Update changelog and version after v3.30.4

Update default bundle to 2.23.1

.github/actions/check-codescanning-config/index.ts

@@ -6,6 +6,16 @@ import * as assert from 'assert'
 
 const actualConfig = loadActualConfig()
 
+function sortConfigArrays(config) {
+  for (const key of Object.keys(config)) {
+    const value = config[key];
+    if (key === 'queries' && Array.isArray(value)) {
+      config[key] = value.sort();
+    }
+  }
+  return config;
+}
+
 const rawExpectedConfig = process.argv[3].trim()
 if (!rawExpectedConfig) {
   core.setFailed('No expected configuration provided')
@@ -18,8 +28,8 @@ if (!rawExpectedConfig) {
 const expectedConfig = rawExpectedConfig ? JSON.parse(rawExpectedConfig) : undefined;
 
 assert.deepStrictEqual(
-  actualConfig,
-  expectedConfig,
+  sortConfigArrays(actualConfig),
+  sortConfigArrays(expectedConfig),
   'Expected configuration does not match actual configuration'
 );
 

.github/actions/prepare-test/action.yml

@@ -2,7 +2,7 @@ name: "Prepare test"
 description: Performs some preparation to run tests
 inputs:
   version:
-    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
+    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
     required: true
   use-all-platform-bundle:
     description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
@@ -35,7 +35,10 @@ runs:
       run: |
         set -e # Fail this Action if `gh release list` fails.
 
-        if [[ "$VERSION" == "linked" ]]; then
+        if [[ "$VERSION" == "nightly" || "$VERSION" == "nightly-latest" ]]; then
+          echo "tools-url=nightly" >> "$GITHUB_OUTPUT"
+          exit 0
+        elif [[ "$VERSION" == "linked" ]]; then
           echo "tools-url=linked" >> "$GITHUB_OUTPUT"
           exit 0
         elif [[ "$VERSION" == "default" ]]; then
@@ -43,29 +46,20 @@ runs:
           exit 0
         fi
 
-        if [[ "$VERSION" == "nightly-latest" && "$RUNNER_OS" != "Windows" ]]; then
-          extension="tar.zst"
-        else
-          extension="tar.gz"
-        fi
-
         if [[ "$USE_ALL_PLATFORM_BUNDLE" == "true" ]]; then
-          artifact_name="codeql-bundle.$extension"
+          artifact_name="codeql-bundle.tar.gz"
         elif [[ "$RUNNER_OS" == "Linux" ]]; then
-          artifact_name="codeql-bundle-linux64.$extension"
+          artifact_name="codeql-bundle-linux64.tar.gz"
         elif [[ "$RUNNER_OS" == "macOS" ]]; then
-          artifact_name="codeql-bundle-osx64.$extension"
+          artifact_name="codeql-bundle-osx64.tar.gz"
         elif [[ "$RUNNER_OS" == "Windows" ]]; then
-          artifact_name="codeql-bundle-win64.$extension"
+          artifact_name="codeql-bundle-win64.tar.gz"
         else
           echo "::error::Unrecognized OS $RUNNER_OS"
           exit 1
         fi
 
-        if [[ "$VERSION" == "nightly-latest" ]]; then
-          tag=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
-          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ "$VERSION" == *"nightly"* ]]; then
+        if [[ "$VERSION" == *"nightly"* ]]; then
           version=`echo "$VERSION" | sed -e 's/^.*\-//'`
           echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
         elif [[ "$VERSION" == *"stable"* ]]; then

.github/codeql/codeql-actions-config.yml

@@ -1,4 +0,0 @@
-# Configuration for the CodeQL Actions Queries
-name: "CodeQL Actions Queries config"
-queries:
-  - uses: security-and-quality

.github/codeql/codeql-config-javascript.yml

@@ -7,9 +7,9 @@ queries:
   # we include both even though one is a superset of the
   # other, because we're testing the parsing logic and
   # that the suites exist in the codeql bundle.
+  - uses: security-and-quality
   - uses: security-experimental
   - uses: security-extended
-  - uses: security-and-quality
 paths-ignore:
-  - tests
   - lib
+  - tests

.github/pull_request_template.md

@@ -1,4 +1,4 @@
-
+<!-- For GitHub staff: Remember that this is a public repository. -->
 
 ### Risk assessment
 

.github/workflows/__all-platform-bundle.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   all-platform-bundle:
     strategy:
@@ -59,7 +65,7 @@ jobs:
           use-all-platform-bundle: 'true'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -70,7 +76,6 @@ jobs:
           languages: cpp,csharp,go,java,javascript,python,ruby
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
     env:

.github/workflows/__analyze-ref-input.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   analyze-ref-input:
     strategy:
@@ -63,7 +69,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -74,7 +80,6 @@ jobs:
           config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
             github.sha }}
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:

.github/workflows/__autobuild-action.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   autobuild-action:
     strategy:
@@ -67,7 +73,6 @@ jobs:
           CORECLR_PROFILER_PATH_64: ''
       - uses: ./../action/analyze
       - name: Check database
-        shell: bash
         run: |
           cd "$RUNNER_TEMP/codeql_databases"
           if [[ ! -d csharp ]]; then

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Java to install
         required: false
         default: '17'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   autobuild-direct-tracing-with-working-dir:
     strategy:
@@ -70,7 +76,6 @@ jobs:
           java-version: ${{ inputs.java-version || '17' }}
           distribution: temurin
       - name: Test setup
-        shell: bash
         run: |
           # Make sure that Gradle build succeeds in autobuild-dir ...
           cp -a ../action/tests/java-repo autobuild-dir
@@ -82,7 +87,6 @@ jobs:
           languages: java
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Check that indirect tracing is disabled
-        shell: bash
         run: |
           if [[ ! -z "${CODEQL_RUNNER}" ]]; then
             echo "Expected indirect tracing to be disabled, but the" \

.github/workflows/__autobuild-direct-tracing.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Java to install
         required: false
         default: '17'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   autobuild-direct-tracing:
     strategy:
@@ -70,7 +76,6 @@ jobs:
           java-version: ${{ inputs.java-version || '17' }}
           distribution: temurin
       - name: Set up Java test repo configuration
-        shell: bash
         run: |
           mv * .github ../action/tests/multi-language-repo/
           mv ../action/tests/multi-language-repo/.github/workflows .github
@@ -85,7 +90,6 @@ jobs:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
       - name: Check that indirect tracing is disabled
-        shell: bash
         run: |
           if [[ ! -z "${CODEQL_RUNNER}" ]]; then
             echo "Expected indirect tracing to be disabled, but the" \

.github/workflows/__build-mode-autobuild.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   build-mode-autobuild:
     strategy:

.github/workflows/__build-mode-manual.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   build-mode-manual:
     strategy:
@@ -59,7 +65,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -81,7 +87,6 @@ jobs:
           fi
 
       - name: Build code
-        shell: bash
         run: ./build.sh
 
       - uses: ./../action/analyze

.github/workflows/__build-mode-none.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   build-mode-none:
     strategy:

.github/workflows/__build-mode-rollback.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   build-mode-rollback:
     strategy:

.github/workflows/__bundle-toolcache.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   bundle-toolcache:
     strategy:
@@ -53,7 +59,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const fs = require('fs');
@@ -63,7 +69,7 @@ jobs:
       - name: Install @actions/tool-cache
         run: npm install @actions/tool-cache
       - name: Check toolcache does not contain CodeQL
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const toolcache = require('@actions/tool-cache');
@@ -82,7 +88,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const toolcache = require('@actions/tool-cache');

.github/workflows/__bundle-zstd.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   bundle-zstd:
     strategy:
@@ -53,7 +59,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const fs = require('fs');
@@ -78,7 +84,7 @@ jobs:
           path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
       - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         env:
           SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
         with:

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   cleanup-db-cluster-dir:
     strategy:

.github/workflows/__config-export.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   config-export:
     strategy:
@@ -74,7 +80,7 @@ jobs:
           path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
       - name: Check config properties appear in SARIF
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         env:
           SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
         with:

.github/workflows/__config-input.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   config-input:
     strategy:
@@ -42,7 +48,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__cpp-deptrace-disabled.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   cpp-deptrace-disabled:
     strategy:
@@ -53,7 +59,6 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Test setup
-        shell: bash
         run: |
           cp -a ../action/tests/cpp-autobuild autobuild-dir
       - uses: ./../action/init
@@ -65,8 +70,7 @@ jobs:
           working-directory: autobuild-dir
         env:
           CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
-      - shell: bash
-        run: |
+      - run: |
           if ls /usr/bin/errno; then
             echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
             exit 1

.github/workflows/__cpp-deptrace-enabled-on-macos.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   cpp-deptrace-enabled-on-macos:
     strategy:
@@ -51,7 +57,6 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Test setup
-        shell: bash
         run: |
           cp -a ../action/tests/cpp-autobuild autobuild-dir
       - uses: ./../action/init
@@ -63,8 +68,7 @@ jobs:
           working-directory: autobuild-dir
         env:
           CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - shell: bash
-        run: |
+      - run: |
           if ! ls /usr/bin/errno; then
             echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
           else

.github/workflows/__cpp-deptrace-enabled.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   cpp-deptrace-enabled:
     strategy:
@@ -53,7 +59,6 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Test setup
-        shell: bash
         run: |
           cp -a ../action/tests/cpp-autobuild autobuild-dir
       - uses: ./../action/init
@@ -65,8 +70,7 @@ jobs:
           working-directory: autobuild-dir
         env:
           CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - shell: bash
-        run: |
+      - run: |
           if ! ls /usr/bin/errno; then
             echo "Did not autoinstall errno"
             exit 1

.github/workflows/__diagnostics-export.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   diagnostics-export:
     strategy:
@@ -64,7 +70,6 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Add test diagnostics
-        shell: bash
         env:
           CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
         run: |
@@ -86,7 +91,7 @@ jobs:
           path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
       - name: Check diagnostics appear in SARIF
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         env:
           SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
         with:

.github/workflows/__export-file-baseline-information.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   export-file-baseline-information:
     strategy:
@@ -63,7 +69,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -73,7 +79,6 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:
@@ -85,7 +90,6 @@ jobs:
           path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
       - name: Check results
-        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           expected_baseline_languages="c csharp go java kotlin javascript python ruby"

.github/workflows/__extractor-ram-threads.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   extractor-ram-threads:
     strategy:
@@ -54,7 +60,6 @@ jobs:
           ram: 230
           threads: 1
       - name: Assert Results
-        shell: bash
         run: |
           if [ "${CODEQL_RAM}" != "230" ]; then
             echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"

.github/workflows/__go-custom-queries.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-custom-queries:
     strategy:
@@ -61,7 +67,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -71,7 +77,6 @@ jobs:
           config-file: ./.github/codeql/custom-queries.yml
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
     env:

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-indirect-tracing-workaround-diagnostic:
     strategy:
@@ -59,7 +65,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -68,18 +74,17 @@ jobs:
           languages: go
           tools: ${{ steps.prepare-test.outputs.tools-url }}
   # Deliberately change Go after the `init` step
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version: '1.20'
       - name: Build code
-        shell: bash
         run: go build main.go
       - uses: ./../action/analyze
         with:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         env:
           SARIF_PATH: ${{ runner.temp }}/results/go.sarif
         with:

.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-indirect-tracing-workaround-no-file-program:
     strategy:
@@ -59,7 +65,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -73,14 +79,13 @@ jobs:
           languages: go
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
-        shell: bash
         run: go build main.go
       - uses: ./../action/analyze
         with:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         env:
           SARIF_PATH: ${{ runner.temp }}/results/go.sarif
         with:

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-indirect-tracing-workaround:
     strategy:
@@ -59,7 +65,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -68,11 +74,9 @@ jobs:
           languages: go
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
-        shell: bash
         run: go build main.go
       - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
           if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
             echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
               "CODEQL_ACTION_GO_BINARY environment variable is not set."

.github/workflows/__go-tracing-autobuilder.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-tracing-autobuilder:
     strategy:
@@ -60,6 +66,10 @@ jobs:
             version: stable-v2.21.4
           - os: macos-latest
             version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest
@@ -89,7 +99,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -99,8 +109,7 @@ jobs:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/autobuild
       - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
           if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
             echo "Expected the Go autobuilder to be run, but the" \
               "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-tracing-custom-build-steps:
     strategy:
@@ -60,6 +66,10 @@ jobs:
             version: stable-v2.21.4
           - os: macos-latest
             version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest
@@ -89,7 +99,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -98,11 +108,9 @@ jobs:
           languages: go
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
-        shell: bash
         run: go build main.go
       - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
           # Once we start running Bash 4.2 in all environments, we can replace the
           # `! -z` flag with the more elegant `-v` which confirms that the variable
           # is actually unset and not potentially set to a blank value.

