` is included. If used, then this file
+         * is used to determine which registry each pack is downloaded from.
         */
-        async packDownload(packs) {
+        async packDownload(packs, qlconfigFile) {
+            const qlconfigArg = qlconfigFile
+                ? [`--qlconfig-file=${qlconfigFile}`]
+                : [];
            const codeqlArgs = [
                "pack",
                "download",
+                ...qlconfigArg,
                "--format=json",
                "--resolve-query-specs",
                ...getExtraOptionsFromEnv(["pack", "download"]),
@@ -782,9 +772,22 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            ];
            await new toolrunner.ToolRunner(cmd, args).exec();
        },
+        async diagnosticsExport(sarifFile, automationDetailsId) {
+            const args = [
+                "diagnostics",
+                "export",
+                "--format=sarif-latest",
+                `--output=${sarifFile}`,
+                ...getExtraOptionsFromEnv(["diagnostics", "export"]),
+            ];
+            if (automationDetailsId !== undefined) {
+                args.push("--sarif-category", automationDetailsId);
+            }
+            await new toolrunner.ToolRunner(cmd, args).exec();
+        },
    };
-    // To ensure that status reports include the CodeQL CLI version whereever
-    // possbile, we want to call getVersion(), which populates the version value
+    // To ensure that status reports include the CodeQL CLI version wherever
+    // possible, we want to call getVersion(), which populates the version value
    // used by status reporting, at the earliest opportunity. But invoking
    // getVersion() directly here breaks tests that only pretend to create a
    // CodeQL object. So instead we rely on the assumption that all non-test
@@ -857,17 +860,22 @@ async function runTool(cmd, args = []) {
    const exitCode = await new toolrunner.ToolRunner(cmd, args, {
        listeners: {
            stdout: (data) => {
-                output += data.toString();
+                output += data.toString("utf8");
            },
            stderr: (data) => {
-                const toRead = Math.min(maxErrorSize - error.length, data.length);
-                error += data.toString("utf8", 0, toRead);
+                let readStartIndex = 0;
+                // If the error is too large, then we only take the last 20,000 characters
+                if (data.length - maxErrorSize > 0) {
+                    // Eg: if we have 20,000 the start index should be 2.
+                    readStartIndex = data.length - maxErrorSize + 1;
+                }
+                error += data.toString("utf8", readStartIndex);
            },
        },
        ignoreReturnCode: true,
    }).exec();
    if (exitCode !== 0)
-        throw new CommandInvocationError(cmd, args, exitCode, error);
+        throw new CommandInvocationError(cmd, args, exitCode, error, output);
    return output;
 }
 /**
@@ -878,9 +886,9 @@ async function runTool(cmd, args = []) {
 * @param config The configuration to use.
 * @returns the path to the generated user configuration file.
 */
-async function generateCodescanningConfig(codeql, config) {
+async function generateCodeScanningConfig(codeql, config, featureEnablement) {
    var _a;
-    if (!(await util.useCodeScanningConfigInCli(codeql))) {
+    if (!(await util.useCodeScanningConfigInCli(codeql, featureEnablement))) {
        return;
    }
    const configLocation = path.resolve(config.tempDir, "user-config.yaml");
--- a/lib/codeql.js.map
+++ b/lib/codeql.js.map
--- a/lib/codeql.test.js
+++ b/lib/codeql.test.js
@@ -27,11 +27,13 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const toolcache = __importStar(require("@actions/tool-cache"));
+const safeWhich = __importStar(require("@chrisgavin/safe-which"));
 const ava_1 = __importDefault(require("ava"));
 const del_1 = __importDefault(require("del"));
 const yaml = __importStar(require("js-yaml"));
 const nock_1 = __importDefault(require("nock"));
 const sinon = __importStar(require("sinon"));
+const actionsUtil = __importStar(require("./actions-util"));
 const codeql = __importStar(require("./codeql"));
 const defaults = __importStar(require("./defaults.json"));
 const feature_flags_1 = require("./feature-flags");
@@ -45,15 +47,17 @@ const sampleApiDetails = {
    auth: "token",
    url: "https://github.com",
    apiURL: undefined,
+    registriesAuthTokens: undefined,
 };
 const sampleGHAEApiDetails = {
    auth: "token",
    url: "https://example.githubenterprise.com",
    apiURL: undefined,
+    registriesAuthTokens: undefined,
 };
 let stubConfig;
 ava_1.default.beforeEach(() => {
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, "1.2.3");
+    (0, util_1.initializeEnvironment)("1.2.3");
    stubConfig = {
        languages: [languages_1.Language.cpp],
        queries: {},
@@ -79,7 +83,7 @@ ava_1.default.beforeEach(() => {
        trapCacheDownloadTime: 0,
    };
 });
-async function mockApiAndSetupCodeQL({ apiDetails, featureFlags, isPinned, tmpDir, toolsInput, version, }) {
+async function mockApiAndSetupCodeQL({ apiDetails, bypassToolcache, isPinned, tmpDir, toolsInput, version, }) {
    var _a;
    const platform = process.platform === "win32"
        ? "win64"
@@ -93,7 +97,7 @@ async function mockApiAndSetupCodeQL({ apiDetails, featureFlags, isPinned, tmpDi
    (0, nock_1.default)(baseUrl)
        .get(relativeUrl)
        .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle${isPinned ? "-pinned" : ""}.tar.gz`));
-    await codeql.setupCodeQL(toolsInput ? toolsInput.input : `${baseUrl}${relativeUrl}`, apiDetails !== null && apiDetails !== void 0 ? apiDetails : sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, featureFlags !== null && featureFlags !== void 0 ? featureFlags : (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true), false);
+    return await codeql.setupCodeQL(toolsInput ? toolsInput.input : `${baseUrl}${relativeUrl}`, apiDetails !== null && apiDetails !== void 0 ? apiDetails : sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, !!bypassToolcache, (0, logging_1.getRunnerLogger)(true), false);
 }
 (0, ava_1.default)("download codeql bundle cache", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
@@ -101,8 +105,9 @@ async function mockApiAndSetupCodeQL({ apiDetails, featureFlags, isPinned, tmpDi
        const versions = ["20200601", "20200610"];
        for (let i = 0; i < versions.length; i++) {
            const version = versions[i];
-            await mockApiAndSetupCodeQL({ version, tmpDir });
+            const codeQLConfig = await mockApiAndSetupCodeQL({ version, tmpDir });
            t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
+            t.deepEqual(codeQLConfig.toolsVersion, version);
        }
        t.is(toolcache.findAllVersions("CodeQL").length, 2);
    });
@@ -110,26 +115,33 @@ async function mockApiAndSetupCodeQL({ apiDetails, featureFlags, isPinned, tmpDi
 (0, ava_1.default)("download codeql bundle cache explicitly requested with pinned different version cached", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        await mockApiAndSetupCodeQL({
+        const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
            version: "20200601",
            isPinned: true,
            tmpDir,
        });
        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        await mockApiAndSetupCodeQL({ version: "20200610", tmpDir });
+        t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
+        const unpinnedCodeQLConfig = await mockApiAndSetupCodeQL({
+            version: "20200610",
+            tmpDir,
+        });
        t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
+        t.deepEqual(unpinnedCodeQLConfig.toolsVersion, "20200610");
    });
 });
 (0, ava_1.default)("don't download codeql bundle cache with pinned different version cached", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        await mockApiAndSetupCodeQL({
+        const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
            version: "20200601",
            isPinned: true,
            tmpDir,
        });
        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true), false);
+        t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
+        const codeQLConfig = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, (0, logging_1.getRunnerLogger)(true), false);
+        t.deepEqual(codeQLConfig.toolsVersion, "0.0.0-20200601");
        const cachedVersions = toolcache.findAllVersions("CodeQL");
        t.is(cachedVersions.length, 1);
    });
@@ -137,14 +149,19 @@ async function mockApiAndSetupCodeQL({ apiDetails, featureFlags, isPinned, tmpDi
 (0, ava_1.default)("download codeql bundle cache with different version cached (not pinned)", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        await mockApiAndSetupCodeQL({ version: "20200601", tmpDir });
+        const cachedCodeQLConfig = await mockApiAndSetupCodeQL({
+            version: "20200601",
+            tmpDir,
+        });
        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        await mockApiAndSetupCodeQL({
+        t.deepEqual(cachedCodeQLConfig.toolsVersion, "20200601");
+        const codeQLConfig = await mockApiAndSetupCodeQL({
            version: defaults.bundleVersion,
            tmpDir,
            apiDetails: sampleApiDetails,
            toolsInput: { input: undefined },
        });
+        t.deepEqual(codeQLConfig.toolsVersion, defaults.bundleVersion.replace("codeql-bundle-", ""));
        const cachedVersions = toolcache.findAllVersions("CodeQL");
        t.is(cachedVersions.length, 2);
    });
@@ -152,18 +169,20 @@ async function mockApiAndSetupCodeQL({ apiDetails, featureFlags, isPinned, tmpDi
 (0, ava_1.default)('download codeql bundle cache with pinned different version cached if "latest" tools specified', async (t) => {
    await util.withTmpDir(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        await mockApiAndSetupCodeQL({
+        const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
            version: "20200601",
            isPinned: true,
            tmpDir,
        });
        t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        await mockApiAndSetupCodeQL({
+        t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
+        const latestCodeQLConfig = await mockApiAndSetupCodeQL({
            version: defaults.bundleVersion,
            apiDetails: sampleApiDetails,
            toolsInput: { input: "latest" },
            tmpDir,
        });
+        t.deepEqual(latestCodeQLConfig.toolsVersion, defaults.bundleVersion.replace("codeql-bundle-", ""));
        const cachedVersions = toolcache.findAllVersions("CodeQL");
        t.is(cachedVersions.length, 2);
    });
@@ -177,8 +196,8 @@ const TOOLCACHE_BYPASS_TEST_CASES = [
        false,
    ],
 ];
-for (const [isFeatureFlagEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCACHE_BYPASS_TEST_CASES) {
-    (0, ava_1.default)(`download codeql bundle ${shouldToolcacheBeBypassed ? "bypasses" : "does not bypass"} toolcache when feature flag ${isFeatureFlagEnabled ? "enabled" : "disabled"} and tools: ${toolsInput} passed`, async (t) => {
+for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCACHE_BYPASS_TEST_CASES) {
+    (0, ava_1.default)(`download codeql bundle ${shouldToolcacheBeBypassed ? "bypasses" : "does not bypass"} toolcache when feature ${isFeatureEnabled ? "enabled" : "disabled"} and tools: ${toolsInput} passed`, async (t) => {
        await util.withTmpDir(async (tmpDir) => {
            (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
            await mockApiAndSetupCodeQL({
@@ -191,7 +210,7 @@ for (const [isFeatureFlagEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOO
            await mockApiAndSetupCodeQL({
                version: defaults.bundleVersion,
                apiDetails: sampleApiDetails,
-                featureFlags: (0, feature_flags_1.createFeatureFlags)(isFeatureFlagEnabled ? [feature_flags_1.FeatureFlag.BypassToolcacheEnabled] : []),
+                bypassToolcache: isFeatureEnabled,
                toolsInput: { input: toolsInput },
                tmpDir,
            });
@@ -223,7 +242,7 @@ for (const [isFeatureFlagEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOO
        (0, nock_1.default)("https://example.githubenterprise.com")
            .get(`/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`)
            .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
-        await codeql.setupCodeQL(undefined, sampleGHAEApiDetails, tmpDir, util.GitHubVariant.GHAE, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true), false);
+        await codeql.setupCodeQL(undefined, sampleGHAEApiDetails, tmpDir, util.GitHubVariant.GHAE, false, (0, logging_1.getRunnerLogger)(true), false);
        const cachedVersions = toolcache.findAllVersions("CodeQL");
        t.is(cachedVersions.length, 1);
    });
@@ -274,15 +293,14 @@ for (const [isFeatureFlagEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOO
 });
 (0, ava_1.default)("getCodeQLActionRepository", (t) => {
    const logger = (0, logging_1.getRunnerLogger)(true);
-    (0, util_1.initializeEnvironment)(util_1.Mode.runner, "1.2.3");
-    const repoActions = codeql.getCodeQLActionRepository(logger);
-    t.deepEqual(repoActions, "github/codeql-action");
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, "1.2.3");
+    (0, util_1.initializeEnvironment)("1.2.3");
    // isRunningLocalAction() === true
    delete process.env["GITHUB_ACTION_REPOSITORY"];
    process.env["RUNNER_TEMP"] = path.dirname(__dirname);
    const repoLocalRunner = codeql.getCodeQLActionRepository(logger);
    t.deepEqual(repoLocalRunner, "github/codeql-action");
+    // isRunningLocalAction() === false
+    sinon.stub(actionsUtil, "isRunningLocalAction").returns(false);
    process.env["GITHUB_ACTION_REPOSITORY"] = "xxx/yyy";
    const repoEnv = codeql.getCodeQLActionRepository(logger);
    t.deepEqual(repoEnv, "xxx/yyy");
@@ -291,6 +309,8 @@ for (const [isFeatureFlagEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOO
    const runnerConstructorStub = stubToolRunnerConstructor();
    const codeqlObject = await codeql.getCodeQLForTesting();
    sinon.stub(codeqlObject, "getVersion").resolves("2.7.0");
+    // safeWhich throws because of the test CodeQL object.
