Updating

.eslintignore

@@ -0,0 +1,4 @@
+**/webpack.config.js
+lib/**
+src/testdata/**
+tests/**

.eslintrc.json

@@ -0,0 +1,77 @@
+
+{
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+        "project": "./tsconfig.json"
+    },
+    "plugins": ["@typescript-eslint", "filenames", "github", "import", "no-async-foreach"],
+    "extends": [
+        "eslint:recommended",
+        "plugin:@typescript-eslint/recommended",
+        "plugin:@typescript-eslint/recommended-requiring-type-checking",
+        "plugin:github/recommended",
+        "plugin:github/typescript",
+        "plugin:import/typescript"
+    ],
+    "rules": {
+        "filenames/match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
+        "i18n-text/no-en": "off",
+        "import/extensions": ["error", {
+            // Allow importing JSON files
+            "json": {}
+        }],
+        "import/no-amd": "error",
+        "import/no-commonjs": "error",
+        "import/no-cycle": "error",
+        "import/no-dynamic-require": "error",
+        // Disable the rule that checks that devDependencies aren't imported since we use a single
+        // linting configuration file for both source and test code.
+        "import/no-extraneous-dependencies": ["error", {"devDependencies": true}],
+        "import/no-namespace": "off",
+        "import/no-unresolved": "error",
+        "import/no-webpack-loader-syntax": "error",
+        "import/order": ["error", {
+            "alphabetize": {"order": "asc"},
+            "newlines-between": "always"
+        }],
+        "max-len": ["error", {
+            "code": 120,
+            "ignoreUrls": true,
+            "ignoreStrings": true,
+            "ignoreTemplateLiterals": true
+        }],
+        "no-async-foreach/no-async-foreach": "error",
+        "no-console": "off",
+        "no-sequences": "error",
+        "no-shadow": "off",
+        "@typescript-eslint/no-shadow": ["error"],
+        "one-var": ["error", "never"]
+    },
+    "overrides": [{
+        // "temporarily downgraded during transition to eslint
+        "files": "**",
+        "rules": {
+            "@typescript-eslint/ban-types": "off",
+            "@typescript-eslint/explicit-module-boundary-types": "off",
+            "@typescript-eslint/no-explicit-any": "off",
+            "@typescript-eslint/no-unsafe-assignment": "off",
+            "@typescript-eslint/no-unsafe-call": "off",
+            "@typescript-eslint/no-unsafe-member-access": "off",
+            "@typescript-eslint/no-unsafe-return": "off",
+            "@typescript-eslint/no-var-requires": "off",
+            "@typescript-eslint/prefer-regexp-exec": "off",
+            "@typescript-eslint/require-await": "off",
+            "@typescript-eslint/restrict-template-expressions": "off",
+            "func-style": "off",
+            "sort-imports": "off"
+        }
+    }],
+    "settings": {
+        "import/resolver": {
+            "node": {
+                "moduleDirectory": ["node_modules", "src"]
+            },
+            "typescript": {}
+        }
+    }
+}

.github/actions/check-codescanning-config/action.yml

@@ -29,16 +29,7 @@ inputs:
   tools:
     required: true
     description: |
-      The version of CodeQL passed to the `tools` input of the init action.
-      This can be any of the following:
-
-      - A local path to a tarball containing the CodeQL tools, or
-      - A URL to a GitHub release assets containing the CodeQL tools, or
-      - A special value `linked` which is forcing the use of the CodeQL tools
-        that the action has been bundled with.
-
-      If not specified, the Action will check in several places until it finds
-      the CodeQL tools.
+      The url of codeql to use.
 
 runs:
   using: composite
@@ -61,12 +52,11 @@ runs:
     - name: Check config
       working-directory: ${{ github.action_path }}
       shell: bash
-      env:
-        EXPECTED_CONFIG_FILE_CONTENTS: '${{ inputs.expected-config-file-contents }}'
-      run: ts-node ./index.ts "$RUNNER_TEMP/user-config.yaml" "$EXPECTED_CONFIG_FILE_CONTENTS"
+      run: ts-node ./index.ts "${{ runner.temp }}/user-config.yaml" '${{ inputs.expected-config-file-contents }}'
+
     - name: Clean up
       shell: bash
       if: always()
       run: |
-        rm -rf $RUNNER_TEMP/codescanning-config-cli-test
-        rm -rf $RUNNER_TEMP/user-config.yaml
+        rm -rf ${{ runner.temp }}/codescanning-config-cli-test
+        rm -rf ${{ runner.temp }}/user-config.yaml

.github/actions/check-codescanning-config/index.ts

@@ -8,7 +8,7 @@ const actualConfig = loadActualConfig()
 
 const rawExpectedConfig = process.argv[3].trim()
 if (!rawExpectedConfig) {
-  core.setFailed('No expected configuration provided')
+  core.info('No expected configuration provided')
 } else {
   core.startGroup('Expected generated user config')
   core.info(yaml.dump(JSON.parse(rawExpectedConfig)))

.github/actions/check-sarif/action.yml

@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: node20
+  using: node16
   main: index.js

.github/actions/prepare-test/action.yml

@@ -2,16 +2,12 @@ name: "Prepare test"
 description: Performs some preparation to run tests
 inputs:
   version:
-    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
+    description: "The version of the CodeQL CLI to use. Can be 'latest', 'default', 'nightly-latest', 'nightly-YYYY-MM-DD', or 'stable-YYYY-MM-DD'."
     required: true
   use-all-platform-bundle:
     description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
     default: 'false'
     required: false
-  setup-kotlin:
-    description: "If true, we setup kotlin"
-    default: 'true'
-    required: true
 outputs:
   tools-url:
     description: "The value that should be passed as the 'tools' input of the 'init' step."
@@ -29,54 +25,36 @@ runs:
     - id: get-url
       name: Determine URL
       shell: bash
-      env:
-        VERSION: ${{ inputs.version }}
-        USE_ALL_PLATFORM_BUNDLE: ${{ inputs.use-all-platform-bundle }}
       run: |
         set -e # Fail this Action if `gh release list` fails.
 
-        if [[ "$VERSION" == "linked" ]]; then
-          echo "tools-url=linked" >> "$GITHUB_OUTPUT"
-          exit 0
-        elif [[ "$VERSION" == "default" ]]; then
-          echo "tools-url=" >> "$GITHUB_OUTPUT"
-          exit 0
-        fi
-
-        if [[ "$VERSION" == "nightly-latest" && "$RUNNER_OS" != "Windows" ]]; then
-          extension="tar.zst"
-        else
-          extension="tar.gz"
-        fi
-
-        if [[ "$USE_ALL_PLATFORM_BUNDLE" == "true" ]]; then
-          artifact_name="codeql-bundle.$extension"
+        if [[ ${{ inputs.use-all-platform-bundle }} == "true" ]]; then
+          artifact_name="codeql-bundle.tar.gz"
         elif [[ "$RUNNER_OS" == "Linux" ]]; then
-          artifact_name="codeql-bundle-linux64.$extension"
+          artifact_name="codeql-bundle-linux64.tar.gz"
         elif [[ "$RUNNER_OS" == "macOS" ]]; then
-          artifact_name="codeql-bundle-osx64.$extension"
+          artifact_name="codeql-bundle-osx64.tar.gz"
         elif [[ "$RUNNER_OS" == "Windows" ]]; then
-          artifact_name="codeql-bundle-win64.$extension"
+          artifact_name="codeql-bundle-win64.tar.gz"
         else
           echo "::error::Unrecognized OS $RUNNER_OS"
           exit 1
         fi
 
-        if [[ "$VERSION" == "nightly-latest" ]]; then
+        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
           tag=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
           echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ "$VERSION" == *"nightly"* ]]; then
-          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
-          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ "$VERSION" == *"stable"* ]]; then
-          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
+        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
+          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
+          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version-manual/$artifact_name" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
+          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
           echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == "latest" ]]; then
+          echo "tools-url=latest" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == "default" ]]; then
+          echo "tools-url=" >> $GITHUB_OUTPUT
         else
           echo "::error::Unrecognized version specified!"
           exit 1
         fi
-
-    - uses: fwilhe2/setup-kotlin@9c245a6425255f5e98ba1ce6c15d31fce7eca9da
-      if: ${{ inputs.setup-kotlin == 'true' }}
-      with:
-        version: 1.8.21

.github/actions/query-filter-test/action.yml

@@ -23,16 +23,7 @@ inputs:
   tools:
     required: true
     description: |
-      The version of CodeQL passed to the `tools` input of the init action.
-      This can be any of the following:
-
-      - A local path to a tarball containing the CodeQL tools, or
-      - A URL to a GitHub release assets containing the CodeQL tools, or
-      - A special value `linked` which is forcing the use of the CodeQL tools
-        that the action has been bundled with.
-
-      If not specified, the Action will check in several places until it finds
-      the CodeQL tools.
+      The url of codeql to use.
 
 runs:
   using: composite
@@ -48,6 +39,7 @@ runs:
     - uses: ./../action/analyze
       with:
         output: ${{ runner.temp }}/results
+        upload-database: false
         upload: never
       env:
         CODEQL_ACTION_TEST_MODE: "true"

.github/actions/release-branches/action.yml

@@ -1,28 +0,0 @@
-name: 'Release branches'
-description: 'Determine branches for release & backport'
-inputs:
-  major_version:
-    description: 'The version as extracted from the package.json file'
-    required: true
-  latest_tag:
-    description: 'The most recent tag published to the repository'
-    required: true
-outputs:
-  backport_source_branch:
-    description: "The release branch for the given tag"
-    value: ${{ steps.branches.outputs.backport_source_branch }}
-  backport_target_branches:
-    description: "JSON encoded list of branches to target with backports"
-    value: ${{ steps.branches.outputs.backport_target_branches }}
-runs:
-  using: "composite"
-  steps:
-    - id: branches
-      env:
-        MAJOR_VERSION: ${{ inputs.major_version }}
-        LATEST_TAG: ${{ inputs.latest_tag }}
-      run: |
-        python ${{ github.action_path }}/release-branches.py \
-            --major-version "$MAJOR_VERSION" \
-            --latest-tag "$LATEST_TAG"
-      shell: bash

.github/actions/release-branches/release-branches.py

@@ -1,55 +0,0 @@
-import argparse
-import json
-import os
-import configparser
-
-# Name of the remote
-ORIGIN = 'origin'
-
-script_dir = os.path.dirname(os.path.realpath(__file__))
-grandparent_dir = os.path.dirname(os.path.dirname(script_dir))
-
-config = configparser.ConfigParser()
-with open(os.path.join(grandparent_dir, 'releases.ini')) as stream:
-    config.read_string('[default]\n' + stream.read())
-
-OLDEST_SUPPORTED_MAJOR_VERSION = int(config['default']['OLDEST_SUPPORTED_MAJOR_VERSION'])
-
-def main():
-
-  parser = argparse.ArgumentParser()
-  parser.add_argument("--major-version", required=True, type=str, help="The major version of the release")
-  parser.add_argument("--latest-tag", required=True, type=str, help="The most recent tag published to the repository")
-  args = parser.parse_args()
-
-  major_version = args.major_version
-  latest_tag = args.latest_tag
-
-  print("major_version: " + major_version)
-  print("latest_tag: " + latest_tag)
-
-  # If this is a primary release, we backport to all supported branches,
-  # so we check whether the major_version taken from the package.json
-  # is greater than or equal to the latest tag pulled from the repo.
-  # For example...
-  #     'v1' >= 'v2' is False # we're operating from an older release branch and should not backport
-  #     'v2' >= 'v2' is True  # the normal case where we're updating the current version
-  #     'v3' >= 'v2' is True  # in this case we are making the first release of a new major version
-  consider_backports = ( major_version >= latest_tag.split(".")[0] )
-
-  with open(os.environ["GITHUB_OUTPUT"], "a") as f:
-
-    f.write(f"backport_source_branch=releases/{major_version}\n")
-
-    backport_target_branches = []
-
-    if consider_backports:
-      for i in range(int(major_version.strip("v"))-1, 0, -1):
-        branch_name = f"releases/v{i}"
-        if i >= OLDEST_SUPPORTED_MAJOR_VERSION:
-          backport_target_branches.append(branch_name)
-
-    f.write("backport_target_branches="+json.dumps(backport_target_branches)+"\n")
-
-if __name__ == "__main__":
-  main()

.github/actions/release-initialise/action.yml

@@ -1,33 +0,0 @@
-name: 'Prepare release job'
-description: 'Prepare for updating a release branch'
-
-runs:
-  using: "composite"
-  steps:
-
-    - name: Dump environment
-      run: env
-      shell: bash
-
-    - name: Dump GitHub context
-      env:
-        GITHUB_CONTEXT: '${{ toJson(github) }}'
-      run: echo "$GITHUB_CONTEXT"
-      shell: bash
-
-    - name: Set up Python
-      uses: actions/setup-python@v5
-      with:
-        python-version: 3.12
-
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install PyGithub==2.3.0 requests
-      shell: bash
-
-    - name: Update git config
-      run: |
-        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-        git config --global user.name "github-actions[bot]"
-      shell: bash

.github/actions/setup-swift/action.yml

@@ -11,7 +11,7 @@ runs:
       id: get_swift_version
       if: runner.os == 'Linux'
       shell: bash
-      env:
+      env: 
         CODEQL_PATH: ${{ inputs.codeql-path }}
       run: |
         SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
@@ -19,21 +19,19 @@ runs:
           VERSION="null"
         else
           VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/linux64/extractor" --version | awk '/version/ { print $3 }')"
-          # Specify 5.x.0, otherwise setup Action will default to latest minor version.
+          # Specify 5.x.0, otherwise setup Action will default to latest minor version. 
           if [ $VERSION = "5.7" ]; then
             VERSION="5.7.0"
           elif [ $VERSION = "5.8" ]; then
             VERSION="5.8.0"
-          elif [ $VERSION = "5.9" ]; then
-            VERSION="5.9.0"
-          # setup-swift does not yet support v5.9.1 Remove this when it does.
-          elif [ $VERSION = "5.9.1" ]; then
-            VERSION="5.9.0"
-          fi
+          # setup-swift does not yet support v5.8.1 Remove this when it does.
+          elif [ $VERSION = "5.8.1" ]; then
+            VERSION="5.8.0"
+          fi 
         fi
         echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
 
-    - uses: redsun82/setup-swift@362f49f31da2f5f4f851657046bdd1290d03edc8 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
+    - uses: swift-actions/setup-swift@f51889efb55dccf13be0ee727e3d6c89a096fb4c # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
       if: runner.os == 'Linux' && steps.get_swift_version.outputs.version != 'null'
       with:
         swift-version: "${{ steps.get_swift_version.outputs.version }}"

.github/codeql/codeql-actions-config.yml

@@ -1,4 +0,0 @@
-# Configuration for the CodeQL Actions Queries
-name: "CodeQL Actions Queries config"
-queries:
-  - uses: security-and-quality

.github/copilot-instructions.md

@@ -1,5 +0,0 @@
-# CodeQL Action - Copilot Instructions
-
-The CodeQL Action is written in TypeScript and compiled to JavaScript. Both the TypeScript sources and the **generated** JavaScript code are contained in this repository. The TypeScript sources are contained in the `src` directory and the JavaScript code is contained in the `lib` directory. A GitHub Actions workflow checks that the JavaScript code in `lib` is up-to-date. Therefore, you should not review any changes to the contents of the `lib` folder and it is expected that the JavaScript code in `lib` closely mirrors the TypeScript code it is generated from.
-
-GitHub Actions workflows in the `.github/workflows` directory whose filenames start with two underscores (e.g. `__all-platform-bundle.yml`) are automatically generated using the `pr-checks/sync.sh` script from template files in the `pr-checks/checks` directory. Therefore, you do not need to review files in the `.github/workflows` directory that starts with two underscores. However, you should review changes to the `pr-checks` directory as well as workflows in the `.github/workflows` directory that do not start with underscores.

.github/dependabot.yml

@@ -14,10 +14,6 @@ updates:
       # v7 requires ESM
       - dependency-name: "del"
         versions: ["^7.0.0"]
-      # This is broken due to the way configuration files have changed. 
-      # This might be fixed when we move to eslint v9.
-      - dependency-name: "eslint-plugin-import"
-        versions: [">=2.30.0"]
     groups:
       npm:
         patterns:

.github/releases.ini

@@ -1 +0,0 @@
-OLDEST_SUPPORTED_MAJOR_VERSION=3

.github/update-release-branch.py

@@ -1,7 +1,5 @@
 import argparse
 import datetime
-import fileinput
-import re
 from github import Github
 import json
 import os
@@ -15,9 +13,8 @@ No user facing changes.
 