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   go-tracing-legacy-workflow:
     strategy:
@@ -60,6 +66,10 @@ jobs:
             version: stable-v2.21.4
           - os: macos-latest
             version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: macos-latest
+            version: stable-v2.22.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest
@@ -89,7 +99,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -98,8 +108,7 @@ jobs:
           languages: go
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/analyze
-      - shell: bash
-        run: |
+      - run: |
           cd "$RUNNER_TEMP/codeql_databases"
           if [[ ! -d go ]]; then
             echo "Did not find a Go database"

.github/workflows/__init-with-registries.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   init-with-registries:
     strategy:
@@ -78,7 +84,6 @@ jobs:
               token: "${{ secrets.GITHUB_TOKEN }}"
 
       - name: Verify packages installed
-        shell: bash
         run: |
           PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
           CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
@@ -100,7 +105,6 @@ jobs:
           fi
 
       - name: Verify qlconfig.yml file was created
-        shell: bash
         run: |
           QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
           echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
@@ -115,7 +119,6 @@ jobs:
       - name: Verify contents of qlconfig.yml
     # yq is not available on windows
         if: runner.os != 'Windows'
-        shell: bash
         run: |
           QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
           cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'

.github/workflows/__javascript-source-root.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   javascript-source-root:
     strategy:
@@ -53,7 +59,6 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Move codeql-action
-        shell: bash
         run: |
           mkdir ../new-source-root
           mv * ../new-source-root
@@ -66,7 +71,6 @@ jobs:
         with:
           skip-queries: true
       - name: Assert database exists
-        shell: bash
         run: |
           cd "$RUNNER_TEMP/codeql_databases"
           if [[ ! -d javascript ]]; then

.github/workflows/__job-run-uuid-sarif.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   job-run-uuid-sarif:
     strategy:
@@ -63,7 +69,6 @@ jobs:
           path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
       - name: Check results
-        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)

.github/workflows/__language-aliases.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   language-aliases:
     strategy:

.github/workflows/__multi-language-autodetect.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   multi-language-autodetect:
     strategy:
@@ -60,6 +66,10 @@ jobs:
             version: stable-v2.21.4
           - os: ubuntu-latest
             version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
           - os: macos-latest
             version: default
           - os: ubuntu-latest
@@ -89,12 +99,11 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
       - name: Use Xcode 16
-        shell: bash
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"
 
@@ -107,7 +116,6 @@ jobs:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
       - name: Build code
-        shell: bash
         run: ./build.sh
 
       - uses: ./../action/analyze
@@ -116,7 +124,6 @@ jobs:
           upload-database: false
 
       - name: Check language autodetect for all languages excluding Swift
-        shell: bash
         run: |
           CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
           if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -156,7 +163,6 @@ jobs:
 
       - name: Check language autodetect for Swift on macOS
         if: runner.os == 'macOS'
-        shell: bash
         run: |
           SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
           if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -164,4 +170,5 @@ jobs:
             exit 1
           fi
     env:
+      CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__overlay-init-fallback.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   overlay-init-fallback:
     strategy:
@@ -61,7 +67,6 @@ jobs:
         with:
           upload-database: false
       - name: Check database
-        shell: bash
         run: |
           cd "$RUNNER_TEMP/codeql_databases/actions"
           if ! grep -q 'overlayBaseDatabase: false' codeql-database.yml ; then

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   packaging-codescanning-config-inputs-js:
     strategy:
@@ -68,7 +74,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm
@@ -82,7 +88,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -93,7 +99,6 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:
@@ -109,7 +114,6 @@ jobs:
           queries-not-run: foo,bar
 
       - name: Assert Results
-        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           # We should have 4 hits from these rules

.github/workflows/__packaging-config-inputs-js.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   packaging-config-inputs-js:
     strategy:
@@ -68,7 +74,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm
@@ -82,7 +88,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -93,7 +99,6 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:
@@ -109,7 +114,6 @@ jobs:
           queries-not-run: foo,bar
 
       - name: Assert Results
-        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           # We should have 4 hits from these rules

.github/workflows/__packaging-config-js.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   packaging-config-js:
     strategy:
@@ -68,7 +74,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm
@@ -82,7 +88,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -92,7 +98,6 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:
@@ -108,7 +113,6 @@ jobs:
           queries-not-run: foo,bar
 
       - name: Assert Results
-        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           # We should have 4 hits from these rules

.github/workflows/__packaging-inputs-js.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   packaging-inputs-js:
     strategy:
@@ -68,7 +74,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm
@@ -82,7 +88,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -93,7 +99,6 @@ jobs:
           packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:
@@ -108,7 +113,6 @@ jobs:
           queries-not-run: foo,bar
 
       - name: Assert Results
-        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           # We should have 4 hits from these rules

.github/workflows/__quality-queries.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   quality-queries:
     strategy:
@@ -32,16 +38,58 @@ jobs:
         include:
           - os: ubuntu-latest
             version: linked
+            analysis-kinds: code-scanning
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: code-quality
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: code-scanning,code-quality
           - os: macos-latest
             version: linked
+            analysis-kinds: code-scanning
+          - os: macos-latest
+            version: linked
+            analysis-kinds: code-quality
+          - os: macos-latest
+            version: linked
+            analysis-kinds: code-scanning,code-quality
           - os: windows-latest
             version: linked
+            analysis-kinds: code-scanning
+          - os: windows-latest
+            version: linked
+            analysis-kinds: code-quality
+          - os: windows-latest
+            version: linked
+            analysis-kinds: code-scanning,code-quality
           - os: ubuntu-latest
             version: nightly-latest
+            analysis-kinds: code-scanning
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: code-quality
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: code-scanning,code-quality
           - os: macos-latest
             version: nightly-latest
+            analysis-kinds: code-scanning
+          - os: macos-latest
+            version: nightly-latest
+            analysis-kinds: code-quality
+          - os: macos-latest
+            version: nightly-latest
+            analysis-kinds: code-scanning,code-quality
           - os: windows-latest
             version: nightly-latest
+            analysis-kinds: code-scanning
+          - os: windows-latest
+            version: nightly-latest
+            analysis-kinds: code-quality
+          - os: windows-latest
+            version: nightly-latest
+            analysis-kinds: code-scanning,code-quality
     name: Quality queries input
     permissions:
       contents: read
@@ -61,33 +109,39 @@ jobs:
       - uses: ./../action/init
         with:
           languages: javascript
-          quality-queries: code-quality
+          analysis-kinds: ${{ matrix.analysis-kinds }}
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/analyze
         with:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload security SARIF
+        if: contains(matrix.analysis-kinds, 'code-scanning')
         uses: actions/upload-artifact@v4
         with:
-          name: quality-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+          name: |
+            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
       - name: Upload quality SARIF
+        if: contains(matrix.analysis-kinds, 'code-quality')
         uses: actions/upload-artifact@v4
         with:
-          name: quality-queries-${{ matrix.os }}-${{ matrix.version }}.quality.sarif.json
+          name: |
+            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
           path: ${{ runner.temp }}/results/javascript.quality.sarif
           retention-days: 7
       - name: Check quality query does not appear in security SARIF
-        uses: actions/github-script@v7
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        uses: actions/github-script@v8
         env:
           SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
           EXPECT_PRESENT: 'false'
         with:
           script: ${{ env.CHECK_SCRIPT }}
       - name: Check quality query appears in quality SARIF
-        uses: actions/github-script@v7
+        if: contains(matrix.analysis-kinds, 'code-quality')
+        uses: actions/github-script@v8
         env:
           SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif
           EXPECT_PRESENT: 'true'

.github/workflows/__remote-config.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   remote-config:
     strategy:
@@ -61,7 +67,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -72,7 +78,6 @@ jobs:
           config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
             github.sha }}
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
     env:

.github/workflows/__resolve-environment-action.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   resolve-environment-action:
     strategy:

.github/workflows/__rubocop-multi-language.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   rubocop-multi-language:
     strategy:
@@ -49,17 +55,14 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
+        uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration
-        shell: bash
         run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
       - name: Install dependencies
-        shell: bash
         run: bundle install
       - name: RuboCop run
-        shell: bash
         run: |
           bash -c "
             bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif

.github/workflows/__ruby.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   ruby:
     strategy:
@@ -67,7 +73,6 @@ jobs:
         with:
           upload-database: false
       - name: Check database
-        shell: bash
         run: |
           RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
           if [[ ! -d "$RUBY_DB" ]]; then

.github/workflows/__rust.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   rust:
     strategy:
@@ -65,7 +71,6 @@ jobs:
         with:
           upload-database: false
       - name: Check database
-        shell: bash
         run: |
           RUST_DB="${{ fromJson(steps.analysis.outputs.db-locations).rust }}"
           if [[ ! -d "$RUST_DB" ]]; then

.github/workflows/__split-workflow.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   split-workflow:
     strategy:
@@ -69,7 +75,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -80,7 +86,6 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         with:
@@ -89,7 +94,6 @@ jobs:
           upload-database: false
 
       - name: Assert No Results
-        shell: bash
         run: |
           if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
             echo "Expected results directory to be empty after skipping query execution!"
@@ -100,7 +104,6 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Assert Results
-        shell: bash
         run: |
           cd "$RUNNER_TEMP/results"
           # We should have 4 hits from these rules

.github/workflows/__start-proxy.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   start-proxy:
     strategy:

.github/workflows/__submit-sarif-failure.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   submit-sarif-failure:
     strategy:

.github/workflows/__swift-autobuild.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   swift-autobuild:
     strategy:
@@ -55,7 +61,6 @@ jobs:
           build-mode: autobuild
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Check working directory
-        shell: bash
         run: pwd
       - uses: ./../action/autobuild
         timeout-minutes: 30
@@ -64,7 +69,6 @@ jobs:
         with:
           upload-database: false
       - name: Check database
-        shell: bash
         run: |
           SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
           if [[ ! -d "$SWIFT_DB" ]]; then

.github/workflows/__swift-custom-build.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   swift-custom-build:
     strategy:
@@ -63,12 +69,11 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
       - name: Use Xcode 16
-        shell: bash
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"
       - uses: ./../action/init
@@ -77,17 +82,14 @@ jobs:
           languages: swift
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Check working directory
-        shell: bash
         run: pwd
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         id: analysis
         with:
           upload-database: false
       - name: Check database
-        shell: bash
         run: |
           SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
           if [[ ! -d "$SWIFT_DB" ]]; then

.github/workflows/__test-autobuild-working-dir.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   test-autobuild-working-dir:
     strategy:
@@ -49,7 +55,6 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Test setup
-        shell: bash
         run: |
           # Make sure that Gradle build succeeds in autobuild-dir ...
           cp -a ../action/tests/java-repo autobuild-dir
@@ -64,7 +69,6 @@ jobs:
           working-directory: autobuild-dir
       - uses: ./../action/analyze
       - name: Check database
-        shell: bash
         run: |
           cd "$RUNNER_TEMP/codeql_databases"
           if [[ ! -d java ]]; then

.github/workflows/__test-local-codeql.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   test-local-codeql:
     strategy:
@@ -41,7 +47,7 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: nightly-latest
+            version: linked
     name: Local CodeQL bundle
     permissions:
       contents: read
@@ -59,16 +65,13 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Fetch a CodeQL bundle
-        shell: bash
-        env:
-          CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Fetch latest CodeQL bundle
         run: |
-          wget "$CODEQL_URL"
+          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
       - id: init
         uses: ./../action/init
         with:
@@ -76,7 +79,6 @@ jobs:
           languages: cpp,csharp,go,java,javascript,python,ruby
           tools: ./codeql-bundle-linux64.tar.zst
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
     env:

.github/workflows/__test-proxy.yml

@@ -24,6 +24,12 @@ on:
     inputs: {}
   workflow_call:
     inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   test-proxy:
     strategy:

.github/workflows/__unset-environment.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   unset-environment:
     strategy:
@@ -61,7 +67,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -73,14 +79,12 @@ jobs:
           languages: cpp,csharp,go,java,javascript,python,ruby
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Build code
-        shell: bash
         run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
       - uses: ./../action/analyze
         id: analysis
         with:
           upload-database: false
-      - shell: bash
-        run: |
+      - run: |
           CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
           if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
             echo "::error::Did not create a database for CPP, or created it in the wrong location." \

.github/workflows/__upload-quality-sarif.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   upload-quality-sarif:
     strategy:
@@ -63,19 +69,16 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
-          quality-queries: code-quality
+          languages: csharp,java,javascript,python
+          analysis-kinds: code-quality
       - name: Build code
-        shell: bash
         run: ./build.sh
   # Generate some SARIF we can upload with the upload-sarif step
       - uses: ./../action/analyze
@@ -84,8 +87,12 @@ jobs:
           sha: 5e235361806c361d4d3f8859e3c897658025a9a2
           upload: never
       - uses: ./../action/upload-sarif
+        id: upload-sarif
         with:
           ref: refs/heads/main
           sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+      - name: Check output from `upload-sarif` step
+        if: fromJSON(steps.upload-sarif.outputs.sarif-ids)[0].analysis != 'code-quality'
+        run: exit 1
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__upload-ref-sha-input.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   upload-ref-sha-input:
     strategy:
@@ -63,7 +69,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
@@ -74,7 +80,6 @@ jobs:
           config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
             github.sha }}
       - name: Build code
-        shell: bash
         run: ./build.sh
   # Generate some SARIF we can upload with the upload-sarif step
       - uses: ./../action/analyze

.github/workflows/__with-checkout-path.yml

@@ -34,6 +34,12 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   with-checkout-path:
     strategy:
@@ -63,12 +69,11 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
       - name: Delete original checkout
-        shell: bash
         run: |
           # delete the original checkout so we don't accidentally use it.
           # Actions does not support deleting the current working directory, so we
@@ -89,7 +94,6 @@ jobs:
           source-root: x/y/z/some-path/tests/multi-language-repo
 
       - name: Build code
-        shell: bash
         working-directory: x/y/z/some-path/tests/multi-language-repo
         run: |
           ./build.sh
@@ -101,7 +105,6 @@ jobs:
           sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
 
       - name: Verify SARIF after upload
-        shell: bash
         run: |
           EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
           EXPECTED_REF="v1.1.0"

.github/workflows/check-expected-release-files.yml

@@ -9,6 +9,10 @@ on:
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   check-expected-release-files:
     runs-on: ubuntu-latest

.github/workflows/codeql.yml

@@ -13,6 +13,10 @@ on:
     - cron: '30 1 * * 0'
   workflow_dispatch:
 
+defaults:
+  run:
+    shell: bash
+
 env:
   CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
 
@@ -91,22 +95,29 @@ jobs:
       id: init
       with:
         languages: javascript
-        config-file: ./.github/codeql/codeql-config.yml
+        config-file: ./.github/codeql/codeql-config-javascript.yml
         tools: ${{ matrix.tools }}
     # confirm steps.init.outputs.codeql-path points to the codeql binary
     - name: Print CodeQL Version
-      run: ${{steps.init.outputs.codeql-path}} version --format=json
+      run: >
+        "$CODEQL" version --format=json
+      env:
+        CODEQL: ${{steps.init.outputs.codeql-path}}
     - name: Perform CodeQL Analysis
       uses: ./analyze
       with:
         category: "/language:javascript"
+        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
 
-
-  analyze-actions:
+  analyze-other:
     runs-on: ubuntu-latest
 
     strategy:
       fail-fast: false
+      matrix:
+        include:
+          - language: actions
+          - language: python
 
     permissions:
       contents: read
@@ -118,9 +129,15 @@ jobs:
     - name: Initialize CodeQL
       uses: ./init
       with:
-        languages: actions
-        config-file: ./.github/codeql/codeql-actions-config.yml
+        languages: ${{ matrix.language }}
+        build-mode: none
+        config: >
+          paths-ignore:
+            - lib
+            - tests
+          queries:
+            - uses: security-and-quality
     - name: Perform CodeQL Analysis
       uses: ./analyze
       with:
-        category: "/language:actions"
+        category: "/language:${{ matrix.language }}"

.github/workflows/codescanning-config-cli.yml

@@ -22,6 +22,10 @@ on:
     - cron: '0 5 * * *'
   workflow_dispatch: {}
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   code-scanning-config-tests:
     continue-on-error: true
@@ -57,7 +61,7 @@ jobs:
       uses: actions/checkout@v5
 
