Merge pull request #2683 from github/backport-v2.28.1-b6a472f63

Merge releases/v3 into releases/v2

.github/actions/check-codescanning-config/action.yml

@@ -61,12 +61,11 @@ runs:
     - name: Check config
       working-directory: ${{ github.action_path }}
       shell: bash
-      env:
-        EXPECTED_CONFIG_FILE_CONTENTS: '${{ inputs.expected-config-file-contents }}'
-      run: ts-node ./index.ts "$RUNNER_TEMP/user-config.yaml" "$EXPECTED_CONFIG_FILE_CONTENTS"
+      run: ts-node ./index.ts "${{ runner.temp }}/user-config.yaml" '${{ inputs.expected-config-file-contents }}'
+
     - name: Clean up
       shell: bash
       if: always()
       run: |
-        rm -rf $RUNNER_TEMP/codescanning-config-cli-test
-        rm -rf $RUNNER_TEMP/user-config.yaml
+        rm -rf ${{ runner.temp }}/codescanning-config-cli-test
+        rm -rf ${{ runner.temp }}/user-config.yaml

.github/actions/check-codescanning-config/index.ts

@@ -8,7 +8,7 @@ const actualConfig = loadActualConfig()
 
 const rawExpectedConfig = process.argv[3].trim()
 if (!rawExpectedConfig) {
-  core.setFailed('No expected configuration provided')
+  core.info('No expected configuration provided')
 } else {
   core.startGroup('Expected generated user config')
   core.info(yaml.dump(JSON.parse(rawExpectedConfig)))

.github/actions/check-sarif/action.yml

@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: node20
+  using: node16
   main: index.js

.github/actions/prepare-test/action.yml

@@ -29,27 +29,24 @@ runs:
     - id: get-url
       name: Determine URL
       shell: bash
-      env:
-        VERSION: ${{ inputs.version }}
-        USE_ALL_PLATFORM_BUNDLE: ${{ inputs.use-all-platform-bundle }}
       run: |
         set -e # Fail this Action if `gh release list` fails.
 
-        if [[ "$VERSION" == "linked" ]]; then
+        if [[ ${{ inputs.version }} == "linked" ]]; then
           echo "tools-url=linked" >> "$GITHUB_OUTPUT"
           exit 0
-        elif [[ "$VERSION" == "default" ]]; then
+        elif [[ ${{ inputs.version }} == "default" ]]; then
           echo "tools-url=" >> "$GITHUB_OUTPUT"
           exit 0
         fi
 
-        if [[ "$VERSION" == "nightly-latest" && "$RUNNER_OS" != "Windows" ]]; then
+        if [[ ${{ inputs.version }} == "nightly-latest" && "$RUNNER_OS" != "Windows" ]]; then
           extension="tar.zst"
         else
           extension="tar.gz"
         fi
 
-        if [[ "$USE_ALL_PLATFORM_BUNDLE" == "true" ]]; then
+        if [[ ${{ inputs.use-all-platform-bundle }} == "true" ]]; then
           artifact_name="codeql-bundle.$extension"
         elif [[ "$RUNNER_OS" == "Linux" ]]; then
           artifact_name="codeql-bundle-linux64.$extension"
@@ -62,14 +59,14 @@ runs:
           exit 1
         fi
 
-        if [[ "$VERSION" == "nightly-latest" ]]; then
+        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
           tag=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
           echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ "$VERSION" == *"nightly"* ]]; then
-          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
+        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
+          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
           echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ "$VERSION" == *"stable"* ]]; then
-          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
+        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
+          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
           echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
         else
           echo "::error::Unrecognized version specified!"

.github/actions/release-branches/action.yml

@@ -18,11 +18,8 @@ runs:
   using: "composite"
   steps:
     - id: branches
-      env:
-        MAJOR_VERSION: ${{ inputs.major_version }}
-        LATEST_TAG: ${{ inputs.latest_tag }}
       run: |
         python ${{ github.action_path }}/release-branches.py \
-            --major-version "$MAJOR_VERSION" \
-            --latest-tag "$LATEST_TAG"
+            --major-version ${{ inputs.major_version }} \
+            --latest-tag ${{ inputs.latest_tag }}
       shell: bash

.github/codeql/codeql-actions-config.yml

@@ -1,4 +0,0 @@
-# Configuration for the CodeQL Actions Queries
-name: "CodeQL Actions Queries config"
-queries:
-  - uses: security-and-quality

.github/copilot-instructions.md

@@ -1,5 +0,0 @@
-# CodeQL Action - Copilot Instructions
-
-The CodeQL Action is written in TypeScript and compiled to JavaScript. Both the TypeScript sources and the **generated** JavaScript code are contained in this repository. The TypeScript sources are contained in the `src` directory and the JavaScript code is contained in the `lib` directory. A GitHub Actions workflow checks that the JavaScript code in `lib` is up-to-date. Therefore, you should not review any changes to the contents of the `lib` folder and it is expected that the JavaScript code in `lib` closely mirrors the TypeScript code it is generated from.
-
-GitHub Actions workflows in the `.github/workflows` directory whose filenames start with two underscores (e.g. `__all-platform-bundle.yml`) are automatically generated using the `pr-checks/sync.sh` script from template files in the `pr-checks/checks` directory. Therefore, you do not need to review files in the `.github/workflows` directory that starts with two underscores. However, you should review changes to the `pr-checks` directory as well as workflows in the `.github/workflows` directory that do not start with underscores.

.github/dependabot.yml

@@ -2,6 +2,8 @@ version: 2
 updates:
   - package-ecosystem: npm
     directory: "/"
+    reviewers:
+      - "github/codeql-production-shield"
     schedule:
       interval: weekly
     labels:
@@ -24,6 +26,8 @@ updates:
           - "*"
   - package-ecosystem: github-actions
     directory: "/"
+    reviewers:
+      - "github/codeql-production-shield"
     schedule:
       interval: weekly
     groups:
@@ -32,6 +36,8 @@ updates:
           - "*"
   - package-ecosystem: github-actions
     directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
+    reviewers:
+      - "github/codeql-production-shield"
     schedule:
       interval: weekly
     groups:

.github/releases.ini

@@ -1 +1 @@
-OLDEST_SUPPORTED_MAJOR_VERSION=3
+OLDEST_SUPPORTED_MAJOR_VERSION=2

.github/workflows/__all-platform-bundle.yml

@@ -32,10 +32,15 @@ jobs:
     name: All-platform bundle
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -45,11 +50,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'true'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - id: init
         uses: ./../action/init
         with:

.github/workflows/__analyze-ref-input.yml

@@ -36,10 +36,15 @@ jobs:
     name: "Analyze: 'ref' and 'sha' from inputs"
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -49,11 +54,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__autobuild-action.yml

@@ -36,10 +36,15 @@ jobs:
     name: autobuild-action
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -38,10 +38,15 @@ jobs:
     name: Autobuild direct tracing (custom working directory)
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__autobuild-direct-tracing.yml

@@ -38,10 +38,15 @@ jobs:
     name: Autobuild direct tracing
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__build-mode-autobuild.yml

@@ -32,10 +32,15 @@ jobs:
     name: Build mode autobuild
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__build-mode-manual.yml

@@ -32,10 +32,15 @@ jobs:
     name: Build mode manual
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -45,11 +50,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__build-mode-none.yml

@@ -34,10 +34,15 @@ jobs:
     name: Build mode none
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__build-mode-rollback.yml

@@ -32,10 +32,15 @@ jobs:
     name: Build mode rollback
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -32,10 +32,15 @@ jobs:
     name: Clean up database cluster directory
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__config-export.yml

@@ -42,10 +42,15 @@ jobs:
     name: Config export
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__config-input.yml

@@ -32,10 +32,15 @@ jobs:
     name: Config input
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__cpp-deptrace-disabled.yml

@@ -36,10 +36,15 @@ jobs:
     name: 'C/C++: disabling autoinstalling dependencies (Linux)'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__cpp-deptrace-enabled-on-macos.yml

@@ -27,17 +27,20 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: macos-latest
-            version: linked
           - os: macos-latest
             version: nightly-latest
     name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__cpp-deptrace-enabled.yml

@@ -36,10 +36,15 @@ jobs:
     name: 'C/C++: autoinstalling dependencies (Linux)'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__diagnostics-export.yml

@@ -42,10 +42,15 @@ jobs:
     name: Diagnostic export
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__export-file-baseline-information.yml

@@ -36,10 +36,15 @@ jobs:
     name: Export file baseline information
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -49,11 +54,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__extract-direct-to-toolcache.yml

@@ -36,10 +36,15 @@ jobs:
     name: Extract directly to toolcache
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__extractor-ram-threads.yml

@@ -32,10 +32,15 @@ jobs:
     name: Extractor ram and threads options test
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__go-custom-queries.yml

@@ -34,10 +34,15 @@ jobs:
     name: 'Go: Custom queries'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -47,11 +52,9 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
+      - uses: actions/setup-go@v5
         with:
           go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         with:
           languages: go

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -32,10 +32,15 @@ jobs:
     name: 'Go: diagnostic when Go is changed after init step'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -45,11 +50,10 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
+      - uses: actions/setup-go@v5
         with:
+      # We need a Go version that ships with statically linked binaries on Linux
           go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         with:
           languages: go

.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml

@@ -32,10 +32,15 @@ jobs:
     name: 'Go: diagnostic when `file` is not installed'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -45,11 +50,10 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
+      - uses: actions/setup-go@v5
         with:
+      # We need a Go version that ships with statically linked binaries on Linux
           go-version: '>=1.21.0'
-          cache: false
       - name: Remove `file` program
         run: |
           echo $(which file)

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -32,10 +32,15 @@ jobs:
     name: 'Go: workaround for indirect tracing'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -45,11 +50,10 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
+      - uses: actions/setup-go@v5
         with:
+      # We need a Go version that ships with statically linked binaries on Linux
           go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         with:
           languages: go

.github/workflows/__go-tracing-autobuilder.yml

@@ -27,6 +27,10 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          - os: ubuntu-latest
+            version: stable-v2.15.5
+          - os: macos-latest
+            version: stable-v2.15.5
           - os: ubuntu-latest
             version: stable-v2.16.6
           - os: macos-latest
@@ -43,10 +47,6 @@ jobs:
             version: stable-v2.19.4
           - os: macos-latest
             version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
           - os: ubuntu-latest
             version: default
           - os: macos-latest
@@ -62,10 +62,15 @@ jobs:
     name: 'Go: tracing with autobuilder step'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -75,10 +80,11 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
+      - uses: actions/setup-go@v5
         with:
-          go-version: '>=1.21.0'
+          go-version: ~1.23.0
+      # to avoid potentially misleading autobuilder results where we expect it to download
+      # dependencies successfully, but they actually come from a warm cache
           cache: false
       - uses: ./../action/init
         with:

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -27,6 +27,10 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          - os: ubuntu-latest
+            version: stable-v2.15.5
+          - os: macos-latest
+            version: stable-v2.15.5
           - os: ubuntu-latest
             version: stable-v2.16.6
           - os: macos-latest
@@ -43,10 +47,6 @@ jobs:
             version: stable-v2.19.4
           - os: macos-latest
             version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
           - os: ubuntu-latest
             version: default
           - os: macos-latest
@@ -62,10 +62,15 @@ jobs:
     name: 'Go: tracing with custom build steps'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -75,10 +80,11 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
+      - uses: actions/setup-go@v5
         with:
-          go-version: '>=1.21.0'
+          go-version: ~1.23.0
+      # to avoid potentially misleading autobuilder results where we expect it to download
+      # dependencies successfully, but they actually come from a warm cache
           cache: false
       - uses: ./../action/init
         with:

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -27,6 +27,10 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          - os: ubuntu-latest
+            version: stable-v2.15.5
+          - os: macos-latest
+            version: stable-v2.15.5
           - os: ubuntu-latest
             version: stable-v2.16.6
           - os: macos-latest
@@ -43,10 +47,6 @@ jobs:
             version: stable-v2.19.4
           - os: macos-latest
             version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
           - os: ubuntu-latest
             version: default
           - os: macos-latest
@@ -62,10 +62,15 @@ jobs:
     name: 'Go: tracing with legacy workflow'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -75,10 +80,11 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
+      - uses: actions/setup-go@v5
         with:
-          go-version: '>=1.21.0'
+          go-version: ~1.23.0
+      # to avoid potentially misleading autobuilder results where we expect it to download
+      # dependencies successfully, but they actually come from a warm cache
           cache: false
       - uses: ./../action/init
         with:

.github/workflows/__init-with-registries.yml

@@ -53,6 +53,11 @@ jobs:
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__javascript-source-root.yml

@@ -36,10 +36,15 @@ jobs:
     name: Custom source root
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__job-run-uuid-sarif.yml

@@ -32,10 +32,15 @@ jobs:
     name: Job run UUID added to SARIF
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__language-aliases.yml

@@ -32,10 +32,15 @@ jobs:
     name: Language aliases
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__multi-language-autodetect.yml

@@ -27,6 +27,10 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          - os: macos-latest
+            version: stable-v2.15.5
+          - os: ubuntu-latest
+            version: stable-v2.15.5
           - os: macos-latest
             version: stable-v2.16.6
           - os: ubuntu-latest
@@ -43,10 +47,6 @@ jobs:
             version: stable-v2.19.4
           - os: ubuntu-latest
             version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.20.7
           - os: macos-latest
             version: default
           - os: ubuntu-latest
@@ -62,10 +62,15 @@ jobs:
     name: Multi-language repository
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -75,11 +80,10 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
+      - uses: actions/setup-go@v5
         with:
           go-version: '>=1.21.0'
-          cache: false
+
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -48,10 +48,15 @@ jobs:
     name: 'Packaging: Config and input passed to the CLI'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -61,11 +66,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__packaging-config-inputs-js.yml

@@ -48,10 +48,15 @@ jobs:
     name: 'Packaging: Config and input'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -61,11 +66,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__packaging-config-js.yml

@@ -48,10 +48,15 @@ jobs:
     name: 'Packaging: Config file'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -61,11 +66,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging.yml

.github/workflows/__packaging-inputs-js.yml

@@ -48,10 +48,15 @@ jobs:
     name: 'Packaging: Action input'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -61,11 +66,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging2.yml

.github/workflows/__quality-queries.yml

@@ -1,100 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Quality queries input
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  quality-queries:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Quality queries input
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          quality-queries: code-quality
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check config properties appear in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-            const configSummary = run.properties.codeqlConfigSummary;
-
-            if (configSummary === undefined) {
-              core.setFailed('`codeqlConfigSummary` property not found in the SARIF run property bag.');
-            }
-            if (configSummary.disableDefaultQueries !== false) {
-              core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' +
-                `${JSON.stringify(configSummary.disableDefaultQueries)}.`);
-            }
-            const expectedQueries = [{ type: 'builtinSuite', uses: 'code-quality' }];
-            // Use JSON.stringify to deep-equal the arrays.
-            if (JSON.stringify(configSummary.queries) !== JSON.stringify(expectedQueries)) {
-              core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` +
-                `${JSON.stringify(configSummary.queries)}.`);
-            }
-            core.info('Finished config export tests.');
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__remote-config.yml

@@ -34,10 +34,15 @@ jobs:
     name: Remote config file
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -47,11 +52,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__resolve-environment-action.yml

@@ -48,10 +48,15 @@ jobs:
     name: Resolve environment
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__rubocop-multi-language.yml

@@ -32,10 +32,15 @@ jobs:
     name: RuboCop multi-language
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -46,7 +51,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 # v1.245.0
+        uses: ruby/setup-ruby@v1
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/__ruby.yml

@@ -42,10 +42,15 @@ jobs:
     name: Ruby analysis
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__rust.yml

@@ -1,71 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Rust analysis
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  rust:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Rust analysis
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: rust
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-        env:
-          CODEQL_ACTION_RUST_ANALYSIS: true
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        shell: bash
-        run: |
-          RUST_DB="${{ fromJson(steps.analysis.outputs.db-locations).rust }}"
-          if [[ ! -d "$RUST_DB" ]]; then
-            echo "Did not create a database for Rust."
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__split-workflow.yml

@@ -42,10 +42,15 @@ jobs:
     name: Split workflow
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -55,11 +60,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__start-proxy.yml

@@ -36,10 +36,15 @@ jobs:
     name: Start proxy
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__submit-sarif-failure.yml

@@ -36,11 +36,15 @@ jobs:
     name: Submit SARIF after failure
     permissions:
       contents: read
-      security-events: write # needed to upload the SARIF file
-
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__swift-autobuild.yml

@@ -32,10 +32,15 @@ jobs:
     name: Swift analysis using autobuild
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__swift-custom-build.yml

@@ -36,10 +36,15 @@ jobs:
     name: Swift analysis using a custom build command
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -49,11 +54,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__test-autobuild-working-dir.yml

@@ -32,10 +32,15 @@ jobs:
     name: Autobuild working directory
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__test-local-codeql.yml

@@ -32,10 +32,15 @@ jobs:
     name: Local CodeQL bundle
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -45,11 +50,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - name: Fetch a CodeQL bundle
         shell: bash
         env:

.github/workflows/__test-proxy.yml

@@ -34,7 +34,7 @@ jobs:
     name: Proxy test
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -50,6 +50,11 @@ jobs:
           apt-add-repository https://cli.github.com/packages
           apt install -y gh
         env: {}
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__unset-environment.yml

@@ -34,10 +34,15 @@ jobs:
     name: Test unsetting environment variables
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -47,11 +52,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         id: init
         with:
@@ -59,6 +59,9 @@ jobs:
       # Swift is not supported on Ubuntu so we manually exclude it from the list here
           languages: cpp,csharp,go,java,javascript,python,ruby
           tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '>=1.21.0'
       - name: Build code
         shell: bash
         run: env -i PATH="$PATH" HOME="$HOME" ./build.sh

.github/workflows/__upload-ref-sha-input.yml

@@ -36,10 +36,15 @@ jobs:
     name: "Upload-sarif: 'ref' and 'sha' from inputs"
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -49,11 +54,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__with-checkout-path.yml

@@ -36,10 +36,15 @@ jobs:
     name: Use a custom `checkout_path`
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test
@@ -49,11 +54,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
       - name: Delete original checkout
         shell: bash
         run: |

.github/workflows/__zstd-bundle-streaming.yml

@@ -34,10 +34,15 @@ jobs:
     name: Zstandard bundle (streaming)
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/__zstd-bundle.yml

@@ -36,10 +36,15 @@ jobs:
     name: Zstandard bundle
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Setup Python on macOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
       - name: Check out repository
         uses: actions/checkout@v4
       - name: Prepare test

.github/workflows/check-expected-release-files.yml

@@ -13,9 +13,6 @@ jobs:
   check-expected-release-files:
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout CodeQL Action
         uses: actions/checkout@v4

.github/workflows/codeql.yml

@@ -24,7 +24,7 @@ jobs:
       versions: ${{ steps.compare.outputs.versions }}
 
     permissions:
-      contents: read
+      security-events: write
 
     steps:
     - uses: actions/checkout@v4
@@ -70,17 +70,16 @@ jobs:
         echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
         echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT
 
-  analyze-javascript:
+  build:
     needs: [check-codeql-versions]
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
+        os: [ubuntu-20.04,ubuntu-22.04,windows-2019,windows-2022,macos-13,macos-14]
         tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 
     permissions:
-      contents: read
       security-events: write
 
     steps:
@@ -100,27 +99,3 @@ jobs:
       uses: ./analyze
       with:
         category: "/language:javascript"
-
-
-  analyze-actions:
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-
-    permissions:
-      contents: read
-      security-events: write
-
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - name: Initialize CodeQL
-      uses: ./init
-      with:
-        languages: actions
-        config-file: ./.github/codeql/codeql-actions-config.yml
-    - name: Perform CodeQL Analysis
-      uses: ./analyze
-      with:
-        category: "/language:actions"

.github/workflows/codescanning-config-cli.yml

@@ -3,9 +3,6 @@
 name: Code-Scanning config CLI tests
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  # Diff informed queries add an additional query filter which is not yet
-  # taken into account by these tests.
-  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
 
 on:
   push:
@@ -26,11 +23,6 @@ jobs:
   code-scanning-config-tests:
     continue-on-error: true
 
-    permissions:
-      contents: read
-      packages: read
-      security-events: read
-
     strategy:
       fail-fast: false
       matrix:

.github/workflows/debug-artifacts-failure-safe.yml

@@ -1,102 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist
-# when the analyze step fails.
-name: PR Check - Debug artifacts after failure
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.20.3
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts after failure in analyze
-    continue-on-error: true
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    permissions:
-      contents: read
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Dump GitHub event
-        run: cat "${GITHUB_EVENT_PATH}"
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-        env:
-          # Forces a failure in this step.
-          CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
-        with:
-          expect-error: true
-  download-and-check-artifacts:
-    name: Download and check debug artifacts after failure in analyze
-    needs: upload-artifacts
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            echo "Artifacts from version $version:"
-            pushd "./my-debug-artifacts-${version//./}"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
-                echo "Missing a partial database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "log" ]] ; then
-                echo "Missing database initialization logs"
-                exit 1
-              fi
-              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto

.github/workflows/debug-artifacts-failure.yml

@@ -0,0 +1,87 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist
+# when the analyze step fails.
+name: PR Check - Debug artifacts after failure
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v*
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    name: Upload debug artifacts after failure in analyze
+    continue-on-error: true
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dump GitHub event
+        run: cat "${GITHUB_EVENT_PATH}"
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: linked
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ^1.13.1
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis
+        env:
+          # Forces a failure in this step.
+          CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
+        with:
+          expect-error: true
+  download-and-check-artifacts:
+    name: Download and check debug artifacts after failure in analyze
+    needs: upload-artifacts
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          LANGUAGES="cpp csharp go java javascript python"
+          cd "./my-debug-artifacts"
+          echo "Artifacts from run:"
+          for language in $LANGUAGES; do
+            echo "- Checking $language"
+            if [[ ! -f "my-db-$language-partial.zip" ]] ; then
+              echo "Missing a partial database bundle for $language"
+              exit 1
+            fi
+            if [[ ! -d "log" ]] ; then
+              echo "Missing database initialization logs"
+              exit 1
+            fi
+            if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
+              echo "Missing logs for $language"
+              exit 1
+            fi
+          done
+        env:
+          GO111MODULE: auto

.github/workflows/debug-artifacts-safe.yml

@@ -1,97 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist.
-name: PR Check - Debug artifact upload
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.20.3
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        id: init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
-          languages: cpp,csharp,go,java,javascript,python,ruby
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-  download-and-check-artifacts:
-    name: Download and check debug artifacts
-    needs: upload-artifacts
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          VERSIONS="stable-v2.20.3 default linked nightly-latest"
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            pushd "./my-debug-artifacts-${version//./}"
-            echo "Artifacts from version $version:"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "$language.sarif" ]] ; then
-                echo "Missing a SARIF file for $language"
-                exit 1
-              fi
-              if [[ ! -f "my-db-$language.zip" ]] ; then
-                echo "Missing a database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto

.github/workflows/debug-artifacts.yml

@@ -0,0 +1,97 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist.
+name: PR Check - Debug artifact upload
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v*
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+        - stable-v2.15.5
+        - stable-v2.16.6
+        - stable-v2.17.6
+        - stable-v2.18.4
+        - stable-v2.19.4
+        - default
+        - linked
+        - nightly-latest
+    name: Upload debug artifacts
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ^1.13.1
+      - uses: ./../action/init
+        id: init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
+          languages: cpp,csharp,go,java,javascript,python,ruby
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis
+  download-and-check-artifacts:
+    name: Download and check debug artifacts
+    needs: upload-artifacts
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          VERSIONS="stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 stable-v2.18.4 stable-v2.19.4 default linked nightly-latest"
+          LANGUAGES="cpp csharp go java javascript python"
+          for version in $VERSIONS; do
+            pushd "./my-debug-artifacts-${version//./}"
+            echo "Artifacts from version $version:"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "$language.sarif" ]] ; then
+                echo "Missing a SARIF file for $language"
+                exit 1
+              fi
+              if [[ ! -f "my-db-$language.zip" ]] ; then
+                echo "Missing a database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
+            done
+            popd
+          done
+        env:
+          GO111MODULE: auto

.github/workflows/expected-queries-runs.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     steps:
     - name: Check out repository
       uses: actions/checkout@v4

.github/workflows/post-release-mergeback.yml

@@ -27,10 +27,6 @@ jobs:
       BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
       HEAD_BRANCH: "${{ github.head_ref || github.ref }}"
 
-    permissions:
-      contents: write # needed to create tags and push commits
-      pull-requests: write
-
     steps:
       - name: Dump environment
         run: env
@@ -168,7 +164,7 @@ jobs:
             --draft
 
       - name: Generate token
-        uses: actions/create-github-app-token@v2.0.6
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/pr-checks.yml

@@ -15,10 +15,12 @@ jobs:
     timeout-minutes: 45
     permissions:
       contents: read
-      security-events: write # needed to upload ESLint results
+      security-events: write
 
     strategy:
       fail-fast: false
+      matrix:
+        node-types-version: [16.11, current] # we backport this matrix job in order to maintain the same check names
 
     steps:
       - name: Checkout
@@ -30,18 +32,41 @@ jobs:
 
       - name: Upload sarif
         uses: github/codeql-action/upload-sarif@v3
+        # Only upload SARIF for the latest version of Node.js
+        if: "!cancelled() && matrix.node-types-version == 'current' && !startsWith(github.head_ref, 'dependabot/')"
         with:
           sarif_file: eslint.sarif
           category: eslint
 
+      - name: Update version of @types/node
+        if: matrix.node-types-version != 'current'
+        env:
+          NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
+        run: |
+          # Export `NODE_TYPES_VERSION` so it's available to jq
+          export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
+          contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
+          echo "${contents}" > package.json
+          # Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
+          # However we're not checking in the updated lockfile here, so it's fine to run
+          # `npm install` on Linux.
+          npm install
+
+          if [ ! -z "$(git status --porcelain)" ]; then
+            git config --global user.email "github-actions@github.com"
+            git config --global user.name "github-actions[bot]"
+            # The period in `git add --all .` ensures that we stage deleted files too.
+            git add --all .
+            git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
+          fi
+
       - name: Check generated JS
+        if: matrix.node-types-version != 'current' # we do not need to test the newer node on the v2 branch
         run: .github/workflows/script/check-js.sh
 
   check-node-modules:
     if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
     name: Check modules up to date
-    permissions:
-      contents: read
     runs-on: macos-latest
     timeout-minutes: 45
 
@@ -53,8 +78,6 @@ jobs:
   check-file-contents:
     if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
     name: Check file contents
-    permissions:
-      contents: read
     runs-on: ubuntu-latest
     timeout-minutes: 45
 
@@ -85,8 +108,6 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-    permissions:
-      contents: read
     runs-on: ${{ matrix.os }}
     timeout-minutes: 45
 
@@ -107,9 +128,6 @@ jobs:
     env:
       BASE_REF: ${{ github.base_ref }}
 
-    permissions:
-      contents: read
-
     steps:
       - uses: actions/checkout@v4
       - id: head-version

.github/workflows/python312-windows.yml

@@ -17,8 +17,6 @@ jobs:
     env:
       CODEQL_ACTION_TEST_MODE: true
     timeout-minutes: 45
-    permissions:
-      contents: read
     runs-on: windows-latest
 
     steps:

.github/workflows/query-filters.yml

@@ -20,8 +20,6 @@ jobs:
     name: Query Filters Tests
     timeout-minutes: 45
     runs-on: ubuntu-latest
-    permissions:
-      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
     steps:
     - name: Check out repository
       uses: actions/checkout@v4

.github/workflows/rebuild.yml

@@ -11,9 +11,6 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.label.name == 'Rebuild'
 
-    permissions:
-      contents: write # needed to push rebuilt commit
-      pull-requests: write # needed to comment on the PR
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/test-codeql-bundle-all.yml

@@ -27,7 +27,7 @@ jobs:
     name: 'CodeQL Bundle All'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/update-bundle.yml

@@ -17,9 +17,6 @@ jobs:
   update-bundle:
     if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
     runs-on: ubuntu-latest
-    permissions:
-      contents: write # needed to push commits
-      pull-requests: write # needed to create pull requests
     steps:
       - name: Dump environment
         run: env

.github/workflows/update-dependencies.yml

@@ -9,9 +9,6 @@ jobs:
     timeout-minutes: 45
     runs-on: macos-latest
     if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
-    permissions:
-      contents: write # needed to push the updated dependencies
-      pull-requests: write # needed to comment on the PR
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4

.github/workflows/update-proxy-release.yml

@@ -1,101 +0,0 @@
-name: Update dependency proxy release assets
-on:
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "The tag of CodeQL Bundle release that contains the proxy binaries as release assets"
-        type: string
-        required: true
-
-jobs:
-  update:
-    name: Update code and create PR
-    timeout-minutes: 15
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write # needed to push the updated files
-      pull-requests: write # needed to create the PR
-    env:
-      RELEASE_TAG: ${{ inputs.tag }}
-    steps:
-      - name: Check release tag format
-        id: checks
-        shell: bash
-        run: |
-          if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format."
-            exit 1
-          fi
-
-          echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT
-
-      - name: Check that the release exists
-        shell: bash
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-        run: |
-          (gh release view --repo "$GITHUB_REPOSITORY" --json "assets" "$RELEASE_TAG" && echo "Release found.") || exit 1
-
-      - name: Install Node
-        uses: actions/setup-node@v4
-
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # ensure we have all tags and can push commits
-          ref: main
-
-      - name: Update git config
-        shell: bash
-        run: |
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
-
-      - name: Update release tag and version
-        shell: bash
-        run: |
-          NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
-          sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts
-          sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts
-
-      - name: Compile TypeScript and commit changes
-        shell: bash
-        env:
-          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
-        run: |
-          set -exu
-          git checkout -b "$TARGET_BRANCH"
-
-          npm run build
-          git add ./src/start-proxy-action.ts
-          git add ./lib
-          git commit -m "Update release used by \`start-proxy\` action"
-
-      - name: Push changes and open PR
-        shell: bash
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
-          PR_FLAG: ${{ (github.event_name == 'workflow_dispatch' && '--draft') || '--dry-run' }}
-        run: |
-          set -exu
-          pr_title="Update release used by \`start-proxy\` to \`$RELEASE_TAG\`"
-          pr_body=$(cat << EOF
-            This PR updates the \`start-proxy\` action to use the private registry proxy binaries that
-            are attached as release assets to the \`$RELEASE_TAG\` release.
-
-
-            Please do the following before merging:
-
-            - [ ] Verify that the changes to the code are correct.
-            - [ ] Mark the PR as ready for review to trigger the CI.
-          EOF
-          )
-
-          git push origin "$TARGET_BRANCH"
-          gh pr create \
-            --head "$TARGET_BRANCH" \
-            --base "main" \
-            --title "${pr_title}" \
-            --body "${pr_body}" \
-            $PR_FLAG

.github/workflows/update-release-branch.yml

@@ -22,8 +22,6 @@ jobs:
       latest_tag: ${{ steps.versions.outputs.latest_tag }}
       backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
       backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
-    permissions:
-      contents: read
     steps:
     - uses: actions/checkout@v4
       with:
@@ -65,9 +63,6 @@ jobs:
       REPOSITORY: "${{ github.repository }}"
       MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
       LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
-    permissions:
-      contents: write # needed to push commits
-      pull-requests: write # needed to create pull request
     steps:
     - uses: actions/checkout@v4
       with:
@@ -119,12 +114,9 @@ jobs:
     env:
       SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
       TARGET_BRANCH: ${{ matrix.target_branch }}
-    permissions:
-      contents: write # needed to push commits
-      pull-requests: write # needed to create pull request
     steps:
     - name: Generate token
-      uses: actions/create-github-app-token@v2.0.6
+      uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755
       id: app-token
       with:
         app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -10,23 +10,20 @@ jobs:
     name: Update Supported Enterprise Server Versions
     timeout-minutes: 45
     runs-on: ubuntu-latest
-    if: github.repository == 'github/codeql-action'
-    permissions:
-      contents: write # needed to push commits
-      pull-requests: write # needed to create pull request
+    if: ${{ github.repository == 'github/codeql-action' }}
 
     steps:
       - name: Setup Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.13"
+          python-version: "3.7"
       - name: Checkout CodeQL Action
         uses: actions/checkout@v4
       - name: Checkout Enterprise Releases
         uses: actions/checkout@v4
         with:
           repository: github/enterprise-releases
-          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
+          ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}
           path: ${{ github.workspace }}/enterprise-releases/
       - name: Update Supported Enterprise Server Versions
         run: |

.pre-commit-config.yaml

@@ -1,20 +1,20 @@
 repos:
   - repo: local
     hooks:
-      - id: lint-ts
-        name: Lint typescript code
-        files: \.ts$
-        language: system
-        entry: npm run lint -- --fix
       - id: compile-ts
         name: Compile typescript
         files: \.[tj]s$
         language: system
         entry: npm run build
         pass_filenames: false
+      - id: lint-ts
+        name: Lint typescript code
+        files: \.ts$
+        language: system
+        entry: npm run lint -- --fix
       - id: pr-checks-sync
         name: Synchronize PR check workflows
         files: ^.github/workflows/__.*\.yml$|^pr-checks
         language: system
-        entry: pr-checks/sync.sh
+        entry: python3 pr-checks/sync.py
         pass_filenames: false

CHANGELOG.md

@@ -2,372 +2,276 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## [UNRELEASED]
+**This is the last planned release of the `v2`. To continue getting updates for the CodeQL Action, please switch to `v3`.**
 