 """
 
-# NB: This exact commit message is used to find commits for reverting during backports.
-# Changing it requires a transition period where both old and new versions are supported.
-BACKPORT_COMMIT_MESSAGE = 'Update version and changelog for v'
+SOURCE_BRANCH = 'main'
+TARGET_BRANCH = 'releases/v2'
 
 # Name of the remote
 ORIGIN = 'origin'
@@ -37,9 +34,7 @@ def branch_exists_on_remote(branch_name):
   return run_git('ls-remote', '--heads', ORIGIN, branch_name).strip() != ''
 
 # Opens a PR from the given branch to the target branch
-def open_pr(
-  repo, all_commits, source_branch_short_sha, new_branch_name, source_branch, target_branch,
-  conductor, is_primary_release, conflicted_files):
+def open_pr(repo, all_commits, source_branch_short_sha, new_branch_name, conductor):
   # Sort the commits into the pull requests that introduced them,
   # and any commits that don't have a pull request
   pull_requests = []
@@ -61,7 +56,7 @@ def open_pr(
 
   # Start constructing the body text
   body = []
-  body.append(f'Merging {source_branch_short_sha} into `{target_branch}`.')
+  body.append(f'Merging {source_branch_short_sha} into {TARGET_BRANCH}.')
 
   body.append('')
   body.append(f'Conductor for this PR is @{conductor}.')
@@ -84,38 +79,20 @@ def open_pr(
 
   body.append('')
   body.append('Please do the following:')
-  if len(conflicted_files) > 0:
-    body.append(' - [ ] Ensure `package.json` file contains the correct version.')
-    body.append(' - [ ] Add commits to this branch to resolve the merge conflicts ' +
-      'in the following files:')
-    body.extend([f'    - [ ] `{file}`' for file in conflicted_files])
-    body.append(' - [ ] Ensure another maintainer has reviewed the additional commits you added to this ' +
-      'branch to resolve the merge conflicts.')
   body.append(' - [ ] Ensure the CHANGELOG displays the correct version and date.')
   body.append(' - [ ] Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.')
-  body.append(f' - [ ] Check that there are not any unexpected commits being merged into the `{target_branch}` branch.')
+  body.append(f' - [ ] Check that there are not any unexpected commits being merged into the {TARGET_BRANCH} branch.')
   body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.')
-
-  if not is_primary_release:
-    body.append(' - [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.')
-    body.append(' - [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.')
-
-  body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
   body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')
+  body.append(' - [ ] Merge the mergeback PR that will automatically be created once this PR is merged.')
 
-  if is_primary_release:
-    body.append(' - [ ] Merge the mergeback PR that will automatically be created once this PR is merged.')
-    body.append(' - [ ] Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.')
-
-  title = f'Merge {source_branch} into {target_branch}'
-  labels = ['Update dependencies'] if not is_primary_release else []
+  title = f'Merge {SOURCE_BRANCH} into {TARGET_BRANCH}'
 
   # Create the pull request
   # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
   # a maintainer can take the PR out of draft, thereby triggering the PR checks.
-  pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=target_branch, draft=True)
-  pr.add_to_labels(*labels)
-  print(f'Created PR #{str(pr.number)}')
+  pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=TARGET_BRANCH, draft=True)
+  print(f'Created PR #{pr.number}')
 
   # Assign the conductor
   pr.add_to_assignees(conductor)
@@ -125,10 +102,10 @@ def open_pr(
 # since the last release to the target branch.
 # This will not include any commits that exist on the target branch
 # that aren't on the source branch.
-def get_commit_difference(repo, source_branch, target_branch):
+def get_commit_difference(repo):
   # Passing split nothing means that the empty string splits to nothing: compare `''.split() == []`
   # to `''.split('\n') == ['']`.
-  commits = run_git('log', '--pretty=format:%H', f'{ORIGIN}/{target_branch}..{ORIGIN}/{source_branch}').strip().split()
+  commits = run_git('log', '--pretty=format:%H', f'{ORIGIN}/{TARGET_BRANCH}..{ORIGIN}/{SOURCE_BRANCH}').strip().split()
 
   # Convert to full-fledged commit objects
   commits = [repo.get_commit(c) for c in commits]
@@ -172,78 +149,10 @@ def get_current_version():
   with open('package.json', 'r') as f:
     return json.load(f)['version']
 
-# `npm version` doesn't always work because of merge conflicts, so we
-# replace the version in package.json textually.
-def replace_version_package_json(prev_version, new_version):
-  prev_line_is_codeql = False
-  for line in fileinput.input('package.json', inplace = True, encoding='utf-8'):
-    if prev_line_is_codeql and f'\"version\": \"{prev_version}\"' in line:
-      print(line.replace(prev_version, new_version), end='')
-    else:
-      prev_line_is_codeql = False
-      print(line, end='') 
-    if '\"name\": \"codeql\",' in line:
-        prev_line_is_codeql = True 
-
 def get_today_string():
   today = datetime.datetime.today()
   return '{:%d %b %Y}'.format(today)
 
-def process_changelog_for_backports(source_branch_major_version, target_branch_major_version):
-
-  # changelog entries can use the following format to indicate
-  # that they only apply to newer versions
-  some_versions_only_regex = re.compile(r'\[v(\d+)\+ only\]')
-
-  output = ''
-
-  with open('CHANGELOG.md', 'r') as f:
-
-    # until we find the first section, just duplicate all lines
-    found_first_section = False
-    while not found_first_section:
-      line = f.readline()
-      if not line:
-        raise Exception('Could not find any change sections in CHANGELOG.md') # EOF
-
-      if line.startswith('## '):
-        line = line.replace(f'## {source_branch_major_version}', f'## {target_branch_major_version}')
-        found_first_section = True
-
-      output += line
-
-    # found_content tracks whether we hit two headings in a row
-    found_content = False
-    output += '\n'
-    while True:
-      line = f.readline()
-      if not line:
-        break # EOF
-      line = line.rstrip('\n')
-
-      # filter out changenote entries that apply only to newer versions
-      match = some_versions_only_regex.search(line)
-      if match:
-        if int(target_branch_major_version) < int(match.group(1)):
-          continue
-
-      if line.startswith('## '):
-        line = line.replace(f'## {source_branch_major_version}', f'## {target_branch_major_version}')
-        if found_content == False:
-          # we have found two headings in a row, so we need to add the placeholder message.
-          output += 'No user facing changes.\n'
-        found_content = False
-        output += f'\n{line}\n\n'
-      else:
-        if line.strip() != '':
-          found_content = True
-          # we use the original line here, rather than the stripped version
-          # so that we preserve indentation
-          output += line + '\n'
-
-    with open('CHANGELOG.md', 'w') as f:
-      f.write(output)
-
 def update_changelog(version):
   if (os.path.exists('CHANGELOG.md')):
     content = ''
@@ -273,24 +182,6 @@ def main():
     required=True,
     help='The nwo of the repository, for example github/codeql-action.'
   )
-  parser.add_argument(
-    '--source-branch',
-    type=str,
-    required=True,
-    help='Source branch for release branch update.'
-  )
-  parser.add_argument(
-    '--target-branch',
-    type=str,
-    required=True,
-    help='Target branch for release branch update.'
-  )
-  parser.add_argument(
-    '--is-primary-release',
-    action='store_true',
-    default=False,
-    help='Whether this update is the primary release for the current major version.'
-  )
   parser.add_argument(
     '--conductor',
     type=str,
@@ -300,38 +191,24 @@ def main():
 
   args = parser.parse_args()
 
-  source_branch = args.source_branch
-  target_branch = args.target_branch
-  is_primary_release = args.is_primary_release
-
   repo = Github(args.github_token).get_repo(args.repository_nwo)
-
-  # the target branch will be of the form releases/vN, where N is the major version number
-  target_branch_major_version = target_branch.strip('releases/v')
-
-  # split version into major, minor, patch
-  _, v_minor, v_patch = get_current_version().split('.')
-
-  version = f"{target_branch_major_version}.{v_minor}.{v_patch}"
+  version = get_current_version()
 
   # Print what we intend to go
-  print(f'Considering difference between {source_branch} and {target_branch}...')
-  source_branch_short_sha = run_git('rev-parse', '--short', f'{ORIGIN}/{source_branch}').strip()
-  print(f'Current head of {source_branch} is {source_branch_short_sha}.')
+  print(f'Considering difference between {SOURCE_BRANCH} and {TARGET_BRANCH}...')
+  source_branch_short_sha = run_git('rev-parse', '--short', f'{ORIGIN}/{SOURCE_BRANCH}').strip()
+  print(f'Current head of {SOURCE_BRANCH} is {source_branch_short_sha}.')
 
   # See if there are any commits to merge in
-  commits = get_commit_difference(repo=repo, source_branch=source_branch, target_branch=target_branch)
+  commits = get_commit_difference(repo=repo)
   if len(commits) == 0:
-    print(f'No commits to merge from {source_branch} to {target_branch}.')
+    print(f'No commits to merge from {SOURCE_BRANCH} to {TARGET_BRANCH}.')
     return
 
-  # define distinct prefix in order to support specific pr checks on backports
-  branch_prefix = 'update' if is_primary_release else 'backport'
-
   # The branch name is based off of the name of branch being merged into
   # and the SHA of the branch being merged from. Thus if the branch already
   # exists we can assume we don't need to recreate it.
-  new_branch_name = f'{branch_prefix}-v{version}-{source_branch_short_sha}'
+  new_branch_name = f'update-v{version}-{source_branch_short_sha}'
   print(f'Branch name is {new_branch_name}.')
 
   # Check if the branch already exists. If so we can abort as this script
@@ -343,74 +220,17 @@ def main():
   # Create the new branch and push it to the remote
   print(f'Creating branch {new_branch_name}.')
 
-  # The process of creating the v{Older} release can run into merge conflicts. We commit the unresolved
-  # conflicts so a maintainer can easily resolve them (vs erroring and requiring maintainers to
-  # reconstruct the release manually)
-  conflicted_files = []
+  # If we're performing a standard release, there won't be any new commits on the target branch,
+  # as these will have already been merged back into the source branch. Therefore we can just
+  # start from the source branch.
+  run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{SOURCE_BRANCH}')
 
-  if not is_primary_release:
+  print('Updating changelog')
+  update_changelog(version)
 
-    # the source branch will be of the form releases/vN, where N is the major version number
-    source_branch_major_version = source_branch.strip('releases/v')
-
-    # If we're performing a backport, start from the target branch
-    print(f'Creating {new_branch_name} from the {ORIGIN}/{target_branch} branch')
-    run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{target_branch}')
-
-    # Revert the commit that we made as part of the last release that updated the version number and
-    # changelog to refer to {older}.x.x variants. This avoids merge conflicts in the changelog and
-    # package.json files when we merge in the v{latest} branch.
-    # This commit will not exist the first time we release the v{N-1} branch from the v{N} branch, so we
-    # use `git log --grep` to conditionally revert the commit.
-    print('Reverting the version number and changelog updates from the last release to avoid conflicts')
-    vOlder_update_commits = run_git('log', '--grep', f'^{BACKPORT_COMMIT_MESSAGE}', '--format=%H').split()
-
-    if len(vOlder_update_commits) > 0:
-      print(f'  Reverting {vOlder_update_commits[0]}')
-      # Only revert the newest commit as older ones will already have been reverted in previous
-      # releases.
-      run_git('revert', vOlder_update_commits[0], '--no-edit')
-
-      # Also revert the "Update checked-in dependencies" commit created by Actions.
-      update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0]
-      print(f'  Reverting {update_dependencies_commit}')
-      run_git('revert', update_dependencies_commit, '--no-edit')
-
-    else:
-      print('  Nothing to revert.')
-
-    print(f'Merging {ORIGIN}/{source_branch} into the release prep branch')
-    # Commit any conflicts (see the comment for `conflicted_files`)
-    run_git('merge', f'{ORIGIN}/{source_branch}', allow_non_zero_exit_code=True)
-    conflicted_files = run_git('diff', '--name-only', '--diff-filter', 'U').splitlines()
-    if len(conflicted_files) > 0:
-      run_git('add', '.')
-      run_git('commit', '--no-edit')
-
-    # Migrate the package version number from a vLatest version number to a vOlder version number
-    print(f'Setting version number to {version} in package.json')
-    replace_version_package_json(get_current_version(), version) # We rely on the `Update dependencies` workflow to update package-lock.json
-    run_git('add', 'package.json')
-
-    # Migrate the changelog notes from vLatest version numbers to vOlder version numbers
-    print(f'Migrating changelog notes from v{source_branch_major_version} to v{target_branch_major_version}')
-    process_changelog_for_backports(source_branch_major_version, target_branch_major_version)
-
-    # Amend the commit generated by `npm version` to update the CHANGELOG
-    run_git('add', 'CHANGELOG.md')
-    run_git('commit', '-m', f'{BACKPORT_COMMIT_MESSAGE}{version}')
-  else:
-    # If we're performing a standard release, there won't be any new commits on the target branch,
-    # as these will have already been merged back into the source branch. Therefore we can just
-    # start from the source branch.
-    run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{source_branch}')
-
-    print('Updating changelog')
-    update_changelog(version)
-
-    # Create a commit that updates the CHANGELOG
-    run_git('add', 'CHANGELOG.md')
-    run_git('commit', '-m', f'Update changelog for v{version}')
+  # Create a commit that updates the CHANGELOG
+  run_git('add', 'CHANGELOG.md')
+  run_git('commit', '-m', f'Update changelog for v{version}')
 
   run_git('push', ORIGIN, new_branch_name)
 
@@ -420,11 +240,7 @@ def main():
     commits,
     source_branch_short_sha,
     new_branch_name,
-    source_branch=source_branch,
-    target_branch=target_branch,
     conductor=args.conductor,
-    is_primary_release=is_primary_release,
-    conflicted_files=conflicted_files
   )
 
 if __name__ == '__main__':

.github/workflows/__all-platform-bundle.yml

@@ -7,58 +7,61 @@ name: PR Check - All-platform bundle
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   all-platform-bundle:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: nightly-latest
     name: All-platform bundle
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'true'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - id: init
-        uses: ./../action/init
-        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'true'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - id: init
+      uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/actions/setup-swift
+      with:
+        codeql-path: ${{ steps.init.outputs.codeql-path }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__analyze-ref-input.yml

@@ -7,65 +7,108 @@ name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   analyze-ref-input:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
+        - os: ubuntu-latest
+          version: stable-20220908
+        - os: macos-latest
+          version: stable-20220908
+        - os: windows-latest
+          version: stable-20220908
+        - os: ubuntu-latest
+          version: stable-20221211
+        - os: macos-latest
+          version: stable-20221211
+        - os: windows-latest
+          version: stable-20221211
+        - os: ubuntu-latest
+          version: stable-20230418
+        - os: macos-latest
+          version: stable-20230418
+        - os: windows-latest
+          version: stable-20230418
+        - os: ubuntu-latest
+          version: stable-v2.13.5
+        - os: macos-latest
+          version: stable-v2.13.5
+        - os: windows-latest
+          version: stable-v2.13.5
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+        - os: macos-latest
+          version: stable-v2.14.6
+        - os: windows-latest
+          version: stable-v2.14.6
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: windows-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: "Analyze: 'ref' and 'sha' from inputs"
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        languages: cpp,csharp,java,javascript,python
+        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+          github.sha }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
+        ref: refs/heads/main
+        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__autobuild-action.yml

@@ -7,69 +7,76 @@ name: PR Check - autobuild-action
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   autobuild-action:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
     name: autobuild-action
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: csharp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        env:
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        languages: csharp
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/autobuild
+      env:
       # Explicitly disable the CLR tracer.
-          COR_ENABLE_PROFILING: ''
-          COR_PROFILER: ''
-          COR_PROFILER_PATH_64: ''
-          CORECLR_ENABLE_PROFILING: ''
-          CORECLR_PROFILER: ''
-          CORECLR_PROFILER_PATH_64: ''
-      - uses: ./../action/analyze
-      - name: Check database
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d csharp ]]; then
-            echo "Did not find a C# database"
-            exit 1
-          fi
+        COR_ENABLE_PROFILING: ''
+        COR_PROFILER: ''
+        COR_PROFILER_PATH_64: ''
+        CORECLR_ENABLE_PROFILING: ''
+        CORECLR_PROFILER: ''
+        CORECLR_PROFILER_PATH_64: ''
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
+    - name: Check database
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d csharp ]]; then
+          echo "Did not find a C# database"
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -1,80 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Autobuild direct tracing (custom working directory)
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  autobuild-direct-tracing-with-working-dir:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Autobuild direct tracing (custom working directory)
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        shell: bash
-        run: |
-          # Make sure that Gradle build succeeds in autobuild-dir ...
-          cp -a ../action/tests/java-repo autobuild-dir
-          # ... and fails if attempted in the current directory
-          echo > build.gradle
-      - uses: ./../action/init
-        with:
-          build-mode: autobuild
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Check that indirect tracing is disabled
-        shell: bash
-        run: |
-          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
-            echo "Expected indirect tracing to be disabled, but the" \
-              "CODEQL_RUNNER environment variable is set."
-            exit 1
-          fi
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__autobuild-direct-tracing.yml

@@ -1,81 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Autobuild direct tracing
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  autobuild-direct-tracing:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Autobuild direct tracing
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Set up Java test repo configuration
-        shell: bash
-        run: |
-          mv * .github ../action/tests/multi-language-repo/
-          mv ../action/tests/multi-language-repo/.github/workflows .github
-          mv ../action/tests/java-repo/* .
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: autobuild
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Check that indirect tracing is disabled
-        shell: bash
-        run: |
-          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
-            echo "Expected indirect tracing to be disabled, but the" \
-              "CODEQL_RUNNER environment variable is set."
-            exit 1
-          fi
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__build-mode-autobuild.yml

@@ -1,73 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Build mode autobuild
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  build-mode-autobuild:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode autobuild
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Set up Java test repo configuration
-        run: |
-          mv * .github ../action/tests/multi-language-repo/
-          mv ../action/tests/multi-language-repo/.github/workflows .github
-          mv ../action/tests/java-repo/* .
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: autobuild
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate database build mode
-        run: |
-          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
-          build_mode=$(yq eval '.buildMode' "$metadata_path")
-          if [[ "$build_mode" != "autobuild" ]]; then
-            echo "Expected build mode to be 'autobuild' but was $build_mode"
-            exit 1
-          fi
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__build-mode-manual.yml

@@ -1,76 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Build mode manual
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  build-mode-manual:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode manual
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: manual
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate database build mode
-        run: |
-          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
-          build_mode=$(yq eval '.buildMode' "$metadata_path")
-          if [[ "$build_mode" != "manual" ]]; then
-            echo "Expected build mode to be 'manual' but was $build_mode"
-            exit 1
-          fi
-
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__build-mode-none.yml