     - name: Set up Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v5
       with:
         node-version: '20'
         cache: 'npm'
@@ -176,13 +180,13 @@ jobs:
       with:
         expected-config-file-contents: |
           {
-            "queries": [
-              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" },
-              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }
-            ],
             "packs": {
               "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2", "codeql/javascript-queries" ]
-            }
+            },
+            "queries": [
+              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" },
+              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }
+            ]
           }
         languages: javascript
         queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql

.github/workflows/debug-artifacts-failure-safe.yml

@@ -17,6 +17,11 @@ on:
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   upload-artifacts:
     strategy:
@@ -45,7 +50,7 @@ jobs:
         uses: ./.github/actions/prepare-test
         with:
           version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version: ^1.13.1
       - uses: ./../action/init
@@ -55,7 +60,6 @@ jobs:
           debug-artifact-name: my-debug-artifacts
           debug-database-name: my-db
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         id: analysis
@@ -75,7 +79,6 @@ jobs:
       - name: Download all artifacts
         uses: actions/download-artifact@v5
       - name: Check expected artifacts exist
-        shell: bash
         run: |
           LANGUAGES="cpp csharp go java javascript python"
           for version in $VERSIONS; do

.github/workflows/debug-artifacts-safe.yml

@@ -16,6 +16,11 @@ on:
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   upload-artifacts:
     strategy:
@@ -41,7 +46,7 @@ jobs:
         uses: ./.github/actions/prepare-test
         with:
           version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version: ^1.13.1
       - uses: ./../action/init
@@ -54,7 +59,6 @@ jobs:
           # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
           languages: cpp,csharp,go,java,javascript,python,ruby
       - name: Build code
-        shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
         id: analysis
@@ -69,7 +73,6 @@ jobs:
       - name: Download all artifacts
         uses: actions/download-artifact@v5
       - name: Check expected artifacts exist
-        shell: bash
         run: |
           VERSIONS="stable-v2.20.3 default linked nightly-latest"
           LANGUAGES="cpp csharp go java javascript python"

.github/workflows/post-release-mergeback.yml

@@ -18,6 +18,10 @@ on:
     branches:
       - releases/v*
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   merge-back:
     runs-on: ubuntu-latest
@@ -43,7 +47,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
 
       - name: Update git config
         run: |
@@ -135,7 +139,7 @@ jobs:
           token: "${{ secrets.GITHUB_TOKEN }}"
 
       - name: Generate token
-        uses: actions/create-github-app-token@v2.1.1
+        uses: actions/create-github-app-token@v2.1.4
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/pr-checks.yml

@@ -8,6 +8,10 @@ on:
     types: [opened, synchronize, reopened, ready_for_review]
   workflow_dispatch:
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   unit-tests:
     name: Unit Tests
@@ -22,16 +26,20 @@ jobs:
     timeout-minutes: 45
 
     steps:
+      - name: Prepare git (Windows)
+        if: runner.os == 'Windows'
+        run: git config --global core.autocrlf false
+
       - uses: actions/checkout@v5
       
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '20.x'
           cache: 'npm'
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: 3.11
 
@@ -51,6 +59,10 @@ jobs:
       - name: Run unit tests
         run: npm test
 
+      - name: Run pr-checks tests
+        working-directory: pr-checks
+        run: python -m unittest discover
+
       - name: Lint
         if: matrix.os != 'windows-latest'
         run: npm run lint-ci

.github/workflows/prepare-release.yml

@@ -22,6 +22,10 @@ on:
     paths:
       - .github/workflows/prepare-release.yml
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   prepare:
     name: "Prepare release"

.github/workflows/publish-immutable-action.yml

@@ -4,6 +4,10 @@ on:
   release:
     types: [published]
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   publish:
     runs-on: ubuntu-latest

.github/workflows/python312-windows.yml

@@ -12,6 +12,10 @@ on:
     - cron: '0 0 * * 1'
   workflow_dispatch:
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   test-setup-python-scripts:
     env:
@@ -22,7 +26,7 @@ jobs:
     runs-on: windows-latest
 
     steps:
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@v6
       with:
         python-version: 3.12
 

.github/workflows/query-filters.yml

@@ -15,6 +15,10 @@ on:
     - cron: '0 5 * * *'
   workflow_dispatch: {}
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   query-filters:
     name: Query Filters Tests
@@ -27,7 +31,7 @@ jobs:
       uses: actions/checkout@v5
 
     - name: Install Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v5
       with:
         node-version: 20.x
         cache: npm

.github/workflows/rebuild.yml

@@ -5,12 +5,20 @@ on:
     types: [labeled]
   workflow_dispatch:
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   rebuild:
     name: Rebuild Action
     runs-on: ubuntu-latest
     if: github.event.label.name == 'Rebuild' || github.event_name == 'workflow_dispatch'
 
+    env:
+      HEAD_REF: ${{ github.event.pull_request.head.ref || github.event.ref }}
+      BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'main' }}
+
     permissions:
       contents: write # needed to push rebuilt commit
       pull-requests: write # needed to comment on the PR
@@ -19,7 +27,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.ref || github.event.ref }}
+          ref: ${{ env.HEAD_REF }}
 
       - name: Remove label
         if: github.event_name == 'pull_request'
@@ -37,8 +45,6 @@ jobs:
 
       - name: Merge in changes from base branch
         id: merge
-        env:
-          BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'main' }}
         run: |
           git fetch origin "$BASE_BRANCH"
 
@@ -68,13 +74,20 @@ jobs:
           npm run build
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: 3.11
 
-      - name: Generate workflows
+      - name: Sync back version updates to generated workflows
+        # Only sync back versions on Dependabot update PRs
+        if: startsWith(env.HEAD_REF, 'dependabot/')
+        working-directory: pr-checks
+        run: |
+          python3 sync_back.py -v
+
+      - name: Generate workflows
+        working-directory: pr-checks
         run: |
-          cd pr-checks
           python -m pip install --upgrade pip
           pip install ruamel.yaml==0.17.31
           python3 sync.py

.github/workflows/rollback-release.yml

@@ -14,6 +14,10 @@ on:
       - .github/workflows/rollback-release.yml
       - .github/actions/prepare-mergeback-branch/**
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   prepare:
     name: "Prepare release"
@@ -53,7 +57,6 @@ jobs:
 
       - name: Create tag for testing
         if: github.event_name != 'workflow_dispatch'
-        shell: bash
         run: git tag v0.0.0
 
       # We start by preparing the mergeback branch, mainly so that we have the updated changelog
@@ -96,7 +99,6 @@ jobs:
           echo "::endgroup::"
 
       - name: Create tags
-        shell: bash
         env:
           # We usually expect to checkout `inputs.rollback-tag` (required for `workflow_dispatch`),
           # but use `v0.0.0` for testing.
@@ -111,7 +113,6 @@ jobs:
       - name: Push tags
         # skip when testing
         if: github.event_name == 'workflow_dispatch'
-        shell: bash
         env:
           RELEASE_TAG: ${{ needs.prepare.outputs.version }}
           MAJOR_VERSION_TAG: ${{ needs.prepare.outputs.major_version }}
@@ -132,7 +133,7 @@ jobs:
 
       - name: Generate token
         if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v2.1.1
+        uses: actions/create-github-app-token@v2.1.4
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
@@ -160,7 +161,6 @@ jobs:
           echo "Created draft rollback release at $RELEASE_URL" >> $GITHUB_STEP_SUMMARY
 
       - name: Update changelog
-        shell: bash
         env:
           NEW_CHANGELOG: "${{ runner.temp }}/new_changelog.md"
           NEW_BRANCH: "${{ steps.mergeback-branch.outputs.new-branch }}"

.github/workflows/script/update-required-checks.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 # Update the required checks based on the current branch.
-# Typically, this will be main.
+
+set -euo pipefail
 
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 REPO_DIR="$(dirname "$SCRIPT_DIR")"
@@ -32,6 +33,12 @@ CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs -
 
 echo "$CHECKS" | jq
 
+# Fail if there are no checks
+if [ -z "$CHECKS" ] || [ "$(echo "$CHECKS" | jq '. | length')" -eq 0 ]; then
+  echo "No checks found for $GITHUB_SHA"
+  exit 1
+fi
+
 echo "{\"contexts\": ${CHECKS}}" > checks.json
 
 echo "Updating main"

.github/workflows/test-codeql-bundle-all.yml

@@ -16,6 +16,9 @@ on:
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch: {}
+defaults:
+  run:
+    shell: bash
 jobs:
   test-codeql-bundle-all:
     strategy:
@@ -46,7 +49,6 @@ jobs:
         languages: cpp,csharp,go,java,javascript,python,ruby 
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - name: Build code
-      shell: bash
       run: ./build.sh
     - uses: ./../action/analyze
     env:

.github/workflows/update-bundle.yml

@@ -13,6 +13,10 @@ on:
     # to filter pre-release attribute.
     types: [published]
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   update-bundle:
     if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
@@ -37,7 +41,7 @@ jobs:
           git config --global user.name "github-actions[bot]"
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '20.x'
           cache: 'npm'

.github/workflows/update-proxy-release.yml

@@ -7,6 +7,10 @@ on:
         type: string
         required: true
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   update:
     name: Update code and create PR
@@ -20,7 +24,6 @@ jobs:
     steps:
       - name: Check release tag format
         id: checks
-        shell: bash
         run: |
           if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
             echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format."
@@ -30,14 +33,13 @@ jobs:
           echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT
 
       - name: Check that the release exists
-        shell: bash
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         run: |
           (gh release view --repo "$GITHUB_REPOSITORY" --json "assets" "$RELEASE_TAG" && echo "Release found.") || exit 1
 
       - name: Install Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
 
       - name: Checkout repository
         uses: actions/checkout@v5
@@ -46,20 +48,17 @@ jobs:
           ref: main
 
       - name: Update git config
-        shell: bash
         run: |
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
       - name: Update release tag and version
-        shell: bash
         run: |
           NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
           sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts
           sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts
 
       - name: Compile TypeScript and commit changes
-        shell: bash
         env:
           TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
         run: |
@@ -72,7 +71,6 @@ jobs:
           git commit -m "Update release used by \`start-proxy\` action"
 
       - name: Push changes and open PR
-        shell: bash
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}

.github/workflows/update-release-branch.yml

@@ -11,6 +11,10 @@ on:
     branches:
       - releases/*
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
 
   prepare:
@@ -89,7 +93,7 @@ jobs:
       pull-requests: write # needed to create pull request
     steps:
     - name: Generate token
-      uses: actions/create-github-app-token@v2.1.1
+      uses: actions/create-github-app-token@v2.1.4
       id: app-token
       with:
         app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.13"
       - name: Checkout CodeQL Action

CHANGELOG.md

@@ -6,10 +6,27 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 No user facing changes.
 
-## 3.30.0 - 01 Sep 2025
+## v3.30.4 - 23 Sep 2025
+
+This release rolls back 3.30.3 due to issues with that release. It is identical to 0.0.0.
+
+## 3.30.3 - 10 Sep 2025
 
 No user facing changes.
 
+## 3.30.2 - 09 Sep 2025
+
+- Fixed a bug which could cause language autodetection to fail. [#3084](https://github.com/github/codeql-action/pull/3084)
+- Experimental: The `quality-queries` input that was added in `3.29.2` as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new `analysis-kinds` input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. [#3064](https://github.com/github/codeql-action/pull/3064)
+
+## 3.30.1 - 05 Sep 2025
+
+- Update default CodeQL bundle version to 2.23.0. [#3077](https://github.com/github/codeql-action/pull/3077)
+
+## 3.30.0 - 01 Sep 2025
+
+- Reduce the size of the CodeQL Action, speeding up workflows by approximately 4 seconds. [#3054](https://github.com/github/codeql-action/pull/3054)
+
 ## 3.29.11 - 21 Aug 2025
 
 - Update default CodeQL bundle version to 2.22.4. [#3044](https://github.com/github/codeql-action/pull/3044)
@@ -1019,3 +1036,4 @@ No user facing changes.
 - Add this changelog file. [#507](https://github.com/github/codeql-action/pull/507)
 - Improve grouping of analysis logs. Add a new log group containing a summary of metrics and diagnostics, if they were produced by CodeQL builtin queries. [#515](https://github.com/github/codeql-action/pull/515)
 - Add metrics and diagnostics summaries from custom query suites to the analysis summary log group. [#532](https://github.com/github/codeql-action/pull/532)
+

CONTRIBUTING.md

@@ -60,7 +60,7 @@ Here are a few things you can do that will increase the likelihood of your pull
 
     You can start a release by triggering this workflow via [workflow dispatch](https://github.com/github/codeql-action/actions/workflows/update-release-branch.yml).
 1. The workflow run will open a pull request titled "Merge main into releases/v3". Follow the steps on the checklist in the pull request. Once you've checked off all but the last two of these, approve the PR and automerge it.
-1. When the "Merge main into releases/v3" pull request is merged into the `releases/v3` branch, a mergeback pull request to `main` will be automatically created. This mergeback pull request incorporates the changelog updates into `main`, tags the release using the merge commit of the "Merge main into releases/v3" pull request, and bumps the patch version of the CodeQL Action. 
+1. When the "Merge main into releases/v3" pull request is merged into the `releases/v3` branch, a mergeback pull request to `main` will be automatically created. This mergeback pull request incorporates the changelog updates into `main`, tags the release using the merge commit of the "Merge main into releases/v3" pull request, and bumps the patch version of the CodeQL Action.
 1. If a backport to an older major version is required, a pull request targeting that version's branch will also be automatically created.
 1. Approve the mergeback and backport pull request (if applicable) and automerge them.
 
@@ -68,11 +68,12 @@ Once the mergeback and backport pull request have been merged, the release is co
 
 ## Keeping the PR checks up to date (admin access required)
 
-Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred jobs that need to pass in order for a PR to turn green. You can regenerate the checks automatically by running the [update-required-checks.sh](.github/workflows/script/update-required-checks.sh) script:
+Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [update-required-checks.sh](.github/workflows/script/update-required-checks.sh) script:
 
-1. By default, this script retrieves the checks from the latest SHA on `main`, so make sure that your `main` branch is up to date.
-2. Run the script. If there's a reason to, you can pass in a different SHA as a CLI argument.
-3. After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v3`, and any other currently supported major versions have been updated.
+- If you run the script without an argument, it will retrieve the set of workflows that ran for the latest commit on `main`. Make sure that your local `main` branch is up to date before running the script.
+- You can specify a commit SHA as argument to retrieve the set of workflows for that commit instead. You will likely want to use this if you have a PR that removes or adds PR checks.
+
+After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v3`, and any other currently supported major versions have been updated.
 