-- Fix bug in PR analysis where user-provided `include` query filter fails to exclude non-included queries. [#2938](https://github.com/github/codeql-action/pull/2938)
-
-## 3.29.0 - 11 Jun 2025
-
-- Update default CodeQL bundle version to 2.22.0. [#2925](https://github.com/github/codeql-action/pull/2925)
-- Bump minimum CodeQL bundle version to 2.16.6. [#2912](https://github.com/github/codeql-action/pull/2912)
-
-## 3.28.19 - 03 Jun 2025
-
-- The CodeQL Action no longer includes its own copy of the extractor for the `actions` language, which is currently in public preview.
-  The `actions` extractor has been included in the CodeQL CLI since v2.20.6. If your workflow has enabled the `actions` language _and_ you have pinned
-  your `tools:` property to a specific version of the CodeQL CLI earlier than v2.20.6, you will need to update to at least CodeQL v2.20.6 or disable
-  `actions` analysis.
-- Update default CodeQL bundle version to 2.21.4. [#2910](https://github.com/github/codeql-action/pull/2910)
-
-## 3.28.18 - 16 May 2025
-
-- Update default CodeQL bundle version to 2.21.3. [#2893](https://github.com/github/codeql-action/pull/2893)
-- Skip validating SARIF produced by CodeQL for improved performance. [#2894](https://github.com/github/codeql-action/pull/2894)
-- The number of threads and amount of RAM used by CodeQL can now be set via the `CODEQL_THREADS` and `CODEQL_RAM` runner environment variables. If set, these environment variables override the `threads` and `ram` inputs respectively. [#2891](https://github.com/github/codeql-action/pull/2891)
-
-## 3.28.17 - 02 May 2025
-
-- Update default CodeQL bundle version to 2.21.2. [#2872](https://github.com/github/codeql-action/pull/2872)
-
-## 3.28.16 - 23 Apr 2025
-
-- Update default CodeQL bundle version to 2.21.1. [#2863](https://github.com/github/codeql-action/pull/2863)
-
-## 3.28.15 - 07 Apr 2025
-
-- Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. [#2842](https://github.com/github/codeql-action/pull/2842)
-
-## 3.28.14 - 07 Apr 2025
-
-- Update default CodeQL bundle version to 2.21.0. [#2838](https://github.com/github/codeql-action/pull/2838)
-
-## 3.28.13 - 24 Mar 2025
-
-No user facing changes.
-
-## 3.28.12 - 19 Mar 2025
-
-- Dependency caching should now cache more dependencies for Java `build-mode: none` extractions. This should speed up workflows and avoid inconsistent alerts in some cases.
-- Update default CodeQL bundle version to 2.20.7. [#2810](https://github.com/github/codeql-action/pull/2810)
-
-## 3.28.11 - 07 Mar 2025
-
-- Update default CodeQL bundle version to 2.20.6. [#2793](https://github.com/github/codeql-action/pull/2793)
-
-## 3.28.10 - 21 Feb 2025
-
-- Update default CodeQL bundle version to 2.20.5. [#2772](https://github.com/github/codeql-action/pull/2772)
-- Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. [#2768](https://github.com/github/codeql-action/pull/2768)
-
-## 3.28.9 - 07 Feb 2025
-
-- Update default CodeQL bundle version to 2.20.4. [#2753](https://github.com/github/codeql-action/pull/2753)
-
-## 3.28.8 - 29 Jan 2025
-
-- Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. [#2744](https://github.com/github/codeql-action/pull/2744)
-
-## 3.28.7 - 29 Jan 2025
-
-No user facing changes.
-
-## 3.28.6 - 27 Jan 2025
-
-- Re-enable debug artifact upload for CLI versions 2.20.3 or greater. [#2726](https://github.com/github/codeql-action/pull/2726)
-
-## 3.28.5 - 24 Jan 2025
-
-- Update default CodeQL bundle version to 2.20.3. [#2717](https://github.com/github/codeql-action/pull/2717)
-
-## 3.28.4 - 23 Jan 2025
-
-No user facing changes.
-
-## 3.28.3 - 22 Jan 2025
-
-- Update default CodeQL bundle version to 2.20.2. [#2707](https://github.com/github/codeql-action/pull/2707)
-- Fix an issue downloading the CodeQL Bundle from a GitHub Enterprise Server instance which occurred when the CodeQL Bundle had been synced to the instance using the [CodeQL Action sync tool](https://github.com/github/codeql-action-sync-tool) and the Actions runner did not have Zstandard installed. [#2710](https://github.com/github/codeql-action/pull/2710)
-- Uploading debug artifacts for CodeQL analysis is temporarily disabled. [#2712](https://github.com/github/codeql-action/pull/2712)
-
-## 3.28.2 - 21 Jan 2025
-
-No user facing changes.
-
-## 3.28.1 - 10 Jan 2025
+## 2.28.1 - 10 Jan 2025
 
 - CodeQL Action v2 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v3. For more information, see [this changelog post](https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/). [#2677](https://github.com/github/codeql-action/pull/2677)
 - Update default CodeQL bundle version to 2.20.1. [#2678](https://github.com/github/codeql-action/pull/2678)
 
-## 3.28.0 - 20 Dec 2024
+## 2.28.0 - 20 Dec 2024
 
 - Bump the minimum CodeQL bundle version to 2.15.5. [#2655](https://github.com/github/codeql-action/pull/2655)
 - Don't fail in the unusual case that a file is on the search path. [#2660](https://github.com/github/codeql-action/pull/2660).
 
-## 3.27.9 - 12 Dec 2024
+## 2.27.9 - 12 Dec 2024
 
 No user facing changes.
 
-## 3.27.8 - 12 Dec 2024
+## 2.27.8 - 12 Dec 2024
 
 - Fixed an issue where streaming the download and extraction of the CodeQL bundle did not respect proxy settings. [#2624](https://github.com/github/codeql-action/pull/2624)
 
-## 3.27.7 - 10 Dec 2024
+## 2.27.7 - 10 Dec 2024
 
 - We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. [#2631](https://github.com/github/codeql-action/pull/2631)
 - Update default CodeQL bundle version to 2.20.0. [#2636](https://github.com/github/codeql-action/pull/2636)
 
-## 3.27.6 - 03 Dec 2024
+## 2.27.6 - 03 Dec 2024
 
 - Update default CodeQL bundle version to 2.19.4. [#2626](https://github.com/github/codeql-action/pull/2626)
 
-## 3.27.5 - 19 Nov 2024
+## 2.27.5 - 19 Nov 2024
 
 No user facing changes.
 
-## 3.27.4 - 14 Nov 2024
+## 2.27.4 - 14 Nov 2024
 
 No user facing changes.
 
-## 3.27.3 - 12 Nov 2024
+## 2.27.3 - 12 Nov 2024
 
 No user facing changes.
 
-## 3.27.2 - 12 Nov 2024
+## 2.27.2 - 12 Nov 2024
 
 - Fixed an issue where setting up the CodeQL tools would sometimes fail with the message "Invalid value 'undefined' for header 'authorization'". [#2590](https://github.com/github/codeql-action/pull/2590)
 
-## 3.27.1 - 08 Nov 2024
+## 2.27.1 - 08 Nov 2024
 
 - The CodeQL Action now downloads bundles compressed using Zstandard on GitHub Enterprise Server when using Linux or macOS runners. This speeds up the installation of the CodeQL tools. This feature is already available to GitHub.com users. [#2573](https://github.com/github/codeql-action/pull/2573)
 - Update default CodeQL bundle version to 2.19.3. [#2576](https://github.com/github/codeql-action/pull/2576)
 
-## 3.27.0 - 22 Oct 2024
+## 2.27.0 - 22 Oct 2024
 
 - Bump the minimum CodeQL bundle version to 2.14.6. [#2549](https://github.com/github/codeql-action/pull/2549)
 - Fix an issue where the `upload-sarif` Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by the `upload-sarif` Action. [#2557](https://github.com/github/codeql-action/pull/2557)
 - Update default CodeQL bundle version to 2.19.2. [#2552](https://github.com/github/codeql-action/pull/2552)
 
-## 3.26.13 - 14 Oct 2024
+## 2.26.13 - 14 Oct 2024
 
 No user facing changes.
 
-## 3.26.12 - 07 Oct 2024
+## 2.26.12 - 07 Oct 2024
 
 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)
-
   - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
-
   - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
 
-## 3.26.11 - 03 Oct 2024
+## 2.26.11 - 03 Oct 2024
 
 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.
-
-  Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
-
+  Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped to `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
   This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
 - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)
 
-## 3.26.10 - 30 Sep 2024
+## 2.26.10 - 30 Sep 2024
 
 - We are rolling out a feature in September/October 2024 that sets up CodeQL using a bundle compressed with [Zstandard](http://facebook.github.io/zstd/). Our aim is to improve the performance of setting up CodeQL. [#2502](https://github.com/github/codeql-action/pull/2502)
 
-## 3.26.9 - 24 Sep 2024
+## 2.26.9 - 24 Sep 2024
 
 No user facing changes.
 
-## 3.26.8 - 19 Sep 2024
+## 2.26.8 - 19 Sep 2024
 
 - Update default CodeQL bundle version to 2.19.0. [#2483](https://github.com/github/codeql-action/pull/2483)
 
-## 3.26.7 - 13 Sep 2024
+## 2.26.7 - 13 Sep 2024
 
 - Update default CodeQL bundle version to 2.18.4. [#2471](https://github.com/github/codeql-action/pull/2471)
 
-## 3.26.6 - 29 Aug 2024
+## 2.26.6 - 29 Aug 2024
 
 - Update default CodeQL bundle version to 2.18.3. [#2449](https://github.com/github/codeql-action/pull/2449)
 
-## 3.26.5 - 23 Aug 2024
+## 2.26.5 - 23 Aug 2024
 
 - Fix an issue where the `csrutil` system call used for telemetry would fail on macOS ARM machines with System Integrity Protection disabled. [#2441](https://github.com/github/codeql-action/pull/2441)
 
-## 3.26.4 - 21 Aug 2024
+## 2.26.4 - 21 Aug 2024
 
 - _Deprecation:_ The `add-snippets` input on the `analyze` Action is deprecated and will be removed in the first release in August 2025. [#2436](https://github.com/github/codeql-action/pull/2436)
 - Fix an issue where the disk usage system call used for telemetry would fail on macOS ARM machines with System Integrity Protection disabled, and then surface a warning. The system call is now disabled for these machines. [#2434](https://github.com/github/codeql-action/pull/2434)
 
-## 3.26.3 - 19 Aug 2024
+## 2.26.3 - 19 Aug 2024
 
 - Fix an issue where the CodeQL Action could not write diagnostic messages on Windows. This issue did not impact analysis quality. [#2430](https://github.com/github/codeql-action/pull/2430)
 
-## 3.26.2 - 14 Aug 2024
+## 2.26.2 - 14 Aug 2024
 
 - Update default CodeQL bundle version to 2.18.2. [#2417](https://github.com/github/codeql-action/pull/2417)
 
-## 3.26.1 - 13 Aug 2024
+## 2.26.1 - 13 Aug 2024
 
 No user facing changes.
 
-## 3.26.0 - 06 Aug 2024
+## 2.26.0 - 06 Aug 2024
 
 - _Deprecation:_ Swift analysis on Ubuntu runner images is no longer supported. Please migrate to a macOS runner if this affects you. [#2403](https://github.com/github/codeql-action/pull/2403)
 - Bump the minimum CodeQL bundle version to 2.13.5. [#2408](https://github.com/github/codeql-action/pull/2408)
 
-## 3.25.15 - 26 Jul 2024
+## 2.25.15 - 26 Jul 2024
 
 - Update default CodeQL bundle version to 2.18.1. [#2385](https://github.com/github/codeql-action/pull/2385)
 
-## 3.25.14 - 25 Jul 2024
+## 2.25.14 - 25 Jul 2024
 
 - Experimental: add a new `start-proxy` action which starts the same HTTP proxy as used by [`github/dependabot-action`](https://github.com/github/dependabot-action). Do not use this in production as it is part of an internal experiment and subject to change at any time. [#2376](https://github.com/github/codeql-action/pull/2376)
 
-## 3.25.13 - 19 Jul 2024
+## 2.25.13 - 19 Jul 2024
 
 - Add `codeql-version` to outputs. [#2368](https://github.com/github/codeql-action/pull/2368)
 - Add a deprecation warning for customers using CodeQL version 2.13.4 and earlier. These versions of CodeQL were discontinued on 9 July 2024 alongside GitHub Enterprise Server 3.9, and will be unsupported by CodeQL Action versions 3.26.0 and later and versions 2.26.0 and later. [#2375](https://github.com/github/codeql-action/pull/2375)
   - If you are using one of these versions, please update to CodeQL CLI version 2.13.5 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
   - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.12.6 and 2.13.4, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.25.13` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.25.13` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
 
-## 3.25.12 - 12 Jul 2024
+## 2.25.12 - 12 Jul 2024
 
 - Improve the reliability and performance of analyzing code when analyzing a compiled language with the `autobuild` [build mode](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes) on GitHub Enterprise Server. This feature is already available to GitHub.com users. [#2353](https://github.com/github/codeql-action/pull/2353)
 - Update default CodeQL bundle version to 2.18.0. [#2364](https://github.com/github/codeql-action/pull/2364)
 