@@ -1,73 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Build mode none
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  build-mode-none:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode none
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate database build mode
-        run: |
-          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
-          build_mode=$(yq eval '.buildMode' "$metadata_path")
-          if [[ "$build_mode" != "none" ]]; then
-            echo "Expected build mode to be 'none' but was $build_mode"
-            exit 1
-          fi
-
-  # The latest nightly supports omitting the autobuild Action when the build mode is specified.
-      - uses: ./../action/autobuild
-        if: matrix.version != 'nightly-latest'
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__build-mode-rollback.yml

@@ -1,74 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Build mode rollback
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  build-mode-rollback:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode rollback
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Set up Java test repo configuration
-        run: |
-          mv * .github ../action/tests/multi-language-repo/
-          mv ../action/tests/multi-language-repo/.github/workflows .github
-          mv ../action/tests/java-repo/* .
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate database build mode
-        run: |
-          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
-          build_mode=$(yq eval '.buildMode' "$metadata_path")
-          if [[ "$build_mode" != "autobuild" ]]; then
-            echo "Expected build mode to be 'autobuild' but was $build_mode"
-            exit 1
-          fi
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -1,69 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Clean up database cluster directory
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  cleanup-db-cluster-dir:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Clean up database cluster directory
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Add a file to the database cluster directory
-        run: |
-          mkdir -p "${{ runner.temp }}/customDbLocation/javascript"
-          touch "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt"
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate file cleaned up
-        run: |
-          if [[ -f "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt" ]]; then
-            echo "File was not cleaned up"
-            exit 1
-          fi
-          echo "File was cleaned up"
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__config-export.yml

@@ -7,94 +7,100 @@ name: PR Check - Config export
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   config-export:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: Config export
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          queries: security-extended
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check config properties appear in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        queries: security-extended
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v3
+      with:
+        name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+        path: ${{ runner.temp }}/results/javascript.sarif
+        retention-days: 7
+    - name: Check config properties appear in SARIF
+      uses: actions/github-script@v6
+      env:
+        SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+      with:
+        script: |
+          const fs = require('fs');
 
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-            const configSummary = run.properties.codeqlConfigSummary;
+          const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+          const run = sarif.runs[0];
+          const configSummary = run.properties.codeqlConfigSummary;
 
-            if (configSummary === undefined) {
-              core.setFailed('`codeqlConfigSummary` property not found in the SARIF run property bag.');
-            }
-            if (configSummary.disableDefaultQueries !== false) {
-              core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' +
-                `${JSON.stringify(configSummary.disableDefaultQueries)}.`);
-            }
-            const expectedQueries = [{ type: 'builtinSuite', uses: 'security-extended' }];
-            // Use JSON.stringify to deep-equal the arrays.
-            if (JSON.stringify(configSummary.queries) !== JSON.stringify(expectedQueries)) {
-              core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` +
-                `${JSON.stringify(configSummary.queries)}.`);
-            }
-            core.info('Finished config export tests.');
+          if (configSummary === undefined) {
+            core.setFailed('`codeqlConfigSummary` property not found in the SARIF run property bag.');
+          }
+          if (configSummary.disableDefaultQueries !== false) {
+            core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' + 
+              `${JSON.stringify(configSummary.disableDefaultQueries)}.`);
+          }
+          const expectedQueries = [{ type: 'builtinSuite', uses: 'security-extended' }];
+          // Use JSON.stringify to deep-equal the arrays.
+          if (JSON.stringify(configSummary.queries) !== JSON.stringify(expectedQueries)) {
+            core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` + 
+              `${JSON.stringify(configSummary.queries)}.`);
+          }
+          core.info('Finished config export tests.');
     env:
+      CODEQL_PASS_CONFIG_TO_CLI: true
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__config-input.yml

@@ -1,77 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Config input
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  config-input:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Config input
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Copy queries into workspace
-        run: |
-          cp -a ../action/queries .
-
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: javascript
-          build-mode: none
-          config: |
-            disable-default-queries: true
-            queries:
-              - name: Run custom query
-                uses: ./queries/default-setup-environment-variables.ql
-            paths-ignore:
-              - tests
-              - lib
-
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-
-      - name: Check SARIF
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/codeql-action/default-setup-env-vars
-          queries-not-run: javascript/codeql-action/default-setup-context-properties
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cpp-deptrace-disabled.yml

@@ -1,73 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - C/C++: disabling autoinstalling dependencies (Linux)'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  cpp-deptrace-disabled:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'C/C++: disabling autoinstalling dependencies (Linux)'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        shell: bash
-        run: |
-          cp -a ../action/tests/cpp-autobuild autobuild-dir
-      - uses: ./../action/init
-        with:
-          languages: cpp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-        env:
-          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
-      - shell: bash
-        run: |
-          if ls /usr/bin/errno; then
-            echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
-            exit 1
-          fi
-    env:
-      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cpp-deptrace-enabled-on-macos.yml

@@ -1,73 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - C/C++: autoinstalling dependencies is skipped (macOS)'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  cpp-deptrace-enabled-on-macos:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: macos-latest
-            version: nightly-latest
-    name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        shell: bash
-        run: |
-          cp -a ../action/tests/cpp-autobuild autobuild-dir
-      - uses: ./../action/init
-        with:
-          languages: cpp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-        env:
-          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - shell: bash
-        run: |
-          if ! ls /usr/bin/errno; then
-            echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
-          else
-            echo "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES should not have had any effect on macOS"
-            exit 1
-          fi
-    env:
-      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cpp-deptrace-enabled.yml

@@ -1,73 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - C/C++: autoinstalling dependencies (Linux)'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  cpp-deptrace-enabled:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'C/C++: autoinstalling dependencies (Linux)'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        shell: bash
-        run: |
-          cp -a ../action/tests/cpp-autobuild autobuild-dir
-      - uses: ./../action/init
-        with:
-          languages: cpp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-        env:
-          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - shell: bash
-        run: |
-          if ! ls /usr/bin/errno; then
-            echo "Did not autoinstall errno"
-            exit 1
-          fi
-    env:
-      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__diagnostics-export.yml

@@ -7,131 +7,146 @@ name: PR Check - Diagnostic export
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   diagnostics-export:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: stable-20230317
+        - os: macos-latest
+          version: stable-20230317
+        - os: windows-latest
+          version: stable-20230317
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: Diagnostic export
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Add test diagnostics
-        shell: bash
-        env:
-          CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
-        run: |
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      id: init
+      with:
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Add test diagnostics
+      shell: bash
+      env:
+        CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
+      run: |
+        for i in {1..2}; do
+          # Use the same location twice to test the workaround for the bug in CodeQL CLI 2.12.5 that
+          # produces an invalid diagnostic with multiple identical location objects.
           "$CODEQL_PATH" database add-diagnostic \
             "$RUNNER_TEMP/codeql_databases/javascript" \
             --file-path /path/to/file \
-            --plaintext-message "Plaintext message" \
+            --plaintext-message "Plaintext message $i" \
             --source-id "lang/diagnostics/example" \
             --source-name "Diagnostic name" \
             --ready-for-status-page
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostics appear in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
+        done
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v3
+      with:
+        name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+        path: ${{ runner.temp }}/results/javascript.sarif
+        retention-days: 7
+    - name: Check diagnostics appear in SARIF
+      uses: actions/github-script@v6
+      env:
+        SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+      with:
+        script: |
+          const fs = require('fs');
 
-            function checkStatusPageNotification(n) {
-              const expectedMessage = 'Plaintext message';
-              if (n.message.text !== expectedMessage) {
-                core.setFailed(`Expected the status page diagnostic to have the message '${expectedMessage}', but found '${n.message.text}'.`);
-              }
-              if (n.locations.length !== 1) {
-                core.setFailed(`Expected the status page diagnostic to have exactly 1 location, but found ${n.locations.length}.`);
-              }
+          function checkStatusPageNotification(n) {
+            const expectedMessage = 'Plaintext message 1\n\nCodeQL also found 1 other diagnostic like this. See the workflow log for details.';
+            if (n.message.text !== expectedMessage) {
+              core.setFailed(`Expected the status page diagnostic to have the message '${expectedMessage}', but found '${n.message.text}'.`);
             }
+            if (n.locations.length !== 1) {
+              core.setFailed(`Expected the status page diagnostic to have exactly 1 location, but found ${n.locations.length}.`);
+            }
+          }
 
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
+          const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+          const run = sarif.runs[0];
 
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const statusPageNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'lang/diagnostics/example' && n.properties?.visibility?.statusPage
+          const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+          const statusPageNotifications = toolExecutionNotifications.filter(n =>
+            n.descriptor.id === 'lang/diagnostics/example' && n.properties?.visibility?.statusPage
+          );
+          if (statusPageNotifications.length !== 1) {
+            core.setFailed(
+              'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
+                `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                `${statusPageNotifications.length}. All notification reporting descriptors: ` + 
+                `${JSON.stringify(toolExecutionNotifications)}.`
             );
-            if (statusPageNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${statusPageNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-            checkStatusPageNotification(statusPageNotifications[0]);
+          }
+          checkStatusPageNotification(statusPageNotifications[0]);
 
-            const notifications = run.tool.driver.notifications;
-            const diagnosticNotification = notifications.filter(n =>
-              n.id === 'lang/diagnostics/example' && n.name === 'lang/diagnostics/example' &&
-                n.fullDescription.text === 'Diagnostic name'
+          const notifications = run.tool.driver.notifications;
+          const diagnosticNotification = notifications.filter(n =>
+            n.id === 'lang/diagnostics/example' && n.name === 'lang/diagnostics/example' &&
+              n.fullDescription.text === 'Diagnostic name'
+          );
+          if (diagnosticNotification.length !== 1) {
+            core.setFailed(
+              'Expected exactly one notification for this diagnostic in the ' +
+                `'runs[].tool.driver.notifications[]' SARIF property, but found ` +
+                `${diagnosticNotification.length}. All notifications: ` +
+                `${JSON.stringify(notifications)}.`
             );
-            if (diagnosticNotification.length !== 1) {
-              core.setFailed(
-                'Expected exactly one notification for this diagnostic in the ' +
-                  `'runs[].tool.driver.notifications[]' SARIF property, but found ` +
-                  `${diagnosticNotification.length}. All notifications: ` +
-                  `${JSON.stringify(notifications)}.`
-              );
-            }
+          }
 
-            core.info('Finished diagnostic export test');
+          core.info('Finished diagnostic export test');
     env:
       CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__export-file-baseline-information.yml

@@ -7,94 +7,96 @@ name: PR Check - Export file baseline information
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   export-file-baseline-information:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: Export file baseline information
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/.github/actions/setup-swift
-        if: runner.os == 'macOS'
-        with:
-          codeql-path: ${{ steps.init.outputs.codeql-path }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          expected_baseline_languages="c csharp go java kotlin javascript python ruby"
-          if [[ $RUNNER_OS == "macOS" ]]; then
-            expected_baseline_languages+=" swift"
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      id: init
+      with:
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        CODEQL_FILE_BASELINE_INFORMATION: true
+    - uses: ./../action/.github/actions/setup-swift
+      with:
+        codeql-path: ${{ steps.init.outputs.codeql-path }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+      env:
+        CODEQL_FILE_BASELINE_INFORMATION: true
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v3
+      with:
+        name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+        path: ${{ runner.temp }}/results/javascript.sarif
+        retention-days: 7
+    - name: Check results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        expected_baseline_languages="cpp cs go java js py rb"
+        if [[ $RUNNER_OS != "Windows" ]]; then
+          expected_baseline_languages+=" swift"
+        fi
 
-          for lang in ${expected_baseline_languages}; do
-            rule_name="cli/expected-extracted-files/${lang}"
-            found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
-              select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
-            if [[ "${found_notification}" != "true" ]]; then
-              echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
-              exit 1
-            else
-              echo "Found notification '${rule_name}'."
-            fi
-          done
+        for lang in ${expected_baseline_languages}; do
+          rule_name="${lang}/baseline/expected-extracted-files"
+          found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
+            select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
+          if [[ "${found_notification}" != "true" ]]; then
+            echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
+            exit 1
+          else
+            echo "Found notification '${rule_name}'."
+          fi
+        done
     env:
-      CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__extract-direct-to-toolcache.yml

@@ -1,96 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Extract directly to toolcache
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  extract-direct-to-toolcache:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: Extract directly to toolcache
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            fs.rmdirSync(codeqlPath, { recursive: true });
-      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache
-      - name: Check toolcache does not contain CodeQL
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            if (allCodeqlVersions.length !== 0) {
-              throw new Error(`CodeQL should not be found in the toolcache, but found ${allCodeqlVersions}`);
-            }
-            console.log('No versions of CodeQL found in the toolcache');
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
-            if (allCodeqlVersions.length === 0) {
-              throw new Error('CodeQL not found in toolcache');
-            }
-            if (allCodeqlVersions.length > 1) {
-              throw new Error('Multiple CodeQL versions found in toolcache');
-            }
-    env:
-      CODEQL_ACTION_EXTRACT_TOOLCACHE: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__extractor-ram-threads.yml

@@ -7,67 +7,72 @@ name: PR Check - Extractor ram and threads options test
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   extractor-ram-threads:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
+        - os: ubuntu-latest
+          version: latest
     name: Extractor ram and threads options test
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: java
-          ram: 230
-          threads: 1
-      - name: Assert Results
-        shell: bash
-        run: |
-          if [ "${CODEQL_RAM}" != "230" ]; then
-            echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
-            exit 1
-          fi
-          if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
-            echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
-            exit 1
-          fi
-          if [ "${CODEQL_THREADS}" != "1" ]; then
-            echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
-            exit 1
-          fi
-          if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
-            echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        languages: java
+        ram: 230
+        threads: 1
+    - name: Assert Results
+      shell: bash
+      run: |
+        if [ "${CODEQL_RAM}" != "230" ]; then
+          echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
+          exit 1
+        fi
+        if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
+          echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
+          exit 1
+        fi
+        if [ "${CODEQL_THREADS}" != "1" ]; then
+          echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
+          exit 1
+        fi
+        if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
+          echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-custom-queries.yml

@@ -7,60 +7,106 @@ name: 'PR Check - Go: Custom queries'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   go-custom-queries:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: stable-20220908
+        - os: macos-latest
+          version: stable-20220908
+        - os: windows-latest
+          version: stable-20220908
+        - os: ubuntu-latest
+          version: stable-20221211
+        - os: macos-latest
+          version: stable-20221211
+        - os: windows-latest
+          version: stable-20221211
+        - os: ubuntu-latest
+          version: stable-20230418
+        - os: macos-latest
+          version: stable-20230418
+        - os: windows-latest
+          version: stable-20230418
+        - os: ubuntu-latest
+          version: stable-v2.13.5
+        - os: macos-latest
+          version: stable-v2.13.5
+        - os: windows-latest
+          version: stable-v2.13.5
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+        - os: macos-latest
+          version: stable-v2.14.6
+        - os: windows-latest
+          version: stable-v2.14.6
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: windows-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: 'Go: Custom queries'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          config-file: ./.github/codeql/custom-queries.yml
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        languages: go
+        config-file: ./.github/codeql/custom-queries.yml
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -7,86 +7,90 @@ name: 'PR Check - Go: diagnostic when Go is changed after init step'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   go-indirect-tracing-workaround-diagnostic:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: default
+        - os: ubuntu-latest
+          version: stable-v2.14.6
     name: 'Go: diagnostic when Go is changed after init step'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: actions/setup-go@v4
+      with:
+      # We need a Go version that ships with statically linked binaries on Linux
+        go-version: '>=1.21.0'
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
   # Deliberately change Go after the `init` step
-      - uses: actions/setup-go@v5
-        with:
-          go-version: '1.20'
-      - name: Build code
-        shell: bash
-        run: go build main.go
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
-        with:
-          script: |
-            const fs = require('fs');
+    - uses: actions/setup-go@v4
+      with:
+        go-version: '1.20'
+    - name: Build code
+      shell: bash
+      run: go build main.go
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+    - name: Check diagnostic appears in SARIF
+      uses: actions/github-script@v6
+      env:
+        SARIF_PATH: ${{ runner.temp }}/results/go.sarif
+      with:
+        script: |
+          const fs = require('fs');
 
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
+          const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+          const run = sarif.runs[0];
 
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const statusPageNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'go/workflow/go-installed-after-codeql-init' && n.properties?.visibility?.statusPage
+          const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+          const statusPageNotifications = toolExecutionNotifications.filter(n =>
+            n.descriptor.id === 'go/workflow/go-installed-after-codeql-init' && n.properties?.visibility?.statusPage
+          );
+          if (statusPageNotifications.length !== 1) {
+            core.setFailed(
+              'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
+                `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                `${statusPageNotifications.length}. All notification reporting descriptors: ` +
+                `${JSON.stringify(toolExecutionNotifications)}.`
             );
-            if (statusPageNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${statusPageNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
+          }
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml

@@ -1,93 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - Go: diagnostic when `file` is not installed'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  go-indirect-tracing-workaround-no-file-program:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: 'Go: diagnostic when `file` is not installed'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - name: Remove `file` program
-        run: |
-          echo $(which file)
-          sudo rm -rf $(which file)
-          echo $(which file)
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: go build main.go
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const statusPageNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'go/workflow/file-program-unavailable' && n.properties?.visibility?.statusPage
-            );
-            if (statusPageNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${statusPageNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -7,82 +7,88 @@ name: 'PR Check - Go: workaround for indirect tracing'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   go-indirect-tracing-workaround:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: default
+        - os: ubuntu-latest
+          version: stable-v2.14.6
     name: 'Go: workaround for indirect tracing'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: go build main.go
-      - uses: ./../action/analyze
-      - shell: bash
-        run: |
-          if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
-            echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
-              "CODEQL_ACTION_GO_BINARY environment variable is not set."
-            exit 1
-          fi
-          if [[ ! -f "${CODEQL_ACTION_GO_BINARY}" ]]; then
-            echo "CODEQL_ACTION_GO_BINARY is set, but the corresponding script does not exist."
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: actions/setup-go@v4
+      with:
+      # We need a Go version that ships with statically linked binaries on Linux
+        go-version: '>=1.21.0'
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: go build main.go
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
+    - shell: bash
+      run: |
+        if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
+          echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
+            "CODEQL_ACTION_GO_BINARY environment variable is not set."
+          exit 1
+        fi
+        if [[ ! -f "${CODEQL_ACTION_GO_BINARY}" ]]; then
+          echo "CODEQL_ACTION_GO_BINARY is set, but the corresponding script does not exist."
+          exit 1
+        fi
 
