Merge pull request #3090 from github/update-v3.30.2-d7a501da0

Merge main into releases/v3

.github/workflows/__quality-queries.yml

@@ -32,16 +32,58 @@ jobs:
         include:
           - os: ubuntu-latest
             version: linked
+            analysis-kinds: code-scanning
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: code-quality
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: code-scanning,code-quality
           - os: macos-latest
             version: linked
+            analysis-kinds: code-scanning
+          - os: macos-latest
+            version: linked
+            analysis-kinds: code-quality
+          - os: macos-latest
+            version: linked
+            analysis-kinds: code-scanning,code-quality
           - os: windows-latest
             version: linked
+            analysis-kinds: code-scanning
+          - os: windows-latest
+            version: linked
+            analysis-kinds: code-quality
+          - os: windows-latest
+            version: linked
+            analysis-kinds: code-scanning,code-quality
           - os: ubuntu-latest
             version: nightly-latest
+            analysis-kinds: code-scanning
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: code-quality
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: code-scanning,code-quality
           - os: macos-latest
             version: nightly-latest
+            analysis-kinds: code-scanning
+          - os: macos-latest
+            version: nightly-latest
+            analysis-kinds: code-quality
+          - os: macos-latest
+            version: nightly-latest
+            analysis-kinds: code-scanning,code-quality
           - os: windows-latest
             version: nightly-latest
+            analysis-kinds: code-scanning
+          - os: windows-latest
+            version: nightly-latest
+            analysis-kinds: code-quality
+          - os: windows-latest
+            version: nightly-latest
+            analysis-kinds: code-scanning,code-quality
     name: Quality queries input
     permissions:
       contents: read
@@ -61,25 +103,30 @@ jobs:
       - uses: ./../action/init
         with:
           languages: javascript
-          quality-queries: code-quality
+          analysis-kinds: ${{ matrix.analysis-kinds }}
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/analyze
         with:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload security SARIF
+        if: contains(matrix.analysis-kinds, 'code-scanning')
         uses: actions/upload-artifact@v4
         with:
-          name: quality-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+          name: |
+            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif
           retention-days: 7
       - name: Upload quality SARIF
+        if: contains(matrix.analysis-kinds, 'code-quality')
         uses: actions/upload-artifact@v4
         with:
-          name: quality-queries-${{ matrix.os }}-${{ matrix.version }}.quality.sarif.json
+          name: |
+            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
           path: ${{ runner.temp }}/results/javascript.quality.sarif
           retention-days: 7
       - name: Check quality query does not appear in security SARIF
+        if: contains(matrix.analysis-kinds, 'code-scanning')
         uses: actions/github-script@v7
         env:
           SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
@@ -87,6 +134,7 @@ jobs:
         with:
           script: ${{ env.CHECK_SCRIPT }}
       - name: Check quality query appears in quality SARIF
+        if: contains(matrix.analysis-kinds, 'code-quality')
         uses: actions/github-script@v7
         env:
           SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif

.github/workflows/__upload-quality-sarif.yml

@@ -73,7 +73,7 @@ jobs:
           languages: cpp,csharp,java,javascript,python
           config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
             github.sha }}
-          quality-queries: code-quality
+          analysis-kinds: code-scanning,code-quality
       - name: Build code
         shell: bash
         run: ./build.sh

.github/workflows/script/update-required-checks.sh

@@ -1,6 +1,5 @@
 #!/usr/bin/env bash
 # Update the required checks based on the current branch.
-# Typically, this will be main.
 
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 REPO_DIR="$(dirname "$SCRIPT_DIR")"

CHANGELOG.md

@@ -2,13 +2,18 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## [UNRELEASED]
+## 3.30.2 - 09 Sep 2025
 
-No user facing changes.
+- Fixed a bug which could cause language autodetection to fail. [#3084](https://github.com/github/codeql-action/pull/3084)
+- Experimental: The `quality-queries` input that was added in `3.29.2` as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new `analysis-kinds` input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. [#3064](https://github.com/github/codeql-action/pull/3064)
+
+## 3.30.1 - 05 Sep 2025
+
+- Update default CodeQL bundle version to 2.23.0. [#3077](https://github.com/github/codeql-action/pull/3077)
 
 ## 3.30.0 - 01 Sep 2025
 
-No user facing changes.
+- Reduce the size of the CodeQL Action, speeding up workflows by approximately 4 seconds. [#3054](https://github.com/github/codeql-action/pull/3054)
 
 ## 3.29.11 - 21 Aug 2025
 

CONTRIBUTING.md

@@ -68,11 +68,12 @@ Once the mergeback and backport pull request have been merged, the release is co
 
 ## Keeping the PR checks up to date (admin access required)
 
-Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred jobs that need to pass in order for a PR to turn green. You can regenerate the checks automatically by running the [update-required-checks.sh](.github/workflows/script/update-required-checks.sh) script:
+Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [update-required-checks.sh](.github/workflows/script/update-required-checks.sh) script:
 
-1. By default, this script retrieves the checks from the latest SHA on `main`, so make sure that your `main` branch is up to date.
+- If you run the script without an argument, it will retrieve the set of workflows that ran for the latest commit on `main`. Make sure that your local `main` branch is up to date before running the script.
-2. Run the script. If there's a reason to, you can pass in a different SHA as a CLI argument.
+- You can specify a commit SHA as argument to retrieve the set of workflows for that commit instead. You will likely want to use this if you have a PR that removes or adds PR checks.
-3. After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v3`, and any other currently supported major versions have been updated.
+
+After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v3`, and any other currently supported major versions have been updated.
 
 Note that any updates to checks on `main` need to be backported to all currently supported major version branches, in order to maintain the same set of names for required checks.
 

lib/analyze-action-post.js

@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.2",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -26486,26 +26486,24 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.35.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^14.1.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
+        "@typescript-eslint/eslint-plugin": "^8.43.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.25.9",
@@ -31823,14 +31821,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -31841,7 +31839,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -102912,7 +102910,7 @@ var require_dist_node16 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -102920,7 +102918,7 @@ var require_dist_node16 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -102930,12 +102928,12 @@ var require_dist_node16 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(encodeValue(operator, value2, isKeyOperator(operator) ? key : ""));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -102943,12 +102941,12 @@ var require_dist_node16 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -102963,7 +102961,7 @@ var require_dist_node16 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -117921,15 +117919,6 @@ var featureConfig = {
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
@@ -117973,38 +117962,10 @@ async function getConfig(tempDir, logger) {
   logger.debug(configString);
   return JSON.parse(configString);
 }
-function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
-  const augmentedConfig = cloneObject(originalUserInput);
+  const augmentedConfig = cloneObject(cliConfig);
-  if (augmentationProperties.queriesInput) {
+  if (extraQueryExclusions.length === 0) {
-    if (augmentationProperties.queriesInputCombines) {
+    return augmentedConfig;
-      augmentedConfig.queries = (augmentedConfig.queries || []).concat(
-        augmentationProperties.queriesInput
-      );
-    } else {
-      augmentedConfig.queries = augmentationProperties.queriesInput;
-    }
-  }
-  if (augmentedConfig.queries?.length === 0) {
-    delete augmentedConfig.queries;
-  }
-  if (augmentationProperties.packsInput) {
-    if (augmentationProperties.packsInputCombines) {
-      if (Array.isArray(augmentedConfig.packs)) {
-        augmentedConfig.packs = (augmentedConfig.packs || []).concat(
-          augmentationProperties.packsInput
-        );
-      } else if (!augmentedConfig.packs) {
-        augmentedConfig.packs = augmentationProperties.packsInput;
-      } else {
-        const language = Object.keys(augmentedConfig.packs)[0];
-        augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput);
-      }
-    } else {
-      augmentedConfig.packs = augmentationProperties.packsInput;
-    }
-  }
-  if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
-    delete augmentedConfig.packs;
   }
   augmentedConfig["query-filters"] = [
     // Ordering matters. If the first filter is an inclusion, it implicitly
@@ -118012,7 +117973,7 @@ function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
     // it implicitly includes all queries that are not excluded. So user
     // filters (if any) should always be first to preserve intent.
     ...augmentedConfig["query-filters"] || [],
-    ...augmentationProperties.extraQueryExclusions
+    ...extraQueryExclusions
   ];
   if (augmentedConfig["query-filters"]?.length === 0) {
     delete augmentedConfig["query-filters"];
@@ -118134,7 +118095,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         await this.getVersion(),
         "forceOverwrite" /* ForceOverwrite */
       ) ? "--force-overwrite" : "--overwrite";
-      const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+      const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === "overlay" /* Overlay */) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -118548,9 +118509,9 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
+  const augmentedConfig = appendExtraQueryExclusions(
-    config.originalUserInput,
+    config.extraQueryExclusions,
-    config.augmentationProperties
+    config.computedConfig
   );
   logger.info(
     `Writing augmented user configuration file to ${codeScanningConfigFile}`

lib/analyze-action.js

@@ -184,7 +184,7 @@ var require_file_command = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.prepareKeyValueMessage = exports2.issueFileCommand = void 0;
-    var crypto = __importStar4(require("crypto"));
+    var crypto2 = __importStar4(require("crypto"));
     var fs20 = __importStar4(require("fs"));
     var os5 = __importStar4(require("os"));
     var utils_1 = require_utils();
@@ -202,7 +202,7 @@ var require_file_command = __commonJS({
     }
     exports2.issueFileCommand = issueFileCommand;
     function prepareKeyValueMessage(key, value) {
-      const delimiter = `ghadelimiter_${crypto.randomUUID()}`;
+      const delimiter = `ghadelimiter_${crypto2.randomUUID()}`;
       const convertedValue = (0, utils_1.toCommandValue)(value);
       if (key.includes(delimiter)) {
         throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`);
@@ -3637,11 +3637,11 @@ var require_util2 = __commonJS({
     var assert = require("assert");
     var { isUint8Array } = require("util/types");
     var supportedHashes = [];
-    var crypto;
+    var crypto2;
     try {
-      crypto = require("crypto");
+      crypto2 = require("crypto");
       const possibleRelevantHashes = ["sha256", "sha384", "sha512"];
-      supportedHashes = crypto.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2));
+      supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2));
     } catch {
     }
     function responseURL(response) {
@@ -3918,7 +3918,7 @@ var require_util2 = __commonJS({
       }
     }
     function bytesMatch(bytes, metadataList) {
-      if (crypto === void 0) {
+      if (crypto2 === void 0) {
         return true;
       }
       const parsedMetadata = parseMetadata(metadataList);
@@ -3933,7 +3933,7 @@ var require_util2 = __commonJS({
       for (const item of metadata) {
         const algorithm = item.algo;
         const expectedValue = item.hash;
-        let actualValue = crypto.createHash(algorithm).update(bytes).digest("base64");
+        let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64");
         if (actualValue[actualValue.length - 1] === "=") {
           if (actualValue[actualValue.length - 2] === "=") {
             actualValue = actualValue.slice(0, -2);
@@ -5279,8 +5279,8 @@ var require_body = __commonJS({
     var { parseMIMEType, serializeAMimeType } = require_dataURL();
     var random;
     try {
-      const crypto = require("node:crypto");
+      const crypto2 = require("node:crypto");
-      random = (max) => crypto.randomInt(0, max);
+      random = (max) => crypto2.randomInt(0, max);
     } catch {
       random = (max) => Math.floor(Math.random(max));
     }
@@ -16330,9 +16330,9 @@ var require_connection = __commonJS({
     channels.open = diagnosticsChannel.channel("undici:websocket:open");
     channels.close = diagnosticsChannel.channel("undici:websocket:close");
     channels.socketError = diagnosticsChannel.channel("undici:websocket:socket_error");
-    var crypto;
+    var crypto2;
     try {
-      crypto = require("crypto");
+      crypto2 = require("crypto");
     } catch {
     }
     function establishWebSocketConnection(url2, protocols, ws, onEstablish, options) {
@@ -16351,7 +16351,7 @@ var require_connection = __commonJS({
         const headersList = new Headers(options.headers)[kHeadersList];
         request.headersList = headersList;
       }
-      const keyValue = crypto.randomBytes(16).toString("base64");
+      const keyValue = crypto2.randomBytes(16).toString("base64");
       request.headersList.append("sec-websocket-key", keyValue);
       request.headersList.append("sec-websocket-version", "13");
       for (const protocol of protocols) {
@@ -16380,7 +16380,7 @@ var require_connection = __commonJS({
             return;
           }
           const secWSAccept = response.headersList.get("Sec-WebSocket-Accept");
-          const digest = crypto.createHash("sha1").update(keyValue + uid).digest("base64");
+          const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64");
           if (secWSAccept !== digest) {
             failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header.");
             return;
@@ -16460,9 +16460,9 @@ var require_frame = __commonJS({
   "node_modules/undici/lib/websocket/frame.js"(exports2, module2) {
     "use strict";
     var { maxUnsigned16Bit } = require_constants5();
-    var crypto;
+    var crypto2;
     try {
-      crypto = require("crypto");
+      crypto2 = require("crypto");
     } catch {
     }
     var WebsocketFrameSend = class {
@@ -16471,7 +16471,7 @@ var require_frame = __commonJS({
        */
       constructor(data) {
         this.frameData = data;
-        this.maskKey = crypto.randomBytes(4);
+        this.maskKey = crypto2.randomBytes(4);
       }
       createFrame(opcode) {
         const bodyLength = this.frameData?.byteLength ?? 0;
@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -32287,7 +32287,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.2",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -32335,26 +32335,24 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.35.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^14.1.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
+        "@typescript-eslint/eslint-plugin": "^8.43.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.25.9",
@@ -36931,7 +36929,7 @@ var require_cacheUtils = __commonJS({
     var exec2 = __importStar4(require_exec());
     var glob2 = __importStar4(require_glob());
     var io7 = __importStar4(require_io());
-    var crypto = __importStar4(require("crypto"));
+    var crypto2 = __importStar4(require("crypto"));
     var fs20 = __importStar4(require("fs"));
     var path20 = __importStar4(require("path"));
     var semver8 = __importStar4(require_semver3());
@@ -36955,7 +36953,7 @@ var require_cacheUtils = __commonJS({
           }
           tempDirectory = path20.join(baseLocation, "actions", "temp");
         }
-        const dest = path20.join(tempDirectory, crypto.randomUUID());
+        const dest = path20.join(tempDirectory, crypto2.randomUUID());
         yield io7.mkdirP(dest);
         return dest;
       });
@@ -37071,7 +37069,7 @@ var require_cacheUtils = __commonJS({
         components.push("windows-only");
       }
       components.push(versionSalt);
-      return crypto.createHash("sha256").update(components.join("|")).digest("hex");
+      return crypto2.createHash("sha256").update(components.join("|")).digest("hex");
     }
     exports2.getCacheVersion = getCacheVersion;
     function getRuntimeToken() {
@@ -37672,14 +37670,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -37690,7 +37688,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -48815,7 +48813,7 @@ var require_dist7 = __commonJS({
     var coreXml = require_commonjs9();
     var logger$1 = require_dist();
     var abortController = require_commonjs10();
-    var crypto = require("crypto");
+    var crypto2 = require("crypto");
     var coreTracing = require_commonjs4();
     var stream2 = require("stream");
     var coreLro = require_dist6();
@@ -50323,7 +50321,7 @@ ${key}:${decodeURIComponent(lowercaseQueries[key])}`;
        * @param stringToSign -
        */
       computeHMACSHA256(stringToSign) {
-        return crypto.createHmac("sha256", this.accountKey).update(stringToSign, "utf8").digest("base64");
+        return crypto2.createHmac("sha256", this.accountKey).update(stringToSign, "utf8").digest("base64");
       }
     };
     var AnonymousCredentialPolicy = class extends CredentialPolicy {
@@ -50521,7 +50519,7 @@ ${key}:${decodeURIComponent(lowercaseQueries[key])}`;
           getHeaderValueToSign(request, HeaderConstants.IF_UNMODIFIED_SINCE),
           getHeaderValueToSign(request, HeaderConstants.RANGE)
         ].join("\n") + "\n" + getCanonicalizedHeadersString(request) + getCanonicalizedResourceString(request);
-        const signature = crypto.createHmac("sha256", options.accountKey).update(stringToSign, "utf8").digest("base64");
+        const signature = crypto2.createHmac("sha256", options.accountKey).update(stringToSign, "utf8").digest("base64");
         request.headers.set(HeaderConstants.AUTHORIZATION, `SharedKey ${options.accountName}:${signature}`);
       }
       function getHeaderValueToSign(request, headerName) {
@@ -64280,7 +64278,7 @@ ${key}:${decodeURIComponent(lowercaseQueries[key])}`;
        * @param stringToSign -
        */
       computeHMACSHA256(stringToSign) {
-        return crypto.createHmac("sha256", this.key).update(stringToSign, "utf8").digest("base64");
+        return crypto2.createHmac("sha256", this.key).update(stringToSign, "utf8").digest("base64");
       }
     };
     function ipRangeToString(ipRange) {
@@ -79551,7 +79549,7 @@ var require_tool_cache = __commonJS({
     exports2.evaluateVersions = exports2.isExplicitVersion = exports2.findFromManifest = exports2.getManifestFromRepo = exports2.findAllVersions = exports2.find = exports2.cacheFile = exports2.cacheDir = exports2.extractZip = exports2.extractXar = exports2.extractTar = exports2.extract7z = exports2.downloadTool = exports2.HTTPError = void 0;
     var core15 = __importStar4(require_core());
     var io7 = __importStar4(require_io());
-    var crypto = __importStar4(require("crypto"));
+    var crypto2 = __importStar4(require("crypto"));
     var fs20 = __importStar4(require("fs"));
     var mm = __importStar4(require_manifest());
     var os5 = __importStar4(require("os"));
@@ -79576,7 +79574,7 @@ var require_tool_cache = __commonJS({
     var userAgent = "actions/tool-cache";
     function downloadTool2(url2, dest, auth, headers) {
       return __awaiter4(this, void 0, void 0, function* () {
-        dest = dest || path20.join(_getTempDirectory(), crypto.randomUUID());
+        dest = dest || path20.join(_getTempDirectory(), crypto2.randomUUID());
         yield io7.mkdirP(path20.dirname(dest));
         core15.debug(`Downloading ${url2}`);
         core15.debug(`Destination ${dest}`);
@@ -79957,7 +79955,7 @@ var require_tool_cache = __commonJS({
     function _createExtractFolder(dest) {
       return __awaiter4(this, void 0, void 0, function* () {
         if (!dest) {
-          dest = path20.join(_getTempDirectory(), crypto.randomUUID());
+          dest = path20.join(_getTempDirectory(), crypto2.randomUUID());
         }
         yield io7.mkdirP(dest);
         return dest;
@@ -81565,7 +81563,7 @@ var require_internal_hash_files = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.hashFiles = void 0;
-    var crypto = __importStar4(require("crypto"));
+    var crypto2 = __importStar4(require("crypto"));
     var core15 = __importStar4(require_core());
     var fs20 = __importStar4(require("fs"));
     var stream2 = __importStar4(require("stream"));
@@ -81578,7 +81576,7 @@ var require_internal_hash_files = __commonJS({
         const writeDelegate = verbose ? core15.info : core15.debug;
         let hasMatch = false;
         const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd();
-        const result = crypto.createHash("sha256");
+        const result = crypto2.createHash("sha256");
         let count = 0;
         try {
           for (var _e = true, _f = __asyncValues4(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) {
@@ -81594,7 +81592,7 @@ var require_internal_hash_files = __commonJS({
               writeDelegate(`Skip directory '${file}'.`);
               continue;
             }
-            const hash2 = crypto.createHash("sha256");
+            const hash2 = crypto2.createHash("sha256");
             const pipeline = util.promisify(stream2.pipeline);
             yield pipeline(fs20.createReadStream(file), hash2);
             result.write(hash2.digest());
@@ -90115,12 +90113,6 @@ function fixCodeQualityCategory(logger, category) {
   return category;
 }
 
-// src/analyze.ts
-var fs15 = __toESM(require("fs"));
-var path16 = __toESM(require("path"));
-var import_perf_hooks2 = require("perf_hooks");
-var io5 = __toESM(require_io());
-
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
   AnalysisKind2["CodeScanning"] = "code-scanning";
@@ -90129,6 +90121,28 @@ var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
 })(AnalysisKind || {});
 var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
 var codeQualityQueries = ["code-quality"];
+var CodeScanning = {
+  kind: "code-scanning" /* CodeScanning */,
+  name: "code scanning",
+  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
+  sarifExtension: ".sarif",
+  sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name),
+  sentinelPrefix: "CODEQL_UPLOAD_SARIF_"
+};
+var CodeQuality = {
+  kind: "code-quality" /* CodeQuality */,
+  name: "code quality",
+  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
+  sarifExtension: ".quality.sarif",
+  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
+  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_"
+};
+
+// src/analyze.ts
+var fs15 = __toESM(require("fs"));
+var path16 = __toESM(require("path"));
+var import_perf_hooks2 = require("perf_hooks");
+var io5 = __toESM(require_io());
 
 // src/api-client.ts
 var core5 = __toESM(require_core());
@@ -90239,6 +90253,11 @@ async function getAnalysisKey() {
   core5.exportVariable(analysisKeyEnvVar, analysisKey);
   return analysisKey;
 }
+async function getAutomationID() {
+  const analysis_key = await getAnalysisKey();
+  const environment = getRequiredInput("matrix");
+  return computeAutomationID(analysis_key, environment);
+}
 function computeAutomationID(analysis_key, environment) {
   let automationID = `${analysis_key}/`;
   const matrix = parseMatrixInput(environment);
@@ -90559,10 +90578,11 @@ var path8 = __toESM(require("path"));
 var semver3 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.22.4";
+var bundleVersion = "codeql-bundle-v2.23.0";
-var cliVersion = "2.22.4";
+var cliVersion = "2.23.0";
 
 // src/overlay-database-utils.ts
+var crypto = __toESM(require("crypto"));
 var fs6 = __toESM(require("fs"));
 var path7 = __toESM(require("path"));
 var actionsCache = __toESM(require_cache3());
@@ -90863,14 +90883,14 @@ function checkOverlayBaseDatabase(config, logger, warningPrefix) {
   return true;
 }
 async function uploadOverlayBaseDatabaseToCache(codeql, config, logger) {
-  const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+  const overlayDatabaseMode = config.overlayDatabaseMode;
   if (overlayDatabaseMode !== "overlay-base" /* OverlayBase */) {
     logger.debug(
       `Overlay database mode is ${overlayDatabaseMode}. Skip uploading overlay-base database to cache.`
     );
     return false;
   }
-  if (!config.augmentationProperties.useOverlayDatabaseCaching) {
+  if (!config.useOverlayDatabaseCaching) {
     logger.debug(
       "Overlay database caching is disabled. Skip uploading overlay-base database to cache."
     );
@@ -90910,14 +90930,18 @@ async function uploadOverlayBaseDatabaseToCache(codeql, config, logger) {
   }
   const codeQlVersion = (await codeql.getVersion()).version;
   const checkoutPath = getRequiredInput("checkout_path");
-  const cacheKey3 = await generateCacheKey(config, codeQlVersion, checkoutPath);
+  const cacheSaveKey = await getCacheSaveKey(
+    config,
+    codeQlVersion,
+    checkoutPath
+  );
   logger.info(
-    `Uploading overlay-base database to Actions cache with key ${cacheKey3}`
+    `Uploading overlay-base database to Actions cache with key ${cacheSaveKey}`
   );
   try {
     const cacheId = await withTimeout(
       MAX_CACHE_OPERATION_MS,
-      actionsCache.saveCache([dbLocation], cacheKey3),
+      actionsCache.saveCache([dbLocation], cacheSaveKey),
       () => {
       }
     );
@@ -90934,13 +90958,26 @@ async function uploadOverlayBaseDatabaseToCache(codeql, config, logger) {
   logger.info(`Successfully uploaded overlay-base database from ${dbLocation}`);
   return true;
 }
-async function generateCacheKey(config, codeQlVersion, checkoutPath) {
+async function getCacheSaveKey(config, codeQlVersion, checkoutPath) {
   const sha = await getCommitOid(checkoutPath);
-  return `${getCacheRestoreKey(config, codeQlVersion)}${sha}`;
+  const restoreKeyPrefix = await getCacheRestoreKeyPrefix(
+    config,
+    codeQlVersion
+  );
+  return `${restoreKeyPrefix}${sha}`;
 }
-function getCacheRestoreKey(config, codeQlVersion) {
+async function getCacheRestoreKeyPrefix(config, codeQlVersion) {
   const languages = [...config.languages].sort().join("_");
-  return `${CACHE_PREFIX}-${CACHE_VERSION}-${languages}-${codeQlVersion}-`;
+  const cacheKeyComponents = {
+    automationID: await getAutomationID()
+    // Add more components here as needed in the future
+  };
+  const componentsHash = createCacheKeyHash(cacheKeyComponents);
+  return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languages}-${codeQlVersion}-`;
+}
+function createCacheKeyHash(components) {
+  const componentsJson = JSON.stringify(components);
+  return crypto.createHash("sha256").update(componentsJson).digest("hex").substring(0, 16);
 }
 
 // src/tools-features.ts
@@ -91542,15 +91579,6 @@ async function cachePrefix(codeql, language) {
 }
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
@@ -91594,38 +91622,10 @@ async function getConfig(tempDir, logger) {
   logger.debug(configString);
   return JSON.parse(configString);
 }
-function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
-  const augmentedConfig = cloneObject(originalUserInput);
+  const augmentedConfig = cloneObject(cliConfig);
-  if (augmentationProperties.queriesInput) {
+  if (extraQueryExclusions.length === 0) {
-    if (augmentationProperties.queriesInputCombines) {
+    return augmentedConfig;
-      augmentedConfig.queries = (augmentedConfig.queries || []).concat(
-        augmentationProperties.queriesInput
-      );
-    } else {
-      augmentedConfig.queries = augmentationProperties.queriesInput;
-    }
-  }
-  if (augmentedConfig.queries?.length === 0) {
-    delete augmentedConfig.queries;
-  }
-  if (augmentationProperties.packsInput) {
-    if (augmentationProperties.packsInputCombines) {
-      if (Array.isArray(augmentedConfig.packs)) {
-        augmentedConfig.packs = (augmentedConfig.packs || []).concat(
-          augmentationProperties.packsInput
-        );
-      } else if (!augmentedConfig.packs) {
-        augmentedConfig.packs = augmentationProperties.packsInput;
-      } else {
-        const language = Object.keys(augmentedConfig.packs)[0];
-        augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput);
-      }
-    } else {
-      augmentedConfig.packs = augmentationProperties.packsInput;
-    }
-  }
-  if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
-    delete augmentedConfig.packs;
   }
   augmentedConfig["query-filters"] = [
     // Ordering matters. If the first filter is an inclusion, it implicitly
@@ -91633,16 +91633,25 @@ function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
     // it implicitly includes all queries that are not excluded. So user
     // filters (if any) should always be first to preserve intent.
     ...augmentedConfig["query-filters"] || [],
-    ...augmentationProperties.extraQueryExclusions
+    ...extraQueryExclusions
   ];
   if (augmentedConfig["query-filters"]?.length === 0) {
     delete augmentedConfig["query-filters"];
   }
   return augmentedConfig;
 }
+function isCodeScanningEnabled(config) {
+  return config.analysisKinds.includes("code-scanning" /* CodeScanning */);
+}
 function isCodeQualityEnabled(config) {
   return config.analysisKinds.includes("code-quality" /* CodeQuality */);
 }
+function getPrimaryAnalysisKind(config) {
+  return isCodeScanningEnabled(config) ? "code-scanning" /* CodeScanning */ : "code-quality" /* CodeQuality */;
+}
+function getPrimaryAnalysisConfig(config) {
+  return getPrimaryAnalysisKind(config) === "code-scanning" /* CodeScanning */ ? CodeScanning : CodeQuality;
+}
 