 Note that any updates to checks on `main` need to be backported to all currently supported major version branches, in order to maintain the same set of names for required checks.
 

analyze/action.yml

@@ -58,7 +58,7 @@ inputs:
     # If changing this, make sure to update workflow.ts accordingly.
     default: ${{ github.workspace }}
   ref:
-    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is ignored for pull requests from forks."
+    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is ignored for pull requests from forks. Expected format: refs/heads/<branch name>, refs/tags/<tag>, refs/pull/<number>/merge, or refs/pull/<number>/head."
     required: false
   sha:
     description: "The sha of the HEAD of the ref where results will be uploaded. If not provided, the Action will use the GITHUB_SHA environment variable. If provided, the ref input must be provided as well. This input is ignored for pull requests from forks."

init/action.yml

@@ -12,6 +12,9 @@ inputs:
       - The URL of a CodeQL Bundle tarball GitHub release asset, or
       - A special value `linked` which uses the version of the CodeQL tools
         that the Action has been bundled with.
+      - A special value `nightly` which uses the latest nightly version of the
+        CodeQL tools. Note that this is unstable and not recommended for
+        production use.
 
       If not specified, the Action will check in several places until it finds
       the CodeQL tools.

lib/analyze-action-post.js

@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.4",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -26447,7 +26447,7 @@ var require_package = __commonJS({
         lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
         "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
         "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
         "test-debug": "npm run test -- --timeout=20m",
         transpile: "tsc --build --verbose"
       },
@@ -26486,29 +26486,27 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.36.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
@@ -26538,7 +26536,8 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
       }
     };
   }
@@ -31823,14 +31822,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -31841,7 +31840,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -77687,7 +77686,7 @@ var require_brace_expansion2 = __commonJS({
         var isSequence = isNumericSequence || isAlphaSequence;
         var isOptions = m.body.indexOf(",") >= 0;
         if (!isSequence && !isOptions) {
-          if (m.post.match(/,.*\}/)) {
+          if (m.post.match(/,(?!,).*\}/)) {
             str2 = m.pre + "{" + m.body + escClose + m.post;
             return expand(str2);
           }
@@ -94797,7 +94796,7 @@ var require_commonjs16 = __commonJS({
     var TYPEMASK = 1023;
     var entToType = (s) => s.isFile() ? IFREG : s.isDirectory() ? IFDIR : s.isSymbolicLink() ? IFLNK : s.isCharacterDevice() ? IFCHR : s.isBlockDevice() ? IFBLK : s.isSocket() ? IFSOCK : s.isFIFO() ? IFIFO : UNKNOWN;
     var normalizeCache = /* @__PURE__ */ new Map();
-    var normalize3 = (s) => {
+    var normalize2 = (s) => {
       const c = normalizeCache.get(s);
       if (c)
         return c;
@@ -94810,7 +94809,7 @@ var require_commonjs16 = __commonJS({
       const c = normalizeNocaseCache.get(s);
       if (c)
         return c;
-      const n = normalize3(s.toLowerCase());
+      const n = normalize2(s.toLowerCase());
       normalizeNocaseCache.set(s, n);
       return n;
     };
@@ -94979,7 +94978,7 @@ var require_commonjs16 = __commonJS({
        */
       constructor(name, type2 = UNKNOWN, root, roots, nocase, children, opts) {
         this.name = name;
-        this.#matchName = nocase ? normalizeNocase(name) : normalize3(name);
+        this.#matchName = nocase ? normalizeNocase(name) : normalize2(name);
         this.#type = type2 & TYPEMASK;
         this.nocase = nocase;
         this.roots = roots;
@@ -95072,7 +95071,7 @@ var require_commonjs16 = __commonJS({
           return this.parent || this;
         }
         const children = this.children();
-        const name = this.nocase ? normalizeNocase(pathPart) : normalize3(pathPart);
+        const name = this.nocase ? normalizeNocase(pathPart) : normalize2(pathPart);
         for (const p of children) {
           if (p.#matchName === name) {
             return p;
@@ -95317,7 +95316,7 @@ var require_commonjs16 = __commonJS({
        * directly.
        */
       isNamed(n) {
-        return !this.nocase ? this.#matchName === normalize3(n) : this.#matchName === normalizeNocase(n);
+        return !this.nocase ? this.#matchName === normalize2(n) : this.#matchName === normalizeNocase(n);
       }
       /**
        * Return the Path object corresponding to the target of a symbolic link.
@@ -95456,7 +95455,7 @@ var require_commonjs16 = __commonJS({
       #readdirMaybePromoteChild(e, c) {
         for (let p = c.provisional; p < c.length; p++) {
           const pchild = c[p];
-          const name = this.nocase ? normalizeNocase(e.name) : normalize3(e.name);
+          const name = this.nocase ? normalizeNocase(e.name) : normalize2(e.name);
           if (name !== pchild.#matchName) {
             continue;
           }
@@ -102912,7 +102911,7 @@ var require_dist_node16 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -102920,7 +102919,7 @@ var require_dist_node16 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -102930,12 +102929,12 @@ var require_dist_node16 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(encodeValue(operator, value2, isKeyOperator(operator) ? key : ""));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -102943,12 +102942,12 @@ var require_dist_node16 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -102963,7 +102962,7 @@ var require_dist_node16 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -103287,7 +103286,7 @@ var require_tr46 = __commonJS({
       TRANSITIONAL: 0,
       NONTRANSITIONAL: 1
     };
-    function normalize3(str2) {
+    function normalize2(str2) {
       return str2.split("\0").map(function(s) {
         return s.normalize("NFC");
       }).join("\0");
@@ -103367,7 +103366,7 @@ var require_tr46 = __commonJS({
         processing_option = PROCESSING_OPTIONS.NONTRANSITIONAL;
       }
       var error2 = false;
-      if (normalize3(label) !== label || label[3] === "-" && label[4] === "-" || label[0] === "-" || label[label.length - 1] === "-" || label.indexOf(".") !== -1 || label.search(combiningMarksRegex) === 0) {
+      if (normalize2(label) !== label || label[3] === "-" && label[4] === "-" || label[0] === "-" || label[label.length - 1] === "-" || label.indexOf(".") !== -1 || label.search(combiningMarksRegex) === 0) {
         error2 = true;
       }
       var len = countSymbols(label);
@@ -103385,7 +103384,7 @@ var require_tr46 = __commonJS({
     }
     function processing(domain_name, useSTD3, processing_option) {
       var result = mapChars(domain_name, useSTD3, processing_option);
-      result.string = normalize3(result.string);
+      result.string = normalize2(result.string);
       var labels = result.string.split(".");
       for (var i = 0; i < labels.length; ++i) {
         try {
@@ -117488,7 +117487,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs3 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());
 
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -117501,8 +117499,17 @@ var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
 // src/caching-utils.ts
 var core6 = __toESM(require_core());
 
+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/feature-flags.ts
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/overlay-database-utils.ts
 var fs2 = __toESM(require("fs"));
@@ -117687,8 +117694,8 @@ function withGroup(groupName, f) {
 }
 
 // src/overlay-database-utils.ts
-var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
+var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
   const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -117748,13 +117755,13 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
 }
 
 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver2.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }
 
 // src/feature-flags.ts
@@ -117798,6 +117805,12 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
+  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
+    minimumVersion: void 0,
+    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
+  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -117909,11 +117922,21 @@ var featureConfig = {
     minimumVersion: void 0,
     toolsFeature: "pythonDefaultIsToNotExtractStdlib" /* PythonDefaultIsToNotExtractStdlib */
   },
+  ["use_repository_properties" /* UseRepositoryProperties */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
+    minimumVersion: void 0
+  },
   ["qa_telemetry_enabled" /* QaTelemetryEnabled */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
   }
 };
 
@@ -117921,15 +117944,6 @@ var featureConfig = {
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
@@ -117954,12 +117968,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
   rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
   swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
   return path3.join(tempDir, "config");
 }
@@ -117971,40 +117979,23 @@ async function getConfig(tempDir, logger) {
   const configString = fs3.readFileSync(configFile, "utf8");
   logger.debug("Loaded config:");
   logger.debug(configString);
-  return JSON.parse(configString);
+  const config = JSON.parse(configString);
+  if (config.version === void 0) {
+    throw new ConfigurationError(
+      `Loaded configuration file, but it does not contain the expected 'version' field.`
+    );
+  }
+  if (config.version !== getActionVersion()) {
+    throw new ConfigurationError(
+      `Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
+    );
+  }
+  return config;
 }
-function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
-  const augmentedConfig = cloneObject(originalUserInput);
-  if (augmentationProperties.queriesInput) {
-    if (augmentationProperties.queriesInputCombines) {
-      augmentedConfig.queries = (augmentedConfig.queries || []).concat(
-        augmentationProperties.queriesInput
-      );
-    } else {
-      augmentedConfig.queries = augmentationProperties.queriesInput;
-    }
-  }
-  if (augmentedConfig.queries?.length === 0) {
-    delete augmentedConfig.queries;
-  }
-  if (augmentationProperties.packsInput) {
-    if (augmentationProperties.packsInputCombines) {
-      if (Array.isArray(augmentedConfig.packs)) {
-        augmentedConfig.packs = (augmentedConfig.packs || []).concat(
-          augmentationProperties.packsInput
-        );
-      } else if (!augmentedConfig.packs) {
-        augmentedConfig.packs = augmentationProperties.packsInput;
-      } else {
-        const language = Object.keys(augmentedConfig.packs)[0];
-        augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput);
-      }
-    } else {
-      augmentedConfig.packs = augmentationProperties.packsInput;
-    }
-  }
-  if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
-    delete augmentedConfig.packs;
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
+  const augmentedConfig = cloneObject(cliConfig);
+  if (extraQueryExclusions.length === 0) {
+    return augmentedConfig;
   }
   augmentedConfig["query-filters"] = [
     // Ordering matters. If the first filter is an inclusion, it implicitly
@@ -118012,7 +118003,7 @@ function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
     // it implicitly includes all queries that are not excluded. So user
     // filters (if any) should always be first to preserve intent.
     ...augmentedConfig["query-filters"] || [],
-    ...augmentationProperties.extraQueryExclusions
+    ...extraQueryExclusions
   ];
   if (augmentedConfig["query-filters"]?.length === 0) {
     delete augmentedConfig["query-filters"];
@@ -118134,7 +118125,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         await this.getVersion(),
         "forceOverwrite" /* ForceOverwrite */
       ) ? "--force-overwrite" : "--overwrite";
-      const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+      const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === "overlay" /* Overlay */) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -118245,13 +118236,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         );
       }
     },
-    async betterResolveLanguages() {
+    async betterResolveLanguages({
+      filterToLanguagesWithQueries
+    } = { filterToLanguagesWithQueries: false }) {
       const codeqlArgs = [
         "resolve",
         "languages",
         "--format=betterjson",
         "--extractor-options-verbosity=4",
         "--extractor-include-aliases",
+        ...filterToLanguagesWithQueries ? ["--filter-to-languages-with-queries"] : [],
         ...getExtraOptionsFromEnv(["resolve", "languages"])
       ];
       const output = await runCli(cmd, codeqlArgs);
@@ -118290,7 +118284,6 @@ ${output}`
         "run-queries",
         ...flags,
         databasePath,
-        "--intra-layer-parallelism",
         "--min-disk-free=1024",
         // Try to leave at least 1GB free
         "-v",
@@ -118548,9 +118541,9 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
-    config.originalUserInput,
-    config.augmentationProperties
+  const augmentedConfig = appendExtraQueryExclusions(
+    config.extraQueryExclusions,
+    config.computedConfig
   );
   logger.info(
     `Writing augmented user configuration file to ${codeScanningConfigFile}`

lib/autobuild-action.js

@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.4",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -26447,7 +26447,7 @@ var require_package = __commonJS({
         lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
         "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
         "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
         "test-debug": "npm run test -- --timeout=20m",
         transpile: "tsc --build --verbose"
       },
@@ -26486,29 +26486,27 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.36.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
@@ -26538,7 +26536,8 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
       }
     };
   }
@@ -31823,14 +31822,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -31841,7 +31840,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -78230,7 +78229,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs4 = __toESM(require("fs"));
 var path4 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());
 
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -78243,14 +78241,23 @@ var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
 // src/caching-utils.ts
 var core6 = __toESM(require_core());
 
+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/feature-flags.ts
 var fs3 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.22.4";
-var cliVersion = "2.22.4";
+var bundleVersion = "codeql-bundle-v2.23.1";
+var cliVersion = "2.23.1";
 
 // src/overlay-database-utils.ts
 var fs2 = __toESM(require("fs"));
@@ -78427,8 +78434,8 @@ function getActionsLogger() {
 }
 
 // src/overlay-database-utils.ts
-var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
+var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
   const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -78488,7 +78495,7 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
 }
 