+    sinon.stub(safeWhich, "safeWhich").resolves("");
    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
    t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be absent, but it is present");
 });
@@ -298,44 +318,18 @@ for (const [isFeatureFlagEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOO
    const runnerConstructorStub = stubToolRunnerConstructor();
    const codeqlObject = await codeql.getCodeQLForTesting();
    sinon.stub(codeqlObject, "getVersion").resolves("2.7.1");
+    // safeWhich throws because of the test CodeQL object.
+    sinon.stub(safeWhich, "safeWhich").resolves("");
    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
    t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be present, but it is absent");
 });
-(0, ava_1.default)("databaseInitCluster() Lua feature flag enabled, but old CLI", async (t) => {
-    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves("2.9.0");
-    await codeqlObject.databaseInitCluster(stubConfig, "", undefined, undefined, (0, feature_flags_1.createFeatureFlags)([feature_flags_1.FeatureFlag.LuaTracerConfigEnabled]), (0, logging_1.getRunnerLogger)(true));
-    t.false(runnerConstructorStub.firstCall.args[1].includes("--internal-use-lua-tracing"), "--internal-use-lua-tracing should be absent, but it is present");
-    t.false(runnerConstructorStub.firstCall.args[1].includes("--no-internal-use-lua-tracing"), "--no-internal-use-lua-tracing should be absent, but it is present");
-});
-(0, ava_1.default)("databaseInitCluster() Lua feature flag disabled, with old CLI", async (t) => {
-    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves("2.9.0");
-    await codeqlObject.databaseInitCluster(stubConfig, "", undefined, undefined, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
-    t.false(runnerConstructorStub.firstCall.args[1].includes("--internal-use-lua-tracing"), "--internal-use-lua-tracing should be absent, but it is present");
-    t.false(runnerConstructorStub.firstCall.args[1].includes("--no-internal-use-lua-tracing"), "--no-internal-use-lua-tracing should be absent, but it is present");
-});
-(0, ava_1.default)("databaseInitCluster() Lua feature flag enabled, compatible CLI", async (t) => {
-    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves("2.10.0");
-    await codeqlObject.databaseInitCluster(stubConfig, "", undefined, undefined, (0, feature_flags_1.createFeatureFlags)([feature_flags_1.FeatureFlag.LuaTracerConfigEnabled]), (0, logging_1.getRunnerLogger)(true));
-    t.true(runnerConstructorStub.firstCall.args[1].includes("--internal-use-lua-tracing"), "--internal-use-lua-tracing should be present, but it is absent");
-});
-(0, ava_1.default)("databaseInitCluster() Lua feature flag disabled, compatible CLI", async (t) => {
-    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves("2.10.0");
-    await codeqlObject.databaseInitCluster(stubConfig, "", undefined, undefined, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
-    t.true(runnerConstructorStub.firstCall.args[1].includes("--no-internal-use-lua-tracing"), "--no-internal-use-lua-tracing should be present, but it is absent");
-});
 (0, ava_1.default)("databaseInitCluster() without injected codescanning config", async (t) => {
    await util.withTmpDir(async (tempDir) => {
        const runnerConstructorStub = stubToolRunnerConstructor();
        const codeqlObject = await codeql.getCodeQLForTesting();
        sinon.stub(codeqlObject, "getVersion").resolves("2.8.1");
+        // safeWhich throws because of the test CodeQL object.
+        sinon.stub(safeWhich, "safeWhich").resolves("");
        const thisStubConfig = {
            ...stubConfig,
            tempDir,
@@ -345,7 +339,7 @@ for (const [isFeatureFlagEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOO
                packsInputCombines: false,
            },
        };
-        await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, undefined, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+        await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        const args = runnerConstructorStub.firstCall.args[1];
        // should NOT have used an config file
        const configArg = args.find((arg) => arg.startsWith("--codescanning-config="));
@@ -355,9 +349,6 @@ for (const [isFeatureFlagEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOO
 // Test macro for ensuring different variants of injected augmented configurations
 const injectedConfigMacro = ava_1.default.macro({
    exec: async (t, augmentationProperties, configOverride, expectedConfig) => {
-        const origCODEQL_PASS_CONFIG_TO_CLI = process.env.CODEQL_PASS_CONFIG_TO_CLI;
-        process.env["CODEQL_PASS_CONFIG_TO_CLI"] = "true";
-        try {
        await util.withTmpDir(async (tempDir) => {
            const runnerConstructorStub = stubToolRunnerConstructor();
            const codeqlObject = await codeql.getCodeQLForTesting();
@@ -370,7 +361,7 @@ const injectedConfigMacro = ava_1.default.macro({
                tempDir,
                augmentationProperties,
            };
-                await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, undefined, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+            await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.CliConfigFileEnabled]), (0, logging_1.getRunnerLogger)(true));
            const args = runnerConstructorStub.firstCall.args[1];
            // should have used an config file
            const configArg = args.find((arg) => arg.startsWith("--codescanning-config="));
@@ -380,10 +371,6 @@ const injectedConfigMacro = ava_1.default.macro({
            t.deepEqual(augmentedConfig, expectedConfig);
            await (0, del_1.default)(configFile, { force: true });
        });
-        }
-        finally {
-            process.env["CODEQL_PASS_CONFIG_TO_CLI"] = origCODEQL_PASS_CONFIG_TO_CLI;
-        }
    },
    title: (providedTitle = "") => `databaseInitCluster() injected config: ${providedTitle}`,
 });
@@ -574,7 +561,7 @@ const injectedConfigMacro = ava_1.default.macro({
        sinon
            .stub(codeqlObject, "getVersion")
            .resolves(codeql.CODEQL_VERSION_CONFIG_FILES);
-        await codeqlObject.databaseInitCluster(stubConfig, "", undefined, undefined, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+        await codeqlObject.databaseInitCluster(stubConfig, "", undefined, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        const args = runnerConstructorStub.firstCall.args[1];
        // should have used an config file
        const configArg = args.find((arg) => arg.startsWith("--codescanning-config="));
@@ -584,6 +571,24 @@ const injectedConfigMacro = ava_1.default.macro({
        process.env["CODEQL_PASS_CONFIG_TO_CLI"] = origCODEQL_PASS_CONFIG_TO_CLI;
    }
 });
+(0, ava_1.default)("databaseInterpretResults() sets --sarif-add-baseline-file-info for 2.11.3", async (t) => {
+    const runnerConstructorStub = stubToolRunnerConstructor();
+    const codeqlObject = await codeql.getCodeQLForTesting();
+    sinon.stub(codeqlObject, "getVersion").resolves("2.11.3");
+    // safeWhich throws because of the test CodeQL object.
+    sinon.stub(safeWhich, "safeWhich").resolves("");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+    t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info should be present, but it is absent");
+});
+(0, ava_1.default)("databaseInterpretResults() does not set --sarif-add-baseline-file-info for 2.11.2", async (t) => {
+    const runnerConstructorStub = stubToolRunnerConstructor();
+    const codeqlObject = await codeql.getCodeQLForTesting();
+    sinon.stub(codeqlObject, "getVersion").resolves("2.11.2");
+    // safeWhich throws because of the test CodeQL object.
+    sinon.stub(safeWhich, "safeWhich").resolves("");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+    t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info must be absent, but it is present");
+});
 function stubToolRunnerConstructor() {
    const runnerObjectStub = sinon.createStubInstance(toolrunner.ToolRunner);
    runnerObjectStub.exec.resolves(0);
--- a/lib/codeql.test.js.map
+++ b/lib/codeql.test.js.map
--- a/lib/config-utils.js
+++ b/lib/config-utils.js
@@ -19,7 +19,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getConfig = exports.getPathToParsedConfigFile = exports.initConfig = exports.parsePacks = exports.validatePackSpecification = exports.prettyPrintPack = exports.parsePacksSpecification = exports.parsePacksFromConfig = exports.calculateAugmentation = exports.getDefaultConfig = exports.getUnknownLanguagesError = exports.getNoLanguagesError = exports.getConfigFileDirectoryGivenMessage = exports.getConfigFileFormatInvalidMessage = exports.getConfigFileRepoFormatInvalidMessage = exports.getConfigFileDoesNotExistErrorMessage = exports.getConfigFileOutsideWorkspaceErrorMessage = exports.getLocalPathDoesNotExist = exports.getLocalPathOutsideOfRepository = exports.getPacksStrInvalid = exports.getPacksInvalid = exports.getPacksInvalidSplit = exports.getPathsInvalid = exports.getPathsIgnoreInvalid = exports.getQueryUsesInvalid = exports.getQueriesMissingUses = exports.getQueriesInvalid = exports.getDisableDefaultQueriesInvalid = exports.getNameInvalid = exports.validateAndSanitisePath = exports.defaultAugmentationProperties = void 0;
+exports.downloadPacks = exports.getConfig = exports.getPathToParsedConfigFile = exports.initConfig = exports.parsePacks = exports.validatePackSpecification = exports.prettyPrintPack = exports.parsePacksSpecification = exports.parsePacksFromConfig = exports.calculateAugmentation = exports.getDefaultConfig = exports.getRawLanguages = exports.getLanguages = exports.getLanguagesInRepo = exports.getUnknownLanguagesError = exports.getNoLanguagesError = exports.getConfigFileDirectoryGivenMessage = exports.getConfigFileFormatInvalidMessage = exports.getConfigFileRepoFormatInvalidMessage = exports.getConfigFileDoesNotExistErrorMessage = exports.getConfigFileOutsideWorkspaceErrorMessage = exports.getLocalPathDoesNotExist = exports.getLocalPathOutsideOfRepository = exports.getPacksStrInvalid = exports.getPacksInvalid = exports.getPacksInvalidSplit = exports.getPathsInvalid = exports.getPathsIgnoreInvalid = exports.getQueryUsesInvalid = exports.getQueriesMissingUses = exports.getQueriesInvalid = exports.getDisableDefaultQueriesInvalid = exports.getNameInvalid = exports.validateAndSanitisePath = exports.defaultAugmentationProperties = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 // We need to import `performance` on Node 12
@@ -134,7 +134,7 @@ const builtinSuites = ["security-extended", "security-and-quality"];
 * Throws an error if suiteName is not a valid builtin suite.