 // src/setup-codeql.ts
 var fs12 = __toESM(require("fs"));
@@ -91651,7 +91660,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist/esm/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -91660,27 +91669,24 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist/esm/rng.js
+// node_modules/uuid/dist/rng.js
-var import_crypto = require("crypto");
+var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
 function rng() {
   if (poolPtr > rnds8Pool.length - 16) {
-    (0, import_crypto.randomFillSync)(rnds8Pool);
+    (0, import_node_crypto.randomFillSync)(rnds8Pool);
     poolPtr = 0;
   }
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist/esm/native.js
+// node_modules/uuid/dist/native.js
-var import_crypto2 = require("crypto");
+var import_node_crypto2 = require("node:crypto");
-var native_default = { randomUUID: import_crypto2.randomUUID };
+var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist/esm/v4.js
+// node_modules/uuid/dist/v4.js
-function v4(options, buf, offset) {
+function _v4(options, buf, offset) {
-  if (native_default.randomUUID && !buf && !options) {
-    return native_default.randomUUID();
-  }
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();
   if (rnds.length < 16) {
@@ -91700,6 +91706,12 @@ function v4(options, buf, offset) {
   }
   return unsafeStringify(rnds);
 }
+function v4(options, buf, offset) {
+  if (native_default.randomUUID && !buf && !options) {
+    return native_default.randomUUID();
+  }
+  return _v4(options, buf, offset);
+}
 var v4_default = v4;
 
 // src/tar.ts
@@ -92646,7 +92658,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         await this.getVersion(),
         "forceOverwrite" /* ForceOverwrite */
       ) ? "--force-overwrite" : "--overwrite";
-      const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+      const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === "overlay" /* Overlay */) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -93060,9 +93072,9 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
+  const augmentedConfig = appendExtraQueryExclusions(
-    config.originalUserInput,
+    config.extraQueryExclusions,
-    config.augmentationProperties
+    config.computedConfig
   );
   logger.info(
     `Writing augmented user configuration file to ${codeScanningConfigFile}`
@@ -93599,11 +93611,14 @@ function resolveQuerySuiteAlias(language, maybeSuite) {
   }
   return maybeSuite;
 }
+function addSarifExtension(analysis, base) {
+  return `${base}${analysis.sarifExtension}`;
+}
 async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, diffRangePackDir, automationDetailsId, codeql, config, logger, features) {
   const statusReport = {};
   const queryFlags = [memoryFlag, threadsFlag];
   const incrementalMode = [];
-  if (config.augmentationProperties.overlayDatabaseMode !== "overlay-base" /* OverlayBase */) {
+  if (config.overlayDatabaseMode !== "overlay-base" /* OverlayBase */) {
     queryFlags.push("--expect-discarded-cache");
   }
   statusReport.analysis_is_diff_informed = diffRangePackDir !== void 0;
@@ -93612,20 +93627,22 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
     queryFlags.push("--extension-packs=codeql-action/pr-diff-range");
     incrementalMode.push("diff-informed");
   }
-  statusReport.analysis_is_overlay = config.augmentationProperties.overlayDatabaseMode === "overlay" /* Overlay */;
+  statusReport.analysis_is_overlay = config.overlayDatabaseMode === "overlay" /* Overlay */;
-  statusReport.analysis_builds_overlay_base_database = config.augmentationProperties.overlayDatabaseMode === "overlay-base" /* OverlayBase */;
+  statusReport.analysis_builds_overlay_base_database = config.overlayDatabaseMode === "overlay-base" /* OverlayBase */;
-  if (config.augmentationProperties.overlayDatabaseMode === "overlay" /* Overlay */) {
+  if (config.overlayDatabaseMode === "overlay" /* Overlay */) {
     incrementalMode.push("overlay");
   }
   const sarifRunPropertyFlag = incrementalMode.length > 0 ? `--sarif-run-property=incrementalMode=${incrementalMode.join(",")}` : void 0;
+  const dbAnalysisConfig = getPrimaryAnalysisConfig(config);
   for (const language of config.languages) {
     try {
-      const sarifFile = path16.join(sarifFolder, `${language}.sarif`);
       const queries = [];
-      if (isCodeQualityEnabled(config)) {
+      if (config.analysisKinds.length > 1) {
         queries.push(getGeneratedSuitePath(config, language));
-        for (const qualityQuery of codeQualityQueries) {
+        if (isCodeQualityEnabled(config)) {
-          queries.push(resolveQuerySuiteAlias(language, qualityQuery));
+          for (const qualityQuery of codeQualityQueries) {
+            queries.push(resolveQuerySuiteAlias(language, qualityQuery));
+          }
         }
       }
       logger.startGroup(`Running queries for ${language}`);
@@ -93634,35 +93651,24 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
       await codeql.databaseRunQueries(databasePath, queryFlags, queries);
       logger.debug(`Finished running queries for ${language}.`);
       statusReport[`analyze_builtin_queries_${language}_duration_ms`] = (/* @__PURE__ */ new Date()).getTime() - startTimeRunQueries;
-      logger.startGroup(`Interpreting results for ${language}`);
       const startTimeInterpretResults = /* @__PURE__ */ new Date();
-      const analysisSummary = await runInterpretResults(
+      const { summary: analysisSummary, sarifFile } = await runInterpretResultsFor(
+        dbAnalysisConfig,
         language,
         void 0,
-        sarifFile,
+        config.debugMode
-        config.debugMode,
-        automationDetailsId
       );
       let qualityAnalysisSummary;
-      if (isCodeQualityEnabled(config)) {
+      if (config.analysisKinds.length > 1 && isCodeQualityEnabled(config)) {
-        logger.info(`Interpreting quality results for ${language}`);
+        const qualityResult = await runInterpretResultsFor(
-        const qualityCategory = fixCodeQualityCategory(
+          CodeQuality,
-          logger,
-          automationDetailsId
-        );
-        const qualitySarifFile = path16.join(
-          sarifFolder,
-          `${language}.quality.sarif`
-        );
-        qualityAnalysisSummary = await runInterpretResults(
           language,
           codeQualityQueries.map(
             (i) => resolveQuerySuiteAlias(language, i)
           ),
-          qualitySarifFile,
+          config.debugMode
-          config.debugMode,
-          qualityCategory
         );
+        qualityAnalysisSummary = qualityResult.summary;
       }
       const endTimeInterpretResults = /* @__PURE__ */ new Date();
       statusReport[`interpret_results_${language}_duration_ms`] = endTimeInterpretResults.getTime() - startTimeInterpretResults.getTime();
@@ -93698,6 +93704,25 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
     }
   }
   return statusReport;
+  async function runInterpretResultsFor(analysis, language, queries, enableDebugLogging) {
+    logger.info(`Interpreting ${analysis.name} results for ${language}`);
+    let category = automationDetailsId;
+    if (dbAnalysisConfig.kind === "code-quality" /* CodeQuality */) {
+      category = fixCodeQualityCategory(logger, automationDetailsId);
+    }
+    const sarifFile = path16.join(
+      sarifFolder,
+      addSarifExtension(analysis, language)
+    );
+    const summary = await runInterpretResults(
+      language,
+      queries,
+      sarifFile,
+      enableDebugLogging,
+      category
+    );
+    return { summary, sarifFile };
+  }
   async function runInterpretResults(language, queries, sarifFile, enableDebugLogging, category) {
     const databasePath = getCodeQLDatabasePath(config, language);
     return await codeql.databaseInterpretResults(
@@ -95346,7 +95371,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
   return JSON.parse(fs18.readFileSync(outputFile, "utf8"));
 }
 function populateRunAutomationDetails(sarif, category, analysis_key, environment) {
-  const automationID = getAutomationID(category, analysis_key, environment);
+  const automationID = getAutomationID2(category, analysis_key, environment);
   if (automationID !== void 0) {
     for (const run2 of sarif.runs || []) {
       if (run2.automationDetails === void 0) {
@@ -95359,7 +95384,7 @@ function populateRunAutomationDetails(sarif, category, analysis_key, environment
   }
   return sarif;
 }
-function getAutomationID(category, analysis_key, environment) {
+function getAutomationID2(category, analysis_key, environment) {
   if (category !== void 0) {
     let automationID = category;
     if (!automationID.endsWith("/")) {
@@ -95537,18 +95562,6 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
   }
   return payloadObj;
 }
-var CodeScanningTarget = {
-  name: "code scanning",
-  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
-  sarifPredicate: (name) => name.endsWith(".sarif") && !CodeQualityTarget.sarifPredicate(name),
-  sentinelPrefix: "CODEQL_UPLOAD_SARIF_"
-};
-var CodeQualityTarget = {
-  name: "code quality",
-  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
-  sarifPredicate: (name) => name.endsWith(".quality.sarif"),
-  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_"
-};
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
   const sarifPaths = getSarifFilePaths(
     inputSarifPath,
@@ -95563,7 +95576,7 @@ async function uploadFiles(inputSarifPath, checkoutPath, category, features, log
     uploadTarget
   );
 }
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget = CodeScanningTarget) {
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
   logger.startGroup(`Uploading ${uploadTarget.name} results`);
   logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
   const gitHubVersion = await getGitHubVersion();
@@ -95734,7 +95747,7 @@ function handleProcessingResultForUnsuccessfulExecution(response, status, logger
     assertNever(status);
   }
 }
-function validateUniqueCategory(sarif, sentinelPrefix = CodeScanningTarget.sentinelPrefix) {
+function validateUniqueCategory(sarif, sentinelPrefix) {
   const categories = {};
   for (const run2 of sarif.runs) {
     const id = run2?.automationDetails?.id;
@@ -95984,15 +95997,17 @@ async function run() {
     core14.setOutput("sarif-output", import_path4.default.resolve(outputDir));
     const uploadInput = getOptionalInput("upload");
     if (runStats && getUploadValue(uploadInput) === "always") {
-      uploadResult = await uploadFiles(
+      if (isCodeScanningEnabled(config)) {
-        outputDir,
+        uploadResult = await uploadFiles(
-        getRequiredInput("checkout_path"),
+          outputDir,
-        getOptionalInput("category"),
+          getRequiredInput("checkout_path"),
-        features,
+          getOptionalInput("category"),
-        logger,
+          features,
-        CodeScanningTarget
+          logger,
-      );
+          CodeScanning
-      core14.setOutput("sarif-id", uploadResult.sarifID);
+        );
+        core14.setOutput("sarif-id", uploadResult.sarifID);
+      }
       if (isCodeQualityEnabled(config)) {
         const qualityUploadResult = await uploadFiles(
           outputDir,
@@ -96003,7 +96018,7 @@ async function run() {
           ),
           features,
           logger,
-          CodeQualityTarget
+          CodeQuality
         );
         core14.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
       }

lib/autobuild-action.js

@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.2",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -26486,26 +26486,24 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.35.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^14.1.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
+        "@typescript-eslint/eslint-plugin": "^8.43.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.25.9",
@@ -31823,14 +31821,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -31841,7 +31839,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -78249,8 +78247,8 @@ var path3 = __toESM(require("path"));
 var semver3 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.22.4";
+var bundleVersion = "codeql-bundle-v2.23.0";
-var cliVersion = "2.22.4";
+var cliVersion = "2.23.0";
 
 // src/overlay-database-utils.ts
 var fs2 = __toESM(require("fs"));
@@ -78923,15 +78921,6 @@ var GitHubFeatureFlags = class {
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
@@ -78975,38 +78964,10 @@ async function getConfig(tempDir, logger) {
   logger.debug(configString);
   return JSON.parse(configString);
 }
-function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
-  const augmentedConfig = cloneObject(originalUserInput);
+  const augmentedConfig = cloneObject(cliConfig);
-  if (augmentationProperties.queriesInput) {
+  if (extraQueryExclusions.length === 0) {
-    if (augmentationProperties.queriesInputCombines) {
+    return augmentedConfig;
-      augmentedConfig.queries = (augmentedConfig.queries || []).concat(
-        augmentationProperties.queriesInput
-      );
-    } else {
-      augmentedConfig.queries = augmentationProperties.queriesInput;
-    }
-  }
-  if (augmentedConfig.queries?.length === 0) {
-    delete augmentedConfig.queries;
-  }
-  if (augmentationProperties.packsInput) {
-    if (augmentationProperties.packsInputCombines) {
-      if (Array.isArray(augmentedConfig.packs)) {
-        augmentedConfig.packs = (augmentedConfig.packs || []).concat(
-          augmentationProperties.packsInput
-        );
-      } else if (!augmentedConfig.packs) {
-        augmentedConfig.packs = augmentationProperties.packsInput;
-      } else {
-        const language = Object.keys(augmentedConfig.packs)[0];
-        augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput);
-      }
-    } else {
-      augmentedConfig.packs = augmentationProperties.packsInput;
-    }
-  }
-  if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
-    delete augmentedConfig.packs;
   }
   augmentedConfig["query-filters"] = [
     // Ordering matters. If the first filter is an inclusion, it implicitly
@@ -79014,7 +78975,7 @@ function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
     // it implicitly includes all queries that are not excluded. So user
     // filters (if any) should always be first to preserve intent.
     ...augmentedConfig["query-filters"] || [],
-    ...augmentationProperties.extraQueryExclusions
+    ...extraQueryExclusions
   ];
   if (augmentedConfig["query-filters"]?.length === 0) {
     delete augmentedConfig["query-filters"];
@@ -79169,7 +79130,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         await this.getVersion(),
         "forceOverwrite" /* ForceOverwrite */
       ) ? "--force-overwrite" : "--overwrite";
-      const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+      const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === "overlay" /* Overlay */) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -79583,9 +79544,9 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
+  const augmentedConfig = appendExtraQueryExclusions(
-    config.originalUserInput,
+    config.extraQueryExclusions,
-    config.augmentationProperties
+    config.computedConfig
   );
   logger.info(
     `Writing augmented user configuration file to ${codeScanningConfigFile}`

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.22.4",
+  "bundleVersion": "codeql-bundle-v2.23.0",
-  "cliVersion": "2.22.4",
+  "cliVersion": "2.23.0",
-  "priorBundleVersion": "codeql-bundle-v2.22.3",
+  "priorBundleVersion": "codeql-bundle-v2.22.4",
-  "priorCliVersion": "2.22.3"
+  "priorCliVersion": "2.22.4"
 }

lib/init-action-post.js

@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context3, operator, key, modifier) {
       var value = context3[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context3, operator, key, modifier) {
       var value = context3[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -32287,7 +32287,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.2",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -32335,26 +32335,24 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.35.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^14.1.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
+        "@typescript-eslint/eslint-plugin": "^8.43.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.25.9",
@@ -37672,14 +37670,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -37690,7 +37688,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -108761,7 +108759,7 @@ var require_dist_node16 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -108769,7 +108767,7 @@ var require_dist_node16 = __commonJS({
     }
     function getValues(context3, operator, key, modifier) {
       var value = context3[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -108779,12 +108777,12 @@ var require_dist_node16 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(encodeValue(operator, value2, isKeyOperator(operator) ? key : ""));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -108792,12 +108790,12 @@ var require_dist_node16 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -108812,7 +108810,7 @@ var require_dist_node16 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -128756,6 +128754,22 @@ var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
   return AnalysisKind2;
 })(AnalysisKind || {});
 var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+var CodeScanning = {
+  kind: "code-scanning" /* CodeScanning */,
+  name: "code scanning",
+  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
+  sarifExtension: ".sarif",
+  sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name),
+  sentinelPrefix: "CODEQL_UPLOAD_SARIF_"
+};
+var CodeQuality = {
+  kind: "code-quality" /* CodeQuality */,
+  name: "code quality",
+  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
+  sarifExtension: ".quality.sarif",
+  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
+  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_"
+};
 
 // src/caching-utils.ts
 var core6 = __toESM(require_core());
@@ -128770,8 +128784,8 @@ var path8 = __toESM(require("path"));
 var semver3 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.22.4";
+var bundleVersion = "codeql-bundle-v2.23.0";
-var cliVersion = "2.22.4";
+var cliVersion = "2.23.0";
 
 // src/overlay-database-utils.ts
 var fs6 = __toESM(require("fs"));
@@ -129520,15 +129534,6 @@ ${jsonContents}`
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
@@ -129572,38 +129577,10 @@ async function getConfig(tempDir, logger) {
   logger.debug(configString);
   return JSON.parse(configString);
 }
-function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
-  const augmentedConfig = cloneObject(originalUserInput);
+  const augmentedConfig = cloneObject(cliConfig);
-  if (augmentationProperties.queriesInput) {
+  if (extraQueryExclusions.length === 0) {
-    if (augmentationProperties.queriesInputCombines) {
+    return augmentedConfig;
-      augmentedConfig.queries = (augmentedConfig.queries || []).concat(
-        augmentationProperties.queriesInput
-      );
-    } else {
-      augmentedConfig.queries = augmentationProperties.queriesInput;
-    }
-  }
-  if (augmentedConfig.queries?.length === 0) {
-    delete augmentedConfig.queries;
-  }
-  if (augmentationProperties.packsInput) {
-    if (augmentationProperties.packsInputCombines) {
-      if (Array.isArray(augmentedConfig.packs)) {
-        augmentedConfig.packs = (augmentedConfig.packs || []).concat(
-          augmentationProperties.packsInput
-        );
-      } else if (!augmentedConfig.packs) {
-        augmentedConfig.packs = augmentationProperties.packsInput;
-      } else {
-        const language = Object.keys(augmentedConfig.packs)[0];
-        augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput);
-      }
-    } else {
-      augmentedConfig.packs = augmentationProperties.packsInput;
-    }
-  }
-  if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
-    delete augmentedConfig.packs;
   }
   augmentedConfig["query-filters"] = [
     // Ordering matters. If the first filter is an inclusion, it implicitly
@@ -129611,7 +129588,7 @@ function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
     // it implicitly includes all queries that are not excluded. So user
     // filters (if any) should always be first to preserve intent.
     ...augmentedConfig["query-filters"] || [],
-    ...augmentationProperties.extraQueryExclusions
+    ...extraQueryExclusions
   ];
   if (augmentedConfig["query-filters"]?.length === 0) {
     delete augmentedConfig["query-filters"];
@@ -129626,7 +129603,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist/esm/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -129635,27 +129612,24 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist/esm/rng.js
+// node_modules/uuid/dist/rng.js
-var import_crypto = require("crypto");
+var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
 function rng() {
   if (poolPtr > rnds8Pool.length - 16) {
-    (0, import_crypto.randomFillSync)(rnds8Pool);
+    (0, import_node_crypto.randomFillSync)(rnds8Pool);
     poolPtr = 0;
   }
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist/esm/native.js
+// node_modules/uuid/dist/native.js
-var import_crypto2 = require("crypto");
+var import_node_crypto2 = require("node:crypto");
-var native_default = { randomUUID: import_crypto2.randomUUID };
+var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist/esm/v4.js
+// node_modules/uuid/dist/v4.js
-function v4(options, buf, offset) {
+function _v4(options, buf, offset) {
-  if (native_default.randomUUID && !buf && !options) {
-    return native_default.randomUUID();
-  }
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();
   if (rnds.length < 16) {
@@ -129675,6 +129649,12 @@ function v4(options, buf, offset) {
   }
   return unsafeStringify(rnds);
 }
+function v4(options, buf, offset) {
+  if (native_default.randomUUID && !buf && !options) {
+    return native_default.randomUUID();
+  }
+  return _v4(options, buf, offset);
+}
 var v4_default = v4;
 
 // src/tar.ts
@@ -130588,7 +130568,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         await this.getVersion(),
         "forceOverwrite" /* ForceOverwrite */
       ) ? "--force-overwrite" : "--overwrite";
-      const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+      const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === "overlay" /* Overlay */) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -131002,9 +130982,9 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
+  const augmentedConfig = appendExtraQueryExclusions(
-    config.originalUserInput,
+    config.extraQueryExclusions,
-    config.augmentationProperties
+    config.computedConfig
   );
   logger.info(
     `Writing augmented user configuration file to ${codeScanningConfigFile}`
@@ -132828,7 +132808,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
   return JSON.parse(fs17.readFileSync(outputFile, "utf8"));
 }
 function populateRunAutomationDetails(sarif, category, analysis_key, environment) {
-  const automationID = getAutomationID(category, analysis_key, environment);
+  const automationID = getAutomationID2(category, analysis_key, environment);
   if (automationID !== void 0) {
     for (const run2 of sarif.runs || []) {
       if (run2.automationDetails === void 0) {
@@ -132841,7 +132821,7 @@ function populateRunAutomationDetails(sarif, category, analysis_key, environment
   }
   return sarif;
 }
-function getAutomationID(category, analysis_key, environment) {
+function getAutomationID2(category, analysis_key, environment) {
   if (category !== void 0) {
     let automationID = category;
     if (!automationID.endsWith("/")) {
@@ -133019,18 +132999,6 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
   }
   return payloadObj;
 }
-var CodeScanningTarget = {
-  name: "code scanning",
-  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
-  sarifPredicate: (name) => name.endsWith(".sarif") && !CodeQualityTarget.sarifPredicate(name),
-  sentinelPrefix: "CODEQL_UPLOAD_SARIF_"
-};
-var CodeQualityTarget = {
-  name: "code quality",
-  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
-  sarifPredicate: (name) => name.endsWith(".quality.sarif"),
-  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_"
-};
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
   const sarifPaths = getSarifFilePaths(
     inputSarifPath,
@@ -133045,7 +133013,7 @@ async function uploadFiles(inputSarifPath, checkoutPath, category, features, log
     uploadTarget
   );
 }
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget = CodeScanningTarget) {
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
   logger.startGroup(`Uploading ${uploadTarget.name} results`);
   logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
   const gitHubVersion = await getGitHubVersion();
@@ -133216,7 +133184,7 @@ function handleProcessingResultForUnsuccessfulExecution(response, status, logger
     assertNever(status);
   }
 }
-function validateUniqueCategory(sarif, sentinelPrefix = CodeScanningTarget.sentinelPrefix) {
+function validateUniqueCategory(sarif, sentinelPrefix) {
   const categories = {};
   for (const run2 of sarif.runs) {
     const id = run2?.automationDetails?.id;
@@ -133441,7 +133409,7 @@ async function maybeUploadFailedSarif(config, repositoryNwo, features, logger) {
     category,
     features,
     logger,
-    CodeScanningTarget
+    CodeScanning
   );
   await waitForProcessing(
     repositoryNwo,

lib/init-action.js

@@ -184,7 +184,7 @@ var require_file_command = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.prepareKeyValueMessage = exports2.issueFileCommand = void 0;
-    var crypto = __importStar4(require("crypto"));
+    var crypto2 = __importStar4(require("crypto"));
     var fs18 = __importStar4(require("fs"));
     var os5 = __importStar4(require("os"));
     var utils_1 = require_utils();
@@ -202,7 +202,7 @@ var require_file_command = __commonJS({
     }
     exports2.issueFileCommand = issueFileCommand;
     function prepareKeyValueMessage(key, value) {
-      const delimiter = `ghadelimiter_${crypto.randomUUID()}`;
+      const delimiter = `ghadelimiter_${crypto2.randomUUID()}`;
       const convertedValue = (0, utils_1.toCommandValue)(value);
       if (key.includes(delimiter)) {
         throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`);
@@ -3637,11 +3637,11 @@ var require_util2 = __commonJS({
     var assert = require("assert");
     var { isUint8Array } = require("util/types");
     var supportedHashes = [];
-    var crypto;
+    var crypto2;
     try {
-      crypto = require("crypto");
+      crypto2 = require("crypto");
       const possibleRelevantHashes = ["sha256", "sha384", "sha512"];
-      supportedHashes = crypto.getHashes().filter((hash) => possibleRelevantHashes.includes(hash));
+      supportedHashes = crypto2.getHashes().filter((hash) => possibleRelevantHashes.includes(hash));
     } catch {
     }
     function responseURL(response) {
@@ -3918,7 +3918,7 @@ var require_util2 = __commonJS({
       }
     }
     function bytesMatch(bytes, metadataList) {
-      if (crypto === void 0) {
+      if (crypto2 === void 0) {
         return true;
       }
       const parsedMetadata = parseMetadata(metadataList);
@@ -3933,7 +3933,7 @@ var require_util2 = __commonJS({
       for (const item of metadata) {
         const algorithm = item.algo;
         const expectedValue = item.hash;
-        let actualValue = crypto.createHash(algorithm).update(bytes).digest("base64");
+        let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64");
         if (actualValue[actualValue.length - 1] === "=") {
           if (actualValue[actualValue.length - 2] === "=") {
             actualValue = actualValue.slice(0, -2);
@@ -5279,8 +5279,8 @@ var require_body = __commonJS({
     var { parseMIMEType, serializeAMimeType } = require_dataURL();
     var random;
     try {
-      const crypto = require("node:crypto");
+      const crypto2 = require("node:crypto");
-      random = (max) => crypto.randomInt(0, max);
+      random = (max) => crypto2.randomInt(0, max);
     } catch {
       random = (max) => Math.floor(Math.random(max));
     }
@@ -16330,9 +16330,9 @@ var require_connection = __commonJS({
     channels.open = diagnosticsChannel.channel("undici:websocket:open");
     channels.close = diagnosticsChannel.channel("undici:websocket:close");
     channels.socketError = diagnosticsChannel.channel("undici:websocket:socket_error");
-    var crypto;
+    var crypto2;
     try {
-      crypto = require("crypto");
+      crypto2 = require("crypto");
     } catch {
     }
     function establishWebSocketConnection(url, protocols, ws, onEstablish, options) {
@@ -16351,7 +16351,7 @@ var require_connection = __commonJS({
         const headersList = new Headers(options.headers)[kHeadersList];
         request.headersList = headersList;
       }
-      const keyValue = crypto.randomBytes(16).toString("base64");
+      const keyValue = crypto2.randomBytes(16).toString("base64");
       request.headersList.append("sec-websocket-key", keyValue);
       request.headersList.append("sec-websocket-version", "13");
       for (const protocol of protocols) {
@@ -16380,7 +16380,7 @@ var require_connection = __commonJS({
             return;
           }
           const secWSAccept = response.headersList.get("Sec-WebSocket-Accept");
-          const digest = crypto.createHash("sha1").update(keyValue + uid).digest("base64");
+          const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64");
           if (secWSAccept !== digest) {
             failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header.");
             return;
@@ -16460,9 +16460,9 @@ var require_frame = __commonJS({
   "node_modules/undici/lib/websocket/frame.js"(exports2, module2) {
     "use strict";
     var { maxUnsigned16Bit } = require_constants5();
-    var crypto;
+    var crypto2;
     try {
-      crypto = require("crypto");
+      crypto2 = require("crypto");
     } catch {
     }
     var WebsocketFrameSend = class {
@@ -16471,7 +16471,7 @@ var require_frame = __commonJS({
        */
       constructor(data) {
         this.frameData = data;
-        this.maskKey = crypto.randomBytes(4);
+        this.maskKey = crypto2.randomBytes(4);
       }
       createFrame(opcode) {
         const bodyLength = this.frameData?.byteLength ?? 0;
@@ -22196,7 +22196,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -22204,7 +22204,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -22216,14 +22216,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -22231,12 +22231,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -22251,7 +22251,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -22936,7 +22936,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -22944,7 +22944,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -22956,14 +22956,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -22971,12 +22971,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -22991,7 +22991,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -32287,7 +32287,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.2",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -32335,26 +32335,24 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.35.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^14.1.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
+        "@typescript-eslint/eslint-plugin": "^8.43.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.25.9",
@@ -36931,7 +36929,7 @@ var require_cacheUtils = __commonJS({
     var exec2 = __importStar4(require_exec());
     var glob2 = __importStar4(require_glob());
     var io7 = __importStar4(require_io());
-    var crypto = __importStar4(require("crypto"));
+    var crypto2 = __importStar4(require("crypto"));
     var fs18 = __importStar4(require("fs"));
     var path19 = __importStar4(require("path"));
     var semver9 = __importStar4(require_semver3());
@@ -36955,7 +36953,7 @@ var require_cacheUtils = __commonJS({
           }
           tempDirectory = path19.join(baseLocation, "actions", "temp");
         }
-        const dest = path19.join(tempDirectory, crypto.randomUUID());
+        const dest = path19.join(tempDirectory, crypto2.randomUUID());
         yield io7.mkdirP(dest);
         return dest;
       });
@@ -37071,7 +37069,7 @@ var require_cacheUtils = __commonJS({
         components.push("windows-only");
       }
       components.push(versionSalt);
-      return crypto.createHash("sha256").update(components.join("|")).digest("hex");
+      return crypto2.createHash("sha256").update(components.join("|")).digest("hex");
     }
     exports2.getCacheVersion = getCacheVersion;
     function getRuntimeToken() {
@@ -37672,14 +37670,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -37690,7 +37688,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -48815,7 +48813,7 @@ var require_dist7 = __commonJS({
     var coreXml = require_commonjs9();
     var logger$1 = require_dist();
     var abortController = require_commonjs10();
-    var crypto = require("crypto");
+    var crypto2 = require("crypto");
     var coreTracing = require_commonjs4();
     var stream2 = require("stream");
     var coreLro = require_dist6();
@@ -50323,7 +50321,7 @@ ${key}:${decodeURIComponent(lowercaseQueries[key])}`;
        * @param stringToSign -
        */
       computeHMACSHA256(stringToSign) {
-        return crypto.createHmac("sha256", this.accountKey).update(stringToSign, "utf8").digest("base64");
+        return crypto2.createHmac("sha256", this.accountKey).update(stringToSign, "utf8").digest("base64");
       }
     };
     var AnonymousCredentialPolicy = class extends CredentialPolicy {
@@ -50521,7 +50519,7 @@ ${key}:${decodeURIComponent(lowercaseQueries[key])}`;
           getHeaderValueToSign(request, HeaderConstants.IF_UNMODIFIED_SINCE),
           getHeaderValueToSign(request, HeaderConstants.RANGE)
         ].join("\n") + "\n" + getCanonicalizedHeadersString(request) + getCanonicalizedResourceString(request);
-        const signature = crypto.createHmac("sha256", options.accountKey).update(stringToSign, "utf8").digest("base64");
+        const signature = crypto2.createHmac("sha256", options.accountKey).update(stringToSign, "utf8").digest("base64");
         request.headers.set(HeaderConstants.AUTHORIZATION, `SharedKey ${options.accountName}:${signature}`);
       }
       function getHeaderValueToSign(request, headerName) {
@@ -64280,7 +64278,7 @@ ${key}:${decodeURIComponent(lowercaseQueries[key])}`;
        * @param stringToSign -
        */
       computeHMACSHA256(stringToSign) {
-        return crypto.createHmac("sha256", this.key).update(stringToSign, "utf8").digest("base64");
+        return crypto2.createHmac("sha256", this.key).update(stringToSign, "utf8").digest("base64");
       }
     };
     function ipRangeToString(ipRange) {
@@ -80225,7 +80223,7 @@ var require_internal_hash_files = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.hashFiles = void 0;
-    var crypto = __importStar4(require("crypto"));
+    var crypto2 = __importStar4(require("crypto"));
     var core14 = __importStar4(require_core());
     var fs18 = __importStar4(require("fs"));
     var stream2 = __importStar4(require("stream"));
@@ -80238,7 +80236,7 @@ var require_internal_hash_files = __commonJS({
         const writeDelegate = verbose ? core14.info : core14.debug;
         let hasMatch = false;
         const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd();
-        const result = crypto.createHash("sha256");
+        const result = crypto2.createHash("sha256");
         let count = 0;
         try {
           for (var _e = true, _f = __asyncValues4(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) {
@@ -80254,7 +80252,7 @@ var require_internal_hash_files = __commonJS({
               writeDelegate(`Skip directory '${file}'.`);
               continue;
             }
-            const hash = crypto.createHash("sha256");
+            const hash = crypto2.createHash("sha256");
             const pipeline = util.promisify(stream2.pipeline);
             yield pipeline(fs18.createReadStream(file), hash);
             result.write(hash.digest());
@@ -80648,7 +80646,7 @@ var require_tool_cache = __commonJS({
     exports2.evaluateVersions = exports2.isExplicitVersion = exports2.findFromManifest = exports2.getManifestFromRepo = exports2.findAllVersions = exports2.find = exports2.cacheFile = exports2.cacheDir = exports2.extractZip = exports2.extractXar = exports2.extractTar = exports2.extract7z = exports2.downloadTool = exports2.HTTPError = void 0;
     var core14 = __importStar4(require_core());
     var io7 = __importStar4(require_io());
-    var crypto = __importStar4(require("crypto"));
+    var crypto2 = __importStar4(require("crypto"));
     var fs18 = __importStar4(require("fs"));
     var mm = __importStar4(require_manifest());
     var os5 = __importStar4(require("os"));
@@ -80673,7 +80671,7 @@ var require_tool_cache = __commonJS({
     var userAgent = "actions/tool-cache";
     function downloadTool2(url, dest, auth, headers) {
       return __awaiter4(this, void 0, void 0, function* () {
-        dest = dest || path19.join(_getTempDirectory(), crypto.randomUUID());
+        dest = dest || path19.join(_getTempDirectory(), crypto2.randomUUID());
         yield io7.mkdirP(path19.dirname(dest));
         core14.debug(`Downloading ${url}`);
         core14.debug(`Destination ${dest}`);
@@ -81054,7 +81052,7 @@ var require_tool_cache = __commonJS({
     function _createExtractFolder(dest) {
       return __awaiter4(this, void 0, void 0, function* () {
         if (!dest) {
-          dest = path19.join(_getTempDirectory(), crypto.randomUUID());
+          dest = path19.join(_getTempDirectory(), crypto2.randomUUID());
         }
         yield io7.mkdirP(dest);
         return dest;
@@ -81688,7 +81686,7 @@ var core13 = __toESM(require_core());
 var io6 = __toESM(require_io());
 var semver8 = __toESM(require_semver2());
 
