Generate UserConfig from schema ... ish

Add command for turning JSON schemas into TypeScript typings
Make schema for QueryFilter less strict
2025-12-12 18:50:12 +08:00 · 2025-10-17 16:19:12 +01:00 · 2025-10-17 16:12:28 +01:00 · 2025-10-17 15:11:16 +01:00 · 2025-10-17 15:11:13 +01:00 · 2025-10-17 15:09:05 +01:00
104 changed files with 152542 additions and 5071 deletions
--- a/.github/actions/check-sarif/action.yml
+++ b/.github/actions/check-sarif/action.yml
@@ -16,5 +16,5 @@ inputs:
      Comma separated list of query ids that should NOT be included in this SARIF file.

 runs:
-  using: node20
+  using: node24
  main: index.js
--- a/.github/actions/prepare-test/action.yml
+++ b/.github/actions/prepare-test/action.yml
@@ -2,7 +2,7 @@ name: "Prepare test"
 description: Performs some preparation to run tests
 inputs:
  version:
-    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
+    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'toolcache', 'nightly', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
    required: true
  use-all-platform-bundle:
    description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
@@ -41,6 +41,9 @@ runs:
        elif [[ "$VERSION" == "linked" ]]; then
          echo "tools-url=linked" >> "$GITHUB_OUTPUT"
          exit 0
+        elif [[ "$VERSION" == "toolcache" ]]; then
+          echo "tools-url=toolcache" >> "$GITHUB_OUTPUT"
+          exit 0
        elif [[ "$VERSION" == "default" ]]; then
          echo "tools-url=" >> "$GITHUB_OUTPUT"
          exit 0
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,9 +16,12 @@ updates:
      - dependency-name: "eslint-plugin-import"
        versions: [">=2.30.0"]
    groups:
-      npm:
+      npm-minor:
        patterns:
          - "*"
+        update-types:
+          - "minor"
+          - "patch"
  - package-ecosystem: github-actions
    directories:
      - "/.github/workflows"
@@ -28,6 +31,9 @@ updates:
    labels:
      - Rebuild
    groups:
-      actions:
+      actions-minor:
        patterns:
          - "*"
+        update-types:
+          - "minor"
+          - "patch"
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,4 +1,13 @@
-<!-- For GitHub staff: Remember that this is a public repository. -->
+<!--
+    For GitHub staff: Remember that this is a public repository. Do not link to internal resources.
+                      If necessary, link to this PR from an internal issue and include further details there.
+
+    Everyone: Include a summary of the context of this change, what it aims to accomplish, and why you
+              chose the approach you did if applicable. Indicate any open questions you want to answer
+              during the review process and anything you want reviewers to pay particular attention to.
+
+    See https://github.com/github/codeql-action/blob/main/CONTRIBUTING.md for additional information.
+-->

 ### Risk assessment

@@ -7,6 +16,44 @@ For internal use only. Please select the risk level of this change:
 - **Low risk:** Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.
 - **High risk:** Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.

+#### Which use cases does this change impact?
+
+<!-- Delete options that don't apply. -->
+
+- **Advanced setup** - Impacts users who have custom workflows.
+- **Default setup** - Impacts users who use default setup.
+- **Code Scanning** - Impacts Code Scanning (i.e. `analysis-kinds: code-scanning`).
+- **Code Quality** - Impacts Code Quality (i.e. `analysis-kinds: code-quality`).
+- **Third-party analyses** - Impacts third-party analyses (i.e. `upload-sarif`).
+- **GHES** - Impacts GitHub Enterprise Server.
+
+#### How did/will you validate this change?
+
+<!-- Delete options that don't apply. -->
+
+- **Test repository** - This change will be tested on a test repository before merging.
+- **Unit tests** - I am depending on unit test coverage (i.e. tests in `.test.ts` files).
+- **End-to-end tests** - I am depending on PR checks (i.e. tests in `pr-checks`).
+- **Other** - Please provide details.
+- **None** - I am not validating these changes.
+
+#### If something goes wrong after this change is released, what are the mitigation and rollback strategies?
+
+<!-- Delete strategies that don't apply. -->
+
+- **Feature flags** - All new or changed code paths can be fully disabled with corresponding feature flags.
+- **Rollback** - Change can only be disabled by rolling back the release or releasing a new version with a fix.
+- **Other** - Please provide details.
+
+#### How will you know if something goes wrong after this change is released?
+
+<!-- Delete options that don't apply. -->
+
+- **Telemetry** - I rely on existing telemetry or have made changes to the telemetry.
+    - **Dashboards** - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
+    - **Alerts** - New or existing monitors will trip if something goes wrong with this change.
+- **Other** - Please provide details.
+
 ### Merge / deployment checklist

 - Confirm this change is backwards compatible with existing workflows.
--- a/.github/update-release-branch.py
+++ b/.github/update-release-branch.py
@@ -371,10 +371,10 @@ def main():
      # releases.
      run_git('revert', vOlder_update_commits[0], '--no-edit')

-      # Also revert the "Update checked-in dependencies" commit created by Actions.
-      update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0]
-      print(f'  Reverting {update_dependencies_commit}')
-      run_git('revert', update_dependencies_commit, '--no-edit')
+      # Also revert the "Rebuild" commit created by Actions.
+      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
+      print(f'  Reverting {rebuild_commit}')
+      run_git('revert', rebuild_commit, '--no-edit')

    else:
      print('  Nothing to revert.')
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -70,6 +80,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/bundle-from-toolcache.yml
+++ b/.github/workflows/bundle-from-toolcache.yml
@@ -3,7 +3,7 @@
 #     pr-checks/sync.sh
 # to regenerate this file.

-name: 'PR Check - Upload-sarif: code quality endpoint'
+name: 'PR Check - Bundle: From toolcache'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
@@ -21,19 +21,9 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+    inputs: {}
  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
+    inputs: {}
 defaults:
  run:
    shell: bash
@@ -41,14 +31,14 @@ concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  upload-quality-sarif:
+  bundle-from-toolcache:
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            version: default
-    name: 'Upload-sarif: code quality endpoint'
+            version: toolcache
+    name: 'Bundle: From toolcache'
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
      contents: read
@@ -65,31 +55,31 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
+      - name: Install @actions/tool-cache
+        run: npm install @actions/tool-cache
+      - name: Check toolcache contains CodeQL
+        continue-on-error: true
+        uses: actions/github-script@v8
        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
+          script: |
+            const toolcache = require('@actions/tool-cache');
+            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+            if (allCodeqlVersions.length === 0) {
+              throw new Error(`CodeQL could not be found in the toolcache`);
+            }
+      - id: setup-codeql
+        uses: ./../action/setup-codeql
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: csharp,java,javascript,python
-          analysis-kinds: code-quality
-      - name: Build code
-        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
-      - uses: ./../action/analyze
+      - name: Check CodeQL is installed within the toolcache
+        uses: actions/github-script@v8
        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-          upload: never
-      - uses: ./../action/upload-sarif
-        id: upload-sarif
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-      - name: Check output from `upload-sarif` step
-        if: '!(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)'
-        run: exit 1
+          script: |
+            const toolcache = require('@actions/tool-cache');
+            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+            console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
+            if (allCodeqlVersions.length === 0) {
+              throw new Error('CodeQL not found in toolcache');
+            }
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__local-bundle.yml
+++ b/.github/workflows/__local-bundle.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -70,6 +80,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Fetch latest CodeQL bundle
        run: |
          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -104,6 +114,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -81,6 +91,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -72,6 +82,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -56,7 +56,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+        uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -72,6 +82,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - uses: ./../action/init
        id: init
        with:
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -70,6 +80,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/__upload-sarif.yml
+++ b/.github/workflows/__upload-sarif.yml
@@ -0,0 +1,173 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Test different uses of `upload-sarif`
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ github.workflow }}-${{ github.ref }}
+jobs:
+  upload-sarif:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-scanning
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-quality
+          - os: ubuntu-latest
+            version: default
+            analysis-kinds: code-scanning,code-quality
+    name: Test different uses of `upload-sarif`
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v5
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          languages: csharp,java,javascript,python
+          analysis-kinds: ${{ matrix.analysis-kinds }}
+      - name: Build code
+        run: ./build.sh
+  # Generate some SARIF we can upload with the upload-sarif step
+      - uses: ./../action/analyze
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          upload: never
+          output: ${{ runner.temp }}/results
+
+      - name: |
+          Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}`
+        uses: ./../action/upload-sarif
+        id: upload-sarif
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          sarif_file: ${{ runner.temp }}/results
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
+      - name: Fail for missing output from `upload-sarif` step for `code-scanning`
+        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
+        run: exit 1
+      - name: Fail for missing output from `upload-sarif` step for `code-quality`
+        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
+        run: exit 1
+
+      - name: Upload single SARIF file for Code Scanning
+        uses: ./../action/upload-sarif
+        id: upload-single-sarif-code-scanning
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          sarif_file: ${{ runner.temp }}/results/javascript.sarif
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
+      - name: Fail for missing output from `upload-single-sarif-code-scanning` step
+        if: contains(matrix.analysis-kinds, 'code-scanning') &&
+          !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
+        run: exit 1
+      - name: Upload single SARIF file for Code Quality
+        uses: ./../action/upload-sarif
+        id: upload-single-sarif-code-quality
+        if: contains(matrix.analysis-kinds, 'code-quality')
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
+      - name: Fail for missing output from `upload-single-sarif-code-quality` step
+        if: contains(matrix.analysis-kinds, 'code-quality') &&
+          !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
+        run: exit 1
+
+      - name: Change SARIF file extension
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json
+      - name: Upload single non-`.sarif` file
+        uses: ./../action/upload-sarif
+        id: upload-single-non-sarif
+        if: contains(matrix.analysis-kinds, 'code-scanning')
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
+          category: |
+            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
+      - name: Fail for missing output from `upload-single-non-sarif` step
+        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
+        run: exit 1
+    env:
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
  run:
    shell: bash
@@ -70,6 +80,11 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
      - name: Delete original checkout
        run: |
          # delete the original checkout so we don't accidentally use it.
@@ -103,29 +118,30 @@ jobs:

      - name: Verify SARIF after upload
        run: |
+          PAYLOAD_FILE="$RUNNER_TEMP/payload-code-scanning.json"
          EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
          EXPECTED_REF="v1.1.0"
          EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"

-          ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
-          ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
-          ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+          ACTUAL_COMMIT_OID="$(cat "$PAYLOAD_FILE" | jq -r .commit_oid)"
+          ACTUAL_REF="$(cat "$PAYLOAD_FILE" | jq -r .ref)"
+          ACTUAL_CHECKOUT_URI="$(cat "$PAYLOAD_FILE" | jq -r .checkout_uri)"

          if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
            echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
-            echo "$RUNNER_TEMP/payload.json"
+            echo "$PAYLOAD_FILE"
            exit 1
          fi

          if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
            echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
-            echo "$RUNNER_TEMP/payload.json"
+            echo "$PAYLOAD_FILE"
            exit 1
          fi

          if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
            echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
-            echo "$RUNNER_TEMP/payload.json"
+            echo "$PAYLOAD_FILE"
            exit 1
          fi
    env:
--- a/.github/workflows/codescanning-config-cli.yml
+++ b/.github/workflows/codescanning-config-cli.yml
@@ -58,7 +58,7 @@ jobs:
    - name: Set up Node.js
      uses: actions/setup-node@v5
      with:
-        node-version: '20'
+        node-version: 24
        cache: 'npm'

    - name: Install dependencies
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -146,6 +146,7 @@ jobs:
          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

      - name: Create the GitHub release
+        if: steps.check.outputs.exists != 'true'
        env:
          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
          VERSION: "${{ steps.getVersion.outputs.version }}"
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -20,6 +20,7 @@ jobs:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
+        node-version: [20, 24]
    permissions:
      contents: read
      security-events: write # needed to upload ESLint results
@@ -36,7 +37,7 @@ jobs:
      - name: Set up Node.js
        uses: actions/setup-node@v5
        with:
-          node-version: '20.x'
+          node-version: ${{ matrix.node-version }}
          cache: 'npm'

      - name: Set up Python
@@ -72,8 +73,8 @@ jobs:
        run: npm run lint-ci

      - name: Upload sarif
-        uses: github/codeql-action/upload-sarif@v3
-        if: matrix.os == 'ubuntu-latest'
+        uses: github/codeql-action/upload-sarif@v4
+        if: matrix.os == 'ubuntu-latest' && matrix.node-version == 24
        with:
          sarif_file: eslint.sarif
          category: eslint
--- a/.github/workflows/query-filters.yml
+++ b/.github/workflows/query-filters.yml
@@ -34,7 +34,7 @@ jobs:
    - name: Install Node.js
      uses: actions/setup-node@v5
      with:
-        node-version: 20.x
+        node-version: 24
        cache: npm

    - name: Install dependencies
--- a/.github/workflows/update-bundle.yml
+++ b/.github/workflows/update-bundle.yml
@@ -43,7 +43,7 @@ jobs:
      - name: Set up Node.js
        uses: actions/setup-node@v5
        with:
-          node-version: '20.x'
+          node-version: 24
          cache: 'npm'

      - name: Install dependencies
--- a/.github/workflows/update-proxy-release.yml
+++ b/.github/workflows/update-proxy-release.yml
@@ -1,99 +0,0 @@
-name: Update dependency proxy release assets
-on:
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "The tag of CodeQL Bundle release that contains the proxy binaries as release assets"
-        type: string
-        required: true
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  update:
-    name: Update code and create PR
-    timeout-minutes: 15
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write # needed to push the updated files
-      pull-requests: write # needed to create the PR
-    env:
-      RELEASE_TAG: ${{ inputs.tag }}
-    steps:
-      - name: Check release tag format
-        id: checks
-        run: |
-          if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format."
-            exit 1
-          fi
-
-          echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT
-
-      - name: Check that the release exists
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-        run: |
-          (gh release view --repo "$GITHUB_REPOSITORY" --json "assets" "$RELEASE_TAG" && echo "Release found.") || exit 1
-
-      - name: Install Node
-        uses: actions/setup-node@v5
-
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 0  # ensure we have all tags and can push commits
-          ref: main
-
-      - name: Update git config
-        run: |
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
-
-      - name: Update release tag and version
-        run: |
-          NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
-          sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts
-          sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts
-
-      - name: Compile TypeScript and commit changes
-        env:
-          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
-        run: |
-          set -exu
-          git checkout -b "$TARGET_BRANCH"
-
-          npm run build
-          git add ./src/start-proxy-action.ts
-          git add ./lib
-          git commit -m "Update release used by \`start-proxy\` action"
-
-      - name: Push changes and open PR
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
-          PR_FLAG: ${{ (github.event_name == 'workflow_dispatch' && '--draft') || '--dry-run' }}
-        run: |
-          set -exu
-          pr_title="Update release used by \`start-proxy\` to \`$RELEASE_TAG\`"
-          pr_body=$(cat << EOF
-            This PR updates the \`start-proxy\` action to use the private registry proxy binaries that
-            are attached as release assets to the \`$RELEASE_TAG\` release.
-
-
-            Please do the following before merging:
-
-            - [ ] Verify that the changes to the code are correct.
-            - [ ] Mark the PR as ready for review to trigger the CI.
-          EOF
-          )
-
-          git push origin "$TARGET_BRANCH"
-          gh pr create \
-            --head "$TARGET_BRANCH" \
-            --base "main" \
-            --title "${pr_title}" \
-            --body "${pr_body}" \
-            $PR_FLAG
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,8 +4,21 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

+- Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
+- Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
+
+## 4.30.8 - 10 Oct 2025
+
 No user facing changes.

+## 4.30.7 - 06 Oct 2025
+
+- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
+
+## 3.30.6 - 02 Oct 2025
+
+- Update default CodeQL bundle version to 2.23.2. [#3168](https://github.com/github/codeql-action/pull/3168)
+
 ## 3.30.5 - 26 Sep 2025

 - We fixed a bug that was introduced in `3.30.4` with `upload-sarif` which resulted in files without a `.sarif` extension not getting uploaded. [#3160](https://github.com/github/codeql-action/pull/3160)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -13,7 +13,7 @@ Please note that this project is released with a [Contributor Code of Conduct][c

 ## Development and Testing

-Before you start, ensure that you have a recent version of node (16 or higher) installed, along with a recent version of npm (9.2 or higher). You can see which version of node is used by the action in `init/action.yml`.
+Before you start, ensure that you have a recent version of node (24 or higher) installed, along with a recent version of npm (9.2 or higher). You can see which version of node is used by the action in `init/action.yml`.

 ### Common tasks

--- a/README.md
+++ b/README.md
@@ -34,6 +34,7 @@ Actions with special purposes and unlikely to be used directly:
 - `autobuild`: Attempts to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead. For information about input parameters, see the [autobuild action definition](https://github.com/github/codeql-action/blob/main/autobuild/action.yml).
 - `resolve-environment`: [Experimental] Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the [resolve-environment action definition](https://github.com/github/codeql-action/blob/main/resolve-environment/action.yml).
 - `start-proxy`: [Experimental] Start the HTTP proxy server. Internal use only and will change without notice. For information about input parameters, see the [start-proxy action definition](https://github.com/github/codeql-action/blob/main/start-proxy/action.yml).
+- `setup-codeql`: [Experimental] Similar to `init`, except it only installs the CodeQL CLI and does not initialize a database.

 ### Workflow Permissions

@@ -62,7 +63,8 @@ For compiled languages:

 The following versions of the CodeQL Action are currently supported:

- v3 (latest)
+- v4 (latest)
+- v3

 ## Supported versions of the CodeQL Bundle on GitHub Enterprise Server

--- a/analyze/action.yml
+++ b/analyze/action.yml
@@ -92,6 +92,6 @@ outputs:
  sarif-id:
    description: The ID of the uploaded SARIF file.
 runs:
-  using: node20
+  using: node24
  main: "../lib/analyze-action.js"
  post: "../lib/analyze-action-post.js"
--- a/autobuild/action.yml
+++ b/autobuild/action.yml
@@ -15,5 +15,5 @@ inputs:
      $GITHUB_WORKSPACE as its working directory.
    required: false
 runs:
-  using: node20
+  using: node24
  main: '../lib/autobuild-action.js'
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -146,6 +146,12 @@ export default [
      "@typescript-eslint/prefer-regexp-exec": "off",
      "@typescript-eslint/require-await": "off",
      "@typescript-eslint/restrict-template-expressions": "off",
+      "@typescript-eslint/no-unused-vars": [
+        "error",
+        {
+          "argsIgnorePattern": "^_",
+        }
+      ],
      "func-style": "off",
    },
  },
--- a/init/action.yml
+++ b/init/action.yml
@@ -165,6 +165,6 @@ outputs:
  codeql-version:
    description: The version of the CodeQL binary used for analysis
 runs:
-  using: node20
+  using: node24
  main: '../lib/init-action.js'
  post: '../lib/init-action-post.js'
--- a/json-schemas.mjs
+++ b/json-schemas.mjs
@@ -0,0 +1,29 @@
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { globSync } from "glob";
+import { compileFromFile } from 'json-schema-to-typescript';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+const SRC_DIR = path.join(__dirname, "schemas");
+const OUT_DIR = path.join(__dirname, "src");
+
+async function generateTypings() {
+  const schemas = globSync(`${SRC_DIR}/*.json`);
+  for (const schema of schemas) {
+    const outPath = path.join(
+      OUT_DIR,
+      `${path.basename(schema, ".json")}.d.ts`,
+    );
+    const ts = await compileFromFile(schema, {
+      bannerComment:
+        "/* This file was automatically generated by `npm run generate:schemas`. Do not edit by hand. */",
+    });
+    fs.writeFileSync(outPath, ts, "utf-8");
+  }
+}
+
+await generateTypings();
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
--- a/lib/defaults.json
+++ b/lib/defaults.json
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.1",
-  "cliVersion": "2.23.1",
-  "priorBundleVersion": "codeql-bundle-v2.23.0",
-  "priorCliVersion": "2.23.0"
+  "bundleVersion": "codeql-bundle-v2.23.3",
+  "cliVersion": "2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorCliVersion": "2.23.2"
 }
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
--- a/lib/init-action.js
+++ b/lib/init-action.js
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "3.30.6",
+  "version": "4.30.9",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "3.30.6",
+      "version": "4.30.9",
      "license": "MIT",
      "dependencies": {
        "@actions/artifact": "^2.3.1",
@@ -20,6 +20,7 @@
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.2",
        "@octokit/plugin-retry": "^6.0.0",
+        "@octokit/request-error": "^7.0.1",
        "@schemastore/package": "0.0.10",
        "archiver": "^7.0.1",
        "check-disk-space": "^3.4.0",
@@ -33,14 +34,14 @@
        "long": "^5.3.2",
        "node-forge": "^1.3.1",
        "octokit": "^5.0.3",
-        "semver": "^7.7.2",
+        "semver": "^7.7.3",
        "uuid": "^13.0.0"
      },
      "devDependencies": {
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.0",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^9.37.0",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^15.0.0",
        "@types/archiver": "^6.0.3",
@@ -51,7 +52,7 @@
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.44.1",
+        "@typescript-eslint/eslint-plugin": "^8.46.0",
        "@typescript-eslint/parser": "^8.41.0",
        "ava": "^6.4.1",
        "esbuild": "^0.25.10",
@@ -62,9 +63,10 @@
        "eslint-plugin-import": "2.29.1",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        "glob": "^11.0.3",
+        "json-schema-to-typescript": "^15.0.4",
        "nock": "^14.0.10",
        "sinon": "^21.0.0",
-        "typescript": "^5.9.2"
+        "typescript": "^5.9.3"
      }
    },
    "node_modules/@aashutoshrathi/word-wrap": {
@@ -428,6 +430,24 @@
        "semver": "^6.1.0"
      }
    },
+    "node_modules/@apidevtools/json-schema-ref-parser": {
+      "version": "11.9.3",
+      "resolved": "https://registry.npmjs.org/@apidevtools/json-schema-ref-parser/-/json-schema-ref-parser-11.9.3.tgz",
+      "integrity": "sha512-60vepv88RwcJtSHrD6MjIL6Ta3SOYbgfnkHb+ppAVK+o9mXprRtulx7VlRl3lN3bbvysAfCS7WMVfhUYemB0IQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jsdevtools/ono": "^7.1.3",
+        "@types/json-schema": "^7.0.15",
+        "js-yaml": "^4.1.0"
+      },
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/philsturgeon"
+      }
+    },
    "node_modules/@ava/typescript": {
      "version": "6.0.0",
      "resolved": "https://registry.npmjs.org/@ava/typescript/-/typescript-6.0.0.tgz",
@@ -1346,9 +1366,9 @@
      }
    },
    "node_modules/@eslint/js": {
-      "version": "9.36.0",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.36.0.tgz",
-      "integrity": "sha512-uhCbYtYynH30iZErszX78U+nR3pJU3RHGQ57NXy5QupD4SBVwDeU8TNBy+MjMngc1UyIW9noKqsRqfjQTBU2dw==",
+      "version": "9.37.0",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.37.0.tgz",
+      "integrity": "sha512-jaS+NJ+hximswBG6pjNX0uEJZkrT0zwpVi3BA3vX22aFGjJjmgSTSmPpZCRKmoBL5VY/M6p0xsSJx7rk7sy5gg==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -1524,6 +1544,13 @@
        "node": ">=18.0.0"
      }
    },
+    "node_modules/@jsdevtools/ono": {
+      "version": "7.1.3",
+      "resolved": "https://registry.npmjs.org/@jsdevtools/ono/-/ono-7.1.3.tgz",
+      "integrity": "sha512-4JQNk+3mVzK3xh2rqd6RB4J46qUR19azEHBneZyTZM+c456qOrbbM/5xcR8huNCCcbVt7+UmizG6GuUvPvKUYg==",
+      "dev": true,
+      "license": "MIT"
+    },
    "node_modules/@mapbox/node-pre-gyp": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/@mapbox/node-pre-gyp/-/node-pre-gyp-2.0.0.tgz",
@@ -2175,7 +2202,6 @@
      "version": "26.0.0",
      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-26.0.0.tgz",
      "integrity": "sha512-7AtcfKtpo77j7Ts73b4OWhOZHTKo/gGY8bB3bNBQz4H+GRSWqx2yvj8TXRsbdTE0eRmYmXOEY66jM7mJ7LzfsA==",
-      "dev": true,
      "license": "MIT"
    },
    "node_modules/@octokit/openapi-webhooks-types": {
@@ -2299,31 +2325,17 @@
      }
    },
    "node_modules/@octokit/request-error": {
-      "version": "7.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-7.0.0.tgz",
-      "integrity": "sha512-KRA7VTGdVyJlh0cP5Tf94hTiYVVqmt2f3I6mnimmaVz4UG3gQV/k4mDJlJv3X67iX6rmN7gSHCF8ssqeMnmhZg==",
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-7.0.1.tgz",
+      "integrity": "sha512-CZpFwV4+1uBrxu7Cw8E5NCXDWFNf18MSY23TdxCBgjw1tXXHvTrZVsXlW8hgFTOLw8RQR1BBrMvYRtuyaijHMA==",
+      "license": "MIT",
      "dependencies": {
-        "@octokit/types": "^14.0.0"
+        "@octokit/types": "^15.0.0"
      },
      "engines": {
        "node": ">= 20"
      }
    },
-    "node_modules/@octokit/request-error/node_modules/@octokit/openapi-types": {
-      "version": "25.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-25.1.0.tgz",
-      "integrity": "sha512-idsIggNXUKkk0+BExUn1dQ92sfysJrje03Q0bv0e+KPLrvyqZF8MnBpFz8UNfYDwB3Ie7Z0TByjWfzxt7vseaA==",
-      "license": "MIT"
-    },
-    "node_modules/@octokit/request-error/node_modules/@octokit/types": {
-      "version": "14.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-14.1.0.tgz",
-      "integrity": "sha512-1y6DgTy8Jomcpu33N+p5w58l6xyt55Ar2I91RPiIA0xCJBXyUAhXCcmZaDWSANiha7R9a6qJJ2CRomGPZ6f46g==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/openapi-types": "^25.1.0"
-      }
-    },
    "node_modules/@octokit/request/node_modules/@octokit/openapi-types": {
      "version": "25.1.0",
      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-25.1.0.tgz",
@@ -2348,7 +2360,6 @@
      "version": "15.0.0",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-15.0.0.tgz",
      "integrity": "sha512-8o6yDfmoGJUIeR9OfYU0/TUJTnMPG2r68+1yEdUeG2Fdqpj8Qetg0ziKIgcBm0RW/j29H41WP37CYCEhp6GoHQ==",
-      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@octokit/openapi-types": "^26.0.0"
@@ -2659,6 +2670,13 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/@types/lodash": {
+      "version": "4.17.20",
+      "resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.17.20.tgz",
+      "integrity": "sha512-H3MHACvFUEiujabxhaI/ImO6gUrd8oOurg7LQtS7mbwIXA/cUqWrvBsaeJ23aZEPk1TAYkurjfMbSELfoCXlGA==",
+      "dev": true,
+      "license": "MIT"
+    },
    "node_modules/@types/node": {
      "version": "20.19.9",
      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.9.tgz",
@@ -2712,17 +2730,17 @@
      "license": "MIT"
    },
    "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.44.1.tgz",
-      "integrity": "sha512-molgphGqOBT7t4YKCSkbasmu1tb1MgrZ2szGzHbclF7PNmOkSTQVHy+2jXOSnxvR3+Xe1yySHFZoqMpz3TfQsw==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.46.0.tgz",
+      "integrity": "sha512-hA8gxBq4ukonVXPy0OKhiaUh/68D0E88GSmtC1iAEnGaieuDi38LhS7jdCHRLi6ErJBNDGCzvh5EnzdPwUc0DA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/regexpp": "^4.10.0",
-        "@typescript-eslint/scope-manager": "8.44.1",
-        "@typescript-eslint/type-utils": "8.44.1",
-        "@typescript-eslint/utils": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1",
+        "@typescript-eslint/scope-manager": "8.46.0",
+        "@typescript-eslint/type-utils": "8.46.0",
+        "@typescript-eslint/utils": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0",
        "graphemer": "^1.4.0",
        "ignore": "^7.0.0",
        "natural-compare": "^1.4.0",
@@ -2736,20 +2754,20 @@
        "url": "https://opencollective.com/typescript-eslint"
      },
      "peerDependencies": {
-        "@typescript-eslint/parser": "^8.44.1",
+        "@typescript-eslint/parser": "^8.46.0",
        "eslint": "^8.57.0 || ^9.0.0",
        "typescript": ">=4.8.4 <6.0.0"
      }
    },
    "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.44.1.tgz",
-      "integrity": "sha512-NdhWHgmynpSvyhchGLXh+w12OMT308Gm25JoRIyTZqEbApiBiQHD/8xgb6LqCWCFcxFtWwaVdFsLPQI3jvhywg==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.46.0.tgz",
+      "integrity": "sha512-lWETPa9XGcBes4jqAMYD9fW0j4n6hrPtTJwWDmtqgFO/4HF4jmdH/Q6wggTw5qIT5TXjKzbt7GsZUBnWoO3dqw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1"
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2760,9 +2778,9 @@
      }
    },
    "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/types": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.1.tgz",
-      "integrity": "sha512-Lk7uj7y9uQUOEguiDIDLYLJOrYHQa7oBiURYVFqIpGxclAFQ78f6VUOM8lI2XEuNOKNB7XuvM2+2cMXAoq4ALQ==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.0.tgz",
+      "integrity": "sha512-bHGGJyVjSE4dJJIO5yyEWt/cHyNwga/zXGJbJJ8TiO01aVREK6gCTu3L+5wrkb1FbDkQ+TKjMNe9R/QQQP9+rA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2774,16 +2792,16 @@
      }
    },
    "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.44.1.tgz",
-      "integrity": "sha512-qnQJ+mVa7szevdEyvfItbO5Vo+GfZ4/GZWWDRRLjrxYPkhM+6zYB2vRYwCsoJLzqFCdZT4mEqyJoyzkunsZ96A==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.0.tgz",
+      "integrity": "sha512-ekDCUfVpAKWJbRfm8T1YRrCot1KFxZn21oV76v5Fj4tr7ELyk84OS+ouvYdcDAwZL89WpEkEj2DKQ+qg//+ucg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.44.1",
-        "@typescript-eslint/tsconfig-utils": "8.44.1",
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1",
+        "@typescript-eslint/project-service": "8.46.0",
+        "@typescript-eslint/tsconfig-utils": "8.46.0",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0",
        "debug": "^4.3.4",
        "fast-glob": "^3.3.2",
        "is-glob": "^4.0.3",
@@ -2803,16 +2821,16 @@
      }
    },
    "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/utils": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.44.1.tgz",
-      "integrity": "sha512-DpX5Fp6edTlocMCwA+mHY8Mra+pPjRZ0TfHkXI8QFelIKcbADQz1LUPNtzOFUriBB2UYqw4Pi9+xV4w9ZczHFg==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.46.0.tgz",
+      "integrity": "sha512-nD6yGWPj1xiOm4Gk0k6hLSZz2XkNXhuYmyIrOWcHoPuAhjT9i5bAG+xbWPgFeNR8HPHHtpNKdYUXJl/D3x7f5g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.7.0",
-        "@typescript-eslint/scope-manager": "8.44.1",
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/typescript-estree": "8.44.1"
+        "@typescript-eslint/scope-manager": "8.46.0",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/typescript-estree": "8.46.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2827,13 +2845,13 @@
      }
    },
    "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.44.1.tgz",
-      "integrity": "sha512-576+u0QD+Jp3tZzvfRfxon0EA2lzcDt3lhUbsC6Lgzy9x2VR4E+JUiNyGHi5T8vk0TV+fpJ5GLG1JsJuWCaKhw==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.46.0.tgz",
+      "integrity": "sha512-FrvMpAK+hTbFy7vH5j1+tMYHMSKLE6RzluFJlkFNKD0p9YsUT75JlBSmr5so3QRzvMwU5/bIEdeNrxm8du8l3Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
+        "@typescript-eslint/types": "8.46.0",
        "eslint-visitor-keys": "^4.2.1"
      },
      "engines": {
@@ -2906,16 +2924,16 @@
      }
    },
    "node_modules/@typescript-eslint/parser": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.44.1.tgz",
-      "integrity": "sha512-EHrrEsyhOhxYt8MTg4zTF+DJMuNBzWwgvvOYNj/zm1vnaD/IC5zCXFehZv94Piqa2cRFfXrTFxIvO95L7Qc/cw==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.46.0.tgz",
+      "integrity": "sha512-n1H6IcDhmmUEG7TNVSspGmiHHutt7iVKtZwRppD7e04wha5MrkV1h3pti9xQLcCMt6YWsncpoT0HMjkH1FNwWQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/scope-manager": "8.44.1",
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/typescript-estree": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1",
+        "@typescript-eslint/scope-manager": "8.46.0",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/typescript-estree": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0",
        "debug": "^4.3.4"
      },
      "engines": {
@@ -2931,14 +2949,14 @@
      }
    },
    "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.44.1.tgz",
-      "integrity": "sha512-NdhWHgmynpSvyhchGLXh+w12OMT308Gm25JoRIyTZqEbApiBiQHD/8xgb6LqCWCFcxFtWwaVdFsLPQI3jvhywg==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.46.0.tgz",
+      "integrity": "sha512-lWETPa9XGcBes4jqAMYD9fW0j4n6hrPtTJwWDmtqgFO/4HF4jmdH/Q6wggTw5qIT5TXjKzbt7GsZUBnWoO3dqw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1"
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2949,9 +2967,9 @@
      }
    },
    "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/types": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.1.tgz",
-      "integrity": "sha512-Lk7uj7y9uQUOEguiDIDLYLJOrYHQa7oBiURYVFqIpGxclAFQ78f6VUOM8lI2XEuNOKNB7XuvM2+2cMXAoq4ALQ==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.0.tgz",
+      "integrity": "sha512-bHGGJyVjSE4dJJIO5yyEWt/cHyNwga/zXGJbJJ8TiO01aVREK6gCTu3L+5wrkb1FbDkQ+TKjMNe9R/QQQP9+rA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -2963,16 +2981,16 @@
      }
    },
    "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.44.1.tgz",
-      "integrity": "sha512-qnQJ+mVa7szevdEyvfItbO5Vo+GfZ4/GZWWDRRLjrxYPkhM+6zYB2vRYwCsoJLzqFCdZT4mEqyJoyzkunsZ96A==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.0.tgz",
+      "integrity": "sha512-ekDCUfVpAKWJbRfm8T1YRrCot1KFxZn21oV76v5Fj4tr7ELyk84OS+ouvYdcDAwZL89WpEkEj2DKQ+qg//+ucg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.44.1",
-        "@typescript-eslint/tsconfig-utils": "8.44.1",
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1",
+        "@typescript-eslint/project-service": "8.46.0",
+        "@typescript-eslint/tsconfig-utils": "8.46.0",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0",
        "debug": "^4.3.4",
        "fast-glob": "^3.3.2",
        "is-glob": "^4.0.3",
@@ -2992,13 +3010,13 @@
      }
    },
    "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.44.1.tgz",
-      "integrity": "sha512-576+u0QD+Jp3tZzvfRfxon0EA2lzcDt3lhUbsC6Lgzy9x2VR4E+JUiNyGHi5T8vk0TV+fpJ5GLG1JsJuWCaKhw==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.46.0.tgz",
+      "integrity": "sha512-FrvMpAK+hTbFy7vH5j1+tMYHMSKLE6RzluFJlkFNKD0p9YsUT75JlBSmr5so3QRzvMwU5/bIEdeNrxm8du8l3Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
+        "@typescript-eslint/types": "8.46.0",
        "eslint-visitor-keys": "^4.2.1"
      },
      "engines": {
@@ -3062,14 +3080,14 @@
      }
    },
    "node_modules/@typescript-eslint/project-service": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.44.1.tgz",
-      "integrity": "sha512-ycSa60eGg8GWAkVsKV4E6Nz33h+HjTXbsDT4FILyL8Obk5/mx4tbvCNsLf9zret3ipSumAOG89UcCs/KRaKYrA==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.46.0.tgz",
+      "integrity": "sha512-OEhec0mH+U5Je2NZOeK1AbVCdm0ChyapAyTeXVIYTPXDJ3F07+cu87PPXcGoYqZ7M9YJVvFnfpGg1UmCIqM+QQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.44.1",
-        "@typescript-eslint/types": "^8.44.1",
+        "@typescript-eslint/tsconfig-utils": "^8.46.0",
+        "@typescript-eslint/types": "^8.46.0",
        "debug": "^4.3.4"
      },
      "engines": {
@@ -3084,9 +3102,9 @@
      }
    },
    "node_modules/@typescript-eslint/project-service/node_modules/@typescript-eslint/types": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.1.tgz",
-      "integrity": "sha512-Lk7uj7y9uQUOEguiDIDLYLJOrYHQa7oBiURYVFqIpGxclAFQ78f6VUOM8lI2XEuNOKNB7XuvM2+2cMXAoq4ALQ==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.0.tgz",
+      "integrity": "sha512-bHGGJyVjSE4dJJIO5yyEWt/cHyNwga/zXGJbJJ8TiO01aVREK6gCTu3L+5wrkb1FbDkQ+TKjMNe9R/QQQP9+rA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -3116,9 +3134,9 @@
      }
    },
    "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.44.1.tgz",
-      "integrity": "sha512-B5OyACouEjuIvof3o86lRMvyDsFwZm+4fBOqFHccIctYgBjqR3qT39FBYGN87khcgf0ExpdCBeGKpKRhSFTjKQ==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.46.0.tgz",
+      "integrity": "sha512-WrYXKGAHY836/N7zoK/kzi6p8tXFhasHh8ocFL9VZSAkvH956gfeRfcnhs3xzRy8qQ/dq3q44v1jvQieMFg2cw==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -3133,15 +3151,15 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.44.1.tgz",
-      "integrity": "sha512-KdEerZqHWXsRNKjF9NYswNISnFzXfXNDfPxoTh7tqohU/PRIbwTmsjGK6V9/RTYWau7NZvfo52lgVk+sJh0K3g==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.46.0.tgz",
+      "integrity": "sha512-hy+lvYV1lZpVs2jRaEYvgCblZxUoJiPyCemwbQZ+NGulWkQRy0HRPYAoef/CNSzaLt+MLvMptZsHXHlkEilaeg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/typescript-estree": "8.44.1",
-        "@typescript-eslint/utils": "8.44.1",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/typescript-estree": "8.46.0",
+        "@typescript-eslint/utils": "8.46.0",
        "debug": "^4.3.4",
        "ts-api-utils": "^2.1.0"
      },
@@ -3158,14 +3176,14 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.44.1.tgz",
-      "integrity": "sha512-NdhWHgmynpSvyhchGLXh+w12OMT308Gm25JoRIyTZqEbApiBiQHD/8xgb6LqCWCFcxFtWwaVdFsLPQI3jvhywg==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.46.0.tgz",
+      "integrity": "sha512-lWETPa9XGcBes4jqAMYD9fW0j4n6hrPtTJwWDmtqgFO/4HF4jmdH/Q6wggTw5qIT5TXjKzbt7GsZUBnWoO3dqw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1"
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -3176,9 +3194,9 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/types": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.1.tgz",
-      "integrity": "sha512-Lk7uj7y9uQUOEguiDIDLYLJOrYHQa7oBiURYVFqIpGxclAFQ78f6VUOM8lI2XEuNOKNB7XuvM2+2cMXAoq4ALQ==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.0.tgz",
+      "integrity": "sha512-bHGGJyVjSE4dJJIO5yyEWt/cHyNwga/zXGJbJJ8TiO01aVREK6gCTu3L+5wrkb1FbDkQ+TKjMNe9R/QQQP9+rA==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -3190,16 +3208,16 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.44.1.tgz",
-      "integrity": "sha512-qnQJ+mVa7szevdEyvfItbO5Vo+GfZ4/GZWWDRRLjrxYPkhM+6zYB2vRYwCsoJLzqFCdZT4mEqyJoyzkunsZ96A==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.0.tgz",
+      "integrity": "sha512-ekDCUfVpAKWJbRfm8T1YRrCot1KFxZn21oV76v5Fj4tr7ELyk84OS+ouvYdcDAwZL89WpEkEj2DKQ+qg//+ucg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/project-service": "8.44.1",
-        "@typescript-eslint/tsconfig-utils": "8.44.1",
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/visitor-keys": "8.44.1",
+        "@typescript-eslint/project-service": "8.46.0",
+        "@typescript-eslint/tsconfig-utils": "8.46.0",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/visitor-keys": "8.46.0",
        "debug": "^4.3.4",
        "fast-glob": "^3.3.2",
        "is-glob": "^4.0.3",
@@ -3219,16 +3237,16 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/utils": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.44.1.tgz",
-      "integrity": "sha512-DpX5Fp6edTlocMCwA+mHY8Mra+pPjRZ0TfHkXI8QFelIKcbADQz1LUPNtzOFUriBB2UYqw4Pi9+xV4w9ZczHFg==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.46.0.tgz",
+      "integrity": "sha512-nD6yGWPj1xiOm4Gk0k6hLSZz2XkNXhuYmyIrOWcHoPuAhjT9i5bAG+xbWPgFeNR8HPHHtpNKdYUXJl/D3x7f5g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.7.0",
-        "@typescript-eslint/scope-manager": "8.44.1",
-        "@typescript-eslint/types": "8.44.1",
-        "@typescript-eslint/typescript-estree": "8.44.1"
+        "@typescript-eslint/scope-manager": "8.46.0",
+        "@typescript-eslint/types": "8.46.0",
+        "@typescript-eslint/typescript-estree": "8.46.0"
      },
      "engines": {
        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -3243,13 +3261,13 @@
      }
    },
    "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.44.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.44.1.tgz",
-      "integrity": "sha512-576+u0QD+Jp3tZzvfRfxon0EA2lzcDt3lhUbsC6Lgzy9x2VR4E+JUiNyGHi5T8vk0TV+fpJ5GLG1JsJuWCaKhw==",
+      "version": "8.46.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.46.0.tgz",
+      "integrity": "sha512-FrvMpAK+hTbFy7vH5j1+tMYHMSKLE6RzluFJlkFNKD0p9YsUT75JlBSmr5so3QRzvMwU5/bIEdeNrxm8du8l3Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@typescript-eslint/types": "8.44.1",
+        "@typescript-eslint/types": "8.46.0",
        "eslint-visitor-keys": "^4.2.1"
      },
      "engines": {
@@ -6967,6 +6985,30 @@
        "node": ">=0.1.90"
      }
    },
+    "node_modules/json-schema-to-typescript": {
+      "version": "15.0.4",
+      "resolved": "https://registry.npmjs.org/json-schema-to-typescript/-/json-schema-to-typescript-15.0.4.tgz",
+      "integrity": "sha512-Su9oK8DR4xCmDsLlyvadkXzX6+GGXJpbhwoLtOGArAG61dvbW4YQmSEno2y66ahpIdmLMg6YUf/QHLgiwvkrHQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@apidevtools/json-schema-ref-parser": "^11.5.5",
+        "@types/json-schema": "^7.0.15",
+        "@types/lodash": "^4.17.7",
+        "is-glob": "^4.0.3",
+        "js-yaml": "^4.1.0",
+        "lodash": "^4.17.21",
+        "minimist": "^1.2.8",
+        "prettier": "^3.2.5",
+        "tinyglobby": "^0.2.9"
+      },
+      "bin": {
+        "json2ts": "dist/src/cli.js"
+      },
+      "engines": {
+        "node": ">=16.0.0"
+      }
+    },
    "node_modules/json-schema-traverse": {
      "version": "0.4.1",
      "dev": true,
@@ -8225,9 +8267,10 @@
      "license": "ISC"
    },
    "node_modules/semver": {
-      "version": "7.7.2",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz",
-      "integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==",
+      "version": "7.7.3",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.3.tgz",
+      "integrity": "sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==",
+      "license": "ISC",
      "bin": {
        "semver": "bin/semver.js"
      },
@@ -9043,9 +9086,9 @@
      }
    },
    "node_modules/typescript": {
-      "version": "5.9.2",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.2.tgz",
-      "integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
+      "version": "5.9.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
+      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
      "dev": true,
      "license": "Apache-2.0",
      "bin": {
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "3.30.6",
+  "version": "4.30.9",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -12,7 +12,8 @@
    "ava": "npm run transpile && ava --serial --verbose",
    "test": "npm run ava -- src/",
    "test-debug": "npm run test -- --timeout=20m",
-    "transpile": "tsc --build --verbose"
+    "transpile": "npm run generate:schemas && tsc --build --verbose",
+    "generate:schemas": "node json-schemas.mjs"
  },
  "ava": {
    "typescript": {
@@ -35,6 +36,7 @@
    "@actions/io": "^1.1.3",
    "@actions/tool-cache": "^2.0.2",
    "@octokit/plugin-retry": "^6.0.0",
+    "@octokit/request-error": "^7.0.1",
    "@schemastore/package": "0.0.10",
    "archiver": "^7.0.1",
    "check-disk-space": "^3.4.0",
@@ -48,14 +50,14 @@
    "long": "^5.3.2",
    "node-forge": "^1.3.1",
    "octokit": "^5.0.3",
-    "semver": "^7.7.2",
+    "semver": "^7.7.3",
    "uuid": "^13.0.0"
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
    "@eslint/compat": "^1.4.0",
    "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.36.0",
+    "@eslint/js": "^9.37.0",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^15.0.0",
    "@types/archiver": "^6.0.3",
@@ -66,7 +68,7 @@
    "@types/node-forge": "^1.3.14",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.44.1",
+    "@typescript-eslint/eslint-plugin": "^8.46.0",
    "@typescript-eslint/parser": "^8.41.0",
    "ava": "^6.4.1",
    "esbuild": "^0.25.10",
@@ -77,9 +79,10 @@
    "eslint-plugin-import": "2.29.1",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.0.3",
+    "json-schema-to-typescript": "^15.0.4",
    "nock": "^14.0.10",
    "sinon": "^21.0.0",
-    "typescript": "^5.9.2"
+    "typescript": "^5.9.3"
  },
  "overrides": {
    "@actions/tool-cache": {
--- a/pr-checks/checks/analyze-ref-input.yml
+++ b/pr-checks/checks/analyze-ref-input.yml
@@ -2,6 +2,7 @@ name: "Analyze: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
+installPython: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/bundle-from-toolcache.yml
+++ b/pr-checks/checks/bundle-from-toolcache.yml
@@ -0,0 +1,31 @@
+name: "Bundle: From toolcache"
+description: "The CodeQL bundle should be cached within the toolcache"
+versions:
+  - toolcache
+steps:
+  - name: Install @actions/tool-cache
+    run: npm install @actions/tool-cache
+  - name: Check toolcache contains CodeQL
+    continue-on-error: true
+    uses: actions/github-script@v8
+    with:
+      script: |
+        const toolcache = require('@actions/tool-cache');
+        const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+        if (allCodeqlVersions.length === 0) {
+          throw new Error(`CodeQL could not be found in the toolcache`);
+        }
+  - id: setup-codeql
+    uses: ./../action/setup-codeql
+    with:
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - name: Check CodeQL is installed within the toolcache
+    uses: actions/github-script@v8
+    with:
+      script: |
+        const toolcache = require('@actions/tool-cache');
+        const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+        console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
+        if (allCodeqlVersions.length === 0) {
+          throw new Error('CodeQL not found in toolcache');
+        }
--- a/pr-checks/checks/local-bundle.yml
+++ b/pr-checks/checks/local-bundle.yml
@@ -2,6 +2,7 @@ name: "Local CodeQL bundle"
 description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["linked"]
 installGo: true
+installPython: true
 steps:
  - name: Fetch latest CodeQL bundle
    run: |
--- a/pr-checks/checks/multi-language-autodetect.yml
+++ b/pr-checks/checks/multi-language-autodetect.yml
@@ -4,6 +4,7 @@ operatingSystems: ["macos", "ubuntu"]
 env:
  CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
+installPython: true
 steps:
  - name: Use Xcode 16
    if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
--- a/pr-checks/checks/packaging-codescanning-config-inputs-js.yml
+++ b/pr-checks/checks/packaging-codescanning-config-inputs-js.yml
@@ -3,6 +3,7 @@ description: "Checks that specifying packages using a combination of a config fi
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
+installPython: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/remote-config.yml
+++ b/pr-checks/checks/remote-config.yml
@@ -6,6 +6,7 @@ versions:
  - linked
  - nightly-latest
 installGo: true
+installPython: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/rubocop-multi-language.yml
+++ b/pr-checks/checks/rubocop-multi-language.yml
@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
+    uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
--- a/pr-checks/checks/unset-environment.yml
+++ b/pr-checks/checks/unset-environment.yml
@@ -6,6 +6,7 @@ versions:
  - linked
  - nightly-latest
 installGo: true
+installPython: true
 steps:
  - uses: ./../action/init
    id: init
--- a/pr-checks/checks/upload-quality-sarif.yml
+++ b/pr-checks/checks/upload-quality-sarif.yml
@@ -1,26 +0,0 @@
-name: "Upload-sarif: code quality endpoint"
-description: "Checks that uploading SARIFs to the code quality endpoint works"
-versions: ["default"]
-installGo: true
-steps:
-  - uses: ./../action/init
-    with:
-      tools: ${{ steps.prepare-test.outputs.tools-url }}
-      languages: csharp,java,javascript,python
-      analysis-kinds: code-quality
-  - name: Build code
-    run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
-  - uses: ./../action/analyze
-    with:
-      ref: 'refs/heads/main'
-      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
-      upload: never
-  - uses: ./../action/upload-sarif
-    id: upload-sarif
-    with:
-      ref: 'refs/heads/main'
-      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
-  - name: "Check output from `upload-sarif` step"
-    if: '!(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)'
-    run: exit 1
--- a/pr-checks/checks/upload-ref-sha-input.yml
+++ b/pr-checks/checks/upload-ref-sha-input.yml
@@ -2,6 +2,7 @@ name: "Upload-sarif: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
+installPython: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/upload-sarif.yml
+++ b/pr-checks/checks/upload-sarif.yml
@@ -0,0 +1,82 @@
+name: "Test different uses of `upload-sarif`"
+description: "Checks that uploading SARIFs to the code quality endpoint works"
+versions: ["default"]
+analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
+installGo: true
+installPython: true
+steps:
+  - uses: ./../action/init
+    with:
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+      languages: csharp,java,javascript,python
+      analysis-kinds: ${{ matrix.analysis-kinds }}
+  - name: Build code
+    run: ./build.sh
+  # Generate some SARIF we can upload with the upload-sarif step
+  - uses: ./../action/analyze
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      upload: never
+      output: ${{ runner.temp }}/results
+
+  - name: |
+      Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}`
+    uses: ./../action/upload-sarif
+    id: upload-sarif
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      sarif_file: ${{ runner.temp }}/results
+      category: |
+        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
+  - name: "Fail for missing output from `upload-sarif` step for `code-scanning`"
+    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)"
+    run: exit 1
+  - name: "Fail for missing output from `upload-sarif` step for `code-quality`"
+    if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)"
+    run: exit 1
+
+  - name: Upload single SARIF file for Code Scanning
+    uses: ./../action/upload-sarif
+    id: upload-single-sarif-code-scanning
+    if: "contains(matrix.analysis-kinds, 'code-scanning')"
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      sarif_file: ${{ runner.temp }}/results/javascript.sarif
+      category: |
+        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
+  - name: "Fail for missing output from `upload-single-sarif-code-scanning` step"
+    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)"
+    run: exit 1
+  - name: Upload single SARIF file for Code Quality
+    uses: ./../action/upload-sarif
+    id: upload-single-sarif-code-quality
+    if: "contains(matrix.analysis-kinds, 'code-quality')"
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
+      category: |
+        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
+  - name: "Fail for missing output from `upload-single-sarif-code-quality` step"
+    if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)"
+    run: exit 1
+
+  - name: Change SARIF file extension
+    if: "contains(matrix.analysis-kinds, 'code-scanning')"
+    run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json
+  - name: Upload single non-`.sarif` file
+    uses: ./../action/upload-sarif
+    id: upload-single-non-sarif
+    if: "contains(matrix.analysis-kinds, 'code-scanning')"
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
+      category: |
+        ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
+  - name: "Fail for missing output from `upload-single-non-sarif` step"
+    if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)"
+    run: exit 1
--- a/pr-checks/checks/with-checkout-path.yml
+++ b/pr-checks/checks/with-checkout-path.yml
@@ -2,6 +2,7 @@ name: "Use a custom `checkout_path`"
 description: "Checks that a custom `checkout_path` will find the proper commit_oid"
 versions: ["linked"]
 installGo: true
+installPython: true
 steps:
  # This ensures we don't accidentally use the original checkout for any part of the test.
  - name: Delete original checkout
@@ -37,28 +38,29 @@ steps:

  - name: Verify SARIF after upload
    run: |
+      PAYLOAD_FILE="$RUNNER_TEMP/payload-code-scanning.json"
      EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
      EXPECTED_REF="v1.1.0"
      EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"

-      ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
-      ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
-      ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+      ACTUAL_COMMIT_OID="$(cat "$PAYLOAD_FILE" | jq -r .commit_oid)"
+      ACTUAL_REF="$(cat "$PAYLOAD_FILE" | jq -r .ref)"
+      ACTUAL_CHECKOUT_URI="$(cat "$PAYLOAD_FILE" | jq -r .checkout_uri)"

      if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
        echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
-        echo "$RUNNER_TEMP/payload.json"
+        echo "$PAYLOAD_FILE"
        exit 1
      fi

      if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
        echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
-        echo "$RUNNER_TEMP/payload.json"
+        echo "$PAYLOAD_FILE"
        exit 1
      fi

      if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
        echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
-        echo "$RUNNER_TEMP/payload.json"
+        echo "$PAYLOAD_FILE"
        exit 1
      fi
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -184,6 +184,26 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
            }
        })

+    installPython = is_truthy(checkSpecification.get('installPython', ''))
+
+    if installPython:
+        basePythonVersionExpr = '3.13'
+        workflowInputs['python-version'] = {
+            'type': 'string',
+            'description': 'The version of Python to install',
+            'required': False,
+            'default': basePythonVersionExpr,
+        }
+
+        steps.append({
+            'name': 'Install Python',
+            'if': 'matrix.version != \'nightly-latest\'',
+            'uses': 'actions/setup-python@v6',
+            'with': {
+                'python-version': '${{ inputs.python-version || \'' + basePythonVersionExpr + '\' }}'
+            }
+        })
+
    # If container initialisation steps are present in the check specification,
    # make sure to execute them first.
    if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:
--- a/resolve-environment/action.yml
+++ b/resolve-environment/action.yml
@@ -21,5 +21,5 @@ outputs:
  environment:
    description: The inferred build environment configuration.
 runs:
-  using: node20
+  using: node24
  main: '../lib/resolve-environment-action.js'
--- a/schemas/db-config-schema.json
+++ b/schemas/db-config-schema.json
@@ -0,0 +1,145 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "UserConfig",
+  "description": "Format of the config file supplied by the user for CodeQL analysis",
+  "type": "object",
+  "properties": {
+    "name": {
+      "type": "string",
+      "description": "Name of the configuration"
+    },
+    "disable-default-queries": {
+      "type": "boolean",
+      "description": "Whether to disable default queries"
+    },
+    "queries": {
+      "type": "array",
+      "description": "List of additional queries to run",
+      "items": {
+        "$ref": "#/definitions/QuerySpec"
+      }
+    },
+    "paths-ignore": {
+      "type": "array",
+      "description": "Paths to ignore during analysis",
+      "items": {
+        "type": "string"
+      }
+    },
+    "paths": {
+      "type": "array",
+      "description": "Paths to include in analysis",
+      "items": {
+        "type": "string"
+      }
+    },
+    "packs": {
+      "description": "Query packs to include. Can be a simple array for single-language analysis or an object with language-specific arrays for multi-language analysis",
+      "oneOf": [
+        {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        {
+          "type": "object",
+          "additionalProperties": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          }
+        }
+      ]
+    },
+    "query-filters": {
+      "type": "array",
+      "description": "Set of query filters to include and exclude extra queries based on CodeQL query suite include and exclude properties",
+      "items": {
+        "$ref": "#/definitions/QueryFilter"
+      }
+    }
+  },
+  "additionalProperties": true,
+  "definitions": {
+    "QuerySpec": {
+      "type": "object",
+      "description": "Detailed query specification object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "description": "Optional name for the query"
+        },
+        "uses": {
+          "type": "string",
+          "description": "The query or query suite to use"
+        }
+      },
+      "required": ["uses"],
+      "additionalProperties": false
+    },
+    "QueryFilter": {
+      "description": "Query filter that can either include or exclude queries",
+      "oneOf": [
+        {
+          "$ref": "#/definitions/ExcludeQueryFilter"
+        },
+        {
+          "$ref": "#/definitions/IncludeQueryFilter"
+        },
+        {}
+      ]
+    },
+    "ExcludeQueryFilter": {
+      "type": "object",
+      "description": "Filter to exclude queries",
+      "properties": {
+        "exclude": {
+          "type": "object",
+          "description": "Queries to exclude",
+          "additionalProperties": {
+            "oneOf": [
+              {
+                "type": "array",
+                "items": {
+                  "type": "string"
+                }
+              },
+              {
+                "type": "string"
+              }
+            ]
+          }
+        }
+      },
+      "required": ["exclude"],
+      "additionalProperties": false
+    },
+    "IncludeQueryFilter": {
+      "type": "object",
+      "description": "Filter to include queries",
+      "properties": {
+        "include": {
+          "type": "object",
+          "description": "Queries to include",
+          "additionalProperties": {
+            "oneOf": [
+              {
+                "type": "array",
+                "items": {
+                  "type": "string"
+                }
+              },
+              {
+                "type": "string"
+              }
+            ]
+          }
+        }
+      },
+      "required": ["include"],
+      "additionalProperties": false
+    }
+  }
+}
--- a/setup-codeql/action.yml
+++ b/setup-codeql/action.yml
@@ -0,0 +1,39 @@
+name: 'CodeQL: Setup'
+description: 'Installs the CodeQL CLI'
+author: 'GitHub'
+inputs:
+  tools:
+    description: >-
+      By default, the Action will use the recommended version of the CodeQL
+      Bundle to analyze your project. You can override this choice using this
+      input. One of:
+
+      - A local path to a CodeQL Bundle tarball, or
+      - The URL of a CodeQL Bundle tarball GitHub release asset, or
+      - A special value `linked` which uses the version of the CodeQL tools
+        that the Action has been bundled with.
+      - A special value `nightly` which uses the latest nightly version of the
+        CodeQL tools. Note that this is unstable and not recommended for
+        production use.
+
+      If not specified, the Action will check in several places until it finds
+      the CodeQL tools.
+    required: false
+  token:
+    description: GitHub token to use for authenticating with this instance of GitHub.
+    default: ${{ github.token }}
+    required: false
+  matrix:
+    default: ${{ toJson(matrix) }}
+    required: false
+  external-repository-token:
+    description: A token for fetching additional files from private repositories in the same GitHub instance that is running this action.
+    required: false
+outputs:
+  codeql-path:
+    description: The path of the CodeQL binary that was installed.
+  codeql-version:
+    description: The version of the CodeQL binary that was installed.
+runs:
+  using: node24
+  main: '../lib/setup-codeql-action.js'
--- a/src/actions-util.ts
+++ b/src/actions-util.ts
@@ -247,9 +247,14 @@ export function isSelfHostedRunner() {
  return process.env.RUNNER_ENVIRONMENT === "self-hosted";
 }

+/** Determines whether the workflow trigger is `dynamic`. */
+export function isDynamicWorkflow(): boolean {
+  return getWorkflowEventName() === "dynamic";
+}
+
 /** Determines whether we are running in default setup. */
 export function isDefaultSetup(): boolean {
-  return getWorkflowEventName() === "dynamic";
+  return isDynamicWorkflow();
 }

 export function prettyPrintInvocation(cmd: string, args: string[]): string {
--- a/src/analyses.test.ts
+++ b/src/analyses.test.ts
@@ -1,12 +1,19 @@
 import test from "ava";
+import * as sinon from "sinon";

+import * as actionsUtil from "./actions-util";
 import {
  AnalysisKind,
+  getAnalysisKinds,
  parseAnalysisKinds,
  supportedAnalysisKinds,
 } from "./analyses";
+import { getRunnerLogger } from "./logging";
+import { setupTests } from "./testing-utils";
 import { ConfigurationError } from "./util";

+setupTests(test);
+
 test("All known analysis kinds can be parsed successfully", async (t) => {
  for (const analysisKind of supportedAnalysisKinds) {
    t.deepEqual(await parseAnalysisKinds(analysisKind), [analysisKind]);
@@ -34,3 +41,29 @@ test("Parsing analysis kinds requires at least one analysis kind", async (t) =>
    instanceOf: ConfigurationError,
  });
 });
+
+test("getAnalysisKinds - returns expected analysis kinds for `analysis-kinds` input", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub
+    .withArgs("analysis-kinds")
+    .returns("code-scanning,code-quality");
+  const result = await getAnalysisKinds(getRunnerLogger(true), true);
+  t.assert(result.includes(AnalysisKind.CodeScanning));
+  t.assert(result.includes(AnalysisKind.CodeQuality));
+});
+
+test("getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub.withArgs("analysis-kinds").returns("code-scanning");
+  const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
+  optionalInputStub.withArgs("quality-queries").returns("code-quality");
+  const result = await getAnalysisKinds(getRunnerLogger(true), true);
+  t.assert(result.includes(AnalysisKind.CodeScanning));
+  t.assert(result.includes(AnalysisKind.CodeQuality));
+});
+
+test("getAnalysisKinds - throws if `analysis-kinds` input is invalid", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub.withArgs("analysis-kinds").returns("no-such-thing");
+  await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true));
+});
--- a/src/analyses.ts
+++ b/src/analyses.ts
@@ -1,3 +1,9 @@
+import {
+  fixCodeQualityCategory,
+  getOptionalInput,
+  getRequiredInput,
+} from "./actions-util";
+import { Logger } from "./logging";
 import { ConfigurationError } from "./util";

 export enum AnalysisKind {
@@ -39,6 +45,55 @@ export async function parseAnalysisKinds(
  );
 }

+// Used to avoid re-parsing the input after we have done it once.
+let cachedAnalysisKinds: AnalysisKind[] | undefined;
+
+/**
+ * Initialises the analysis kinds for the analysis based on the `analysis-kinds` input.
+ * This function will also use the deprecated `quality-queries` input as an indicator to enable `code-quality`.
+ * If the `analysis-kinds` input cannot be parsed, a `ConfigurationError` is thrown.
+ *
+ * @param logger The logger to use.
+ * @param skipCache For testing, whether to ignore the cached values (default: false).
+ *
+ * @returns The array of enabled analysis kinds.
+ * @throws A `ConfigurationError` if the `analysis-kinds` input cannot be parsed.
+ */
+export async function getAnalysisKinds(
+  logger: Logger,
+  skipCache: boolean = false,
+): Promise<AnalysisKind[]> {
+  if (!skipCache && cachedAnalysisKinds !== undefined) {
+    return cachedAnalysisKinds;
+  }
+
+  cachedAnalysisKinds = await parseAnalysisKinds(
+    getRequiredInput("analysis-kinds"),
+  );
+
+  // Warn that `quality-queries` is deprecated if there is an argument for it.
+  const qualityQueriesInput = getOptionalInput("quality-queries");
+
+  if (qualityQueriesInput !== undefined) {
+    logger.warning(
+      "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. " +
+        "Use the `analysis-kinds` input to configure different analysis kinds instead.",
+    );
+  }
+
+  // For backwards compatibility, add Code Quality to the enabled analysis kinds
+  // if an input to `quality-queries` was specified. We should remove this once
+  // `quality-queries` is no longer used.
+  if (
+    !cachedAnalysisKinds.includes(AnalysisKind.CodeQuality) &&
+    qualityQueriesInput !== undefined
+  ) {
+    cachedAnalysisKinds.push(AnalysisKind.CodeQuality);
+  }
+
+  return cachedAnalysisKinds;
+}
+
 /** The queries to use for Code Quality analyses. */
 export const codeQualityQueries: string[] = ["code-quality"];