 * May inject ML queries, and the return value will declare if this was done.
 */
-async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suiteName, featureFlags, configFile) {
+async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suiteName, featureEnablement, configFile) {
    var _a;
    let injectedMlQueries = false;
    const found = builtinSuites.find((suite) => suite === suiteName);
@@ -151,8 +151,7 @@ async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suite
        languages.includes("javascript") &&
        (found === "security-extended" || found === "security-and-quality") &&
        !((_a = packs.javascript) === null || _a === void 0 ? void 0 : _a.some(isMlPoweredJsQueriesPack)) &&
-        (await featureFlags.getValue(feature_flags_1.FeatureFlag.MlPoweredQueriesEnabled)) &&
-        (await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_ML_POWERED_QUERIES))) {
+        (await featureEnablement.getValue(feature_flags_1.Feature.MlPoweredQueriesEnabled, codeQL))) {
        if (!packs.javascript) {
            packs.javascript = [];
        }
@@ -227,7 +226,7 @@ async function addRemoteQueries(codeQL, resultMap, queryUses, tempDir, apiDetail
 *
 * @returns whether or not we injected ML queries into the packs
 */
-async function parseQueryUses(languages, codeQL, resultMap, packs, queryUses, tempDir, workspacePath, apiDetails, featureFlags, logger, configFile) {
+async function parseQueryUses(languages, codeQL, resultMap, packs, queryUses, tempDir, workspacePath, apiDetails, featureEnablement, logger, configFile) {
    queryUses = queryUses.trim();
    if (queryUses === "") {
        throw new Error(getQueryUsesInvalid(configFile));
@@ -239,7 +238,7 @@ async function parseQueryUses(languages, codeQL, resultMap, packs, queryUses, te
    }
    // Check for one of the builtin suites
    if (queryUses.indexOf("/") === -1 && queryUses.indexOf("@") === -1) {
-        return await addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, queryUses, featureFlags, configFile);
+        return await addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, queryUses, featureEnablement, configFile);
    }
    // Otherwise, must be a reference to another repo
    await addRemoteQueries(codeQL, resultMap, queryUses, tempDir, apiDetails, logger, configFile);
@@ -386,11 +385,12 @@ function getUnknownLanguagesError(languages) {
 }
 exports.getUnknownLanguagesError = getUnknownLanguagesError;
 /**
- * Gets the set of languages in the current repository
+ * Gets the set of languages in the current repository that are
+ * scannable by CodeQL.
 */
-async function getLanguagesInRepo(repository, apiDetails, logger) {
+async function getLanguagesInRepo(repository, logger) {
    logger.debug(`GitHub repo ${repository.owner} ${repository.repo}`);
-    const response = await api.getApiClient(apiDetails).repos.listLanguages({
+    const response = await api.getApiClient().repos.listLanguages({
        owner: repository.owner,
        repo: repository.repo,
    });
@@ -408,6 +408,7 @@ async function getLanguagesInRepo(repository, apiDetails, logger) {
    }
    return [...languages];
 }
+exports.getLanguagesInRepo = getLanguagesInRepo;
 /**
 * Get the languages to analyse.
 *
@@ -418,19 +419,17 @@ async function getLanguagesInRepo(repository, apiDetails, logger) {
 * If no languages could be detected from either the workflow or the repository
 * then throw an error.
 */
-async function getLanguages(codeQL, languagesInput, repository, apiDetails, logger) {
-    // Obtain from action input 'languages' if set
-    let languages = (languagesInput || "")
-        .split(",")
-        .map((x) => x.trim())
-        .filter((x) => x.length > 0);
-    logger.info(`Languages from configuration: ${JSON.stringify(languages)}`);
-    if (languages.length === 0) {
-        // Obtain languages as all languages in the repo that can be analysed
-        languages = await getLanguagesInRepo(repository, apiDetails, logger);
+async function getLanguages(codeQL, languagesInput, repository, logger) {
+    // Obtain languages without filtering them.
+    const { rawLanguages, autodetected } = await getRawLanguages(languagesInput, repository, logger);
+    let languages = rawLanguages.map(languages_1.resolveAlias);
+    if (autodetected) {
        const availableLanguages = await codeQL.resolveLanguages();
        languages = languages.filter((value) => value in availableLanguages);
-        logger.info(`Automatically detected languages: ${JSON.stringify(languages)}`);
+        logger.info(`Automatically detected languages: ${languages.join(", ")}`);
+    }
+    else {
+        logger.info(`Languages from configuration: ${languages.join(", ")}`);
    }
    // If the languages parameter was not given and no languages were
    // detected then fail here as this is a workflow configuration error.
@@ -441,26 +440,58 @@ async function getLanguages(codeQL, languagesInput, repository, apiDetails, logg
    const parsedLanguages = [];
    const unknownLanguages = [];
    for (const language of languages) {
+        // We know this is not an alias since we resolved it above.
        const parsedLanguage = (0, languages_1.parseLanguage)(language);
        if (parsedLanguage === undefined) {
            unknownLanguages.push(language);
        }
-        else if (parsedLanguages.indexOf(parsedLanguage) === -1) {
+        else if (!parsedLanguages.includes(parsedLanguage)) {
            parsedLanguages.push(parsedLanguage);
        }
    }
+    // Any unknown languages here would have come directly from the input
+    // since we filter unknown languages coming from the GitHub API.
    if (unknownLanguages.length > 0) {
        throw new Error(getUnknownLanguagesError(unknownLanguages));
    }
    return parsedLanguages;
 }
-async function addQueriesAndPacksFromWorkflow(codeQL, queriesInput, languages, resultMap, packs, tempDir, workspacePath, apiDetails, featureFlags, logger) {
+exports.getLanguages = getLanguages;
+/**
+ * Gets the set of languages in the current repository without checking to
+ * see if these languages are actually supported by CodeQL.
+ *
+ * @param languagesInput The languages from the workflow input
+ * @param repository the owner/name of the repository
+ * @param logger a logger
+ * @returns A tuple containing a list of languages in this repository that might be
+ * analyzable and whether or not this list was determined automatically.
+ */
+async function getRawLanguages(languagesInput, repository, logger) {
+    // Obtain from action input 'languages' if set
+    let rawLanguages = (languagesInput || "")
+        .split(",")
+        .map((x) => x.trim().toLowerCase())
+        .filter((x) => x.length > 0);
+    let autodetected;
+    if (rawLanguages.length) {
+        autodetected = false;
+    }
+    else {
+        autodetected = true;
+        // Obtain all languages in the repo that can be analysed
+        rawLanguages = (await getLanguagesInRepo(repository, logger));
+    }
+    return { rawLanguages, autodetected };
+}
+exports.getRawLanguages = getRawLanguages;
+async function addQueriesAndPacksFromWorkflow(codeQL, queriesInput, languages, resultMap, packs, tempDir, workspacePath, apiDetails, featureEnablement, logger) {
    let injectedMlQueries = false;
    queriesInput = queriesInput.trim();
    // "+" means "don't override config file" - see shouldAddConfigFileQueries
    queriesInput = queriesInput.replace(/^\+/, "");
    for (const query of queriesInput.split(",")) {
-        const didInject = await parseQueryUses(languages, codeQL, resultMap, packs, query, tempDir, workspacePath, apiDetails, featureFlags, logger);
+        const didInject = await parseQueryUses(languages, codeQL, resultMap, packs, query, tempDir, workspacePath, apiDetails, featureEnablement, logger);
        injectedMlQueries = injectedMlQueries || didInject;
    }
    return injectedMlQueries;
@@ -478,8 +509,8 @@ function shouldAddConfigFileQueries(queriesInput) {
 /**
 * Get the default config for when the user has not supplied one.
 */
-async function getDefaultConfig(languagesInput, rawQueriesInput, rawPacksInput, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureFlags, logger) {
-    const languages = await getLanguages(codeQL, languagesInput, repository, apiDetails, logger);
+async function getDefaultConfig(languagesInput, rawQueriesInput, rawPacksInput, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger) {
+    const languages = await getLanguages(codeQL, languagesInput, repository, logger);
    const queries = {};
    for (const language of languages) {
        queries[language] = {
@@ -496,7 +527,7 @@ async function getDefaultConfig(languagesInput, rawQueriesInput, rawPacksInput,
        : {};
    if (rawQueriesInput) {
        augmentationProperties.injectedMlQueries =
-            await addQueriesAndPacksFromWorkflow(codeQL, rawQueriesInput, languages, queries, packs, tempDir, workspacePath, apiDetails, featureFlags, logger);
+            await addQueriesAndPacksFromWorkflow(codeQL, rawQueriesInput, languages, queries, packs, tempDir, workspacePath, apiDetails, featureEnablement, logger);
    }
    const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(trapCachingEnabled, codeQL, languages, logger);
    return {
@@ -532,7 +563,7 @@ async function downloadCacheWithTime(trapCachingEnabled, codeQL, languages, logg
 /**
 * Load the config from the given file.
 */
-async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureFlags, logger) {
+async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger) {
    var _a;
    let parsedYAML;
    if (isLocal(configFile)) {
@@ -553,7 +584,7 @@ async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, config
            throw new Error(getNameInvalid(configFile));
        }
    }
-    const languages = await getLanguages(codeQL, languagesInput, repository, apiDetails, logger);
+    const languages = await getLanguages(codeQL, languagesInput, repository, logger);
    const queries = {};
    for (const language of languages) {
        queries[language] = {
@@ -581,7 +612,7 @@ async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, config
    // in the config file.
    if (rawQueriesInput) {
        augmentationProperties.injectedMlQueries =
-            await addQueriesAndPacksFromWorkflow(codeQL, rawQueriesInput, languages, queries, packs, tempDir, workspacePath, apiDetails, featureFlags, logger);
+            await addQueriesAndPacksFromWorkflow(codeQL, rawQueriesInput, languages, queries, packs, tempDir, workspacePath, apiDetails, featureEnablement, logger);
    }
    if (shouldAddConfigFileQueries(rawQueriesInput) &&
        QUERIES_PROPERTY in parsedYAML) {
@@ -593,7 +624,7 @@ async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, config
            if (typeof query[QUERIES_USES_PROPERTY] !== "string") {
                throw new Error(getQueriesMissingUses(configFile));
            }
-            await parseQueryUses(languages, codeQL, queries, packs, query[QUERIES_USES_PROPERTY], tempDir, workspacePath, apiDetails, featureFlags, logger, configFile);
+            await parseQueryUses(languages, codeQL, queries, packs, query[QUERIES_USES_PROPERTY], tempDir, workspacePath, apiDetails, featureEnablement, logger, configFile);
        }
    }
    if (PATHS_IGNORE_PROPERTY in parsedYAML) {
@@ -883,16 +914,16 @@ function dbLocationOrDefault(dbLocation, tempDir) {
 * This will parse the config from the user input if present, or generate
 * a default config. The parsed config is then stored to a known location.