-// node_modules/uuid/dist/esm/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -81697,27 +81695,24 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist/esm/rng.js
+// node_modules/uuid/dist/rng.js
-var import_crypto = require("crypto");
+var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
 function rng() {
   if (poolPtr > rnds8Pool.length - 16) {
-    (0, import_crypto.randomFillSync)(rnds8Pool);
+    (0, import_node_crypto.randomFillSync)(rnds8Pool);
     poolPtr = 0;
   }
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist/esm/native.js
+// node_modules/uuid/dist/native.js
-var import_crypto2 = require("crypto");
+var import_node_crypto2 = require("node:crypto");
-var native_default = { randomUUID: import_crypto2.randomUUID };
+var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist/esm/v4.js
+// node_modules/uuid/dist/v4.js
-function v4(options, buf, offset) {
+function _v4(options, buf, offset) {
-  if (native_default.randomUUID && !buf && !options) {
-    return native_default.randomUUID();
-  }
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();
   if (rnds.length < 16) {
@@ -81737,6 +81732,12 @@ function v4(options, buf, offset) {
   }
   return unsafeStringify(rnds);
 }
+function v4(options, buf, offset) {
+  if (native_default.randomUUID && !buf && !options) {
+    return native_default.randomUUID();
+  }
+  return _v4(options, buf, offset);
+}
 var v4_default = v4;
 
 // src/actions-util.ts
@@ -85651,6 +85652,12 @@ function isHostedRunner() {
     process.env["RUNNER_TOOL_CACHE"]?.includes("hostedtoolcache")
   );
 }
+function parseMatrixInput(matrixInput) {
+  if (matrixInput === void 0 || matrixInput === "null") {
+    return void 0;
+  }
+  return JSON.parse(matrixInput);
+}
 function wrapError(error2) {
   return error2 instanceof Error ? error2 : new Error(String(error2));
 }
@@ -85780,6 +85787,9 @@ async function asyncSome(array, predicate) {
   const results = await Promise.all(array.map(predicate));
   return results.some((result) => result);
 }
+function isDefined(value) {
+  return value !== void 0 && value !== null;
+}
 
 // src/actions-util.ts
 var pkg = require_package();
@@ -86098,6 +86108,25 @@ async function getAnalysisKey() {
   core5.exportVariable(analysisKeyEnvVar, analysisKey);
   return analysisKey;
 }
+async function getAutomationID() {
+  const analysis_key = await getAnalysisKey();
+  const environment = getRequiredInput("matrix");
+  return computeAutomationID(analysis_key, environment);
+}
+function computeAutomationID(analysis_key, environment) {
+  let automationID = `${analysis_key}/`;
+  const matrix = parseMatrixInput(environment);
+  if (matrix !== void 0) {
+    for (const entry of Object.entries(matrix).sort()) {
+      if (typeof entry[1] === "string") {
+        automationID += `${entry[0]}:${entry[1]}/`;
+      } else {
+        automationID += `${entry[0]}:/`;
+      }
+    }
+  }
+  return automationID;
+}
 
 // src/caching-utils.ts
 var core6 = __toESM(require_core());
@@ -86169,6 +86198,7 @@ async function parseAnalysisKinds(input) {
     new Set(components.map((component) => component))
   );
 }
+var codeQualityQueries = ["code-quality"];
 
 // src/feature-flags.ts
 var fs7 = __toESM(require("fs"));
@@ -86176,10 +86206,11 @@ var path8 = __toESM(require("path"));
 var semver3 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.22.4";
+var bundleVersion = "codeql-bundle-v2.23.0";
-var cliVersion = "2.22.4";
+var cliVersion = "2.23.0";
 
 // src/overlay-database-utils.ts
+var crypto = __toESM(require("crypto"));
 var fs6 = __toESM(require("fs"));
 var path7 = __toESM(require("path"));
 var actionsCache = __toESM(require_cache3());
@@ -86458,14 +86489,14 @@ function checkOverlayBaseDatabase(config, logger, warningPrefix) {
   return true;
 }
 async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) {
-  const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+  const overlayDatabaseMode = config.overlayDatabaseMode;
   if (overlayDatabaseMode !== "overlay" /* Overlay */) {
     logger.debug(
       `Overlay database mode is ${overlayDatabaseMode}. Skip downloading overlay-base database from cache.`
     );
     return void 0;
   }
-  if (!config.augmentationProperties.useOverlayDatabaseCaching) {
+  if (!config.useOverlayDatabaseCaching) {
     logger.debug(
       "Overlay database caching is disabled. Skip downloading overlay-base database from cache."
     );
@@ -86479,16 +86510,19 @@ async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) {
   }
   const dbLocation = config.dbLocation;
   const codeQlVersion = (await codeql.getVersion()).version;
-  const restoreKey = getCacheRestoreKey(config, codeQlVersion);
+  const cacheRestoreKeyPrefix = await getCacheRestoreKeyPrefix(
+    config,
+    codeQlVersion
+  );
   logger.info(
-    `Looking in Actions cache for overlay-base database with restore key ${restoreKey}`
+    `Looking in Actions cache for overlay-base database with restore key ${cacheRestoreKeyPrefix}`
   );
   let databaseDownloadDurationMs = 0;
   try {
     const databaseDownloadStart = performance.now();
     const foundKey = await withTimeout(
       MAX_CACHE_OPERATION_MS,
-      actionsCache.restoreCache([dbLocation], restoreKey),
+      actionsCache.restoreCache([dbLocation], cacheRestoreKeyPrefix),
       () => {
         logger.info("Timed out downloading overlay-base database from cache");
       }
@@ -86531,9 +86565,18 @@ async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) {
     databaseDownloadDurationMs
   };
 }
-function getCacheRestoreKey(config, codeQlVersion) {
+async function getCacheRestoreKeyPrefix(config, codeQlVersion) {
   const languages = [...config.languages].sort().join("_");
-  return `${CACHE_PREFIX}-${CACHE_VERSION}-${languages}-${codeQlVersion}-`;
+  const cacheKeyComponents = {
+    automationID: await getAutomationID()
+    // Add more components here as needed in the future
+  };
+  const componentsHash = createCacheKeyHash(cacheKeyComponents);
+  return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languages}-${codeQlVersion}-`;
+}
+function createCacheKeyHash(components) {
+  const componentsJson = JSON.stringify(components);
+  return crypto.createHash("sha256").update(componentsJson).digest("hex").substring(0, 16);
 }
 
 // src/tools-features.ts
@@ -87116,15 +87159,6 @@ async function cachePrefix(codeql, language) {
 
 // src/config-utils.ts
 var PACKS_PROPERTY = "packs";
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 function getPacksStrInvalid(packStr, configFile) {
   return configFile ? getConfigFilePropertyError(
     configFile,
@@ -87180,7 +87214,7 @@ async function getSupportedLanguageMap(codeql) {
 var baseWorkflowsPath = ".github/workflows";
 function hasActionsWorkflows(sourceRoot) {
   const workflowsPath = path10.resolve(sourceRoot, baseWorkflowsPath);
-  const stats = fs9.lstatSync(workflowsPath);
+  const stats = fs9.lstatSync(workflowsPath, { throwIfNoEntry: false });
   return stats !== void 0 && stats.isDirectory() && fs9.readdirSync(workflowsPath).length > 0;
 }
 async function getRawLanguagesInRepo(repository, sourceRoot, logger) {
@@ -87247,7 +87281,7 @@ async function getRawLanguages(languagesInput, repository, sourceRoot, logger) {
     autodetected: true
   };
 }
-async function getDefaultConfig({
+async function initActionState({
   analysisKindsInput,
   languagesInput,
   queriesInput,
@@ -87267,7 +87301,7 @@ async function getDefaultConfig({
   githubVersion,
   features,
   logger
-}) {
+}, userConfig) {
   const analysisKinds = await parseAnalysisKinds(analysisKindsInput);
   if (!analysisKinds.includes("code-quality" /* CodeQuality */) && qualityQueriesInput !== void 0) {
     analysisKinds.push("code-quality" /* CodeQuality */);
@@ -87296,11 +87330,16 @@ async function getDefaultConfig({
     languages,
     logger
   );
+  const computedConfig = generateCodeScanningConfig(
+    userConfig,
+    augmentationProperties
+  );
   return {
     analysisKinds,
     languages,
     buildMode,
-    originalUserInput: {},
+    originalUserInput: userConfig,
+    computedConfig,
     tempDir,
     codeQLCmd: codeql.getPath(),
     gitHubVersion: githubVersion,
@@ -87308,10 +87347,12 @@ async function getDefaultConfig({
     debugMode,
     debugArtifactName,
     debugDatabaseName,
-    augmentationProperties,
     trapCaches,
     trapCacheDownloadTime,
-    dependencyCachingEnabled: getCachingKind(dependencyCachingEnabled)
+    dependencyCachingEnabled: getCachingKind(dependencyCachingEnabled),
+    extraQueryExclusions: [],
+    overlayDatabaseMode: "none" /* None */,
+    useOverlayDatabaseCaching: false
   };
 }
 async function downloadCacheWithTime(trapCachingEnabled, codeQL, languages, logger) {
@@ -87355,10 +87396,7 @@ async function calculateAugmentation(rawPacksInput, rawQueriesInput, languages)
     packsInputCombines,
     packsInput: packsInput?.[languages[0]],
     queriesInput,
-    queriesInputCombines,
+    queriesInputCombines
-    extraQueryExclusions: [],
-    overlayDatabaseMode: "none" /* None */,
-    useOverlayDatabaseCaching: false
   };
 }
 function parseQueriesFromInput(rawQueriesInput, queriesInputCombines) {
@@ -87585,6 +87623,9 @@ function dbLocationOrDefault(dbLocation, tempDir) {
 function userConfigFromActionPath(tempDir) {
   return path10.resolve(tempDir, "user-config-from-action.yml");
 }
+function hasQueryCustomisation(userConfig) {
+  return isDefined(userConfig["disable-default-queries"]) || isDefined(userConfig.queries) || isDefined(userConfig["query-filters"]);
+}
 async function initConfig(inputs) {
   const { logger, tempDir } = inputs;
   if (inputs.configInput) {
@@ -87609,9 +87650,18 @@ async function initConfig(inputs) {
       tempDir
     );
   }
-  const config = await getDefaultConfig(inputs);
+  const config = await initActionState(inputs, userConfig);
-  const augmentationProperties = config.augmentationProperties;
+  if (config.analysisKinds.length === 1 && isCodeQualityEnabled(config)) {
-  config.originalUserInput = userConfig;
+    if (hasQueryCustomisation(config.computedConfig)) {
+      throw new ConfigurationError(
+        "Query customizations are unsupported, because only `code-quality` analysis is enabled."
+      );
+    }
+    const queries = codeQualityQueries.map((v) => ({ uses: v }));
+    config.computedConfig["disable-default-queries"] = true;
+    config.computedConfig.queries = queries;
+    config.computedConfig["query-filters"] = [];
+  }
   const { overlayDatabaseMode, useOverlayDatabaseCaching } = await getOverlayDatabaseMode(
     inputs.codeql,
     inputs.repository,
@@ -87619,20 +87669,20 @@ async function initConfig(inputs) {
     config.languages,
     inputs.sourceRoot,
     config.buildMode,
-    generateCodeScanningConfig(userConfig, augmentationProperties),
+    config.computedConfig,
     logger
   );
   logger.info(
     `Using overlay database mode: ${overlayDatabaseMode} ${useOverlayDatabaseCaching ? "with" : "without"} caching.`
   );
-  augmentationProperties.overlayDatabaseMode = overlayDatabaseMode;
+  config.overlayDatabaseMode = overlayDatabaseMode;
-  augmentationProperties.useOverlayDatabaseCaching = useOverlayDatabaseCaching;
+  config.useOverlayDatabaseCaching = useOverlayDatabaseCaching;
   if (overlayDatabaseMode === "overlay" /* Overlay */ || await shouldPerformDiffInformedAnalysis(
     inputs.codeql,
     inputs.features,
     logger
   )) {
-    augmentationProperties.extraQueryExclusions.push({
+    config.extraQueryExclusions.push({
       exclude: { tags: "exclude-from-incremental" }
     });
   }
@@ -87825,19 +87875,29 @@ function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
   if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
     delete augmentedConfig.packs;
   }
+  return augmentedConfig;
+}
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
+  const augmentedConfig = cloneObject(cliConfig);
+  if (extraQueryExclusions.length === 0) {
+    return augmentedConfig;
+  }
   augmentedConfig["query-filters"] = [
     // Ordering matters. If the first filter is an inclusion, it implicitly
     // excludes all queries that are not included. If it is an exclusion,
     // it implicitly includes all queries that are not excluded. So user
     // filters (if any) should always be first to preserve intent.
     ...augmentedConfig["query-filters"] || [],
-    ...augmentationProperties.extraQueryExclusions
+    ...extraQueryExclusions
   ];
   if (augmentedConfig["query-filters"]?.length === 0) {
     delete augmentedConfig["query-filters"];
   }
   return augmentedConfig;
 }
+function isCodeQualityEnabled(config) {
+  return config.analysisKinds.includes("code-quality" /* CodeQuality */);
+}
 
 // src/dependency-caching.ts
 var os2 = __toESM(require("os"));
@@ -89192,7 +89252,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         await this.getVersion(),
         "forceOverwrite" /* ForceOverwrite */
       ) ? "--force-overwrite" : "--overwrite";
-      const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+      const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === "overlay" /* Overlay */) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -89606,9 +89666,9 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
+  const augmentedConfig = appendExtraQueryExclusions(
-    config.originalUserInput,
+    config.extraQueryExclusions,
-    config.augmentationProperties
+    config.computedConfig
   );
   logger.info(
     `Writing augmented user configuration file to ${codeScanningConfigFile}`
@@ -89988,6 +90048,51 @@ async function sendStatusReport(statusReport) {
     );
   }
 }
+async function createInitWithConfigStatusReport(config, initStatusReport, configFile, totalCacheSize, overlayBaseDatabaseStats) {
+  const languages = config.languages.join(",");
+  const paths = (config.originalUserInput.paths || []).join(",");
+  const pathsIgnore = (config.originalUserInput["paths-ignore"] || []).join(
+    ","
+  );
+  const disableDefaultQueries = config.originalUserInput["disable-default-queries"] ? languages : "";
+  const queries = [];
+  let queriesInput = getOptionalInput("queries")?.trim();
+  if (queriesInput === void 0 || queriesInput.startsWith("+")) {
+    queries.push(
+      ...(config.originalUserInput.queries || []).map((q) => q.uses)
+    );
+  }
+  if (queriesInput !== void 0) {
+    queriesInput = queriesInput.startsWith("+") ? queriesInput.slice(1) : queriesInput;
+    queries.push(...queriesInput.split(","));
+  }
+  let packs = {};
+  if (Array.isArray(config.computedConfig.packs)) {
+    packs[config.languages[0]] = config.computedConfig.packs;
+  } else if (config.computedConfig.packs !== void 0) {
+    packs = config.computedConfig.packs;
+  }
+  return {
+    ...initStatusReport,
+    config_file: configFile ?? "",
+    disable_default_queries: disableDefaultQueries,
+    paths,
+    paths_ignore: pathsIgnore,
+    queries: queries.join(","),
+    packs: JSON.stringify(packs),
+    trap_cache_languages: Object.keys(config.trapCaches).join(","),
+    trap_cache_download_size_bytes: totalCacheSize,
+    trap_cache_download_duration_ms: Math.round(config.trapCacheDownloadTime),
+    overlay_base_database_download_size_bytes: overlayBaseDatabaseStats?.databaseSizeBytes,
+    overlay_base_database_download_duration_ms: overlayBaseDatabaseStats?.databaseDownloadDurationMs,
+    query_filters: JSON.stringify(
+      config.originalUserInput["query-filters"] ?? []
+    ),
+    registries: JSON.stringify(
+      parseRegistriesWithoutCredentials(getOptionalInput("registries")) ?? []
+    )
+  };
+}
 
 // src/workflow.ts
 var fs16 = __toESM(require("fs"));
@@ -90175,64 +90280,15 @@ async function sendCompletedStatusReport(startedAt, config, configFile, toolsDow
     initToolsDownloadFields.tools_feature_flags_valid = toolsFeatureFlagsValid;
   }
   if (config !== void 0) {
-    const languages = config.languages.join(",");
+    const initWithConfigStatusReport = await createInitWithConfigStatusReport(
-    const paths = (config.originalUserInput.paths || []).join(",");
+      config,
-    const pathsIgnore = (config.originalUserInput["paths-ignore"] || []).join(
+      initStatusReport,
-      ","
+      configFile,
-    );
+      Math.round(
-    const disableDefaultQueries = config.originalUserInput["disable-default-queries"] ? languages : "";
-    const queries = [];
-    let queriesInput = getOptionalInput("queries")?.trim();
-    if (queriesInput === void 0 || queriesInput.startsWith("+")) {
-      queries.push(
-        ...(config.originalUserInput.queries || []).map((q) => q.uses)
-      );
-    }
-    if (queriesInput !== void 0) {
-      queriesInput = queriesInput.startsWith("+") ? queriesInput.slice(1) : queriesInput;
-      queries.push(...queriesInput.split(","));
-    }
-    let packs = {};
-    if ((config.augmentationProperties.packsInputCombines || !config.augmentationProperties.packsInput) && config.originalUserInput.packs) {
-      const copyPacksFromOriginalUserInput = cloneObject(
-        config.originalUserInput.packs
-      );
-      if (Array.isArray(copyPacksFromOriginalUserInput)) {
-        packs[config.languages[0]] = copyPacksFromOriginalUserInput;
-      } else {
-        packs = copyPacksFromOriginalUserInput;
-      }
-    }
-    if (config.augmentationProperties.packsInput) {
-      packs[config.languages[0]] ??= [];
-      packs[config.languages[0]].push(
-        ...config.augmentationProperties.packsInput
-      );
-    }
-    const initWithConfigStatusReport = {
-      ...initStatusReport,
-      config_file: configFile ?? "",
-      disable_default_queries: disableDefaultQueries,
-      paths,
-      paths_ignore: pathsIgnore,
-      queries: queries.join(","),
-      packs: JSON.stringify(packs),
-      trap_cache_languages: Object.keys(config.trapCaches).join(","),
-      trap_cache_download_size_bytes: Math.round(
         await getTotalCacheSize(Object.values(config.trapCaches), logger)
       ),
-      trap_cache_download_duration_ms: Math.round(config.trapCacheDownloadTime),
+      overlayBaseDatabaseStats
-      overlay_base_database_download_size_bytes: overlayBaseDatabaseStats?.databaseSizeBytes,
+    );
-      overlay_base_database_download_duration_ms: overlayBaseDatabaseStats?.databaseDownloadDurationMs,
-      query_filters: JSON.stringify(
-        config.originalUserInput["query-filters"] ?? []
-      ),
-      registries: JSON.stringify(
-        parseRegistriesWithoutCredentials(
-          getOptionalInput("registries")
-        ) ?? []
-      )
-    };
     await sendStatusReport({
       ...initWithConfigStatusReport,
       ...initToolsDownloadFields
@@ -90391,20 +90447,20 @@ async function run() {
   }
   let overlayBaseDatabaseStats;
   try {
-    if (config.augmentationProperties.overlayDatabaseMode === "overlay" /* Overlay */ && config.augmentationProperties.useOverlayDatabaseCaching) {
+    if (config.overlayDatabaseMode === "overlay" /* Overlay */ && config.useOverlayDatabaseCaching) {
       overlayBaseDatabaseStats = await downloadOverlayBaseDatabaseFromCache(
         codeql,
         config,
         logger
       );
       if (!overlayBaseDatabaseStats) {
-        config.augmentationProperties.overlayDatabaseMode = "none" /* None */;
+        config.overlayDatabaseMode = "none" /* None */;
         logger.info(
           `No overlay-base database found in cache, reverting overlay database mode to ${"none" /* None */}.`
         );
       }
     }
-    if (config.augmentationProperties.overlayDatabaseMode !== "overlay" /* Overlay */) {
+    if (config.overlayDatabaseMode !== "overlay" /* Overlay */) {
       cleanupDatabaseClusterDirectory(config, logger);
     }
     if (zstdAvailability) {
@@ -90581,11 +90637,11 @@ exec ${goBinaryPath} "$@"`
       qlconfigFile,
       logger
     );
-    if (config.augmentationProperties.overlayDatabaseMode !== "none" /* None */ && !await checkPacksForOverlayCompatibility(codeql, config, logger)) {
+    if (config.overlayDatabaseMode !== "none" /* None */ && !await checkPacksForOverlayCompatibility(codeql, config, logger)) {
       logger.info(
         "Reverting overlay database mode to None due to incompatible packs."
       );
-      config.augmentationProperties.overlayDatabaseMode = "none" /* None */;
+      config.overlayDatabaseMode = "none" /* None */;
       cleanupDatabaseClusterDirectory(config, logger, {
         disableExistingDirectoryWarning: true
       });

lib/resolve-environment-action.js

@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.2",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -26486,26 +26486,24 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.35.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^14.1.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
+        "@typescript-eslint/eslint-plugin": "^8.43.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.25.9",
@@ -31823,14 +31821,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -31841,7 +31839,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -78650,15 +78648,6 @@ var featureConfig = {
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
@@ -78702,38 +78691,10 @@ async function getConfig(tempDir, logger) {
   logger.debug(configString);
   return JSON.parse(configString);
 }
-function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
-  const augmentedConfig = cloneObject(originalUserInput);
+  const augmentedConfig = cloneObject(cliConfig);
-  if (augmentationProperties.queriesInput) {
+  if (extraQueryExclusions.length === 0) {
-    if (augmentationProperties.queriesInputCombines) {
+    return augmentedConfig;
-      augmentedConfig.queries = (augmentedConfig.queries || []).concat(
-        augmentationProperties.queriesInput
-      );
-    } else {
-      augmentedConfig.queries = augmentationProperties.queriesInput;
-    }
-  }
-  if (augmentedConfig.queries?.length === 0) {
-    delete augmentedConfig.queries;
-  }
-  if (augmentationProperties.packsInput) {
-    if (augmentationProperties.packsInputCombines) {
-      if (Array.isArray(augmentedConfig.packs)) {
-        augmentedConfig.packs = (augmentedConfig.packs || []).concat(
-          augmentationProperties.packsInput
-        );
-      } else if (!augmentedConfig.packs) {
-        augmentedConfig.packs = augmentationProperties.packsInput;
-      } else {
-        const language = Object.keys(augmentedConfig.packs)[0];
-        augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput);
-      }
-    } else {
-      augmentedConfig.packs = augmentationProperties.packsInput;
-    }
-  }
-  if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
-    delete augmentedConfig.packs;
   }
   augmentedConfig["query-filters"] = [
     // Ordering matters. If the first filter is an inclusion, it implicitly
@@ -78741,7 +78702,7 @@ function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
     // it implicitly includes all queries that are not excluded. So user
     // filters (if any) should always be first to preserve intent.
     ...augmentedConfig["query-filters"] || [],
-    ...augmentationProperties.extraQueryExclusions
+    ...extraQueryExclusions
   ];
   if (augmentedConfig["query-filters"]?.length === 0) {
     delete augmentedConfig["query-filters"];
@@ -78869,7 +78830,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         await this.getVersion(),
         "forceOverwrite" /* ForceOverwrite */
       ) ? "--force-overwrite" : "--overwrite";
-      const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+      const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === "overlay" /* Overlay */) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -79283,9 +79244,9 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
+  const augmentedConfig = appendExtraQueryExclusions(
-    config.originalUserInput,
+    config.extraQueryExclusions,
-    config.augmentationProperties
+    config.computedConfig
   );
   logger.info(
     `Writing augmented user configuration file to ${codeScanningConfigFile}`

lib/start-proxy-action-post.js

@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.2",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -26486,26 +26486,24 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.35.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^14.1.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
+        "@typescript-eslint/eslint-plugin": "^8.43.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.25.9",
@@ -31823,14 +31821,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -31841,7 +31839,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -101572,7 +101570,7 @@ var require_dist_node16 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -101580,7 +101578,7 @@ var require_dist_node16 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -101590,12 +101588,12 @@ var require_dist_node16 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(encodeValue(operator, value2, isKeyOperator(operator) ? key : ""));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -101603,12 +101601,12 @@ var require_dist_node16 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -101623,7 +101621,7 @@ var require_dist_node16 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -117330,15 +117328,6 @@ var featureConfig = {
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,

lib/start-proxy-action.js

@@ -44966,7 +44966,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.2",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -45014,26 +45014,24 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.35.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^14.1.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
+        "@typescript-eslint/eslint-plugin": "^8.43.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.25.9",
@@ -47755,6 +47753,9 @@ async function delay(milliseconds, opts) {
 function getErrorMessage(error2) {
   return error2 instanceof Error ? error2.message : String(error2);
 }
+function isDefined(value) {
+  return value !== void 0 && value !== null;
+}
 