@@ -61,6 +116,8 @@ export interface AnalysisConfig {
  /** A predicate on filenames to decide whether a SARIF file
   * belongs to this kind of analysis. */
  sarifPredicate: (name: string) => boolean;
+  /** Analysis-specific adjustment of the category. */
+  fixCategory: (logger: Logger, category?: string) => string | undefined;
  /** A prefix for environment variables used to track the uniqueness of SARIF uploads. */
  sentinelPrefix: string;
 }
@@ -74,6 +131,7 @@ export const CodeScanning: AnalysisConfig = {
  sarifPredicate: (name) =>
    name.endsWith(CodeScanning.sarifExtension) &&
    !CodeQuality.sarifPredicate(name),
+  fixCategory: (_, category) => category,
  sentinelPrefix: "CODEQL_UPLOAD_SARIF_",
 };

@@ -84,5 +142,29 @@ export const CodeQuality: AnalysisConfig = {
  target: SARIF_UPLOAD_ENDPOINT.CODE_QUALITY,
  sarifExtension: ".quality.sarif",
  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
+  fixCategory: fixCodeQualityCategory,
  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_",
 };
+
+/**
+ * Gets the `AnalysisConfig` corresponding to `kind`.
+ * @param kind The analysis kind to get the `AnalysisConfig` for.
+ * @returns The `AnalysisConfig` corresponding to `kind`.
+ */
+export function getAnalysisConfig(kind: AnalysisKind): AnalysisConfig {
+  // Using a switch statement here accomplishes two things:
+  // 1. The type checker believes us that we have a case for every `AnalysisKind`.
+  // 2. If we ever add another member to `AnalysisKind`, the type checker will alert us that we have to add a case.
+  switch (kind) {
+    case AnalysisKind.CodeScanning:
+      return CodeScanning;
+    case AnalysisKind.CodeQuality:
+      return CodeQuality;
+  }
+}
+
+// Since we have overlapping extensions (i.e. ".sarif" includes ".quality.sarif"),
+// we want to scan a folder containing SARIF files in an order that finds the more
+// specific extensions first. This constant defines an array in the order of analyis
+// configurations with more specific extensions to less specific extensions.
+export const SarifScanOrder = [CodeQuality, CodeScanning];
--- a/src/analyze-action.ts
+++ b/src/analyze-action.ts
@@ -356,16 +356,14 @@ async function run() {
      }

      if (isCodeQualityEnabled(config)) {
+        const analysis = analyses.CodeQuality;
        const qualityUploadResult = await uploadLib.uploadFiles(
          outputDir,
          actionsUtil.getRequiredInput("checkout_path"),
-          actionsUtil.fixCodeQualityCategory(
-            logger,
-            actionsUtil.getOptionalInput("category"),
-          ),
+          actionsUtil.getOptionalInput("category"),
          features,
          logger,
-          analyses.CodeQuality,
+          analysis,
        );
        core.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
      }
--- a/src/analyze.test.ts
+++ b/src/analyze.test.ts
@@ -334,7 +334,7 @@ test("resolveQuerySuiteAlias", (t) => {
  for (const suite of defaultSuites) {
    const resolved = resolveQuerySuiteAlias(KnownLanguage.go, suite);
    t.assert(
-      resolved.endsWith(".qls"),
+      path.extname(resolved) === ".qls",
      "Resolved default suite doesn't end in .qls",
    );
    t.assert(
--- a/src/analyze.ts
+++ b/src/analyze.ts
@@ -7,7 +7,6 @@ import * as del from "del";
 import * as yaml from "js-yaml";

 import {
-  fixCodeQualityCategory,
  getRequiredInput,
  getTemporaryDirectory,
  PullRequestBranches,
@@ -781,7 +780,7 @@ export async function runQueries(
    // accepted by the Code Quality backend.
    let category = automationDetailsId;
    if (analysis.kind === analyses.AnalysisKind.CodeQuality) {
-      category = fixCodeQualityCategory(logger, automationDetailsId);
+      category = analysis.fixCategory(logger, automationDetailsId);
    }

    const sarifFile = path.join(
--- a/src/autobuild.ts
+++ b/src/autobuild.ts
@@ -52,11 +52,11 @@ export async function determineAutobuildLanguages(
   * For example, consider a user with the following workflow file:
   *
   * ```yml
-   * - uses: github/codeql-action/init@v3
+   * - uses: github/codeql-action/init@v4
   *   with:
   *     languages: go, java
-   * - uses: github/codeql-action/autobuild@v3
-   * - uses: github/codeql-action/analyze@v3
+   * - uses: github/codeql-action/autobuild@v4
+   * - uses: github/codeql-action/analyze@v4
   * ```
   *
   * - With Go extraction disabled, we will run the Java autobuilder in the
--- a/src/cli-errors.test.ts
+++ b/src/cli-errors.test.ts
@@ -310,6 +310,20 @@ test("wrapCliConfigurationError - pack cannot be found", (t) => {
  t.true(wrappedError instanceof ConfigurationError);
 });

+test("wrapCliConfigurationError - unknown query file", (t) => {
+  const commandError = new CommandInvocationError(
+    "codeql",
+    ["database", "init"],
+    2,
+    "my-query-file is not a .ql file, .qls file, a directory, or a query pack specification. See the logs for more details.",
+  );
+  const cliError = new CliError(commandError);
+
+  const wrappedError = wrapCliConfigurationError(cliError);
+
+  t.true(wrappedError instanceof ConfigurationError);
+});
+
 test("wrapCliConfigurationError - pack missing auth", (t) => {
  const commandError = new CommandInvocationError(
    "codeql",
--- a/src/cli-errors.ts
+++ b/src/cli-errors.ts
@@ -264,6 +264,9 @@ export const cliErrorsConfig: Record<
      new RegExp(
        "Query pack .* cannot be found\\. Check the spelling of the pack\\.",
      ),
+      new RegExp(
+        "is not a .ql file, .qls file, a directory, or a query pack specification.",
+      ),
    ],
  },
  [CliConfigErrorCategory.PackMissingAuth]: {
--- a/src/codeql.test.ts
+++ b/src/codeql.test.ts
@@ -74,6 +74,7 @@ async function installIntoToolcache({
    cliVersion !== undefined
      ? { cliVersion, tagName }
      : SAMPLE_DEFAULT_CLI_VERSION,
+    createFeatures([]),
    getRunnerLogger(true),
    false,
  );
@@ -122,6 +123,8 @@ async function stubCodeql(): Promise<codeql.CodeQL> {
 }

 test("downloads and caches explicitly requested bundles that aren't in the toolcache", async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);

@@ -140,6 +143,7 @@ test("downloads and caches explicitly requested bundles that aren't in the toolc
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        features,
        getRunnerLogger(true),
        false,
      );
@@ -154,6 +158,8 @@ test("downloads and caches explicitly requested bundles that aren't in the toolc
 });

 test("caches semantically versioned bundles using their semantic version number", async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);
    const url = mockBundleDownloadApi({
@@ -166,6 +172,7 @@ test("caches semantically versioned bundles using their semantic version number"
      tmpDir,
      util.GitHubVariant.DOTCOM,
      SAMPLE_DEFAULT_CLI_VERSION,
+      features,
      getRunnerLogger(true),
      false,
    );
@@ -181,6 +188,8 @@ test("caches semantically versioned bundles using their semantic version number"
 });

 test("downloads an explicitly requested bundle even if a different version is cached", async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);

@@ -199,6 +208,7 @@ test("downloads an explicitly requested bundle even if a different version is ca
      tmpDir,
      util.GitHubVariant.DOTCOM,
      SAMPLE_DEFAULT_CLI_VERSION,
+      features,
      getRunnerLogger(true),
      false,
    );
@@ -227,6 +237,8 @@ for (const {
  expectedToolcacheVersion,
 } of EXPLICITLY_REQUESTED_BUNDLE_TEST_CASES) {
  test(`caches explicitly requested bundle ${tagName} as ${expectedToolcacheVersion}`, async (t) => {
+    const features = createFeatures([]);
+
    await util.withTmpDir(async (tmpDir) => {
      setupActionsVars(tmpDir, tmpDir);

@@ -243,6 +255,7 @@ for (const {
        tmpDir,
        util.GitHubVariant.DOTCOM,
        SAMPLE_DEFAULT_CLI_VERSION,
+        features,
        getRunnerLogger(true),
        false,
      );
@@ -266,6 +279,8 @@ for (const toolcacheVersion of [
    `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
      `${toolcacheVersion} is installed`,
    async (t) => {
+      const features = createFeatures([]);
+
      await util.withTmpDir(async (tmpDir) => {
        setupActionsVars(tmpDir, tmpDir);

@@ -281,6 +296,7 @@ for (const toolcacheVersion of [
          tmpDir,
          util.GitHubVariant.DOTCOM,
          SAMPLE_DEFAULT_CLI_VERSION,
+          features,
          getRunnerLogger(true),
          false,
        );
@@ -295,6 +311,8 @@ for (const toolcacheVersion of [
 }

 test(`uses a cached bundle when no tools input is given on GHES`, async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);

@@ -313,6 +331,7 @@ test(`uses a cached bundle when no tools input is given on GHES`, async (t) => {
        cliVersion: defaults.cliVersion,
        tagName: defaults.bundleVersion,
      },
+      features,
      getRunnerLogger(true),
      false,
    );
@@ -328,6 +347,8 @@ test(`uses a cached bundle when no tools input is given on GHES`, async (t) => {
 });

 test(`downloads bundle if only an unpinned version is cached on GHES`, async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);

@@ -349,6 +370,7 @@ test(`downloads bundle if only an unpinned version is cached on GHES`, async (t)
        cliVersion: defaults.cliVersion,
        tagName: defaults.bundleVersion,
      },
+      features,
      getRunnerLogger(true),
      false,
    );
@@ -364,6 +386,8 @@ test(`downloads bundle if only an unpinned version is cached on GHES`, async (t)
 });

 test('downloads bundle if "latest" tools specified but not cached', async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);

@@ -382,6 +406,7 @@ test('downloads bundle if "latest" tools specified but not cached', async (t) =>
      tmpDir,
      util.GitHubVariant.DOTCOM,
      SAMPLE_DEFAULT_CLI_VERSION,
+      features,
      getRunnerLogger(true),
      false,
    );
@@ -397,6 +422,8 @@ test('downloads bundle if "latest" tools specified but not cached', async (t) =>
 });

 test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t) => {
+  const features = createFeatures([]);
+
  await util.withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);

@@ -417,6 +444,7 @@ test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t)
      tmpDir,
      util.GitHubVariant.DOTCOM,
      SAMPLE_DEFAULT_CLI_VERSION,
+      features,
      getRunnerLogger(true),
      false,
    );
--- a/src/codeql.ts
+++ b/src/codeql.ts
@@ -3,6 +3,7 @@ import * as path from "path";

 import * as core from "@actions/core";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
+import { RequestError } from "@octokit/request-error";
 import * as yaml from "js-yaml";

 import {
@@ -308,6 +309,7 @@ const CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
 * @param tempDir
 * @param variant
 * @param defaultCliVersion
+ * @param features Information about the features that are enabled.
 * @param logger
 * @param checkVersion Whether to check that CodeQL CLI meets the minimum
 *        version requirement. Must be set to true outside tests.
@@ -319,6 +321,7 @@ export async function setupCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  features: FeatureEnablement,
  logger: Logger,
  checkVersion: boolean,
 ): Promise<{
@@ -341,6 +344,7 @@ export async function setupCodeQL(
      tempDir,
      variant,
      defaultCliVersion,
+      features,
      logger,
    );

@@ -370,7 +374,8 @@ export async function setupCodeQL(
  } catch (e) {
    const ErrorClass =
      e instanceof util.ConfigurationError ||
-      (e instanceof Error && e.message.includes("ENOSPC")) // out of disk space
+      (e instanceof Error && e.message.includes("ENOSPC")) || // out of disk space
+      (e instanceof RequestError && e.status === 429) // rate limited
        ? util.ConfigurationError
        : Error;

--- a/src/config-utils.test.ts
+++ b/src/config-utils.test.ts
@@ -49,10 +49,9 @@ function createTestInitConfigInputs(
  return Object.assign(
    {},
    {
-      analysisKindsInput: "code-scanning",
+      analysisKinds: [AnalysisKind.CodeScanning],
      languagesInput: undefined,
      queriesInput: undefined,
-      qualityQueriesInput: undefined,
      packsInput: undefined,
      configFile: undefined,
      dbLocation: undefined,
@@ -149,6 +148,7 @@ test("load empty config", async (t) => {
    });

    const config = await configUtils.initConfig(
+      createFeatures([]),
      createTestInitConfigInputs({
        languagesInput: languages,
        repository: { owner: "github", repo: "example" },
@@ -188,8 +188,9 @@ test("load code quality config", async (t) => {
    });

    const config = await configUtils.initConfig(
+      createFeatures([]),
      createTestInitConfigInputs({
-        analysisKindsInput: "code-quality",
+        analysisKinds: [AnalysisKind.CodeQuality],
        languagesInput: languages,
        repository: { owner: "github", repo: "example" },
        tempDir,
@@ -272,8 +273,9 @@ test("initActionState doesn't throw if there are queries configured in the repos

    await t.notThrowsAsync(async () => {
      const config = await configUtils.initConfig(
+        createFeatures([]),
        createTestInitConfigInputs({
-          analysisKindsInput: "code-quality",
+          analysisKinds: [AnalysisKind.CodeQuality],
          languagesInput: languages,
          repository: { owner: "github", repo: "example" },
          tempDir,
@@ -310,6 +312,7 @@ test("loading a saved config produces the same config", async (t) => {
    t.deepEqual(await configUtils.getConfig(tempDir, logger), undefined);

    const config1 = await configUtils.initConfig(
+      createFeatures([]),
      createTestInitConfigInputs({
        languagesInput: "javascript,python",
        tempDir,
@@ -361,6 +364,7 @@ test("loading config with version mismatch throws", async (t) => {
      .returns("does-not-exist");

    const config = await configUtils.initConfig(
+      createFeatures([]),
      createTestInitConfigInputs({
        languagesInput: "javascript,python",
        tempDir,
@@ -389,6 +393,7 @@ test("load input outside of workspace", async (t) => {
  return await withTmpDir(async (tempDir) => {
    try {
      await configUtils.initConfig(
+        createFeatures([]),
        createTestInitConfigInputs({
          configFile: "../input",
          tempDir,
@@ -416,6 +421,7 @@ test("load non-local input with invalid repo syntax", async (t) => {

    try {
      await configUtils.initConfig(
+        createFeatures([]),
        createTestInitConfigInputs({
          configFile,
          tempDir,
@@ -444,6 +450,7 @@ test("load non-existent input", async (t) => {

    try {
      await configUtils.initConfig(
+        createFeatures([]),
        createTestInitConfigInputs({
          languagesInput,
          configFile,
@@ -527,6 +534,7 @@ test("load non-empty input", async (t) => {
    const configFilePath = createConfigFile(inputFileContents, tempDir);

    const actualConfig = await configUtils.initConfig(
+      createFeatures([]),
      createTestInitConfigInputs({
        languagesInput,
        buildModeInput: "none",
@@ -583,6 +591,7 @@ test("Using config input and file together, config input should be used.", async
    const languagesInput = "javascript";

    const config = await configUtils.initConfig(
+      createFeatures([]),
      createTestInitConfigInputs({
        languagesInput,
        configFile: configFilePath,
@@ -633,6 +642,7 @@ test("API client used when reading remote config", async (t) => {
    const languagesInput = "javascript";

    await configUtils.initConfig(
+      createFeatures([]),
      createTestInitConfigInputs({
        languagesInput,
        configFile,
@@ -653,6 +663,7 @@ test("Remote config handles the case where a directory is provided", async (t) =
    const repoReference = "octo-org/codeql-config/config.yaml@main";
    try {
      await configUtils.initConfig(
+        createFeatures([]),
        createTestInitConfigInputs({
          configFile: repoReference,
          tempDir,
@@ -681,6 +692,7 @@ test("Invalid format of remote config handled correctly", async (t) => {
    const repoReference = "octo-org/codeql-config/config.yaml@main";
    try {
      await configUtils.initConfig(
+        createFeatures([]),
        createTestInitConfigInputs({
          configFile: repoReference,
          tempDir,
@@ -710,6 +722,7 @@ test("No detected languages", async (t) => {

    try {
      await configUtils.initConfig(
+        createFeatures([]),
        createTestInitConfigInputs({
          tempDir,
          codeql,
@@ -732,6 +745,7 @@ test("Unknown languages", async (t) => {

    try {
      await configUtils.initConfig(
+        createFeatures([]),
        createTestInitConfigInputs({
          languagesInput,
          tempDir,
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@@ -11,7 +11,6 @@ import {
  CodeQuality,
  codeQualityQueries,
  CodeScanning,
-  parseAnalysisKinds,
 } from "./analyses";
 import * as api from "./api-client";
 import { CachingKind, getCachingKind } from "./caching-utils";
@@ -20,6 +19,7 @@ import {
  calculateAugmentation,
  ExcludeQueryFilter,
  generateCodeScanningConfig,
+  parseUserConfig,
  UserConfig,
 } from "./config/db-config";
 import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-utils";
@@ -373,10 +373,8 @@ export async function getRawLanguages(

 /** Inputs required to initialize a configuration. */
 export interface InitConfigInputs {
-  analysisKindsInput: string;
  languagesInput: string | undefined;
  queriesInput: string | undefined;
-  qualityQueriesInput: string | undefined;
  packsInput: string | undefined;
  configFile: string | undefined;
  dbLocation: string | undefined;
@@ -396,6 +394,7 @@ export interface InitConfigInputs {
  apiDetails: api.GitHubApiCombinedDetails;
  features: FeatureEnablement;
  repositoryProperties: RepositoryProperties;
+  analysisKinds: AnalysisKind[];
  logger: Logger;
 }

@@ -405,10 +404,8 @@ export interface InitConfigInputs {
 */
 export async function initActionState(
  {
-    analysisKindsInput,
    languagesInput,
    queriesInput,
-    qualityQueriesInput,
    packsInput,
    buildModeInput,
    dbLocation,
@@ -424,22 +421,11 @@ export async function initActionState(
    githubVersion,
    features,
    repositoryProperties,
+    analysisKinds,
    logger,
  }: InitConfigInputs,
  userConfig: UserConfig,
 ): Promise<Config> {
-  const analysisKinds = await parseAnalysisKinds(analysisKindsInput);
-
-  // For backwards compatibility, add Code Quality to the enabled analysis kinds
-  // if an input to `quality-queries` was specified. We should remove this once
-  // `quality-queries` is no longer used.
-  if (
-    !analysisKinds.includes(AnalysisKind.CodeQuality) &&
-    qualityQueriesInput !== undefined
-  ) {
-    analysisKinds.push(AnalysisKind.CodeQuality);
-  }
-
  const languages = await getLanguages(
    codeql,
    languagesInput,
@@ -540,10 +526,12 @@ async function downloadCacheWithTime(
 }

 async function loadUserConfig(
+  logger: Logger,
  configFile: string,
  workspacePath: string,
  apiDetails: api.GitHubApiCombinedDetails,
  tempDir: string,
+  validateConfig: boolean,
 ): Promise<UserConfig> {
  if (isLocal(configFile)) {
    if (configFile !== userConfigFromActionPath(tempDir)) {
@@ -556,9 +544,14 @@ async function loadUserConfig(
        );
      }
    }
-    return getLocalConfig(configFile);
+    return getLocalConfig(logger, configFile, validateConfig);
  } else {
-    return await getRemoteConfig(configFile, apiDetails);
+    return await getRemoteConfig(
+      logger,
+      configFile,
+      apiDetails,
+      validateConfig,
+    );
  }
 }

@@ -723,7 +716,14 @@ export async function getOverlayDatabaseMode(
    buildMode !== BuildMode.None &&
    (
      await Promise.all(
-        languages.map(async (l) => await codeql.isTracedLanguage(l)),
+        languages.map(
+          async (l) =>
+            l !== KnownLanguage.go && // Workaround to allow overlay analysis for Go with any build
+            // mode, since it does not yet support BMN. The Go autobuilder and/or extractor will
+            // ensure that overlay-base databases are only created for supported Go build setups,
+            // and that we'll fall back to full databases in other cases.
+            (await codeql.isTracedLanguage(l)),
+        ),
      )
    ).some(Boolean)
  ) {
@@ -787,7 +787,10 @@ function hasQueryCustomisation(userConfig: UserConfig): boolean {
 * This will parse the config from the user input if present, or generate
 * a default config. The parsed config is then stored to a known location.
 */
-export async function initConfig(inputs: InitConfigInputs): Promise<Config> {
+export async function initConfig(
+  features: FeatureEnablement,
+  inputs: InitConfigInputs,
+): Promise<Config> {
  const { logger, tempDir } = inputs;