 */
-async function initConfig(languagesInput, queriesInput, packsInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureFlags, logger) {
+async function initConfig(languagesInput, queriesInput, packsInput, registriesInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger) {
    var _a, _b, _c;
    let config;
    // If no config file was provided create an empty one
    if (!configFile) {
        logger.debug("No configuration file was provided");
-        config = await getDefaultConfig(languagesInput, queriesInput, packsInput, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureFlags, logger);
+        config = await getDefaultConfig(languagesInput, queriesInput, packsInput, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger);
    }
    else {
-        config = await loadConfig(languagesInput, queriesInput, packsInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureFlags, logger);
+        config = await loadConfig(languagesInput, queriesInput, packsInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger);
    }
    // The list of queries should not be empty for any language. If it is then
    // it is a user configuration error.
@@ -905,11 +936,29 @@ async function initConfig(languagesInput, queriesInput, packsInput, configFile,
                "Please make sure that the default queries are enabled, or you are specifying queries to run.");
        }
    }
+    // When using the codescanning config in the CLI, pack downloads
+    // happen in the CLI during the `database init` command, so no need
+    // to download them here.
+    await (0, util_1.logCodeScanningConfigInCli)(codeQL, featureEnablement, logger);
+    if (!(await (0, util_1.useCodeScanningConfigInCli)(codeQL, featureEnablement))) {
+        const registries = parseRegistries(registriesInput);
+        await downloadPacks(codeQL, config.languages, config.packs, registries, apiDetails, config.tempDir, logger);
+    }
    // Save the config so we can easily access it again in the future
    await saveConfig(config, logger);
    return config;
 }
 exports.initConfig = initConfig;
+function parseRegistries(registriesInput) {
+    try {
+        return registriesInput
+            ? yaml.load(registriesInput)
+            : undefined;
+    }
+    catch (e) {
+        throw new Error("Invalid registries input. Must be a YAML string.");
+    }
+}
 function isLocal(configPath) {
    // If the path starts with ./, look locally
    if (configPath.indexOf("./") === 0) {
@@ -937,7 +986,7 @@ async function getRemoteConfig(configFile, apiDetails) {
        throw new Error(getConfigFileRepoFormatInvalidMessage(configFile));
    }
    const response = await api
-        .getApiClient(apiDetails, { allowExternal: true })
+        .getApiClientWithExternalAuth(apiDetails)
        .repos.getContent({
        owner: pieces.groups.owner,
        repo: pieces.groups.repo,
@@ -989,4 +1038,95 @@ async function getConfig(tempDir, logger) {
    return JSON.parse(configString);
 }
 exports.getConfig = getConfig;
+async function downloadPacks(codeQL, languages, packs, registries, apiDetails, tmpDir, logger) {
+    let qlconfigFile;
+    let registriesAuthTokens;
+    if (registries) {
+        if (!(await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_GHES_PACK_DOWNLOAD))) {
+            throw new Error(`'registries' input is not supported on CodeQL versions less than ${codeql_1.CODEQL_VERSION_GHES_PACK_DOWNLOAD}.`);
+        }
+        // generate a qlconfig.yml file to hold the registry configs.
+        const qlconfig = createRegistriesBlock(registries);
+        qlconfigFile = path.join(tmpDir, "qlconfig.yml");
+        fs.writeFileSync(qlconfigFile, yaml.dump(qlconfig), "utf8");
+        registriesAuthTokens = registries
+            .map((registry) => `${registry.url}=${registry.token}`)
+            .join(",");
+    }
+    await wrapEnvironment({
+        GITHUB_TOKEN: apiDetails.auth,
+        CODEQL_REGISTRIES_AUTH: registriesAuthTokens,
+    }, async () => {
+        let numPacksDownloaded = 0;
+        logger.startGroup("Downloading packs");
+        for (const language of languages) {
+            const packsWithVersion = packs[language];
+            if (packsWithVersion === null || packsWithVersion === void 0 ? void 0 : packsWithVersion.length) {
+                logger.info(`Downloading custom packs for ${language}`);
+                const results = await codeQL.packDownload(packsWithVersion, qlconfigFile);
+                numPacksDownloaded += results.packs.length;
+                logger.info(`Downloaded: ${results.packs
+                    .map((r) => `${r.name}@${r.version || "latest"}`)
+                    .join(", ")}`);
+            }
+        }
+        if (numPacksDownloaded > 0) {
+            logger.info(`Downloaded ${numPacksDownloaded} ${packs === 1 ? "pack" : "packs"}`);
+        }
+        else {
+            logger.info("No packs to download");
+        }
+        logger.endGroup();
+    });
+}
+exports.downloadPacks = downloadPacks;
+function createRegistriesBlock(registries) {
+    if (!Array.isArray(registries) ||
+        registries.some((r) => !r.url || !r.packages)) {
+        throw new Error("Invalid 'registries' input. Must be an array of objects with 'url' and 'packages' properties.");
+    }
+    // be sure to remove the `token` field from the registry before writing it to disk.
+    const safeRegistries = registries.map((registry) => ({
+        // ensure the url ends with a slash to avoid a bug in the CLI 2.10.4
+        url: !(registry === null || registry === void 0 ? void 0 : registry.url.endsWith("/")) ? `${registry.url}/` : registry.url,
+        packages: registry.packages,
+    }));
+    const qlconfig = {
+        registries: safeRegistries,
+    };
+    return qlconfig;
+}
+/**
+ * Create a temporary environment based on the existing environment and overridden
+ * by the given environment variables that are passed in as arguments.
+ *
+ * Use this new environment in the context of the given operation. After completing
+ * the operation, restore the original environment.
+ *
+ * This function does not support un-setting environment variables.
+ *
+ * @param env
+ * @param operation
+ */
+async function wrapEnvironment(env, operation) {
+    // Remember the original env
+    const oldEnv = { ...process.env };
+    // Set the new env
+    for (const [key, value] of Object.entries(env)) {
+        // Ignore undefined keys
+        if (value !== undefined) {
+            process.env[key] = value;
+        }
+    }
+    try {
+        // Run the operation
+        await operation();
+    }
+    finally {
+        // Restore the old env
+        for (const [key, value] of Object.entries(oldEnv)) {
+            process.env[key] = value;
+        }
+    }
+}
 //# sourceMappingURL=config-utils.js.map
--- a/lib/config-utils.js.map
+++ b/lib/config-utils.js.map
--- a/lib/config-utils.test.js
+++ b/lib/config-utils.test.js
@@ -26,6 +26,7 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const github = __importStar(require("@actions/github"));
 const ava_1 = __importDefault(require("ava"));
+const yaml = __importStar(require("js-yaml"));
 const sinon = __importStar(require("sinon"));
 const api = __importStar(require("./api-client"));
 const codeql_1 = require("./codeql");
@@ -33,6 +34,7 @@ const configUtils = __importStar(require("./config-utils"));
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
+const repository_1 = require("./repository");
 const testing_utils_1 = require("./testing-utils");
 const util = __importStar(require("./util"));
 (0, testing_utils_1.setupTests)(ava_1.default);
@@ -41,6 +43,7 @@ const sampleApiDetails = {
    externalRepoAuth: "token",
    url: "https://github.example.com",
    apiURL: undefined,
+    registriesAuthTokens: undefined,
 };
 const gitHubVersion = { type: util.GitHubVariant.DOTCOM };
 // Returns the filepath of the newly-created file
@@ -59,6 +62,7 @@ function mockGetContents(content) {
        .stub(client.repos, "getContent")
        .resolves(response);
    sinon.stub(api, "getApiClient").value(() => client);
+    sinon.stub(api, "getApiClientWithExternalAuth").value(() => client);
    return spyGetContents;
 }
 function mockListLanguages(languages) {
@@ -88,9 +92,12 @@ function mockListLanguages(languages) {
                    multipleDeclaredLanguages: {},
                };
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
-        const config = await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), logger);
-        t.deepEqual(config, await configUtils.getDefaultConfig(languages, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), logger));
+        const config = await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), logger);
+        t.deepEqual(config, await configUtils.getDefaultConfig(languages, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), logger));
    });
 });
 (0, ava_1.default)("loading config saves config", async (t) => {
@@ -107,12 +114,15 @@ function mockListLanguages(languages) {
                    multipleDeclaredLanguages: {},
                };
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
        // Sanity check the saved config file does not already exist
        t.false(fs.existsSync(configUtils.getPathToParsedConfigFile(tmpDir)));
        // Sanity check that getConfig returns undefined before we have called initConfig
        t.deepEqual(await configUtils.getConfig(tmpDir, logger), undefined);
-        const config1 = await configUtils.initConfig("javascript,python", undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), logger);
+        const config1 = await configUtils.initConfig("javascript,python", undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), logger);
        // The saved config file should now exist
        t.true(fs.existsSync(configUtils.getPathToParsedConfigFile(tmpDir)));
        // And that same newly-initialised config should now be returned by getConfig
@@ -128,7 +138,7 @@ function mockListLanguages(languages) {
 (0, ava_1.default)("load input outside of workspace", async (t) => {
    return await util.withTmpDir(async (tmpDir) => {
        try {
-            await configUtils.initConfig(undefined, undefined, undefined, "../input", undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(undefined, undefined, undefined, undefined, "../input", undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -141,7 +151,7 @@ function mockListLanguages(languages) {
        // no filename given, just a repo
        const configFile = "octo-org/codeql-config@main";
        try {
-            await configUtils.initConfig(undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(undefined, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -155,7 +165,7 @@ function mockListLanguages(languages) {
        const configFile = "input";
        t.false(fs.existsSync(path.join(tmpDir, configFile)));
        try {
-            await configUtils.initConfig(languages, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(languages, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -178,6 +188,9 @@ function mockListLanguages(languages) {
                    multipleDeclaredLanguages: {},
                };
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
        // Just create a generic config object with non-default values for all fields
        const inputFileContents = `
@@ -228,7 +241,7 @@ function mockListLanguages(languages) {
        };
        const languages = "javascript";
        const configFilePath = createConfigFile(inputFileContents, tmpDir);
-        const actualConfig = await configUtils.initConfig(languages, undefined, undefined, configFilePath, undefined, false, false, "my-artifact", "my-db", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+        const actualConfig = await configUtils.initConfig(languages, undefined, undefined, undefined, configFilePath, undefined, false, false, "my-artifact", "my-db", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Should exactly equal the object we constructed earlier
        t.deepEqual(actualConfig, expectedConfig);
    });
@@ -254,6 +267,9 @@ function mockListLanguages(languages) {
                    multipleDeclaredLanguages: {},
                };
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
        // The important point of this config is that it doesn't specify
        // the disable-default-queries field.
@@ -264,7 +280,7 @@ function mockListLanguages(languages) {
        fs.mkdirSync(path.join(tmpDir, "foo"));
        const languages = "javascript";
        const configFilePath = createConfigFile(inputFileContents, tmpDir);
-        await configUtils.initConfig(languages, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+        await configUtils.initConfig(languages, undefined, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Check resolve queries was called correctly
        t.deepEqual(resolveQueriesArgs.length, 1);
        t.deepEqual(resolveQueriesArgs[0].queries, [
@@ -305,9 +321,12 @@ function queriesToResolvedQueryForm(queries) {
                resolveQueriesArgs.push({ queries, extraSearchPath });
                return queriesToResolvedQueryForm(queries);
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
        const languages = "javascript";
-        const config = await configUtils.initConfig(languages, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+        const config = await configUtils.initConfig(languages, undefined, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Check resolveQueries was called correctly
        // It'll be called once for the default queries
        // and once for `./foo` from the config file.