 // src/actions-util.ts
 var pkg = require_package();
@@ -47819,17 +47820,14 @@ function parseLanguage(language) {
   return void 0;
 }
 var LANGUAGE_TO_REGISTRY_TYPE = {
-  java: "maven_repository",
+  java: ["maven_repository"],
-  csharp: "nuget_feed",
+  csharp: ["nuget_feed"],
-  javascript: "npm_registry",
+  javascript: ["npm_registry"],
-  python: "python_index",
+  python: ["python_index"],
-  ruby: "rubygems_server",
+  ruby: ["rubygems_server"],
-  rust: "cargo_registry",
+  rust: ["cargo_registry"],
-  go: "goproxy_server"
+  go: ["goproxy_server", "git_source"]
 };
-function isDefined(value) {
-  return value !== void 0 && value !== null;
-}
 function getCredentials(logger, registrySecrets, registriesCredentials, languageString) {
   const language = languageString ? parseLanguage(languageString) : void 0;
   const registryTypeForLanguage = language ? LANGUAGE_TO_REGISTRY_TYPE[language] : void 0;
@@ -47872,7 +47870,7 @@ function getCredentials(logger, registrySecrets, registriesCredentials, language
         "Invalid credentials - must specify host or url"
       );
     }
-    if (registryTypeForLanguage && e.type !== registryTypeForLanguage) {
+    if (registryTypeForLanguage && !registryTypeForLanguage.some((t) => t === e.type)) {
       continue;
     }
     const isPrintable2 = (str2) => {

lib/upload-lib.js

@@ -21585,7 +21585,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21593,7 +21593,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21605,14 +21605,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21620,12 +21620,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21640,7 +21640,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -22325,7 +22325,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -22333,7 +22333,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -22345,14 +22345,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -22360,12 +22360,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -22380,7 +22380,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -33584,7 +33584,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.2",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -33632,26 +33632,24 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.35.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^14.1.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
+        "@typescript-eslint/eslint-plugin": "^8.43.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.25.9",
@@ -38969,14 +38967,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -38987,7 +38985,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -84780,10 +84778,7 @@ var require_sarif_schema_2_1_0 = __commonJS({
 // src/upload-lib.ts
 var upload_lib_exports = {};
 __export(upload_lib_exports, {
-  CodeQualityTarget: () => CodeQualityTarget,
-  CodeScanningTarget: () => CodeScanningTarget,
   InvalidSarifUploadError: () => InvalidSarifUploadError,
-  SARIF_UPLOAD_ENDPOINT: () => SARIF_UPLOAD_ENDPOINT,
   buildPayload: () => buildPayload,
   findSarifFilesInDir: () => findSarifFilesInDir,
   getSarifFilePaths: () => getSarifFilePaths,
@@ -88898,8 +88893,8 @@ var path8 = __toESM(require("path"));
 var semver3 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.22.4";
+var bundleVersion = "codeql-bundle-v2.23.0";
-var cliVersion = "2.22.4";
+var cliVersion = "2.23.0";
 
 // src/overlay-database-utils.ts
 var fs5 = __toESM(require("fs"));
@@ -89367,15 +89362,6 @@ ${jsonContents}`
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
@@ -89419,38 +89405,10 @@ async function getConfig(tempDir, logger) {
   logger.debug(configString);
   return JSON.parse(configString);
 }
-function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
-  const augmentedConfig = cloneObject(originalUserInput);
+  const augmentedConfig = cloneObject(cliConfig);
-  if (augmentationProperties.queriesInput) {
+  if (extraQueryExclusions.length === 0) {
-    if (augmentationProperties.queriesInputCombines) {
+    return augmentedConfig;
-      augmentedConfig.queries = (augmentedConfig.queries || []).concat(
-        augmentationProperties.queriesInput
-      );
-    } else {
-      augmentedConfig.queries = augmentationProperties.queriesInput;
-    }
-  }
-  if (augmentedConfig.queries?.length === 0) {
-    delete augmentedConfig.queries;
-  }
-  if (augmentationProperties.packsInput) {
-    if (augmentationProperties.packsInputCombines) {
-      if (Array.isArray(augmentedConfig.packs)) {
-        augmentedConfig.packs = (augmentedConfig.packs || []).concat(
-          augmentationProperties.packsInput
-        );
-      } else if (!augmentedConfig.packs) {
-        augmentedConfig.packs = augmentationProperties.packsInput;
-      } else {
-        const language = Object.keys(augmentedConfig.packs)[0];
-        augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput);
-      }
-    } else {
-      augmentedConfig.packs = augmentationProperties.packsInput;
-    }
-  }
-  if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
-    delete augmentedConfig.packs;
   }
   augmentedConfig["query-filters"] = [
     // Ordering matters. If the first filter is an inclusion, it implicitly
@@ -89458,7 +89416,7 @@ function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
     // it implicitly includes all queries that are not excluded. So user
     // filters (if any) should always be first to preserve intent.
     ...augmentedConfig["query-filters"] || [],
-    ...augmentationProperties.extraQueryExclusions
+    ...extraQueryExclusions
   ];
   if (augmentedConfig["query-filters"]?.length === 0) {
     delete augmentedConfig["query-filters"];
@@ -89473,7 +89431,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist/esm/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -89482,27 +89440,24 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist/esm/rng.js
+// node_modules/uuid/dist/rng.js
-var import_crypto = require("crypto");
+var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
 function rng() {
   if (poolPtr > rnds8Pool.length - 16) {
-    (0, import_crypto.randomFillSync)(rnds8Pool);
+    (0, import_node_crypto.randomFillSync)(rnds8Pool);
     poolPtr = 0;
   }
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist/esm/native.js
+// node_modules/uuid/dist/native.js
-var import_crypto2 = require("crypto");
+var import_node_crypto2 = require("node:crypto");
-var native_default = { randomUUID: import_crypto2.randomUUID };
+var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist/esm/v4.js
+// node_modules/uuid/dist/v4.js
-function v4(options, buf, offset) {
+function _v4(options, buf, offset) {
-  if (native_default.randomUUID && !buf && !options) {
-    return native_default.randomUUID();
-  }
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();
   if (rnds.length < 16) {
@@ -89522,6 +89477,12 @@ function v4(options, buf, offset) {
   }
   return unsafeStringify(rnds);
 }
+function v4(options, buf, offset) {
+  if (native_default.randomUUID && !buf && !options) {
+    return native_default.randomUUID();
+  }
+  return _v4(options, buf, offset);
+}
 var v4_default = v4;
 
 // src/tar.ts
@@ -90435,7 +90396,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         await this.getVersion(),
         "forceOverwrite" /* ForceOverwrite */
       ) ? "--force-overwrite" : "--overwrite";
-      const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+      const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === "overlay" /* Overlay */) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -90849,9 +90810,9 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
+  const augmentedConfig = appendExtraQueryExclusions(
-    config.originalUserInput,
+    config.extraQueryExclusions,
-    config.augmentationProperties
+    config.computedConfig
   );
   logger.info(
     `Writing augmented user configuration file to ${codeScanningConfigFile}`
@@ -92219,7 +92180,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
   return JSON.parse(fs13.readFileSync(outputFile, "utf8"));
 }
 function populateRunAutomationDetails(sarif, category, analysis_key, environment) {
-  const automationID = getAutomationID(category, analysis_key, environment);
+  const automationID = getAutomationID2(category, analysis_key, environment);
   if (automationID !== void 0) {
     for (const run of sarif.runs || []) {
       if (run.automationDetails === void 0) {
@@ -92232,7 +92193,7 @@ function populateRunAutomationDetails(sarif, category, analysis_key, environment
   }
   return sarif;
 }
-function getAutomationID(category, analysis_key, environment) {
+function getAutomationID2(category, analysis_key, environment) {
   if (category !== void 0) {
     let automationID = category;
     if (!automationID.endsWith("/")) {
@@ -92242,11 +92203,6 @@ function getAutomationID(category, analysis_key, environment) {
   }
   return computeAutomationID(analysis_key, environment);
 }
-var SARIF_UPLOAD_ENDPOINT = /* @__PURE__ */ ((SARIF_UPLOAD_ENDPOINT2) => {
-  SARIF_UPLOAD_ENDPOINT2["CODE_SCANNING"] = "PUT /repos/:owner/:repo/code-scanning/analysis";
-  SARIF_UPLOAD_ENDPOINT2["CODE_QUALITY"] = "PUT /repos/:owner/:repo/code-quality/analysis";
-  return SARIF_UPLOAD_ENDPOINT2;
-})(SARIF_UPLOAD_ENDPOINT || {});
 async function uploadPayload(payload, repositoryNwo, logger, target) {
   logger.info("Uploading results");
   if (isInTestMode()) {
@@ -92415,18 +92371,6 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
   }
   return payloadObj;
 }
-var CodeScanningTarget = {
-  name: "code scanning",
-  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
-  sarifPredicate: (name) => name.endsWith(".sarif") && !CodeQualityTarget.sarifPredicate(name),
-  sentinelPrefix: "CODEQL_UPLOAD_SARIF_"
-};
-var CodeQualityTarget = {
-  name: "code quality",
-  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
-  sarifPredicate: (name) => name.endsWith(".quality.sarif"),
-  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_"
-};
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
   const sarifPaths = getSarifFilePaths(
     inputSarifPath,
@@ -92441,7 +92385,7 @@ async function uploadFiles(inputSarifPath, checkoutPath, category, features, log
     uploadTarget
   );
 }
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget = CodeScanningTarget) {
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
   logger.startGroup(`Uploading ${uploadTarget.name} results`);
   logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
   const gitHubVersion = await getGitHubVersion();
@@ -92612,7 +92556,7 @@ function handleProcessingResultForUnsuccessfulExecution(response, status, logger
     assertNever(status);
   }
 }
-function validateUniqueCategory(sarif, sentinelPrefix = CodeScanningTarget.sentinelPrefix) {
+function validateUniqueCategory(sarif, sentinelPrefix) {
   const categories = {};
   for (const run of sarif.runs) {
     const id = run?.automationDetails?.id;
@@ -92669,10 +92613,7 @@ function filterAlertsByDiffRange(logger, sarif) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  CodeQualityTarget,
-  CodeScanningTarget,
   InvalidSarifUploadError,
-  SARIF_UPLOAD_ENDPOINT,
   buildPayload,
   findSarifFilesInDir,
   getSarifFilePaths,

lib/upload-sarif-action-post.js

@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.2",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -26486,26 +26486,24 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.35.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^14.1.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
+        "@typescript-eslint/eslint-plugin": "^8.43.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.25.9",
@@ -35660,14 +35658,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -35678,7 +35676,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -95694,7 +95692,7 @@ var require_dist_node16 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -95702,7 +95700,7 @@ var require_dist_node16 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -95712,12 +95710,12 @@ var require_dist_node16 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(encodeValue(operator, value2, isKeyOperator(operator) ? key : ""));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -95725,12 +95723,12 @@ var require_dist_node16 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -95745,7 +95743,7 @@ var require_dist_node16 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -117495,15 +117493,6 @@ var featureConfig = {
 var actionsCache2 = __toESM(require_cache3());
 
 // src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
 var OVERLAY_ANALYSIS_FEATURES = {
   actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
   cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,

lib/upload-sarif-action.js

@@ -20288,7 +20288,7 @@ var require_dist_node2 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -20296,7 +20296,7 @@ var require_dist_node2 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -20308,14 +20308,14 @@ var require_dist_node2 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -20323,12 +20323,12 @@ var require_dist_node2 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -20343,7 +20343,7 @@ var require_dist_node2 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -21028,7 +21028,7 @@ var require_dist_node6 = __commonJS({
         return value;
       }
     }
-    function isDefined(value) {
+    function isDefined2(value) {
       return value !== void 0 && value !== null;
     }
     function isKeyOperator(operator) {
@@ -21036,7 +21036,7 @@ var require_dist_node6 = __commonJS({
     }
     function getValues(context2, operator, key, modifier) {
       var value = context2[key], result = [];
-      if (isDefined(value) && value !== "") {
+      if (isDefined2(value) && value !== "") {
         if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
           value = value.toString();
           if (modifier && modifier !== "*") {
@@ -21048,14 +21048,14 @@ var require_dist_node6 = __commonJS({
         } else {
           if (modifier === "*") {
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 result.push(
                   encodeValue(operator, value2, isKeyOperator(operator) ? key : "")
                 );
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   result.push(encodeValue(operator, value[k], k));
                 }
               });
@@ -21063,12 +21063,12 @@ var require_dist_node6 = __commonJS({
           } else {
             const tmp = [];
             if (Array.isArray(value)) {
-              value.filter(isDefined).forEach(function(value2) {
+              value.filter(isDefined2).forEach(function(value2) {
                 tmp.push(encodeValue(operator, value2));
               });
             } else {
               Object.keys(value).forEach(function(k) {
-                if (isDefined(value[k])) {
+                if (isDefined2(value[k])) {
                   tmp.push(encodeUnreserved(k));
                   tmp.push(encodeValue(operator, value[k].toString()));
                 }
@@ -21083,7 +21083,7 @@ var require_dist_node6 = __commonJS({
         }
       } else {
         if (operator === ";") {
-          if (isDefined(value)) {
+          if (isDefined2(value)) {
             result.push(encodeUnreserved(key));
           }
         } else if (value === "" && (operator === "&" || operator === "?")) {
@@ -32287,7 +32287,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.1",
+      version: "3.30.2",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -32335,26 +32335,24 @@ var require_package = __commonJS({
         "node-forge": "^1.3.1",
         octokit: "^5.0.3",
         semver: "^7.7.2",
-        uuid: "^11.1.0"
+        uuid: "^12.0.0"
       },
       devDependencies: {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.35.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^14.1.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
+        "@typescript-eslint/eslint-plugin": "^8.43.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
         esbuild: "^0.25.9",
@@ -37672,14 +37670,14 @@ var require_typeGuards = __commonJS({
   "node_modules/@azure/core-util/dist/commonjs/typeGuards.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.isDefined = isDefined;
+    exports2.isDefined = isDefined2;
     exports2.isObjectWithProperties = isObjectWithProperties;
     exports2.objectHasProperty = objectHasProperty;
-    function isDefined(thing) {
+    function isDefined2(thing) {
       return typeof thing !== "undefined" && thing !== null;
     }
     function isObjectWithProperties(thing, properties) {
-      if (!isDefined(thing) || typeof thing !== "object") {
+      if (!isDefined2(thing) || typeof thing !== "object") {
         return false;
       }
       for (const property of properties) {
@@ -37690,7 +37688,7 @@ var require_typeGuards = __commonJS({
       return true;
     }
     function objectHasProperty(thing, property) {
-      return isDefined(thing) && typeof thing === "object" && property in thing;
+      return isDefined2(thing) && typeof thing === "object" && property in thing;
     }
   }
 });
@@ -88720,6 +88718,30 @@ function fixCodeQualityCategory(logger, category) {
   return category;
 }
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+var CodeScanning = {
+  kind: "code-scanning" /* CodeScanning */,
+  name: "code scanning",
+  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
+  sarifExtension: ".sarif",
+  sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name),
+  sentinelPrefix: "CODEQL_UPLOAD_SARIF_"
+};
+var CodeQuality = {
+  kind: "code-quality" /* CodeQuality */,
+  name: "code quality",
+  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
+  sarifExtension: ".quality.sarif",
+  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
+  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_"
+};
+
 // src/api-client.ts
 var core5 = __toESM(require_core());
 var githubUtils = __toESM(require_utils4());
@@ -88862,8 +88884,8 @@ var path8 = __toESM(require("path"));
 var semver3 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.22.4";
+var bundleVersion = "codeql-bundle-v2.23.0";
-var cliVersion = "2.22.4";
+var cliVersion = "2.23.0";
 
 // src/overlay-database-utils.ts
 var fs5 = __toESM(require("fs"));
@@ -89580,7 +89602,103 @@ var GitHubFeatureFlags = class {
 
 // src/status-report.ts
 var os = __toESM(require("os"));
+var core9 = __toESM(require_core());
+
+// src/config-utils.ts
+var fs8 = __toESM(require("fs"));
+var path10 = __toESM(require("path"));
+var semver4 = __toESM(require_semver2());
+
+// src/caching-utils.ts
 var core8 = __toESM(require_core());
+
+// src/diff-informed-analysis-utils.ts
+var fs7 = __toESM(require("fs"));
+var path9 = __toESM(require("path"));
+function getDiffRangesJsonFilePath() {
+  return path9.join(getTemporaryDirectory(), "pr-diff-range.json");
+}
+function readDiffRangesJsonFile(logger) {
+  const jsonFilePath = getDiffRangesJsonFilePath();
+  if (!fs7.existsSync(jsonFilePath)) {
+    logger.debug(`Diff ranges JSON file does not exist at ${jsonFilePath}`);
+    return void 0;
+  }
+  const jsonContents = fs7.readFileSync(jsonFilePath, "utf8");
+  logger.debug(
+    `Read pr-diff-range JSON file from ${jsonFilePath}:
+${jsonContents}`
+  );
+  return JSON.parse(jsonContents);
+}
+
+// src/trap-caching.ts
+var actionsCache2 = __toESM(require_cache3());
+
+// src/config-utils.ts
+var OVERLAY_ANALYSIS_FEATURES = {
+  actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
+  cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
+  csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
+  go: "overlay_analysis_go" /* OverlayAnalysisGo */,
+  java: "overlay_analysis_java" /* OverlayAnalysisJava */,
+  javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
+  python: "overlay_analysis_python" /* OverlayAnalysisPython */,
+  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
+  rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
+  swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
+};
+var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
+  actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
+  cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
+  csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
+  go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
+  java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
+  javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
+  python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
+  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
+  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
+  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
+};
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+function getPathToParsedConfigFile(tempDir) {
+  return path10.join(tempDir, "config");
+}
+async function getConfig(tempDir, logger) {
+  const configFile = getPathToParsedConfigFile(tempDir);
+  if (!fs8.existsSync(configFile)) {
+    return void 0;
+  }
+  const configString = fs8.readFileSync(configFile, "utf8");
+  logger.debug("Loaded config:");
+  logger.debug(configString);
+  return JSON.parse(configString);
+}
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
+  const augmentedConfig = cloneObject(cliConfig);
+  if (extraQueryExclusions.length === 0) {
+    return augmentedConfig;
+  }
+  augmentedConfig["query-filters"] = [
+    // Ordering matters. If the first filter is an inclusion, it implicitly
+    // excludes all queries that are not included. If it is an exclusion,
+    // it implicitly includes all queries that are not excluded. So user
+    // filters (if any) should always be first to preserve intent.
+    ...augmentedConfig["query-filters"] || [],
+    ...extraQueryExclusions
+  ];
+  if (augmentedConfig["query-filters"]?.length === 0) {
+    delete augmentedConfig["query-filters"];
+  }
+  return augmentedConfig;
+}
+
+// src/status-report.ts
 function isFirstPartyAnalysis(actionName) {
   if (actionName !== "upload-sarif" /* UploadSarif */) {
     return true;
@@ -89599,12 +89717,12 @@ function getActionsStatus(error2, otherFailureCause) {
 }
 function setJobStatusIfUnsuccessful(actionStatus) {
   if (actionStatus === "user-error") {
-    core8.exportVariable(
+    core9.exportVariable(
       "CODEQL_ACTION_JOB_STATUS" /* JOB_STATUS */,
       process.env["CODEQL_ACTION_JOB_STATUS" /* JOB_STATUS */] ?? "JOB_STATUS_CONFIGURATION_ERROR" /* ConfigErrorStatus */
     );
   } else if (actionStatus === "failure" || actionStatus === "aborted") {
-    core8.exportVariable(
+    core9.exportVariable(
       "CODEQL_ACTION_JOB_STATUS" /* JOB_STATUS */,
       process.env["CODEQL_ACTION_JOB_STATUS" /* JOB_STATUS */] ?? "JOB_STATUS_FAILURE" /* FailureStatus */
     );
@@ -89623,14 +89741,14 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
     let workflowStartedAt = process.env["CODEQL_WORKFLOW_STARTED_AT" /* WORKFLOW_STARTED_AT */];
     if (workflowStartedAt === void 0) {
       workflowStartedAt = actionStartedAt.toISOString();
-      core8.exportVariable("CODEQL_WORKFLOW_STARTED_AT" /* WORKFLOW_STARTED_AT */, workflowStartedAt);
+      core9.exportVariable("CODEQL_WORKFLOW_STARTED_AT" /* WORKFLOW_STARTED_AT */, workflowStartedAt);
     }
     const runnerOs = getRequiredEnvParam("RUNNER_OS");
     const codeQlCliVersion = getCachedCodeQlVersion();
     const actionRef = process.env["GITHUB_ACTION_REF"] || "";
     const testingEnvironment = getTestingEnvironment();
     if (testingEnvironment) {
-      core8.exportVariable("CODEQL_ACTION_TESTING_ENVIRONMENT" /* TESTING_ENVIRONMENT */, testingEnvironment);
+      core9.exportVariable("CODEQL_ACTION_TESTING_ENVIRONMENT" /* TESTING_ENVIRONMENT */, testingEnvironment);
     }
     const isSteadyStateDefaultSetupRun = process.env["CODE_SCANNING_IS_STEADY_STATE_DEFAULT_SETUP"] === "true";
     const statusReport = {
@@ -89708,9 +89826,9 @@ var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scan
 async function sendStatusReport(statusReport) {
   setJobStatusIfUnsuccessful(statusReport.status);
   const statusReportJSON = JSON.stringify(statusReport);
-  core8.debug(`Sending status report: ${statusReportJSON}`);
+  core9.debug(`Sending status report: ${statusReportJSON}`);
   if (isInTestMode()) {
-    core8.debug("In test mode. Status reports are not uploaded.");
+    core9.debug("In test mode. Status reports are not uploaded.");
     return;
   }
   const nwo = getRepositoryNwo();
@@ -89729,26 +89847,26 @@ async function sendStatusReport(statusReport) {
       switch (e.status) {
         case 403:
           if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
-            core8.warning(
+            core9.warning(
               `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
             );
           } else {
-            core8.warning(e.message);
+            core9.warning(e.message);
           }
           return;
         case 404:
-          core8.warning(e.message);
+          core9.warning(e.message);
           return;
         case 422:
           if (getRequiredEnvParam("GITHUB_SERVER_URL") !== GITHUB_DOTCOM_URL) {
-            core8.debug(INCOMPATIBLE_MSG);
+            core9.debug(INCOMPATIBLE_MSG);
           } else {
-            core8.debug(OUT_OF_DATE_MSG);
+            core9.debug(OUT_OF_DATE_MSG);
           }
           return;
       }
     }
-    core8.warning(
+    core9.warning(
       `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
         e
       )}`
@@ -90007,145 +90125,6 @@ function wrapCliConfigurationError(cliError) {
   return new ConfigurationError(errorMessageBuilder);
 }
 
-// src/config-utils.ts
-var fs8 = __toESM(require("fs"));
-var path10 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());
-
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core9 = __toESM(require_core());
-
-// src/diff-informed-analysis-utils.ts
-var fs7 = __toESM(require("fs"));
-var path9 = __toESM(require("path"));
-function getDiffRangesJsonFilePath() {
-  return path9.join(getTemporaryDirectory(), "pr-diff-range.json");
-}
-function readDiffRangesJsonFile(logger) {
-  const jsonFilePath = getDiffRangesJsonFilePath();
-  if (!fs7.existsSync(jsonFilePath)) {
-    logger.debug(`Diff ranges JSON file does not exist at ${jsonFilePath}`);
-    return void 0;
-  }
-  const jsonContents = fs7.readFileSync(jsonFilePath, "utf8");
-  logger.debug(
-    `Read pr-diff-range JSON file from ${jsonFilePath}:
-${jsonContents}`
-  );
-  return JSON.parse(jsonContents);
-}
-
-// src/trap-caching.ts
-var actionsCache2 = __toESM(require_cache3());
-
-// src/config-utils.ts
-var defaultAugmentationProperties = {
-  queriesInputCombines: false,
-  packsInputCombines: false,
-  packsInput: void 0,
-  queriesInput: void 0,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: "none" /* None */,
-  useOverlayDatabaseCaching: false
-};
-var OVERLAY_ANALYSIS_FEATURES = {
-  actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
-  cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
-  csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
-  go: "overlay_analysis_go" /* OverlayAnalysisGo */,
-  java: "overlay_analysis_java" /* OverlayAnalysisJava */,
-  javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
-  python: "overlay_analysis_python" /* OverlayAnalysisPython */,
-  ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
-  rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
-  swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
-};
-var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
-  actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
-  cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
-  csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
-  go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
-  java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
-  javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
-  python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
-  ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
-  rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
-  swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
-};
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-function getPathToParsedConfigFile(tempDir) {
-  return path10.join(tempDir, "config");
-}
-async function getConfig(tempDir, logger) {
-  const configFile = getPathToParsedConfigFile(tempDir);
-  if (!fs8.existsSync(configFile)) {
-    return void 0;
-  }
-  const configString = fs8.readFileSync(configFile, "utf8");
-  logger.debug("Loaded config:");
-  logger.debug(configString);
-  return JSON.parse(configString);
-}
-function generateCodeScanningConfig(originalUserInput, augmentationProperties) {
-  const augmentedConfig = cloneObject(originalUserInput);
-  if (augmentationProperties.queriesInput) {
-    if (augmentationProperties.queriesInputCombines) {
-      augmentedConfig.queries = (augmentedConfig.queries || []).concat(
-        augmentationProperties.queriesInput
-      );
-    } else {
-      augmentedConfig.queries = augmentationProperties.queriesInput;
-    }
-  }
-  if (augmentedConfig.queries?.length === 0) {
-    delete augmentedConfig.queries;
-  }
-  if (augmentationProperties.packsInput) {
-    if (augmentationProperties.packsInputCombines) {
-      if (Array.isArray(augmentedConfig.packs)) {
-        augmentedConfig.packs = (augmentedConfig.packs || []).concat(
-          augmentationProperties.packsInput
-        );
-      } else if (!augmentedConfig.packs) {
-        augmentedConfig.packs = augmentationProperties.packsInput;
-      } else {
-        const language = Object.keys(augmentedConfig.packs)[0];
-        augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput);
-      }
-    } else {
-      augmentedConfig.packs = augmentationProperties.packsInput;
-    }
-  }
-  if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
-    delete augmentedConfig.packs;
-  }
-  augmentedConfig["query-filters"] = [
-    // Ordering matters. If the first filter is an inclusion, it implicitly
-    // excludes all queries that are not included. If it is an exclusion,
-    // it implicitly includes all queries that are not excluded. So user
-    // filters (if any) should always be first to preserve intent.
-    ...augmentedConfig["query-filters"] || [],
-    ...augmentationProperties.extraQueryExclusions
-  ];
-  if (augmentedConfig["query-filters"]?.length === 0) {
-    delete augmentedConfig["query-filters"];
-  }
-  return augmentedConfig;
-}
-
 // src/setup-codeql.ts
 var fs11 = __toESM(require("fs"));
 var path12 = __toESM(require("path"));
@@ -90153,7 +90132,7 @@ var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
 var semver7 = __toESM(require_semver2());
 