 
-          # Once we start running Bash 4.2 in all environments, we can replace the
-          # `! -z` flag with the more elegant `-v` which confirms that the variable
-          # is actually unset and not potentially set to a blank value.
-          if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
-            echo "Expected the Go autobuilder not to be run, but the" \
-              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
-            exit 1
-          fi
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d go ]]; then
-            echo "Did not find a Go database"
-            exit 1
-          fi
+        # Once we start running Bash 4.2 in all environments, we can replace the
+        # `! -z` flag with the more elegant `-v` which confirms that the variable
+        # is actually unset and not potentially set to a blank value.
+        if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
+          echo "Expected the Go autobuilder not to be run, but the" \
+            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
+          exit 1
+        fi
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-tracing-autobuilder.yml

@@ -7,97 +7,102 @@ name: 'PR Check - Go: tracing with autobuilder step'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   go-tracing-autobuilder:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: stable-20220908
+        - os: macos-latest
+          version: stable-20220908
+        - os: ubuntu-latest
+          version: stable-20221211
+        - os: macos-latest
+          version: stable-20221211
+        - os: ubuntu-latest
+          version: stable-20230418
+        - os: macos-latest
+          version: stable-20230418
+        - os: ubuntu-latest
+          version: stable-v2.13.5
+        - os: macos-latest
+          version: stable-v2.13.5
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+        - os: macos-latest
+          version: stable-v2.14.6
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
     name: 'Go: tracing with autobuilder step'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-      - uses: ./../action/analyze
-      - shell: bash
-        run: |
-          if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
-            echo "Expected the Go autobuilder to be run, but the" \
-              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
-            exit 1
-          fi
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d go ]]; then
-            echo "Did not find a Go database"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: actions/setup-go@v4
+      with:
+        go-version: ~1.21.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/autobuild
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
+    - shell: bash
+      run: |
+        if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
+          echo "Expected the Go autobuilder to be run, but the" \
+            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
+          exit 1
+        fi
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -7,101 +7,106 @@ name: 'PR Check - Go: tracing with custom build steps'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   go-tracing-custom-build-steps:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: stable-20220908
+        - os: macos-latest
+          version: stable-20220908
+        - os: ubuntu-latest
+          version: stable-20221211
+        - os: macos-latest
+          version: stable-20221211
+        - os: ubuntu-latest
+          version: stable-20230418
+        - os: macos-latest
+          version: stable-20230418
+        - os: ubuntu-latest
+          version: stable-v2.13.5
+        - os: macos-latest
+          version: stable-v2.13.5
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+        - os: macos-latest
+          version: stable-v2.14.6
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
     name: 'Go: tracing with custom build steps'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: go build main.go
-      - uses: ./../action/analyze
-      - shell: bash
-        run: |
-          # Once we start running Bash 4.2 in all environments, we can replace the
-          # `! -z` flag with the more elegant `-v` which confirms that the variable
-          # is actually unset and not potentially set to a blank value.
-          if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
-            echo "Expected the Go autobuilder not to be run, but the" \
-              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
-            exit 1
-          fi
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d go ]]; then
-            echo "Did not find a Go database"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: actions/setup-go@v4
+      with:
+        go-version: ~1.21.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: go build main.go
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
+    - shell: bash
+      run: |
+        # Once we start running Bash 4.2 in all environments, we can replace the
+        # `! -z` flag with the more elegant `-v` which confirms that the variable
+        # is actually unset and not potentially set to a blank value.
+        if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
+          echo "Expected the Go autobuilder not to be run, but the" \
+            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
+          exit 1
+        fi
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -7,91 +7,96 @@ name: 'PR Check - Go: tracing with legacy workflow'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   go-tracing-legacy-workflow:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: stable-20220908
+        - os: macos-latest
+          version: stable-20220908
+        - os: ubuntu-latest
+          version: stable-20221211
+        - os: macos-latest
+          version: stable-20221211
+        - os: ubuntu-latest
+          version: stable-20230418
+        - os: macos-latest
+          version: stable-20230418
+        - os: ubuntu-latest
+          version: stable-v2.13.5
+        - os: macos-latest
+          version: stable-v2.13.5
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+        - os: macos-latest
+          version: stable-v2.14.6
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
     name: 'Go: tracing with legacy workflow'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-      - shell: bash
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d go ]]; then
-            echo "Did not find a Go database"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: actions/setup-go@v4
+      with:
+        go-version: ~1.21.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
+    - shell: bash
+      run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__init-with-registries.yml

@@ -7,44 +7,42 @@ name: 'PR Check - Packaging: Download using registries'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   init-with-registries:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: windows-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: 'Packaging: Download using registries'
     permissions:
       contents: read
@@ -53,77 +51,84 @@ jobs:
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Init with registries
-        uses: ./../action/init
-        with:
-          db-location: ${{ runner.temp }}/customDbLocation
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          config-file: ./.github/codeql/codeql-config-registries.yml
-          languages: javascript
-          registries: |
-            - url: "https://ghcr.io/v2/"
-              packages: "*/*"
-              token: "${{ secrets.GITHUB_TOKEN }}"
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - name: Init with registries
+      uses: ./../action/init
+      with:
+        db-location: ${{ runner.temp }}/customDbLocation
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        config-file: ./.github/codeql/codeql-config-registries.yml
+        languages: javascript
+        registries: |
+          - url: "https://ghcr.io/v2/"
+            packages: "*/*"
+            token: "${{ secrets.GITHUB_TOKEN }}"
 
-      - name: Verify packages installed
-        shell: bash
-        run: |
-          PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
-          CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
+    - name: Verify packages installed
+      shell: bash
+      run: |
+        PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
+        CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
 
-          if [[ -d $PRIVATE_PACK ]]
-          then
-              echo "$PRIVATE_PACK was installed."
-          else
-              echo "::error $PRIVATE_PACK pack was not installed."
-              exit 1
-          fi
+        if [[ -d $PRIVATE_PACK ]]
+        then
+            echo "$PRIVATE_PACK was installed."
+        else
+            echo "::error $PRIVATE_PACK pack was not installed."
+            exit 1
+        fi
 
-          if [[ -d $CODEQL_PACK1 ]]
-          then
-              echo "$CODEQL_PACK1 was installed."
-          else
-              echo "::error $CODEQL_PACK1 pack was not installed."
-              exit 1
-          fi
+        if [[ -d $CODEQL_PACK1 ]]
+        then
+            echo "$CODEQL_PACK1 was installed."
+        else
+            echo "::error $CODEQL_PACK1 pack was not installed."
+            exit 1
+        fi
 
-      - name: Verify qlconfig.yml file was created
-        shell: bash
-        run: |
-          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
-          echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
-          if [[ -f $QLCONFIG_PATH ]]
-          then
-              echo "qlconfig.yml file was created."
-          else
-              echo "::error qlconfig.yml file was not created."
-              exit 1
-          fi
+    - name: Verify qlconfig.yml file was created
+      shell: bash
+      run: |
+        QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
+        echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
+        if [[ -f $QLCONFIG_PATH ]]
+        then
+            echo "qlconfig.yml file was created."
+        else
+            echo "::error qlconfig.yml file was not created."
+            exit 1
+        fi
 
-      - name: Verify contents of qlconfig.yml
+    - name: Verify contents of qlconfig.yml
     # yq is not available on windows
-        if: runner.os != 'Windows'
-        shell: bash
-        run: |
-          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
-          cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
-          if [[ $? -eq 0 ]]
-          then
-              echo "Registry was added to qlconfig.yml file."
-          else
-              echo "::error Registry was not added to qlconfig.yml file."
-              echo "Contents of qlconfig.yml file:"
-              cat $QLCONFIG_PATH
-              exit 1
-          fi
+      if: runner.os != 'Windows'
+      shell: bash
+      run: |
+        QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
+        cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
+        if [[ $? -eq 0 ]]
+        then
+            echo "Registry was added to qlconfig.yml file."
+        else
+            echo "::error Registry was not added to qlconfig.yml file."
+            echo "Contents of qlconfig.yml file:"
+            cat $QLCONFIG_PATH
+            exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__javascript-source-root.yml

@@ -7,68 +7,75 @@ name: PR Check - Custom source root
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   javascript-source-root:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: ubuntu-latest
+          version: default
+        - os: ubuntu-latest
+          version: nightly-latest
     name: Custom source root
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../new-source-root
-          mv * ../new-source-root
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          source-root: ../new-source-root
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          skip-queries: true
-      - name: Assert database exists
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d javascript ]]; then
-            echo "Did not find a JavaScript database"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - name: Move codeql-action
+      shell: bash
+      run: |
+        mkdir ../new-source-root
+        mv * ../new-source-root
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        source-root: ../new-source-root
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
+        skip-queries: true
+        upload: never
+    - name: Assert database exists
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d javascript ]]; then
+          echo "Did not find a JavaScript database"
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__job-run-uuid-sarif.yml

@@ -1,74 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Job run UUID added to SARIF
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  job-run-uuid-sarif:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Job run UUID added to SARIF
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
-          if [[ "$actual" != "$JOB_RUN_UUID" ]]; then
-            echo "Expected SARIF output to contain job run UUID '$JOB_RUN_UUID', but found '$actual'."
-            exit 1
-          else
-            echo "Found job run UUID '$actual'."
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__language-aliases.yml

@@ -7,58 +7,63 @@ name: PR Check - Language aliases
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   language-aliases:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
+        - os: ubuntu-latest
+          version: latest
     name: Language aliases
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: C#,java-kotlin,swift,typescript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        languages: C#,java-kotlin,swift,typescript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-      - name: Check languages
-        run: |
-          expected_languages="csharp,java,swift,javascript"
-          actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
+    - name: Check languages
+      run: |
+        expected_languages="csharp,java,swift,javascript"
+        actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
 
-          if [ "$expected_languages" != "$actual_languages" ]; then
-            echo "Resolved languages did not match expected list. " \
-              "Expected languages: $expected_languages. Actual languages: $actual_languages."
-            exit 1
-          fi
+        if [ "$expected_languages" != "$actual_languages" ]; then
+          echo "Resolved languages did not match expected list. " \
+            "Expected languages: $expected_languages. Actual languages: $actual_languages."
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__multi-language-autodetect.yml

@@ -7,148 +7,147 @@ name: PR Check - Multi-language repository
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   multi-language-autodetect:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: nightly-latest
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: stable-20220908
+        - os: macos-latest
+          version: stable-20220908
+        - os: ubuntu-latest
+          version: stable-20221211
+        - os: macos-latest
+          version: stable-20221211
+        - os: ubuntu-latest
+          version: stable-20230418
+        - os: macos-latest
+          version: stable-20230418
+        - os: ubuntu-latest
+          version: stable-v2.13.5
+        - os: macos-latest
+          version: stable-v2.13.5
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+        - os: macos-latest
+          version: stable-v2.14.6
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
     name: Multi-language repository
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        id: init
-        with:
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
-            || '' }}
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      id: init
+      with:
+        db-location: ${{ runner.temp }}/customDbLocation
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-      - uses: ./../action/.github/actions/setup-swift
-        if: runner.os == 'macOS'
-        with:
-          codeql-path: ${{ steps.init.outputs.codeql-path }}
+    - uses: ./../action/.github/actions/setup-swift
+      with:
+        codeql-path: ${{ steps.init.outputs.codeql-path }}
 
-      - name: Build code
-        shell: bash
-        run: ./build.sh
+    - name: Build code
+      shell: bash
+      run: ./build.sh
 
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
+    - uses: ./../action/analyze
+      id: analysis
+      with:
+        upload-database: false
 
-      - name: Check language autodetect for all languages excluding Swift
-        shell: bash
-        run: |
-          CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
-          if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for CPP, or created it in the wrong location."
-            exit 1
-          fi
-          CSHARP_DB=${{ fromJson(steps.analysis.outputs.db-locations).csharp }}
-          if [[ ! -d $CSHARP_DB ]] || [[ ! $CSHARP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for C Sharp, or created it in the wrong location."
-            exit 1
-          fi
-          GO_DB=${{ fromJson(steps.analysis.outputs.db-locations).go }}
-          if [[ ! -d $GO_DB ]] || [[ ! $GO_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Go, or created it in the wrong location."
-            exit 1
-          fi
-          JAVA_DB=${{ fromJson(steps.analysis.outputs.db-locations).java }}
-          if [[ ! -d $JAVA_DB ]] || [[ ! $JAVA_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Java, or created it in the wrong location."
-            exit 1
-          fi
-          JAVASCRIPT_DB=${{ fromJson(steps.analysis.outputs.db-locations).javascript }}
-          if [[ ! -d $JAVASCRIPT_DB ]] || [[ ! $JAVASCRIPT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Javascript, or created it in the wrong location."
-            exit 1
-          fi
-          PYTHON_DB=${{ fromJson(steps.analysis.outputs.db-locations).python }}
-          if [[ ! -d $PYTHON_DB ]] || [[ ! $PYTHON_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Python, or created it in the wrong location."
-            exit 1
-          fi
-          RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
-          if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Ruby, or created it in the wrong location."
-            exit 1
-          fi
+    - name: Check language autodetect for all languages excluding Swift
+      shell: bash
+      run: |
+        CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
+        if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for CPP, or created it in the wrong location."
+          exit 1
+        fi
+        CSHARP_DB=${{ fromJson(steps.analysis.outputs.db-locations).csharp }}
+        if [[ ! -d $CSHARP_DB ]] || [[ ! $CSHARP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for C Sharp, or created it in the wrong location."
+          exit 1
+        fi
+        GO_DB=${{ fromJson(steps.analysis.outputs.db-locations).go }}
+        if [[ ! -d $GO_DB ]] || [[ ! $GO_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Go, or created it in the wrong location."
+          exit 1
+        fi
+        JAVA_DB=${{ fromJson(steps.analysis.outputs.db-locations).java }}
+        if [[ ! -d $JAVA_DB ]] || [[ ! $JAVA_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Java, or created it in the wrong location."
+          exit 1
+        fi
+        JAVASCRIPT_DB=${{ fromJson(steps.analysis.outputs.db-locations).javascript }}
+        if [[ ! -d $JAVASCRIPT_DB ]] || [[ ! $JAVASCRIPT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Javascript, or created it in the wrong location."
+          exit 1
+        fi
+        PYTHON_DB=${{ fromJson(steps.analysis.outputs.db-locations).python }}
+        if [[ ! -d $PYTHON_DB ]] || [[ ! $PYTHON_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Python, or created it in the wrong location."
+          exit 1
+        fi
+        RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
+        if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Ruby, or created it in the wrong location."
+          exit 1
+        fi
 
-      - name: Check language autodetect for Swift on macOS
-        if: runner.os == 'macOS'
-        shell: bash
-        run: |
-          SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
-          if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Swift, or created it in the wrong location."
-            exit 1
-          fi
+    - name: Check language autodetect for Swift
+      if: >-
+        env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true' || 
+            (runner.os != 'Windows' && matrix.version == 'nightly-latest')
+      shell: bash
+      run: |
+        SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
+        if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Swift, or created it in the wrong location."
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -7,100 +7,102 @@ name: 'PR Check - Packaging: Config and input passed to the CLI'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   packaging-codescanning-config-inputs-js:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: windows-latest
+          version: default
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: 'Packaging: Config and input passed to the CLI'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
-          packs: +codeql-testing/codeql-pack1@1.0.0
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging3.yml
+        packs: +codeql-testing/codeql-pack1@1.0.0
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
 
-      - name: Check results
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-          queries-not-run: foo,bar
+    - name: Check results
+      uses: ./../action/.github/actions/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: 
+          javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+        queries-not-run: foo,bar
 
-      - name: Assert Results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
     env:
+      CODEQL_PASS_CONFIG_TO_CLI: true
+
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__packaging-config-inputs-js.yml

@@ -7,100 +7,100 @@ name: 'PR Check - Packaging: Config and input'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   packaging-config-inputs-js:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: windows-latest
+          version: default
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: 'Packaging: Config and input'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
-          packs: +codeql-testing/codeql-pack1@1.0.0
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging3.yml
+        packs: +codeql-testing/codeql-pack1@1.0.0
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
 
-      - name: Check results
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-          queries-not-run: foo,bar
+    - name: Check results
+      uses: ./../action/.github/actions/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: 
+          javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+        queries-not-run: foo,bar
 
-      - name: Assert Results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__packaging-config-js.yml

@@ -7,99 +7,99 @@ name: 'PR Check - Packaging: Config file'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   packaging-config-js:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: windows-latest
+          version: default
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: 'Packaging: Config file'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging.yml
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging.yml
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
 
-      - name: Check results
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-          queries-not-run: foo,bar
+    - name: Check results
+      uses: ./../action/.github/actions/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: 
+          javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+        queries-not-run: foo,bar
 
-      - name: Assert Results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__packaging-inputs-js.yml

@@ -7,99 +7,99 @@ name: 'PR Check - Packaging: Action input'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   packaging-inputs-js:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: windows-latest
+          version: default
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: 'Packaging: Action input'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging2.yml
-          languages: javascript
-          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging2.yml
+        languages: javascript
+        packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
 
-      - name: Check results
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-          queries-not-run: foo,bar
+    - name: Check results
+      uses: ./../action/.github/actions/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: 
+          javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+        queries-not-run: foo,bar
 
-      - name: Assert Results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__quality-queries.yml