@@ -338,9 +357,12 @@ function queriesToResolvedQueryForm(queries) {
                resolveQueriesArgs.push({ queries, extraSearchPath });
                return queriesToResolvedQueryForm(queries);
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
        const languages = "javascript";
-        const config = await configUtils.initConfig(languages, testQueries, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+        const config = await configUtils.initConfig(languages, testQueries, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Check resolveQueries was called correctly
        // It'll be called once for the default queries and once for `./override`,
        // but won't be called for './foo' from the config file.
@@ -370,9 +392,12 @@ function queriesToResolvedQueryForm(queries) {
                resolveQueriesArgs.push({ queries, extraSearchPath });
                return queriesToResolvedQueryForm(queries);
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
        const languages = "javascript";
-        const config = await configUtils.initConfig(languages, testQueries, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+        const config = await configUtils.initConfig(languages, testQueries, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Check resolveQueries was called correctly
        // It'll be called once for `./workflow-query`,
        // but won't be called for the default one since that was disabled
@@ -396,9 +421,12 @@ function queriesToResolvedQueryForm(queries) {
                resolveQueriesArgs.push({ queries, extraSearchPath });
                return queriesToResolvedQueryForm(queries);
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
        const languages = "javascript";
-        const config = await configUtils.initConfig(languages, testQueries, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+        const config = await configUtils.initConfig(languages, testQueries, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Check resolveQueries was called correctly:
        // It'll be called once for the default queries,
        // and then once for each of the two queries from the workflow
@@ -435,9 +463,12 @@ function queriesToResolvedQueryForm(queries) {
                resolveQueriesArgs.push({ queries, extraSearchPath });
                return queriesToResolvedQueryForm(queries);
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
        const languages = "javascript";
-        const config = await configUtils.initConfig(languages, testQueries, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+        const config = await configUtils.initConfig(languages, testQueries, undefined, undefined, configFilePath, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        // Check resolveQueries was called correctly
        // It'll be called once for the default queries,
        // once for each of additional1 and additional2,
@@ -474,9 +505,12 @@ function queriesToResolvedQueryForm(queries) {
                    multipleDeclaredLanguages: {},
                };
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
        try {
-            await configUtils.initConfig(languages, queries, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(languages, queries, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            t.fail("initConfig did not throw error");
        }
        catch (err) {
@@ -498,6 +532,9 @@ function queriesToResolvedQueryForm(queries) {
                    multipleDeclaredLanguages: {},
                };
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
        const inputFileContents = `
      name: my config
@@ -519,7 +556,7 @@ function queriesToResolvedQueryForm(queries) {
        fs.mkdirSync(path.join(tmpDir, "foo/bar/dev"), { recursive: true });
        const configFile = "octo-org/codeql-config/config.yaml@main";
        const languages = "javascript";
-        await configUtils.initConfig(languages, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+        await configUtils.initConfig(languages, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        t.assert(spyGetContents.called);
    });
 });
@@ -529,7 +566,7 @@ function queriesToResolvedQueryForm(queries) {
        mockGetContents(dummyResponse);
        const repoReference = "octo-org/codeql-config/config.yaml@main";
        try {
-            await configUtils.initConfig(undefined, undefined, undefined, repoReference, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(undefined, undefined, undefined, undefined, repoReference, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -545,7 +582,7 @@ function queriesToResolvedQueryForm(queries) {
        mockGetContents(dummyResponse);
        const repoReference = "octo-org/codeql-config/config.yaml@main";
        try {
-            await configUtils.initConfig(undefined, undefined, undefined, repoReference, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(undefined, undefined, undefined, undefined, repoReference, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -560,9 +597,12 @@ function queriesToResolvedQueryForm(queries) {
            async resolveLanguages() {
                return {};
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
        try {
-            await configUtils.initConfig(undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(undefined, undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -574,7 +614,7 @@ function queriesToResolvedQueryForm(queries) {
    return await util.withTmpDir(async (tmpDir) => {
        const languages = "rubbish,english";
        try {
-            await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+            await configUtils.initConfig(languages, undefined, undefined, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, (0, codeql_1.getCachedCodeQL)(), tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
            throw new Error("initConfig did not throw error");
        }
        catch (err) {
@@ -592,6 +632,9 @@ function queriesToResolvedQueryForm(queries) {
                    multipleDeclaredLanguages: {},
                };
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
        const inputFileContents = `
      name: my config
@@ -602,7 +645,7 @@ function queriesToResolvedQueryForm(queries) {
        const configFile = path.join(tmpDir, "codeql-config.yaml");
        fs.writeFileSync(configFile, inputFileContents);
        const languages = "javascript";
-        const { packs } = await configUtils.initConfig(languages, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+        const { packs } = await configUtils.initConfig(languages, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        t.deepEqual(packs, {
            [languages_1.Language.javascript]: ["a/b@1.2.3"],
        });
@@ -620,6 +663,9 @@ function queriesToResolvedQueryForm(queries) {
                    multipleDeclaredLanguages: {},
                };
            },
+            async packDownload() {
+                return { packs: [] };
+            },
        });
        const inputFileContents = `
      name: my config
@@ -636,7 +682,7 @@ function queriesToResolvedQueryForm(queries) {
        fs.writeFileSync(configFile, inputFileContents);
        fs.mkdirSync(path.join(tmpDir, "foo"));
        const languages = "javascript,python,cpp";
-        const { packs, queries } = await configUtils.initConfig(languages, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example" }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+        const { packs, queries } = await configUtils.initConfig(languages, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example" }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
        t.deepEqual(packs, {
            [languages_1.Language.javascript]: ["a/b@1.2.3"],
            [languages_1.Language.python]: ["c/d@1.2.3"],
@@ -673,13 +719,16 @@ function doInvalidInputTest(testName, inputFileContents, expectedErrorMessageGen
                        multipleDeclaredLanguages: {},
                    };
                },
+                async packDownload() {
+                    return { packs: [] };
+                },
            });
            const languages = "javascript";
            const configFile = "input";
            const inputFile = path.join(tmpDir, configFile);
            fs.writeFileSync(inputFile, inputFileContents, "utf8");
            try {
-                await configUtils.initConfig(languages, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)([]), (0, logging_1.getRunnerLogger)(true));
+                await configUtils.initConfig(languages, undefined, undefined, undefined, configFile, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
                throw new Error("initConfig did not throw error");
            }
            catch (err) {
@@ -885,11 +934,7 @@ function parseInputAndConfigMacro(t, packsFromConfig, packsFromInput, languages,
    languages, "/a/b", mockLogger), expected);
 }
 parseInputAndConfigMacro.title = (providedTitle) => `Parse Packs input and config: ${providedTitle}`;
-const mockLogger = {
-    info: (message) => {
-        console.log(message);
-    },
-};
+const mockLogger = (0, logging_1.getRunnerLogger)(true);
 function parseInputAndConfigErrorMacro(t, packsFromConfig, packsFromInput, languages, packsFromInputOverride, expected) {
    t.throws(() => {
        configUtils.parsePacks(packsFromConfig, packsFromInput, packsFromInputOverride, languages, "/a/b", mockLogger);
@@ -921,7 +966,7 @@ parseInputAndConfigErrorMacro.title = (providedTitle) => `Parse Packs input and
 (0, ava_1.default)("input with + only", parseInputAndConfigErrorMacro, {}, " + ", [languages_1.Language.cpp], true, /remove the '\+'/);
 (0, ava_1.default)("input with invalid pack name", parseInputAndConfigErrorMacro, {}, " xxx", [languages_1.Language.cpp], false, /"xxx" is not a valid pack/);
 const mlPoweredQueriesMacro = ava_1.default.macro({
-    exec: async (t, codeQLVersion, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, expectedVersionString) => {
+    exec: async (t, codeQLVersion, isMlPoweredQueriesEnabled, packsInput, queriesInput, expectedVersionString) => {
        return await util.withTmpDir(async (tmpDir) => {
            const codeQL = (0, codeql_1.setCodeQL)({
                async getVersion() {
@@ -936,10 +981,11 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
                        multipleDeclaredLanguages: {},
                    };
                },
+                async packDownload() {
+                    return { packs: [] };
+                },
            });
-            const { packs } = await configUtils.initConfig("javascript", queriesInput, packsInput, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, feature_flags_1.createFeatureFlags)(isMlPoweredQueriesFlagEnabled
-                ? [feature_flags_1.FeatureFlag.MlPoweredQueriesEnabled]
-                : []), (0, logging_1.getRunnerLogger)(true));
+            const { packs } = await configUtils.initConfig("javascript", queriesInput, packsInput, undefined, undefined, undefined, false, false, "", "", { owner: "github", repo: "example " }, tmpDir, codeQL, tmpDir, gitHubVersion, sampleApiDetails, (0, testing_utils_1.createFeatures)(isMlPoweredQueriesEnabled ? [feature_flags_1.Feature.MlPoweredQueriesEnabled] : []), (0, logging_1.getRunnerLogger)(true));
            if (expectedVersionString !== undefined) {
                t.deepEqual(packs, {
                    [languages_1.Language.javascript]: [
@@ -952,14 +998,12 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
            }
        });
    },
-    title: (_providedTitle, codeQLVersion, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, expectedVersionString) => `ML-powered queries ${expectedVersionString !== undefined
+    title: (_providedTitle, codeQLVersion, isMlPoweredQueriesEnabled, packsInput, queriesInput, expectedVersionString) => `ML-powered queries ${expectedVersionString !== undefined
        ? `${expectedVersionString} are`
-        : "aren't"} loaded for packs: ${packsInput}, queries: ${queriesInput} using CLI v${codeQLVersion} when feature flag is ${isMlPoweredQueriesFlagEnabled ? "enabled" : "disabled"}`,
+        : "aren't"} loaded for packs: ${packsInput}, queries: ${queriesInput} using CLI v${codeQLVersion} when feature is ${isMlPoweredQueriesEnabled ? "enabled" : "disabled"}`,
 });
-// macro, codeQLVersion, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, expectedVersionString
-// Test that ML-powered queries aren't run on v2.7.4 of the CLI.
-(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.4", true, undefined, "security-extended", undefined);
-// Test that ML-powered queries aren't run when the feature flag is off.