-// node_modules/uuid/dist/esm/stringify.js
+// node_modules/uuid/dist/stringify.js
 var byteToHex = [];
 for (let i = 0; i < 256; ++i) {
   byteToHex.push((i + 256).toString(16).slice(1));
@@ -90162,27 +90141,24 @@ function unsafeStringify(arr, offset = 0) {
   return (byteToHex[arr[offset + 0]] + byteToHex[arr[offset + 1]] + byteToHex[arr[offset + 2]] + byteToHex[arr[offset + 3]] + "-" + byteToHex[arr[offset + 4]] + byteToHex[arr[offset + 5]] + "-" + byteToHex[arr[offset + 6]] + byteToHex[arr[offset + 7]] + "-" + byteToHex[arr[offset + 8]] + byteToHex[arr[offset + 9]] + "-" + byteToHex[arr[offset + 10]] + byteToHex[arr[offset + 11]] + byteToHex[arr[offset + 12]] + byteToHex[arr[offset + 13]] + byteToHex[arr[offset + 14]] + byteToHex[arr[offset + 15]]).toLowerCase();
 }
 
-// node_modules/uuid/dist/esm/rng.js
+// node_modules/uuid/dist/rng.js
-var import_crypto = require("crypto");
+var import_node_crypto = require("node:crypto");
 var rnds8Pool = new Uint8Array(256);
 var poolPtr = rnds8Pool.length;
 function rng() {
   if (poolPtr > rnds8Pool.length - 16) {
-    (0, import_crypto.randomFillSync)(rnds8Pool);
+    (0, import_node_crypto.randomFillSync)(rnds8Pool);
     poolPtr = 0;
   }
   return rnds8Pool.slice(poolPtr, poolPtr += 16);
 }
 
-// node_modules/uuid/dist/esm/native.js
+// node_modules/uuid/dist/native.js
-var import_crypto2 = require("crypto");
+var import_node_crypto2 = require("node:crypto");
-var native_default = { randomUUID: import_crypto2.randomUUID };
+var native_default = { randomUUID: import_node_crypto2.randomUUID };
 
-// node_modules/uuid/dist/esm/v4.js
+// node_modules/uuid/dist/v4.js
-function v4(options, buf, offset) {
+function _v4(options, buf, offset) {
-  if (native_default.randomUUID && !buf && !options) {
-    return native_default.randomUUID();
-  }
   options = options || {};
   const rnds = options.random ?? options.rng?.() ?? rng();
   if (rnds.length < 16) {
@@ -90202,6 +90178,12 @@ function v4(options, buf, offset) {
   }
   return unsafeStringify(rnds);
 }
+function v4(options, buf, offset) {
+  if (native_default.randomUUID && !buf && !options) {
+    return native_default.randomUUID();
+  }
+  return _v4(options, buf, offset);
+}
 var v4_default = v4;
 
 // src/tar.ts
@@ -91115,7 +91097,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         await this.getVersion(),
         "forceOverwrite" /* ForceOverwrite */
       ) ? "--force-overwrite" : "--overwrite";
-      const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+      const overlayDatabaseMode = config.overlayDatabaseMode;
       if (overlayDatabaseMode === "overlay" /* Overlay */) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -91529,9 +91511,9 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
+  const augmentedConfig = appendExtraQueryExclusions(
-    config.originalUserInput,
+    config.extraQueryExclusions,
-    config.augmentationProperties
+    config.computedConfig
   );
   logger.info(
     `Writing augmented user configuration file to ${codeScanningConfigFile}`
@@ -92899,7 +92881,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
   return JSON.parse(fs14.readFileSync(outputFile, "utf8"));
 }
 function populateRunAutomationDetails(sarif, category, analysis_key, environment) {
-  const automationID = getAutomationID(category, analysis_key, environment);
+  const automationID = getAutomationID2(category, analysis_key, environment);
   if (automationID !== void 0) {
     for (const run2 of sarif.runs || []) {
       if (run2.automationDetails === void 0) {
@@ -92912,7 +92894,7 @@ function populateRunAutomationDetails(sarif, category, analysis_key, environment
   }
   return sarif;
 }
-function getAutomationID(category, analysis_key, environment) {
+function getAutomationID2(category, analysis_key, environment) {
   if (category !== void 0) {
     let automationID = category;
     if (!automationID.endsWith("/")) {
@@ -93090,18 +93072,6 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
   }
   return payloadObj;
 }
-var CodeScanningTarget = {
-  name: "code scanning",
-  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
-  sarifPredicate: (name) => name.endsWith(".sarif") && !CodeQualityTarget.sarifPredicate(name),
-  sentinelPrefix: "CODEQL_UPLOAD_SARIF_"
-};
-var CodeQualityTarget = {
-  name: "code quality",
-  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
-  sarifPredicate: (name) => name.endsWith(".quality.sarif"),
-  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_"
-};
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
   const sarifPaths = getSarifFilePaths(
     inputSarifPath,
@@ -93116,7 +93086,7 @@ async function uploadFiles(inputSarifPath, checkoutPath, category, features, log
     uploadTarget
   );
 }
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget = CodeScanningTarget) {
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
   logger.startGroup(`Uploading ${uploadTarget.name} results`);
   logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
   const gitHubVersion = await getGitHubVersion();
@@ -93287,7 +93257,7 @@ function handleProcessingResultForUnsuccessfulExecution(response, status, logger
     assertNever(status);
   }
 }
-function validateUniqueCategory(sarif, sentinelPrefix = CodeScanningTarget.sentinelPrefix) {
+function validateUniqueCategory(sarif, sentinelPrefix) {
   const categories = {};
   for (const run2 of sarif.runs) {
     const id = run2?.automationDetails?.id;
@@ -93396,13 +93366,13 @@ async function run() {
       category,
       features,
       logger,
-      CodeScanningTarget
+      CodeScanning
     );
     core13.setOutput("sarif-id", uploadResult.sarifID);
     if (fs15.lstatSync(sarifPath).isDirectory()) {
       const qualitySarifFiles = findSarifFilesInDir(
         sarifPath,
-        CodeQualityTarget.sarifPredicate
+        CodeQuality.sarifPredicate
       );
       if (qualitySarifFiles.length !== 0) {
         await uploadSpecifiedFiles(
@@ -93411,7 +93381,7 @@ async function run() {
           fixCodeQualityCategory(logger, category),
           features,
           logger,
-          CodeQualityTarget
+          CodeQuality
         );
       }
     }

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "3.30.1",
+  "version": "3.30.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "3.30.1",
+      "version": "3.30.2",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^2.3.1",
@@ -34,26 +34,24 @@
         "node-forge": "^1.3.1",
         "octokit": "^5.0.3",
         "semver": "^7.7.2",
-        "uuid": "^11.1.0"
+        "uuid": "^12.0.0"
       },
       "devDependencies": {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.3.2",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.34.0",
+        "@eslint/js": "^9.35.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^14.1.0",
         "@types/archiver": "^6.0.3",
         "@types/console-log-level": "^1.4.5",
         "@types/follow-redirects": "^1.14.4",
-        "@types/get-folder-size": "^3.0.4",
         "@types/js-yaml": "^4.0.9",
         "@types/node": "20.19.9",
         "@types/node-forge": "^1.3.14",
-        "@types/semver": "^7.7.0",
+        "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@types/uuid": "^10.0.0",
+        "@typescript-eslint/eslint-plugin": "^8.43.0",
-        "@typescript-eslint/eslint-plugin": "^8.41.0",
         "@typescript-eslint/parser": "^8.41.0",
         "ava": "^6.4.1",
         "esbuild": "^0.25.9",
@@ -1332,9 +1330,9 @@
       }
     },
     "node_modules/@eslint/js": {
-      "version": "9.34.0",
+      "version": "9.35.0",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.34.0.tgz",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.35.0.tgz",
-      "integrity": "sha512-EoyvqQnBNsV1CWaEJ559rxXL4c8V92gxirbawSmVUOWXlsRxxQXl6LmCpdUblgxgSkDIqKnhzba2SjRTI/A5Rw==",
+      "integrity": "sha512-30iXE9whjlILfWobBkNerJo+TXYsgVM5ERQwMcMKCHckHflCmf7wXDAHlARoWnh0s1U72WqlbeyE7iAcCzuCPw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2459,16 +2457,6 @@
         "@types/node": "*"
       }
     },
-    "node_modules/@types/get-folder-size": {
-      "version": "3.0.4",
-      "resolved": "https://registry.npmjs.org/@types/get-folder-size/-/get-folder-size-3.0.4.tgz",
-      "integrity": "sha512-tSf/k7Undx6jKRwpChR9tl+0ZPf0BVwkjBRtJ5qSnz6iWm2ZRYMAS2MktC2u7YaTAFHmxpL/LBxI85M7ioJCSg==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/node": "*"
-      }
-    },
     "node_modules/@types/js-yaml": {
       "version": "4.0.9",
       "dev": true,
@@ -2510,10 +2498,11 @@
       }
     },
     "node_modules/@types/semver": {
-      "version": "7.7.0",
+      "version": "7.7.1",
-      "resolved": "https://registry.npmjs.org/@types/semver/-/semver-7.7.0.tgz",
+      "resolved": "https://registry.npmjs.org/@types/semver/-/semver-7.7.1.tgz",
-      "integrity": "sha512-k107IF4+Xr7UHjwDc7Cfd6PRQfbdkiRabXGRjo07b4WyPahFBZCZ1sE+BNxYIJPPg73UkfOsVOLwqVc/6ETrIA==",
+      "integrity": "sha512-FmgJfu+MOcQ370SD0ev7EI8TlCAfKYU+B4m5T3yXc1CiRN94g/SZPtsCkk506aUDtlMnFZvasDwHHUcZUEaYuA==",
-      "dev": true
+      "dev": true,
+      "license": "MIT"
     },
     "node_modules/@types/sinon": {
       "version": "17.0.4",
@@ -2530,23 +2519,18 @@
       "dev": true,
       "license": "MIT"
     },
-    "node_modules/@types/uuid": {
-      "version": "10.0.0",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.43.0.tgz",
-      "integrity": "sha512-8fz6oa6wEKZrhXWro/S3n2eRJqlRcIa6SlDh59FXJ5Wp5XRZ8B9ixpJDcjadHq47hMx0u+HW6SNa6LjJQ6NLtw==",
+      "integrity": "sha512-8tg+gt7ENL7KewsKMKDHXR1vm8tt9eMxjJBYINf6swonlWgkYn5NwyIgXpbbDxTNU5DgpDFfj95prcTq2clIQQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/regexpp": "^4.10.0",
-        "@typescript-eslint/scope-manager": "8.41.0",
+        "@typescript-eslint/scope-manager": "8.43.0",
-        "@typescript-eslint/type-utils": "8.41.0",
+        "@typescript-eslint/type-utils": "8.43.0",
-        "@typescript-eslint/utils": "8.41.0",
+        "@typescript-eslint/utils": "8.43.0",
-        "@typescript-eslint/visitor-keys": "8.41.0",
+        "@typescript-eslint/visitor-keys": "8.43.0",
         "graphemer": "^1.4.0",
         "ignore": "^7.0.0",
         "natural-compare": "^1.4.0",
@@ -2560,20 +2544,20 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/parser": "^8.43.0",
         "eslint": "^8.57.0 || ^9.0.0",
         "typescript": ">=4.8.4 <6.0.0"
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.43.0.tgz",
-      "integrity": "sha512-n6m05bXn/Cd6DZDGyrpXrELCPVaTnLdPToyhBoFkLIMznRUQUEQdSp96s/pcWSQdqOhrgR1mzJ+yItK7T+WPMQ==",
+      "integrity": "sha512-daSWlQ87ZhsjrbMLvpuuMAt3y4ba57AuvadcR7f3nl8eS3BjRc8L9VLxFLk92RL5xdXOg6IQ+qKjjqNEimGuAg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.41.0",
+        "@typescript-eslint/types": "8.43.0",
-        "@typescript-eslint/visitor-keys": "8.41.0"
+        "@typescript-eslint/visitor-keys": "8.43.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2584,9 +2568,9 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/types": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.43.0.tgz",
-      "integrity": "sha512-9EwxsWdVqh42afLbHP90n2VdHaWU/oWgbH2P0CfcNfdKL7CuKpwMQGjwev56vWu9cSKU7FWSu6r9zck6CVfnag==",
+      "integrity": "sha512-vQ2FZaxJpydjSZJKiSW/LJsabFFvV7KgLC5DiLhkBcykhQj8iK9BOaDmQt74nnKdLvceM5xmhaTF+pLekrxEkw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2598,16 +2582,16 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.43.0.tgz",
-      "integrity": "sha512-D43UwUYJmGhuwHfY7MtNKRZMmfd8+p/eNSfFe6tH5mbVDto+VQCayeAt35rOx3Cs6wxD16DQtIKw/YXxt5E0UQ==",
+      "integrity": "sha512-7Vv6zlAhPb+cvEpP06WXXy/ZByph9iL6BQRBDj4kmBsW98AqEeQHlj/13X+sZOrKSo9/rNKH4Ul4f6EICREFdw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.41.0",
+        "@typescript-eslint/project-service": "8.43.0",
-        "@typescript-eslint/tsconfig-utils": "8.41.0",
+        "@typescript-eslint/tsconfig-utils": "8.43.0",
-        "@typescript-eslint/types": "8.41.0",
+        "@typescript-eslint/types": "8.43.0",
-        "@typescript-eslint/visitor-keys": "8.41.0",
+        "@typescript-eslint/visitor-keys": "8.43.0",
         "debug": "^4.3.4",
         "fast-glob": "^3.3.2",
         "is-glob": "^4.0.3",
@@ -2627,16 +2611,16 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/utils": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.43.0.tgz",
-      "integrity": "sha512-udbCVstxZ5jiPIXrdH+BZWnPatjlYwJuJkDA4Tbo3WyYLh8NvB+h/bKeSZHDOFKfphsZYJQqaFtLeXEqurQn1A==",
+      "integrity": "sha512-S1/tEmkUeeswxd0GGcnwuVQPFWo8NzZTOMxCvw8BX7OMxnNae+i8Tm7REQen/SwUIPoPqfKn7EaZ+YLpiB3k9g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.7.0",
-        "@typescript-eslint/scope-manager": "8.41.0",
+        "@typescript-eslint/scope-manager": "8.43.0",
-        "@typescript-eslint/types": "8.41.0",
+        "@typescript-eslint/types": "8.43.0",
-        "@typescript-eslint/typescript-estree": "8.41.0"
+        "@typescript-eslint/typescript-estree": "8.43.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2651,13 +2635,13 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.43.0.tgz",
-      "integrity": "sha512-+GeGMebMCy0elMNg67LRNoVnUFPIm37iu5CmHESVx56/9Jsfdpsvbv605DQ81Pi/x11IdKUsS5nzgTYbCQU9fg==",
+      "integrity": "sha512-T+S1KqRD4sg/bHfLwrpF/K3gQLBM1n7Rp7OjjikjTEssI2YJzQpi5WXoynOaQ93ERIuq3O8RBTOUYDKszUCEHw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.41.0",
+        "@typescript-eslint/types": "8.43.0",
         "eslint-visitor-keys": "^4.2.1"
       },
       "engines": {
@@ -2730,16 +2714,16 @@
       }
     },
     "node_modules/@typescript-eslint/parser": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.43.0.tgz",
-      "integrity": "sha512-gTtSdWX9xiMPA/7MV9STjJOOYtWwIJIYxkQxnSV1U3xcE+mnJSH3f6zI0RYP+ew66WSlZ5ed+h0VCxsvdC1jJg==",
+      "integrity": "sha512-B7RIQiTsCBBmY+yW4+ILd6mF5h1FUwJsVvpqkrgpszYifetQ2Ke+Z4u6aZh0CblkUGIdR59iYVyXqqZGkZ3aBw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/scope-manager": "8.41.0",
+        "@typescript-eslint/scope-manager": "8.43.0",
-        "@typescript-eslint/types": "8.41.0",
+        "@typescript-eslint/types": "8.43.0",
-        "@typescript-eslint/typescript-estree": "8.41.0",
+        "@typescript-eslint/typescript-estree": "8.43.0",
-        "@typescript-eslint/visitor-keys": "8.41.0",
+        "@typescript-eslint/visitor-keys": "8.43.0",
         "debug": "^4.3.4"
       },
       "engines": {
@@ -2755,14 +2739,14 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.43.0.tgz",
-      "integrity": "sha512-n6m05bXn/Cd6DZDGyrpXrELCPVaTnLdPToyhBoFkLIMznRUQUEQdSp96s/pcWSQdqOhrgR1mzJ+yItK7T+WPMQ==",
+      "integrity": "sha512-daSWlQ87ZhsjrbMLvpuuMAt3y4ba57AuvadcR7f3nl8eS3BjRc8L9VLxFLk92RL5xdXOg6IQ+qKjjqNEimGuAg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.41.0",
+        "@typescript-eslint/types": "8.43.0",
-        "@typescript-eslint/visitor-keys": "8.41.0"
+        "@typescript-eslint/visitor-keys": "8.43.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2773,9 +2757,9 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/types": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.43.0.tgz",
-      "integrity": "sha512-9EwxsWdVqh42afLbHP90n2VdHaWU/oWgbH2P0CfcNfdKL7CuKpwMQGjwev56vWu9cSKU7FWSu6r9zck6CVfnag==",
+      "integrity": "sha512-vQ2FZaxJpydjSZJKiSW/LJsabFFvV7KgLC5DiLhkBcykhQj8iK9BOaDmQt74nnKdLvceM5xmhaTF+pLekrxEkw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2787,16 +2771,16 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.43.0.tgz",
-      "integrity": "sha512-D43UwUYJmGhuwHfY7MtNKRZMmfd8+p/eNSfFe6tH5mbVDto+VQCayeAt35rOx3Cs6wxD16DQtIKw/YXxt5E0UQ==",
+      "integrity": "sha512-7Vv6zlAhPb+cvEpP06WXXy/ZByph9iL6BQRBDj4kmBsW98AqEeQHlj/13X+sZOrKSo9/rNKH4Ul4f6EICREFdw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.41.0",
+        "@typescript-eslint/project-service": "8.43.0",
-        "@typescript-eslint/tsconfig-utils": "8.41.0",
+        "@typescript-eslint/tsconfig-utils": "8.43.0",
-        "@typescript-eslint/types": "8.41.0",
+        "@typescript-eslint/types": "8.43.0",
-        "@typescript-eslint/visitor-keys": "8.41.0",
+        "@typescript-eslint/visitor-keys": "8.43.0",
         "debug": "^4.3.4",
         "fast-glob": "^3.3.2",
         "is-glob": "^4.0.3",
@@ -2816,13 +2800,13 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.43.0.tgz",
-      "integrity": "sha512-+GeGMebMCy0elMNg67LRNoVnUFPIm37iu5CmHESVx56/9Jsfdpsvbv605DQ81Pi/x11IdKUsS5nzgTYbCQU9fg==",
+      "integrity": "sha512-T+S1KqRD4sg/bHfLwrpF/K3gQLBM1n7Rp7OjjikjTEssI2YJzQpi5WXoynOaQ93ERIuq3O8RBTOUYDKszUCEHw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.41.0",
+        "@typescript-eslint/types": "8.43.0",
         "eslint-visitor-keys": "^4.2.1"
       },
       "engines": {
@@ -2886,14 +2870,14 @@
       }
     },
     "node_modules/@typescript-eslint/project-service": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.43.0.tgz",
-      "integrity": "sha512-b8V9SdGBQzQdjJ/IO3eDifGpDBJfvrNTp2QD9P2BeqWTGrRibgfgIlBSw6z3b6R7dPzg752tOs4u/7yCLxksSQ==",
+      "integrity": "sha512-htB/+D/BIGoNTQYffZw4uM4NzzuolCoaA/BusuSIcC8YjmBYQioew5VUZAYdAETPjeed0hqCaW7EHg+Robq8uw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.41.0",
+        "@typescript-eslint/tsconfig-utils": "^8.43.0",
-        "@typescript-eslint/types": "^8.41.0",
+        "@typescript-eslint/types": "^8.43.0",
         "debug": "^4.3.4"
       },
       "engines": {
@@ -2908,9 +2892,9 @@
       }
     },
     "node_modules/@typescript-eslint/project-service/node_modules/@typescript-eslint/types": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.43.0.tgz",
-      "integrity": "sha512-9EwxsWdVqh42afLbHP90n2VdHaWU/oWgbH2P0CfcNfdKL7CuKpwMQGjwev56vWu9cSKU7FWSu6r9zck6CVfnag==",
+      "integrity": "sha512-vQ2FZaxJpydjSZJKiSW/LJsabFFvV7KgLC5DiLhkBcykhQj8iK9BOaDmQt74nnKdLvceM5xmhaTF+pLekrxEkw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2940,9 +2924,9 @@
       }
     },
     "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.43.0.tgz",
-      "integrity": "sha512-TDhxYFPUYRFxFhuU5hTIJk+auzM/wKvWgoNYOPcOf6i4ReYlOoYN8q1dV5kOTjNQNJgzWN3TUUQMtlLOcUgdUw==",
+      "integrity": "sha512-ALC2prjZcj2YqqL5X/bwWQmHA2em6/94GcbB/KKu5SX3EBDOsqztmmX1kMkvAJHzxk7TazKzJfFiEIagNV3qEA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2957,15 +2941,15 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.43.0.tgz",
-      "integrity": "sha512-63qt1h91vg3KsjVVonFJWjgSK7pZHSQFKH6uwqxAH9bBrsyRhO6ONoKyXxyVBzG1lJnFAJcKAcxLS54N1ee1OQ==",
+      "integrity": "sha512-qaH1uLBpBuBBuRf8c1mLJ6swOfzCXryhKND04Igr4pckzSEW9JX5Aw9AgW00kwfjWJF0kk0ps9ExKTfvXfw4Qg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.41.0",
+        "@typescript-eslint/types": "8.43.0",
-        "@typescript-eslint/typescript-estree": "8.41.0",
+        "@typescript-eslint/typescript-estree": "8.43.0",
-        "@typescript-eslint/utils": "8.41.0",
+        "@typescript-eslint/utils": "8.43.0",
         "debug": "^4.3.4",
         "ts-api-utils": "^2.1.0"
       },
@@ -2982,14 +2966,14 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.43.0.tgz",
-      "integrity": "sha512-n6m05bXn/Cd6DZDGyrpXrELCPVaTnLdPToyhBoFkLIMznRUQUEQdSp96s/pcWSQdqOhrgR1mzJ+yItK7T+WPMQ==",
+      "integrity": "sha512-daSWlQ87ZhsjrbMLvpuuMAt3y4ba57AuvadcR7f3nl8eS3BjRc8L9VLxFLk92RL5xdXOg6IQ+qKjjqNEimGuAg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.41.0",
+        "@typescript-eslint/types": "8.43.0",
-        "@typescript-eslint/visitor-keys": "8.41.0"
+        "@typescript-eslint/visitor-keys": "8.43.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -3000,9 +2984,9 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/types": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.43.0.tgz",
-      "integrity": "sha512-9EwxsWdVqh42afLbHP90n2VdHaWU/oWgbH2P0CfcNfdKL7CuKpwMQGjwev56vWu9cSKU7FWSu6r9zck6CVfnag==",
+      "integrity": "sha512-vQ2FZaxJpydjSZJKiSW/LJsabFFvV7KgLC5DiLhkBcykhQj8iK9BOaDmQt74nnKdLvceM5xmhaTF+pLekrxEkw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -3014,16 +2998,16 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.43.0.tgz",
-      "integrity": "sha512-D43UwUYJmGhuwHfY7MtNKRZMmfd8+p/eNSfFe6tH5mbVDto+VQCayeAt35rOx3Cs6wxD16DQtIKw/YXxt5E0UQ==",
+      "integrity": "sha512-7Vv6zlAhPb+cvEpP06WXXy/ZByph9iL6BQRBDj4kmBsW98AqEeQHlj/13X+sZOrKSo9/rNKH4Ul4f6EICREFdw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.41.0",
+        "@typescript-eslint/project-service": "8.43.0",
-        "@typescript-eslint/tsconfig-utils": "8.41.0",
+        "@typescript-eslint/tsconfig-utils": "8.43.0",
-        "@typescript-eslint/types": "8.41.0",
+        "@typescript-eslint/types": "8.43.0",
-        "@typescript-eslint/visitor-keys": "8.41.0",
+        "@typescript-eslint/visitor-keys": "8.43.0",
         "debug": "^4.3.4",
         "fast-glob": "^3.3.2",
         "is-glob": "^4.0.3",
@@ -3043,16 +3027,16 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/utils": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.43.0.tgz",
-      "integrity": "sha512-udbCVstxZ5jiPIXrdH+BZWnPatjlYwJuJkDA4Tbo3WyYLh8NvB+h/bKeSZHDOFKfphsZYJQqaFtLeXEqurQn1A==",
+      "integrity": "sha512-S1/tEmkUeeswxd0GGcnwuVQPFWo8NzZTOMxCvw8BX7OMxnNae+i8Tm7REQen/SwUIPoPqfKn7EaZ+YLpiB3k9g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.7.0",
-        "@typescript-eslint/scope-manager": "8.41.0",
+        "@typescript-eslint/scope-manager": "8.43.0",
-        "@typescript-eslint/types": "8.41.0",
+        "@typescript-eslint/types": "8.43.0",
-        "@typescript-eslint/typescript-estree": "8.41.0"
+        "@typescript-eslint/typescript-estree": "8.43.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -3067,13 +3051,13 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.41.0",
+      "version": "8.43.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.41.0.tgz",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.43.0.tgz",
-      "integrity": "sha512-+GeGMebMCy0elMNg67LRNoVnUFPIm37iu5CmHESVx56/9Jsfdpsvbv605DQ81Pi/x11IdKUsS5nzgTYbCQU9fg==",
+      "integrity": "sha512-T+S1KqRD4sg/bHfLwrpF/K3gQLBM1n7Rp7OjjikjTEssI2YJzQpi5WXoynOaQ93ERIuq3O8RBTOUYDKszUCEHw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.41.0",
+        "@typescript-eslint/types": "8.43.0",
         "eslint-visitor-keys": "^4.2.1"
       },
       "engines": {
@@ -9092,16 +9076,16 @@
       "license": "MIT"
     },
     "node_modules/uuid": {
-      "version": "11.1.0",
+      "version": "12.0.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-12.0.0.tgz",
-      "integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==",
+      "integrity": "sha512-USe1zesMYh4fjCA8ZH5+X5WIVD0J4V1Jksm1bFTVBX2F/cwSXt0RO5w/3UXbdLKmZX65MiWV+hwhSS8p6oBTGA==",
       "funding": [
         "https://github.com/sponsors/broofa",
         "https://github.com/sponsors/ctavan"
       ],
       "license": "MIT",
       "bin": {
-        "uuid": "dist/esm/bin/uuid"
+        "uuid": "dist/bin/uuid"
       }
     },
     "node_modules/webidl-conversions": {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.30.1",
+  "version": "3.30.2",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -48,26 +48,24 @@
     "node-forge": "^1.3.1",
     "octokit": "^5.0.3",
     "semver": "^7.7.2",
-    "uuid": "^11.1.0"
+    "uuid": "^12.0.0"
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",
     "@eslint/compat": "^1.3.2",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.34.0",
+    "@eslint/js": "^9.35.0",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@octokit/types": "^14.1.0",
     "@types/archiver": "^6.0.3",
     "@types/console-log-level": "^1.4.5",
     "@types/follow-redirects": "^1.14.4",
-    "@types/get-folder-size": "^3.0.4",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "20.19.9",
     "@types/node-forge": "^1.3.14",
-    "@types/semver": "^7.7.0",
+    "@types/semver": "^7.7.1",
     "@types/sinon": "^17.0.4",
-    "@types/uuid": "^10.0.0",
+    "@typescript-eslint/eslint-plugin": "^8.43.0",
-    "@typescript-eslint/eslint-plugin": "^8.41.0",
     "@typescript-eslint/parser": "^8.41.0",
     "ava": "^6.4.1",
     "esbuild": "^0.25.9",

pr-checks/checks/quality-queries.yml

@@ -1,6 +1,7 @@
 name: "Quality queries input"
 description: "Tests that queries specified in the quality-queries input are used."
 versions: ["linked", "nightly-latest"]
+analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
 env:
   CHECK_SCRIPT: |
     const fs = require('fs');
@@ -29,25 +30,30 @@ steps:
   - uses: ./../action/init
     with:
       languages: javascript
-      quality-queries: code-quality
+      analysis-kinds: ${{ matrix.analysis-kinds }}
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - uses: ./../action/analyze
     with:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Upload security SARIF
+    if: contains(matrix.analysis-kinds, 'code-scanning')
     uses: actions/upload-artifact@v4
     with:
-      name: quality-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+      name: |
+        quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"
       retention-days: 7
   - name: Upload quality SARIF
+    if: contains(matrix.analysis-kinds, 'code-quality')
     uses: actions/upload-artifact@v4
     with:
-      name: quality-queries-${{ matrix.os }}-${{ matrix.version }}.quality.sarif.json
+      name: |
+        quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
       path: "${{ runner.temp }}/results/javascript.quality.sarif"
       retention-days: 7
   - name: Check quality query does not appear in security SARIF
+    if: contains(matrix.analysis-kinds, 'code-scanning')
     uses: actions/github-script@v7
     env:
       SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
@@ -55,6 +61,7 @@ steps:
     with:
       script: ${{ env.CHECK_SCRIPT }}
   - name: Check quality query appears in quality SARIF
+    if: contains(matrix.analysis-kinds, 'code-quality')
     uses: actions/github-script@v7
     env:
       SARIF_PATH: "${{ runner.temp }}/results/javascript.quality.sarif"

pr-checks/checks/upload-quality-sarif.yml

@@ -8,7 +8,7 @@ steps:
       tools: ${{ steps.prepare-test.outputs.tools-url }}
       languages: cpp,csharp,java,javascript,python
       config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
-      quality-queries: code-quality
+      analysis-kinds: code-scanning,code-quality
   - name: Build code
     shell: bash
     run: ./build.sh

pr-checks/sync.py

@@ -102,6 +102,18 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
         if checkSpecification.get('useAllPlatformBundle'):
             useAllPlatformBundle = checkSpecification['useAllPlatformBundle']
 