 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
@@ -78536,6 +78543,12 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
+  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
+    minimumVersion: void 0,
+    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
+  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -78647,11 +78660,21 @@ var featureConfig = {
     minimumVersion: void 0,
     toolsFeature: "pythonDefaultIsToNotExtractStdlib" /* PythonDefaultIsToNotExtractStdlib */
   },
+  ["use_repository_properties" /* UseRepositoryProperties */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
+    minimumVersion: void 0
+  },
   ["qa_telemetry_enabled" /* QaTelemetryEnabled */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
   }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -78760,7 +78783,7 @@ var GitHubFeatureFlags = class {
       DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length,
       f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length
     ).replace(/_/g, ".");
-    if (!semver3.valid(version)) {
+    if (!semver4.valid(version)) {
       this.logger.warning(
         `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`
       );
@@ -78923,15 +78946,6 @@ var GitHubFeatureFlags = class {
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
@@ -78956,12 +78970,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
   rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
   swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
   return path4.join(tempDir, "config");
 }
@@ -78973,40 +78981,23 @@ async function getConfig(tempDir, logger) {
   const configString = fs4.readFileSync(configFile, "utf8");
   logger.debug("Loaded config:");
   logger.debug(configString);
-  return JSON.parse(configString);
+  const config = JSON.parse(configString);
+  if (config.version === void 0) {
+    throw new ConfigurationError(
+      `Loaded configuration file, but it does not contain the expected 'version' field.`
+    );
+  }
+  if (config.version !== getActionVersion()) {
+    throw new ConfigurationError(
+      `Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
+    );
+  }
+  return config;
 }
-function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
-  const augmentedConfig = cloneObject(originalUserInput);
-  if (augmentationProperties.queriesInput) {
-    if (augmentationProperties.queriesInputCombines) {
-      augmentedConfig.queries = (augmentedConfig.queries || []).concat(
-        augmentationProperties.queriesInput
-      );
-    } else {
-      augmentedConfig.queries = augmentationProperties.queriesInput;
-    }
-  }
-  if (augmentedConfig.queries?.length === 0) {
-    delete augmentedConfig.queries;
-  }
-  if (augmentationProperties.packsInput) {
-    if (augmentationProperties.packsInputCombines) {
-      if (Array.isArray(augmentedConfig.packs)) {
-        augmentedConfig.packs = (augmentedConfig.packs || []).concat(
-          augmentationProperties.packsInput
-        );
-      } else if (!augmentedConfig.packs) {
-        augmentedConfig.packs = augmentationProperties.packsInput;
-      } else {
-        const language = Object.keys(augmentedConfig.packs)[0];
-        augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput);
-      }
-    } else {
-      augmentedConfig.packs = augmentationProperties.packsInput;
-    }
-  }
-  if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
-    delete augmentedConfig.packs;
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
+  const augmentedConfig = cloneObject(cliConfig);
+  if (extraQueryExclusions.length === 0) {
+    return augmentedConfig;
   }
   augmentedConfig["query-filters"] = [
     // Ordering matters. If the first filter is an inclusion, it implicitly
@@ -79014,7 +79005,7 @@ function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
     // it implicitly includes all queries that are not excluded. So user
     // filters (if any) should always be first to preserve intent.
     ...augmentedConfig["query-filters"] || [],
-    ...augmentationProperties.extraQueryExclusions
+    ...extraQueryExclusions
   ];
   if (augmentedConfig["query-filters"]?.length === 0) {
     delete augmentedConfig["query-filters"];
@@ -79169,7 +79160,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         await this.getVersion(),
         "forceOverwrite" /* ForceOverwrite */
       ) ? "--force-overwrite" : "--overwrite";
-      const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+      const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === "overlay" /* Overlay */) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -79280,13 +79271,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         );
       }
     },
-    async betterResolveLanguages() {
+    async betterResolveLanguages({
+      filterToLanguagesWithQueries
+    } = { filterToLanguagesWithQueries: false }) {
       const codeqlArgs = [
         "resolve",
         "languages",
         "--format=betterjson",
         "--extractor-options-verbosity=4",
         "--extractor-include-aliases",
+        ...filterToLanguagesWithQueries ? ["--filter-to-languages-with-queries"] : [],
         ...getExtraOptionsFromEnv(["resolve", "languages"])
       ];
       const output = await runCli(cmd, codeqlArgs);
@@ -79325,7 +79319,6 @@ ${output}`
         "run-queries",
         ...flags,
         databasePath,
-        "--intra-layer-parallelism",
         "--min-disk-free=1024",
         // Try to leave at least 1GB free
         "-v",
@@ -79583,9 +79576,9 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
-    config.originalUserInput,
-    config.augmentationProperties
+  const augmentedConfig = appendExtraQueryExclusions(
+    config.extraQueryExclusions,
+    config.computedConfig
   );
   logger.info(
     `Writing augmented user configuration file to ${codeScanningConfigFile}`

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.22.4",
-  "cliVersion": "2.22.4",
-  "priorBundleVersion": "codeql-bundle-v2.22.3",
-  "priorCliVersion": "2.22.3"
+  "bundleVersion": "codeql-bundle-v2.23.1",
+  "cliVersion": "2.23.1",
+  "priorBundleVersion": "codeql-bundle-v2.23.0",
+  "priorCliVersion": "2.23.0"
 }

lib/init-action-post.js

@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context3, operator, key, modifier) {
       var value = context3[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context3, operator, key, modifier) {
       var value = context3[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -27722,7 +27722,7 @@ var require_pattern = __commonJS({
       const absolute = [];
       const relative2 = [];
       for (const pattern of patterns) {
-        if (isAbsolute3(pattern)) {
+        if (isAbsolute2(pattern)) {
           absolute.push(pattern);
         } else {
           relative2.push(pattern);
@@ -27731,10 +27731,10 @@ var require_pattern = __commonJS({
       return [absolute, relative2];
     }
     exports2.partitionAbsoluteAndRelative = partitionAbsoluteAndRelative;
-    function isAbsolute3(pattern) {
+    function isAbsolute2(pattern) {
       return path19.isAbsolute(pattern);
     }
-    exports2.isAbsolute = isAbsolute3;
+    exports2.isAbsolute = isAbsolute2;
   }
 });
 
@@ -32287,7 +32287,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.4",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -32296,7 +32296,7 @@ var require_package = __commonJS({
         lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
         "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
         "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
         "test-debug": "npm run test -- --timeout=20m",
         transpile: "tsc --build --verbose"
       },
@@ -32335,29 +32335,27 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.36.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
@@ -32387,7 +32385,8 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
       }
     };
   }
@@ -37672,14 +37671,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -37690,7 +37689,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -83536,7 +83535,7 @@ var require_brace_expansion2 = __commonJS({
         var isSequence = isNumericSequence || isAlphaSequence;
         var isOptions = m.body.indexOf(",") >= 0;
         if (!isSequence && !isOptions) {
-          if (m.post.match(/,.*\}/)) {
+          if (m.post.match(/,(?!,).*\}/)) {
             str2 = m.pre + "{" + m.body + escClose + m.post;
             return expand(str2);
           }
@@ -100646,7 +100645,7 @@ var require_commonjs16 = __commonJS({
     var TYPEMASK = 1023;
     var entToType = (s) => s.isFile() ? IFREG : s.isDirectory() ? IFDIR : s.isSymbolicLink() ? IFLNK : s.isCharacterDevice() ? IFCHR : s.isBlockDevice() ? IFBLK : s.isSocket() ? IFSOCK : s.isFIFO() ? IFIFO : UNKNOWN;
     var normalizeCache = /* @__PURE__ */ new Map();
-    var normalize4 = (s) => {
+    var normalize3 = (s) => {
       const c = normalizeCache.get(s);
       if (c)
         return c;
@@ -100659,7 +100658,7 @@ var require_commonjs16 = __commonJS({
       const c = normalizeNocaseCache.get(s);
       if (c)
         return c;
-      const n = normalize4(s.toLowerCase());
+      const n = normalize3(s.toLowerCase());
       normalizeNocaseCache.set(s, n);
       return n;
     };
@@ -100828,7 +100827,7 @@ var require_commonjs16 = __commonJS({
        */
       constructor(name, type2 = UNKNOWN, root, roots, nocase, children, opts) {
         this.name = name;
-        this.#matchName = nocase ? normalizeNocase(name) : normalize4(name);
+        this.#matchName = nocase ? normalizeNocase(name) : normalize3(name);
         this.#type = type2 & TYPEMASK;
         this.nocase = nocase;
         this.roots = roots;
@@ -100921,7 +100920,7 @@ var require_commonjs16 = __commonJS({
           return this.parent || this;
         }
         const children = this.children();
-        const name = this.nocase ? normalizeNocase(pathPart) : normalize4(pathPart);
+        const name = this.nocase ? normalizeNocase(pathPart) : normalize3(pathPart);
         for (const p of children) {
           if (p.#matchName === name) {
             return p;
@@ -101166,7 +101165,7 @@ var require_commonjs16 = __commonJS({
        * directly.
        */
       isNamed(n) {
-        return !this.nocase ? this.#matchName === normalize4(n) : this.#matchName === normalizeNocase(n);
+        return !this.nocase ? this.#matchName === normalize3(n) : this.#matchName === normalizeNocase(n);
       }
       /**
        * Return the Path object corresponding to the target of a symbolic link.
@@ -101305,7 +101304,7 @@ var require_commonjs16 = __commonJS({
       #readdirMaybePromoteChild(e, c) {
         for (let p = c.provisional; p < c.length; p++) {
           const pchild = c[p];
-          const name = this.nocase ? normalizeNocase(e.name) : normalize4(e.name);
+          const name = this.nocase ? normalizeNocase(e.name) : normalize3(e.name);
           if (name !== pchild.#matchName) {
             continue;
           }
@@ -108761,7 +108760,7 @@ var require_dist_node16 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -108769,7 +108768,7 @@ var require_dist_node16 = __commonJS({
     }
     function getValues(context3, operator, key, modifier) {
       var value = context3[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -108779,12 +108778,12 @@ var require_dist_node16 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(encodeValue(operator, value2, isKeyOperator(operator) ? key : ""));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -108792,12 +108791,12 @@ var require_dist_node16 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -108812,7 +108811,7 @@ var require_dist_node16 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -109136,7 +109135,7 @@ var require_tr46 = __commonJS({
       TRANSITIONAL: 0,
       NONTRANSITIONAL: 1
     };
-    function normalize4(str2) {
+    function normalize3(str2) {
       return str2.split("\0").map(function(s) {
         return s.normalize("NFC");
       }).join("\0");
@@ -109216,7 +109215,7 @@ var require_tr46 = __commonJS({
         processing_option = PROCESSING_OPTIONS.NONTRANSITIONAL;
       }
       var error2 = false;
-      if (normalize4(label) !== label || label[3] === "-" && label[4] === "-" || label[0] === "-" || label[label.length - 1] === "-" || label.indexOf(".") !== -1 || label.search(combiningMarksRegex) === 0) {
+      if (normalize3(label) !== label || label[3] === "-" && label[4] === "-" || label[0] === "-" || label[label.length - 1] === "-" || label.indexOf(".") !== -1 || label.search(combiningMarksRegex) === 0) {
         error2 = true;
       }
       var len = countSymbols(label);
@@ -109234,7 +109233,7 @@ var require_tr46 = __commonJS({
     }
     function processing(domain_name, useSTD3, processing_option) {
       var result = mapChars(domain_name, useSTD3, processing_option);
-      result.string = normalize4(result.string);
+      result.string = normalize3(result.string);
       var labels = result.string.split(".");
       for (var i = 0; i < labels.length; ++i) {
         try {
@@ -128747,7 +128746,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs9 = __toESM(require("fs"));
 var path10 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());
 
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -128756,10 +128754,35 @@ var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
   return AnalysisKind2;
 })(AnalysisKind || {});
 var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+var CodeScanning = {
+  kind: "code-scanning" /* CodeScanning */,
+  name: "code scanning",
+  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
+  sarifExtension: ".sarif",
+  sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name),
+  sentinelPrefix: "CODEQL_UPLOAD_SARIF_"
+};
+var CodeQuality = {
+  kind: "code-quality" /* CodeQuality */,
+  name: "code quality",
+  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
+  sarifExtension: ".quality.sarif",
+  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
+  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_"
+};
 
 // src/caching-utils.ts
 var core6 = __toESM(require_core());
 
+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/diff-informed-analysis-utils.ts
 var fs8 = __toESM(require("fs"));
 var path9 = __toESM(require("path"));
@@ -128767,11 +128790,11 @@ var path9 = __toESM(require("path"));
 // src/feature-flags.ts
 var fs7 = __toESM(require("fs"));
 var path8 = __toESM(require("path"));
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.22.4";
-var cliVersion = "2.22.4";
+var bundleVersion = "codeql-bundle-v2.23.1";
+var cliVersion = "2.23.1";
 
 // src/overlay-database-utils.ts
 var fs6 = __toESM(require("fs"));
@@ -129001,8 +129024,8 @@ function formatDuration(durationMs) {
 }
 
 // src/overlay-database-utils.ts
-var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
+var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
   const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -129062,13 +129085,13 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
 }
 
 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver2.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }
 
 // src/feature-flags.ts
@@ -129115,6 +129138,12 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
+  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
+    minimumVersion: void 0,
+    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
+  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -129226,11 +129255,21 @@ var featureConfig = {
     minimumVersion: void 0,
     toolsFeature: "pythonDefaultIsToNotExtractStdlib" /* PythonDefaultIsToNotExtractStdlib */
   },
+  ["use_repository_properties" /* UseRepositoryProperties */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
+    minimumVersion: void 0
+  },
   ["qa_telemetry_enabled" /* QaTelemetryEnabled */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
   }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -129339,7 +129378,7 @@ var GitHubFeatureFlags = class {
       DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length,
       f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length
     ).replace(/_/g, ".");
-    if (!semver3.valid(version)) {
+    if (!semver4.valid(version)) {
       this.logger.warning(
         `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`
       );
@@ -129520,15 +129559,6 @@ ${jsonContents}`
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
@@ -129553,12 +129583,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
   rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
   swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
   return path10.join(tempDir, "config");
 }
@@ -129570,40 +129594,23 @@ async function getConfig(tempDir, logger) {
   const configString = fs9.readFileSync(configFile, "utf8");
   logger.debug("Loaded config:");
   logger.debug(configString);
-  return JSON.parse(configString);
+  const config = JSON.parse(configString);
+  if (config.version === void 0) {
+    throw new ConfigurationError(
+      `Loaded configuration file, but it does not contain the expected 'version' field.`
+    );
+  }
+  if (config.version !== getActionVersion()) {
+    throw new ConfigurationError(
+      `Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
+    );
+  }
+  return config;
 }
-function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
-  const augmentedConfig = cloneObject(originalUserInput);
-  if (augmentationProperties.queriesInput) {
-    if (augmentationProperties.queriesInputCombines) {
-      augmentedConfig.queries = (augmentedConfig.queries || []).concat(
-        augmentationProperties.queriesInput
-      );
-    } else {
-      augmentedConfig.queries = augmentationProperties.queriesInput;
-    }
-  }
-  if (augmentedConfig.queries?.length === 0) {
-    delete augmentedConfig.queries;
-  }
-  if (augmentationProperties.packsInput) {
-    if (augmentationProperties.packsInputCombines) {
-      if (Array.isArray(augmentedConfig.packs)) {
-        augmentedConfig.packs = (augmentedConfig.packs || []).concat(
-          augmentationProperties.packsInput
-        );
-      } else if (!augmentedConfig.packs) {
-        augmentedConfig.packs = augmentationProperties.packsInput;
-      } else {
-        const language = Object.keys(augmentedConfig.packs)[0];
-        augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput);
-      }
-    } else {
-      augmentedConfig.packs = augmentationProperties.packsInput;
-    }
-  }
-  if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
-    delete augmentedConfig.packs;
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
+  const augmentedConfig = cloneObject(cliConfig);
+  if (extraQueryExclusions.length === 0) {
+    return augmentedConfig;
   }
   augmentedConfig["query-filters"] = [
     // Ordering matters. If the first filter is an inclusion, it implicitly
@@ -129611,7 +129618,7 @@ function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
     // it implicitly includes all queries that are not excluded. So user
     // filters (if any) should always be first to preserve intent.
     ...augmentedConfig["query-filters"] || [],
-    ...augmentationProperties.extraQueryExclusions
+    ...extraQueryExclusions
   ];
   if (augmentedConfig["query-filters"]?.length === 0) {
     delete augmentedConfig["query-filters"];
@@ -129626,7 +129633,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist/esm/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -129635,27 +129642,24 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist/esm/rng.js
-var import_crypto = require("crypto");
+// node_modules/uuid/dist-node/rng.js
+var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
 function rng() {
   if (poolPtr > rnds8Pool.length - 16) {
-    (0, import_crypto.randomFillSync)(rnds8Pool);
+    (0, import_node_crypto.randomFillSync)(rnds8Pool);
     poolPtr = 0;
   }
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist/esm/native.js
-var import_crypto2 = require("crypto");
-var native_default = { randomUUID: import_crypto2.randomUUID };
+// node_modules/uuid/dist-node/native.js
+var import_node_crypto2 = require("node:crypto");
+var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist/esm/v4.js
-function v4(options, buf, offset) {
-  if (native_default.randomUUID && !buf && !options) {
-    return native_default.randomUUID();
-  }
+// node_modules/uuid/dist-node/v4.js
+function _v4(options, buf, offset) {
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();
   if (rnds.length < 16) {
@@ -129675,6 +129679,12 @@ function v4(options, buf, offset) {
   }
   return unsafeStringify(rnds);
 }
+function v4(options, buf, offset) {
+  if (native_default.randomUUID && !buf && !options) {
+    return native_default.randomUUID();
+  }
+  return _v4(options, buf, offset);
+}
 var v4_default = v4;
 