  // if configInput is set, it takes precedence over configFile
@@ -807,11 +810,14 @@ export async function initConfig(inputs: InitConfigInputs): Promise<Config> {
    logger.debug("No configuration file was provided");
  } else {
    logger.debug(`Using configuration file: ${inputs.configFile}`);
+    const validateConfig = await features.getValue(Feature.ValidateDbConfig);
    userConfig = await loadUserConfig(
+      logger,
      inputs.configFile,
      inputs.workspacePath,
      inputs.apiDetails,
      tempDir,
+      validateConfig,
    );
  }

@@ -905,7 +911,11 @@ function isLocal(configPath: string): boolean {
  return configPath.indexOf("@") === -1;
 }

-function getLocalConfig(configFile: string): UserConfig {
+function getLocalConfig(
+  logger: Logger,
+  configFile: string,
+  validateConfig: boolean,
+): UserConfig {
  // Error if the file does not exist
  if (!fs.existsSync(configFile)) {
    throw new ConfigurationError(
@@ -913,12 +923,19 @@ function getLocalConfig(configFile: string): UserConfig {
    );
  }

-  return yaml.load(fs.readFileSync(configFile, "utf8")) as UserConfig;
+  return parseUserConfig(
+    logger,
+    configFile,
+    fs.readFileSync(configFile, "utf-8"),
+    validateConfig,
+  );
 }

 async function getRemoteConfig(
+  logger: Logger,
  configFile: string,
  apiDetails: api.GitHubApiCombinedDetails,
+  validateConfig: boolean,
 ): Promise<UserConfig> {
  // retrieve the various parts of the config location, and ensure they're present
  const format = new RegExp(
@@ -954,9 +971,12 @@ async function getRemoteConfig(
    );
  }

-  return yaml.load(
+  return parseUserConfig(
+    logger,
+    configFile,
    Buffer.from(fileContents, "base64").toString("binary"),
-  ) as UserConfig;
+    validateConfig,
+  );
 }

 /**
--- a/src/config/db-config.test.ts
+++ b/src/config/db-config.test.ts
@@ -2,7 +2,13 @@ import test, { ExecutionContext } from "ava";

 import { RepositoryProperties } from "../feature-flags/properties";
 import { KnownLanguage, Language } from "../languages";
-import { prettyPrintPack } from "../util";
+import { getRunnerLogger } from "../logging";
+import {
+  checkExpectedLogMessages,
+  getRecordingLogger,
+  LoggedMessage,
+} from "../testing-utils";
+import { ConfigurationError, prettyPrintPack } from "../util";

 import * as dbConfig from "./db-config";

@@ -153,7 +159,6 @@ const packSpecPrettyPrintingMacro = test.macro({
  title: (
    _providedTitle: string | undefined,
    packStr: string,
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
    _packObj: dbConfig.Pack,
  ) => `Prettyprint pack spec: '${packStr}'`,
 });
@@ -392,3 +397,111 @@ test(
  {},
  /"a-pack-without-a-scope" is not a valid pack/,
 );
+
+test("parseUserConfig - successfully parses valid YAML", (t) => {
+  const result = dbConfig.parseUserConfig(
+    getRunnerLogger(true),
+    "test",
+    `
+    paths-ignore:
+      - "some/path"
+    queries:
+      - uses: foo
+    some-unknown-option: true
+    `,
+    true,
+  );
+  t.truthy(result);
+  if (t.truthy(result["paths-ignore"])) {
+    t.is(result["paths-ignore"].length, 1);
+    t.is(result["paths-ignore"][0], "some/path");
+  }
+  if (t.truthy(result["queries"])) {
+    t.is(result["queries"].length, 1);
+    t.deepEqual(result["queries"][0], { uses: "foo" });
+  }
+});
+
+test("parseUserConfig - throws a ConfigurationError if the file is not valid YAML", (t) => {
+  t.throws(
+    () =>
+      dbConfig.parseUserConfig(
+        getRunnerLogger(true),
+        "test",
+        `
+        paths-ignore:
+         - "some/path"
+         queries:
+         - foo
+        `,
+        true,
+      ),
+    {
+      instanceOf: ConfigurationError,
+    },
+  );
+});
+
+test("parseUserConfig - validation isn't picky about `query-filters`", (t) => {
+  const loggedMessages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(loggedMessages);
+
+  t.notThrows(() =>
+    dbConfig.parseUserConfig(
+      logger,
+      "test",
+      `
+        query-filters:
+          - something
+          - include: foo
+          - exclude: bar
+        `,
+      true,
+    ),
+  );
+});
+
+test("parseUserConfig - throws a ConfigurationError if validation fails", (t) => {
+  const loggedMessages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(loggedMessages);
+
+  t.throws(
+    () =>
+      dbConfig.parseUserConfig(
+        logger,
+        "test",
+        `
+        paths-ignore:
+         - "some/path"
+        queries: true
+        `,
+        true,
+      ),
+    {
+      instanceOf: ConfigurationError,
+      message:
+        'The configuration file "test" is invalid: instance.queries is not of a type(s) array.',
+    },
+  );
+
+  const expectedMessages = ["instance.queries is not of a type(s) array"];
+  checkExpectedLogMessages(t, loggedMessages, expectedMessages);
+});
+
+test("parseUserConfig - throws no ConfigurationError if validation should fail, but feature is disabled", (t) => {
+  const loggedMessages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(loggedMessages);
+
+  t.notThrows(() =>
+    dbConfig.parseUserConfig(
+      logger,
+      "test",
+      `
+        paths-ignore:
+         - "some/path"
+        queries: true
+        `,
+      false,
+    ),
+  );
+});
--- a/src/config/db-config.ts
+++ b/src/config/db-config.ts
@@ -1,7 +1,10 @@
 import * as path from "path";

+import * as yaml from "js-yaml";
+import * as jsonschema from "jsonschema";
 import * as semver from "semver";

+import type { UserConfig as DbConfig, QuerySpec } from "../db-config-schema";
 import * as errorMessages from "../error-messages";
 import {
  RepositoryProperties,
@@ -11,6 +14,8 @@ import { Language } from "../languages";
 import { Logger } from "../logging";
 import { cloneObject, ConfigurationError, prettyPrintPack } from "../util";

+export type { QuerySpec } from "../db-config-schema";
+
 export interface ExcludeQueryFilter {
  exclude: Record<string, string[] | string>;
 }
@@ -21,30 +26,14 @@ export interface IncludeQueryFilter {

 export type QueryFilter = ExcludeQueryFilter | IncludeQueryFilter;

-export interface QuerySpec {
-  name?: string;
-  uses: string;
-}
-
 /**
 * Format of the config file supplied by the user.
 */
-export interface UserConfig {
-  name?: string;
-  "disable-default-queries"?: boolean;
-  queries?: QuerySpec[];
-  "paths-ignore"?: string[];
-  paths?: string[];
-
-  // If this is a multi-language analysis, then the packages must be split by
-  // language. If this is a single language analysis, then no split by
-  // language is necessary.
-  packs?: Record<string, string[]> | string[];
-
+export type UserConfig = DbConfig & {
  // Set of query filters to include and exclude extra queries based on
  // codeql query suite `include` and `exclude` properties
  "query-filters"?: QueryFilter[];
-}
+};

 /**
 * Represents additional configuration data from a source other than
@@ -474,3 +463,53 @@ export function generateCodeScanningConfig(

  return augmentedConfig;
 }
+
+/**
+ * Attempts to parse `contents` into a `UserConfig` value.
+ *
+ * @param logger The logger to use.
+ * @param pathInput The path to the file where `contents` was obtained from, for use in error messages.
+ * @param contents The string contents of a YAML file to try and parse as a `UserConfig`.
+ * @param validateConfig Whether to validate the configuration file against the schema.
+ * @returns The `UserConfig` corresponding to `contents`, if parsing was successful.
+ * @throws A `ConfigurationError` if parsing failed.
+ */
+export function parseUserConfig(
+  logger: Logger,
+  pathInput: string,
+  contents: string,
+  validateConfig: boolean,
+): UserConfig {
+  try {
+    const schema =
+      // eslint-disable-next-line @typescript-eslint/no-require-imports
+      require("../../schemas/db-config-schema.json") as jsonschema.Schema;
+
+    const doc = yaml.load(contents);
+
+    if (validateConfig) {
+      const result = new jsonschema.Validator().validate(doc, schema);
+
+      if (result.errors.length > 0) {
+        for (const error of result.errors) {
+          logger.error(error.stack);
+        }
+        throw new ConfigurationError(
+          errorMessages.getInvalidConfigFileMessage(
+            pathInput,
+            result.errors.map((e) => e.stack),
+          ),
+        );
+      }
+    }
+
+    return doc as UserConfig;
+  } catch (error) {
+    if (error instanceof yaml.YAMLException) {
+      throw new ConfigurationError(
+        errorMessages.getConfigFileParseErrorMessage(pathInput, error.message),
+      );
+    }
+    throw error;
+  }
+}
--- a/src/db-config-schema.d.ts
+++ b/src/db-config-schema.d.ts
@@ -0,0 +1,53 @@
+/* This file was automatically generated by `npm run generate:schemas`. Do not edit by hand. */
+
+/**
+ * Format of the config file supplied by the user for CodeQL analysis
+ */
+export interface UserConfig {
+  /**
+   * Name of the configuration
+   */
+  name?: string;
+  /**
+   * Whether to disable default queries
+   */
+  "disable-default-queries"?: boolean;
+  /**
+   * List of additional queries to run
+   */
+  queries?: QuerySpec[];
+  /**
+   * Paths to ignore during analysis
+   */
+  "paths-ignore"?: string[];
+  /**
+   * Paths to include in analysis
+   */
+  paths?: string[];
+  /**
+   * Query packs to include. Can be a simple array for single-language analysis or an object with language-specific arrays for multi-language analysis
+   */
+  packs?:
+    | string[]
+    | {
+        [k: string]: string[];
+      };
+  /**
+   * Set of query filters to include and exclude extra queries based on CodeQL query suite include and exclude properties
+   */
+  "query-filters"?: unknown[];
+  [k: string]: unknown;
+}
+/**
+ * Detailed query specification object
+ */
+export interface QuerySpec {
+  /**
+   * Optional name for the query
+   */
+  name?: string;
+  /**
+   * The query or query suite to use
+   */
+  uses: string;
+}
--- a/src/debug-artifacts.ts
+++ b/src/debug-artifacts.ts
@@ -59,7 +59,7 @@ export async function uploadCombinedSarifArtifacts(
        for (const outputDir of outputDirs) {
          const sarifFiles = fs
            .readdirSync(path.resolve(baseTempDir, outputDir))
-            .filter((f) => f.endsWith(".sarif"));
+            .filter((f) => path.extname(f) === ".sarif");

          for (const sarifFile of sarifFiles) {
            toUpload.push(path.resolve(baseTempDir, outputDir, sarifFile));
--- a/src/defaults.json
+++ b/src/defaults.json
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.1",
-  "cliVersion": "2.23.1",
-  "priorBundleVersion": "codeql-bundle-v2.23.0",
-  "priorCliVersion": "2.23.0"
+  "bundleVersion": "codeql-bundle-v2.23.3",
+  "cliVersion": "2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorCliVersion": "2.23.2"
 }
--- a/src/environment.ts
+++ b/src/environment.ts
@@ -47,6 +47,9 @@ export enum EnvVar {
  /** Whether the CodeQL Action has already warned the user about low disk space. */
  HAS_WARNED_ABOUT_DISK_SPACE = "CODEQL_ACTION_HAS_WARNED_ABOUT_DISK_SPACE",

+  /** Whether the `setup-codeql` action has been run. */
+  SETUP_CODEQL_ACTION_HAS_RUN = "CODEQL_ACTION_SETUP_CODEQL_HAS_RUN",
+
  /** Whether the init action has been run. */
  INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",

@@ -128,4 +131,10 @@ export enum EnvVar {
   * whether the upload is disabled. This is intended for testing and debugging purposes.
   */
  SARIF_DUMP_DIR = "CODEQL_ACTION_SARIF_DUMP_DIR",
+
+  /**
+   * Whether to skip uploading SARIF results to GitHub. Intended for testing purposes.
+   * This setting is more specific than `CODEQL_ACTION_TEST_MODE`, which implies this option.
+   */
+  SKIP_SARIF_UPLOAD = "CODEQL_ACTION_SKIP_SARIF_UPLOAD",
 }
--- a/src/error-messages.ts
+++ b/src/error-messages.ts
@@ -14,6 +14,22 @@ export function getConfigFileDoesNotExistErrorMessage(
  return `The configuration file "${configFile}" does not exist`;
 }

+export function getConfigFileParseErrorMessage(
+  configFile: string,
+  message: string,
+): string {
+  return `Cannot parse "${configFile}": ${message}`;
+}
+
+export function getInvalidConfigFileMessage(
+  configFile: string,
+  messages: string[],
+): string {
+  const andMore =
+    messages.length > 10 ? `, and ${messages.length - 10} more.` : ".";
+  return `The configuration file "${configFile}" is invalid: ${messages.slice(0, 10).join(", ")}${andMore}`;
+}
+
 export function getConfigFileRepoFormatInvalidMessage(
  configFile: string,
 ): string {
--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@@ -43,6 +43,7 @@ export interface FeatureEnablement {
 * Legacy features should end with `_enabled`.
 */
 export enum Feature {
+  AllowToolcacheInput = "allow_toolcache_input",
  CleanupTrapCaches = "cleanup_trap_caches",
  CppDependencyInstallation = "cpp_dependency_installation_enabled",
  DiffInformedQueries = "diff_informed_queries",
@@ -73,9 +74,10 @@ export enum Feature {
  OverlayAnalysisRust = "overlay_analysis_rust",
  OverlayAnalysisSwift = "overlay_analysis_swift",
  PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
-  UseRepositoryProperties = "use_repository_properties",
  QaTelemetryEnabled = "qa_telemetry_enabled",
  ResolveSupportedLanguagesUsingCli = "resolve_supported_languages_using_cli",
+  UseRepositoryProperties = "use_repository_properties",
+  ValidateDbConfig = "validate_db_config",
 }

 export const featureConfig: Record<
@@ -109,6 +111,11 @@ export const featureConfig: Record<
    toolsFeature?: ToolsFeature;
  }
 > = {
+  [Feature.AllowToolcacheInput]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
+    minimumVersion: undefined,
+  },
  [Feature.CleanupTrapCaches]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -281,6 +288,11 @@ export const featureConfig: Record<
    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
    minimumVersion: "2.23.0",
  },
+  [Feature.ValidateDbConfig]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
+    minimumVersion: undefined,
+  },
 };

 /**
--- a/src/init-action-post-helper.test.ts
+++ b/src/init-action-post-helper.test.ts
@@ -2,6 +2,7 @@ import test, { ExecutionContext } from "ava";
 import * as sinon from "sinon";

 import * as actionsUtil from "./actions-util";
+import { AnalysisKind } from "./analyses";
 import * as codeql from "./codeql";
 import * as configUtils from "./config-utils";
 import { Feature } from "./feature-flags";
@@ -28,12 +29,13 @@ test("post: init action with debug mode off", async (t) => {
    const gitHubVersion: util.GitHubVersion = {
      type: util.GitHubVariant.DOTCOM,
    };
-    sinon.stub(configUtils, "getConfig").resolves({
-      debugMode: false,
-      gitHubVersion,
-      languages: [],
-      packs: [],
-    } as unknown as configUtils.Config);
+    sinon.stub(configUtils, "getConfig").resolves(
+      createTestConfig({
+        debugMode: false,
+        gitHubVersion,
+        languages: [],
+      }),
+    );

    const uploadAllAvailableDebugArtifactsSpy = sinon.spy();
    const printDebugLogsSpy = sinon.spy();
@@ -84,14 +86,14 @@ test("uploads failed SARIF run with `diagnostics export` if feature flag is off"
    },
    {
      name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
      with: {
        languages: "javascript",
      },
    },
    {
      name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
      with: {
        category: "my-category",
      },
@@ -108,14 +110,14 @@ test("uploads failed SARIF run with `diagnostics export` if the database doesn't
    },
    {
      name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
      with: {
        languages: "javascript",
      },
    },
    {
      name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
      with: {
        category: "my-category",
      },
@@ -135,14 +137,14 @@ test("uploads failed SARIF run with database export-diagnostics if the database
    },
    {
      name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
      with: {
        languages: "javascript",
      },
    },
    {
      name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
      with: {
        category: "my-category",
      },
@@ -192,14 +194,14 @@ for (const { uploadInput, shouldUpload } of UPLOAD_INPUT_TEST_CASES) {
      },
      {
        name: "Initialize CodeQL",
-        uses: "github/codeql-action/init@v3",
+        uses: "github/codeql-action/init@v4",
        with: {
          languages: "javascript",
        },
      },
      {
        name: "Perform CodeQL Analysis",
-        uses: "github/codeql-action/analyze@v3",
+        uses: "github/codeql-action/analyze@v4",
        with: {
          category: "my-category",
          upload: uploadInput,
@@ -227,14 +229,14 @@ test("uploading failed SARIF run succeeds when workflow uses an input with a mat
    },
    {
      name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
      with: {
        languages: "javascript",
      },
    },
    {
      name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
      with: {
        category: "/language:${{ matrix.language }}",
      },
@@ -254,14 +256,14 @@ test("uploading failed SARIF run fails when workflow uses a complex upload input
    },
    {
      name: "Initialize CodeQL",
-      uses: "github/codeql-action/init@v3",
+      uses: "github/codeql-action/init@v4",
      with: {
        languages: "javascript",
      },
    },
    {
      name: "Perform CodeQL Analysis",
-      uses: "github/codeql-action/analyze@v3",
+      uses: "github/codeql-action/analyze@v4",
      with: {
        upload: "${{ matrix.language != 'csharp' }}",
      },
@@ -295,6 +297,17 @@ test("uploading failed SARIF run fails when workflow does not reference github/c
  t.truthy(result.upload_failed_run_stack_trace);
 });

+test("not uploading failed SARIF when `code-scanning` is not an enabled analysis kind", async (t) => {
+  const result = await testFailedSarifUpload(t, createTestWorkflow([]), {
+    analysisKinds: [AnalysisKind.CodeQuality],
+    expectUpload: false,
+  });
+  t.is(
+    result.upload_failed_run_skipped_because,
+    "Code Scanning is not enabled.",
+  );
+});
+
 function createTestWorkflow(
  steps: workflow.WorkflowJobStep[],
 ): workflow.Workflow {
@@ -327,20 +340,22 @@ async function testFailedSarifUpload(
    expectUpload = true,
    exportDiagnosticsEnabled = false,
    matrix = {},
+    analysisKinds = [AnalysisKind.CodeScanning],
  }: {
    category?: string;
    databaseExists?: boolean;
    expectUpload?: boolean;
    exportDiagnosticsEnabled?: boolean;
    matrix?: { [key: string]: string };
+    analysisKinds?: AnalysisKind[];
  } = {},
 ): Promise<initActionPostHelper.UploadFailedSarifResult> {
-  const config = {
+  const config = createTestConfig({
+    analysisKinds,
    codeQLCmd: "codeql",
    debugMode: true,
    languages: [],
-    packs: [],
-  } as unknown as configUtils.Config;
+  });
  if (databaseExists) {
    config.dbLocation = "path/to/database";
  }
--- a/src/init-action-post-helper.ts
+++ b/src/init-action-post-helper.ts
@@ -7,7 +7,7 @@ import * as actionsUtil from "./actions-util";
 import { CodeScanning } from "./analyses";
 import { getApiClient } from "./api-client";
 import { CodeQL, getCodeQL } from "./codeql";
-import { Config } from "./config-utils";
+import { Config, isCodeScanningEnabled } from "./config-utils";
 import * as dependencyCaching from "./dependency-caching";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
@@ -19,8 +19,8 @@ import {
  delay,
  getErrorMessage,
  getRequiredEnvParam,
-  isInTestMode,
  parseMatrixInput,
+  shouldSkipSarifUpload,
  wrapError,
 } from "./util";
 import {
@@ -81,7 +81,7 @@ async function maybeUploadFailedSarif(
    !["always", "failure-only"].includes(
      actionsUtil.getUploadValue(shouldUpload),
    ) ||
-    isInTestMode()
+    shouldSkipSarifUpload()
  ) {
    return { upload_failed_run_skipped_because: "SARIF upload is disabled" };
  }
@@ -139,6 +139,15 @@ export async function tryUploadSarifIfRunFailed(
      EnvVar.JOB_STATUS,
      process.env[EnvVar.JOB_STATUS] ?? JobStatus.ConfigErrorStatus,
    );
+
+    // If the only enabled analysis kind is `code-quality`, then we shouldn't
+    // upload the failed SARIF to Code Scanning.
+    if (!isCodeScanningEnabled(config)) {
+      return {
+        upload_failed_run_skipped_because: "Code Scanning is not enabled.",
+      };
+    }
+
    try {
      return await maybeUploadFailedSarif(
        config,
--- a/src/init-action.ts
+++ b/src/init-action.ts
@@ -15,6 +15,7 @@ import {
  getTemporaryDirectory,
  persistInputs,
 } from "./actions-util";
+import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import {
  getDependencyCachingEnabled,
@@ -56,6 +57,7 @@ import { ToolsSource } from "./setup-codeql";
 import {
  ActionName,
  InitStatusReport,
+  InitToolsDownloadFields,
  InitWithConfigStatusReport,
  createInitWithConfigStatusReport,
  createStatusReportBase,
@@ -86,14 +88,29 @@ import {
 } from "./util";
 import { validateWorkflow } from "./workflow";