+
+    if 'analysisKinds' in checkSpecification:
+        newMatrix = []
+        for matrixInclude in matrix:
+            for analysisKind in checkSpecification.get('analysisKinds'):
+                newMatrix.append(
+                    matrixInclude |
+                    { 'analysis-kinds': analysisKind }
+                )
+        matrix = newMatrix
+
+    # Construct the workflow steps needed for this check.
     steps = [
         {
             'name': 'Check out repository',

src/analyses.ts

@@ -41,3 +41,48 @@ export async function parseAnalysisKinds(
 
 /** The queries to use for Code Quality analyses. */
 export const codeQualityQueries: string[] = ["code-quality"];
+
+// Enumerates API endpoints that accept SARIF files.
+export enum SARIF_UPLOAD_ENDPOINT {
+  CODE_SCANNING = "PUT /repos/:owner/:repo/code-scanning/analysis",
+  CODE_QUALITY = "PUT /repos/:owner/:repo/code-quality/analysis",
+}
+
+// Represents configurations for different analysis kinds.
+export interface AnalysisConfig {
+  /** The analysis kind the configuration is for. */
+  kind: AnalysisKind;
+  /** A display friendly name for logs. */
+  name: string;
+  /** The API endpoint to upload SARIF files to. */
+  target: SARIF_UPLOAD_ENDPOINT;
+  /** The file extension for SARIF files generated by this kind of analysis. */
+  sarifExtension: string;
+  /** A predicate on filenames to decide whether a SARIF file
+   * belongs to this kind of analysis. */
+  sarifPredicate: (name: string) => boolean;
+  /** A prefix for environment variables used to track the uniqueness of SARIF uploads. */
+  sentinelPrefix: string;
+}
+
+// Represents the Code Scanning analysis configuration.
+export const CodeScanning: AnalysisConfig = {
+  kind: AnalysisKind.CodeScanning,
+  name: "code scanning",
+  target: SARIF_UPLOAD_ENDPOINT.CODE_SCANNING,
+  sarifExtension: ".sarif",
+  sarifPredicate: (name) =>
+    name.endsWith(CodeScanning.sarifExtension) &&
+    !CodeQuality.sarifPredicate(name),
+  sentinelPrefix: "CODEQL_UPLOAD_SARIF_",
+};
+
+// Represents the Code Quality analysis configuration.
+export const CodeQuality: AnalysisConfig = {
+  kind: AnalysisKind.CodeQuality,
+  name: "code quality",
+  target: SARIF_UPLOAD_ENDPOINT.CODE_QUALITY,
+  sarifExtension: ".quality.sarif",
+  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
+  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_",
+};

src/analyze-action.ts

@@ -5,6 +5,7 @@ import { performance } from "perf_hooks";
 import * as core from "@actions/core";
 
 import * as actionsUtil from "./actions-util";
+import * as analyses from "./analyses";
 import {
   CodeQLAnalysisError,
   dbIsFinalized,
@@ -18,7 +19,12 @@ import { getApiDetails, getGitHubVersion } from "./api-client";
 import { runAutobuild } from "./autobuild";
 import { getTotalCacheSize, shouldStoreCache } from "./caching-utils";
 import { getCodeQL } from "./codeql";
-import { Config, getConfig, isCodeQualityEnabled } from "./config-utils";
+import {
+  Config,
+  getConfig,
+  isCodeQualityEnabled,
+  isCodeScanningEnabled,
+} from "./config-utils";
 import { uploadDatabases } from "./database-upload";
 import { uploadDependencyCaches } from "./dependency-caching";
 import { getDiffInformedAnalysisBranches } from "./diff-informed-analysis-utils";
@@ -326,15 +332,17 @@ async function run() {
     core.setOutput("sarif-output", path.resolve(outputDir));
     const uploadInput = actionsUtil.getOptionalInput("upload");
     if (runStats && actionsUtil.getUploadValue(uploadInput) === "always") {
-      uploadResult = await uploadLib.uploadFiles(
+      if (isCodeScanningEnabled(config)) {
-        outputDir,
+        uploadResult = await uploadLib.uploadFiles(
-        actionsUtil.getRequiredInput("checkout_path"),
+          outputDir,
-        actionsUtil.getOptionalInput("category"),
+          actionsUtil.getRequiredInput("checkout_path"),
-        features,
+          actionsUtil.getOptionalInput("category"),
-        logger,
+          features,
-        uploadLib.CodeScanningTarget,
+          logger,
-      );
+          analyses.CodeScanning,
-      core.setOutput("sarif-id", uploadResult.sarifID);
+        );
+        core.setOutput("sarif-id", uploadResult.sarifID);
+      }
 
       if (isCodeQualityEnabled(config)) {
         const qualityUploadResult = await uploadLib.uploadFiles(
@@ -346,7 +354,7 @@ async function run() {
           ),
           features,
           logger,
-          uploadLib.CodeQualityTarget,
+          analyses.CodeQuality,
         );
         core.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
       }

src/analyze.test.ts

@@ -5,11 +5,13 @@ import test from "ava";
 import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
+import { CodeQuality, CodeScanning } from "./analyses";
 import {
   exportedForTesting,
   runQueries,
   defaultSuites,
   resolveQuerySuiteAlias,
+  addSarifExtension,
 } from "./analyze";
 import { createStubCodeQL } from "./codeql";
 import { Feature } from "./feature-flags";
@@ -348,3 +350,13 @@ test("resolveQuerySuiteAlias", (t) => {
     t.deepEqual(resolveQuerySuiteAlias(KnownLanguage.go, name), name);
   }
 });
+
+test("addSarifExtension", (t) => {
+  for (const language of Object.values(KnownLanguage)) {
+    t.deepEqual(addSarifExtension(CodeScanning, language), `${language}.sarif`);
+    t.deepEqual(
+      addSarifExtension(CodeQuality, language),
+      `${language}.quality.sarif`,
+    );
+  }
+});

src/analyze.ts

@@ -608,6 +608,16 @@ export function resolveQuerySuiteAlias(
   return maybeSuite;
 }
 
+/**
+ * Adds the appropriate file extension for the given analysis configuration to the given base filename.
+ */
+export function addSarifExtension(
+  analysis: analyses.AnalysisConfig,
+  base: string,
+): string {
+  return `${base}${analysis.sarifExtension}`;
+}
+
 // Runs queries and creates sarif files in the given folder
 export async function runQueries(
   sarifFolder: string,
@@ -626,10 +636,7 @@ export async function runQueries(
   const incrementalMode: string[] = [];
 
   // Preserve cached intermediate results for overlay-base databases.
-  if (
+  if (config.overlayDatabaseMode !== OverlayDatabaseMode.OverlayBase) {
-    config.augmentationProperties.overlayDatabaseMode !==
-    OverlayDatabaseMode.OverlayBase
-  ) {
     queryFlags.push("--expect-discarded-cache");
   }
 
@@ -641,15 +648,10 @@ export async function runQueries(
   }
 
   statusReport.analysis_is_overlay =
-    config.augmentationProperties.overlayDatabaseMode ===
+    config.overlayDatabaseMode === OverlayDatabaseMode.Overlay;
-    OverlayDatabaseMode.Overlay;
   statusReport.analysis_builds_overlay_base_database =
-    config.augmentationProperties.overlayDatabaseMode ===
+    config.overlayDatabaseMode === OverlayDatabaseMode.OverlayBase;
-    OverlayDatabaseMode.OverlayBase;
+  if (config.overlayDatabaseMode === OverlayDatabaseMode.Overlay) {
-  if (
-    config.augmentationProperties.overlayDatabaseMode ===
-    OverlayDatabaseMode.Overlay
-  ) {
     incrementalMode.push("overlay");
   }
 
@@ -658,15 +660,25 @@ export async function runQueries(
       ? `--sarif-run-property=incrementalMode=${incrementalMode.join(",")}`
       : undefined;
 
+  const dbAnalysisConfig = configUtils.getPrimaryAnalysisConfig(config);
+
   for (const language of config.languages) {
     try {
-      const sarifFile = path.join(sarifFolder, `${language}.sarif`);
+      // This should be empty to run only the query suite that was generated when
-
+      // the database was initialised.
       const queries: string[] = [];
-      if (configUtils.isCodeQualityEnabled(config)) {
+
+      // If multiple analysis kinds are enabled, the database is initialised for Code Scanning.
+      // To avoid duplicate work, we want to run queries for all analyses at the same time.
+      // To do this, we invoke `run-queries` once with the generated query suite that was created
+      // when the database was initialised + the queries for other analysis kinds.
+      if (config.analysisKinds.length > 1) {
         queries.push(util.getGeneratedSuitePath(config, language));
-        for (const qualityQuery of analyses.codeQualityQueries) {
+
-          queries.push(resolveQuerySuiteAlias(language, qualityQuery));
+        if (configUtils.isCodeQualityEnabled(config)) {
+          for (const qualityQuery of analyses.codeQualityQueries) {
+            queries.push(resolveQuerySuiteAlias(language, qualityQuery));
+          }
         }
       }
 
@@ -684,48 +696,49 @@ export async function runQueries(
       statusReport[`analyze_builtin_queries_${language}_duration_ms`] =
         new Date().getTime() - startTimeRunQueries;
 
-      logger.startGroup(`Interpreting results for ${language}`);
+      // There is always at least one analysis kind enabled. Running `interpret-results`
+      // produces the SARIF file for the analysis kind that the database was initialised with.
       const startTimeInterpretResults = new Date();
-      const analysisSummary = await runInterpretResults(
+      const { summary: analysisSummary, sarifFile } =
-        language,
+        await runInterpretResultsFor(
-        undefined,
+          dbAnalysisConfig,
-        sarifFile,
+          language,
-        config.debugMode,
+          undefined,
-        automationDetailsId,
+          config.debugMode,
-      );
+        );
 
+      // This case is only needed if Code Quality is not the sole analysis kind.
+      // In this case, we will have run queries for all analysis kinds. The previous call to
+      // `interpret-results` will have produced a SARIF file for Code Scanning and we now
+      // need to produce an additional SARIF file for Code Quality.
       let qualityAnalysisSummary: string | undefined;
-      if (configUtils.isCodeQualityEnabled(config)) {
+      if (
-        logger.info(`Interpreting quality results for ${language}`);
+        config.analysisKinds.length > 1 &&
-        const qualityCategory = fixCodeQualityCategory(
+        configUtils.isCodeQualityEnabled(config)
-          logger,
+      ) {
-          automationDetailsId,
+        const qualityResult = await runInterpretResultsFor(
-        );
+          analyses.CodeQuality,
-        const qualitySarifFile = path.join(
-          sarifFolder,
-          `${language}.quality.sarif`,
-        );
-        qualityAnalysisSummary = await runInterpretResults(
           language,
           analyses.codeQualityQueries.map((i) =>
             resolveQuerySuiteAlias(language, i),
           ),
-          qualitySarifFile,
           config.debugMode,
-          qualityCategory,
         );
+        qualityAnalysisSummary = qualityResult.summary;
       }
       const endTimeInterpretResults = new Date();
       statusReport[`interpret_results_${language}_duration_ms`] =
         endTimeInterpretResults.getTime() - startTimeInterpretResults.getTime();
       logger.endGroup();
-      logger.info(analysisSummary);
 
+      logger.info(analysisSummary);
       if (qualityAnalysisSummary) {
         logger.info(qualityAnalysisSummary);
       }
 
       if (await features.getValue(Feature.QaTelemetryEnabled)) {
+        // Note: QA adds the `code-quality` query suite to the `queries` input,
+        // so this is fine since there is no `.quality.sarif`.
         const perQueryAlertCounts = getPerQueryAlertCounts(sarifFile);
 
         const perQueryAlertCountEventReport: EventReport = {
@@ -756,6 +769,37 @@ export async function runQueries(
 
   return statusReport;
 
+  async function runInterpretResultsFor(
+    analysis: analyses.AnalysisConfig,
+    language: Language,
+    queries: string[] | undefined,
+    enableDebugLogging: boolean,
+  ): Promise<{ summary: string; sarifFile: string }> {
+    logger.info(`Interpreting ${analysis.name} results for ${language}`);
+
+    // If this is a Code Quality analysis, correct the category to one
+    // accepted by the Code Quality backend.
+    let category = automationDetailsId;
+    if (dbAnalysisConfig.kind === analyses.AnalysisKind.CodeQuality) {
+      category = fixCodeQualityCategory(logger, automationDetailsId);
+    }
+
+    const sarifFile = path.join(
+      sarifFolder,
+      addSarifExtension(analysis, language),
+    );
+
+    const summary = await runInterpretResults(
+      language,
+      queries,
+      sarifFile,
+      enableDebugLogging,
+      category,
+    );
+
+    return { summary, sarifFile };
+  }
+
   async function runInterpretResults(
     language: Language,
     queries: string[] | undefined,

src/codeql.test.ts

@@ -18,6 +18,7 @@ import {
   AugmentationProperties,
   Config,
   defaultAugmentationProperties,
+  generateCodeScanningConfig,
 } from "./config-utils";
 import * as defaults from "./defaults.json";
 import { DocUrl } from "./doc-url";
@@ -502,8 +503,11 @@ const injectedConfigMacro = test.macro({
         ...stubConfig,
         ...configOverride,
         tempDir,
-        augmentationProperties,
       };
+      thisStubConfig.computedConfig = generateCodeScanningConfig(
+        thisStubConfig.originalUserInput,
+        augmentationProperties,
+      );
 
       await codeqlObject.databaseInitCluster(
         thisStubConfig,

src/codeql.ts

@@ -13,7 +13,7 @@ import {
 } from "./actions-util";
 import * as api from "./api-client";
 import { CliError, wrapCliConfigurationError } from "./cli-errors";
-import { generateCodeScanningConfig, type Config } from "./config-utils";
+import { appendExtraQueryExclusions, type Config } from "./config-utils";
 import { DocUrl } from "./doc-url";
 import { EnvVar } from "./environment";
 import {
@@ -593,8 +593,7 @@ export async function getCodeQLForCmd(
         ? "--force-overwrite"
         : "--overwrite";
 
-      const overlayDatabaseMode =
+      const overlayDatabaseMode = config.overlayDatabaseMode;
-        config.augmentationProperties.overlayDatabaseMode;
       if (overlayDatabaseMode === OverlayDatabaseMode.Overlay) {
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
@@ -1150,20 +1149,26 @@ async function runCli(
 }
 
 /**
- * Generates a code scanning configuration that is to be used for a scan.
+ * Writes the code scanning configuration that is to be used by the CLI.
  *
  * @param codeql The CodeQL object to use.
- * @param config The configuration to use.
+ * @param config The CodeQL Action state to use.
- * @returns the path to the generated user configuration file.
+ * @returns The path to the generated user configuration file.
  */
 async function writeCodeScanningConfigFile(
   config: Config,
   logger: Logger,
 ): Promise<string> {
   const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
-  const augmentedConfig = generateCodeScanningConfig(
+
-    config.originalUserInput,
+  // Apply the `extraQueryExclusions` from the CodeQL Action state to the CLI configuration.
-    config.augmentationProperties,
+  // We do this here at the latest possible point before passing the CLI configuration on to
+  // the CLI so that the `extraQueryExclusions` appear after all user-configured `query-filters`.
+  // See the comment in `applyExtraQueryExclusions` for more information, as well as
+  // https://github.com/github/codeql-action/pull/2938
+  const augmentedConfig = appendExtraQueryExclusions(
+    config.extraQueryExclusions,
+    config.computedConfig,
   );
 
   logger.info(

src/config-utils.test.ts

@@ -157,17 +157,74 @@ test("load empty config", async (t) => {
       }),
     );
 
-    t.deepEqual(
+    const expectedConfig = await configUtils.initActionState(
-      config,
+      createTestInitConfigInputs({
-      await configUtils.getDefaultConfig(
+        languagesInput: languages,
-        createTestInitConfigInputs({
+        tempDir,
-          languagesInput: languages,
+        codeql,
-          tempDir,
+        logger,
-          codeql,
+      }),
-          logger,
+      {},
-        }),
-      ),
     );
+
+    t.deepEqual(config, expectedConfig);
+  });
+});
+
+test("load code quality config", async (t) => {
+  return await withTmpDir(async (tempDir) => {
+    const logger = getRunnerLogger(true);
+    const languages = "actions";
+
+    const codeql = createStubCodeQL({
+      async betterResolveLanguages() {
+        return {
+          extractors: {
+            actions: [{ extractor_root: "" }],
+          },
+        };
+      },
+    });
+
+    const config = await configUtils.initConfig(
+      createTestInitConfigInputs({
+        analysisKindsInput: "code-quality",
+        languagesInput: languages,
+        repository: { owner: "github", repo: "example" },
+        tempDir,
+        codeql,
+        logger,
+      }),
+    );
+
+    // And the config we expect it to result in
+    const expectedConfig: configUtils.Config = {
+      analysisKinds: [AnalysisKind.CodeQuality],
+      languages: [KnownLanguage.actions],
+      buildMode: undefined,
+      originalUserInput: {},
+      // This gets set because we only have `AnalysisKind.CodeQuality`
+      computedConfig: {
+        "disable-default-queries": true,
+        queries: [{ uses: "code-quality" }],
+        "query-filters": [],
+      },
+      tempDir,
+      codeQLCmd: codeql.getPath(),
+      gitHubVersion: githubVersion,
+      dbLocation: path.resolve(tempDir, "codeql_databases"),
+      debugMode: false,
+      debugArtifactName: "",
+      debugDatabaseName: "",
+      trapCaches: {},
+      trapCacheDownloadTime: 0,
+      dependencyCachingEnabled: CachingKind.None,
+      extraQueryExclusions: [],
+      overlayDatabaseMode: OverlayDatabaseMode.None,
+      useOverlayDatabaseCaching: false,
+    };
+
+    t.deepEqual(config, expectedConfig);
   });
 });
 
@@ -322,18 +379,21 @@ test("load non-empty input", async (t) => {
 
     fs.mkdirSync(path.join(tempDir, "foo"));
 
+    const userConfig: configUtils.UserConfig = {
+      name: "my config",
+      "disable-default-queries": true,
+      queries: [{ uses: "./foo" }],
+      "paths-ignore": ["a", "b"],
+      paths: ["c/d"],
+    };
+
     // And the config we expect it to parse to
     const expectedConfig: configUtils.Config = {
       analysisKinds: [AnalysisKind.CodeScanning],
       languages: [KnownLanguage.javascript],
       buildMode: BuildMode.None,
-      originalUserInput: {
+      originalUserInput: userConfig,
-        name: "my config",
+      computedConfig: userConfig,
-        "disable-default-queries": true,
-        queries: [{ uses: "./foo" }],
-        "paths-ignore": ["a", "b"],
-        paths: ["c/d"],
-      },
       tempDir,
       codeQLCmd: codeql.getPath(),
       gitHubVersion: githubVersion,
@@ -341,10 +401,12 @@ test("load non-empty input", async (t) => {
       debugMode: false,
       debugArtifactName: "my-artifact",
       debugDatabaseName: "my-db",
-      augmentationProperties: configUtils.defaultAugmentationProperties,
       trapCaches: {},
       trapCacheDownloadTime: 0,
       dependencyCachingEnabled: CachingKind.None,
+      extraQueryExclusions: [],
+      overlayDatabaseMode: OverlayDatabaseMode.None,
+      useOverlayDatabaseCaching: false,
     };
 
     const languagesInput = "javascript";
@@ -1750,3 +1812,9 @@ for (const language in KnownLanguage) {
     },
   );
 }
+
+test("hasActionsWorkflows doesn't throw if workflows folder doesn't exist", async (t) => {
+  return withTmpDir(async (tmpDir) => {
+    t.notThrows(() => configUtils.hasActionsWorkflows(tmpDir));
+  });
+});

src/config-utils.ts

@@ -6,7 +6,14 @@ import * as yaml from "js-yaml";
 import * as semver from "semver";
 
 import { isAnalyzingPullRequest } from "./actions-util";
-import { AnalysisKind, parseAnalysisKinds } from "./analyses";
+import {
+  AnalysisConfig,
+  AnalysisKind,
+  CodeQuality,
+  codeQualityQueries,
+  CodeScanning,
+  parseAnalysisKinds,
+} from "./analyses";
 import * as api from "./api-client";
 import { CachingKind, getCachingKind } from "./caching-utils";
 import { type CodeQL } from "./codeql";
@@ -28,6 +35,7 @@ import {
   BuildMode,
   codeQlVersionAtLeast,
   cloneObject,
+  isDefined,
 } from "./util";
 
 // Property names from the user-supplied config file.
@@ -144,8 +152,11 @@ export interface Config {
    * Specifies the name of the database in the debugging artifact.
    */
   debugDatabaseName: string;
-
+  /**
-  augmentationProperties: AugmentationProperties;
+   * The configuration we computed by combining `originalUserInput` with `augmentationProperties`,
+   * as well as adjustments made to it based on unsupported or required options.
+   */
+  computedConfig: UserConfig;
 
   /**
    * Partial map from languages to locations of TRAP caches for that language.
@@ -160,6 +171,28 @@ export interface Config {
 
   /** A value indicating how dependency caching should be used. */
   dependencyCachingEnabled: CachingKind;
+
+  /**
+   * Extra query exclusions to append to the config.
+   */
+  extraQueryExclusions: ExcludeQueryFilter[];
+
+  /**
+   * The overlay database mode to use.
+   */
+  overlayDatabaseMode: OverlayDatabaseMode;
+
+  /**
+   * Whether to use caching for overlay databases. If it is true, the action
+   * will upload the created overlay-base database to the actions cache, and
+   * download an overlay-base database from the actions cache before it creates
+   * a new overlay database. If it is false, the action assumes that the
+   * workflow will be responsible for managing database storage and retrieval.
+   *
+   * This property has no effect unless `overlayDatabaseMode` is `Overlay` or
+   * `OverlayBase`.
+   */
+  useOverlayDatabaseCaching: boolean;
 }
 
 /**
@@ -192,28 +225,6 @@ export interface AugmentationProperties {
    * The packs input from the `with` block of the action declaration
    */
   packsInput?: string[];
-
-  /**
-   * Extra query exclusions to append to the config.
-   */
-  extraQueryExclusions: ExcludeQueryFilter[];
-
-  /**
-   * The overlay database mode to use.
-   */
-  overlayDatabaseMode: OverlayDatabaseMode;
-
-  /**
-   * Whether to use caching for overlay databases. If it is true, the action
-   * will upload the created overlay-base database to the actions cache, and
-   * download an overlay-base database from the actions cache before it creates
-   * a new overlay database. If it is false, the action assumes that the
-   * workflow will be responsible for managing database storage and retrieval.
-   *
-   * This property has no effect unless `overlayDatabaseMode` is `Overlay` or
-   * `OverlayBase`.
-   */
-  useOverlayDatabaseCaching: boolean;
 }
 
 /**
@@ -225,9 +236,6 @@ export const defaultAugmentationProperties: AugmentationProperties = {
   packsInputCombines: false,
   packsInput: undefined,
   queriesInput: undefined,
-  extraQueryExclusions: [],
-  overlayDatabaseMode: OverlayDatabaseMode.None,
-  useOverlayDatabaseCaching: false,
 };
 export type Packs = Partial<Record<Language, string[]>>;
 
@@ -341,7 +349,7 @@ const baseWorkflowsPath = ".github/workflows";
  */
 export function hasActionsWorkflows(sourceRoot: string): boolean {
   const workflowsPath = path.resolve(sourceRoot, baseWorkflowsPath);
-  const stats = fs.lstatSync(workflowsPath);
+  const stats = fs.lstatSync(workflowsPath, { throwIfNoEntry: false });
   return (
     stats !== undefined &&
     stats.isDirectory() &&
@@ -508,29 +516,33 @@ export interface InitConfigInputs {
 }
 
 /**
- * Get the default config, populated without user configuration file.
+ * Initialise the CodeQL Action state, which includes the base configuration for the Action
+ * and computes the configuration for the CodeQL CLI.
  */
-export async function getDefaultConfig({
+export async function initActionState(
-  analysisKindsInput,
+  {
-  languagesInput,
+    analysisKindsInput,
-  queriesInput,
+    languagesInput,
-  qualityQueriesInput,
+    queriesInput,
-  packsInput,
+    qualityQueriesInput,
-  buildModeInput,
+    packsInput,
-  dbLocation,
+    buildModeInput,
-  trapCachingEnabled,
+    dbLocation,
-  dependencyCachingEnabled,
+    trapCachingEnabled,
-  debugMode,
+    dependencyCachingEnabled,
-  debugArtifactName,
+    debugMode,
-  debugDatabaseName,
+    debugArtifactName,
-  repository,
+    debugDatabaseName,
-  tempDir,
+    repository,
-  codeql,
+    tempDir,
-  sourceRoot,
+    codeql,
-  githubVersion,
+    sourceRoot,
-  features,
+    githubVersion,
-  logger,
+    features,
-}: InitConfigInputs): Promise<Config> {
+    logger,
+  }: InitConfigInputs,
+  userConfig: UserConfig,
+): Promise<Config> {
   const analysisKinds = await parseAnalysisKinds(analysisKindsInput);
 