@@ -1,117 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Quality queries input
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  quality-queries:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Quality queries input
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          quality-queries: code-quality
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload security SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: quality-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Upload quality SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: quality-queries-${{ matrix.os }}-${{ matrix.version }}.quality.sarif.json
-          path: ${{ runner.temp }}/results/javascript.quality.sarif
-          retention-days: 7
-      - name: Check quality query does not appear in security SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-          EXPECT_PRESENT: 'false'
-        with:
-          script: ${{ env.CHECK_SCRIPT }}
-      - name: Check quality query appears in quality SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif
-          EXPECT_PRESENT: 'true'
-        with:
-          script: ${{ env.CHECK_SCRIPT }}
-    env:
-      CHECK_SCRIPT: |
-        const fs = require('fs');
-
-        const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-        const expectPresent = JSON.parse(process.env['EXPECT_PRESENT']);
-        const run = sarif.runs[0];
-        const extensions = run.tool.extensions;
-
-        if (extensions === undefined) {
-          core.setFailed('`extensions` property not found in the SARIF run property bag.');
-        }
-
-        // ID of a query we want to check the presence for
-        const targetId = 'js/regex/always-matches';
-        const found = extensions.find(extension => extension.rules && extension.rules.find(rule => rule.id === targetId));
-
-        if (found && expectPresent) {
-          console.log(`Found rule with id '${targetId}'.`);
-        } else if (!found && !expectPresent) {
-          console.log(`Rule with id '${targetId}' was not found.`);
-        } else {
-          core.setFailed(`${ found ? "Found" : "Didn't find" } rule ${targetId}`);
-        }
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__remote-config.yml

@@ -7,60 +7,104 @@ name: PR Check - Remote config file
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   remote-config:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: stable-20220908
+        - os: macos-latest
+          version: stable-20220908
+        - os: windows-latest
+          version: stable-20220908
+        - os: ubuntu-latest
+          version: stable-20221211
+        - os: macos-latest
+          version: stable-20221211
+        - os: windows-latest
+          version: stable-20221211
+        - os: ubuntu-latest
+          version: stable-20230418
+        - os: macos-latest
+          version: stable-20230418
+        - os: windows-latest
+          version: stable-20230418
+        - os: ubuntu-latest
+          version: stable-v2.13.5
+        - os: macos-latest
+          version: stable-v2.13.5
+        - os: windows-latest
+          version: stable-v2.13.5
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+        - os: macos-latest
+          version: stable-v2.14.6
+        - os: windows-latest
+          version: stable-v2.14.6
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: windows-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: Remote config file
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        languages: cpp,csharp,java,javascript,python
+        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+          github.sha }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__resolve-environment-action.yml

@@ -7,84 +7,97 @@ name: PR Check - Resolve environment
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   resolve-environment-action:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: stable-v2.13.4
+        - os: macos-latest
+          version: stable-v2.13.4
+        - os: windows-latest
+          version: stable-v2.13.4
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: windows-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: Resolve environment
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: go,javascript-typescript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        languages: ${{ matrix.version == 'stable-v2.13.4' && 'go' || 'go,javascript-typescript'
+          }}
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-      - name: Resolve environment for Go
-        uses: ./../action/resolve-environment
-        id: resolve-environment-go
-        with:
-          language: go
+    - name: Resolve environment for Go
+      uses: ./../action/resolve-environment
+      id: resolve-environment-go
+      with:
+        language: go
 
-      - name: Fail if Go configuration missing
-        if: (!fromJSON(steps.resolve-environment-go.outputs.environment).configuration.go)
-        run: exit 1
+    - name: Fail if Go configuration missing
+      if: (!fromJSON(steps.resolve-environment-go.outputs.environment).configuration.go)
+      run: exit 1
 
-      - name: Resolve environment for JavaScript/TypeScript
-        uses: ./../action/resolve-environment
-        id: resolve-environment-js
-        with:
-          language: javascript-typescript
+    - name: Resolve environment for JavaScript/TypeScript
+      if: matrix.version != 'stable-v2.13.4'
+      uses: ./../action/resolve-environment
+      id: resolve-environment-js
+      with:
+        language: javascript-typescript
 
-      - name: Fail if JavaScript/TypeScript configuration present
-        if:
-          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
-        run: exit 1
+    - name: Fail if JavaScript/TypeScript configuration present
+      if: matrix.version != 'stable-v2.13.4' && 
+        fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
+      run: exit 1
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__rubocop-multi-language.yml

@@ -7,63 +7,68 @@ name: PR Check - RuboCop multi-language
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   rubocop-multi-language:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: default
+        - os: ubuntu-latest
+          version: default
     name: RuboCop multi-language
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Set up Ruby
-        uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 # v1.245.0
-        with:
-          ruby-version: 2.6
-      - name: Install Code Scanning integration
-        shell: bash
-        run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
-      - name: Install dependencies
-        shell: bash
-        run: bundle install
-      - name: RuboCop run
-        shell: bash
-        run: |
-          bash -c "
-            bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
-            [[ $? -ne 2 ]]
-          "
-      - uses: ./../action/upload-sarif
-        with:
-          sarif_file: rubocop.sarif
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+    - name: Install Code Scanning integration
+      shell: bash
+      run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
+    - name: Install dependencies
+      shell: bash
+      run: bundle install
+    - name: RuboCop run
+      shell: bash
+      run: |
+        bash -c "
+          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+          [[ $? -ne 2 ]]
+        "
+    - uses: ./../action/upload-sarif
+      with:
+        sarif_file: rubocop.sarif
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__ruby.yml

@@ -7,69 +7,74 @@ name: PR Check - Ruby analysis
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   ruby:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
     name: Ruby analysis
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: ruby
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        shell: bash
-        run: |
-          RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
-          if [[ ! -d "$RUBY_DB" ]]; then
-            echo "Did not create a database for Ruby."
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        languages: ruby
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/analyze
+      id: analysis
+      with:
+        upload-database: false
+    - name: Check database
+      shell: bash
+      run: |
+        RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
+        if [[ ! -d "$RUBY_DB" ]]; then
+          echo "Did not create a database for Ruby."
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__rust.yml

@@ -1,71 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Rust analysis
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  rust:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Rust analysis
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: rust
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-        env:
-          CODEQL_ACTION_RUST_ANALYSIS: true
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        shell: bash
-        run: |
-          RUST_DB="${{ fromJson(steps.analysis.outputs.db-locations).rust }}"
-          if [[ ! -d "$RUST_DB" ]]; then
-            echo "Did not create a database for Rust."
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__scaling-reserved-ram.yml

@@ -0,0 +1,103 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Scaling reserved RAM
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+    - main
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  scaling-reserved-ram:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-20220908
+        - os: macos-latest
+          version: stable-20220908
+        - os: ubuntu-latest
+          version: stable-20221211
+        - os: macos-latest
+          version: stable-20221211
+        - os: ubuntu-latest
+          version: stable-20230418
+        - os: macos-latest
+          version: stable-20230418
+        - os: ubuntu-latest
+          version: stable-v2.13.5
+        - os: macos-latest
+          version: stable-v2.13.5
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+        - os: macos-latest
+          version: stable-v2.14.6
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+    name: Scaling reserved RAM
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      id: init
+      with:
+        db-location: ${{ runner.temp }}/customDbLocation
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+    - uses: ./../action/.github/actions/setup-swift
+      with:
+        codeql-path: ${{ steps.init.outputs.codeql-path }}
+
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+
+    - uses: ./../action/analyze
+      id: analysis
+      with:
+        upload-database: false
+    env:
+      CODEQL_ACTION_SCALING_RESERVED_RAM: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__split-workflow.yml

@@ -7,98 +7,98 @@ name: PR Check - Split workflow
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   split-workflow:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
     name: Split workflow
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
-          packs: +codeql-testing/codeql-pack1@1.0.0
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          skip-queries: true
-          output: ${{ runner.temp }}/results
-          upload-database: false
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging3.yml
+        packs: +codeql-testing/codeql-pack1@1.0.0
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        skip-queries: true
+        output: ${{ runner.temp }}/results
+        upload-database: false
 
-      - name: Assert No Results
-        shell: bash
-        run: |
-          if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
-            echo "Expected results directory to be empty after skipping query execution!"
-            exit 1
-          fi
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Assert Results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert No Results
+      shell: bash
+      run: |
+        if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
+          echo "Expected results directory to be empty after skipping query execution!"
+          exit 1
+        fi
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__start-proxy.yml

@@ -1,75 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Start proxy
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  start-proxy:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: Start proxy
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: csharp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Setup proxy for registries
-        id: proxy
-        uses: ./../action/start-proxy
-        with:
-          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json"
-            }]'
-
-      - name: Print proxy outputs
-        run: |
-          echo "${{ steps.proxy.outputs.proxy_host }}"
-          echo "${{ steps.proxy.outputs.proxy_port }}"
-          echo "${{ steps.proxy.outputs.proxy_urls }}"
-
-      - name: Fail if proxy outputs are not set
-        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port)
-          || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
-        run: exit 1
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__submit-sarif-failure.yml

@@ -7,67 +7,70 @@ name: PR Check - Submit SARIF after failure
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   submit-sarif-failure:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: ubuntu-latest
+          version: default
+        - os: ubuntu-latest
+          version: nightly-latest
     name: Submit SARIF after failure
     permissions:
       contents: read
-      security-events: write # needed to upload the SARIF file
-
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: actions/checkout@v4
-      - uses: ./init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Fail
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: actions/checkout@v4
+    - uses: ./init
+      with:
+        languages: javascript
+    - name: Fail
     # We want this job to pass if the Action correctly uploads the SARIF file for
     # the failed run.
     # Setting this step to continue on error means that it is marked as completing
     # successfully, so will not fail the job.
-        continue-on-error: true
-        run: exit 1
-      - uses: ./analyze
+      continue-on-error: true
+      run: exit 1
+    - uses: ./analyze
     # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
     # above, we manually disable it with an `if` condition.
-        if: false
-        with:
-          category: /test-codeql-version:${{ matrix.version }}
+      if: false
+      with:
+        category: /test-codeql-version:${{ matrix.version }}
     env:
   # Internal-only environment variable used to indicate that the post-init Action
   # should expect to upload a SARIF file for the failed run.

.github/workflows/__swift-autobuild.yml

@@ -1,75 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Swift analysis using autobuild
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  swift-autobuild:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: nightly-latest
-    name: Swift analysis using autobuild
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: swift
-          build-mode: autobuild
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/.github/actions/setup-swift
-        with:
-          codeql-path: ${{steps.init.outputs.codeql-path}}
-      - name: Check working directory
-        shell: bash
-        run: pwd
-      - uses: ./../action/autobuild
-        timeout-minutes: 30
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        shell: bash
-        run: |
-          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
-          if [[ ! -d "$SWIFT_DB" ]]; then
-            echo "Did not create a database for Swift."
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__swift-custom-build.yml

@@ -7,79 +7,85 @@ name: PR Check - Swift analysis using a custom build command
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   swift-custom-build:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: macos-latest
-            version: linked
-          - os: macos-latest
-            version: default
-          - os: macos-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
     name: Swift analysis using a custom build command
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: swift
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/.github/actions/setup-swift
-        with:
-          codeql-path: ${{steps.init.outputs.codeql-path}}
-      - name: Check working directory
-        shell: bash
-        run: pwd
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        shell: bash
-        run: |
-          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
-          if [[ ! -d "$SWIFT_DB" ]]; then
-            echo "Did not create a database for Swift."
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      id: init
+      with:
+        languages: swift
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/actions/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+    - name: Check working directory
+      shell: bash
+      run: pwd
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      id: analysis
+      with:
+        upload-database: false
+    - name: Check database
+      shell: bash
+      run: |
+        SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
+        if [[ ! -d "$SWIFT_DB" ]]; then
+          echo "Did not create a database for Swift."
+          exit 1
+        fi
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__test-autobuild-working-dir.yml

@@ -7,66 +7,73 @@ name: PR Check - Autobuild working directory
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   test-autobuild-working-dir:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
+        - os: ubuntu-latest
+          version: latest
     name: Autobuild working directory
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        shell: bash
-        run: |
-          # Make sure that Gradle build succeeds in autobuild-dir ...
-          cp -a ../action/tests/java-repo autobuild-dir
-          # ... and fails if attempted in the current directory
-          echo > build.gradle
-      - uses: ./../action/init
-        with:
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-      - uses: ./../action/analyze
-      - name: Check database
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d java ]]; then
-            echo "Did not find a Java database"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - name: Test setup
+      shell: bash
+      run: |
+        # Make sure that Gradle build succeeds in autobuild-dir ...
+        cp -a ../action/tests/java-repo autobuild-dir
+        # ... and fails if attempted in the current directory
+        echo > build.gradle
+    - uses: ./../action/init
+      with:
+        languages: java
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/autobuild
+      with:
+        working-directory: autobuild-dir
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
+    - name: Check database
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d java ]]; then
+          echo "Did not find a Java database"
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__test-local-codeql.yml

@@ -7,64 +7,67 @@ name: PR Check - Local CodeQL bundle
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   test-local-codeql:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: nightly-latest
     name: Local CodeQL bundle
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - name: Fetch a CodeQL bundle
-        shell: bash
-        env:
-          CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
-        run: |
-          wget "$CODEQL_URL"
-      - id: init
-        uses: ./../action/init
-        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ./codeql-bundle-linux64.tar.zst
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - name: Fetch a CodeQL bundle
+      shell: bash
+      env:
+        CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
+      run: |
+        wget "$CODEQL_URL"
+    - id: init
+      uses: ./../action/init
+      with:
+        tools: ./codeql-bundle-linux64.tar.gz
+    - uses: ./../action/.github/actions/setup-swift
+      with:
+        codeql-path: ${{ steps.init.outputs.codeql-path }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__test-proxy.yml

@@ -7,70 +7,64 @@ name: PR Check - Proxy test
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   test-proxy:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
     name: Proxy test
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-  # These steps are required to initialise the `gh` cli in a container that doesn't
-  # come pre-installed with it. The reason for that is that this is later
-  # needed by the `prepare-test` workflow to find the latest release of CodeQL.
-      - name: Set up GitHub CLI
-        run: |
-          apt update
-          apt install -y curl libreadline8 gnupg2 software-properties-common zstd
-          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-key add /usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-add-repository https://cli.github.com/packages
-          apt install -y gh
-        env: {}
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'false'
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
     env:
       https_proxy: http://squid-proxy:3128
       CODEQL_ACTION_TEST_MODE: true
     container:
       image: ubuntu:22.04
+      options: --dns 127.0.0.1
     services:
       squid-proxy:
         image: ubuntu/squid:latest
         ports:
-          - 3128:3128
+        - 3128:3128

.github/workflows/__unset-environment.yml

@@ -7,102 +7,118 @@ name: PR Check - Test unsetting environment variables
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   unset-environment:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: stable-20220908
+        - os: ubuntu-latest
+          version: stable-20221211
+        - os: ubuntu-latest
+          version: stable-20230418
+        - os: ubuntu-latest
+          version: stable-v2.13.5
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+        - os: ubuntu-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
     name: Test unsetting environment variables
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        id: init
-        with:
-          db-location: ${{ runner.temp }}/customDbLocation
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - shell: bash
-        run: |
-          CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
-          if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
-            echo "::error::Did not create a database for CPP, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/cpp' but actual was '${CPP_DB}'"
-            exit 1
-          fi
-          CSHARP_DB="${{ fromJson(steps.analysis.outputs.db-locations).csharp }}"
-          if [[ ! -d "$CSHARP_DB" ]] || [[ ! "$CSHARP_DB" == "${RUNNER_TEMP}/customDbLocation/csharp" ]]; then
-            echo "::error::Did not create a database for C Sharp, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/csharp' but actual was '${CSHARP_DB}'"
-            exit 1
-          fi
-          GO_DB="${{ fromJson(steps.analysis.outputs.db-locations).go }}"
-          if [[ ! -d "$GO_DB" ]] || [[ ! "$GO_DB" == "${RUNNER_TEMP}/customDbLocation/go" ]]; then
-            echo "::error::Did not create a database for Go, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/go' but actual was '${GO_DB}'"
-            exit 1
-          fi
-          JAVA_DB="${{ fromJson(steps.analysis.outputs.db-locations).java }}"
-          if [[ ! -d "$JAVA_DB" ]] || [[ ! "$JAVA_DB" == "${RUNNER_TEMP}/customDbLocation/java" ]]; then
-            echo "::error::Did not create a database for Java, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/java' but actual was '${JAVA_DB}'"
-            exit 1
-          fi
-          JAVASCRIPT_DB="${{ fromJson(steps.analysis.outputs.db-locations).javascript }}"
-          if [[ ! -d "$JAVASCRIPT_DB" ]] || [[ ! "$JAVASCRIPT_DB" == "${RUNNER_TEMP}/customDbLocation/javascript" ]]; then
-            echo "::error::Did not create a database for Javascript, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/javascript' but actual was '${JAVASCRIPT_DB}'"
-            exit 1
-          fi
-          PYTHON_DB="${{ fromJson(steps.analysis.outputs.db-locations).python }}"
-          if [[ ! -d "$PYTHON_DB" ]] || [[ ! "$PYTHON_DB" == "${RUNNER_TEMP}/customDbLocation/python" ]]; then
-            echo "::error::Did not create a database for Python, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/python' but actual was '${PYTHON_DB}'"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      id: init
+      with:
+        db-location: ${{ runner.temp }}/customDbLocation
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/actions/setup-swift
+      with:
+        codeql-path: ${{ steps.init.outputs.codeql-path }}
+    - name: Build code
+      shell: bash
+    # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+    # workaround for our PR checks.
+      run: env -i CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN=true PATH="$PATH" HOME="$HOME"
+        ./build.sh
+    - uses: ./../action/analyze
+      id: analysis
+      with:
+        upload-database: false
+    - shell: bash
+      run: |
+        CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
+        if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
+          echo "::error::Did not create a database for CPP, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/cpp' but actual was '${CPP_DB}'"
+          exit 1
+        fi
+        CSHARP_DB="${{ fromJson(steps.analysis.outputs.db-locations).csharp }}"
+        if [[ ! -d "$CSHARP_DB" ]] || [[ ! "$CSHARP_DB" == "${RUNNER_TEMP}/customDbLocation/csharp" ]]; then
+          echo "::error::Did not create a database for C Sharp, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/csharp' but actual was '${CSHARP_DB}'"
+          exit 1
+        fi
+        GO_DB="${{ fromJson(steps.analysis.outputs.db-locations).go }}"
+        if [[ ! -d "$GO_DB" ]] || [[ ! "$GO_DB" == "${RUNNER_TEMP}/customDbLocation/go" ]]; then
+          echo "::error::Did not create a database for Go, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/go' but actual was '${GO_DB}'"
+          exit 1
+        fi
+        JAVA_DB="${{ fromJson(steps.analysis.outputs.db-locations).java }}"
+        if [[ ! -d "$JAVA_DB" ]] || [[ ! "$JAVA_DB" == "${RUNNER_TEMP}/customDbLocation/java" ]]; then
+          echo "::error::Did not create a database for Java, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/java' but actual was '${JAVA_DB}'"
+          exit 1
+        fi
+        JAVASCRIPT_DB="${{ fromJson(steps.analysis.outputs.db-locations).javascript }}"
+        if [[ ! -d "$JAVASCRIPT_DB" ]] || [[ ! "$JAVASCRIPT_DB" == "${RUNNER_TEMP}/customDbLocation/javascript" ]]; then
+          echo "::error::Did not create a database for Javascript, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/javascript' but actual was '${JAVASCRIPT_DB}'"
+          exit 1
+        fi
+        PYTHON_DB="${{ fromJson(steps.analysis.outputs.db-locations).python }}"
+        if [[ ! -d "$PYTHON_DB" ]] || [[ ! "$PYTHON_DB" == "${RUNNER_TEMP}/customDbLocation/python" ]]; then
+          echo "::error::Did not create a database for Python, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/python' but actual was '${PYTHON_DB}'"
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__upload-quality-sarif.yml