-/** Fields of the init status report populated when the tools source is `download`. */
-interface InitToolsDownloadFields {
-  /** Time taken to download the bundle, in milliseconds. */
-  tools_download_duration_ms?: number;
-  /**
-   * Whether the relevant tools dotcom feature flags have been misconfigured.
-   * Only populated if we attempt to determine the default version based on the dotcom feature flags. */
-  tools_feature_flags_valid?: boolean;
+/**
+ * Sends a status report indicating that the `init` Action is starting.
+ *
+ * @param startedAt
+ * @param config
+ * @param logger
+ */
+async function sendStartingStatusReport(
+  startedAt: Date,
+  config: Partial<configUtils.Config> | undefined,
+  logger: Logger,
+) {
+  const statusReportBase = await createStatusReportBase(
+    ActionName.Init,
+    "starting",
+    startedAt,
+    config,
+    await checkDiskUsage(logger),
+    logger,
+  );
+  if (statusReportBase !== undefined) {
+    await sendStatusReport(statusReportBase);
+  }
 }

 async function sendCompletedStatusReport(
@@ -210,6 +227,7 @@ async function run() {
    ? await loadPropertiesFromApi(gitHubVersion, logger, repositoryNwo)
    : {};

+  // Create a unique identifier for this run.
  const jobRunUuid = uuidV4();
  logger.info(`Job run UUID is ${jobRunUuid}.`);
  core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
@@ -227,17 +245,30 @@ async function run() {
  );

  try {
-    const statusReportBase = await createStatusReportBase(
-      ActionName.Init,
-      "starting",
-      startedAt,
-      config,
-      await checkDiskUsage(logger),
-      logger,
-    );
-    if (statusReportBase !== undefined) {
-      await sendStatusReport(statusReportBase);
+    // Parsing the `analysis-kinds` input may throw a `ConfigurationError`, which we don't want before
+    // we have called `sendStartingStatusReport` below. However, we want the analysis kinds for that status
+    // report. To work around this, we ignore exceptions that are thrown here and then call `getAnalysisKinds`
+    // a second time later. The second call will then throw the exception again. If `getAnalysisKinds` is
+    // successful, the results are cached so that we don't duplicate the work in normal runs.
+    let analysisKinds: AnalysisKind[] | undefined;
+    try {
+      analysisKinds = await getAnalysisKinds(logger);
+    } catch (err) {
+      logger.debug(
+        `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`,
+      );
    }
+
+    // Send a status report indicating that an analysis is starting.
+    await sendStartingStatusReport(startedAt, { analysisKinds }, logger);
+
+    // Throw a `ConfigurationError` if the `setup-codeql` action has been run.
+    if (process.env[EnvVar.SETUP_CODEQL_ACTION_HAS_RUN] === "true") {
+      throw new ConfigurationError(
+        `The 'init' action should not be run in the same workflow as 'setup-codeql'.`,
+      );
+    }
+
    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
      gitHubVersion.type,
    );
@@ -248,6 +279,7 @@ async function run() {
      getTemporaryDirectory(),
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      features,
      logger,
    );
    codeql = initCodeQLResult.codeql;
@@ -292,21 +324,11 @@ async function run() {
      }
    }

-    // Warn that `quality-queries` is deprecated if there is an argument for it.
-    const qualityQueriesInput = getOptionalInput("quality-queries");
-
-    if (qualityQueriesInput !== undefined) {
-      logger.warning(
-        "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. " +
-          "Use the `analysis-kinds` input to configure different analysis kinds instead.",
-      );
-    }
-
-    config = await initConfig({
-      analysisKindsInput: getRequiredInput("analysis-kinds"),
+    analysisKinds = await getAnalysisKinds(logger);
+    config = await initConfig(features, {
+      analysisKinds,
      languagesInput: getOptionalInput("languages"),
      queriesInput: getOptionalInput("queries"),
-      qualityQueriesInput,
      packsInput: getOptionalInput("packs"),
      buildModeInput: getOptionalInput("build-mode"),
      configFile,
--- a/src/init.ts
+++ b/src/init.ts
@@ -9,7 +9,7 @@ import { getOptionalInput, isSelfHostedRunner } from "./actions-util";
 import { GitHubApiDetails } from "./api-client";
 import { CodeQL, setupCodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
-import { CodeQLDefaultVersionInfo } from "./feature-flags";
+import { CodeQLDefaultVersionInfo, FeatureEnablement } from "./feature-flags";
 import { KnownLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
 import { ToolsSource } from "./setup-codeql";
@@ -23,6 +23,7 @@ export async function initCodeQL(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  features: FeatureEnablement,
  logger: Logger,
 ): Promise<{
  codeql: CodeQL;
@@ -44,6 +45,7 @@ export async function initCodeQL(
    tempDir,
    variant,
    defaultCliVersion,
+    features,
    logger,
    true,
  );
@@ -59,10 +61,11 @@ export async function initCodeQL(
 }

 export async function initConfig(
+  features: FeatureEnablement,
  inputs: configUtils.InitConfigInputs,
 ): Promise<configUtils.Config> {
  return await withGroupAsync("Load language configuration", async () => {
-    return await configUtils.initConfig(inputs);
+    return await configUtils.initConfig(features, inputs);
  });
 }

--- a/src/setup-codeql-action.ts
+++ b/src/setup-codeql-action.ts
@@ -0,0 +1,196 @@
+import * as core from "@actions/core";
+import { v4 as uuidV4 } from "uuid";
+
+import {
+  getActionVersion,
+  getOptionalInput,
+  getRequiredInput,
+  getTemporaryDirectory,
+} from "./actions-util";
+import { getGitHubVersion } from "./api-client";
+import { CodeQL } from "./codeql";
+import { EnvVar } from "./environment";
+import { Features } from "./feature-flags";
+import { initCodeQL } from "./init";
+import { getActionsLogger, Logger } from "./logging";
+import { getRepositoryNwo } from "./repository";
+import { ToolsSource } from "./setup-codeql";
+import {
+  ActionName,
+  InitStatusReport,
+  InitToolsDownloadFields,
+  createStatusReportBase,
+  getActionsStatus,
+  sendStatusReport,
+} from "./status-report";
+import { ToolsDownloadStatusReport } from "./tools-download";
+import {
+  checkDiskUsage,
+  checkForTimeout,
+  checkGitHubVersionInRange,
+  getRequiredEnvParam,
+  initializeEnvironment,
+  ConfigurationError,
+  wrapError,
+  checkActionVersion,
+  getErrorMessage,
+} from "./util";
+
+/**
+ * Helper function to send a full status report for this action.
+ */
+async function sendCompletedStatusReport(
+  startedAt: Date,
+  toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined,
+  toolsFeatureFlagsValid: boolean | undefined,
+  toolsSource: ToolsSource,
+  toolsVersion: string,
+  logger: Logger,
+  error?: Error,
+): Promise<void> {
+  const statusReportBase = await createStatusReportBase(
+    ActionName.SetupCodeQL,
+    getActionsStatus(error),
+    startedAt,
+    undefined,
+    await checkDiskUsage(logger),
+    logger,
+    error?.message,
+    error?.stack,
+  );
+
+  if (statusReportBase === undefined) {
+    return;
+  }
+
+  const initStatusReport: InitStatusReport = {
+    ...statusReportBase,
+    tools_input: getOptionalInput("tools") || "",
+    tools_resolved_version: toolsVersion,
+    tools_source: toolsSource || ToolsSource.Unknown,
+    workflow_languages: "",
+  };
+
+  const initToolsDownloadFields: InitToolsDownloadFields = {};
+
+  if (toolsDownloadStatusReport?.downloadDurationMs !== undefined) {
+    initToolsDownloadFields.tools_download_duration_ms =
+      toolsDownloadStatusReport.downloadDurationMs;
+  }
+  if (toolsFeatureFlagsValid !== undefined) {
+    initToolsDownloadFields.tools_feature_flags_valid = toolsFeatureFlagsValid;
+  }
+
+  await sendStatusReport({ ...initStatusReport, ...initToolsDownloadFields });
+}
+
+/** The main behaviour of this action. */
+async function run(): Promise<void> {
+  const startedAt = new Date();
+  const logger = getActionsLogger();
+  initializeEnvironment(getActionVersion());
+
+  let codeql: CodeQL;
+  let toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined;
+  let toolsFeatureFlagsValid: boolean | undefined;
+  let toolsSource: ToolsSource;
+  let toolsVersion: string;
+
+  const apiDetails = {
+    auth: getRequiredInput("token"),
+    externalRepoAuth: getOptionalInput("external-repository-token"),
+    url: getRequiredEnvParam("GITHUB_SERVER_URL"),
+    apiURL: getRequiredEnvParam("GITHUB_API_URL"),
+  };
+
+  const gitHubVersion = await getGitHubVersion();
+  checkGitHubVersionInRange(gitHubVersion, logger);
+  checkActionVersion(getActionVersion(), gitHubVersion);
+
+  const repositoryNwo = getRepositoryNwo();
+
+  const features = new Features(
+    gitHubVersion,
+    repositoryNwo,
+    getTemporaryDirectory(),
+    logger,
+  );
+
+  const jobRunUuid = uuidV4();
+  logger.info(`Job run UUID is ${jobRunUuid}.`);
+  core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
+
+  try {
+    const statusReportBase = await createStatusReportBase(
+      ActionName.SetupCodeQL,
+      "starting",
+      startedAt,
+      undefined,
+      await checkDiskUsage(logger),
+      logger,
+    );
+    if (statusReportBase !== undefined) {
+      await sendStatusReport(statusReportBase);
+    }
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type,
+    );
+    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    const initCodeQLResult = await initCodeQL(
+      getOptionalInput("tools"),
+      apiDetails,
+      getTemporaryDirectory(),
+      gitHubVersion.type,
+      codeQLDefaultVersionInfo,
+      features,
+      logger,
+    );
+    codeql = initCodeQLResult.codeql;
+    toolsDownloadStatusReport = initCodeQLResult.toolsDownloadStatusReport;
+    toolsVersion = initCodeQLResult.toolsVersion;
+    toolsSource = initCodeQLResult.toolsSource;
+
+    core.setOutput("codeql-path", codeql.getPath());
+    core.setOutput("codeql-version", (await codeql.getVersion()).version);
+
+    core.exportVariable(EnvVar.SETUP_CODEQL_ACTION_HAS_RUN, "true");
+  } catch (unwrappedError) {
+    const error = wrapError(unwrappedError);
+    core.setFailed(error.message);
+    const statusReportBase = await createStatusReportBase(
+      ActionName.SetupCodeQL,
+      error instanceof ConfigurationError ? "user-error" : "failure",
+      startedAt,
+      undefined,
+      await checkDiskUsage(logger),
+      logger,
+      error.message,
+      error.stack,
+    );
+    if (statusReportBase !== undefined) {
+      await sendStatusReport(statusReportBase);
+    }
+    return;
+  }
+
+  await sendCompletedStatusReport(
+    startedAt,
+    toolsDownloadStatusReport,
+    toolsFeatureFlagsValid,
+    toolsSource,
+    toolsVersion,
+    logger,
+  );
+}
+
+/** Run the action and catch any unhandled errors. */
+async function runWrapper(): Promise<void> {
+  try {
+    await run();
+  } catch (error) {
+    core.setFailed(`setup-codeql action failed: ${getErrorMessage(error)}`);
+  }
+  await checkForTimeout();
+}
+
+void runWrapper();
--- a/src/setup-codeql.test.ts
+++ b/src/setup-codeql.test.ts
@@ -1,6 +1,7 @@
 import * as path from "path";

-import test from "ava";
+import * as toolcache from "@actions/tool-cache";
+import test, { ExecutionContext } from "ava";
 import * as sinon from "sinon";

 import * as actionsUtil from "./actions-util";
@@ -12,6 +13,7 @@ import {
  LoggedMessage,
  SAMPLE_DEFAULT_CLI_VERSION,
  SAMPLE_DOTCOM_API_DETAILS,
+  createFeatures,
  getRecordingLogger,
  initializeFeatures,
  mockBundleDownloadApi,
@@ -90,6 +92,8 @@ test("getCodeQLActionRepository", (t) => {
 });

 test("getCodeQLSource sets CLI version for a semver tagged bundle", async (t) => {
+  const features = createFeatures([]);
+
  await withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);
    const tagName = "codeql-bundle-v1.2.3";
@@ -100,6 +104,7 @@ test("getCodeQLSource sets CLI version for a semver tagged bundle", async (t) =>
      SAMPLE_DOTCOM_API_DETAILS,
      GitHubVariant.DOTCOM,
      false,
+      features,
      getRunnerLogger(true),
    );

@@ -109,6 +114,8 @@ test("getCodeQLSource sets CLI version for a semver tagged bundle", async (t) =>
 });

 test("getCodeQLSource correctly returns bundled CLI version when tools == linked", async (t) => {
+  const features = createFeatures([]);
+
  await withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);
    const source = await setupCodeql.getCodeQLSource(
@@ -117,6 +124,7 @@ test("getCodeQLSource correctly returns bundled CLI version when tools == linked
      SAMPLE_DOTCOM_API_DETAILS,
      GitHubVariant.DOTCOM,
      false,
+      features,
      getRunnerLogger(true),
    );

@@ -128,6 +136,7 @@ test("getCodeQLSource correctly returns bundled CLI version when tools == linked
 test("getCodeQLSource correctly returns bundled CLI version when tools == latest", async (t) => {
  const loggedMessages: LoggedMessage[] = [];
  const logger = getRecordingLogger(loggedMessages);
+  const features = createFeatures([]);

  await withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);
@@ -137,6 +146,7 @@ test("getCodeQLSource correctly returns bundled CLI version when tools == latest
      SAMPLE_DOTCOM_API_DETAILS,
      GitHubVariant.DOTCOM,
      false,
+      features,
      logger,
    );

@@ -161,6 +171,7 @@ test("getCodeQLSource correctly returns bundled CLI version when tools == latest
 test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to use linked tools", async (t) => {
  const loggedMessages: LoggedMessage[] = [];
  const logger = getRecordingLogger(loggedMessages);
+  const features = createFeatures([]);

  // Stub the downloadCodeQL function to prevent downloading artefacts
  // during testing from being called.
@@ -185,6 +196,7 @@ test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to use
      "tmp/codeql_action_test/",
      GitHubVariant.DOTCOM,
      SAMPLE_DEFAULT_CLI_VERSION,
+      features,
      logger,
    );

@@ -207,6 +219,7 @@ test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to use
 test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to download a non-default bundle", async (t) => {
  const loggedMessages: LoggedMessage[] = [];
  const logger = getRecordingLogger(loggedMessages);
+  const features = createFeatures([]);

  const bundleUrl =
    "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.16.0/codeql-bundle-linux64.tar.gz";
@@ -235,6 +248,7 @@ test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to dow
      "tmp/codeql_action_test/",
      GitHubVariant.DOTCOM,
      SAMPLE_DEFAULT_CLI_VERSION,
+      features,
      logger,
    );

@@ -254,6 +268,160 @@ test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to dow
  });
 });

+test("getCodeQLSource correctly returns latest version from toolcache when tools == toolcache", async (t) => {
+  const loggedMessages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(loggedMessages);
+  const features = createFeatures([Feature.AllowToolcacheInput]);
+
+  process.env["GITHUB_EVENT_NAME"] = "dynamic";
+
+  const latestToolcacheVersion = "3.2.1";
+  const latestVersionPath = "/path/to/latest";
+  const testVersions = ["2.3.1", latestToolcacheVersion, "1.2.3"];
+  const findAllVersionsStub = sinon
+    .stub(toolcache, "findAllVersions")
+    .returns(testVersions);
+  const findStub = sinon.stub(toolcache, "find");
+  findStub
+    .withArgs("CodeQL", latestToolcacheVersion)
+    .returns(latestVersionPath);
+
+  await withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
+    const source = await setupCodeql.getCodeQLSource(
+      "toolcache",
+      SAMPLE_DEFAULT_CLI_VERSION,
+      SAMPLE_DOTCOM_API_DETAILS,
+      GitHubVariant.DOTCOM,
+      false,
+      features,
+      logger,
+    );
+
+    // Check that the toolcache functions were called with the expected arguments
+    t.assert(
+      findAllVersionsStub.calledOnceWith("CodeQL"),
+      `toolcache.findAllVersions("CodeQL") wasn't called`,
+    );
+    t.assert(
+      findStub.calledOnceWith("CodeQL", latestToolcacheVersion),
+      `toolcache.find("CodeQL", ${latestToolcacheVersion}) wasn't called`,
+    );
+
+    // Check that `sourceType` and `toolsVersion` match expectations.
+    t.is(source.sourceType, "toolcache");
+    t.is(source.toolsVersion, latestToolcacheVersion);
+
+    // Check that key messages we would expect to find in the log are present.
+    const expectedMessages: string[] = [
+      `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: toolcache'.`,
+      `CLI version ${latestToolcacheVersion} is the latest version in the toolcache.`,
+      `Using CodeQL CLI version ${latestToolcacheVersion} from toolcache at ${latestVersionPath}`,
+    ];
+    for (const expectedMessage of expectedMessages) {
+      t.assert(
+        loggedMessages.some(
+          (msg) =>
+            typeof msg.message === "string" &&
+            msg.message.includes(expectedMessage),
+        ),
+        `Expected '${expectedMessage}' in the logger output, but didn't find it in:\n ${loggedMessages.map((m) => ` - '${m.message}'`).join("\n")}`,
+      );
+    }
+  });
+});
+
+const toolcacheInputFallbackMacro = test.macro({
+  exec: async (
+    t: ExecutionContext<unknown>,
+    featureList: Feature[],
+    environment: Record<string, string>,
+    testVersions: string[],
+    expectedMessages: string[],
+  ) => {
+    const loggedMessages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(loggedMessages);
+    const features = createFeatures(featureList);
+
+    for (const [k, v] of Object.entries(environment)) {
+      process.env[k] = v;
+    }
+
+    const findAllVersionsStub = sinon
+      .stub(toolcache, "findAllVersions")
+      .returns(testVersions);
+
+    await withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const source = await setupCodeql.getCodeQLSource(
+        "toolcache",
+        SAMPLE_DEFAULT_CLI_VERSION,
+        SAMPLE_DOTCOM_API_DETAILS,
+        GitHubVariant.DOTCOM,
+        false,
+        features,
+        logger,
+      );
+
+      // Check that the toolcache functions were called with the expected arguments
+      t.assert(
+        findAllVersionsStub.calledWith("CodeQL"),
+        `toolcache.findAllVersions("CodeQL") wasn't called`,
+      );
+
+      // Check that `sourceType` and `toolsVersion` match expectations.
+      t.is(source.sourceType, "download");
+      t.is(source.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
+
+      // Check that key messages we would expect to find in the log are present.
+      for (const expectedMessage of expectedMessages) {
+        t.assert(
+          loggedMessages.some(
+            (msg) =>
+              typeof msg.message === "string" &&
+              msg.message.includes(expectedMessage),
+          ),
+          `Expected '${expectedMessage}' in the logger output, but didn't find it in:\n ${loggedMessages.map((m) => ` - '${m.message}'`).join("\n")}`,
+        );
+      }
+    });
+  },
+  title: (providedTitle = "") =>
+    `getCodeQLSource falls back to downloading the CLI if ${providedTitle}`,
+});
+
+test(
+  "the toolcache doesn't have a CodeQL CLI when tools == toolcache",
+  toolcacheInputFallbackMacro,
+  [Feature.AllowToolcacheInput],
+  { GITHUB_EVENT_NAME: "dynamic" },
+  [],
+  [
+    `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: toolcache'.`,
+    `Found no CodeQL CLI in the toolcache, ignoring 'tools: toolcache'...`,
+  ],
+);
+
+test(
+  "the workflow trigger is not `dynamic`",
+  toolcacheInputFallbackMacro,
+  [Feature.AllowToolcacheInput],
+  { GITHUB_EVENT_NAME: "pull_request" },
+  [],
+  [
+    `Ignoring 'tools: toolcache' because the workflow was not triggered dynamically.`,
+  ],
+);
+
+test(
+  "the feature flag is not enabled",
+  toolcacheInputFallbackMacro,
+  [],
+  { GITHUB_EVENT_NAME: "dynamic" },
+  [],
+  [`Ignoring 'tools: toolcache' because the feature is not enabled.`],
+);
+
 test('tryGetTagNameFromUrl extracts the right tag name for a repo name containing "codeql-bundle"', (t) => {
  t.is(
    setupCodeql.tryGetTagNameFromUrl(
@@ -263,3 +431,15 @@ test('tryGetTagNameFromUrl extracts the right tag name for a repo name containin
    "codeql-bundle-v2.19.0",
  );
 });
+
+test("getLatestToolcacheVersion returns undefined if there are no CodeQL CLIs in the toolcache", (t) => {
+  sinon.stub(toolcache, "findAllVersions").returns([]);
+  t.is(setupCodeql.getLatestToolcacheVersion(getRunnerLogger(true)), undefined);
+});
+
+test("getLatestToolcacheVersion returns latest version in the toolcache", (t) => {
+  const testVersions = ["2.3.1", "3.2.1", "1.2.3"];
+  sinon.stub(toolcache, "findAllVersions").returns(testVersions);
+
+  t.is(setupCodeql.getLatestToolcacheVersion(getRunnerLogger(true)), "3.2.1");
+});
--- a/src/setup-codeql.ts
+++ b/src/setup-codeql.ts
@@ -7,12 +7,14 @@ import { default as deepEqual } from "fast-deep-equal";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";