+// macro, codeQLVersion, isMlPoweredQueriesEnabled, packsInput, queriesInput, expectedVersionString
+// Test that ML-powered queries aren't run when the feature is off.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", false, undefined, "security-extended", undefined);
 // Test that the ~0.1.0 version of ML-powered queries is run on v2.8.3 of the CLI.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.8.3", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.1.0");
@@ -986,6 +1030,12 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
 // Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
 // CLI 2.9.3+.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.9.3", true, undefined, "security-and-quality", "~0.3.0");
+// Test that ML-powered queries are run on all platforms running `security-extended` on CodeQL
+// CLI 2.11.3+.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.11.3", true, undefined, "security-extended", "~0.4.0");
+// Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
+// CLI 2.11.3+.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.11.3", true, undefined, "security-and-quality", "~0.4.0");
 const calculateAugmentationMacro = ava_1.default.macro({
    exec: async (t, _title, rawPacksInput, rawQueriesInput, languages, expectedAugmentationProperties) => {
        const actualAugmentationProperties = configUtils.calculateAugmentation(rawPacksInput, rawQueriesInput, languages);
@@ -1039,4 +1089,231 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
 (0, ava_1.default)(calculateAugmentationErrorMacro, "Packs input with multiple languages", "   +  a/b, c/d ", undefined, [languages_1.Language.javascript, languages_1.Language.java], /Cannot specify a 'packs' input in a multi-language analysis/);
 (0, ava_1.default)(calculateAugmentationErrorMacro, "Packs input with no languages", "   +  a/b, c/d ", undefined, [], /No languages specified/);
 (0, ava_1.default)(calculateAugmentationErrorMacro, "Invalid packs", " a-pack-without-a-scope ", undefined, [languages_1.Language.javascript], /"a-pack-without-a-scope" is not a valid pack/);
+(0, ava_1.default)("downloadPacks-no-registries", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const packDownloadStub = sinon.stub();
+        packDownloadStub.callsFake((packs) => ({
+            packs,
+        }));
+        const codeQL = (0, codeql_1.setCodeQL)({
+            packDownload: packDownloadStub,
+        });
+        const logger = (0, logging_1.getRunnerLogger)(true);
+        // packs are supplied for go, java, and python
+        // analyzed languages are java, javascript, and python
+        await configUtils.downloadPacks(codeQL, [languages_1.Language.javascript, languages_1.Language.java, languages_1.Language.python], {
+            java: ["a", "b"],
+            go: ["c", "d"],
+            python: ["e", "f"],
+        }, undefined, // registries
+        sampleApiDetails, tmpDir, logger);
+        // Expecting packs to be downloaded once for java and once for python
+        t.deepEqual(packDownloadStub.callCount, 2);
+        // no config file was created, so pass `undefined` as the config file path
+        t.deepEqual(packDownloadStub.firstCall.args, [["a", "b"], undefined]);
+        t.deepEqual(packDownloadStub.secondCall.args, [["e", "f"], undefined]);
+    });
+});
+(0, ava_1.default)("downloadPacks-with-registries", async (t) => {
+    // same thing, but this time include a registries block and
+    // associated env vars
+    return await util.withTmpDir(async (tmpDir) => {
+        process.env.GITHUB_TOKEN = "not-a-token";
+        process.env.CODEQL_REGISTRIES_AUTH = "not-a-registries-auth";
+        const logger = (0, logging_1.getRunnerLogger)(true);
+        const registries = [
+            {
+                // no slash
+                url: "http://ghcr.io",
+                packages: ["codeql/*", "dsp-testing/*"],
+                token: "not-a-token",
+            },
+            {
+                // with slash
+                url: "https://containers.GHEHOSTNAME1/v2/",
+                packages: "semmle/*",
+                token: "still-not-a-token",
+            },
+        ];
+        // append a slash to the first url
+        const expectedRegistries = registries.map((r, i) => ({
+            packages: r.packages,
+            url: i === 0 ? `${r.url}/` : r.url,
+        }));
+        const expectedConfigFile = path.join(tmpDir, "qlconfig.yml");
+        const packDownloadStub = sinon.stub();
+        packDownloadStub.callsFake((packs, configFile) => {
+            t.deepEqual(configFile, expectedConfigFile);
+            // verify the env vars were set correctly
+            t.deepEqual(process.env.GITHUB_TOKEN, sampleApiDetails.auth);
+            t.deepEqual(process.env.CODEQL_REGISTRIES_AUTH, "http://ghcr.io=not-a-token,https://containers.GHEHOSTNAME1/v2/=still-not-a-token");
+            // verify the config file contents were set correctly
+            const config = yaml.load(fs.readFileSync(configFile, "utf8"));
+            t.deepEqual(config.registries, expectedRegistries);
+            return {
+                packs,
+            };
+        });
+        const codeQL = (0, codeql_1.setCodeQL)({
+            packDownload: packDownloadStub,
+            getVersion: () => Promise.resolve("2.10.5"),
+        });
+        // packs are supplied for go, java, and python
+        // analyzed languages are java, javascript, and python
+        await configUtils.downloadPacks(codeQL, [languages_1.Language.javascript, languages_1.Language.java, languages_1.Language.python], {
+            java: ["a", "b"],
+            go: ["c", "d"],
+            python: ["e", "f"],
+        }, registries, sampleApiDetails, tmpDir, logger);
+        // Same packs are downloaded as in previous test
+        t.deepEqual(packDownloadStub.callCount, 2);
+        t.deepEqual(packDownloadStub.firstCall.args, [
+            ["a", "b"],
+            expectedConfigFile,
+        ]);
+        t.deepEqual(packDownloadStub.secondCall.args, [
+            ["e", "f"],
+            expectedConfigFile,
+        ]);
+        // Verify that the env vars were unset.
+        t.deepEqual(process.env.GITHUB_TOKEN, "not-a-token");
+        t.deepEqual(process.env.CODEQL_REGISTRIES_AUTH, "not-a-registries-auth");
+    });
+});
+(0, ava_1.default)("downloadPacks-with-registries fails on 2.10.3", async (t) => {
+    // same thing, but this time include a registries block and
+    // associated env vars
+    return await util.withTmpDir(async (tmpDir) => {
+        process.env.GITHUB_TOKEN = "not-a-token";
+        process.env.CODEQL_REGISTRIES_AUTH = "not-a-registries-auth";
+        const logger = (0, logging_1.getRunnerLogger)(true);
+        const registries = [
+            {
+                url: "http://ghcr.io",
+                packages: ["codeql/*", "dsp-testing/*"],
+                token: "not-a-token",
+            },
+            {
+                url: "https://containers.GHEHOSTNAME1/v2/",
+                packages: "semmle/*",
+                token: "still-not-a-token",
+            },
+        ];
+        const codeQL = (0, codeql_1.setCodeQL)({
+            getVersion: () => Promise.resolve("2.10.3"),
+        });
+        await t.throwsAsync(async () => {
+            return await configUtils.downloadPacks(codeQL, [languages_1.Language.javascript, languages_1.Language.java, languages_1.Language.python], {}, registries, sampleApiDetails, tmpDir, logger);
+        }, { instanceOf: Error }, "'registries' input is not supported on CodeQL versions less than 2.10.4.");
+    });
+});
+(0, ava_1.default)("downloadPacks-with-registries fails with invalid registries block", async (t) => {
+    // same thing, but this time include a registries block and
+    // associated env vars
+    return await util.withTmpDir(async (tmpDir) => {
+        process.env.GITHUB_TOKEN = "not-a-token";
+        process.env.CODEQL_REGISTRIES_AUTH = "not-a-registries-auth";
+        const logger = (0, logging_1.getRunnerLogger)(true);
+        const registries = [
+            {
+                // missing url property
+                packages: ["codeql/*", "dsp-testing/*"],
+                token: "not-a-token",
+            },
+            {
+                url: "https://containers.GHEHOSTNAME1/v2/",
+                packages: "semmle/*",
+                token: "still-not-a-token",
+            },
+        ];
+        const codeQL = (0, codeql_1.setCodeQL)({
+            getVersion: () => Promise.resolve("2.10.4"),
+        });
+        await t.throwsAsync(async () => {
+            return await configUtils.downloadPacks(codeQL, [languages_1.Language.javascript, languages_1.Language.java, languages_1.Language.python], {}, registries, sampleApiDetails, tmpDir, logger);
+        }, { instanceOf: Error }, "Invalid 'registries' input. Must be an array of objects with 'url' and 'packages' properties.");
+    });
+});
+// getLanguages
+const mockRepositoryNwo = (0, repository_1.parseRepositoryNwo)("owner/repo");
+// eslint-disable-next-line github/array-foreach
+[
+    {
+        name: "languages from input",
+        codeqlResolvedLanguages: ["javascript", "java", "python"],
+        languagesInput: "jAvAscript, \n jaVa",
+        languagesInRepository: ["SwiFt", "other"],
+        expectedLanguages: ["javascript", "java"],
+        expectedApiCall: false,
+    },
+    {
+        name: "languages from github api",
+        codeqlResolvedLanguages: ["javascript", "java", "python"],
+        languagesInput: "",
+        languagesInRepository: ["  jAvAscript\n \t", " jaVa", "SwiFt", "other"],
+        expectedLanguages: ["javascript", "java"],
+        expectedApiCall: true,
+    },
+    {
+        name: "aliases from input",
+        codeqlResolvedLanguages: ["javascript", "csharp", "cpp", "java", "python"],
+        languagesInput: "  typEscript\n \t, C#, c , KoTlin",
+        languagesInRepository: ["SwiFt", "other"],
+        expectedLanguages: ["javascript", "csharp", "cpp", "java"],
+        expectedApiCall: false,
+    },
+    {
+        name: "duplicate languages from input",
+        codeqlResolvedLanguages: ["javascript", "java", "python"],
+        languagesInput: "jAvAscript, \n jaVa, kotlin, typescript",
+        languagesInRepository: ["SwiFt", "other"],
+        expectedLanguages: ["javascript", "java"],
+        expectedApiCall: false,
+    },
+    {
+        name: "aliases from github api",
+        codeqlResolvedLanguages: ["javascript", "csharp", "cpp", "java", "python"],
+        languagesInput: "",
+        languagesInRepository: ["  typEscript\n \t", " C#", "c", "other"],
+        expectedLanguages: ["javascript", "csharp", "cpp"],
+        expectedApiCall: true,
+    },
+    {
+        name: "no languages",
+        codeqlResolvedLanguages: ["javascript", "java", "python"],
+        languagesInput: "",
+        languagesInRepository: [],
+        expectedApiCall: true,
+        expectedError: configUtils.getNoLanguagesError(),
+    },
+    {
+        name: "unrecognized languages from input",
+        codeqlResolvedLanguages: ["javascript", "java", "python"],
+        languagesInput: "a, b, c, javascript",
+        languagesInRepository: [],
+        expectedApiCall: false,
+        expectedError: configUtils.getUnknownLanguagesError(["a", "b"]),
+    },
+].forEach((args) => {
+    (0, ava_1.default)(`getLanguages: ${args.name}`, async (t) => {
+        const mockRequest = (0, testing_utils_1.mockLanguagesInRepo)(args.languagesInRepository);
+        const languages = args.codeqlResolvedLanguages.reduce((acc, lang) => ({
+            ...acc,
+            [lang]: true,
+        }), {});
+        const codeQL = (0, codeql_1.setCodeQL)({
+            resolveLanguages: () => Promise.resolve(languages),
+        });
+        if (args.expectedLanguages) {
+            // happy path
+            const actualLanguages = await configUtils.getLanguages(codeQL, args.languagesInput, mockRepositoryNwo, mockLogger);
+            t.deepEqual(actualLanguages.sort(), args.expectedLanguages.sort());
+        }
+        else {
+            // there is an error
+            await t.throwsAsync(async () => await configUtils.getLanguages(codeQL, args.languagesInput, mockRepositoryNwo, mockLogger), { message: args.expectedError });
+        }
+        t.deepEqual(mockRequest.called, args.expectedApiCall);
+    });
+});
 //# sourceMappingURL=config-utils.test.js.map
--- a/lib/config-utils.test.js.map
+++ b/lib/config-utils.test.js.map
--- a/lib/count-loc.js
+++ b/lib/count-loc.js
@@ -1,70 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.countLoc = void 0;
-const github_linguist_1 = require("github-linguist");
-const languages_1 = require("./languages");
-// Map from linguist language names to language prefixes used in the action and codeql
-const linguistToMetrics = {
-    c: languages_1.Language.cpp,
-    "c++": languages_1.Language.cpp,
-    "c#": languages_1.Language.csharp,
-    go: languages_1.Language.go,
-    java: languages_1.Language.java,
-    javascript: languages_1.Language.javascript,
-    python: languages_1.Language.python,
-    ruby: languages_1.Language.ruby,
-    typescript: languages_1.Language.javascript,
-};
-const nameToLinguist = Object.entries(linguistToMetrics).reduce((obj, [key, name]) => {
-    if (!obj[name]) {
-        obj[name] = [];
-    }
-    obj[name].push(key);
-    return obj;
-}, {});
-/**
- * Count the lines of code of the specified language using the include
- * and exclude glob paths.