@@ -1,78 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - Upload-sarif: code quality endpoint'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-quality-sarif:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-    name: 'Upload-sarif: code quality endpoint'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
-          quality-queries: code-quality
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
-      - uses: ./../action/analyze
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-          upload: never
-      - uses: ./../action/upload-sarif
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__upload-ref-sha-input.yml

@@ -7,71 +7,113 @@ name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   upload-ref-sha-input:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
+        - os: ubuntu-latest
+          version: stable-20220908
+        - os: macos-latest
+          version: stable-20220908
+        - os: windows-latest
+          version: stable-20220908
+        - os: ubuntu-latest
+          version: stable-20221211
+        - os: macos-latest
+          version: stable-20221211
+        - os: windows-latest
+          version: stable-20221211
+        - os: ubuntu-latest
+          version: stable-20230418
+        - os: macos-latest
+          version: stable-20230418
+        - os: windows-latest
+          version: stable-20230418
+        - os: ubuntu-latest
+          version: stable-v2.13.5
+        - os: macos-latest
+          version: stable-v2.13.5
+        - os: windows-latest
+          version: stable-v2.13.5
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+        - os: macos-latest
+          version: stable-v2.14.6
+        - os: windows-latest
+          version: stable-v2.14.6
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: windows-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: "Upload-sarif: 'ref' and 'sha' from inputs"
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
-      - uses: ./../action/analyze
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-          upload: never
-      - uses: ./../action/upload-sarif
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        languages: cpp,csharp,java,javascript,python
+        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+          github.sha }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
+        ref: refs/heads/main
+        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+        upload: never
+    - uses: ./../action/upload-sarif
+      with:
+        ref: refs/heads/main
+        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__with-checkout-path.yml

@@ -7,113 +7,157 @@ name: PR Check - Use a custom `checkout_path`
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   with-checkout-path:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
+        - os: ubuntu-latest
+          version: stable-20220908
+        - os: macos-latest
+          version: stable-20220908
+        - os: windows-latest
+          version: stable-20220908
+        - os: ubuntu-latest
+          version: stable-20221211
+        - os: macos-latest
+          version: stable-20221211
+        - os: windows-latest
+          version: stable-20221211
+        - os: ubuntu-latest
+          version: stable-20230418
+        - os: macos-latest
+          version: stable-20230418
+        - os: windows-latest
+          version: stable-20230418
+        - os: ubuntu-latest
+          version: stable-v2.13.5
+        - os: macos-latest
+          version: stable-v2.13.5
+        - os: windows-latest
+          version: stable-v2.13.5
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+        - os: macos-latest
+          version: stable-v2.14.6
+        - os: windows-latest
+          version: stable-v2.14.6
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: windows-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: Use a custom `checkout_path`
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-          cache: false
-      - name: Delete original checkout
-        shell: bash
-        run: |
-          # delete the original checkout so we don't accidentally use it.
-          # Actions does not support deleting the current working directory, so we
-          # delete the contents of the directory instead.
-          rm -rf ./* .github .git
-  # Check out the actions repo again, but at a different location.
-  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@v4
-        with:
-          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
-          path: x/y/z/some-path
-
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: actions/checkout@v4
+      with:
+        ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        path: x/y/z/some-path
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
       # it's enough to test one compiled language and one interpreted language
-          languages: csharp,javascript
-          source-root: x/y/z/some-path/tests/multi-language-repo
+        languages: csharp,javascript
+        source-path: x/y/z/some-path/tests/multi-language-repo
+        debug: true
+    - name: Build code (non-windows)
+      shell: bash
+      if: ${{ runner.os != 'Windows' }}
+      run: |
+        $CODEQL_RUNNER x/y/z/some-path/tests/multi-language-repo/build.sh
+    - name: Build code (windows)
+      shell: bash
+      if: ${{ runner.os == 'Windows' }}
+      run: |
+        x/y/z/some-path/tests/multi-language-repo/build.sh
+    - uses: ./../action/analyze
+      with:
+        checkout_path: x/y/z/some-path/tests/multi-language-repo
+        ref: v1.1.0
+        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        upload: never
+        upload-database: false
 
-      - name: Build code
-        shell: bash
-        working-directory: x/y/z/some-path/tests/multi-language-repo
-        run: |
-          ./build.sh
+    - uses: ./../action/upload-sarif
+      with:
+        ref: v1.1.0
+        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        checkout_path: x/y/z/some-path/tests/multi-language-repo
 
-      - uses: ./../action/analyze
-        with:
-          checkout_path: x/y/z/some-path/tests/multi-language-repo
-          ref: v1.1.0
-          sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+    - name: Verify SARIF after upload
+      shell: bash
+      run: |
+        EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
+        EXPECTED_REF="v1.1.0"
+        EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
 
-      - name: Verify SARIF after upload
-        shell: bash
-        run: |
-          EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
-          EXPECTED_REF="v1.1.0"
-          EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
+        ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
+        ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
+        ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
 
-          ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
-          ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
-          ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+        if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
+          echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi
 
-          if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
-            echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
-            echo "$RUNNER_TEMP/payload.json"
-            exit 1
-          fi
+        if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
+          echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi
 
-          if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
-            echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
-            echo "$RUNNER_TEMP/payload.json"
-            exit 1
-          fi
-
-          if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
-            echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
-            echo "$RUNNER_TEMP/payload.json"
-            exit 1
-          fi
+        if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
+          echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__zstd-bundle-streaming.yml

@@ -1,110 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Zstandard bundle (streaming)
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  zstd-bundle-streaming:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-    name: Zstandard bundle (streaming)
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            if (codeqlPath !== undefined) {
-              fs.rmdirSync(codeqlPath, { recursive: true });
-            }
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os }}-zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            if (!toolsUrl.endsWith('.tar.zst')) {
-              core.setFailed(
-                `Expected the tools URL to be a .tar.zst file, but found ${toolsUrl}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_ZSTD_BUNDLE: true
-      CODEQL_ACTION_ZSTD_BUNDLE_STREAMING_EXTRACTION: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__zstd-bundle.yml

@@ -1,113 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Zstandard bundle
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  zstd-bundle:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: Zstandard bundle
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            if (codeqlPath !== undefined) {
-              fs.rmdirSync(codeqlPath, { recursive: true });
-            }
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os }}-zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            const expectedExtension = process.env['RUNNER_OS'] === 'Windows' ? '.tar.gz' : '.tar.zst';
-
-            if (!toolsUrl.endsWith(expectedExtension)) {
-              core.setFailed(
-                `Expected the tools URL to be a ${expectedExtension} file, but found ${toolsUrl}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_ZSTD_BUNDLE: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/check-expected-release-files.yml

@@ -13,9 +13,6 @@ jobs:
   check-expected-release-files:
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout CodeQL Action
         uses: actions/checkout@v4

.github/workflows/codeql.yml

@@ -2,16 +2,15 @@ name: "CodeQL action"
 
 on:
   push:
-    branches: [main, releases/v*]
+    branches: [main, releases/v2]
   pull_request:
-    branches: [main, releases/v*]
+    branches: [main, releases/v2]
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
   schedule:
     # Weekly on Sunday.
     - cron: '30 1 * * 0'
-  workflow_dispatch:
 
 env:
   CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
@@ -24,7 +23,7 @@ jobs:
       versions: ${{ steps.compare.outputs.versions }}
 
     permissions:
-      contents: read
+      security-events: write
 
     steps:
     - uses: actions/checkout@v4
@@ -41,7 +40,7 @@ jobs:
       id: init-latest
       uses: ./init
       with:
-        tools: linked
+        tools: latest
         languages: javascript
     - name: Compare default and latest CodeQL bundle versions
       id: compare
@@ -54,33 +53,31 @@ jobs:
         echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
         echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
 
-        # If we're running on a pull request, run with both bundles, even if `tools: linked` would
+        # If we're running on a pull request, run with both bundles, even if `tools: latest` would
         # be the same as `tools: null`. This allows us to make the job for each of the bundles a
         # required status check.
         #
-        # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
+        # If we're running on push or schedule, then we can skip running with `tools: latest` when it would be
         # the same as running with `tools: null`.
         if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
           VERSIONS_JSON='[null]'
         else
-          VERSIONS_JSON='[null, "linked"]'
+          VERSIONS_JSON='[null, "latest"]'
         fi
 
         # Output a JSON-encoded list with the distinct versions to test against.
         echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
         echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT
 
-  analyze-javascript:
+  build:
     needs: [check-codeql-versions]
     strategy:
-      fail-fast: false
       matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
+        os: [ubuntu-20.04,ubuntu-22.04,windows-2019,windows-2022,macos-11,macos-12,macos-13]
         tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 
     permissions:
-      contents: read
       security-events: write
 
     steps:
@@ -98,29 +95,3 @@ jobs:
       run: ${{steps.init.outputs.codeql-path}} version --format=json
     - name: Perform CodeQL Analysis
       uses: ./analyze
-      with:
-        category: "/language:javascript"
-
-
-  analyze-actions:
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-
-    permissions:
-      contents: read
-      security-events: write
-
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - name: Initialize CodeQL
-      uses: ./init
-      with:
-        languages: actions
-        config-file: ./.github/codeql/codeql-actions-config.yml
-    - name: Perform CodeQL Analysis
-      uses: ./analyze
-      with:
-        category: "/language:actions"

.github/workflows/codescanning-config-cli.yml

@@ -3,42 +3,32 @@
 name: Code-Scanning config CLI tests
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  # Diff informed queries add an additional query filter which is not yet
-  # taken into account by these tests.
-  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
+  CODEQL_PASS_CONFIG_TO_CLI: true
 
 on:
   push:
     branches:
     - main
-    - releases/v*
+    - releases/v2
   pull_request:
     types:
     - opened
     - synchronize
     - reopened
     - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
   workflow_dispatch: {}
 
 jobs:
   code-scanning-config-tests:
     continue-on-error: true
 
-    permissions:
-      contents: read
-      packages: read
-      security-events: read
-
     strategy:
-      fail-fast: false
       matrix:
         include:
         - os: ubuntu-latest
-          version: linked
+          version: latest
         - os: macos-latest
-          version: linked
+          version: latest
         - os: ubuntu-latest
           version: default
         - os: macos-latest
@@ -214,3 +204,15 @@ jobs:
         packs: + codeql/javascript-queries
         config-file-test: .github/codeql/other-config-properties.yml
         tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+    - name: Config not generated when env var is not set
+      if: success() || failure()
+      env:
+        CODEQL_PASS_CONFIG_TO_CLI: false
+      uses: ./../action/.github/actions/check-codescanning-config
+      with:
+        expected-config-file-contents: ""
+        languages: javascript
+        packs: + codeql/javascript-queries
+        config-file-test: .github/codeql/other-config-properties.yml
+        tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/debug-artifacts-failure-safe.yml

@@ -1,102 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist
-# when the analyze step fails.
-name: PR Check - Debug artifacts after failure
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.20.3
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts after failure in analyze
-    continue-on-error: true
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    permissions:
-      contents: read
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Dump GitHub event
-        run: cat "${GITHUB_EVENT_PATH}"
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-        env:
-          # Forces a failure in this step.
-          CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
-        with:
-          expect-error: true
-  download-and-check-artifacts:
-    name: Download and check debug artifacts after failure in analyze
-    needs: upload-artifacts
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            echo "Artifacts from version $version:"
-            pushd "./my-debug-artifacts-${version//./}"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
-                echo "Missing a partial database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "log" ]] ; then
-                echo "Missing database initialization logs"
-                exit 1
-              fi
-              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto

.github/workflows/debug-artifacts-failure.yml

@@ -0,0 +1,93 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist
+# when the analyze step fails.
+name: PR Check - Debug artifacts after failure
+env:
+  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+  # workaround for our PR checks.
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    name: Upload debug artifacts after failure in analyze
+    continue-on-error: true
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Dump GitHub event
+        run: cat "${GITHUB_EVENT_PATH}"
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: latest
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ^1.13.1
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis  
+        with:
+          expect-error: true
+          ram: 1
+  download-and-check-artifacts:
+    name: Download and check debug artifacts after failure in analyze
+    needs: upload-artifacts
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v3
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          OPERATING_SYSTEMS="ubuntu-latest macos-latest"
+          LANGUAGES="cpp csharp go java javascript python"
+          for os in $OPERATING_SYSTEMS; do
+            pushd "./my-debug-artifacts-$os"
+            echo "Artifacts from run on $os:"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
+                echo "Missing a partial database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "log" ]] ; then
+                echo "Missing database initialization logs"
+                exit 1
+              fi
+              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
+            done
+            popd
+          done
+        env:
+          GO111MODULE: auto

.github/workflows/debug-artifacts-safe.yml

@@ -1,97 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist.
-name: PR Check - Debug artifact upload
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.20.3
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        id: init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
-          languages: cpp,csharp,go,java,javascript,python,ruby
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-  download-and-check-artifacts:
-    name: Download and check debug artifacts
-    needs: upload-artifacts
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          VERSIONS="stable-v2.20.3 default linked nightly-latest"
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            pushd "./my-debug-artifacts-${version//./}"
-            echo "Artifacts from version $version:"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "$language.sarif" ]] ; then
-                echo "Missing a SARIF file for $language"
-                exit 1
-              fi
-              if [[ ! -f "my-db-$language.zip" ]] ; then
-                echo "Missing a database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto

.github/workflows/debug-artifacts.yml

@@ -0,0 +1,103 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist.
+name: PR Check - Debug artifact upload
+env:
+  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+  # workaround for our PR checks.
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    strategy:
+      matrix:
+        os:
+        - ubuntu-latest
+        - macos-latest
+        version:
+        - stable-20220908
+        - stable-20221211
+        - stable-20230418
+        - stable-v2.13.5
+        - stable-v2.14.6
+        - default
+        - latest
+        - nightly-latest
+    name: Upload debug artifacts
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ^1.13.1
+      - uses: ./../action/init
+        id: init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+      - uses: ./../action/.github/actions/setup-swift
+        with:
+          codeql-path: ${{ steps.init.outputs.codeql-path }}
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis  
+  download-and-check-artifacts:
+    name: Download and check debug artifacts
+    needs: upload-artifacts
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v3
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          VERSIONS="stable-20220908 stable-20221211 stable-20230418 stable-v2.13.5 stable-v2.14.6 default latest nightly-latest"
+          LANGUAGES="cpp csharp go java javascript python"
+          for version in $VERSIONS; do
+            for os in ubuntu-latest macos-latest; do
+              pushd "./my-debug-artifacts-$os-${version//./}"
+              echo "Artifacts from version $version on $os:"
+              for language in $LANGUAGES; do
+                echo "- Checking $language"
+                if [[ ! -f "$language.sarif" ]] ; then
+                  echo "Missing a SARIF file for $language"
+                  exit 1
+                fi
+                if [[ ! -f "my-db-$language.zip" ]] ; then
+                  echo "Missing a database bundle for $language"
+                  exit 1
+                fi
+                if [[ ! -d "$language/log" ]] ; then
+                  echo "Missing logs for $language"
+                  exit 1
+                fi
+              done
+              popd
+            done
+          done
+        env:
+          GO111MODULE: auto

.github/workflows/expected-queries-runs.yml

@@ -4,15 +4,13 @@ on:
   push:
     branches:
     - main
-    - releases/v*
+    - releases/v2
   pull_request:
     types:
     - opened
     - synchronize
     - reopened
     - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
   workflow_dispatch: {}
 
 jobs:
@@ -22,9 +20,6 @@ jobs:
       CODEQL_ACTION_TEST_MODE: true
     timeout-minutes: 45
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      security-events: read
     steps:
     - name: Check out repository
       uses: actions/checkout@v4
@@ -32,7 +27,7 @@ jobs:
       id: prepare-test
       uses: ./.github/actions/prepare-test
       with:
-        version: linked
+        version: latest
     - uses: ./../action/init
       with:
         languages: javascript
@@ -40,6 +35,8 @@ jobs:
     - uses: ./../action/analyze
       with:
         output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: never
 