-## 3.25.11 - 28 Jun 2024
+## 2.25.11 - 28 Jun 2024
 
 - Avoid failing the workflow run if there is an error while uploading debug artifacts. [#2349](https://github.com/github/codeql-action/pull/2349)
 - Update default CodeQL bundle version to 2.17.6. [#2352](https://github.com/github/codeql-action/pull/2352)
 
-## 3.25.10 - 13 Jun 2024
+## 2.25.10 - 13 Jun 2024
 
 - Update default CodeQL bundle version to 2.17.5. [#2327](https://github.com/github/codeql-action/pull/2327)
 
-## 3.25.9 - 12 Jun 2024
+## 2.25.9 - 12 Jun 2024
 
 - Avoid failing database creation if the database folder already exists and contains some unexpected files. Requires CodeQL 2.18.0 or higher. [#2330](https://github.com/github/codeql-action/pull/2330)
 - The init Action will attempt to clean up the database cluster directory before creating a new database and at the end of the job. This will help to avoid issues where the database cluster directory is left in an inconsistent state. [#2332](https://github.com/github/codeql-action/pull/2332)
 
-## 3.25.8 - 04 Jun 2024
+## 2.25.8 - 04 Jun 2024
 
 - Update default CodeQL bundle version to 2.17.4. [#2321](https://github.com/github/codeql-action/pull/2321)
 
-## 3.25.7 - 31 May 2024
+## 2.25.7 - 31 May 2024
 
 - We are rolling out a feature in May/June 2024 that will reduce the Actions cache usage of the Action by keeping only the newest TRAP cache for each language. [#2306](https://github.com/github/codeql-action/pull/2306)
 
-## 3.25.6 - 20 May 2024
+## 2.25.6 - 20 May 2024
 
 - Update default CodeQL bundle version to 2.17.3. [#2295](https://github.com/github/codeql-action/pull/2295)
 
-## 3.25.5 - 13 May 2024
+## 2.25.5 - 13 May 2024
 
 - Add a compatibility matrix of supported CodeQL Action, CodeQL CLI, and GitHub Enterprise Server versions to the [README.md](README.md). [#2273](https://github.com/github/codeql-action/pull/2273)
 - Avoid printing out a warning for a missing `on.push` trigger when the CodeQL Action is triggered via a `workflow_call` event. [#2274](https://github.com/github/codeql-action/pull/2274)
 - The `tools: latest` input to the `init` Action has been renamed to `tools: linked`. This option specifies that the Action should use the tools shipped at the same time as the Action. The old name will continue to work for backwards compatibility, but we recommend that new workflows use the new name. [#2281](https://github.com/github/codeql-action/pull/2281)
 
-## 3.25.4 - 08 May 2024
+## 2.25.4 - 08 May 2024
 
 - Update default CodeQL bundle version to 2.17.2. [#2270](https://github.com/github/codeql-action/pull/2270)
 
-## 3.25.3 - 25 Apr 2024
+## 2.25.3 - 25 Apr 2024
 
 - Update default CodeQL bundle version to 2.17.1. [#2247](https://github.com/github/codeql-action/pull/2247)
 - Workflows running on `macos-latest` using CodeQL CLI versions before v2.15.1 will need to either upgrade their CLI version to v2.15.1 or newer, or change the platform to an Intel macOS runner, such as `macos-12`. ARM machines with SIP disabled, including the newest `macos-latest` image, are unsupported for CLI versions before 2.15.1. [#2261](https://github.com/github/codeql-action/pull/2261)
 
-## 3.25.2 - 22 Apr 2024
+## 2.25.2 - 22 Apr 2024
 
 No user facing changes.
 
-## 3.25.1 - 17 Apr 2024
+## 2.25.1 - 17 Apr 2024
 
 - We are rolling out a feature in April/May 2024 that improves the reliability and performance of analyzing code when analyzing a compiled language with the `autobuild` [build mode](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes). [#2235](https://github.com/github/codeql-action/pull/2235)
 - Fix a bug where the `init` Action would fail if `--overwrite` was specified in `CODEQL_ACTION_EXTRA_OPTIONS`. [#2245](https://github.com/github/codeql-action/pull/2245)
 
-## 3.25.0 - 15 Apr 2024
+## 2.25.0 - 15 Apr 2024
 
 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224)
-
   As a result, the following inputs and environment variables are now ignored:
-
   - The `setup-python-dependencies` input to the `init` Action
   - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable
-
   We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0.
 - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229)
 - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232)
 - A more relevant log message and a diagnostic are now emitted when the `file` program is not installed on a Linux runner, but is required for Go tracing to succeed. [#2234](https://github.com/github/codeql-action/pull/2234)
 
-## 3.24.10 - 05 Apr 2024
+## 2.24.10 - 05 Apr 2024
 
 - Update default CodeQL bundle version to 2.17.0. [#2219](https://github.com/github/codeql-action/pull/2219)
 - Add a deprecation warning for customers using CodeQL version 2.12.5 and earlier. These versions of CodeQL were discontinued on 26 March 2024 alongside GitHub Enterprise Server 3.8, and will be unsupported by CodeQL Action versions 3.25.0 and later and versions 2.25.0 and later. [#2220](https://github.com/github/codeql-action/pull/2220)
   - If you are using one of these versions, please update to CodeQL CLI version 2.12.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
   - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.11.6 and 2.12.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.24.10` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.24.10` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
 
-## 3.24.9 - 22 Mar 2024
+## 2.24.9 - 22 Mar 2024
 
 - Update default CodeQL bundle version to 2.16.5. [#2203](https://github.com/github/codeql-action/pull/2203)
 
-## 3.24.8 - 18 Mar 2024
+## 2.24.8 - 18 Mar 2024
 
 - Improve the ease of debugging extraction issues by increasing the verbosity of the extractor logs when running in debug mode. [#2195](https://github.com/github/codeql-action/pull/2195)
 
-## 3.24.7 - 12 Mar 2024
+## 2.24.7 - 12 Mar 2024
 
 - Update default CodeQL bundle version to 2.16.4. [#2185](https://github.com/github/codeql-action/pull/2185)
 
-## 3.24.6 - 29 Feb 2024
+## 2.24.6 - 29 Feb 2024
 
 No user facing changes.
 
-## 3.24.5 - 23 Feb 2024
+## 2.24.5 - 23 Feb 2024
 
 - Update default CodeQL bundle version to 2.16.3. [#2156](https://github.com/github/codeql-action/pull/2156)
 
-## 3.24.4 - 21 Feb 2024
+## 2.24.4 - 21 Feb 2024
 
 - Fix an issue where an existing, but empty, `/sys/fs/cgroup/cpuset.cpus` file always resulted in a single-threaded run. [#2151](https://github.com/github/codeql-action/pull/2151)
 
-## 3.24.3 - 15 Feb 2024
+## 2.24.3 - 15 Feb 2024
 
 - Fix an issue where the CodeQL Action would fail to load a configuration specified by the `config` input to the `init` Action. [#2147](https://github.com/github/codeql-action/pull/2147)
 
-## 3.24.2 - 15 Feb 2024
+## 2.24.2 - 15 Feb 2024
 
 - Enable improved multi-threaded performance on larger runners for GitHub Enterprise Server users. This feature is already available to GitHub.com users. [#2141](https://github.com/github/codeql-action/pull/2141)
 
-## 3.24.1 - 13 Feb 2024
+## 2.24.1 - 13 Feb 2024
 
 - Update default CodeQL bundle version to 2.16.2. [#2124](https://github.com/github/codeql-action/pull/2124)
 - The CodeQL action no longer fails if it can't write to the telemetry api endpoint. [#2121](https://github.com/github/codeql-action/pull/2121)
 
-## 3.24.0 - 02 Feb 2024
+## 2.24.0 - 02 Feb 2024
 
 - CodeQL Python analysis will no longer install dependencies on GitHub Enterprise Server, as is already the case for GitHub.com. See [release notes for 3.23.0](#3230---08-jan-2024) for more details. [#2106](https://github.com/github/codeql-action/pull/2106)
 
-## 3.23.2 - 26 Jan 2024
+## 2.23.2 - 26 Jan 2024
 
 - On Linux, the maximum possible value for the `--threads` option now respects the CPU count as specified in `cgroup` files to more accurately reflect the number of available cores when running in containers. [#2083](https://github.com/github/codeql-action/pull/2083)
 - Update default CodeQL bundle version to 2.16.1. [#2096](https://github.com/github/codeql-action/pull/2096)
 
-## 3.23.1 - 17 Jan 2024
+## 2.23.1 - 17 Jan 2024
 
 - Update default CodeQL bundle version to 2.16.0. [#2073](https://github.com/github/codeql-action/pull/2073)
 - Change the retention period for uploaded debug artifacts to 7 days. Previously, this was whatever the repository default was. [#2079](https://github.com/github/codeql-action/pull/2079)
 
-## 3.23.0 - 08 Jan 2024
+## 2.23.0 - 08 Jan 2024
 
 - We are rolling out a feature in January 2024 that will disable Python dependency installation by default for all users. This improves the speed of analysis while having only a very minor impact on results. You can override this behavior by setting `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION=false` in your workflow, however we plan to remove this ability in future versions of the CodeQL Action. [#2031](https://github.com/github/codeql-action/pull/2031)
 - The CodeQL Action now requires CodeQL version 2.11.6 or later. For more information, see [the corresponding changelog entry for CodeQL Action version 2.22.7](#2227---16-nov-2023). [#2009](https://github.com/github/codeql-action/pull/2009)
 
-## 3.22.12 - 22 Dec 2023
+## 2.22.12 - 22 Dec 2023
 
 - Update default CodeQL bundle version to 2.15.5. [#2047](https://github.com/github/codeql-action/pull/2047)
 
-## 3.22.11 - 13 Dec 2023
+## 2.22.11 - 13 Dec 2023
 
-- [v3+ only] The CodeQL Action now runs on Node.js v20. [#2006](https://github.com/github/codeql-action/pull/2006)
+No user facing changes.
 
 ## 2.22.10 - 12 Dec 2023
 

CONTRIBUTING.md

@@ -27,7 +27,7 @@ You may want to run `tsc --watch` from the command line or inside of vscode in o
 
 ### Checking in compiled artifacts and `node_modules`
 
-Because CodeQL Action users consume the code directly from this repository, and there can be no build step during a GitHub Actions run, this repository contains all compiled artifacts and node modules. There is a PR check that will fail if any of the compiled artifacts are not up to date. Compiled artifacts are stored in the `lib/` directory. For all day-to-day development purposes, this folder can be ignored.
+Because CodeQL Action users consume the code directly from this repository, and there can be no build step during an GitHub Actions run, this repository contains all compiled artifacts and node modules. There is a PR check that will fail if any of the compiled artifacts are not up to date. Compiled artifacts are stored in the `lib/` directory. For all day-to-day development purposes, this folder can be ignored.
 
 Only run `npm install` if you are explicitly changing the set of dependencies in `package.json`. The `node_modules` directory should be up to date when you check out, but if for some reason, there is an inconsistency use `npm ci && npm run removeNPMAbsolutePaths` to ensure the directory is in a state consistent with the `package-lock.json`. Note that due to a macOS-specific dependency, this command should be run on a macOS machine. There is a PR check to ensure the consistency of the `node_modules` directory.
 
@@ -63,7 +63,7 @@ Here are a few things you can do that will increase the likelihood of your pull
     You can start a release by triggering this workflow via [workflow dispatch](https://github.com/github/codeql-action/actions/workflows/update-release-branch.yml).
 1. The workflow run will open a pull request titled "Merge main into releases/v3". Follow the steps on the checklist in the pull request. Once you've checked off all but the last two of these, approve the PR and automerge it.
 1. When the "Merge main into releases/v3" pull request is merged into the `releases/v3` branch, a mergeback pull request to `main` will be automatically created. This mergeback pull request incorporates the changelog updates into `main`, tags the release using the merge commit of the "Merge main into releases/v3" pull request, and bumps the patch version of the CodeQL Action. 
-1. If a backport to an older major version is required, a pull request targeting that version's branch will also be automatically created.
+1. If a backport to an older major version is required, a pull request targeting that version's branch will also be automatically created
 1. Approve the mergeback and backport pull request (if applicable) and automerge them.
 