 // src/tar.ts
@@ -129991,7 +130001,10 @@ function sanitizeUrlForStatusReport(url2) {
 
 // src/setup-codeql.ts
 var CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
+var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing";
+var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";
 var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
+var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"];
 function getCodeQLBundleExtension(compressionMethod) {
   switch (compressionMethod) {
     case "gzip":
@@ -130134,7 +130147,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
   return void 0;
 }
 async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) {
-  if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !toolsInput.startsWith("http")) {
+  if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
     logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
     const compressionMethod2 = inferCompressionMethod(toolsInput);
     if (compressionMethod2 === void 0) {
@@ -130163,6 +130176,12 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
   let cliVersion2;
   let tagName;
   let url2;
+  if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) {
+    logger.info(
+      `Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.`
+    );
+    toolsInput = await getNightlyToolsUrl(logger);
+  }
   if (forceShippedTools) {
     cliVersion2 = cliVersion;
     tagName = bundleVersion;
@@ -130446,6 +130465,34 @@ async function useZstdBundle(cliVersion2, tarSupportsZstd) {
 function getTempExtractionDir(tempDir) {
   return path12.join(tempDir, v4_default());
 }
+async function getNightlyToolsUrl(logger) {
+  const zstdAvailability = await isZstdAvailable(logger);
+  const compressionMethod = await useZstdBundle(
+    CODEQL_VERSION_ZSTD_BUNDLE,
+    zstdAvailability.available
+  ) ? "zstd" : "gzip";
+  try {
+    const release3 = await getApiClient().rest.repos.listReleases({
+      owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER,
+      repo: CODEQL_NIGHTLIES_REPOSITORY_NAME,
+      per_page: 1,
+      page: 1,
+      prerelease: true
+    });
+    const latestRelease = release3.data[0];
+    if (!latestRelease) {
+      throw new Error("Could not find the latest nightly release.");
+    }
+    return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`;
+  } catch (e) {
+    throw new Error(
+      `Failed to retrieve the latest nightly release: ${wrapError(e)}`
+    );
+  }
+}
+function isReservedToolsValue(tools) {
+  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools);
+}
 
 // src/tracer-config.ts
 async function shouldEnableIndirectTracing(codeql, config) {
@@ -130588,7 +130635,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         await this.getVersion(),
         "forceOverwrite" /* ForceOverwrite */
       ) ? "--force-overwrite" : "--overwrite";
-      const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+      const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === "overlay" /* Overlay */) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -130699,13 +130746,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         );
       }
     },
-    async betterResolveLanguages() {
+    async betterResolveLanguages({
+      filterToLanguagesWithQueries
+    } = { filterToLanguagesWithQueries: false }) {
       const codeqlArgs = [
         "resolve",
         "languages",
         "--format=betterjson",
         "--extractor-options-verbosity=4",
         "--extractor-include-aliases",
+        ...filterToLanguagesWithQueries ? ["--filter-to-languages-with-queries"] : [],
         ...getExtraOptionsFromEnv(["resolve", "languages"])
       ];
       const output = await runCli(cmd, codeqlArgs);
@@ -130744,7 +130794,6 @@ ${output}`
         "run-queries",
         ...flags,
         databasePath,
-        "--intra-layer-parallelism",
         "--min-disk-free=1024",
         // Try to leave at least 1GB free
         "-v",
@@ -131002,9 +131051,9 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
-    config.originalUserInput,
-    config.augmentationProperties
+  const augmentedConfig = appendExtraQueryExclusions(
+    config.extraQueryExclusions,
+    config.computedConfig
   );
   logger.info(
     `Writing augmented user configuration file to ${codeScanningConfigFile}`
@@ -132828,7 +132877,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
   return JSON.parse(fs17.readFileSync(outputFile, "utf8"));
 }
 function populateRunAutomationDetails(sarif, category, analysis_key, environment) {
-  const automationID = getAutomationID(category, analysis_key, environment);
+  const automationID = getAutomationID2(category, analysis_key, environment);
   if (automationID !== void 0) {
     for (const run2 of sarif.runs || []) {
       if (run2.automationDetails === void 0) {
@@ -132841,7 +132890,7 @@ function populateRunAutomationDetails(sarif, category, analysis_key, environment
   }
   return sarif;
 }
-function getAutomationID(category, analysis_key, environment) {
+function getAutomationID2(category, analysis_key, environment) {
   if (category !== void 0) {
     let automationID = category;
     if (!automationID.endsWith("/")) {
@@ -133019,18 +133068,6 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
   }
   return payloadObj;
 }
-var CodeScanningTarget = {
-  name: "code scanning",
-  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
-  sarifPredicate: (name) => name.endsWith(".sarif") && !CodeQualityTarget.sarifPredicate(name),
-  sentinelPrefix: "CODEQL_UPLOAD_SARIF_"
-};
-var CodeQualityTarget = {
-  name: "code quality",
-  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
-  sarifPredicate: (name) => name.endsWith(".quality.sarif"),
-  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_"
-};
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
   const sarifPaths = getSarifFilePaths(
     inputSarifPath,
@@ -133045,7 +133082,7 @@ async function uploadFiles(inputSarifPath, checkoutPath, category, features, log
     uploadTarget
   );
 }
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget = CodeScanningTarget) {
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
   logger.startGroup(`Uploading ${uploadTarget.name} results`);
   logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
   const gitHubVersion = await getGitHubVersion();
@@ -133082,6 +133119,10 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
   validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
   logger.debug(`Serializing SARIF for upload`);
   const sarifPayload = JSON.stringify(sarif);
+  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+  }
   logger.debug(`Compressing serialized SARIF`);
   const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
   const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -133120,6 +133161,21 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
     sarifID
   };
 }
+function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
+  if (!fs17.existsSync(outputDir)) {
+    fs17.mkdirSync(outputDir, { recursive: true });
+  } else if (!fs17.lstatSync(outputDir).isDirectory()) {
+    throw new ConfigurationError(
+      `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
+    );
+  }
+  const outputFile = path17.resolve(
+    outputDir,
+    `upload${uploadTarget.sarifExtension}`
+  );
+  logger.info(`Dumping processed SARIF file to ${outputFile}`);
+  fs17.writeFileSync(outputFile, sarifPayload);
+}
 var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
 var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3;
 async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
@@ -133216,7 +133272,7 @@ function handleProcessingResultForUnsuccessfulExecution(response, status, logger
     assertNever(status);
   }
 }
-function validateUniqueCategory(sarif, sentinelPrefix = CodeScanningTarget.sentinelPrefix) {
+function validateUniqueCategory(sarif, sentinelPrefix) {
   const categories = {};
   for (const run2 of sarif.runs) {
     const id = run2?.automationDetails?.id;
@@ -133288,7 +133344,8 @@ function toCodedErrors(errors) {
 }
 var WorkflowErrors = toCodedErrors({
   MissingPushHook: `Please specify an on.push hook to analyze and see code scanning alerts from the default branch on the Security tab.`,
-  CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`
+  CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
+  InconsistentActionVersion: `Not all workflow steps that use \`github/codeql-action\` actions use the same version. Please ensure that all such steps use the same version to avoid compatibility issues.`
 });
 async function getWorkflow(logger) {
   const maybeWorkflow = process.env["CODE_SCANNING_WORKFLOW_FILE"];
@@ -133441,7 +133498,7 @@ async function maybeUploadFailedSarif(config, repositoryNwo, features, logger) {
     category,
     features,
     logger,
-    CodeScanningTarget
+    CodeScanning
   );
   await waitForProcessing(
     repositoryNwo,

lib/resolve-environment-action.js

@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.4",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -26447,7 +26447,7 @@ var require_package = __commonJS({
         lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
         "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
         "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
         "test-debug": "npm run test -- --timeout=20m",
         transpile: "tsc --build --verbose"
       },
@@ -26486,29 +26486,27 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.36.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
@@ -26538,7 +26536,8 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
       }
     };
   }
@@ -31823,14 +31822,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -31841,7 +31840,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -78229,7 +78228,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs3 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());
 
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -78242,8 +78240,17 @@ var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
 // src/caching-utils.ts
 var core6 = __toESM(require_core());
 
+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/feature-flags.ts
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/overlay-database-utils.ts
 var fs2 = __toESM(require("fs"));
@@ -78420,8 +78427,8 @@ function getActionsLogger() {
 }
 
 // src/overlay-database-utils.ts
-var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
+var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
   const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -78481,7 +78488,7 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
 }
 
 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
@@ -78527,6 +78534,12 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
+  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
+    minimumVersion: void 0,
+    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
+  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -78638,11 +78651,21 @@ var featureConfig = {
     minimumVersion: void 0,
     toolsFeature: "pythonDefaultIsToNotExtractStdlib" /* PythonDefaultIsToNotExtractStdlib */
   },
+  ["use_repository_properties" /* UseRepositoryProperties */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
+    minimumVersion: void 0
+  },
   ["qa_telemetry_enabled" /* QaTelemetryEnabled */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
   }
 };
 
@@ -78650,15 +78673,6 @@ var featureConfig = {
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
@@ -78683,12 +78697,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
   rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
   swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
   return path3.join(tempDir, "config");
 }
@@ -78700,40 +78708,23 @@ async function getConfig(tempDir, logger) {
   const configString = fs3.readFileSync(configFile, "utf8");
   logger.debug("Loaded config:");
   logger.debug(configString);
-  return JSON.parse(configString);
+  const config = JSON.parse(configString);
+  if (config.version === void 0) {
+    throw new ConfigurationError(
+      `Loaded configuration file, but it does not contain the expected 'version' field.`
+    );
+  }
+  if (config.version !== getActionVersion()) {
+    throw new ConfigurationError(
+      `Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
+    );
+  }
+  return config;
 }
-function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
-  const augmentedConfig = cloneObject(originalUserInput);
-  if (augmentationProperties.queriesInput) {
-    if (augmentationProperties.queriesInputCombines) {
-      augmentedConfig.queries = (augmentedConfig.queries || []).concat(
-        augmentationProperties.queriesInput
-      );
-    } else {
-      augmentedConfig.queries = augmentationProperties.queriesInput;
-    }
-  }
-  if (augmentedConfig.queries?.length === 0) {
-    delete augmentedConfig.queries;
-  }
-  if (augmentationProperties.packsInput) {
-    if (augmentationProperties.packsInputCombines) {
-      if (Array.isArray(augmentedConfig.packs)) {
-        augmentedConfig.packs = (augmentedConfig.packs || []).concat(
-          augmentationProperties.packsInput
-        );
-      } else if (!augmentedConfig.packs) {
-        augmentedConfig.packs = augmentationProperties.packsInput;
-      } else {
-        const language = Object.keys(augmentedConfig.packs)[0];
-        augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput);
-      }
-    } else {
-      augmentedConfig.packs = augmentationProperties.packsInput;
-    }
-  }
-  if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
-    delete augmentedConfig.packs;
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
+  const augmentedConfig = cloneObject(cliConfig);
+  if (extraQueryExclusions.length === 0) {
+    return augmentedConfig;
   }
   augmentedConfig["query-filters"] = [
     // Ordering matters. If the first filter is an inclusion, it implicitly
@@ -78741,7 +78732,7 @@ function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
     // it implicitly includes all queries that are not excluded. So user
     // filters (if any) should always be first to preserve intent.
     ...augmentedConfig["query-filters"] || [],
-    ...augmentationProperties.extraQueryExclusions
+    ...extraQueryExclusions
   ];
   if (augmentedConfig["query-filters"]?.length === 0) {
     delete augmentedConfig["query-filters"];
@@ -78869,7 +78860,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         await this.getVersion(),
         "forceOverwrite" /* ForceOverwrite */
       ) ? "--force-overwrite" : "--overwrite";
-      const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+      const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === "overlay" /* Overlay */) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -78980,13 +78971,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         );
       }
     },
-    async betterResolveLanguages() {
+    async betterResolveLanguages({
+      filterToLanguagesWithQueries
+    } = { filterToLanguagesWithQueries: false }) {
       const codeqlArgs = [
         "resolve",
         "languages",
         "--format=betterjson",
         "--extractor-options-verbosity=4",
         "--extractor-include-aliases",
+        ...filterToLanguagesWithQueries ? ["--filter-to-languages-with-queries"] : [],
         ...getExtraOptionsFromEnv(["resolve", "languages"])
       ];
       const output = await runCli(cmd, codeqlArgs);
@@ -79025,7 +79019,6 @@ ${output}`
         "run-queries",
         ...flags,
         databasePath,
-        "--intra-layer-parallelism",
         "--min-disk-free=1024",
         // Try to leave at least 1GB free
         "-v",
@@ -79283,9 +79276,9 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
-    config.originalUserInput,
-    config.augmentationProperties
+  const augmentedConfig = appendExtraQueryExclusions(
+    config.extraQueryExclusions,
+    config.computedConfig
   );
   logger.info(
     `Writing augmented user configuration file to ${codeScanningConfigFile}`