-import { isRunningLocalAction } from "./actions-util";
+import { isDynamicWorkflow, isRunningLocalAction } from "./actions-util";
 import * as api from "./api-client";
 import * as defaults from "./defaults.json";
 import {
  CODEQL_VERSION_ZSTD_BUNDLE,
  CodeQLDefaultVersionInfo,
+  Feature,
+  FeatureEnablement,
 } from "./feature-flags";
 import { Logger } from "./logging";
 import * as tar from "./tar";
@@ -38,6 +40,7 @@ const CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";

 const CODEQL_BUNDLE_VERSION_ALIAS: string[] = ["linked", "latest"];
 const CODEQL_NIGHTLY_TOOLS_INPUTS = ["nightly", "nightly-latest"];
+const CODEQL_TOOLCACHE_INPUT = "toolcache";

 function getCodeQLBundleExtension(
  compressionMethod: tar.CompressionMethod,
@@ -275,6 +278,7 @@ export async function getCodeQLSource(
  apiDetails: api.GitHubApiDetails,
  variant: util.GitHubVariant,
  tarSupportsZstd: boolean,
+  features: FeatureEnablement,
  logger: Logger,
 ): Promise<CodeQLToolsSource> {
  if (
@@ -346,6 +350,54 @@ export async function getCodeQLSource(
        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required.",
      );
    }
+  } else if (
+    toolsInput !== undefined &&
+    toolsInput === CODEQL_TOOLCACHE_INPUT
+  ) {
+    let latestToolcacheVersion: string | undefined;
+
+    // We only allow `toolsInput === "toolcache"` for `dynamic` events. In general, using `toolsInput === "toolcache"`
+    // can lead to alert wobble and so it shouldn't be used for an analysis where results are intended to be uploaded.
+    // We also allow this in test mode.
+    const allowToolcacheValueFF = await features.getValue(
+      Feature.AllowToolcacheInput,
+    );
+    const allowToolcacheValue =
+      allowToolcacheValueFF && (isDynamicWorkflow() || util.isInTestMode());
+    if (allowToolcacheValue) {
+      // If `toolsInput === "toolcache"`, try to find the latest version of the CLI that's available in the toolcache
+      // and use that. We perform this check here since we can set `cliVersion` directly and don't want to default to
+      // the linked version.
+      logger.info(
+        `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`,
+      );
+
+      latestToolcacheVersion = getLatestToolcacheVersion(logger);
+      if (latestToolcacheVersion) {
+        cliVersion = latestToolcacheVersion;
+      }
+    }
+
+    if (latestToolcacheVersion === undefined) {
+      if (allowToolcacheValue) {
+        logger.info(
+          `Found no CodeQL CLI in the toolcache, ignoring 'tools: ${toolsInput}'...`,
+        );
+      } else {
+        if (allowToolcacheValueFF) {
+          logger.warning(
+            `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`,
+          );
+        } else {
+          logger.info(
+            `Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`,
+          );
+        }
+      }
+
+      cliVersion = defaultCliVersion.cliVersion;
+      tagName = defaultCliVersion.tagName;
+    }
  } else if (toolsInput !== undefined) {
    // If a tools URL was provided, then use that.
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
@@ -696,6 +748,7 @@ export async function setupCodeQLBundle(
  tempDir: string,
  variant: util.GitHubVariant,
  defaultCliVersion: CodeQLDefaultVersionInfo,
+  features: FeatureEnablement,
  logger: Logger,
 ) {
  if (!(await util.isBinaryAccessible("tar", logger))) {
@@ -711,6 +764,7 @@ export async function setupCodeQLBundle(
    apiDetails,
    variant,
    zstdAvailability.available,
+    features,
    logger,
  );

@@ -816,9 +870,38 @@ async function getNightlyToolsUrl(logger: Logger) {
  }
 }

+/**
+ * Gets the latest version of the CodeQL CLI that is available in the toolcache, or `undefined`
+ * if no CodeQL CLI is available in the toolcache.
+ *
+ * @param logger The logger to use.
+ * @returns The latest version of the CodeQL CLI that is available in the toolcache, or `undefined` if there is none.
+ */
+export function getLatestToolcacheVersion(logger: Logger): string | undefined {
+  const allVersions = toolcache
+    .findAllVersions("CodeQL")
+    .sort((a, b) => semver.compare(b, a));
+  logger.debug(
+    `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
+      allVersions,
+    )}.`,
+  );
+
+  if (allVersions.length > 0) {
+    const latestToolcacheVersion = allVersions[0];
+    logger.info(
+      `CLI version ${latestToolcacheVersion} is the latest version in the toolcache.`,
+    );
+    return latestToolcacheVersion;
+  }
+
+  return undefined;
+}
+
 function isReservedToolsValue(tools: string): boolean {
  return (
    CODEQL_BUNDLE_VERSION_ALIAS.includes(tools) ||
-    CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools)
+    CODEQL_NIGHTLY_TOOLS_INPUTS.includes(tools) ||
+    tools === CODEQL_TOOLCACHE_INPUT
  );
 }
--- a/src/start-proxy-action.ts
+++ b/src/start-proxy-action.ts
@@ -7,13 +7,23 @@ import { pki } from "node-forge";

 import * as actionsUtil from "./actions-util";
 import { getApiDetails, getAuthorizationHeaderFor } from "./api-client";
+import { Config } from "./config-utils";
+import { KnownLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
 import {
  Credential,
  getCredentials,
  getDownloadUrl,
+  parseLanguage,
  UPDATEJOB_PROXY,
 } from "./start-proxy";
+import {
+  ActionName,
+  createStatusReportBase,
+  getActionsStatus,
+  sendStatusReport,
+  StatusReportBase,
+} from "./status-report";
 import * as util from "./util";

 const KEY_SIZE = 2048;
@@ -83,46 +93,111 @@ function generateCertificateAuthority(): CertificateAuthority {
  return { cert: pem, key };
 }

+interface StartProxyStatus extends StatusReportBase {
+  // A comma-separated list of registry types which are configured for CodeQL.
+  // This only includes registry types we support, not all that are configured.
+  registry_types: string;
+}
+
+async function sendSuccessStatusReport(
+  startedAt: Date,
+  config: Partial<Config>,
+  registry_types: string[],
+  logger: Logger,
+) {
+  const statusReportBase = await createStatusReportBase(
+    ActionName.StartProxy,
+    "success",
+    startedAt,
+    config,
+    await util.checkDiskUsage(logger),
+    logger,
+  );
+  if (statusReportBase !== undefined) {
+    const statusReport: StartProxyStatus = {
+      ...statusReportBase,
+      registry_types: registry_types.join(","),
+    };
+    await sendStatusReport(statusReport);
+  }
+}
+
 async function runWrapper() {
+  const startedAt = new Date();
+
  // Make inputs accessible in the `post` step.
  actionsUtil.persistInputs();

  const logger = getActionsLogger();
+  let language: KnownLanguage | undefined;

-  // Setup logging for the proxy
-  const tempDir = actionsUtil.getTemporaryDirectory();
-  const proxyLogFilePath = path.resolve(tempDir, "proxy.log");
-  core.saveState("proxy-log-file", proxyLogFilePath);
+  try {
+    // Setup logging for the proxy
+    const tempDir = actionsUtil.getTemporaryDirectory();
+    const proxyLogFilePath = path.resolve(tempDir, "proxy.log");
+    core.saveState("proxy-log-file", proxyLogFilePath);

-  // Get the configuration options
-  const credentials = getCredentials(
-    logger,
-    actionsUtil.getOptionalInput("registry_secrets"),
-    actionsUtil.getOptionalInput("registries_credentials"),
-    actionsUtil.getOptionalInput("language"),
-  );
+    // Get the configuration options
+    const languageInput = actionsUtil.getOptionalInput("language");
+    language = languageInput ? parseLanguage(languageInput) : undefined;
+    const credentials = getCredentials(
+      logger,
+      actionsUtil.getOptionalInput("registry_secrets"),
+      actionsUtil.getOptionalInput("registries_credentials"),
+      language,
+    );

-  if (credentials.length === 0) {
-    logger.info("No credentials found, skipping proxy setup.");
-    return;
+    if (credentials.length === 0) {
+      logger.info("No credentials found, skipping proxy setup.");
+      return;
+    }
+
+    logger.info(
+      `Credentials loaded for the following registries:\n ${credentials
+        .map((c) => credentialToStr(c))
+        .join("\n")}`,
+    );
+
+    const ca = generateCertificateAuthority();
+
+    const proxyConfig: ProxyConfig = {
+      all_credentials: credentials,
+      ca,
+    };
+
+    // Start the Proxy
+    const proxyBin = await getProxyBinaryPath(logger);
+    await startProxy(proxyBin, proxyConfig, proxyLogFilePath, logger);
+
+    // Report success if we have reached this point.
+    await sendSuccessStatusReport(
+      startedAt,
+      {
+        languages: language && [language],
+      },
+      proxyConfig.all_credentials.map((c) => c.type),
+      logger,
+    );
+  } catch (unwrappedError) {
+    const error = util.wrapError(unwrappedError);
+    core.setFailed(`start-proxy action failed: ${error.message}`);
+
+    // We skip sending the error message and stack trace here to avoid the possibility
+    // of leaking any sensitive information into the telemetry.
+    const errorStatusReportBase = await createStatusReportBase(
+      ActionName.StartProxy,
+      getActionsStatus(error),
+      startedAt,
+      {
+        languages: language && [language],
+      },
+      await util.checkDiskUsage(logger),
+      logger,
+    );
+    if (errorStatusReportBase !== undefined) {
+      await sendStatusReport(errorStatusReportBase);
+    }
  }
-
-  logger.info(
-    `Credentials loaded for the following registries:\n ${credentials
-      .map((c) => credentialToStr(c))
-      .join("\n")}`,
-  );
-
-  const ca = generateCertificateAuthority();
-
-  const proxyConfig: ProxyConfig = {
-    all_credentials: credentials,
-    ca,
-  };
-
-  // Start the Proxy
-  const proxyBin = await getProxyBinaryPath(logger);
-  await startProxy(proxyBin, proxyConfig, proxyLogFilePath, logger);
 }

 async function startProxy(
@@ -133,57 +208,53 @@ async function startProxy(
 ) {
  const host = "127.0.0.1";
  let port = 49152;
-  try {
-    let subprocess: ChildProcess | undefined = undefined;
-    let tries = 5;
-    let subprocessError: Error | undefined = undefined;
-    while (tries-- > 0 && !subprocess && !subprocessError) {
-      subprocess = spawn(
-        binPath,
-        ["-addr", `${host}:${port}`, "-config", "-", "-logfile", logFilePath],
-        {
-          detached: true,
-          stdio: ["pipe", "ignore", "ignore"],
-        },
-      );
-      subprocess.unref();
-      if (subprocess.pid) {
-        core.saveState("proxy-process-pid", `${subprocess.pid}`);
+  let subprocess: ChildProcess | undefined = undefined;
+  let tries = 5;
+  let subprocessError: Error | undefined = undefined;
+  while (tries-- > 0 && !subprocess && !subprocessError) {
+    subprocess = spawn(
+      binPath,
+      ["-addr", `${host}:${port}`, "-config", "-", "-logfile", logFilePath],
+      {
+        detached: true,
+        stdio: ["pipe", "ignore", "ignore"],
+      },
+    );
+    subprocess.unref();
+    if (subprocess.pid) {
+      core.saveState("proxy-process-pid", `${subprocess.pid}`);
+    }
+    subprocess.on("error", (error) => {
+      subprocessError = error;
+    });
+    subprocess.on("exit", (code) => {
+      if (code !== 0) {
+        // If the proxy failed to start, try a different port from the ephemeral range [49152, 65535]
+        port = Math.floor(Math.random() * (65535 - 49152) + 49152);
+        subprocess = undefined;
      }
-      subprocess.on("error", (error) => {
-        subprocessError = error;
-      });
-      subprocess.on("exit", (code) => {
-        if (code !== 0) {
-          // If the proxy failed to start, try a different port from the ephemeral range [49152, 65535]
-          port = Math.floor(Math.random() * (65535 - 49152) + 49152);
-          subprocess = undefined;
-        }
-      });
-      subprocess.stdin?.write(JSON.stringify(config));
-      subprocess.stdin?.end();
-      // Wait a little to allow the proxy to start
-      await util.delay(1000);
-    }
-    if (subprocessError) {
-      // eslint-disable-next-line @typescript-eslint/only-throw-error
-      throw subprocessError;
-    }
-    logger.info(`Proxy started on ${host}:${port}`);
-    core.setOutput("proxy_host", host);
-    core.setOutput("proxy_port", port.toString());
-    core.setOutput("proxy_ca_certificate", config.ca.cert);
-
-    const registry_urls = config.all_credentials
-      .filter((credential) => credential.url !== undefined)
-      .map((credential) => ({
-        type: credential.type,
-        url: credential.url,
-      }));
-    core.setOutput("proxy_urls", JSON.stringify(registry_urls));
-  } catch (error) {
-    core.setFailed(`start-proxy action failed: ${util.getErrorMessage(error)}`);
+    });
+    subprocess.stdin?.write(JSON.stringify(config));
+    subprocess.stdin?.end();
+    // Wait a little to allow the proxy to start
+    await util.delay(1000);
  }
+  if (subprocessError) {
+    // eslint-disable-next-line @typescript-eslint/only-throw-error
+    throw subprocessError;
+  }
+  logger.info(`Proxy started on ${host}:${port}`);
+  core.setOutput("proxy_host", host);
+  core.setOutput("proxy_port", port.toString());
+  core.setOutput("proxy_ca_certificate", config.ca.cert);
+
+  const registry_urls = config.all_credentials
+    .filter((credential) => credential.url !== undefined)
+    .map((credential) => ({
+      type: credential.type,
+      url: credential.url,
+    }));
+  core.setOutput("proxy_urls", JSON.stringify(registry_urls));
 }

 async function getProxyBinaryPath(logger: Logger): Promise<string> {
--- a/src/start-proxy.test.ts
+++ b/src/start-proxy.test.ts
@@ -109,7 +109,7 @@ test("getCredentials filters by language when specified", async (t) => {
    getRunnerLogger(true),
    undefined,
    toEncodedJSON(mixedCredentials),
-    "java",
+    KnownLanguage.java,
  );
  t.is(credentials.length, 1);
  t.is(credentials[0].type, "maven_repository");
@@ -120,7 +120,7 @@ test("getCredentials returns all for a language when specified", async (t) => {
    getRunnerLogger(true),
    undefined,
    toEncodedJSON(mixedCredentials),
-    "go",
+    KnownLanguage.go,
  );
  t.is(credentials.length, 2);

--- a/src/start-proxy.ts
+++ b/src/start-proxy.ts
@@ -79,9 +79,8 @@ export function getCredentials(
  logger: Logger,
  registrySecrets: string | undefined,
  registriesCredentials: string | undefined,
-  languageString: string | undefined,
+  language: KnownLanguage | undefined,
 ): Credential[] {
-  const language = languageString ? parseLanguage(languageString) : undefined;
  const registryTypeForLanguage = language
    ? LANGUAGE_TO_REGISTRY_TYPE[language]
    : undefined;
--- a/src/status-report.test.ts
+++ b/src/status-report.test.ts
@@ -92,6 +92,49 @@ test("createStatusReportBase", async (t) => {
  });
 });

+test("createStatusReportBase - empty configuration", async (t) => {
+  await withTmpDir(async (tmpDir: string) => {
+    setupEnvironmentAndStub(tmpDir);
+
+    const statusReport = await createStatusReportBase(
+      ActionName.StartProxy,
+      "success",
+      new Date("May 19, 2023 05:19:00"),
+      {},
+      { numAvailableBytes: 100, numTotalBytes: 500 },
+      getRunnerLogger(false),
+    );
+
+    if (t.truthy(statusReport)) {
+      t.is(statusReport.action_name, ActionName.StartProxy);
+      t.is(statusReport.status, "success");
+    }
+  });
+});
+
+test("createStatusReportBase - partial configuration", async (t) => {
+  await withTmpDir(async (tmpDir: string) => {
+    setupEnvironmentAndStub(tmpDir);
+
+    const statusReport = await createStatusReportBase(
+      ActionName.StartProxy,
+      "success",
+      new Date("May 19, 2023 05:19:00"),
+      {
+        languages: ["go"],
+      },
+      { numAvailableBytes: 100, numTotalBytes: 500 },
+      getRunnerLogger(false),
+    );
+
+    if (t.truthy(statusReport)) {
+      t.is(statusReport.action_name, ActionName.StartProxy);
+      t.is(statusReport.status, "success");
+      t.is(statusReport.languages, "go");
+    }
+  });
+});
+
 test("createStatusReportBase_firstParty", async (t) => {
  await withTmpDir(async (tmpDir: string) => {
    setupEnvironmentAndStub(tmpDir);
--- a/src/status-report.ts
+++ b/src/status-report.ts
@@ -36,11 +36,13 @@ import {
 } from "./util";

 export enum ActionName {
-  Autobuild = "autobuild",
  Analyze = "finish",
+  Autobuild = "autobuild",
  Init = "init",
  InitPost = "init-post",
  ResolveEnvironment = "resolve-environment",
+  SetupCodeQL = "setup-codeql",
+  StartProxy = "start-proxy",
  UploadSarif = "upload-sarif",
 }

@@ -259,7 +261,7 @@ export async function createStatusReportBase(
  actionName: ActionName,
  status: ActionStatus,
  actionStartedAt: Date,
-  config: Config | undefined,
+  config: Partial<Config> | undefined,
  diskInfo: DiskUsage | undefined,
  logger: Logger,
  cause?: string,
@@ -298,7 +300,7 @@ export async function createStatusReportBase(
      action_ref: actionRef,
      action_started_at: actionStartedAt.toISOString(),
      action_version: getActionVersion(),
-      analysis_kinds: config?.analysisKinds.join(","),
+      analysis_kinds: config?.analysisKinds?.join(","),
      analysis_key,
      build_mode: config?.buildMode,
      commit_oid: commitOid,
@@ -323,7 +325,7 @@ export async function createStatusReportBase(
    }

    if (config) {
-      statusReport.languages = config.languages.join(",");
+      statusReport.languages = config.languages?.join(",");
    }

    if (diskInfo) {
@@ -374,6 +376,12 @@ export async function createStatusReportBase(
    logger.warning(
      `Caught an exception while gathering information for telemetry: ${e}. Will skip sending status report.`,
    );
+
+    // Re-throw the exception in test mode. While testing, we want to know if something goes wrong here.
+    if (isInTestMode()) {
+      throw e;
+    }
+
    return undefined;
  }
 }
@@ -509,6 +517,16 @@ export interface InitWithConfigStatusReport extends InitStatusReport {
  config_file: string;
 }

+/** Fields of the init status report populated when the tools source is `download`. */
+export interface InitToolsDownloadFields {
+  /** Time taken to download the bundle, in milliseconds. */
+  tools_download_duration_ms?: number;
+  /**
+   * Whether the relevant tools dotcom feature flags have been misconfigured.
+   * Only populated if we attempt to determine the default version based on the dotcom feature flags. */
+  tools_feature_flags_valid?: boolean;
+}
+
 /**
 * Composes a `InitWithConfigStatusReport` from the given values.
 *
--- a/src/testing-utils.ts
+++ b/src/testing-utils.ts
@@ -2,7 +2,7 @@ import { TextDecoder } from "node:util";
 import path from "path";

 import * as github from "@actions/github";
-import { TestFn } from "ava";
+import { ExecutionContext, TestFn } from "ava";
 import nock from "nock";
 import * as sinon from "sinon";

@@ -180,6 +180,23 @@ export function getRecordingLogger(messages: LoggedMessage[]): Logger {
  };
 }

+export function checkExpectedLogMessages(
+  t: ExecutionContext<any>,
+  messages: LoggedMessage[],
+  expectedMessages: string[],
+) {
+  for (const expectedMessage of expectedMessages) {
+    t.assert(
+      messages.some(
+        (msg) =>
+          typeof msg.message === "string" &&
+          msg.message.includes(expectedMessage),
+      ),
+      `Expected '${expectedMessage}' in the logger output, but didn't find it in:\n ${messages.map((m) => ` - '${m.message}'`).join("\n")}`,
+    );
+  }
+}
+
 /** Mock the HTTP request to the feature flags enablement API endpoint. */
 export function mockFeatureFlagApiEndpoint(
  responseStatusCode: number,
--- a/src/upload-lib.test.ts
+++ b/src/upload-lib.test.ts
@@ -1,9 +1,14 @@
 import * as fs from "fs";
 import * as path from "path";

+import * as github from "@actions/github";
+import { HTTPError } from "@actions/tool-cache";
 import test from "ava";
+import * as sinon from "sinon";

-import { CodeQuality, CodeScanning } from "./analyses";
+import * as analyses from "./analyses";
+import { AnalysisKind, CodeQuality, CodeScanning } from "./analyses";
+import * as api from "./api-client";
 import { getRunnerLogger, Logger } from "./logging";
 import { setupTests } from "./testing-utils";
 import * as uploadLib from "./upload-lib";
@@ -127,27 +132,97 @@ test("finding SARIF files", async (t) => {
    fs.writeFileSync(path.join(tmpDir, "a.quality.sarif"), "");
    fs.writeFileSync(path.join(tmpDir, "dir1", "b.quality.sarif"), "");