 Once the mergeback and backport pull request have been merged, the release is complete.
@@ -109,7 +109,6 @@ To add a new major version of the Action:
 1. Change the `version` field of `package.json` by running `npm version x.y.z` where `x` is the new major version, and `y` and `z` match the latest minor and patch versions of the last release.
 1. Update appropriate documentation to explain the reasoning behind the releases: see [the diff](https://github.com/github/codeql-action/pull/2677/commits/913d60579d4b560addf53ec3c493d491dd3c1378) in our last major version deprecation for examples on which parts of the documentation should be updated.
 1. Consider the timeline behind deprecating the prior Action version: see [CodeQL Action deprecation documentation](#deprecating-a-codeql-action-major-version-write-access-required)
-1. If the new major version runs on a new version of Node, add a PR check to ensure the codebase continues to compile against the previous version of Node. See [Remove Node 16 compilation PR check](https://github.com/github/codeql-action/pull/2695) for an example.
 
 ## Deprecating a CodeQL Action major version (write access required)
 

README.md

@@ -55,7 +55,7 @@ For compiled languages:
 
 - `manual` build mode will typically produce the most precise results, but it is more difficult to set up and will cause the analysis to take slightly more time to run.
 - `autobuild` build mode is simpler to set up, but will only work for projects with generic build steps that can be guessed by the heuristics of the autobuild scripts. If `autobuild` fails, then you must switch to `manual` or `none`. If `autobuild` succeeds, then the results and run time will be the same as `manual` mode.
-- `none` build mode is also simpler to set up and is slightly faster to run, but there is a possibility that some alerts will be missed. This may happen if your repository does any code generation during compilation or if there are any dependencies downloaded from registries that the workflow does not have access to. `none` is not yet supported by Swift, Go, or Kotlin. It is in public preview for C/C++.
+- `none` build mode is also simpler to set up and is slightly faster to run, but there is a possibility that some alerts will be missed. This may happen if your repository does any code generation during compilation or if there are any dependencies downloaded from registries that the workflow does not have access to. `none` is not yet supported by C/C++, Swift, Go, or Kotlin.
 
 
 ## Supported versions of the CodeQL Action
@@ -70,11 +70,10 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 
 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
-| `v3.28.12`  | `2.20.7` | Enterprise Server 3.17 | |
-| `v3.28.6`  | `2.20.3` | Enterprise Server 3.16 | |
-| `v3.28.6`  | `2.20.3` | Enterprise Server 3.15 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |
-| `v3.28.6` | `2.20.3` | Enterprise Server 3.13 | |
+| `v3.26.6`  | `2.18.4` | Enterprise Server 3.15 | |
+| `v3.25.11` | `2.17.6` | Enterprise Server 3.14 | |
+| `v3.24.11` | `2.16.6` | Enterprise Server 3.13 | |
+| `v3.22.12` | `2.15.5` | Enterprise Server 3.12 | |
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 

actions-extractor/codeql-extractor.yml

@@ -0,0 +1,44 @@
+name: "actions"
+aliases: []
+display_name: "GitHub Actions"
+version: 0.0.1
+column_kind: "utf16"
+unicode_newlines: true
+build_modes:
+  - none
+file_coverage_languages: []
+github_api_languages: []
+scc_languages: []
+file_types:
+  - name: workflow
+    display_name: GitHub Actions workflow files
+    extensions:
+      - .yml
+      - .yaml
+forwarded_extractor_name: javascript
+options:
+  trap:
+    title: TRAP options
+    description: Options about how the extractor handles TRAP files
+    type: object
+    visibility: 3
+    properties:
+      cache:
+        title: TRAP cache options
+        description: Options about how the extractor handles its TRAP cache
+        type: object
+        properties:
+          dir:
+            title: TRAP cache directory
+            description: The directory of the TRAP cache to use
+            type: string
+          bound:
+            title: TRAP cache bound
+            description: A soft limit (in MB) on the size of the TRAP cache
+            type: string
+            pattern: "[0-9]+"
+          write:
+            title: TRAP cache writeable
+            description: Whether to write to the TRAP cache as well as reading it
+            type: string
+            pattern: "(true|TRUE|false|FALSE)"

actions-extractor/tools/autobuild-impl.ps1

@@ -0,0 +1,40 @@
+if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
+    Write-Output 'Path filters set. Passing them through to the JavaScript extractor.' 
+} else {
+    Write-Output 'No path filters set. Using the default filters.'
+    $DefaultPathFilters = @(
+        'exclude:**/*',
+        'include:.github/workflows/**/*.yml',
+        'include:.github/workflows/**/*.yaml',
+        'include:**/action.yml',
+        'include:**/action.yaml'
+    )
+
+    $env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
+}
+
+# Find the JavaScript extractor directory via `codeql resolve extractor`.
+$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
+if ($LASTEXITCODE -ne 0) {
+    throw 'Failed to resolve JavaScript extractor.'
+}
+
+Write-Output "Found JavaScript extractor at '${env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
+
+# Run the JavaScript autobuilder.
+$JavaScriptAutoBuild = Join-Path $env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT 'tools\autobuild.cmd'
+Write-Output "Running JavaScript autobuilder at '${JavaScriptAutoBuild}'."
+
+# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_LOG_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
+
+&$JavaScriptAutoBuild
+if ($LASTEXITCODE -ne 0) {
+    throw "JavaScript autobuilder failed."
+}

actions-extractor/tools/autobuild.cmd

@@ -0,0 +1,3 @@
+@echo off
+rem All of the work is done in the PowerShell script
+powershell.exe %~dp0autobuild-impl.ps1

actions-extractor/tools/autobuild.sh

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -eu
+
+DEFAULT_PATH_FILTERS=$(cat << END
+exclude:**/*
+include:.github/workflows/**/*.yml
+include:.github/workflows/**/*.yaml
+include:**/action.yml
+include:**/action.yaml
+END
+)
+
+if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
+    echo "Path filters set. Passing them through to the JavaScript extractor."
+else
+    echo "No path filters set. Using the default filters."
+    LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
+    export LGTM_INDEX_FILTERS
+fi
+
+# Find the JavaScript extractor directory via `codeql resolve extractor`.
+CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
+export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
+
+echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
+
+# Run the JavaScript autobuilder
+JAVASCRIPT_AUTO_BUILD="${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}/tools/autobuild.sh"
+echo "Running JavaScript autobuilder at '${JAVASCRIPT_AUTO_BUILD}'."
+
+# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
+env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR="${CODEQL_EXTRACTOR_ACTIONS_LOG_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR="${CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
+    ${JAVASCRIPT_AUTO_BUILD}

analyze/action.yml

@@ -91,6 +91,6 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: node20
+  using: node16
   main: "../lib/analyze-action.js"
   post: "../lib/analyze-action-post.js"

autobuild/action.yml

@@ -15,5 +15,5 @@ inputs:
       $GITHUB_WORKSPACE as its working directory.
     required: false
 runs:
-  using: node20
+  using: node16
   main: '../lib/autobuild-action.js'

init/action.yml

@@ -83,9 +83,6 @@ inputs:
   queries:
     description: Comma-separated list of additional queries to run. By default, this overrides the same setting in a configuration file; prefix with "+" to use both sets of queries.
     required: false
-  quality-queries:
-    description: '[Internal] Comma-separated list of code quality queries to run.'
-    required: false
   packs:
     description: >-
       Comma-separated list of packs to run. Reference a pack in the format `scope/name[@version]`. If `version` is not
@@ -149,6 +146,6 @@ outputs:
   codeql-version:
     description: The version of the CodeQL binary used for analysis
 runs:
-  using: node20
+  using: node16
   main: '../lib/init-action.js'
   post: '../lib/init-action-post.js'

justfile

@@ -1,30 +0,0 @@
-# Perform all working copy cleanup operations
-all: lint sync
-
-# Lint source typescript
-lint:
-    npm run lint-fix
-
-# Sync generated files (javascript and PR checks)
-sync: build update-pr-checks
-
-# Perform all necessary steps to update the PR checks
-update-pr-checks:
-    pr-checks/sync.sh
-
-# Transpile typescript code into javascript
-build:
-    npm run build
-
-# Build then run all the tests
-test: build
-    npm run test
-
-# Run the tests for a single file
-test_file filename: build
-    npx ava --verbose {{filename}}
-
-[doc("Refresh the .js build artefacts in the lib directory")]
-[confirm]
-refresh-lib:
-    rm -rf lib && npm run build

lib/analyze-action-post.js

@@ -38,14 +38,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
  * It will run after the all steps in this job, in reverse order in relation to
  * other `post:` hooks.
  */
-const fs = __importStar(require("fs"));
 const core = __importStar(require("@actions/core"));
 const actionsUtil = __importStar(require("./actions-util"));
 const api_client_1 = require("./api-client");
-const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const debugArtifacts = __importStar(require("./debug-artifacts"));
-const dependency_caching_1 = require("./dependency-caching");
 const environment_1 = require("./environment");
 const logging_1 = require("./logging");
 const util_1 = require("./util");
@@ -60,21 +57,7 @@ async function runWrapper() {
         if (process.env[environment_1.EnvVar.INIT_ACTION_HAS_RUN] === "true") {
             const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
             if (config !== undefined) {
-                const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
-                const version = await codeql.getVersion();
-                await debugArtifacts.uploadCombinedSarifArtifacts(logger, config.gitHubVersion.type, version.version);
-            }
-        }
-        // If we analysed Java in build-mode: none, we may have downloaded dependencies
-        // to the temp directory. Clean these up so they don't persist unnecessarily
-        // long on self-hosted runners.
-        const javaTempDependencyDir = (0, dependency_caching_1.getJavaTempDependencyDir)();
-        if (fs.existsSync(javaTempDependencyDir)) {
-            try {
-                fs.rmSync(javaTempDependencyDir, { recursive: true });
-            }
-            catch (error) {
-                logger.info(`Failed to remove temporary Java dependencies directory: ${(0, util_1.getErrorMessage)(error)}`);
+                await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, config.gitHubVersion.type));
             }
         }
     }

lib/analyze-action-post.js.map

@@ -1 +1 @@
-{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,uCAAyB;AAEzB,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,qCAAqC;AACrC,iDAA2C;AAC3C,kEAAoD;AACpD,6DAAgE;AAChE,+CAAuC;AACvC,uCAA6C;AAC7C,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAC5B,WAAW,CAAC,qBAAqB,EAAE,EACnC,MAAM,CACP,CAAC;YACF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBACjD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;gBAC1C,MAAM,cAAc,CAAC,4BAA4B,CAC/C,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,EACzB,OAAO,CAAC,OAAO,CAChB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,4EAA4E;QAC5E,+BAA+B;QAC/B,MAAM,qBAAqB,GAAG,IAAA,6CAAwB,GAAE,CAAC;QACzD,IAAI,EAAE,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC;gBACH,EAAE,CAAC,MAAM,CAAC,qBAAqB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACxD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,CACT,2DAA2D,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CACpF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,iDAA2C;AAC3C,kEAAoD;AACpD,+CAAuC;AACvC,uCAAwD;AACxD,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAC5B,WAAW,CAAC,qBAAqB,EAAE,EACnC,MAAM,CACP,CAAC;YACF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CACzC,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,CAC1B,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/analyze-action.js