lib/start-proxy-action-post.js

@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.4",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -26447,7 +26447,7 @@ var require_package = __commonJS({
         lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
         "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
         "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
         "test-debug": "npm run test -- --timeout=20m",
         transpile: "tsc --build --verbose"
       },
@@ -26486,29 +26486,27 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.36.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
@@ -26538,7 +26536,8 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
       }
     };
   }
@@ -31823,14 +31822,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -31841,7 +31840,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -76347,7 +76346,7 @@ var require_brace_expansion2 = __commonJS({
         var isSequence = isNumericSequence || isAlphaSequence;
         var isOptions = m.body.indexOf(",") >= 0;
         if (!isSequence && !isOptions) {
-          if (m.post.match(/,.*\}/)) {
+          if (m.post.match(/,(?!,).*\}/)) {
             str2 = m.pre + "{" + m.body + escClose + m.post;
             return expand(str2);
           }
@@ -93457,7 +93456,7 @@ var require_commonjs16 = __commonJS({
     var TYPEMASK = 1023;
     var entToType = (s) => s.isFile() ? IFREG : s.isDirectory() ? IFDIR : s.isSymbolicLink() ? IFLNK : s.isCharacterDevice() ? IFCHR : s.isBlockDevice() ? IFBLK : s.isSocket() ? IFSOCK : s.isFIFO() ? IFIFO : UNKNOWN;
     var normalizeCache = /* @__PURE__ */ new Map();
-    var normalize2 = (s) => {
+    var normalize = (s) => {
       const c = normalizeCache.get(s);
       if (c)
         return c;
@@ -93470,7 +93469,7 @@ var require_commonjs16 = __commonJS({
       const c = normalizeNocaseCache.get(s);
       if (c)
         return c;
-      const n = normalize2(s.toLowerCase());
+      const n = normalize(s.toLowerCase());
       normalizeNocaseCache.set(s, n);
       return n;
     };
@@ -93639,7 +93638,7 @@ var require_commonjs16 = __commonJS({
        */
       constructor(name, type2 = UNKNOWN, root, roots, nocase, children, opts) {
         this.name = name;
-        this.#matchName = nocase ? normalizeNocase(name) : normalize2(name);
+        this.#matchName = nocase ? normalizeNocase(name) : normalize(name);
         this.#type = type2 & TYPEMASK;
         this.nocase = nocase;
         this.roots = roots;
@@ -93732,7 +93731,7 @@ var require_commonjs16 = __commonJS({
           return this.parent || this;
         }
         const children = this.children();
-        const name = this.nocase ? normalizeNocase(pathPart) : normalize2(pathPart);
+        const name = this.nocase ? normalizeNocase(pathPart) : normalize(pathPart);
         for (const p of children) {
           if (p.#matchName === name) {
             return p;
@@ -93977,7 +93976,7 @@ var require_commonjs16 = __commonJS({
        * directly.
        */
       isNamed(n) {
-        return !this.nocase ? this.#matchName === normalize2(n) : this.#matchName === normalizeNocase(n);
+        return !this.nocase ? this.#matchName === normalize(n) : this.#matchName === normalizeNocase(n);
       }
       /**
        * Return the Path object corresponding to the target of a symbolic link.
@@ -94116,7 +94115,7 @@ var require_commonjs16 = __commonJS({
       #readdirMaybePromoteChild(e, c) {
         for (let p = c.provisional; p < c.length; p++) {
           const pchild = c[p];
-          const name = this.nocase ? normalizeNocase(e.name) : normalize2(e.name);
+          const name = this.nocase ? normalizeNocase(e.name) : normalize(e.name);
           if (name !== pchild.#matchName) {
             continue;
           }
@@ -101572,7 +101571,7 @@ var require_dist_node16 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -101580,7 +101579,7 @@ var require_dist_node16 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -101590,12 +101589,12 @@ var require_dist_node16 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(encodeValue(operator, value2, isKeyOperator(operator) ? key : ""));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -101603,12 +101602,12 @@ var require_dist_node16 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -101623,7 +101622,7 @@ var require_dist_node16 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -101947,7 +101946,7 @@ var require_tr46 = __commonJS({
       TRANSITIONAL: 0,
       NONTRANSITIONAL: 1
     };
-    function normalize2(str2) {
+    function normalize(str2) {
       return str2.split("\0").map(function(s) {
         return s.normalize("NFC");
       }).join("\0");
@@ -102027,7 +102026,7 @@ var require_tr46 = __commonJS({
         processing_option = PROCESSING_OPTIONS.NONTRANSITIONAL;
       }
       var error2 = false;
-      if (normalize2(label) !== label || label[3] === "-" && label[4] === "-" || label[0] === "-" || label[label.length - 1] === "-" || label.indexOf(".") !== -1 || label.search(combiningMarksRegex) === 0) {
+      if (normalize(label) !== label || label[3] === "-" && label[4] === "-" || label[0] === "-" || label[label.length - 1] === "-" || label.indexOf(".") !== -1 || label.search(combiningMarksRegex) === 0) {
         error2 = true;
       }
       var len = countSymbols(label);
@@ -102045,7 +102044,7 @@ var require_tr46 = __commonJS({
     }
     function processing(domain_name, useSTD3, processing_option) {
       var result = mapChars(domain_name, useSTD3, processing_option);
-      result.string = normalize2(result.string);
+      result.string = normalize(result.string);
       var labels = result.string.split(".");
       for (var i = 0; i < labels.length; ++i) {
         try {
@@ -117128,7 +117127,6 @@ async function getGitHubVersion() {
 // src/config-utils.ts
 var fs = __toESM(require("fs"));
 var path = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());
 
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -117141,8 +117139,17 @@ var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
 // src/caching-utils.ts
 var core6 = __toESM(require_core());
 
+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/feature-flags.ts
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/overlay-database-utils.ts
 var actionsCache = __toESM(require_cache3());
@@ -117159,12 +117166,12 @@ function getActionsLogger() {
 }
 
 // src/overlay-database-utils.ts
-var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
+var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 
 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 
 // src/feature-flags.ts
 var featureConfig = {
@@ -117207,6 +117214,12 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
+  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
+    minimumVersion: void 0,
+    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
+  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -117318,11 +117331,21 @@ var featureConfig = {
     minimumVersion: void 0,
     toolsFeature: "pythonDefaultIsToNotExtractStdlib" /* PythonDefaultIsToNotExtractStdlib */
   },
+  ["use_repository_properties" /* UseRepositoryProperties */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
+    minimumVersion: void 0
+  },
   ["qa_telemetry_enabled" /* QaTelemetryEnabled */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
   }
 };
 
@@ -117330,15 +117353,6 @@ var featureConfig = {
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
@@ -117363,12 +117377,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
   rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
   swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
   return path.join(tempDir, "config");
 }
@@ -117380,7 +117388,18 @@ async function getConfig(tempDir, logger) {
   const configString = fs.readFileSync(configFile, "utf8");
   logger.debug("Loaded config:");
   logger.debug(configString);
-  return JSON.parse(configString);
+  const config = JSON.parse(configString);
+  if (config.version === void 0) {
+    throw new ConfigurationError(
+      `Loaded configuration file, but it does not contain the expected 'version' field.`
+    );
+  }
+  if (config.version !== getActionVersion()) {
+    throw new ConfigurationError(
+      `Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
+    );
+  }
+  return config;
 }
 
 // src/debug-artifacts.ts

lib/upload-lib.js

@@ -21585,7 +21585,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21593,7 +21593,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21605,14 +21605,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21620,12 +21620,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21640,7 +21640,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -22325,7 +22325,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -22333,7 +22333,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -22345,14 +22345,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -22360,12 +22360,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -22380,7 +22380,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -29019,7 +29019,7 @@ var require_pattern = __commonJS({
       const absolute = [];
       const relative2 = [];
       for (const pattern of patterns) {
-        if (isAbsolute3(pattern)) {
+        if (isAbsolute2(pattern)) {
           absolute.push(pattern);
         } else {
           relative2.push(pattern);
@@ -29028,10 +29028,10 @@ var require_pattern = __commonJS({
       return [absolute, relative2];
     }
     exports2.partitionAbsoluteAndRelative = partitionAbsoluteAndRelative;
-    function isAbsolute3(pattern) {
+    function isAbsolute2(pattern) {
       return path15.isAbsolute(pattern);
     }
-    exports2.isAbsolute = isAbsolute3;
+    exports2.isAbsolute = isAbsolute2;
   }
 });
 
@@ -33584,7 +33584,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.4",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -33593,7 +33593,7 @@ var require_package = __commonJS({
         lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
         "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
         "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
         "test-debug": "npm run test -- --timeout=20m",
         transpile: "tsc --build --verbose"
       },
@@ -33632,29 +33632,27 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.36.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
@@ -33684,7 +33682,8 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
       }
     };
   }
@@ -38969,14 +38968,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -38987,7 +38986,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -84780,10 +84779,7 @@ var require_sarif_schema_2_1_0 = __commonJS({
 // src/upload-lib.ts
 var upload_lib_exports = {};
 __export(upload_lib_exports, {
-  CodeQualityTarget: () => CodeQualityTarget,
-  CodeScanningTarget: () => CodeScanningTarget,
   InvalidSarifUploadError: () => InvalidSarifUploadError,
-  SARIF_UPLOAD_ENDPOINT: () => SARIF_UPLOAD_ENDPOINT,
   buildPayload: () => buildPayload,
   findSarifFilesInDir: () => findSarifFilesInDir,
   getSarifFilePaths: () => getSarifFilePaths,
@@ -88877,7 +88873,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs7 = __toESM(require("fs"));
 var path9 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());
 
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -88890,16 +88885,25 @@ var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
 // src/caching-utils.ts
 var core6 = __toESM(require_core());
 
+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/diff-informed-analysis-utils.ts
 var fs6 = __toESM(require("fs"));
 var path8 = __toESM(require("path"));
 
 // src/feature-flags.ts
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.22.4";
-var cliVersion = "2.22.4";
+var bundleVersion = "codeql-bundle-v2.23.1";
+var cliVersion = "2.23.1";
 
 // src/overlay-database-utils.ts
 var fs5 = __toESM(require("fs"));
@@ -89118,8 +89122,8 @@ function formatDuration(durationMs) {
 }
 
 // src/overlay-database-utils.ts
-var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
+var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
   const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -89179,7 +89183,7 @@ function computeChangedFiles(baseFileOids, overlayFileOids) {
 }
 
 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
@@ -89226,6 +89230,12 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
+  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
+    minimumVersion: void 0,
+    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
+  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -89337,11 +89347,21 @@ var featureConfig = {
     minimumVersion: void 0,
     toolsFeature: "pythonDefaultIsToNotExtractStdlib" /* PythonDefaultIsToNotExtractStdlib */
   },
+  ["use_repository_properties" /* UseRepositoryProperties */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
+    minimumVersion: void 0
+  },
   ["qa_telemetry_enabled" /* QaTelemetryEnabled */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
   }
 };
 
@@ -89367,15 +89387,6 @@ ${jsonContents}`
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
@@ -89400,12 +89411,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
   rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
   swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 function getPathToParsedConfigFile(tempDir) {
   return path9.join(tempDir, "config");
 }
@@ -89417,40 +89422,23 @@ async function getConfig(tempDir, logger) {
   const configString = fs7.readFileSync(configFile, "utf8");
   logger.debug("Loaded config:");
   logger.debug(configString);
-  return JSON.parse(configString);
+  const config = JSON.parse(configString);
+  if (config.version === void 0) {
+    throw new ConfigurationError(
+      `Loaded configuration file, but it does not contain the expected 'version' field.`
+    );
+  }
+  if (config.version !== getActionVersion()) {
+    throw new ConfigurationError(
+      `Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
+    );
+  }
+  return config;
 }
-function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
-  const augmentedConfig = cloneObject(originalUserInput);
-  if (augmentationProperties.queriesInput) {
-    if (augmentationProperties.queriesInputCombines) {
-      augmentedConfig.queries = (augmentedConfig.queries || []).concat(
-        augmentationProperties.queriesInput
-      );
-    } else {
-      augmentedConfig.queries = augmentationProperties.queriesInput;
-    }
-  }
-  if (augmentedConfig.queries?.length === 0) {
-    delete augmentedConfig.queries;
-  }
-  if (augmentationProperties.packsInput) {
-    if (augmentationProperties.packsInputCombines) {
-      if (Array.isArray(augmentedConfig.packs)) {
-        augmentedConfig.packs = (augmentedConfig.packs || []).concat(
-          augmentationProperties.packsInput
-        );
-      } else if (!augmentedConfig.packs) {
-        augmentedConfig.packs = augmentationProperties.packsInput;
-      } else {
-        const language = Object.keys(augmentedConfig.packs)[0];
-        augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput);
-      }
-    } else {
-      augmentedConfig.packs = augmentationProperties.packsInput;
-    }
-  }
-  if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
-    delete augmentedConfig.packs;
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
+  const augmentedConfig = cloneObject(cliConfig);
+  if (extraQueryExclusions.length === 0) {
+    return augmentedConfig;
   }
   augmentedConfig["query-filters"] = [
     // Ordering matters. If the first filter is an inclusion, it implicitly
@@ -89458,7 +89446,7 @@ function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
     // it implicitly includes all queries that are not excluded. So user
     // filters (if any) should always be first to preserve intent.
     ...augmentedConfig["query-filters"] || [],
-    ...augmentationProperties.extraQueryExclusions
+    ...extraQueryExclusions
   ];
   if (augmentedConfig["query-filters"]?.length === 0) {
     delete augmentedConfig["query-filters"];
@@ -89473,7 +89461,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist/esm/stringify.js
+// node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -89482,27 +89470,24 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist/esm/rng.js
-var import_crypto = require("crypto");
+// node_modules/uuid/dist-node/rng.js
+var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
 function rng() {
   if (poolPtr > rnds8Pool.length - 16) {
-    (0, import_crypto.randomFillSync)(rnds8Pool);
+    (0, import_node_crypto.randomFillSync)(rnds8Pool);
     poolPtr = 0;
   }
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist/esm/native.js
-var import_crypto2 = require("crypto");
-var native_default = { randomUUID: import_crypto2.randomUUID };
+// node_modules/uuid/dist-node/native.js
+var import_node_crypto2 = require("node:crypto");
+var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist/esm/v4.js
-function v4(options, buf, offset) {
-  if (native_default.randomUUID && !buf && !options) {
-    return native_default.randomUUID();
-  }
+// node_modules/uuid/dist-node/v4.js
+function _v4(options, buf, offset) {
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();
   if (rnds.length < 16) {
@@ -89522,6 +89507,12 @@ function v4(options, buf, offset) {
   }
   return unsafeStringify(rnds);
 }
+function v4(options, buf, offset) {
+  if (native_default.randomUUID && !buf && !options) {
+    return native_default.randomUUID();
+  }
+  return _v4(options, buf, offset);
+}
 var v4_default = v4;
 