     - name: Check Sarif
       uses: ./../action/.github/actions/check-sarif

.github/workflows/post-release-mergeback.yml

@@ -1,9 +1,9 @@
-# This workflow runs after a merge to any release branch of the action. It:
-# 1. Tags the merge commit on the release branch that represents the new release with an `vN.x.y`
+# This workflow runs after a release of the action. It:
+# 1. Merges any changes from the release back into the main branch. Typically, this is just a single
+#    commit that updates the changelog.
+# 2. Tags the merge commit on the release branch that represents the new release with an `v2.x.y`
 #    tag
-# 2. Updates the `vN` tag to refer to this merge commit.
-# 3. Iff vN == vLatest, merges any changes from the release back into the main branch.
-#    Typically, this is two commits – one to update the version number and one to update dependencies.
+# 3. Updates the `v2` tag to refer to this merge commit.
 name: Tag release and merge back
 
 on:
@@ -16,21 +16,16 @@ on:
 
   push:
     branches:
-      - releases/v*
+      - releases/v2
 
 jobs:
   merge-back:
     runs-on: ubuntu-latest
-    environment: Automation
     if: github.repository == 'github/codeql-action'
     env:
       BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
       HEAD_BRANCH: "${{ github.head_ref || github.ref }}"
 
-    permissions:
-      contents: write # needed to create tags and push commits
-      pull-requests: write
-
     steps:
       - name: Dump environment
         run: env
@@ -41,9 +36,7 @@ jobs:
         run: echo "${GITHUB_CONTEXT}"
 
       - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v3
 
       - name: Update git config
         run: |
@@ -58,8 +51,6 @@ jobs:
           short_sha="${GITHUB_SHA:0:8}"
           NEW_BRANCH="mergeback/${VERSION}-to-${BASE_BRANCH}-${short_sha}"
           echo "newBranch=${NEW_BRANCH}" >> $GITHUB_OUTPUT
-          LATEST_RELEASE_BRANCH=$(git branch -r | grep -E "origin/releases/v[0-9]+$" | sed 's/origin\///g' | sort -V | tail -1 | xargs)
-          echo "latest_release_branch=${LATEST_RELEASE_BRANCH}" >> $GITHUB_OUTPUT
 
       - name: Dump branches
         env:
@@ -68,8 +59,6 @@ jobs:
           echo "BASE_BRANCH ${BASE_BRANCH}"
           echo "HEAD_BRANCH ${HEAD_BRANCH}"
           echo "NEW_BRANCH ${NEW_BRANCH}"
-          echo "LATEST_RELEASE_BRANCH ${LATEST_RELEASE_BRANCH}"
-          echo "GITHUB_REF ${GITHUB_REF}"
 
       - name: Create mergeback branch
         env:
@@ -100,6 +89,8 @@ jobs:
         env:
           VERSION: ${{ steps.getVersion.outputs.version }}
         run: |
+          # Unshallow the repo in order to allow pushes
+          git fetch --unshallow
           # Create the `vx.y.z` tag
           git tag --annotate "${VERSION}" --message "${VERSION}"
           # Update the `vx` tag
@@ -108,24 +99,13 @@ jobs:
           git tag --annotate "${major_version_tag}" --message "${major_version_tag}" --force
           # Push the tags, using:
           # - `--atomic` to make sure we either update both tags or neither (an intermediate state,
-          #   e.g. where we update the vN.x.y tag on the remote but not the vN tag, could result in
-          #   unwanted Dependabot updates, e.g. from vN to vN.x.y)
-          # - `--force` since we're overwriting the `vN` tag
+          #   e.g. where we update the v2.x.y tag on the remote but not the v2 tag, could result in
+          #   unwanted Dependabot updates, e.g. from v2 to v2.x.y)
+          # - `--force` since we're overwriting the `vx` tag
           git push origin --atomic --force refs/tags/"${VERSION}" refs/tags/"${major_version_tag}"
 
-      - name: Prepare partial Changelog
-        env:
-          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ steps.getVersion.outputs.version }}"
-        run: |
-          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG
-
-          echo "::group::Partial CHANGELOG"
-          cat $PARTIAL_CHANGELOG
-          echo "::endgroup::"
-
       - name: Create mergeback branch
-        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
+        if: steps.check.outputs.exists != 'true'
         env:
           VERSION: "${{ steps.getVersion.outputs.version }}"
           NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
@@ -149,8 +129,8 @@ jobs:
           # Update the version number ready for the next release
           npm version patch --no-git-tag-version
 
-          # Update the changelog, adding a new version heading directly above the most recent existing one
-          awk '!f && /##/{print "'"## [UNRELEASED]\n\nNo user facing changes.\n"'"; f=1}1' CHANGELOG.md > temp && mv temp CHANGELOG.md
+          # Update the changelog
+          perl -i -pe 's/^/## \[UNRELEASED\]\n\nNo user facing changes.\n\n/ if($.==5)' CHANGELOG.md
           git add .
           git commit -m "Update changelog and version after ${VERSION}"
 
@@ -166,23 +146,3 @@ jobs:
             --body "${pr_body}" \
             --assignee "${GITHUB_ACTOR}" \
             --draft
-
-      - name: Generate token
-        uses: actions/create-github-app-token@v2.0.6
-        id: app-token
-        with:
-          app-id: ${{ vars.AUTOMATION_APP_ID }}
-          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
-
-      - name: Create the GitHub release
-        env:
-          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ steps.getVersion.outputs.version }}"
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: |
-          # Do not mark this release as latest. The most recent CLI release must be marked as latest.
-          gh release create \
-            "$VERSION" \
-            --latest=false \
-            --title "$VERSION" \
-            --notes-file "$PARTIAL_CHANGELOG"

.github/workflows/pr-checks.yml

@@ -2,6 +2,7 @@ name: PR Checks
 
 on:
   push:
+    branches: [main, releases/v2]
   pull_request:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
@@ -13,35 +14,19 @@ jobs:
     name: Check JS
     runs-on: ubuntu-latest
     timeout-minutes: 45
-    permissions:
-      contents: read
-      security-events: write # needed to upload ESLint results
-
-    strategy:
-      fail-fast: false
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: Lint
-        id: lint
-        run: npm run-script lint-ci
-
-      - name: Upload sarif
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: eslint.sarif
-          category: eslint
+        run: npm run-script lint
 
       - name: Check generated JS
         run: .github/workflows/script/check-js.sh
 
   check-node-modules:
-    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
     name: Check modules up to date
-    permissions:
-      contents: read
     runs-on: macos-latest
     timeout-minutes: 45
 
@@ -51,10 +36,7 @@ jobs:
         run: .github/workflows/script/check-node-modules.sh
 
   check-file-contents:
-    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
     name: Check file contents
-    permissions:
-      contents: read
     runs-on: ubuntu-latest
     timeout-minutes: 45
 
@@ -63,7 +45,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v4
         with:
           python-version: 3.11
 
@@ -78,15 +60,11 @@ jobs:
         run: .github/workflows/script/verify-pr-checks.sh
 
   npm-test:
-    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
     name: Unit Test
     needs: [check-js, check-node-modules]
     strategy:
-      fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-    permissions:
-      contents: read
     runs-on: ${{ matrix.os }}
     timeout-minutes: 45
 
@@ -98,47 +76,3 @@ jobs:
           # we won't be able to find them on Windows.
           npm config set script-shell bash
           npm test
-
-  check-node-version:
-    if: github.event.pull_request
-    name: Check Action Node versions
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-    env:
-      BASE_REF: ${{ github.base_ref }}
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v4
-      - id: head-version
-        name: Verify all Actions use the same Node version
-        run: |
-          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
-          echo "NODE_VERSION: ${NODE_VERSION}"
-          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
-            echo "::error::More than one node version used in 'action.yml' files."
-            exit 1
-          fi
-          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
-
-      - id: checkout-base
-        name: 'Backport: Check out base ref'
-        if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ env.BASE_REF }}
-
-      - name: 'Backport: Verify Node versions unchanged'
-        if: steps.checkout-base.outcome == 'success'
-        env:
-          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
-        run: |
-          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
-          echo "HEAD_VERSION: ${HEAD_VERSION}"
-          echo "BASE_VERSION: ${BASE_VERSION}"
-          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
-            echo "::error::Cannot change the Node version of an Action in a backport PR."
-            exit 1
-          fi

.github/workflows/publish-immutable-action.yml

@@ -1,35 +0,0 @@
-name: 'Publish Immutable Action Version'
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-
-    steps:
-      - name: Check release name
-        id: check
-        env:
-          RELEASE_NAME: ${{ github.event.release.name }}
-        run: |
-          echo "Release name: ${{ github.event.release.name }}"
-          if [[ $RELEASE_NAME == v* ]]; then
-            echo "This is a CodeQL Action release. Create an Immutable Action"
-            echo "is-action-release=true" >> $GITHUB_OUTPUT
-          else
-            echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
-            echo "is-action-release=false" >> $GITHUB_OUTPUT
-          fi
-      - name: Checking out
-        if: steps.check.outputs.is-action-release == 'true'
-        uses: actions/checkout@v4
-      - name: Publish
-        if: steps.check.outputs.is-action-release == 'true'
-        id: publish
-        uses: actions/publish-immutable-action@v0.0.4

.github/workflows/python-deps.yml

@@ -0,0 +1,174 @@
+name: Test Python Package Installation
+
+on:
+  push:
+    branches: [main, releases/v2]
+  pull_request:
+    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
+    # by other workflows.
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths:
+      # Changes to this workflow.
+      - '.github/workflows/python-deps.yml'
+      # Changes to the Python package installation scripts and their tests.
+      - 'python-setup/**'
+      # Changes to the default CodeQL bundle version.
+      - '**/defaults.json'
+  schedule:
+    # Weekly on Monday.
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+
+jobs:
+  test-setup-python-scripts:
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    strategy:
+        fail-fast: false
+        matrix:
+          os: [ubuntu-20.04, ubuntu-22.04, macos-latest]
+          python_deps_type: [pipenv, poetry, requirements, setup_py]
+          python_version: [3]
+
+
+    env:
+      PYTHON_DEPS_TYPE: ${{ matrix.python_deps_type }}
+      PYTHON_VERSION: ${{ matrix.python_version }}
+
+    steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+    - uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: ./init
+      id: init
+      with:
+        tools: latest
+        languages: python
+        setup-python-dependencies: false
+
+    - name: Test Auto Package Installation
+      run: |
+        set -x
+        $GITHUB_WORKSPACE/python-setup/install_tools.sh
+
+        cd $GITHUB_WORKSPACE/python-setup/tests/${PYTHON_DEPS_TYPE}/requests-${PYTHON_VERSION}
+
+        case ${{ matrix.os }} in
+            ubuntu-20.04*)     basePath="/opt";;
+            ubuntu-22.04*)     basePath="/opt";;
+            macos-latest*)    basePath="/Users/runner";;
+        esac
+        echo ${basePath}
+
+        $GITHUB_WORKSPACE/python-setup/auto_install_packages.py "$(dirname ${{steps.init.outputs.codeql-path}})"
+    - name: Setup for extractor
+      run: |
+        echo $CODEQL_PYTHON
+        # only run if $CODEQL_PYTHON is set
+        if [ ! -z $CODEQL_PYTHON ]; then
+            $GITHUB_WORKSPACE/python-setup/tests/from_python_exe.py $CODEQL_PYTHON;
+        fi
+
+    - name: Verify packages installed
+      run: |
+        $GITHUB_WORKSPACE/python-setup/tests/check_requests.sh ${PYTHON_VERSION} 2.31.0
+
+  # This one shouldn't fail, but also won't install packages
+  test-setup-python-scripts-non-standard-location:
+    runs-on: ${{ matrix.os }}
+    strategy:
+        fail-fast: false
+        matrix:
+          os: [ubuntu-20.04, ubuntu-22.04, macos-latest]
+
+    steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+    - uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: ./init
+      id: init
+      with:
+        tools: latest
+        languages: python
+        setup-python-dependencies: false
+
+    - name: Test Auto Package Installation
+      run: |
+        set -x
+        $GITHUB_WORKSPACE/python-setup/install_tools.sh
+
+        cd $GITHUB_WORKSPACE/python-setup/tests/requirements/non-standard-location
+
+        case ${{ matrix.os }} in
+            ubuntu-20.04*)     basePath="/opt";;
+            ubuntu-22.04*)     basePath="/opt";;
+            macos-latest*)    basePath="/Users/runner";;
+        esac
+        echo ${basePath}
+
+        $GITHUB_WORKSPACE/python-setup/auto_install_packages.py "$(dirname ${{steps.init.outputs.codeql-path}})"
+
+    - name: Setup for extractor
+      run: |
+        echo $CODEQL_PYTHON
+        # only run if $CODEQL_PYTHON is set
+        if [ ! -z $CODEQL_PYTHON ]; then
+            $GITHUB_WORKSPACE/python-setup/tests/from_python_exe.py $CODEQL_PYTHON;
+        fi
+
+    - name: Verify packages installed
+      run: |
+        test -z $LGTM_INDEX_IMPORT_PATH
+
+  test-setup-python-scripts-windows:
+    runs-on: windows-latest
+    strategy:
+        fail-fast: false
+        matrix:
+          python_deps_type: [pipenv, poetry, requirements, setup_py]
+          python_version: [3]
+
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+      PYTHON_DEPS_TYPE: ${{ matrix.python_deps_type }}
+      PYTHON_VERSION: ${{ matrix.python_version }}
+
+    steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+    - uses: actions/checkout@v4
+
+    - uses: actions/setup-python@v4
+      with:
+        python-version: ${{ matrix.python_version }}
+
+    - name: Initialize CodeQL
+      id: init
+      uses: ./init
+      with:
+        tools: latest
+        languages: python
+        setup-python-dependencies: false
+
+    - name: Test Auto Package Installation
+      env:
+        CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
+      run: |
+        $cmd = $Env:GITHUB_WORKSPACE + "\\python-setup\\install_tools.ps1"
+        powershell -File $cmd
+
+        cd $Env:GITHUB_WORKSPACE\\python-setup/tests/$Env:PYTHON_DEPS_TYPE/requests-$Env:PYTHON_VERSION
+        $codeql_dist = (get-item $Env:CODEQL_PATH).Directory.FullName
+        py -3 $Env:GITHUB_WORKSPACE\\python-setup\\auto_install_packages.py $codeql_dist
+
+    - name: Setup for extractor
+      run: |
+        echo $Env:CODEQL_PYTHON
+
+        py -3 $Env:GITHUB_WORKSPACE\\python-setup\\tests\\from_python_exe.py $Env:CODEQL_PYTHON
+
+    - name: Verify packages installed
+      run: |
+        $cmd = $Env:GITHUB_WORKSPACE + "\\python-setup\\tests\\check_requests.ps1"
+        powershell -File $cmd $Env:PYTHON_VERSION 2.31.0

.github/workflows/python312-windows.yml

@@ -1,43 +0,0 @@
-name: Test that the workaround for python 3.12 on windows works
-
-on:
-  push:
-    branches: [main, releases/v*]
-  pull_request:
-    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
-    # by other workflows.
-    types: [opened, synchronize, reopened, ready_for_review]
-  schedule:
-    # Weekly on Monday.
-    - cron: '0 0 * * 1'
-  workflow_dispatch:
-
-jobs:
-  test-setup-python-scripts:
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: windows-latest
-
-    steps:
-    - uses: actions/setup-python@v5
-      with:
-        python-version: 3.12
-
-    - uses: actions/checkout@v4
-
-    - name: Prepare test
-      uses: ./.github/actions/prepare-test
-      with:
-        version: default
-
-    - name: Initialize CodeQL
-      uses: ./../action/init
-      with:
-        tools: linked
-        languages: python
-
-    - name: Analyze
-      uses: ./../action/analyze

.github/workflows/query-filters.yml

@@ -4,15 +4,13 @@ on:
   push:
     branches:
     - main
-    - releases/v*
+    - releases/v2
   pull_request:
     types:
     - opened
     - synchronize
     - reopened
     - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
   workflow_dispatch: {}
 
 jobs:
@@ -20,8 +18,6 @@ jobs:
     name: Query Filters Tests
     timeout-minutes: 45
     runs-on: ubuntu-latest
-    permissions:
-      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
     steps:
     - name: Check out repository
       uses: actions/checkout@v4
@@ -29,7 +25,7 @@ jobs:
       id: prepare-test
       uses: ./.github/actions/prepare-test
       with:
-        version: linked
+        version: latest
 
     - name: Check SARIF for default queries with Single include, Single exclude
       uses: ./../action/.github/actions/query-filter-test