   // For backwards compatibility, add Code Quality to the enabled analysis kinds
@@ -571,11 +583,19 @@ export async function getDefaultConfig({
     logger,
   );
 
+  // Compute the full Code Scanning configuration that combines the configuration from the
+  // configuration file / `config` input with other inputs, such as `queries`.
+  const computedConfig = generateCodeScanningConfig(
+    userConfig,
+    augmentationProperties,
+  );
+
   return {
     analysisKinds,
     languages,
     buildMode,
-    originalUserInput: {},
+    originalUserInput: userConfig,
+    computedConfig,
     tempDir,
     codeQLCmd: codeql.getPath(),
     gitHubVersion: githubVersion,
@@ -583,10 +603,12 @@ export async function getDefaultConfig({
     debugMode,
     debugArtifactName,
     debugDatabaseName,
-    augmentationProperties,
     trapCaches,
     trapCacheDownloadTime,
     dependencyCachingEnabled: getCachingKind(dependencyCachingEnabled),
+    extraQueryExclusions: [],
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
   };
 }
 
@@ -673,9 +695,6 @@ export async function calculateAugmentation(
     packsInput: packsInput?.[languages[0]],
     queriesInput,
     queriesInputCombines,
-    extraQueryExclusions: [],
-    overlayDatabaseMode: OverlayDatabaseMode.None,
-    useOverlayDatabaseCaching: false,
   };
 }
 
@@ -1063,6 +1082,19 @@ function userConfigFromActionPath(tempDir: string): string {
   return path.resolve(tempDir, "user-config-from-action.yml");
 }
 
+/**
+ * Checks whether the given `UserConfig` contains any query customisations.
+ *
+ * @returns Returns `true` if the `UserConfig` customises which queries are run.
+ */
+function hasQueryCustomisation(userConfig: UserConfig): boolean {
+  return (
+    isDefined(userConfig["disable-default-queries"]) ||
+    isDefined(userConfig.queries) ||
+    isDefined(userConfig["query-filters"])
+  );
+}
+
 /**
  * Load and return the config.
  *
@@ -1097,9 +1129,26 @@ export async function initConfig(inputs: InitConfigInputs): Promise<Config> {
     );
   }
 
-  const config = await getDefaultConfig(inputs);
+  const config = await initActionState(inputs, userConfig);
-  const augmentationProperties = config.augmentationProperties;
+
-  config.originalUserInput = userConfig;
+  // If Code Quality analysis is the only enabled analysis kind, then we will initialise
+  // the database for Code Quality. That entails disabling the default queries and only
+  // running quality queries. We do not currently support query customisations in that case.
+  if (config.analysisKinds.length === 1 && isCodeQualityEnabled(config)) {
+    // Warn if any query customisations are present in the computed configuration.
+    if (hasQueryCustomisation(config.computedConfig)) {
+      throw new ConfigurationError(
+        "Query customizations are unsupported, because only `code-quality` analysis is enabled.",
+      );
+    }
+
+    const queries = codeQualityQueries.map((v) => ({ uses: v }));
+
+    // Set the query customisation options for Code Quality only analysis.
+    config.computedConfig["disable-default-queries"] = true;
+    config.computedConfig.queries = queries;
+    config.computedConfig["query-filters"] = [];
+  }
 
   // The choice of overlay database mode depends on the selection of languages
   // and queries, which in turn depends on the user config and the augmentation
@@ -1113,15 +1162,15 @@ export async function initConfig(inputs: InitConfigInputs): Promise<Config> {
       config.languages,
       inputs.sourceRoot,
       config.buildMode,
-      generateCodeScanningConfig(userConfig, augmentationProperties),
+      config.computedConfig,
       logger,
     );
   logger.info(
     `Using overlay database mode: ${overlayDatabaseMode} ` +
       `${useOverlayDatabaseCaching ? "with" : "without"} caching.`,
   );
-  augmentationProperties.overlayDatabaseMode = overlayDatabaseMode;
+  config.overlayDatabaseMode = overlayDatabaseMode;
-  augmentationProperties.useOverlayDatabaseCaching = useOverlayDatabaseCaching;
+  config.useOverlayDatabaseCaching = useOverlayDatabaseCaching;
 
   if (
     overlayDatabaseMode === OverlayDatabaseMode.Overlay ||
@@ -1131,7 +1180,7 @@ export async function initConfig(inputs: InitConfigInputs): Promise<Config> {
       logger,
     ))
   ) {
-    augmentationProperties.extraQueryExclusions.push({
+    config.extraQueryExclusions.push({
       exclude: { tags: "exclude-from-incremental" },
     });
   }
@@ -1461,23 +1510,80 @@ export function generateCodeScanningConfig(
     delete augmentedConfig.packs;
   }
 
+  return augmentedConfig;
+}
+
+/**
+ * Appends `extraQueryExclusions` to `cliConfig`'s `query-filters`.
+ *
+ * @param extraQueryExclusions The extra query exclusions to append to the `query-filters`.
+ * @param cliConfig The CodeQL CLI configuration to extend.
+ * @returns Returns `cliConfig` if there are no extra query exclusions
+ *          or a copy of `cliConfig` where the extra query exclusions
+ *          have been appended to `query-filters`.
+ */
+export function appendExtraQueryExclusions(
+  extraQueryExclusions: ExcludeQueryFilter[],
+  cliConfig: UserConfig,
+): Readonly<UserConfig> {
+  // make a copy so we can modify it and so that modifications to the input
+  // object do not affect the result that is marked as `Readonly`.
+  const augmentedConfig = cloneObject(cliConfig);
+
+  if (extraQueryExclusions.length === 0) {
+    return augmentedConfig;
+  }
+
   augmentedConfig["query-filters"] = [
     // Ordering matters. If the first filter is an inclusion, it implicitly
     // excludes all queries that are not included. If it is an exclusion,
     // it implicitly includes all queries that are not excluded. So user
     // filters (if any) should always be first to preserve intent.
     ...(augmentedConfig["query-filters"] || []),
-    ...augmentationProperties.extraQueryExclusions,
+    ...extraQueryExclusions,
   ];
   if (augmentedConfig["query-filters"]?.length === 0) {
     delete augmentedConfig["query-filters"];
   }
+
   return augmentedConfig;
 }
 
+/**
+ * Returns `true` if Code Scanning analysis is enabled, or `false` if not.
+ */
+export function isCodeScanningEnabled(config: Config): boolean {
+  return config.analysisKinds.includes(AnalysisKind.CodeScanning);
+}
+
 /**
  * Returns `true` if Code Quality analysis is enabled, or `false` if not.
  */
 export function isCodeQualityEnabled(config: Config): boolean {
   return config.analysisKinds.includes(AnalysisKind.CodeQuality);
 }
+
+/**
+ * Returns the primary analysis kind that the Action is initialised with. This is
+ * always `AnalysisKind.CodeScanning` unless `AnalysisKind.CodeScanning` is not enabled.
+ *
+ * @returns Returns `AnalysisKind.CodeScanning` if `AnalysisKind.CodeScanning` is enabled;
+ * otherwise `AnalysisKind.CodeQuality`.
+ */
+export function getPrimaryAnalysisKind(config: Config): AnalysisKind {
+  return isCodeScanningEnabled(config)
+    ? AnalysisKind.CodeScanning
+    : AnalysisKind.CodeQuality;
+}
+
+/**
+ * Returns the primary analysis configuration that the Action is initialised with. This is
+ * always `CodeScanning` unless `CodeScanning` is not enabled.
+ *
+ * @returns Returns `CodeScanning` if `AnalysisKind.CodeScanning` is enabled; otherwise `CodeQuality`.
+ */
+export function getPrimaryAnalysisConfig(config: Config): AnalysisConfig {
+  return getPrimaryAnalysisKind(config) === AnalysisKind.CodeScanning
+    ? CodeScanning
+    : CodeQuality;
+}

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.22.4",
+  "bundleVersion": "codeql-bundle-v2.23.0",
-  "cliVersion": "2.22.4",
+  "cliVersion": "2.23.0",
-  "priorBundleVersion": "codeql-bundle-v2.22.3",
+  "priorBundleVersion": "codeql-bundle-v2.22.4",
-  "priorCliVersion": "2.22.3"
+  "priorCliVersion": "2.22.4"
 }

src/init-action-post-helper.ts

@@ -4,6 +4,7 @@ import * as core from "@actions/core";
 import * as github from "@actions/github";
 
 import * as actionsUtil from "./actions-util";
+import { CodeScanning } from "./analyses";
 import { getApiClient } from "./api-client";
 import { CodeQL, getCodeQL } from "./codeql";
 import { Config } from "./config-utils";
@@ -104,7 +105,7 @@ async function maybeUploadFailedSarif(
     category,
     features,
     logger,
-    uploadLib.CodeScanningTarget,
+    CodeScanning,
   );
   await uploadLib.waitForProcessing(
     repositoryNwo,

src/init-action.ts

@@ -51,7 +51,9 @@ import { getRepositoryNwo } from "./repository";
 import { ToolsSource } from "./setup-codeql";
 import {
   ActionName,
-  StatusReportBase,
+  InitStatusReport,
+  InitWithConfigStatusReport,
+  createInitWithConfigStatusReport,
   createStatusReportBase,
   getActionsStatus,
   sendStatusReport,
@@ -75,52 +77,9 @@ import {
   ConfigurationError,
   wrapError,
   checkActionVersion,
-  cloneObject,
   getErrorMessage,
 } from "./util";
 import { validateWorkflow } from "./workflow";
-/** Fields of the init status report that can be sent before `config` is populated. */
-interface InitStatusReport extends StatusReportBase {
-  /** Value given by the user as the "tools" input. */
-  tools_input: string;
-  /** Version of the bundle used. */
-  tools_resolved_version: string;
-  /** Where the bundle originated from. */
-  tools_source: ToolsSource;
-  /** Comma-separated list of languages specified explicitly in the workflow file. */
-  workflow_languages: string;
-}
-
-/** Fields of the init status report that are populated using values from `config`. */
-interface InitWithConfigStatusReport extends InitStatusReport {
-  /** Comma-separated list of languages where the default queries are disabled. */
-  disable_default_queries: string;
-  /** Comma-separated list of paths, from the 'paths' config field. */
-  paths: string;
-  /** Comma-separated list of paths, from the 'paths-ignore' config field. */
-  paths_ignore: string;
-  /** Comma-separated list of queries sources, from the 'queries' config field or workflow input. */
-  queries: string;
-  /** Stringified JSON object of packs, from the 'packs' config field or workflow input. */
-  packs: string;
-  /** Comma-separated list of languages for which we are using TRAP caching. */
-  trap_cache_languages: string;
-  /** Size of TRAP caches that we downloaded, in bytes. */
-  trap_cache_download_size_bytes: number;
-  /** Time taken to download TRAP caches, in milliseconds. */
-  trap_cache_download_duration_ms: number;
-  /** Size of the overlay-base database that we downloaded, in bytes. */
-  overlay_base_database_download_size_bytes?: number;
-  /** Time taken to download the overlay-base database, in milliseconds. */
-  overlay_base_database_download_duration_ms?: number;
-  /** Stringified JSON array of registry configuration objects, from the 'registries' config field
-  or workflow input. **/
-  registries: string;
-  /** Stringified JSON object representing a query-filters, from the 'query-filters' config field. **/
-  query_filters: string;
-  /** Path to the specified code scanning config file, from the 'config-file' config field. */
-  config_file: string;
-}
 
 /** Fields of the init status report populated when the tools source is `download`. */
 interface InitToolsDownloadFields {
@@ -180,83 +139,17 @@ async function sendCompletedStatusReport(
   }
 
   if (config !== undefined) {
-    const languages = config.languages.join(",");
-    const paths = (config.originalUserInput.paths || []).join(",");
-    const pathsIgnore = (config.originalUserInput["paths-ignore"] || []).join(
-      ",",
-    );
-    const disableDefaultQueries = config.originalUserInput[
-      "disable-default-queries"
-    ]
-      ? languages
-      : "";
-
-    const queries: string[] = [];
-    let queriesInput = getOptionalInput("queries")?.trim();
-    if (queriesInput === undefined || queriesInput.startsWith("+")) {
-      queries.push(
-        ...(config.originalUserInput.queries || []).map((q) => q.uses),
-      );
-    }
-    if (queriesInput !== undefined) {
-      queriesInput = queriesInput.startsWith("+")
-        ? queriesInput.slice(1)
-        : queriesInput;
-      queries.push(...queriesInput.split(","));
-    }
-
-    let packs: Record<string, string[]> = {};
-    if (
-      (config.augmentationProperties.packsInputCombines ||
-        !config.augmentationProperties.packsInput) &&
-      config.originalUserInput.packs
-    ) {
-      // Make a copy, because we might modify `packs`.
-      const copyPacksFromOriginalUserInput = cloneObject(
-        config.originalUserInput.packs,
-      );
-      // If it is an array, then assume there is only a single language being analyzed.
-      if (Array.isArray(copyPacksFromOriginalUserInput)) {
-        packs[config.languages[0]] = copyPacksFromOriginalUserInput;
-      } else {
-        packs = copyPacksFromOriginalUserInput;
-      }
-    }
-
-    if (config.augmentationProperties.packsInput) {
-      packs[config.languages[0]] ??= [];
-      packs[config.languages[0]].push(
-        ...config.augmentationProperties.packsInput,
-      );
-    }
-
     // Append fields that are dependent on `config`
-    const initWithConfigStatusReport: InitWithConfigStatusReport = {
+    const initWithConfigStatusReport: InitWithConfigStatusReport =
-      ...initStatusReport,
+      await createInitWithConfigStatusReport(
-      config_file: configFile ?? "",
+        config,
-      disable_default_queries: disableDefaultQueries,
+        initStatusReport,
-      paths,
+        configFile,
-      paths_ignore: pathsIgnore,
+        Math.round(
-      queries: queries.join(","),
+          await getTotalCacheSize(Object.values(config.trapCaches), logger),
-      packs: JSON.stringify(packs),
+        ),
-      trap_cache_languages: Object.keys(config.trapCaches).join(","),
+        overlayBaseDatabaseStats,
-      trap_cache_download_size_bytes: Math.round(
+      );
-        await getTotalCacheSize(Object.values(config.trapCaches), logger),
-      ),
-      trap_cache_download_duration_ms: Math.round(config.trapCacheDownloadTime),
-      overlay_base_database_download_size_bytes:
-        overlayBaseDatabaseStats?.databaseSizeBytes,
-      overlay_base_database_download_duration_ms:
-        overlayBaseDatabaseStats?.databaseDownloadDurationMs,
-      query_filters: JSON.stringify(
-        config.originalUserInput["query-filters"] ?? [],
-      ),
-      registries: JSON.stringify(
-        configUtils.parseRegistriesWithoutCredentials(
-          getOptionalInput("registries"),
-        ) ?? [],
-      ),
-    };
     await sendStatusReport({
       ...initWithConfigStatusReport,
       ...initToolsDownloadFields,
@@ -449,9 +342,8 @@ async function run() {
   let overlayBaseDatabaseStats: OverlayBaseDatabaseDownloadStats | undefined;
   try {
     if (
-      config.augmentationProperties.overlayDatabaseMode ===
+      config.overlayDatabaseMode === OverlayDatabaseMode.Overlay &&
-        OverlayDatabaseMode.Overlay &&
+      config.useOverlayDatabaseCaching
-      config.augmentationProperties.useOverlayDatabaseCaching
     ) {
       // OverlayDatabaseMode.Overlay comes in two flavors: with database
       // caching, or without. The flavor with database caching is intended to be
@@ -470,8 +362,7 @@ async function run() {
         logger,
       );
       if (!overlayBaseDatabaseStats) {
-        config.augmentationProperties.overlayDatabaseMode =
+        config.overlayDatabaseMode = OverlayDatabaseMode.None;
-          OverlayDatabaseMode.None;
         logger.info(
           "No overlay-base database found in cache, " +
             `reverting overlay database mode to ${OverlayDatabaseMode.None}.`,
@@ -479,10 +370,7 @@ async function run() {
       }
     }
 
-    if (
+    if (config.overlayDatabaseMode !== OverlayDatabaseMode.Overlay) {
-      config.augmentationProperties.overlayDatabaseMode !==
-      OverlayDatabaseMode.Overlay
-    ) {
       cleanupDatabaseClusterDirectory(config, logger);
     }
 
@@ -739,15 +627,13 @@ async function run() {
     // revert to `OverlayDatabaseMode.None`, re-initialize the database cluster
     // with the new overlay database mode.
     if (
-      config.augmentationProperties.overlayDatabaseMode !==
+      config.overlayDatabaseMode !== OverlayDatabaseMode.None &&
-        OverlayDatabaseMode.None &&
       !(await checkPacksForOverlayCompatibility(codeql, config, logger))
     ) {
       logger.info(
         "Reverting overlay database mode to None due to incompatible packs.",
       );
-      config.augmentationProperties.overlayDatabaseMode =
+      config.overlayDatabaseMode = OverlayDatabaseMode.None;
-        OverlayDatabaseMode.None;
       cleanupDatabaseClusterDirectory(config, logger, {
         disableExistingDirectoryWarning: true,
       });

src/overlay-database-utils.test.ts

@@ -6,6 +6,7 @@ import test from "ava";
 import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
+import * as apiClient from "./api-client";
 import * as gitUtils from "./git-utils";
 import { getRunnerLogger } from "./logging";
 import {
@@ -120,10 +121,8 @@ const testDownloadOverlayBaseDatabaseFromCache = test.macro({
 
       const testCase = { ...defaultDownloadTestCase, ...partialTestCase };
 
-      config.augmentationProperties.overlayDatabaseMode =
+      config.overlayDatabaseMode = testCase.overlayDatabaseMode;
-        testCase.overlayDatabaseMode;
+      config.useOverlayDatabaseCaching = testCase.useOverlayDatabaseCaching;
-      config.augmentationProperties.useOverlayDatabaseCaching =
-        testCase.useOverlayDatabaseCaching;
 
       if (testCase.hasBaseDatabaseOidsFile) {
         const baseDatabaseOidsFile = path.join(
@@ -135,6 +134,11 @@ const testDownloadOverlayBaseDatabaseFromCache = test.macro({
 
       const stubs: sinon.SinonStub[] = [];
 
+      const getAutomationIDStub = sinon
+        .stub(apiClient, "getAutomationID")
+        .resolves("test-automation-id/");
+      stubs.push(getAutomationIDStub);
+
       const isInTestModeStub = sinon
         .stub(utils, "isInTestMode")
         .returns(testCase.isInTestMode);

src/overlay-database-utils.ts

@@ -1,9 +1,11 @@
+import * as crypto from "crypto";
 import * as fs from "fs";
 import * as path from "path";
 
 import * as actionsCache from "@actions/cache";
 
 import { getRequiredInput, getTemporaryDirectory } from "./actions-util";
+import { getAutomationID } from "./api-client";
 import { type CodeQL } from "./codeql";
 import { type Config } from "./config-utils";
 import { getCommitOid, getFileOidsUnderPath } from "./git-utils";
@@ -192,7 +194,7 @@ export async function uploadOverlayBaseDatabaseToCache(
   config: Config,
   logger: Logger,
 ): Promise<boolean> {
-  const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+  const overlayDatabaseMode = config.overlayDatabaseMode;
   if (overlayDatabaseMode !== OverlayDatabaseMode.OverlayBase) {
     logger.debug(
       `Overlay database mode is ${overlayDatabaseMode}. ` +
@@ -200,7 +202,7 @@ export async function uploadOverlayBaseDatabaseToCache(
     );
     return false;
   }
-  if (!config.augmentationProperties.useOverlayDatabaseCaching) {
+  if (!config.useOverlayDatabaseCaching) {
     logger.debug(
       "Overlay database caching is disabled. " +
         "Skip uploading overlay-base database to cache.",
@@ -251,15 +253,19 @@ export async function uploadOverlayBaseDatabaseToCache(
 
   const codeQlVersion = (await codeql.getVersion()).version;
   const checkoutPath = getRequiredInput("checkout_path");
-  const cacheKey = await generateCacheKey(config, codeQlVersion, checkoutPath);
+  const cacheSaveKey = await getCacheSaveKey(
+    config,
+    codeQlVersion,
+    checkoutPath,
+  );
   logger.info(
-    `Uploading overlay-base database to Actions cache with key ${cacheKey}`,
+    `Uploading overlay-base database to Actions cache with key ${cacheSaveKey}`,
   );
 
   try {
     const cacheId = await withTimeout(
       MAX_CACHE_OPERATION_MS,
-      actionsCache.saveCache([dbLocation], cacheKey),
+      actionsCache.saveCache([dbLocation], cacheSaveKey),
       () => {},
     );
     if (cacheId === undefined) {
@@ -298,7 +304,7 @@ export async function downloadOverlayBaseDatabaseFromCache(
   config: Config,
   logger: Logger,
 ): Promise<OverlayBaseDatabaseDownloadStats | undefined> {
-  const overlayDatabaseMode = config.augmentationProperties.overlayDatabaseMode;
+  const overlayDatabaseMode = config.overlayDatabaseMode;
   if (overlayDatabaseMode !== OverlayDatabaseMode.Overlay) {
     logger.debug(
       `Overlay database mode is ${overlayDatabaseMode}. ` +
@@ -306,7 +312,7 @@ export async function downloadOverlayBaseDatabaseFromCache(
     );
     return undefined;
   }
-  if (!config.augmentationProperties.useOverlayDatabaseCaching) {
+  if (!config.useOverlayDatabaseCaching) {
     logger.debug(
       "Overlay database caching is disabled. " +
         "Skip downloading overlay-base database from cache.",
@@ -322,10 +328,14 @@ export async function downloadOverlayBaseDatabaseFromCache(
 
   const dbLocation = config.dbLocation;
   const codeQlVersion = (await codeql.getVersion()).version;
-  const restoreKey = getCacheRestoreKey(config, codeQlVersion);
+  const cacheRestoreKeyPrefix = await getCacheRestoreKeyPrefix(
+    config,
+    codeQlVersion,
+  );
 
   logger.info(
-    `Looking in Actions cache for overlay-base database with restore key ${restoreKey}`,
+    "Looking in Actions cache for overlay-base database with " +
+      `restore key ${cacheRestoreKeyPrefix}`,
   );
 
   let databaseDownloadDurationMs = 0;
@@ -333,7 +343,7 @@ export async function downloadOverlayBaseDatabaseFromCache(
     const databaseDownloadStart = performance.now();
     const foundKey = await withTimeout(
       MAX_CACHE_OPERATION_MS,
-      actionsCache.restoreCache([dbLocation], restoreKey),
+      actionsCache.restoreCache([dbLocation], cacheRestoreKeyPrefix),
       () => {
         logger.info("Timed out downloading overlay-base database from cache");
       },
@@ -387,25 +397,87 @@ export async function downloadOverlayBaseDatabaseFromCache(
   };
 }
 
-async function generateCacheKey(
+/**
+ * Computes the cache key for saving the overlay-base database to the GitHub
+ * Actions cache.
+ *
+ * The key consists of the restore key prefix (which does not include the
+ * commit SHA) and the commit SHA of the current checkout.
+ */
+async function getCacheSaveKey(
   config: Config,
   codeQlVersion: string,
   checkoutPath: string,
 ): Promise<string> {
   const sha = await getCommitOid(checkoutPath);
-  return `${getCacheRestoreKey(config, codeQlVersion)}${sha}`;
+  const restoreKeyPrefix = await getCacheRestoreKeyPrefix(
+    config,
+    codeQlVersion,
+  );
+  return `${restoreKeyPrefix}${sha}`;
 }
 
-function getCacheRestoreKey(config: Config, codeQlVersion: string): string {
+/**
-  // The restore key (prefix) specifies which cached overlay-base databases are
+ * Computes the cache key prefix for restoring the overlay-base database from
-  // compatible with the current analysis: the cached database must have the
+ * the GitHub Actions cache.
-  // same cache version and the same CodeQL bundle version.
+ *
-  //
+ * Actions cache supports using multiple restore keys to indicate preference,
-  // Actions cache supports using multiple restore keys to indicate preference.
+ * and this function could in principle take advantage of that feature by
-  // Technically we prefer a cached overlay-base database with the same SHA as
+ * returning a list of restore key prefixes. However, since overlay-base
-  // we are analyzing. However, since overlay-base databases are built from the
+ * databases are built from the default branch and used in PR analysis, it is
-  // default branch and used in PR analysis, it is exceedingly unlikely that
+ * exceedingly unlikely that the commit SHA will ever be the same.
-  // the commit SHA will ever be the same, so we can just leave it out.
+ *
+ * Therefore, this function returns only a single restore key prefix, which does
+ * not include the commit SHA. This allows us to restore the most recent
+ * compatible overlay-base database.
+ */
+async function getCacheRestoreKeyPrefix(
+  config: Config,
+  codeQlVersion: string,
+): Promise<string> {
   const languages = [...config.languages].sort().join("_");
-  return `${CACHE_PREFIX}-${CACHE_VERSION}-${languages}-${codeQlVersion}-`;
+
+  const cacheKeyComponents = {
+    automationID: await getAutomationID(),
+    // Add more components here as needed in the future
+  };
+  const componentsHash = createCacheKeyHash(cacheKeyComponents);
+
+  // For a cached overlay-base database to be considered compatible for overlay
+  // analysis, all components in the cache restore key must match:
+  //
+  // CACHE_PREFIX: distinguishes overlay-base databases from other cache objects
+  // CACHE_VERSION: cache format version
+  // componentsHash: hash of additional components (see above for details)
+  // languages: the languages included in the overlay-base database
+  // codeQlVersion: CodeQL bundle version
+  //
+  // Technically we can also include languages and codeQlVersion in the
+  // componentsHash, but including them explicitly in the cache key makes it
+  // easier to debug and understand the cache key structure.
+  return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languages}-${codeQlVersion}-`;
+}
+
+/**
+ * Creates a SHA-256 hash of the cache key components to ensure uniqueness
+ * while keeping the cache key length manageable.
+ *
+ * @param components Object containing all components that should influence cache key uniqueness
+ * @returns A short SHA-256 hash (first 16 characters) of the components
+ */
+function createCacheKeyHash(components: Record<string, any>): string {
+  // From https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify
+  //
+  // "Properties are visited using the same algorithm as Object.keys(), which
+  // has a well-defined order and is stable across implementations. For example,
+  // JSON.stringify on the same object will always produce the same string, and
+  // JSON.parse(JSON.stringify(obj)) would produce an object with the same key
+  // ordering as the original (assuming the object is completely
+  // JSON-serializable)."
+  const componentsJson = JSON.stringify(components);
+  return crypto
+    .createHash("sha256")
+    .update(componentsJson)
+    .digest("hex")
+    .substring(0, 16);
 }

src/start-proxy.test.ts

@@ -11,6 +11,14 @@ setupTests(test);
 const toEncodedJSON = (data: any) =>
   Buffer.from(JSON.stringify(data)).toString("base64");
 
+const mixedCredentials = [
+  { type: "npm_registry", host: "npm.pkg.github.com", token: "abc" },
+  { type: "maven_repository", host: "maven.pkg.github.com", token: "def" },
+  { type: "nuget_feed", host: "nuget.pkg.github.com", token: "ghi" },
+  { type: "goproxy_server", host: "goproxy.example.com", token: "jkl" },
+  { type: "git_source", host: "github.com/github", token: "mno" },
+];
+
 test("getCredentials prefers registriesCredentials over registrySecrets", async (t) => {
   const registryCredentials = Buffer.from(
     JSON.stringify([
@@ -94,13 +102,6 @@ test("getCredentials throws error when credential missing host and url", async (
 });
 
 test("getCredentials filters by language when specified", async (t) => {
-  const mixedCredentials = [
-    { type: "npm_registry", host: "npm.pkg.github.com", token: "abc" },
-    { type: "maven_repository", host: "maven.pkg.github.com", token: "def" },
-    { type: "nuget_feed", host: "nuget.pkg.github.com", token: "ghi" },
-    { type: "goproxy_server", host: "goproxy.example.com", token: "jkl" },
-  ];
-
   const credentials = startProxyExports.getCredentials(
     getRunnerLogger(true),
     undefined,
@@ -111,13 +112,21 @@ test("getCredentials filters by language when specified", async (t) => {
   t.is(credentials[0].type, "maven_repository");
 });
 