- *
- * @param cwd the root directory to start the count from
- * @param include glob patterns to include in the search for relevant files
- * @param exclude glob patterns to exclude in the search for relevant files
- * @param dbLanguages list of languages to include in the results
- * @param logger object to log results
- */
-async function countLoc(cwd, include, exclude, dbLanguages, logger) {
-    const result = await new github_linguist_1.LocDir({
-        cwd,
-        include: Array.isArray(include) && include.length > 0 ? include : ["**"],
-        exclude,
-        analysisLanguages: dbLanguages.flatMap((lang) => nameToLinguist[lang]),
-    }).loadInfo();
-    // The analysis counts LoC in all languages. We need to
-    // extract the languages we care about. Also, note that
-    // the analysis uses slightly different names for language.
-    const lineCounts = Object.entries(result.languages).reduce((obj, [language, { code }]) => {
-        const metricsLanguage = linguistToMetrics[language];
-        if (metricsLanguage && dbLanguages.includes(metricsLanguage)) {
-            obj[metricsLanguage] = code + (obj[metricsLanguage] || 0);
-        }
-        return obj;
-    }, {});
-    if (Object.keys(lineCounts).length) {
-        logger.debug("Lines of code count:");
-        for (const [language, count] of Object.entries(lineCounts)) {
-            logger.debug(`  ${language}: ${count}`);
-        }
-    }
-    else {
-        logger.info("Could not determine the baseline lines of code count in this repository. " +
-            "Because of this, it will not be possible to compare the lines " +
-            "of code analyzed by code scanning with the baseline. This will not affect " +
-            "the results produced by code scanning. If you have any questions, you can " +
-            "raise an issue at https://github.com/github/codeql-action/issues. Please " +
-            "include a link to the repository if public, or otherwise information about " +
-            "the code scanning workflow you are using.");
-    }
-    return lineCounts;
-}
-exports.countLoc = countLoc;
-//# sourceMappingURL=count-loc.js.map
--- a/lib/count-loc.js.map
+++ b/lib/count-loc.js.map
@@ -1 +0,0 @@
-{"version":3,"file":"count-loc.js","sourceRoot":"","sources":["../src/count-loc.ts"],"names":[],"mappings":";;;AAAA,qDAAyC;AAEzC,2CAAuC;AAGvC,sFAAsF;AACtF,MAAM,iBAAiB,GAA6B;IAClD,CAAC,EAAE,oBAAQ,CAAC,GAAG;IACf,KAAK,EAAE,oBAAQ,CAAC,GAAG;IACnB,IAAI,EAAE,oBAAQ,CAAC,MAAM;IACrB,EAAE,EAAE,oBAAQ,CAAC,EAAE;IACf,IAAI,EAAE,oBAAQ,CAAC,IAAI;IACnB,UAAU,EAAE,oBAAQ,CAAC,UAAU;IAC/B,MAAM,EAAE,oBAAQ,CAAC,MAAM;IACvB,IAAI,EAAE,oBAAQ,CAAC,IAAI;IACnB,UAAU,EAAE,oBAAQ,CAAC,UAAU;CAChC,CAAC;AAEF,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAC7D,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,EAAE;IACnB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;QACd,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;KAChB;IACD,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpB,OAAO,GAAG,CAAC;AACb,CAAC,EACD,EAAgC,CACjC,CAAC;AAEF;;;;;;;;;GASG;AACI,KAAK,UAAU,QAAQ,CAC5B,GAAW,EACX,OAAiB,EACjB,OAAiB,EACjB,WAAuB,EACvB,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAI,wBAAM,CAAC;QAC9B,GAAG;QACH,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACxE,OAAO;QACP,iBAAiB,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;KACvE,CAAC,CAAC,QAAQ,EAAE,CAAC;IAEd,uDAAuD;IACvD,uDAAuD;IACvD,2DAA2D;IAC3D,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CACxD,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE;QAC5B,MAAM,eAAe,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACpD,IAAI,eAAe,IAAI,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE;YAC5D,GAAG,CAAC,eAAe,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC;SAC3D;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,EAA8B,CAC/B,CAAC;IAEF,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE;QAClC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACrC,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE;YAC1D,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,KAAK,KAAK,EAAE,CAAC,CAAC;SACzC;KACF;SAAM;QACL,MAAM,CAAC,IAAI,CACT,2EAA2E;YACzE,gEAAgE;YAChE,4EAA4E;YAC5E,4EAA4E;YAC5E,2EAA2E;YAC3E,6EAA6E;YAC7E,2CAA2C,CAC9C,CAAC;KACH;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AA9CD,4BA8CC"}
--- a/lib/count-loc.test.js
+++ b/lib/count-loc.test.js
@@ -1,78 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const path = __importStar(require("path"));
-const ava_1 = __importDefault(require("ava"));
-const count_loc_1 = require("./count-loc");
-const languages_1 = require("./languages");
-const logging_1 = require("./logging");
-const testing_utils_1 = require("./testing-utils");
-(0, testing_utils_1.setupTests)(ava_1.default);
-(0, ava_1.default)("ensure lines of code works for cpp and js", async (t) => {
-    const results = await (0, count_loc_1.countLoc)(path.join(__dirname, "../tests/multi-language-repo"), [], [], [languages_1.Language.cpp, languages_1.Language.javascript], (0, logging_1.getRunnerLogger)(true));
-    t.deepEqual(results, {
-        cpp: 6,
-        javascript: 9,
-    });
-});
-(0, ava_1.default)("ensure lines of code works for csharp", async (t) => {
-    const results = await (0, count_loc_1.countLoc)(path.join(__dirname, "../tests/multi-language-repo"), [], [], [languages_1.Language.csharp], (0, logging_1.getRunnerLogger)(true));
-    t.deepEqual(results, {
-        csharp: 10,
-    });
-});
-(0, ava_1.default)("ensure lines of code can handle undefined language", async (t) => {
-    const results = await (0, count_loc_1.countLoc)(path.join(__dirname, "../tests/multi-language-repo"), [], [], [languages_1.Language.javascript, languages_1.Language.python, "hucairz"], (0, logging_1.getRunnerLogger)(true));
-    t.deepEqual(results, {
-        javascript: 9,
-        python: 5,
-    });
-});
-(0, ava_1.default)("ensure lines of code can handle empty languages", async (t) => {
-    const results = await (0, count_loc_1.countLoc)(path.join(__dirname, "../tests/multi-language-repo"), [], [], [], (0, logging_1.getRunnerLogger)(true));
-    t.deepEqual(results, {});
-});
-(0, ava_1.default)("ensure lines of code can handle includes", async (t) => {
-    // note that "**" is always included. The includes are for extra
-    // directories outside the normal structure.
-    const results = await (0, count_loc_1.countLoc)(path.join(__dirname, "../tests/multi-language-repo"), ["../../src/testdata"], [], [languages_1.Language.javascript], (0, logging_1.getRunnerLogger)(true));
-    t.deepEqual(results, {
-        javascript: 12,
-    });
-});
-(0, ava_1.default)("ensure lines of code can handle empty includes", async (t) => {
-    // note that "**" is always included. The includes are for extra
-    // directories outside the normal structure.
-    const results = await (0, count_loc_1.countLoc)(path.join(__dirname, "../tests/multi-language-repo"), ["idontexist"], [], [languages_1.Language.javascript], (0, logging_1.getRunnerLogger)(true));
-    t.deepEqual(results, {
-    // should get no results
-    });
-});
-(0, ava_1.default)("ensure lines of code can handle exclude", async (t) => {
-    const results = await (0, count_loc_1.countLoc)(path.join(__dirname, "../tests/multi-language-repo"), [], ["**/*.py"], [languages_1.Language.javascript, languages_1.Language.python], (0, logging_1.getRunnerLogger)(true));
-    t.deepEqual(results, {
-        javascript: 9,
-    });
-});
-//# sourceMappingURL=count-loc.test.js.map
--- a/lib/count-loc.test.js.map
+++ b/lib/count-loc.test.js.map
@@ -1 +0,0 @@
-{"version":3,"file":"count-loc.test.js","sourceRoot":"","sources":["../src/count-loc.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AAEvB,2CAAuC;AACvC,2CAAuC;AACvC,uCAA4C;AAC5C,mDAA6C;AAE7C,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,2CAA2C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC5D,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,EAAE,EACF,EAAE,EACF,CAAC,oBAAQ,CAAC,GAAG,EAAE,oBAAQ,CAAC,UAAU,CAAC,EACnC,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE;QACnB,GAAG,EAAE,CAAC;QACN,UAAU,EAAE,CAAC;KACd,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,uCAAuC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACxD,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,EAAE,EACF,EAAE,EACF,CAAC,oBAAQ,CAAC,MAAM,CAAC,EACjB,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE;QACnB,MAAM,EAAE,EAAE;KACX,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oDAAoD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrE,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,EAAE,EACF,EAAE,EACF,CAAC,oBAAQ,CAAC,UAAU,EAAE,oBAAQ,CAAC,MAAM,EAAE,SAAqB,CAAC,EAC7D,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE;QACnB,UAAU,EAAE,CAAC;QACb,MAAM,EAAE,CAAC;KACV,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iDAAiD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAClE,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,EAAE,EACF,EAAE,EACF,EAAE,EACF,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,0CAA0C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC3D,gEAAgE;IAChE,4CAA4C;IAC5C,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,CAAC,oBAAoB,CAAC,EACtB,EAAE,EACF,CAAC,oBAAQ,CAAC,UAAU,CAAC,EACrB,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE;QACnB,UAAU,EAAE,EAAE;KACf,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,gDAAgD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACjE,gEAAgE;IAChE,4CAA4C;IAC5C,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,CAAC,YAAY,CAAC,EACd,EAAE,EACF,CAAC,oBAAQ,CAAC,UAAU,CAAC,EACrB,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE;IACnB,wBAAwB;KACzB,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1D,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,EAAE,EACF,CAAC,SAAS,CAAC,EACX,CAAC,oBAAQ,CAAC,UAAU,EAAE,oBAAQ,CAAC,MAAM,CAAC,EACtC,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE;QACnB,UAAU,EAAE,CAAC;KACd,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
--- a/lib/database-upload.js
+++ b/lib/database-upload.js
@@ -41,7 +41,7 @@ async function uploadDatabases(repositoryNwo, config, apiDetails, logger) {
        logger.debug("Not analyzing default branch. Skipping upload.");
        return;
    }
-    const client = (0, api_client_1.getApiClient)(apiDetails);
+    const client = (0, api_client_1.getApiClient)();
    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
    for (const language of config.languages) {
        // Upload the database bundle.