 // src/tar.ts
@@ -89838,7 +89829,10 @@ function sanitizeUrlForStatusReport(url2) {
 
 // src/setup-codeql.ts
 var CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
+var CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing";
+var CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";
 var CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
+var CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"];
 function getCodeQLBundleExtension(compressionMethod) {
   switch (compressionMethod) {
     case "gzip":
@@ -89981,7 +89975,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
   return void 0;
 }
 async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, logger) {
-  if (toolsInput && !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) && !toolsInput.startsWith("http")) {
+  if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) {
     logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
     const compressionMethod2 = inferCompressionMethod(toolsInput);
     if (compressionMethod2 === void 0) {
@@ -90010,6 +90004,12 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
   let cliVersion2;
   let tagName;
   let url2;
+  if (toolsInput !== void 0 && CODEQL_NIGHTLY_TOOLS_INPUTS.includes(toolsInput)) {
+    logger.info(
+      `Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.`
+    );
+    toolsInput = await getNightlyToolsUrl(logger);
+  }
   if (forceShippedTools) {
     cliVersion2 = cliVersion;
     tagName = bundleVersion;
@@ -90293,6 +90293,34 @@ async function useZstdBundle(cliVersion2, tarSupportsZstd) {
 function getTempExtractionDir(tempDir) {
   return path11.join(tempDir, v4_default());
 }
+async function getNightlyToolsUrl(logger) {
+  const zstdAvailability = await isZstdAvailable(logger);
+  const compressionMethod = await useZstdBundle(
+    CODEQL_VERSION_ZSTD_BUNDLE,
+    zstdAvailability.available
+  ) ? "zstd" : "gzip";
+  try {
+    const release = await getApiClient().rest.repos.listReleases({
+      owner: CODEQL_NIGHTLIES_REPOSITORY_OWNER,
+      repo: CODEQL_NIGHTLIES_REPOSITORY_NAME,
+      per_page: 1,
+      page: 1,
+      prerelease: true
+    });
+    const latestRelease = release.data[0];
+    if (!latestRelease) {
+      throw new Error("Could not find the latest nightly release.");
+    }
+    return `https://github.com/${CODEQL_NIGHTLIES_REPOSITORY_OWNER}/${CODEQL_NIGHTLIES_REPOSITORY_NAME}/releases/download/${latestRelease.tag_name}/${getCodeQLBundleName(compressionMethod)}`;
+  } catch (e) {
+    throw new Error(
+      `Failed to retrieve the latest nightly release: ${wrapError(e)}`
+    );
+  }
+}
+function isReservedToolsValue(tools) {
+  return CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) || CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools);
+}
 
 // src/tracer-config.ts
 async function shouldEnableIndirectTracing(codeql, config) {
@@ -90435,7 +90463,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         await this.getVersion(),
         "forceOverwrite" /* ForceOverwrite */
       ) ? "--force-overwrite" : "--overwrite";
-      const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+      const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === "overlay" /* Overlay */) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -90546,13 +90574,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         );
       }
     },
-    async betterResolveLanguages() {
+    async betterResolveLanguages({
+      filterToLanguagesWithQueries
+    } = { filterToLanguagesWithQueries: false }) {
       const codeqlArgs = [
         "resolve",
         "languages",
         "--format=betterjson",
         "--extractor-options-verbosity=4",
         "--extractor-include-aliases",
+        ...filterToLanguagesWithQueries ? ["--filter-to-languages-with-queries"] : [],
         ...getExtraOptionsFromEnv(["resolve", "languages"])
       ];
       const output = await runCli(cmd, codeqlArgs);
@@ -90591,7 +90622,6 @@ ${output}`
         "run-queries",
         ...flags,
         databasePath,
-        "--intra-layer-parallelism",
         "--min-disk-free=1024",
         // Try to leave at least 1GB free
         "-v",
@@ -90849,9 +90879,9 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
-    config.originalUserInput,
-    config.augmentationProperties
+  const augmentedConfig = appendExtraQueryExclusions(
+    config.extraQueryExclusions,
+    config.computedConfig
   );
   logger.info(
     `Writing augmented user configuration file to ${codeScanningConfigFile}`
@@ -92219,7 +92249,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
   return JSON.parse(fs13.readFileSync(outputFile, "utf8"));
 }
 function populateRunAutomationDetails(sarif, category, analysis_key, environment) {
-  const automationID = getAutomationID(category, analysis_key, environment);
+  const automationID = getAutomationID2(category, analysis_key, environment);
   if (automationID !== void 0) {
     for (const run of sarif.runs || []) {
       if (run.automationDetails === void 0) {
@@ -92232,7 +92262,7 @@ function populateRunAutomationDetails(sarif, category, analysis_key, environment
   }
   return sarif;
 }
-function getAutomationID(category, analysis_key, environment) {
+function getAutomationID2(category, analysis_key, environment) {
   if (category !== void 0) {
     let automationID = category;
     if (!automationID.endsWith("/")) {
@@ -92242,11 +92272,6 @@ function getAutomationID(category, analysis_key, environment) {
   }
   return computeAutomationID(analysis_key, environment);
 }
-var SARIF_UPLOAD_ENDPOINT = /* @__PURE__ */ ((SARIF_UPLOAD_ENDPOINT2) => {
-  SARIF_UPLOAD_ENDPOINT2["CODE_SCANNING"] = "PUT /repos/:owner/:repo/code-scanning/analysis";
-  SARIF_UPLOAD_ENDPOINT2["CODE_QUALITY"] = "PUT /repos/:owner/:repo/code-quality/analysis";
-  return SARIF_UPLOAD_ENDPOINT2;
-})(SARIF_UPLOAD_ENDPOINT || {});
 async function uploadPayload(payload, repositoryNwo, logger, target) {
   logger.info("Uploading results");
   if (isInTestMode()) {
@@ -92415,18 +92440,6 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
   }
   return payloadObj;
 }
-var CodeScanningTarget = {
-  name: "code scanning",
-  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
-  sarifPredicate: (name) => name.endsWith(".sarif") && !CodeQualityTarget.sarifPredicate(name),
-  sentinelPrefix: "CODEQL_UPLOAD_SARIF_"
-};
-var CodeQualityTarget = {
-  name: "code quality",
-  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
-  sarifPredicate: (name) => name.endsWith(".quality.sarif"),
-  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_"
-};
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
   const sarifPaths = getSarifFilePaths(
     inputSarifPath,
@@ -92441,7 +92454,7 @@ async function uploadFiles(inputSarifPath, checkoutPath, category, features, log
     uploadTarget
   );
 }
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget = CodeScanningTarget) {
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
   logger.startGroup(`Uploading ${uploadTarget.name} results`);
   logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
   const gitHubVersion = await getGitHubVersion();
@@ -92478,6 +92491,10 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
   validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
   logger.debug(`Serializing SARIF for upload`);
   const sarifPayload = JSON.stringify(sarif);
+  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
+  if (dumpDir) {
+    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+  }
   logger.debug(`Compressing serialized SARIF`);
   const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
   const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -92516,6 +92533,21 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
     sarifID
   };
 }
+function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
+  if (!fs13.existsSync(outputDir)) {
+    fs13.mkdirSync(outputDir, { recursive: true });
+  } else if (!fs13.lstatSync(outputDir).isDirectory()) {
+    throw new ConfigurationError(
+      `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
+    );
+  }
+  const outputFile = path14.resolve(
+    outputDir,
+    `upload${uploadTarget.sarifExtension}`
+  );
+  logger.info(`Dumping processed SARIF file to ${outputFile}`);
+  fs13.writeFileSync(outputFile, sarifPayload);
+}
 var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
 var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3;
 async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
@@ -92612,7 +92644,7 @@ function handleProcessingResultForUnsuccessfulExecution(response, status, logger
     assertNever(status);
   }
 }
-function validateUniqueCategory(sarif, sentinelPrefix = CodeScanningTarget.sentinelPrefix) {
+function validateUniqueCategory(sarif, sentinelPrefix) {
   const categories = {};
   for (const run of sarif.runs) {
     const id = run?.automationDetails?.id;
@@ -92669,10 +92701,7 @@ function filterAlertsByDiffRange(logger, sarif) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  CodeQualityTarget,
-  CodeScanningTarget,
   InvalidSarifUploadError,
-  SARIF_UPLOAD_ENDPOINT,
   buildPayload,
   findSarifFilesInDir,
   getSarifFilePaths,

lib/upload-sarif-action-post.js

@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.4",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -26447,7 +26447,7 @@ var require_package = __commonJS({
         lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
         "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
         "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/**.test.ts --serial --verbose",
+        test: "npm run transpile && ava src/ --serial --verbose",
         "test-debug": "npm run test -- --timeout=20m",
         transpile: "tsc --build --verbose"
       },
@@ -26486,29 +26486,27 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^13.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.36.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
-        "@octokit/types": "^14.1.0",
+        "@octokit/types": "^15.0.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
+        "@typescript-eslint/eslint-plugin": "^8.44.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.9",
+        esbuild: "^0.25.10",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
@@ -26538,7 +26536,8 @@ var require_package = __commonJS({
         },
         "eslint-plugin-jsx-a11y": {
           semver: ">=6.3.1"
-        }
+        },
+        "brace-expansion@2.0.1": "2.0.2"
       }
     };
   }
@@ -35660,14 +35659,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -35678,7 +35677,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -70469,7 +70468,7 @@ var require_brace_expansion = __commonJS({
         var isSequence = isNumericSequence || isAlphaSequence;
         var isOptions = m.body.indexOf(",") >= 0;
         if (!isSequence && !isOptions) {
-          if (m.post.match(/,.*\}/)) {
+          if (m.post.match(/,(?!,).*\}/)) {
             str2 = m.pre + "{" + m.body + escClose + m.post;
             return expand(str2);
           }
@@ -95694,7 +95693,7 @@ var require_dist_node16 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -95702,7 +95701,7 @@ var require_dist_node16 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -95712,12 +95711,12 @@ var require_dist_node16 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(encodeValue(operator, value2, isKeyOperator(operator) ? key : ""));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -95725,12 +95724,12 @@ var require_dist_node16 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -95745,7 +95744,7 @@ var require_dist_node16 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -117288,14 +117287,20 @@ var cliErrorsConfig = {
   }
 };
 
-// src/config-utils.ts
-var semver4 = __toESM(require_semver2());
-
 // src/caching-utils.ts
 var core6 = __toESM(require_core());
 
+// src/config/db-config.ts
+var semver2 = __toESM(require_semver2());
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
 // src/feature-flags.ts
-var semver3 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/overlay-database-utils.ts
 var actionsCache = __toESM(require_cache3());
@@ -117320,15 +117325,15 @@ function withGroup(groupName, f) {
 }
 
 // src/overlay-database-utils.ts
-var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
+var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 
 // src/tools-features.ts
-var semver2 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver2.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }
 
 // src/feature-flags.ts
@@ -117372,6 +117377,12 @@ var featureConfig = {
     legacyApi: true,
     minimumVersion: void 0
   },
+  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
+    minimumVersion: void 0,
+    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
+  },
   ["overlay_analysis" /* OverlayAnalysis */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -117483,11 +117494,21 @@ var featureConfig = {
     minimumVersion: void 0,
     toolsFeature: "pythonDefaultIsToNotExtractStdlib" /* PythonDefaultIsToNotExtractStdlib */
   },
+  ["use_repository_properties" /* UseRepositoryProperties */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
+    minimumVersion: void 0
+  },
   ["qa_telemetry_enabled" /* QaTelemetryEnabled */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: void 0
+  },
+  ["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0"
   }
 };
 
@@ -117495,15 +117516,6 @@ var featureConfig = {
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
@@ -117528,12 +117540,6 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
   rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
   swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
 
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.30.1",
+  "version": "3.30.5",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -9,7 +9,7 @@
     "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
     "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
     "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-    "test": "npm run transpile && ava src/**.test.ts --serial --verbose",
+    "test": "npm run transpile && ava src/ --serial --verbose",
     "test-debug": "npm run test -- --timeout=20m",
     "transpile": "tsc --build --verbose"
   },
@@ -48,29 +48,27 @@
     "node-forge": "^1.3.1",
     "octokit": "^5.0.3",
     "semver": "^7.7.2",
-    "uuid": "^11.1.0"
+    "uuid": "^13.0.0"
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",
     "@eslint/compat": "^1.3.2",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.34.0",
+    "@eslint/js": "^9.36.0",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
-    "@octokit/types": "^14.1.0",
+    "@octokit/types": "^15.0.0",
     "@types/archiver": "^6.0.3",
     "@types/console-log-level": "^1.4.5",
     "@types/follow-redirects": "^1.14.4",
-    "@types/get-folder-size": "^3.0.4",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "20.19.9",
     "@types/node-forge": "^1.3.14",
-    "@types/semver": "^7.7.0",
+    "@types/semver": "^7.7.1",
     "@types/sinon": "^17.0.4",
-    "@types/uuid": "^10.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.41.0",
+    "@typescript-eslint/eslint-plugin": "^8.44.0",
     "@typescript-eslint/parser": "^8.41.0",
     "ava": "^6.4.1",
-    "esbuild": "^0.25.9",
+    "esbuild": "^0.25.10",
     "eslint": "^8.57.1",
     "eslint-import-resolver-typescript": "^3.8.7",
     "eslint-plugin-filenames": "^1.3.2",
@@ -100,6 +98,7 @@
     },
     "eslint-plugin-jsx-a11y": {
       "semver": ">=6.3.1"
-    }
+    },
+    "brace-expansion@2.0.1": "2.0.2"
   }
 }

pr-checks/.gitignore

@@ -1 +1,3 @@
 env
+__pycache__/
+*.pyc

pr-checks/checks/all-platform-bundle.yml

@@ -12,6 +12,5 @@ steps:
       languages: cpp,csharp,go,java,javascript,python,ruby
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Build code
-    shell: bash
     run: ./build.sh
   - uses: ./../action/analyze