+    const expectedSarifFiles = [
+      path.join(tmpDir, "a.sarif"),
+      path.join(tmpDir, "b.sarif"),
+      path.join(tmpDir, "dir1", "d.sarif"),
+      path.join(tmpDir, "dir1", "dir2", "e.sarif"),
+    ];
    const sarifFiles = uploadLib.findSarifFilesInDir(
      tmpDir,
      CodeScanning.sarifPredicate,
    );

-    t.deepEqual(sarifFiles, [
-      path.join(tmpDir, "a.sarif"),
-      path.join(tmpDir, "b.sarif"),
-      path.join(tmpDir, "dir1", "d.sarif"),
-      path.join(tmpDir, "dir1", "dir2", "e.sarif"),
-    ]);
+    t.deepEqual(sarifFiles, expectedSarifFiles);

+    const expectedQualitySarifFiles = [
+      path.join(tmpDir, "a.quality.sarif"),
+      path.join(tmpDir, "dir1", "b.quality.sarif"),
+    ];
    const qualitySarifFiles = uploadLib.findSarifFilesInDir(
      tmpDir,
      CodeQuality.sarifPredicate,
    );

-    t.deepEqual(qualitySarifFiles, [
-      path.join(tmpDir, "a.quality.sarif"),
-      path.join(tmpDir, "dir1", "b.quality.sarif"),
-    ]);
+    t.deepEqual(qualitySarifFiles, expectedQualitySarifFiles);
+
+    const groupedSarifFiles = await uploadLib.getGroupedSarifFilePaths(
+      getRunnerLogger(true),
+      tmpDir,
+    );
+
+    t.not(groupedSarifFiles, undefined);
+    t.not(groupedSarifFiles[AnalysisKind.CodeScanning], undefined);
+    t.not(groupedSarifFiles[AnalysisKind.CodeQuality], undefined);
+    t.deepEqual(
+      groupedSarifFiles[AnalysisKind.CodeScanning],
+      expectedSarifFiles,
+    );
+    t.deepEqual(
+      groupedSarifFiles[AnalysisKind.CodeQuality],
+      expectedQualitySarifFiles,
+    );
+  });
+});
+
+test("getGroupedSarifFilePaths - Code Quality file", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    const sarifPath = path.join(tmpDir, "a.quality.sarif");
+    fs.writeFileSync(sarifPath, "");
+
+    const groupedSarifFiles = await uploadLib.getGroupedSarifFilePaths(
+      getRunnerLogger(true),
+      sarifPath,
+    );
+
+    t.not(groupedSarifFiles, undefined);
+    t.is(groupedSarifFiles[AnalysisKind.CodeScanning], undefined);
+    t.not(groupedSarifFiles[AnalysisKind.CodeQuality], undefined);
+    t.deepEqual(groupedSarifFiles[AnalysisKind.CodeQuality], [sarifPath]);
+  });
+});
+
+test("getGroupedSarifFilePaths - Code Scanning file", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    const sarifPath = path.join(tmpDir, "a.sarif");
+    fs.writeFileSync(sarifPath, "");
+
+    const groupedSarifFiles = await uploadLib.getGroupedSarifFilePaths(
+      getRunnerLogger(true),
+      sarifPath,
+    );
+
+    t.not(groupedSarifFiles, undefined);
+    t.not(groupedSarifFiles[AnalysisKind.CodeScanning], undefined);
+    t.is(groupedSarifFiles[AnalysisKind.CodeQuality], undefined);
+    t.deepEqual(groupedSarifFiles[AnalysisKind.CodeScanning], [sarifPath]);
+  });
+});
+
+test("getGroupedSarifFilePaths - Other file", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    const sarifPath = path.join(tmpDir, "a.json");
+    fs.writeFileSync(sarifPath, "");
+
+    const groupedSarifFiles = await uploadLib.getGroupedSarifFilePaths(
+      getRunnerLogger(true),
+      sarifPath,
+    );
+
+    t.not(groupedSarifFiles, undefined);
+    t.not(groupedSarifFiles[AnalysisKind.CodeScanning], undefined);
+    t.is(groupedSarifFiles[AnalysisKind.CodeQuality], undefined);
+    t.deepEqual(groupedSarifFiles[AnalysisKind.CodeScanning], [sarifPath]);
  });
 });

@@ -797,3 +872,91 @@ function createMockSarif(id?: string, tool?: string) {
    ],
  };
 }
+
+function uploadPayloadFixtures(analysis: analyses.AnalysisConfig) {
+  const mockData = {
+    payload: { sarif: "base64data", commit_sha: "abc123" },
+    owner: "test-owner",
+    repo: "test-repo",
+    response: {
+      status: 200,
+      data: { id: "uploaded-sarif-id" },
+      headers: {},
+      url: analysis.target,
+    },
+  };
+  const client = github.getOctokit("123");
+  sinon.stub(api, "getApiClient").value(() => client);
+  const requestStub = sinon.stub(client, "request");
+
+  const upload = async () =>
+    uploadLib.uploadPayload(
+      mockData.payload,
+      {
+        owner: mockData.owner,
+        repo: mockData.repo,
+      },
+      getRunnerLogger(true),
+      analysis,
+    );
+
+  return {
+    upload,
+    requestStub,
+    mockData,
+  };
+}
+
+for (const analysis of [CodeScanning, CodeQuality]) {
+  test(`uploadPayload on ${analysis.name} uploads successfully`, async (t) => {
+    const { upload, requestStub, mockData } = uploadPayloadFixtures(analysis);
+    requestStub
+      .withArgs(analysis.target, {
+        owner: mockData.owner,
+        repo: mockData.repo,
+        data: mockData.payload,
+      })
+      .onFirstCall()
+      .returns(Promise.resolve(mockData.response));
+    const result = await upload();
+    t.is(result, mockData.response.data.id);
+    t.true(requestStub.calledOnce);
+  });
+
+  for (const envVar of [
+    "CODEQL_ACTION_SKIP_SARIF_UPLOAD",
+    "CODEQL_ACTION_TEST_MODE",
+  ]) {
+    test(`uploadPayload on ${analysis.name} skips upload when ${envVar} is set`, async (t) => {
+      const { upload, requestStub, mockData } = uploadPayloadFixtures(analysis);
+      await withTmpDir(async (tmpDir) => {
+        process.env.RUNNER_TEMP = tmpDir;
+        process.env[envVar] = "true";
+        const result = await upload();
+        t.is(result, "dummy-sarif-id");
+        t.false(requestStub.called);
+
+        const payloadFile = path.join(tmpDir, `payload-${analysis.kind}.json`);
+        t.true(fs.existsSync(payloadFile));
+
+        const savedPayload = JSON.parse(fs.readFileSync(payloadFile, "utf8"));
+        t.deepEqual(savedPayload, mockData.payload);
+      });
+    });
+  }
+
+  test(`uploadPayload on ${analysis.name} wraps request errors using wrapApiConfigurationError`, async (t) => {
+    const { upload, requestStub } = uploadPayloadFixtures(analysis);
+    const wrapApiConfigurationErrorStub = sinon.stub(
+      api,
+      "wrapApiConfigurationError",
+    );
+    const originalError = new HTTPError(404);
+    const wrappedError = new Error("Wrapped error message");
+    requestStub.rejects(originalError);
+    wrapApiConfigurationErrorStub.withArgs(originalError).returns(wrappedError);
+    await t.throwsAsync(upload, {
+      is: wrappedError,
+    });
+  });
+}
--- a/src/upload-lib.ts
+++ b/src/upload-lib.ts
@@ -262,6 +262,7 @@ async function combineSarifFilesUsingCLI(
      tempDir,
      gitHubVersion.type,
      codeQLDefaultVersionInfo,
+      features,
      logger,
    );

@@ -346,34 +347,36 @@ function getAutomationID(
  return api.computeAutomationID(analysis_key, environment);
 }

-// Upload the given payload.
-// If the request fails then this will retry a small number of times.
-async function uploadPayload(
+/**
+ * Upload the given payload.
+ * If the request fails then this will retry a small number of times.
+ * This is exported for testing purposes only.
+ */
+export async function uploadPayload(
  payload: any,
  repositoryNwo: RepositoryNwo,
  logger: Logger,
-  target: analyses.SARIF_UPLOAD_ENDPOINT,
+  analysis: analyses.AnalysisConfig,
 ): Promise<string> {
  logger.info("Uploading results");

-  // If in test mode we don't want to upload the results
-  if (util.isInTestMode()) {
+  if (util.shouldSkipSarifUpload()) {
    const payloadSaveFile = path.join(
      actionsUtil.getTemporaryDirectory(),
-      "payload.json",
+      `payload-${analysis.kind}.json`,
    );
    logger.info(
-      `In test mode. Results are not uploaded. Saving to ${payloadSaveFile}`,
+      `SARIF upload disabled by an environment variable. Saving to ${payloadSaveFile}`,
    );
    logger.info(`Payload: ${JSON.stringify(payload, null, 2)}`);
    fs.writeFileSync(payloadSaveFile, JSON.stringify(payload, null, 2));
-    return "test-mode-sarif-id";
+    return "dummy-sarif-id";
  }

  const client = api.getApiClient();

  try {
-    const response = await client.request(target, {
+    const response = await client.request(analysis.target, {
      owner: repositoryNwo.owner,
      repo: repositoryNwo.repo,
      data: payload,
@@ -459,6 +462,79 @@ export function getSarifFilePaths(
  return sarifFiles;
 }

+type GroupedSarifFiles = Partial<Record<analyses.AnalysisKind, string[]>>;
+
+/**
+ * Finds SARIF files in `sarifPath`, and groups them by analysis kind, following `SarifScanOrder`.
+ *
+ * @param logger The logger to use.
+ * @param sarifPath The path of a file or directory to recursively scan for SARIF files.
+ * @returns The `.sarif` files found in `sarifPath`, grouped by analysis kind.
+ */
+export async function getGroupedSarifFilePaths(
+  logger: Logger,
+  sarifPath: string,
+): Promise<GroupedSarifFiles> {
+  const stats = fs.statSync(sarifPath, { throwIfNoEntry: false });
+
+  if (stats === undefined) {
+    // This is always a configuration error, even for first-party runs.
+    throw new ConfigurationError(`Path does not exist: ${sarifPath}`);
+  }
+
+  const results: GroupedSarifFiles = {};
+
+  if (stats.isDirectory()) {
+    let unassignedSarifFiles = findSarifFilesInDir(
+      sarifPath,
+      (name) => path.extname(name) === ".sarif",
+    );
+    logger.debug(
+      `Found the following .sarif files in ${sarifPath}: ${unassignedSarifFiles.join(", ")}`,
+    );
+
+    for (const analysisConfig of analyses.SarifScanOrder) {
+      const filesForCurrentAnalysis = unassignedSarifFiles.filter(
+        analysisConfig.sarifPredicate,
+      );
+      if (filesForCurrentAnalysis.length > 0) {
+        logger.debug(
+          `The following SARIF files are for ${analysisConfig.name}: ${filesForCurrentAnalysis.join(", ")}`,
+        );
+        // Looping through the array a second time is not efficient, but more readable.
+        // Change this to one loop for both calls to `filter` if this becomes a bottleneck.
+        unassignedSarifFiles = unassignedSarifFiles.filter(
+          (name) => !analysisConfig.sarifPredicate(name),
+        );
+        results[analysisConfig.kind] = filesForCurrentAnalysis;
+      } else {
+        logger.debug(`Found no SARIF files for ${analysisConfig.name}`);
+      }
+    }
+
+    if (unassignedSarifFiles.length !== 0) {
+      logger.warning(
+        `Found files in ${sarifPath} which do not belong to any analysis: ${unassignedSarifFiles.join(", ")}`,
+      );
+    }
+  } else {
+    for (const analysisConfig of analyses.SarifScanOrder) {
+      if (
+        analysisConfig.kind === analyses.AnalysisKind.CodeScanning ||
+        analysisConfig.sarifPredicate(sarifPath)
+      ) {
+        logger.debug(
+          `Using '${sarifPath}' as a SARIF file for ${analysisConfig.name}.`,
+        );
+        results[analysisConfig.kind] = [sarifPath];
+        break;
+      }
+    }
+  }
+
+  return results;
+}
+
 // Counts the number of results in the given SARIF file
 function countResultsInSarif(sarif: string): number {
  let numResults = 0;
@@ -655,6 +731,7 @@ export async function uploadSpecifiedFiles(
  const gitHubVersion = await getGitHubVersion();

  let sarif: SarifFile;
+  category = uploadTarget.fixCategory(logger, category);

  if (sarifPaths.length > 1) {
    // Validate that the files we were asked to upload are all valid SARIF files
@@ -733,7 +810,7 @@ export async function uploadSpecifiedFiles(
    payload,
    getRepositoryNwo(),
    logger,
-    uploadTarget.target,
+    uploadTarget,
  );

  logger.endGroup();
--- a/src/upload-sarif-action.ts
+++ b/src/upload-sarif-action.ts
@@ -23,7 +23,7 @@ import {
  checkDiskUsage,
  getErrorMessage,
  initializeEnvironment,
-  isInTestMode,
+  shouldSkipSarifUpload,
  wrapError,
 } from "./util";

@@ -113,8 +113,10 @@ async function run() {
    core.setOutput("sarif-ids", JSON.stringify(uploadResults));

    // We don't upload results in test mode, so don't wait for processing
-    if (isInTestMode()) {
-      core.debug("In test mode. Waiting for processing is disabled.");
+    if (shouldSkipSarifUpload()) {
+      core.debug(
+        "SARIF upload disabled by an environment variable. Waiting for processing is disabled.",
+      );
    } else if (actionsUtil.getRequiredInput("wait-for-processing") === "true") {
      if (codeScanningResult !== undefined) {
        await upload_lib.waitForProcessing(
--- a/src/upload-sarif.test.ts
+++ b/src/upload-sarif.test.ts
@@ -4,87 +4,16 @@ import * as path from "path";
 import test, { ExecutionContext } from "ava";
 import * as sinon from "sinon";

-import {
-  AnalysisConfig,
-  AnalysisKind,
-  CodeQuality,
-  CodeScanning,
-} from "./analyses";
+import { AnalysisKind, getAnalysisConfig } from "./analyses";
 import { getRunnerLogger } from "./logging";
 import { createFeatures, setupTests } from "./testing-utils";
 import { UploadResult } from "./upload-lib";
 import * as uploadLib from "./upload-lib";
-import { findAndUpload, uploadSarif } from "./upload-sarif";
+import { uploadSarif } from "./upload-sarif";
 import * as util from "./util";

 setupTests(test);

-const findAndUploadMacro = test.macro({
-  exec: async (
-    t: ExecutionContext<unknown>,
-    sarifFiles: string[],
-    analysis: AnalysisConfig,
-    sarifPath: (tempDir: string) => string = (tempDir) => tempDir,
-    expectedResult: UploadResult | undefined,
-  ) => {
-    await util.withTmpDir(async (tempDir) => {
-      sinon.stub(uploadLib, "uploadSpecifiedFiles").resolves(expectedResult);
-      const logger = getRunnerLogger(true);
-      const features = createFeatures([]);
-
-      for (const sarifFile of sarifFiles) {
-        fs.writeFileSync(path.join(tempDir, sarifFile), "");
-      }
-
-      const stats = fs.statSync(sarifPath(tempDir));
-      const actual = await findAndUpload(
-        logger,
-        features,
-        sarifPath(tempDir),
-        stats,
-        "",
-        analysis,
-      );
-
-      t.deepEqual(actual, expectedResult);
-    });
-  },
-  title: (providedTitle = "") => `findAndUpload - ${providedTitle}`,
-});
-
-test(
-  "no matching files",
-  findAndUploadMacro,
-  ["test.json"],
-  CodeScanning,
-  undefined,
-  undefined,
-);
-
-test(
-  "matching files for Code Scanning with directory path",
-  findAndUploadMacro,
-  ["test.sarif"],
-  CodeScanning,
-  undefined,
-  {
-    statusReport: {},
-    sarifID: "some-id",
-  },
-);
-
-test(
-  "matching files for Code Scanning with file path",
-  findAndUploadMacro,
-  ["test.sarif"],
-  CodeScanning,
-  (tempDir) => path.join(tempDir, "test.sarif"),
-  {
-    statusReport: {},
-    sarifID: "some-id",
-  },
-);
-
 interface UploadSarifExpectedResult {
  uploadResult?: UploadResult;
  expectedFiles?: string[];
@@ -117,9 +46,7 @@ const uploadSarifMacro = test.macro({
            sinon.match.any,
            features,
            logger,
-            analysisKind === AnalysisKind.CodeScanning
-              ? CodeScanning
-              : CodeQuality,
+            getAnalysisConfig(analysisKind),
          )
          .resolves(expectedResult[analysisKind as AnalysisKind]?.uploadResult);
      }
@@ -146,9 +73,7 @@ const uploadSarifMacro = test.macro({
              sinon.match.any,
              features,
              logger,
-              analysisKind === AnalysisKind.CodeScanning
-                ? CodeScanning
-                : CodeQuality,
+              getAnalysisConfig(analysisKind),
            ),
          );
        } else {
@@ -164,9 +89,7 @@ const uploadSarifMacro = test.macro({
              sinon.match.any,
              features,
              logger,
-              analysisKind === AnalysisKind.CodeScanning
-                ? CodeScanning
-                : CodeQuality,
+              getAnalysisConfig(analysisKind),
            ),
            `uploadSpecifiedFiles was called for ${analysisKind}, but should not have been.`,
          );
--- a/src/upload-sarif.ts
+++ b/src/upload-sarif.ts
@@ -1,65 +1,8 @@
-import * as fs from "fs";
-
-import * as actionsUtil from "./actions-util";
 import * as analyses from "./analyses";
 import { FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
 import * as upload_lib from "./upload-lib";
-import { ConfigurationError } from "./util";
-
-/**
- * Searches for SARIF files for the given `analysis` in the given `sarifPath`.
- * If any are found, then they are uploaded to the appropriate endpoint for the given `analysis`.
- *
- * @param logger The logger to use.
- * @param features Information about FFs.
- * @param sarifPath The path to a SARIF file or directory containing SARIF files.
- * @param pathStats Information about `sarifPath`.
- * @param checkoutPath The checkout path.
- * @param analysis The configuration of the analysis we should upload SARIF files for.
- * @param category The SARIF category to use for the upload.
- * @returns The result of uploading the SARIF file(s) or `undefined` if there are none.
- */
-export async function findAndUpload(
-  logger: Logger,
-  features: FeatureEnablement,
-  sarifPath: string,
-  pathStats: fs.Stats,
-  checkoutPath: string,
-  analysis: analyses.AnalysisConfig,
-  category?: string,
-): Promise<upload_lib.UploadResult | undefined> {
-  let sarifFiles: string[] | undefined;
-
-  if (pathStats.isDirectory()) {
-    sarifFiles = upload_lib.findSarifFilesInDir(
-      sarifPath,
-      analysis.sarifPredicate,
-    );
-  } else if (
-    pathStats.isFile() &&
-    (analysis.sarifPredicate(sarifPath) ||
-      (analysis.kind === analyses.AnalysisKind.CodeScanning &&
-        !analyses.CodeQuality.sarifPredicate(sarifPath)))
-  ) {
-    sarifFiles = [sarifPath];
-  } else {
-    return undefined;
-  }
-
-  if (sarifFiles.length !== 0) {
-    return await upload_lib.uploadSpecifiedFiles(
-      sarifFiles,
-      checkoutPath,
-      category,
-      features,
-      logger,
-      analysis,
-    );
-  }
-
-  return undefined;
-}
+import { unsafeEntriesInvariant } from "./util";

 // Maps analysis kinds to SARIF IDs.
 export type UploadSarifResults = Partial<
@@ -84,38 +27,24 @@ export async function uploadSarif(
  sarifPath: string,
  category?: string,
 ): Promise<UploadSarifResults> {
-  const pathStats = fs.lstatSync(sarifPath, { throwIfNoEntry: false });
-
-  if (pathStats === undefined) {
-    throw new ConfigurationError(`Path does not exist: ${sarifPath}.`);
-  }
+  const sarifGroups = await upload_lib.getGroupedSarifFilePaths(
+    logger,
+    sarifPath,
+  );

  const uploadResults: UploadSarifResults = {};
-  const uploadResult = await findAndUpload(
-    logger,
-    features,
-    sarifPath,
-    pathStats,
-    checkoutPath,
-    analyses.CodeScanning,
-    category,
-  );
-  if (uploadResult !== undefined) {
-    uploadResults[analyses.AnalysisKind.CodeScanning] = uploadResult;
-  }
-
-  // If there are `.quality.sarif` files in `sarifPath`, then upload those to the code quality service.
-  const qualityUploadResult = await findAndUpload(
-    logger,
-    features,
-    sarifPath,
-    pathStats,
-    checkoutPath,
-    analyses.CodeQuality,
-    actionsUtil.fixCodeQualityCategory(logger, category),
-  );
-  if (qualityUploadResult !== undefined) {
-    uploadResults[analyses.AnalysisKind.CodeQuality] = qualityUploadResult;
+  for (const [analysisKind, sarifFiles] of unsafeEntriesInvariant(
+    sarifGroups,
+  )) {
+    const analysisConfig = analyses.getAnalysisConfig(analysisKind);
+    uploadResults[analysisKind] = await upload_lib.uploadSpecifiedFiles(
+      sarifFiles,
+      checkoutPath,
+      category,
+      features,
+      logger,
+      analysisConfig,
+    );
  }

  return uploadResults;
--- a/Show More
+++ b/Show More