.github/workflows/rebuild.yml

@@ -1,82 +0,0 @@
-name: Rebuild Action
-
-on:
-  pull_request:
-    types: [labeled]
-  workflow_dispatch:
-
-jobs:
-  rebuild:
-    name: Rebuild Action
-    runs-on: ubuntu-latest
-    if: github.event.label.name == 'Rebuild'
-
-    permissions:
-      contents: write # needed to push rebuilt commit
-      pull-requests: write # needed to comment on the PR
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.ref }}
-
-      - name: Remove label
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          gh pr edit --repo github/codeql-action "$PR_NUMBER" \
-            --remove-label "Rebuild"
-
-      - name: Merge in changes from base branch
-        env:
-          BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
-        run: |
-          git fetch origin "$BASE_BRANCH"
-
-          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected"
-
-          # Check for merge conflicts outside of `lib`. Disable git diff's trailing whitespace check
-          # since `node_modules/@types/semver/README.md` fails it.
-          if git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/'; then
-            echo "Merge conflicts detected outside of lib/ directory. Please resolve them manually."
-            git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/' || true
-            exit 1
-          fi
-
-      - name: Compile TypeScript
-        run: |
-          npm install
-          npm run lint -- --fix
-          npm run build
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.11
-
-      - name: Generate workflows
-        run: |
-          cd pr-checks
-          python -m pip install --upgrade pip
-          pip install ruamel.yaml==0.17.31
-          python3 sync.py
-
-      - name: Check for changes and push
-        env:
-          BRANCH: ${{ github.event.pull_request.head.ref }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          if [ ! -z "$(git status --porcelain)" ]; then
-            git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-            git config --global user.name "github-actions[bot]"
-            git add --all
-            git commit -m "Rebuild"
-            git push origin "HEAD:$BRANCH"
-            echo "Pushed a commit to rebuild the Action." \
-              "Please mark the PR as ready for review to trigger PR checks." |
-              gh pr comment --body-file - --repo github/codeql-action "$PR_NUMBER"
-            gh pr ready --undo --repo github/codeql-action "$PR_NUMBER"
-          fi

.github/workflows/script/check-js.sh

@@ -7,7 +7,7 @@ if [ ! -z "$(git status --porcelain)" ]; then
     >&2 echo "Failed: Repo should be clean before testing!"
     exit 1
 fi
-# Wipe the lib directory in case there are extra unnecessary files in there
+# Wipe the lib directory incase there are extra unnecessary files in there
 rm -rf lib
 # Generate the JavaScript files
 npm run-script build

.github/workflows/script/prepare_changelog.py

@@ -1,37 +0,0 @@
-import os
-import sys
-
-EMPTY_CHANGELOG = 'No changes.\n\n'
-
-# Prepare the changelog for the new release
-# This function will extract the part of the changelog that
-# we want to include in the new release.
-def extract_changelog_snippet(changelog_file, version_tag):
-  output = ''
-  if (not os.path.exists(changelog_file)):
-    output = EMPTY_CHANGELOG
-
-  else:
-    with open('CHANGELOG.md', 'r') as f:
-      lines = f.readlines()
-
-      # Include everything up to, but excluding the second heading
-      found_first_section = False
-      for i, line in enumerate(lines):
-        if line.startswith('## '):
-          if found_first_section:
-            break
-          found_first_section = True
-        output += line
-
-  output += f"See the full [CHANGELOG.md](https://github.com/github/codeql-action/blob/{version_tag}/CHANGELOG.md) for more information."
-
-  return output
-
-
-if len(sys.argv) < 3:
-  raise Exception('Expecting argument: changelog_file version_tag')
-changelog_file = sys.argv[1]
-version_tag = sys.argv[2]
-
-print(extract_changelog_snippet(changelog_file, version_tag))

.github/workflows/script/update-node-modules.sh

@@ -1,12 +1,9 @@
-#!/bin/bash
-set -eu
-
-if [ "$1" != "update" ] && [ "$1" != "check-only" ]; then
+if [ "$1" != "update" && "$1" != "check-only" ]; then
     >&2 echo "Failed: Invalid argument. Must be 'update' or 'check-only'"
     exit 1
 fi
 
-npm install --force -g npm@9.2.0
+sudo npm install --force -g npm@9.2.0
 
 # clean the npm cache to ensure we don't have any files owned by root
 sudo npm cache clean --force

.github/workflows/script/update-required-checks.sh

@@ -2,11 +2,6 @@
 # Update the required checks based on the current branch.
 # Typically, this will be main.
 
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-REPO_DIR="$(dirname "$SCRIPT_DIR")"
-GRANDPARENT_DIR="$(dirname "$REPO_DIR")"
-source "$GRANDPARENT_DIR/releases.ini"
-
 if ! gh auth status 2>/dev/null; then
   gh auth status
   echo "Failed: Not authorized. This script requires admin access to github/codeql-action through the gh CLI."
@@ -27,29 +22,14 @@ fi
 
 echo "Getting checks for $GITHUB_SHA"
 
-# Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
+# Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or . == "check-expected-release-files" or contains("Update") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
 
 echo "$CHECKS" | jq
 
 echo "{\"contexts\": ${CHECKS}}" > checks.json
 
-echo "Updating main"
-gh api --silent -X "PATCH" "repos/github/codeql-action/branches/main/protection/required_status_checks" --input checks.json
-
-# list all branchs on origin remote matching releases/v*
-BRANCHES="$(git ls-remote --heads origin 'releases/v*' | sed 's?.*refs/heads/??' | sort -V)"
-
-for BRANCH in $BRANCHES; do
-
-  # strip exact 'releases/v' prefix from $BRANCH using count of characters
-  VERSION="${BRANCH:10}"
-
-  if [ "$VERSION" -lt "$OLDEST_SUPPORTED_MAJOR_VERSION" ]; then
-    echo "Skipping $BRANCH"
-    continue
-  fi
-
+for BRANCH in main releases/v2; do
   echo "Updating $BRANCH"
   gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
 done

.github/workflows/test-codeql-bundle-all.yml

@@ -2,24 +2,24 @@ name: 'PR Check - CodeQL Bundle All'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
+  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+  # workaround for our PR checks.
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
     - main
-    - releases/v*
+    - releases/v2
   pull_request:
     types:
     - opened
     - synchronize
     - reopened
     - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   test-codeql-bundle-all:
     strategy:
-      fail-fast: false
       matrix:
         include:
         - os: ubuntu-latest
@@ -27,7 +27,7 @@ jobs:
     name: 'CodeQL Bundle All'
     permissions:
       contents: read
-      security-events: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -42,12 +42,15 @@ jobs:
     - id: init
       uses: ./../action/init
       with:
-        # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
-        languages: cpp,csharp,go,java,javascript,python,ruby 
         tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/actions/setup-swift
+      with:
+        codeql-path: ${{ steps.init.outputs.codeql-path }}
     - name: Build code
       shell: bash
       run: ./build.sh
     - uses: ./../action/analyze
+      with:
+        upload-database: false
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/update-bundle.yml

@@ -17,9 +17,6 @@ jobs:
   update-bundle:
     if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
     runs-on: ubuntu-latest
-    permissions:
-      contents: write # needed to push commits
-      pull-requests: write # needed to create pull requests
     steps:
       - name: Dump environment
         run: env
@@ -57,7 +54,7 @@ jobs:
           cli_version=$(jq -r '.cliVersion' src/defaults.json)
           pr_url=$(gh pr create \
             --title "Update default bundle to $cli_version" \
-            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
+            --body "This pull request updates the default CodeQL bundle, as used with \`tools: latest\` and on GHES, to $cli_version." \
             --assignee "$GITHUB_ACTOR" \
             --draft \
           )

.github/workflows/update-dependencies.yml

@@ -9,9 +9,6 @@ jobs:
     timeout-minutes: 45
     runs-on: macos-latest
     if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
-    permissions:
-      contents: write # needed to push the updated dependencies
-      pull-requests: write # needed to comment on the PR
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4

.github/workflows/update-proxy-release.yml

@@ -1,101 +0,0 @@
-name: Update dependency proxy release assets
-on:
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "The tag of CodeQL Bundle release that contains the proxy binaries as release assets"
-        type: string
-        required: true
-
-jobs:
-  update:
-    name: Update code and create PR
-    timeout-minutes: 15
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write # needed to push the updated files
-      pull-requests: write # needed to create the PR
-    env:
-      RELEASE_TAG: ${{ inputs.tag }}
-    steps:
-      - name: Check release tag format
-        id: checks
-        shell: bash
-        run: |
-          if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format."
-            exit 1
-          fi
-
-          echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT
-
-      - name: Check that the release exists
-        shell: bash
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-        run: |
-          (gh release view --repo "$GITHUB_REPOSITORY" --json "assets" "$RELEASE_TAG" && echo "Release found.") || exit 1
-
-      - name: Install Node
-        uses: actions/setup-node@v4
-
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # ensure we have all tags and can push commits
-          ref: main
-
-      - name: Update git config
-        shell: bash
-        run: |
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
-
-      - name: Update release tag and version
-        shell: bash
-        run: |
-          NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
-          sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts
-          sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts
-
-      - name: Compile TypeScript and commit changes
-        shell: bash
-        env:
-          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
-        run: |
-          set -exu
-          git checkout -b "$TARGET_BRANCH"
-
-          npm run build
-          git add ./src/start-proxy-action.ts
-          git add ./lib
-          git commit -m "Update release used by \`start-proxy\` action"
-
-      - name: Push changes and open PR
-        shell: bash
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
-          PR_FLAG: ${{ (github.event_name == 'workflow_dispatch' && '--draft') || '--dry-run' }}
-        run: |
-          set -exu
-          pr_title="Update release used by \`start-proxy\` to \`$RELEASE_TAG\`"
-          pr_body=$(cat << EOF
-            This PR updates the \`start-proxy\` action to use the private registry proxy binaries that
-            are attached as release assets to the \`$RELEASE_TAG\` release.
-
-
-            Please do the following before merging:
-
-            - [ ] Verify that the changes to the code are correct.
-            - [ ] Mark the PR as ready for review to trigger the CI.
-          EOF
-          )
-
-          git push origin "$TARGET_BRANCH"
-          gh pr create \
-            --head "$TARGET_BRANCH" \
-            --base "main" \
-            --title "${pr_title}" \
-            --body "${pr_body}" \
-            $PR_FLAG

.github/workflows/update-release-branch.yml

@@ -1,149 +1,46 @@
 name: Update release branch
 on:
   # You can trigger this workflow via workflow dispatch to start a release.
-  # This will open a PR to update the latest release branch.
+  # This will open a PR to update the v2 release branch.
   workflow_dispatch:
 
-  # When a release is complete this workflow will open up backport PRs to older release branches.
-  # NB while it will trigger on any release branch update, the backport job will not proceed for
-  # anything other than than releases/v{latest}
-  push:
-    branches:
-      - releases/*
-
 jobs:
-
-  prepare:
-    runs-on: ubuntu-latest
-    if: github.repository == 'github/codeql-action'
-    outputs:
-      version: ${{ steps.versions.outputs.version }}
-      major_version: ${{ steps.versions.outputs.major_version }}
-      latest_tag: ${{ steps.versions.outputs.latest_tag }}
-      backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
-      backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
-    permissions:
-      contents: read
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: 0  # Need full history for calculation of diffs
-    - uses: ./.github/actions/release-initialise
-
-    - name: Get version tags
-      id: versions
-      run: |
-        VERSION="v$(jq '.version' -r 'package.json')"
-        echo "version=${VERSION}" >> $GITHUB_OUTPUT
-        MAJOR_VERSION=$(cut -d '.' -f1 <<< "${VERSION}")
-        echo "major_version=${MAJOR_VERSION}" >> $GITHUB_OUTPUT
-        LATEST_TAG=$(git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+' | head -1)
-        echo "latest_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
-
-    - id: branches
-      name: Determine older release branches
-      uses: ./.github/actions/release-branches
-      with:
-        major_version: ${{ steps.versions.outputs.major_version }}
-        latest_tag: ${{ steps.versions.outputs.latest_tag }}
-
-    - name: debug logging
-      run: |
-        echo 'version: ${{ steps.versions.outputs.version }}'
-        echo 'major_version: ${{ steps.versions.outputs.major_version }}'
-        echo 'latest_tag: ${{ steps.versions.outputs.latest_tag }}'
-        echo 'backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}'
-        echo 'backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}'
-
   update:
     timeout-minutes: 45
     runs-on: ubuntu-latest
-    if: github.event_name == 'workflow_dispatch'
-    needs: [prepare]
-    env:
-      REF_NAME: "${{ github.ref_name }}"
-      REPOSITORY: "${{ github.repository }}"
-      MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
-      LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
-    permissions:
-      contents: write # needed to push commits
-      pull-requests: write # needed to create pull request
+    if: github.repository == 'github/codeql-action'
     steps:
+    - name: Dump environment
+      run: env
+
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: '${{ toJson(github) }}'
+      run: echo "$GITHUB_CONTEXT"
+
     - uses: actions/checkout@v4
       with:
-        fetch-depth: 0  # Need full history for calculation of diffs
-    - uses: ./.github/actions/release-initialise
+        # Need full history so we calculate diffs
+        fetch-depth: 0
 
-    # when the workflow has been manually triggered on main,
-    # we know that we definitely want the release branch to exist
-    - name: Ensure release branch exists
-      run: |
-        echo "MAJOR_VERSION ${MAJOR_VERSION}"
-        RELEASE_BRANCH=releases/${MAJOR_VERSION}
-        if git checkout $RELEASE_BRANCH > /dev/null 2>&1; then
-            echo "Branch $RELEASE_BRANCH already exists"
-            echo ""
-        else
-            echo "Creating $RELEASE_BRANCH branch"
-            git checkout -b ${RELEASE_BRANCH} ${LATEST_TAG}
-            git push --set-upstream origin ${RELEASE_BRANCH}
-            git branch --show-current
-            echo ""
-        fi
-        echo "Returning to branch: ${REF_NAME}"
-        git checkout ${REF_NAME}
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: 3.8
 
-    - name: Update current release branch
-      if: github.event_name == 'workflow_dispatch'
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install PyGithub==1.55 requests
+
+    - name: Update git config
+      run: |
+        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+        git config --global user.name "github-actions[bot]"
+
+    - name: Update release branch
       run: |
-        echo SOURCE_BRANCH=${REF_NAME}
-        echo TARGET_BRANCH=releases/${MAJOR_VERSION}
         python .github/update-release-branch.py \
           --github-token ${{ secrets.GITHUB_TOKEN }} \
           --repository-nwo ${{ github.repository }} \
-          --source-branch '${{ env.REF_NAME }}' \
-          --target-branch 'releases/${{ env.MAJOR_VERSION }}' \
-          --is-primary-release \
-          --conductor ${GITHUB_ACTOR}
-
-  backport:
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    environment: Automation
-    needs: [prepare]
-    if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
-    strategy:
-      fail-fast: false
-      matrix:
-        target_branch: ${{ fromJson(needs.prepare.outputs.backport_target_branches) }}
-    env:
-      SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
-      TARGET_BRANCH: ${{ matrix.target_branch }}
-    permissions:
-      contents: write # needed to push commits
-      pull-requests: write # needed to create pull request
-    steps:
-    - name: Generate token
-      uses: actions/create-github-app-token@v2.0.6
-      id: app-token
-      with:
-        app-id: ${{ vars.AUTOMATION_APP_ID }}
-        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
-
-    - name: Checkout
-      uses: actions/checkout@v4
-      with:
-        fetch-depth: 0  # Need full history for calculation of diffs
-        token: ${{ steps.app-token.outputs.token }}
-    - uses: ./.github/actions/release-initialise
-
-    - name: Update older release branch
-      run: |
-        echo SOURCE_BRANCH=${SOURCE_BRANCH}
-        echo TARGET_BRANCH=${TARGET_BRANCH}
-        python .github/update-release-branch.py \
-          --github-token ${{ secrets.GITHUB_TOKEN }} \
-          --repository-nwo ${{ github.repository }} \
-          --source-branch ${SOURCE_BRANCH} \
-          --target-branch ${TARGET_BRANCH} \
           --conductor ${GITHUB_ACTOR}

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -10,23 +10,20 @@ jobs:
     name: Update Supported Enterprise Server Versions
     timeout-minutes: 45
     runs-on: ubuntu-latest
-    if: github.repository == 'github/codeql-action'
-    permissions:
-      contents: write # needed to push commits
-      pull-requests: write # needed to create pull request
+    if: ${{ github.repository == 'github/codeql-action' }}
 
     steps:
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v4
         with:
-          python-version: "3.13"
+          python-version: "3.7"
       - name: Checkout CodeQL Action
         uses: actions/checkout@v4
       - name: Checkout Enterprise Releases
         uses: actions/checkout@v4
         with:
           repository: github/enterprise-releases
-          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
+          ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}
           path: ${{ github.workspace }}/enterprise-releases/
       - name: Update Supported Enterprise Server Versions
         run: |
@@ -57,8 +54,7 @@ jobs:
             git push origin update-supported-enterprise-server-versions
 
             body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
-            body+="version is about to be feature frozen, or because an old release has been deprecated."
-            body+=$'\n\n'
+            body+="version is about to be feature frozen, or because an old release has been deprecated.\n\n"
             body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
             body+="deprecate the corresponding version of CodeQL."
 

.gitignore

@@ -1,11 +1,2 @@
 # Ignore for example failing-tests.json from AVA
-node_modules/.cache/
-# Java build files
-.gradle/
-*.class
-# macOS
-.DS_Store
-# eslint sarif report
-eslint.sarif
-# for local incremental compilation
-tsconfig.tsbuildinfo
+node_modules/.cache

.pre-commit-config.yaml

@@ -1,20 +0,0 @@
-repos:
-  - repo: local
-    hooks:
-      - id: lint-ts
-        name: Lint typescript code
-        files: \.ts$
-        language: system
-        entry: npm run lint -- --fix
-      - id: compile-ts
-        name: Compile typescript
-        files: \.[tj]s$
-        language: system
-        entry: npm run build
-        pass_filenames: false
-      - id: pr-checks-sync
-        name: Synchronize PR check workflows
-        files: ^.github/workflows/__.*\.yml$|^pr-checks
-        language: system
-        entry: pr-checks/sync.sh
-        pass_filenames: false

.vscode/settings.json

@@ -12,8 +12,5 @@
   "git.ignoreLimitWarning": true,
   // Use the vendored TypeScript version to have a consistent development experience across
   // machines.
-  "typescript.tsdk": "node_modules/typescript/lib",
-  "[typescript]": {
-    "editor.defaultFormatter": "esbenp.prettier-vscode"
-  },
+  "typescript.tsdk": "node_modules/typescript/lib"
 }