--- a/lib/database-upload.js.map
+++ b/lib/database-upload.js.map
@@ -1 +1 @@
-{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAC9D,qCAAqC;AAIrC,6CAA+B;AAC/B,iCAAkC;AAE3B,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE;QAC9D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;KACR;IAED,iDAAiD;IACjD,IAAI,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;QAC3D,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACjE,OAAO;KACR;IAED,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,wBAAwB,EAAE,CAAC,EAAE;QACnD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;KACR;IAED,MAAM,MAAM,GAAG,IAAA,yBAAY,EAAC,UAAU,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEjD,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,8BAA8B;QAC9B,2EAA2E;QAC3E,8EAA8E;QAC9E,wEAAwE;QACxE,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAC7B,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CACnD,CAAC;QACF,IAAI;YACF,MAAM,MAAM,CAAC,OAAO,CAClB,wGAAwG,EACxG;gBACE,KAAK,EAAE,aAAa,CAAC,KAAK;gBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;gBACxB,QAAQ;gBACR,IAAI,EAAE,GAAG,QAAQ,WAAW;gBAC5B,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE;oBACP,aAAa,EAAE,SAAS,UAAU,CAAC,IAAI,EAAE;oBACzC,cAAc,EAAE,iBAAiB;iBAClC;aACF,CACF,CAAC;YACF,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;SAChE;QAAC,OAAO,CAAC,EAAE;YACV,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;SACnE;KACF;AACH,CAAC;AAxDD,0CAwDC"}
+{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAC9D,qCAAqC;AAIrC,6CAA+B;AAC/B,iCAAkC;AAE3B,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE;QAC9D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;KACR;IAED,iDAAiD;IACjD,IAAI,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;QAC3D,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACjE,OAAO;KACR;IAED,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,wBAAwB,EAAE,CAAC,EAAE;QACnD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;KACR;IAED,MAAM,MAAM,GAAG,IAAA,yBAAY,GAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEjD,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,8BAA8B;QAC9B,2EAA2E;QAC3E,8EAA8E;QAC9E,wEAAwE;QACxE,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAC7B,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CACnD,CAAC;QACF,IAAI;YACF,MAAM,MAAM,CAAC,OAAO,CAClB,wGAAwG,EACxG;gBACE,KAAK,EAAE,aAAa,CAAC,KAAK;gBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;gBACxB,QAAQ;gBACR,IAAI,EAAE,GAAG,QAAQ,WAAW;gBAC5B,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE;oBACP,aAAa,EAAE,SAAS,UAAU,CAAC,IAAI,EAAE;oBACzC,cAAc,EAAE,iBAAiB;iBAClC;aACF,CACF,CAAC;YACF,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;SAChE;QAAC,OAAO,CAAC,EAAE;YACV,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;SACnE;KACF;AACH,CAAC;AAxDD,0CAwDC"}
--- a/lib/database-upload.test.js
+++ b/lib/database-upload.test.js
@@ -36,7 +36,7 @@ const testing_utils_1 = require("./testing-utils");
 const util_1 = require("./util");
 (0, testing_utils_1.setupTests)(ava_1.default);
 ava_1.default.beforeEach(() => {
-    (0, util_1.initializeEnvironment)(util_1.Mode.actions, "1.2.3");
+    (0, util_1.initializeEnvironment)("1.2.3");
 });
 const testRepoName = { owner: "github", repo: "example" };
 const testApiDetails = {
--- a/lib/database-upload.test.js.map
+++ b/lib/database-upload.test.js.map
--- a/lib/defaults.json
+++ b/lib/defaults.json
@@ -1,3 +1,3 @@
 {
-    "bundleVersion": "codeql-bundle-20220811"
+    "bundleVersion": "codeql-bundle-20221211"
 }
--- a/lib/error-matcher.js
+++ b/lib/error-matcher.js
@@ -12,6 +12,10 @@ exports.namedMatchersForTesting = {
        message: "No code found during the build. Please see:\n" +
            "https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning#no-code-found-during-the-build",
    },
+    fatalError: {
+        outputRegex: new RegExp("A fatal error occurred"),
+        message: "A fatal error occurred.",
+    },
 };
 // we collapse the matches into an array for use in execErrorCatcher
 exports.errorMatchers = Object.values(exports.namedMatchersForTesting);
--- a/lib/error-matcher.js.map
+++ b/lib/error-matcher.js.map
@@ -1 +1 @@
-{"version":3,"file":"error-matcher.js","sourceRoot":"","sources":["../src/error-matcher.ts"],"names":[],"mappings":";;;AAQA,qCAAqC;AACxB,QAAA,uBAAuB,GAAoC;IACtE;;MAEE;IACF,iBAAiB,EAAE;QACjB,QAAQ,EAAE,EAAE;QACZ,WAAW,EAAE,IAAI,MAAM,CAAC,2CAA2C,CAAC;QACpE,OAAO,EACL,+CAA+C;YAC/C,yJAAyJ;KAC5J;CACF,CAAC;AAEF,oEAAoE;AACvD,QAAA,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,+BAAuB,CAAC,CAAC"}
+{"version":3,"file":"error-matcher.js","sourceRoot":"","sources":["../src/error-matcher.ts"],"names":[],"mappings":";;;AAQA,qCAAqC;AACxB,QAAA,uBAAuB,GAAoC;IACtE;;MAEE;IACF,iBAAiB,EAAE;QACjB,QAAQ,EAAE,EAAE;QACZ,WAAW,EAAE,IAAI,MAAM,CAAC,2CAA2C,CAAC;QACpE,OAAO,EACL,+CAA+C;YAC/C,yJAAyJ;KAC5J;IACD,UAAU,EAAE;QACV,WAAW,EAAE,IAAI,MAAM,CAAC,wBAAwB,CAAC;QACjD,OAAO,EAAE,yBAAyB;KACnC;CACF,CAAC;AAEF,oEAAoE;AACvD,QAAA,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,+BAAuB,CAAC,CAAC"}
--- a/lib/error-matcher.test.js
+++ b/lib/error-matcher.test.js
@@ -16,6 +16,9 @@ NB We test the regexes for all the matchers against example log output snippets.
  2020-09-07T17:39:53.9251124Z [2020-09-07 17:39:53] [ERROR] Spawned process exited abnormally (code 255; tried to run: [/opt/hostedtoolcache/CodeQL/0.0.0-20200630/x64/codeql/javascript/tools/autobuild.sh])
  `));
 });
+(0, ava_1.default)("fatalError matches against example log output", async (t) => {
+    t.assert(testErrorMatcher("fatalError", "A fatal error occurred: Could not process query metadata for test-query.ql"));
+});
 function testErrorMatcher(matcherName, logSample) {
    if (!(matcherName in error_matcher_1.namedMatchersForTesting)) {
        throw new Error(`Unknown matcher ${matcherName}`);
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				{"version":3,"file":"count-loc.js","sourceRoot":"","sources":["../src/count-loc.ts"],"names":[],"mappings":";;;AAAA,qDAAyC;AAEzC,2CAAuC;AAGvC,sFAAsF;AACtF,MAAM,iBAAiB,GAA6B;IAClD,CAAC,EAAE,oBAAQ,CAAC,GAAG;IACf,KAAK,EAAE,oBAAQ,CAAC,GAAG;IACnB,IAAI,EAAE,oBAAQ,CAAC,MAAM;IACrB,EAAE,EAAE,oBAAQ,CAAC,EAAE;IACf,IAAI,EAAE,oBAAQ,CAAC,IAAI;IACnB,UAAU,EAAE,oBAAQ,CAAC,UAAU;IAC/B,MAAM,EAAE,oBAAQ,CAAC,MAAM;IACvB,IAAI,EAAE,oBAAQ,CAAC,IAAI;IACnB,UAAU,EAAE,oBAAQ,CAAC,UAAU;CAChC,CAAC;AAEF,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAC7D,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,EAAE;IACnB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;QACd,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;KAChB;IACD,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpB,OAAO,GAAG,CAAC;AACb,CAAC,EACD,EAAgC,CACjC,CAAC;AAEF;;;;;;;;;GASG;AACI,KAAK,UAAU,QAAQ,CAC5B,GAAW,EACX,OAAiB,EACjB,OAAiB,EACjB,WAAuB,EACvB,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAI,wBAAM,CAAC;QAC9B,GAAG;QACH,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACxE,OAAO;QACP,iBAAiB,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;KACvE,CAAC,CAAC,QAAQ,EAAE,CAAC;IAEd,uDAAuD;IACvD,uDAAuD;IACvD,2DAA2D;IAC3D,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CACxD,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE;QAC5B,MAAM,eAAe,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACpD,IAAI,eAAe,IAAI,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE;YAC5D,GAAG,CAAC,eAAe,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC;SAC3D;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,EAA8B,CAC/B,CAAC;IAEF,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE;QAClC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACrC,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE;YAC1D,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,KAAK,KAAK,EAAE,CAAC,CAAC;SACzC;KACF;SAAM;QACL,MAAM,CAAC,IAAI,CACT,2EAA2E;YACzE,gEAAgE;YAChE,4EAA4E;YAC5E,4EAA4E;YAC5E,2EAA2E;YAC3E,6EAA6E;YAC7E,2CAA2C,CAC9C,CAAC;KACH;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AA9CD,4BA8CC"}
				`@@ -1 +0,0 @@`
				{"version":3,"file":"count-loc.test.js","sourceRoot":"","sources":["../src/count-loc.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AAEvB,2CAAuC;AACvC,2CAAuC;AACvC,uCAA4C;AAC5C,mDAA6C;AAE7C,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,2CAA2C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC5D,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,EAAE,EACF,EAAE,EACF,CAAC,oBAAQ,CAAC,GAAG,EAAE,oBAAQ,CAAC,UAAU,CAAC,EACnC,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE;QACnB,GAAG,EAAE,CAAC;QACN,UAAU,EAAE,CAAC;KACd,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,uCAAuC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACxD,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,EAAE,EACF,EAAE,EACF,CAAC,oBAAQ,CAAC,MAAM,CAAC,EACjB,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE;QACnB,MAAM,EAAE,EAAE;KACX,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oDAAoD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrE,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,EAAE,EACF,EAAE,EACF,CAAC,oBAAQ,CAAC,UAAU,EAAE,oBAAQ,CAAC,MAAM,EAAE,SAAqB,CAAC,EAC7D,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE;QACnB,UAAU,EAAE,CAAC;QACb,MAAM,EAAE,CAAC;KACV,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iDAAiD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAClE,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,EAAE,EACF,EAAE,EACF,EAAE,EACF,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,0CAA0C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC3D,gEAAgE;IAChE,4CAA4C;IAC5C,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,CAAC,oBAAoB,CAAC,EACtB,EAAE,EACF,CAAC,oBAAQ,CAAC,UAAU,CAAC,EACrB,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE;QACnB,UAAU,EAAE,EAAE;KACf,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,gDAAgD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACjE,gEAAgE;IAChE,4CAA4C;IAC5C,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,CAAC,YAAY,CAAC,EACd,EAAE,EACF,CAAC,oBAAQ,CAAC,UAAU,CAAC,EACrB,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE;IACnB,wBAAwB;KACzB,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1D,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAQ,EAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,EACpD,EAAE,EACF,CAAC,SAAS,CAAC,EACX,CAAC,oBAAQ,CAAC,UAAU,EAAE,oBAAQ,CAAC,MAAM,CAAC,EACtC,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;IAEF,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE;QACnB,UAAU,EAAE,CAAC;KACd,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}