@@ -41,6 +41,7 @@ const fs = __importStar(require("fs"));
 const path_1 = __importDefault(require("path"));
 const perf_hooks_1 = require("perf_hooks");
 const core = __importStar(require("@actions/core"));
+const github = __importStar(require("@actions/github"));
 const actionsUtil = __importStar(require("./actions-util"));
 const analyze_1 = require("./analyze");
 const api_client_1 = require("./api-client");
@@ -50,7 +51,6 @@ const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const database_upload_1 = require("./database-upload");
 const dependency_caching_1 = require("./dependency-caching");
-const diff_informed_analysis_utils_1 = require("./diff-informed-analysis-utils");
 const environment_1 = require("./environment");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
@@ -160,14 +160,6 @@ async function run() {
     let dbCreationTimings = undefined;
     let didUploadTrapCaches = false;
     util.initializeEnvironment(actionsUtil.getActionVersion());
-    // Unset the CODEQL_PROXY_* environment variables, as they are not needed
-    // and can cause issues with the CodeQL CLI
-    // Check for CODEQL_PROXY_HOST: and if it is empty but set, unset it
-    if (process.env.CODEQL_PROXY_HOST === "") {
-        delete process.env.CODEQL_PROXY_HOST;
-        delete process.env.CODEQL_PROXY_PORT;
-        delete process.env.CODEQL_PROXY_CA_CERTIFICATE;
-    }
     // Make inputs accessible in the `post` step, details at
     // https://github.com/github/codeql-action/issues/2553
     actionsUtil.persistInputs();
@@ -189,24 +181,22 @@ async function run() {
         const outputDir = actionsUtil.getRequiredInput("output");
         core.exportVariable(environment_1.EnvVar.SARIF_RESULTS_OUTPUT_DIR, outputDir);
         const threads = util.getThreadsFlag(actionsUtil.getOptionalInput("threads") || process.env["CODEQL_THREADS"], logger);
-        const repositoryNwo = (0, repository_1.getRepositoryNwo)();
+        const repositoryNwo = (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY"));
         const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
         util.checkActionVersion(actionsUtil.getActionVersion(), gitHubVersion);
         const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, actionsUtil.getTemporaryDirectory(), logger);
         const memory = util.getMemoryFlag(actionsUtil.getOptionalInput("ram") || process.env["CODEQL_RAM"], logger);
-        const branches = await (0, diff_informed_analysis_utils_1.getDiffInformedAnalysisBranches)(codeql, features, logger);
-        const diffRangePackDir = branches
-            ? await (0, analyze_1.setupDiffInformedQueryRun)(branches, logger)
-            : undefined;
+        const pull_request = github.context.payload.pull_request;
+        const diffRangePackDir = pull_request &&
+            (await (0, analyze_1.setupDiffInformedQueryRun)(pull_request.base.ref, pull_request.head.ref, codeql, logger, features));
         await (0, analyze_1.warnIfGoInstalledAfterInit)(config, logger);
         await runAutobuildIfLegacyGoWorkflow(config, logger);
         dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, codeql, config, logger);
-        const cleanupLevel = actionsUtil.getOptionalInput("cleanup-level") || "brutal";
         if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
-            runStats = await (0, analyze_1.runQueries)(outputDir, memory, util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), threads, cleanupLevel, diffRangePackDir, actionsUtil.getOptionalInput("category"), config, logger, features);
+            runStats = await (0, analyze_1.runQueries)(outputDir, memory, util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), threads, diffRangePackDir, actionsUtil.getOptionalInput("category"), config, logger, features);
         }
-        if (cleanupLevel !== "none") {
-            await (0, analyze_1.runCleanup)(config, cleanupLevel, logger);
+        if (actionsUtil.getOptionalInput("cleanup-level") !== "none") {
+            await (0, analyze_1.runCleanup)(config, actionsUtil.getOptionalInput("cleanup-level") || "brutal", logger);
         }
         const dbLocations = {};
         for (const language of config.languages) {
@@ -240,7 +230,7 @@ async function run() {
         }
         else if (uploadResult !== undefined &&
             actionsUtil.getRequiredInput("wait-for-processing") === "true") {
-            await uploadLib.waitForProcessing((0, repository_1.getRepositoryNwo)(), uploadResult.sarifID, (0, logging_1.getActionsLogger)());
+            await uploadLib.waitForProcessing((0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), uploadResult.sarifID, (0, logging_1.getActionsLogger)());
         }
         // If we did not throw an error yet here, but we expect one, throw it.
         if (actionsUtil.getOptionalInput("expect-error") === "true") {