+test("getCredentials returns all for a language when specified", async (t) => {
+  const credentials = startProxyExports.getCredentials(
+    getRunnerLogger(true),
+    undefined,
+    toEncodedJSON(mixedCredentials),
+    "go",
+  );
+  t.is(credentials.length, 2);
+
+  const credentialsTypes = credentials.map((c) => c.type);
+  t.assert(credentialsTypes.includes("goproxy_server"));
+  t.assert(credentialsTypes.includes("git_source"));
+});
+
 test("getCredentials returns all credentials when no language specified", async (t) => {
-  const mixedCredentials = [
-    { type: "npm_registry", host: "npm.pkg.github.com", token: "abc" },
-    { type: "maven_repository", host: "maven.pkg.github.com", token: "def" },
-    { type: "nuget_feed", host: "nuget.pkg.github.com", token: "ghi" },
-    { type: "goproxy_server", host: "goproxy.example.com", token: "jkl" },
-  ];
   const credentialsInput = toEncodedJSON(mixedCredentials);
 
   const credentials = startProxyExports.getCredentials(

src/start-proxy.ts

@@ -2,7 +2,7 @@ import * as core from "@actions/core";
 
 import { KnownLanguage } from "./languages";
 import { Logger } from "./logging";
-import { ConfigurationError } from "./util";
+import { ConfigurationError, isDefined } from "./util";
 
 export type Credential = {
   type: string;
@@ -55,25 +55,16 @@ export function parseLanguage(language: string): KnownLanguage | undefined {
   return undefined;
 }
 
-const LANGUAGE_TO_REGISTRY_TYPE: Partial<Record<KnownLanguage, string>> = {
+const LANGUAGE_TO_REGISTRY_TYPE: Partial<Record<KnownLanguage, string[]>> = {
-  java: "maven_repository",
+  java: ["maven_repository"],
-  csharp: "nuget_feed",
+  csharp: ["nuget_feed"],
-  javascript: "npm_registry",
+  javascript: ["npm_registry"],
-  python: "python_index",
+  python: ["python_index"],
-  ruby: "rubygems_server",
+  ruby: ["rubygems_server"],
-  rust: "cargo_registry",
+  rust: ["cargo_registry"],
-  go: "goproxy_server",
+  go: ["goproxy_server", "git_source"],
 } as const;
 
-/**
- * Checks that `value` is neither `undefined` nor `null`.
- * @param value The value to test.
- * @returns Narrows the type of `value` to exclude `undefined` and `null`.
- */
-function isDefined<T>(value: T | null | undefined): value is T {
-  return value !== undefined && value !== null;
-}
-
 // getCredentials returns registry credentials from action inputs.
 // It prefers `registries_credentials` over `registry_secrets`.
 // If neither is set, it returns an empty array.
@@ -140,7 +131,10 @@ export function getCredentials(
 
     // Filter credentials based on language if specified. `type` is the registry type.
     // E.g., "maven_feed" for Java/Kotlin, "nuget_repository" for C#.
-    if (registryTypeForLanguage && e.type !== registryTypeForLanguage) {
+    if (
+      registryTypeForLanguage &&
+      !registryTypeForLanguage.some((t) => t === e.type)
+    ) {
       continue;
     }
 

src/status-report.test.ts

@@ -2,13 +2,18 @@ import test from "ava";
 import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
+import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
 import { KnownLanguage } from "./languages";
 import { getRunnerLogger } from "./logging";
+import { ToolsSource } from "./setup-codeql";
 import {
   ActionName,
+  createInitWithConfigStatusReport,
   createStatusReportBase,
   getActionsStatus,
+  InitStatusReport,
+  InitWithConfigStatusReport,
 } from "./status-report";
 import {
   setupTests,
@@ -243,3 +248,103 @@ test("getActionStatus handling correctly various types of errors", (t) => {
     "We still recognise a wrapped ConfigurationError as a user error",
   );
 });
+
+const testCreateInitWithConfigStatusReport = test.macro({
+  exec: async (
+    t,
+    _title: string,
+    config: Config,
+    expectedReportProperties: Partial<InitWithConfigStatusReport>,
+  ) => {
+    await withTmpDir(async (tmpDir: string) => {
+      setupEnvironmentAndStub(tmpDir);
+
+      const statusReportBase = await createStatusReportBase(
+        ActionName.Init,
+        "failure",
+        new Date("May 19, 2023 05:19:00"),
+        config,
+        { numAvailableBytes: 100, numTotalBytes: 500 },
+        getRunnerLogger(false),
+        "failure cause",
+        "exception stack trace",
+      );
+
+      if (t.truthy(statusReportBase)) {
+        const initStatusReport: InitStatusReport = {
+          ...statusReportBase,
+          tools_input: "",
+          tools_resolved_version: "foo",
+          tools_source: ToolsSource.Unknown,
+          workflow_languages: "actions",
+        };
+
+        const initWithConfigStatusReport =
+          await createInitWithConfigStatusReport(
+            config,
+            initStatusReport,
+            undefined,
+            1024,
+            undefined,
+          );
+
+        if (t.truthy(initWithConfigStatusReport)) {
+          t.like(initWithConfigStatusReport, expectedReportProperties);
+        }
+      }
+    });
+  },
+  title: (_, title) => `createInitWithConfigStatusReport: ${title}`,
+});
+
+test(
+  testCreateInitWithConfigStatusReport,
+  "returns a value",
+  createTestConfig({
+    buildMode: BuildMode.None,
+    languages: [KnownLanguage.java, KnownLanguage.swift],
+  }),
+  {
+    trap_cache_download_size_bytes: 1024,
+    registries: "[]",
+    query_filters: "[]",
+    packs: "{}",
+  },
+);
+
+test(
+  testCreateInitWithConfigStatusReport,
+  "includes packs for a single language",
+  createTestConfig({
+    buildMode: BuildMode.None,
+    languages: [KnownLanguage.java],
+    computedConfig: {
+      packs: ["foo", "bar"],
+    },
+  }),
+  {
+    registries: "[]",
+    query_filters: "[]",
+    packs: JSON.stringify({ java: ["foo", "bar"] }),
+  },
+);
+
+test(
+  testCreateInitWithConfigStatusReport,
+  "includes packs for multiple languages",
+  createTestConfig({
+    buildMode: BuildMode.None,
+    languages: [KnownLanguage.java, KnownLanguage.swift],
+    computedConfig: {
+      packs: { java: ["java-foo", "java-bar"], swift: ["swift-bar"] },
+    },
+  }),
+  {
+    registries: "[]",
+    query_filters: "[]",
+    packs: JSON.stringify({
+      java: ["java-foo", "java-bar"],
+      swift: ["swift-bar"],
+    }),
+  },
+);

src/status-report.ts

@@ -12,12 +12,14 @@ import {
   isSelfHostedRunner,
 } from "./actions-util";
 import { getAnalysisKey, getApiClient } from "./api-client";
-import { type Config } from "./config-utils";
+import { parseRegistriesWithoutCredentials, type Config } from "./config-utils";
 import { DocUrl } from "./doc-url";
 import { EnvVar } from "./environment";
 import { getRef } from "./git-utils";
 import { Logger } from "./logging";
+import { OverlayBaseDatabaseDownloadStats } from "./overlay-database-utils";
 import { getRepositoryNwo } from "./repository";
+import { ToolsSource } from "./setup-codeql";
 import {
   ConfigurationError,
   isHTTPError,
@@ -460,3 +462,119 @@ export async function sendStatusReport<S extends StatusReportBase>(
     );
   }
 }
+
+/** Fields of the init status report that can be sent before `config` is populated. */
+export interface InitStatusReport extends StatusReportBase {
+  /** Value given by the user as the "tools" input. */
+  tools_input: string;
+  /** Version of the bundle used. */
+  tools_resolved_version: string;
+  /** Where the bundle originated from. */
+  tools_source: ToolsSource;
+  /** Comma-separated list of languages specified explicitly in the workflow file. */
+  workflow_languages: string;
+}
+
+/** Fields of the init status report that are populated using values from `config`. */
+export interface InitWithConfigStatusReport extends InitStatusReport {
+  /** Comma-separated list of languages where the default queries are disabled. */
+  disable_default_queries: string;
+  /** Comma-separated list of paths, from the 'paths' config field. */
+  paths: string;
+  /** Comma-separated list of paths, from the 'paths-ignore' config field. */
+  paths_ignore: string;
+  /** Comma-separated list of queries sources, from the 'queries' config field or workflow input. */
+  queries: string;
+  /** Stringified JSON object of packs, from the 'packs' config field or workflow input. */
+  packs: string;
+  /** Comma-separated list of languages for which we are using TRAP caching. */
+  trap_cache_languages: string;
+  /** Size of TRAP caches that we downloaded, in bytes. */
+  trap_cache_download_size_bytes: number;
+  /** Time taken to download TRAP caches, in milliseconds. */
+  trap_cache_download_duration_ms: number;
+  /** Size of the overlay-base database that we downloaded, in bytes. */
+  overlay_base_database_download_size_bytes?: number;
+  /** Time taken to download the overlay-base database, in milliseconds. */
+  overlay_base_database_download_duration_ms?: number;
+  /** Stringified JSON array of registry configuration objects, from the 'registries' config field
+  or workflow input. **/
+  registries: string;
+  /** Stringified JSON object representing a query-filters, from the 'query-filters' config field. **/
+  query_filters: string;
+  /** Path to the specified code scanning config file, from the 'config-file' config field. */
+  config_file: string;
+}
+
+/**
+ * Composes a `InitWithConfigStatusReport` from the given values.
+ *
+ * @param config The CodeQL Action configuration whose values should be added to the base status report.
+ * @param initStatusReport The base status report.
+ * @param configFile Optionally, the filename of the configuration file that was read.
+ * @param totalCacheSize The computed total TRAP cache size.
+ * @param overlayBaseDatabaseStats Statistics about the overlay database, if any.
+ * @returns
+ */
+export async function createInitWithConfigStatusReport(
+  config: Config,
+  initStatusReport: InitStatusReport,
+  configFile: string | undefined,
+  totalCacheSize: number,
+  overlayBaseDatabaseStats: OverlayBaseDatabaseDownloadStats | undefined,
+): Promise<InitWithConfigStatusReport> {
+  const languages = config.languages.join(",");
+  const paths = (config.originalUserInput.paths || []).join(",");
+  const pathsIgnore = (config.originalUserInput["paths-ignore"] || []).join(
+    ",",
+  );
+  const disableDefaultQueries = config.originalUserInput[
+    "disable-default-queries"
+  ]
+    ? languages
+    : "";
+
+  const queries: string[] = [];
+  let queriesInput = getOptionalInput("queries")?.trim();
+  if (queriesInput === undefined || queriesInput.startsWith("+")) {
+    queries.push(
+      ...(config.originalUserInput.queries || []).map((q) => q.uses),
+    );
+  }
+  if (queriesInput !== undefined) {
+    queriesInput = queriesInput.startsWith("+")
+      ? queriesInput.slice(1)
+      : queriesInput;
+    queries.push(...queriesInput.split(","));
+  }
+
+  let packs: Record<string, string[]> = {};
+  if (Array.isArray(config.computedConfig.packs)) {
+    packs[config.languages[0]] = config.computedConfig.packs;
+  } else if (config.computedConfig.packs !== undefined) {
+    packs = config.computedConfig.packs;
+  }
+
+  return {
+    ...initStatusReport,
+    config_file: configFile ?? "",
+    disable_default_queries: disableDefaultQueries,
+    paths,
+    paths_ignore: pathsIgnore,
+    queries: queries.join(","),
+    packs: JSON.stringify(packs),
+    trap_cache_languages: Object.keys(config.trapCaches).join(","),
+    trap_cache_download_size_bytes: totalCacheSize,
+    trap_cache_download_duration_ms: Math.round(config.trapCacheDownloadTime),
+    overlay_base_database_download_size_bytes:
+      overlayBaseDatabaseStats?.databaseSizeBytes,
+    overlay_base_database_download_duration_ms:
+      overlayBaseDatabaseStats?.databaseDownloadDurationMs,
+    query_filters: JSON.stringify(
+      config.originalUserInput["query-filters"] ?? [],
+    ),
+    registries: JSON.stringify(
+      parseRegistriesWithoutCredentials(getOptionalInput("registries")) ?? [],
+    ),
+  };
+}

src/testing-utils.ts

@@ -360,6 +360,7 @@ export function createTestConfig(overrides: Partial<Config>): Config {
       languages: [],
       buildMode: undefined,
       originalUserInput: {},
+      computedConfig: {},
       tempDir: "",
       codeQLCmd: "",
       gitHubVersion: {
@@ -369,16 +370,12 @@ export function createTestConfig(overrides: Partial<Config>): Config {
       debugMode: false,
       debugArtifactName: DEFAULT_DEBUG_ARTIFACT_NAME,
       debugDatabaseName: DEFAULT_DEBUG_DATABASE_NAME,
-      augmentationProperties: {
-        packsInputCombines: false,
-        queriesInputCombines: false,
-        extraQueryExclusions: [],
-        overlayDatabaseMode: OverlayDatabaseMode.None,
-        useOverlayDatabaseCaching: false,
-      },
       trapCaches: {},
       trapCacheDownloadTime: 0,
       dependencyCachingEnabled: CachingKind.None,
+      extraQueryExclusions: [],
+      overlayDatabaseMode: OverlayDatabaseMode.None,
+      useOverlayDatabaseCaching: false,
     } satisfies Config,
     overrides,
   );

src/upload-lib.test.ts

@@ -3,6 +3,7 @@ import * as path from "path";
 
 import test from "ava";
 
+import { CodeQuality, CodeScanning } from "./analyses";
 import { getRunnerLogger, Logger } from "./logging";
 import { setupTests } from "./testing-utils";
 import * as uploadLib from "./upload-lib";
@@ -128,7 +129,7 @@ test("finding SARIF files", async (t) => {
 
     const sarifFiles = uploadLib.findSarifFilesInDir(
       tmpDir,
-      uploadLib.CodeScanningTarget.sarifPredicate,
+      CodeScanning.sarifPredicate,
     );
 
     t.deepEqual(sarifFiles, [
@@ -140,7 +141,7 @@ test("finding SARIF files", async (t) => {
 
     const qualitySarifFiles = uploadLib.findSarifFilesInDir(
       tmpDir,
-      uploadLib.CodeQualityTarget.sarifPredicate,
+      CodeQuality.sarifPredicate,
     );
 
     t.deepEqual(qualitySarifFiles, [
@@ -211,109 +212,237 @@ test("populateRunAutomationDetails", (t) => {
 });
 
 test("validateUniqueCategory when empty", (t) => {
-  t.notThrows(() => uploadLib.validateUniqueCategory(createMockSarif()));
+  t.notThrows(() =>
-  t.throws(() => uploadLib.validateUniqueCategory(createMockSarif()));
+    uploadLib.validateUniqueCategory(
+      createMockSarif(),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
+  t.throws(() =>
+    uploadLib.validateUniqueCategory(
+      createMockSarif(),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
 });
 
 test("validateUniqueCategory for automation details id", (t) => {
-  t.notThrows(() => uploadLib.validateUniqueCategory(createMockSarif("abc")));
+  t.notThrows(() =>
-  t.throws(() => uploadLib.validateUniqueCategory(createMockSarif("abc")));
+    uploadLib.validateUniqueCategory(
-  t.throws(() => uploadLib.validateUniqueCategory(createMockSarif("AbC")));
+      createMockSarif("abc"),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
+  t.throws(() =>
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc"),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
+  t.throws(() =>
+    uploadLib.validateUniqueCategory(
+      createMockSarif("AbC"),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
 
-  t.notThrows(() => uploadLib.validateUniqueCategory(createMockSarif("def")));
+  t.notThrows(() =>
-  t.throws(() => uploadLib.validateUniqueCategory(createMockSarif("def")));
+    uploadLib.validateUniqueCategory(
+      createMockSarif("def"),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
+  t.throws(() =>
+    uploadLib.validateUniqueCategory(
+      createMockSarif("def"),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
 
   // Our category sanitization is not perfect. Here are some examples
   // of where we see false clashes
   t.notThrows(() =>
-    uploadLib.validateUniqueCategory(createMockSarif("abc/def")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc/def"),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
+  t.throws(() =>
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc@def"),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
+  t.throws(() =>
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc_def"),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
+  t.throws(() =>
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc def"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
-  t.throws(() => uploadLib.validateUniqueCategory(createMockSarif("abc@def")));
-  t.throws(() => uploadLib.validateUniqueCategory(createMockSarif("abc_def")));
-  t.throws(() => uploadLib.validateUniqueCategory(createMockSarif("abc def")));
 
   // this one is fine
   t.notThrows(() =>
-    uploadLib.validateUniqueCategory(createMockSarif("abc_ def")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc_ def"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
 });
 
 test("validateUniqueCategory for tool name", (t) => {
   t.notThrows(() =>
-    uploadLib.validateUniqueCategory(createMockSarif(undefined, "abc")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif(undefined, "abc"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
   t.throws(() =>
-    uploadLib.validateUniqueCategory(createMockSarif(undefined, "abc")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif(undefined, "abc"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
   t.throws(() =>
-    uploadLib.validateUniqueCategory(createMockSarif(undefined, "AbC")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif(undefined, "AbC"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
 
   t.notThrows(() =>
-    uploadLib.validateUniqueCategory(createMockSarif(undefined, "def")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif(undefined, "def"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
   t.throws(() =>
-    uploadLib.validateUniqueCategory(createMockSarif(undefined, "def")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif(undefined, "def"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
 
   // Our category sanitization is not perfect. Here are some examples
   // of where we see false clashes
   t.notThrows(() =>
-    uploadLib.validateUniqueCategory(createMockSarif(undefined, "abc/def")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif(undefined, "abc/def"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
   t.throws(() =>
-    uploadLib.validateUniqueCategory(createMockSarif(undefined, "abc@def")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif(undefined, "abc@def"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
   t.throws(() =>
-    uploadLib.validateUniqueCategory(createMockSarif(undefined, "abc_def")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif(undefined, "abc_def"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
   t.throws(() =>
-    uploadLib.validateUniqueCategory(createMockSarif(undefined, "abc def")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif(undefined, "abc def"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
 
   // this one is fine
   t.notThrows(() =>
-    uploadLib.validateUniqueCategory(createMockSarif("abc_ def")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc_ def"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
 });
 
 test("validateUniqueCategory for automation details id and tool name", (t) => {
   t.notThrows(() =>
-    uploadLib.validateUniqueCategory(createMockSarif("abc", "abc")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc", "abc"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
   t.throws(() =>
-    uploadLib.validateUniqueCategory(createMockSarif("abc", "abc")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc", "abc"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
 
   t.notThrows(() =>
-    uploadLib.validateUniqueCategory(createMockSarif("abc_", "def")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc_", "def"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
   t.throws(() =>
-    uploadLib.validateUniqueCategory(createMockSarif("abc_", "def")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc_", "def"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
 
   t.notThrows(() =>
-    uploadLib.validateUniqueCategory(createMockSarif("ghi", "_jkl")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif("ghi", "_jkl"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
   t.throws(() =>
-    uploadLib.validateUniqueCategory(createMockSarif("ghi", "_jkl")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif("ghi", "_jkl"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
 
   // Our category sanitization is not perfect. Here are some examples
   // of where we see false clashes
-  t.notThrows(() => uploadLib.validateUniqueCategory(createMockSarif("abc")));
-  t.throws(() => uploadLib.validateUniqueCategory(createMockSarif("abc", "_")));
-
   t.notThrows(() =>
-    uploadLib.validateUniqueCategory(createMockSarif("abc", "def__")),
+    uploadLib.validateUniqueCategory(
-  );
+      createMockSarif("abc"),
-  t.throws(() => uploadLib.validateUniqueCategory(createMockSarif("abc_def")));
+      CodeScanning.sentinelPrefix,
-
+    ),
-  t.notThrows(() =>
-    uploadLib.validateUniqueCategory(createMockSarif("mno_", "pqr")),
   );
   t.throws(() =>
-    uploadLib.validateUniqueCategory(createMockSarif("mno", "_pqr")),
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc", "_"),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
+
+  t.notThrows(() =>
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc", "def__"),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
+  t.throws(() =>
+    uploadLib.validateUniqueCategory(
+      createMockSarif("abc_def"),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
+
+  t.notThrows(() =>
+    uploadLib.validateUniqueCategory(
+      createMockSarif("mno_", "pqr"),
+      CodeScanning.sentinelPrefix,
+    ),
+  );
+  t.throws(() =>
+    uploadLib.validateUniqueCategory(
+      createMockSarif("mno", "_pqr"),
+      CodeScanning.sentinelPrefix,
+    ),
   );
 });
 
@@ -323,19 +452,30 @@ test("validateUniqueCategory for multiple runs", (t) => {
 
   // duplicate categories are allowed within the same sarif file
   const multiSarif = { runs: [sarif1.runs[0], sarif1.runs[0], sarif2.runs[0]] };
-  t.notThrows(() => uploadLib.validateUniqueCategory(multiSarif));
+  t.notThrows(() =>
+    uploadLib.validateUniqueCategory(multiSarif, CodeScanning.sentinelPrefix),
+  );
 
   // should throw if there are duplicate categories in separate validations
-  t.throws(() => uploadLib.validateUniqueCategory(sarif1));
+  t.throws(() =>
-  t.throws(() => uploadLib.validateUniqueCategory(sarif2));
+    uploadLib.validateUniqueCategory(sarif1, CodeScanning.sentinelPrefix),
+  );
+  t.throws(() =>
+    uploadLib.validateUniqueCategory(sarif2, CodeScanning.sentinelPrefix),
+  );
 });
 
 test("validateUniqueCategory with different prefixes", (t) => {
-  t.notThrows(() => uploadLib.validateUniqueCategory(createMockSarif()));
   t.notThrows(() =>
     uploadLib.validateUniqueCategory(
       createMockSarif(),
-      uploadLib.CodeQualityTarget.sentinelPrefix,
+      CodeScanning.sentinelPrefix,
+    ),
+  );
+  t.notThrows(() =>
+    uploadLib.validateUniqueCategory(
+      createMockSarif(),
+      CodeQuality.sentinelPrefix,
     ),
   );
 });

src/upload-lib.ts

@@ -8,6 +8,7 @@ import { OctokitResponse } from "@octokit/types";
 import * as jsonschema from "jsonschema";
 
 import * as actionsUtil from "./actions-util";
+import * as analyses from "./analyses";
 import * as api from "./api-client";
 import { getGitHubVersion, wrapApiConfigurationError } from "./api-client";
 import { CodeQL, getCodeQL } from "./codeql";
@@ -345,19 +346,13 @@ function getAutomationID(
   return api.computeAutomationID(analysis_key, environment);
 }
 
-// Enumerates API endpoints that accept SARIF files.
-export enum SARIF_UPLOAD_ENDPOINT {
-  CODE_SCANNING = "PUT /repos/:owner/:repo/code-scanning/analysis",
-  CODE_QUALITY = "PUT /repos/:owner/:repo/code-quality/analysis",
-}
-
 // Upload the given payload.
 // If the request fails then this will retry a small number of times.
 async function uploadPayload(
   payload: any,
   repositoryNwo: RepositoryNwo,
   logger: Logger,
-  target: SARIF_UPLOAD_ENDPOINT,
+  target: analyses.SARIF_UPLOAD_ENDPOINT,
 ): Promise<string> {
   logger.info("Uploading results");
 
@@ -616,31 +611,6 @@ export function buildPayload(
   return payloadObj;
 }
 
-// Represents configurations for different services that we can upload SARIF to.
-export interface UploadTarget {
-  name: string;
-  target: SARIF_UPLOAD_ENDPOINT;
-  sarifPredicate: (name: string) => boolean;
-  sentinelPrefix: string;
-}
-
-// Represents the Code Scanning upload target.
-export const CodeScanningTarget: UploadTarget = {
-  name: "code scanning",
-  target: SARIF_UPLOAD_ENDPOINT.CODE_SCANNING,
-  sarifPredicate: (name) =>
-    name.endsWith(".sarif") && !CodeQualityTarget.sarifPredicate(name),
-  sentinelPrefix: "CODEQL_UPLOAD_SARIF_",
-};
-
-// Represents the Code Quality upload target.
-export const CodeQualityTarget: UploadTarget = {
-  name: "code quality",
-  target: SARIF_UPLOAD_ENDPOINT.CODE_QUALITY,
-  sarifPredicate: (name) => name.endsWith(".quality.sarif"),
-  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_",
-};
-
 /**
  * Uploads a single SARIF file or a directory of SARIF files depending on what `inputSarifPath` refers
  * to.
@@ -651,7 +621,7 @@ export async function uploadFiles(
   category: string | undefined,
   features: FeatureEnablement,
   logger: Logger,
-  uploadTarget: UploadTarget,
+  uploadTarget: analyses.AnalysisConfig,
 ): Promise<UploadResult> {
   const sarifPaths = getSarifFilePaths(
     inputSarifPath,
@@ -677,7 +647,7 @@ export async function uploadSpecifiedFiles(
   category: string | undefined,
   features: FeatureEnablement,
   logger: Logger,
-  uploadTarget: UploadTarget = CodeScanningTarget,
+  uploadTarget: analyses.AnalysisConfig,
 ): Promise<UploadResult> {
   logger.startGroup(`Uploading ${uploadTarget.name} results`);
   logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
@@ -943,7 +913,7 @@ function handleProcessingResultForUnsuccessfulExecution(
 
 export function validateUniqueCategory(
   sarif: SarifFile,
-  sentinelPrefix: string = CodeScanningTarget.sentinelPrefix,
+  sentinelPrefix: string,
 ): void {
   // duplicate categories are allowed in the same sarif file
   // but not across multiple sarif files

src/upload-sarif-action.ts

@@ -4,6 +4,7 @@ import * as core from "@actions/core";
 
 import * as actionsUtil from "./actions-util";
 import { getActionVersion, getTemporaryDirectory } from "./actions-util";
+import * as analyses from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import { Features } from "./feature-flags";
 import { Logger, getActionsLogger } from "./logging";
@@ -95,7 +96,7 @@ async function run() {
       category,
       features,
       logger,
-      upload_lib.CodeScanningTarget,
+      analyses.CodeScanning,
     );
     core.setOutput("sarif-id", uploadResult.sarifID);
 
@@ -105,7 +106,7 @@ async function run() {
     if (fs.lstatSync(sarifPath).isDirectory()) {
       const qualitySarifFiles = upload_lib.findSarifFilesInDir(
         sarifPath,
-        upload_lib.CodeQualityTarget.sarifPredicate,
+        analyses.CodeQuality.sarifPredicate,
       );
 
       if (qualitySarifFiles.length !== 0) {
@@ -115,7 +116,7 @@ async function run() {
           actionsUtil.fixCodeQualityCategory(logger, category),
           features,
           logger,
-          upload_lib.CodeQualityTarget,
+          analyses.CodeQuality,
         );
       }
     }

src/util.ts

@@ -1278,3 +1278,12 @@ export async function asyncSome<T>(
   const results = await Promise.all(array.map(predicate));
   return results.some((result) => result);
 }
+
+/**
+ * Checks that `value` is neither `undefined` nor `null`.
+ * @param value The value to test.
+ * @returns Narrows the type of `value` to exclude `undefined` and `null`.
+ */
+export function isDefined<T>(value: T | null | undefined): value is T {
+  return value !== undefined && value !== null;
+}

tests/multi-language-repo/.gitignore

@@ -1,9 +1,11 @@
 .DS_Store
 /.build
 /Packages
+/obj
 /*.xcodeproj
 xcuserdata/
 DerivedData/
 .swiftpm/config/registries.json
 .swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata
 .netrc
+multi-language-repo.sln