lib/analyze.js

@@ -36,7 +36,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.exportedForTesting = exports.CodeQLAnalysisError = void 0;
+exports.CodeQLAnalysisError = void 0;
 exports.runExtraction = runExtraction;
 exports.dbIsFinalized = dbIsFinalized;
 exports.setupDiffInformedQueryRun = setupDiffInformedQueryRun;
@@ -51,18 +51,17 @@ const io = __importStar(require("@actions/io"));
 const del_1 = __importDefault(require("del"));
 const yaml = __importStar(require("js-yaml"));
 const actionsUtil = __importStar(require("./actions-util"));
-const api_client_1 = require("./api-client");
 const autobuild_1 = require("./autobuild");
 const codeql_1 = require("./codeql");
-const dependency_caching_1 = require("./dependency-caching");
 const diagnostics_1 = require("./diagnostics");
-const diff_informed_analysis_utils_1 = require("./diff-informed-analysis-utils");
 const environment_1 = require("./environment");
 const feature_flags_1 = require("./feature-flags");
+const gitUtils = __importStar(require("./git-utils"));
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
-const repository_1 = require("./repository");
+const tools_features_1 = require("./tools-features");
 const tracer_config_1 = require("./tracer-config");
+const upload_lib_1 = require("./upload-lib");
 const util = __importStar(require("./util"));
 const util_1 = require("./util");
 class CodeQLAnalysisError extends Error {
@@ -96,19 +95,12 @@ async function runExtraction(codeql, config, logger) {
             if (language === languages_1.Language.python) {
                 await setupPythonExtractor(logger);
             }
-            if (config.buildMode) {
+            if (config.buildMode &&
+                (await codeql.supportsFeature(tools_features_1.ToolsFeature.TraceCommandUseBuildMode))) {
                 if (language === languages_1.Language.cpp &&
                     config.buildMode === util_1.BuildMode.Autobuild) {
                     await (0, autobuild_1.setupCppAutobuild)(codeql, logger);
                 }
-                // The Java `build-mode: none` extractor places dependencies (.jar files) in the
-                // database scratch directory by default. For dependency caching purposes, we want
-                // a stable path that caches can be restored into and that we can cache at the
-                // end of the workflow (i.e. that does not get removed when the scratch directory is).
-                if (language === languages_1.Language.java && config.buildMode === util_1.BuildMode.None) {
-                    process.env["CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_DEPENDENCY_DIR"] =
-                        (0, dependency_caching_1.getJavaTempDependencyDir)();
-                }
                 await codeql.extractUsingBuildMode(config, language);
             }
             else {
@@ -159,163 +151,124 @@ async function finalizeDatabaseCreation(codeql, config, threadsFlag, memoryFlag,
 /**
  * Set up the diff-informed analysis feature.
  *
+ * @param baseRef The base branch name, used for calculating the diff range.
+ * @param headRef The head branch name, used for calculating the diff range.
+ * @param codeql
+ * @param logger
+ * @param features
  * @returns Absolute path to the directory containing the extension pack for
  * the diff range information, or `undefined` if the feature is disabled.
  */
-async function setupDiffInformedQueryRun(branches, logger) {
+async function setupDiffInformedQueryRun(baseRef, headRef, codeql, logger, features) {
+    if (!(await features.getValue(feature_flags_1.Feature.DiffInformedQueries, codeql))) {
+        return undefined;
+    }
     return await (0, logging_1.withGroupAsync)("Generating diff range extension pack", async () => {
-        logger.info(`Calculating diff ranges for ${branches.base}...${branches.head}`);
-        const diffRanges = await getPullRequestEditedDiffRanges(branches, logger);
-        const packDir = writeDiffRangeDataExtensionPack(logger, diffRanges);
-        if (packDir === undefined) {
-            logger.warning("Cannot create diff range extension pack for diff-informed queries; " +
-                "reverting to performing full analysis.");
-        }
-        else {
-            logger.info(`Successfully created diff range extension pack at ${packDir}.`);
-        }
-        return packDir;
+        const diffRanges = await getPullRequestEditedDiffRanges(baseRef, headRef, logger);
+        return writeDiffRangeDataExtensionPack(logger, diffRanges);
     });
 }
 /**
  * Return the file line ranges that were added or modified in the pull request.
  *
- * @param branches The base and head branches of the pull request.
+ * @param baseRef The base branch name, used for calculating the diff range.
+ * @param headRef The head branch name, used for calculating the diff range.
  * @param logger
  * @returns An array of tuples, where each tuple contains the absolute path of a
  * file, the start line and the end line (both 1-based and inclusive) of an
  * added or modified range in that file. Returns `undefined` if the action was
  * not triggered by a pull request or if there was an error.
  */
-async function getPullRequestEditedDiffRanges(branches, logger) {
-    const fileDiffs = await getFileDiffsWithBasehead(branches, logger);
-    if (fileDiffs === undefined) {
+async function getPullRequestEditedDiffRanges(baseRef, headRef, logger) {
+    const checkoutPath = actionsUtil.getOptionalInput("checkout_path");
+    if (checkoutPath === undefined) {
         return undefined;
     }
-    if (fileDiffs.length >= 300) {
-        // The "compare two commits" API returns a maximum of 300 changed files. If
-        // we see that many changed files, it is possible that there could be more,
-        // with the rest being truncated. In this case, we should not attempt to
-        // compute the diff ranges, as the result would be incomplete.
-        logger.warning(`Cannot retrieve the full diff because there are too many ` +
-            `(${fileDiffs.length}) changed files in the pull request.`);
+    // To compute the merge bases between the base branch and the PR topic branch,
+    // we need to fetch the commit graph from the branch heads to those merge
+    // babes. The following 6-step procedure does so while limiting the amount of
+    // history fetched.
+    // Step 1: Deepen from the PR merge commit to the base branch head and the PR
+    // topic branch head, so that the PR merge commit is no longer considered a
+    // grafted commit.
+    await gitUtils.deepenGitHistory();
+    // Step 2: Fetch the base branch shallow history. This step ensures that the
+    // base branch name is present in the local repository. Normally the base
+    // branch name would be added by Step 4. However, if the base branch head is
+    // an ancestor of the PR topic branch head, Step 4 would fail without doing
+    // anything, so we need to fetch the base branch explicitly.
+    await gitUtils.gitFetch(baseRef, ["--depth=1"]);
+    // Step 3: Fetch the PR topic branch history, stopping when we reach commits
+    // that are reachable from the base branch head.
+    await gitUtils.gitFetch(headRef, [`--shallow-exclude=${baseRef}`]);
+    // Step 4: Fetch the base branch history, stopping when we reach commits that
+    // are reachable from the PR topic branch head.
+    await gitUtils.gitFetch(baseRef, [`--shallow-exclude=${headRef}`]);
+    // Step 5: Repack the history to remove the shallow grafts that were added by
+    // the previous fetches. This step works around a bug that causes subsequent
+    // deepening fetches to fail with "fatal: error in object: unshallow <SHA>".
+    // See https://stackoverflow.com/q/63878612
+    await gitUtils.gitRepack(["-d"]);
+    // Step 6: Deepen the history so that we have the merge bases between the base
+    // branch and the PR topic branch.
+    await gitUtils.deepenGitHistory();
+    // To compute the exact same diff as GitHub would compute for the PR, we need
+    // to use the same merge base as GitHub. That is easy to do if there is only
+    // one merge base, which is by far the most common case. If there are multiple
+    // merge bases, we stop without producing a diff range.
+    const mergeBases = await gitUtils.getAllGitMergeBases([baseRef, headRef]);
+    logger.info(`Merge bases: ${mergeBases.join(", ")}`);
+    if (mergeBases.length !== 1) {
+        logger.info("Cannot compute diff range because baseRef and headRef " +
+            `have ${mergeBases.length} merge bases (instead of exactly 1).`);
         return undefined;
     }
-    const results = [];
-    for (const filediff of fileDiffs) {
-        const diffRanges = getDiffRanges(filediff, logger);
-        if (diffRanges === undefined) {
-            return undefined;
-        }
-        results.push(...diffRanges);
+    const diffHunkHeaders = await gitUtils.getGitDiffHunkHeaders(mergeBases[0], headRef);
+    if (diffHunkHeaders === undefined) {
+        return undefined;
     }
-    return results;
-}
-async function getFileDiffsWithBasehead(branches, logger) {
-    // Check CODE_SCANNING_REPOSITORY first. If it is empty or not set, fall back
-    // to GITHUB_REPOSITORY.
-    const repositoryNwo = (0, repository_1.getRepositoryNwoFromEnv)("CODE_SCANNING_REPOSITORY", "GITHUB_REPOSITORY");
-    const basehead = `${branches.base}...${branches.head}`;
-    try {
-        const response = await (0, api_client_1.getApiClient)().rest.repos.compareCommitsWithBasehead({
-            owner: repositoryNwo.owner,
-            repo: repositoryNwo.repo,
-            basehead,
-            per_page: 1,
-        });
-        logger.debug(`Response from compareCommitsWithBasehead(${basehead}):` +
-            `\n${JSON.stringify(response, null, 2)}`);
-        return response.data.files;
-    }
-    catch (error) {
-        if (error.status) {
-            logger.warning(`Error retrieving diff ${basehead}: ${error.message}`);
-            logger.debug(`Error running compareCommitsWithBasehead(${basehead}):` +
-                `\nRequest: ${JSON.stringify(error.request, null, 2)}` +
-                `\nError Response: ${JSON.stringify(error.response, null, 2)}`);
-            return undefined;
-        }
-        else {
-            throw error;
-        }
-    }
-}
-function getDiffRanges(fileDiff, logger) {
-    // Diff-informed queries expect the file path to be absolute. CodeQL always
-    // uses forward slashes as the path separator, so on Windows we need to
-    // replace any backslashes with forward slashes.
-    const filename = path
-        .join(actionsUtil.getRequiredInput("checkout_path"), fileDiff.filename)
-        .replaceAll(path.sep, "/");
-    if (fileDiff.patch === undefined) {
-        if (fileDiff.changes === 0) {
-            // There are situations where a changed file legitimately has no diff.
-            // For example, the file may be a binary file, or that the file may have
-            // been renamed with no changes to its contents. In these cases, the
-            // file would be reported as having 0 changes, and we can return an empty
-            // array to indicate no diff range in this file.
-            return [];
-        }
-        // If a file is reported to have nonzero changes but no patch, that may be
-        // due to the file diff being too large. In this case, we should fall back
-        // to a special diff range that covers the entire file.
-        return [
-            {
-                path: filename,
-                startLine: 0,
-                endLine: 0,
-            },
-        ];
-    }
-    // The 1-based file line number of the current line
-    let currentLine = 0;
-    // The 1-based file line number that starts the current range of added lines
-    let additionRangeStartLine = undefined;
-    const diffRanges = [];
-    const diffLines = fileDiff.patch.split("\n");
-    // Adding a fake context line at the end ensures that the following loop will
-    // always terminate the last range of added lines.
-    diffLines.push(" ");
-    for (const diffLine of diffLines) {
-        if (diffLine.startsWith("-")) {
-            // Ignore deletions completely -- we do not even want to consider them when
-            // calculating consecutive ranges of added lines.
-            continue;
-        }
-        if (diffLine.startsWith("+")) {
-            if (additionRangeStartLine === undefined) {
-                additionRangeStartLine = currentLine;
+    const results = new Array();
+    let changedFile = "";
+    for (const line of diffHunkHeaders) {
+        if (line.startsWith("+++ ")) {
+            const filePath = gitUtils.decodeGitFilePath(line.substring(4));
+            if (filePath.startsWith("b/")) {
+                // The file was edited: track all hunks in the file
+                changedFile = filePath.substring(2);
             }
-            currentLine++;
-            continue;
-        }
-        if (additionRangeStartLine !== undefined) {
-            // Any line that does not start with a "+" or "-" terminates the current
-            // range of added lines.
-            diffRanges.push({
-                path: filename,
-                startLine: additionRangeStartLine,
-                endLine: currentLine - 1,
-            });
-            additionRangeStartLine = undefined;
-        }
-        if (diffLine.startsWith("@@ ")) {
-            // A new hunk header line resets the current line number.
-            const match = diffLine.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
-            if (match === null) {
-                logger.warning(`Cannot parse diff hunk header for ${fileDiff.filename}: ${diffLine}`);
+            else if (filePath === "/dev/null") {
+                // The file was deleted: skip all hunks in the file
+                changedFile = "";
+            }
+            else {
+                logger.warning(`Failed to parse diff hunk header line: ${line}`);
                 return undefined;
             }
-            currentLine = parseInt(match[1], 10);
             continue;
         }
-        if (diffLine.startsWith(" ")) {
-            // An unchanged context line advances the current line number.
-            currentLine++;
-            continue;
+        if (line.startsWith("@@ ")) {
+            if (changedFile === "")
+                continue;
+            const match = line.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@/);
+            if (match === null) {
+                logger.warning(`Failed to parse diff hunk header line: ${line}`);
+                return undefined;
+            }
+            const startLine = parseInt(match[1], 10);
+            const numLines = parseInt(match[2], 10);
+            if (numLines === 0) {
+                // The hunk was a deletion: skip it
+                continue;
+            }
+            const endLine = startLine + (numLines || 1) - 1;
+            results.push({
+                path: path.join(checkoutPath, changedFile),
+                startLine,
+                endLine,
+            });
         }
     }
-    return diffRanges;
+    return results;
 }
 /**
  * Create an extension pack in the temporary directory that contains the file
@@ -331,21 +284,8 @@ function writeDiffRangeDataExtensionPack(logger, ranges) {
     if (ranges === undefined) {
         return undefined;
     }
-    if (ranges.length === 0) {
-        // An empty diff range means that there are no added or modified lines in
-        // the pull request. But the `restrictAlertsTo` extensible predicate
-        // interprets an empty data extension differently, as an indication that
-        // all alerts should be included. So we need to specifically set the diff
-        // range to a non-empty list that cannot match any alert location.
-        ranges = [{ path: "", startLine: 0, endLine: 0 }];
-    }
     const diffRangeDir = path.join(actionsUtil.getTemporaryDirectory(), "pr-diff-range");
-    // We expect the Actions temporary directory to already exist, so are mainly
-    // using `recursive: true` to avoid errors if the directory already exists,
-    // for example if the analyze Action is run multiple times in the same job.
-    // This is not really something that is supported, but we make use of it in
-    // tests.
-    fs.mkdirSync(diffRangeDir, { recursive: true });
+    fs.mkdirSync(diffRangeDir);
     fs.writeFileSync(path.join(diffRangeDir, "qlpack.yml"), `
 name: codeql-action/pr-diff-range
 version: 0.0.0
@@ -360,16 +300,10 @@ extensions:
   - addsTo:
       pack: codeql/util
       extensible: restrictAlertsTo
-      checkPresence: false
     data:
 `;
     let data = ranges
-        .map((range) => 
-    // Using yaml.dump() with `forceQuotes: true` ensures that all special
-    // characters are escaped, and that the path is always rendered as a
-    // quoted string on a single line.
-    `      - [${yaml.dump(range.path, { forceQuotes: true }).trim()}, ` +
-        `${range.startLine}, ${range.endLine}]\n`)
+        .map((range) => `      - ["${range.path}", ${range.startLine}, ${range.endLine}]\n`)
         .join("");
     if (!data) {
         // Ensure that the data extension is not empty, so that a pull request with
@@ -380,27 +314,22 @@ extensions:
     const extensionFilePath = path.join(diffRangeDir, "pr-diff-range.yml");
     fs.writeFileSync(extensionFilePath, extensionContents);
     logger.debug(`Wrote pr-diff-range extension pack to ${extensionFilePath}:\n${extensionContents}`);
-    // Write the diff ranges to a JSON file, for action-side alert filtering by the
-    // upload-lib module.
-    (0, diff_informed_analysis_utils_1.writeDiffRangesJsonFile)(logger, ranges);
     return diffRangeDir;
 }
 // Runs queries and creates sarif files in the given folder
-async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, cleanupLevel, diffRangePackDir, automationDetailsId, config, logger, features) {
+async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, diffRangePackDir, automationDetailsId, config, logger, features) {
     const statusReport = {};
-    const queryFlags = [memoryFlag, threadsFlag];
-    if (cleanupLevel !== "overlay") {
-        queryFlags.push("--expect-discarded-cache");
-    }
-    statusReport.analysis_is_diff_informed = diffRangePackDir !== undefined;
-    if (diffRangePackDir) {
-        queryFlags.push(`--additional-packs=${diffRangePackDir}`);
-        queryFlags.push("--extension-packs=codeql-action/pr-diff-range");
-    }
+    const dataExtensionFlags = diffRangePackDir
+        ? [
+            `--additional-packs=${diffRangePackDir}`,
+            "--extension-packs=codeql-action/pr-diff-range",
+        ]
+        : [];
     const sarifRunPropertyFlag = diffRangePackDir
         ? "--sarif-run-property=incrementalMode=diff-informed"
         : undefined;
     const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
+    const queryFlags = [memoryFlag, threadsFlag, ...dataExtensionFlags];
     for (const language of config.languages) {
         try {
             const sarifFile = path.join(sarifFolder, `${language}.sarif`);
@@ -426,7 +355,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
             logger.endGroup();
             logger.info(analysisSummary);
             if (await features.getValue(feature_flags_1.Feature.QaTelemetryEnabled)) {
-                const perQueryAlertCounts = getPerQueryAlertCounts(sarifFile);
+                const perQueryAlertCounts = getPerQueryAlertCounts(sarifFile, logger);
                 const perQueryAlertCountEventReport = {
                     event: "codeql database interpret-results",
                     started_at: startTimeInterpretResults.toISOString(),
@@ -442,6 +371,9 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
                 }
                 statusReport["event_reports"].push(perQueryAlertCountEventReport);
             }
+            if (!(await util.codeQlVersionAtLeast(codeql, codeql_1.CODEQL_VERSION_ANALYSIS_SUMMARY_V2))) {
+                await runPrintLinesOfCode(language);
+            }
         }
         catch (e) {
             statusReport.analyze_failure_language = language;
@@ -454,7 +386,8 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
         return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", sarifRunPropertyFlag, automationDetailsId, config, features);
     }
     /** Get an object with all queries and their counts parsed from a SARIF file path. */
-    function getPerQueryAlertCounts(sarifPath) {
+    function getPerQueryAlertCounts(sarifPath, log) {
+        (0, upload_lib_1.validateSarifFileSchema)(sarifPath, log);
         const sarifObject = JSON.parse(fs.readFileSync(sarifPath, "utf8"));
         // We do not need to compute fingerprints because we are not sending data based off of locations.
         // Generate the query: alert count object
@@ -472,6 +405,10 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
         }
         return perQueryAlertCounts;
     }
+    async function runPrintLinesOfCode(language) {
+        const databasePath = util.getCodeQLDatabasePath(config, language);
+        return await codeql.databasePrintBaseline(databasePath);
+    }
 }
 async function runFinalize(outputDir, threadsFlag, memoryFlag, codeql, config, logger) {
     try {
@@ -524,7 +461,4 @@ async function runCleanup(config, cleanupLevel, logger) {
     }
     logger.endGroup();
 }
-exports.exportedForTesting = {
-    getDiffRanges,
-};
 //# sourceMappingURL=analyze.js.map