Merge pull request #3216 from github/backport-v3.30.9-16140ae1a

Merge releases/v4 into releases/v3

.github/actions/check-sarif/action.yml

@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: node24
+  using: node20
   main: index.js

.github/workflows/__analyze-ref-input.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -70,6 +80,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__bundle-from-toolcache.yml

@@ -67,10 +67,9 @@ jobs:
             if (allCodeqlVersions.length === 0) {
               throw new Error(`CodeQL could not be found in the toolcache`);
             }
-      - id: init
-        uses: ./../action/init
+      - id: setup-codeql
+        uses: ./../action/setup-codeql
         with:
-          languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Check CodeQL is installed within the toolcache
         uses: actions/github-script@v8

.github/workflows/__local-bundle.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -70,6 +80,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Fetch latest CodeQL bundle
         run: |
           wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst

.github/workflows/__multi-language-autodetect.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -104,6 +114,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -81,6 +91,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__remote-config.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -72,6 +82,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__unset-environment.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -72,6 +82,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__upload-ref-sha-input.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -70,6 +80,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__upload-sarif.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -77,6 +87,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__with-checkout-path.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -70,6 +80,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Delete original checkout
         run: |
           # delete the original checkout so we don't accidentally use it.

CHANGELOG.md

@@ -2,18 +2,19 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## [UNRELEASED]
+## 3.30.9 - 17 Oct 2025
+
+- Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
+- Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
+
+## 3.30.8 - 10 Oct 2025
 
 No user facing changes.
 
-## 4.30.8 - 10 Oct 2025
+## 3.30.7 - 06 Oct 2025
 
 No user facing changes.
 
-## 4.30.7 - 06 Oct 2025
-
-- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
-
 ## 3.30.6 - 02 Oct 2025
 
 - Update default CodeQL bundle version to 2.23.2. [#3168](https://github.com/github/codeql-action/pull/3168)
@@ -248,17 +249,13 @@ No user facing changes.
 ## 3.26.12 - 07 Oct 2024
 
 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)
-
   - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
-
   - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
 
 ## 3.26.11 - 03 Oct 2024
 
 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.
-
   Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
-
   This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
 - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)
 
@@ -381,12 +378,9 @@ No user facing changes.
 ## 3.25.0 - 15 Apr 2024
 
 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224)
-
   As a result, the following inputs and environment variables are now ignored:
-
   - The `setup-python-dependencies` input to the `init` Action
   - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable
-
   We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0.
 - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229)
 - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232)

README.md

@@ -34,6 +34,7 @@ Actions with special purposes and unlikely to be used directly:
 - `autobuild`: Attempts to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead. For information about input parameters, see the [autobuild action definition](https://github.com/github/codeql-action/blob/main/autobuild/action.yml).
 - `resolve-environment`: [Experimental] Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the [resolve-environment action definition](https://github.com/github/codeql-action/blob/main/resolve-environment/action.yml).
 - `start-proxy`: [Experimental] Start the HTTP proxy server. Internal use only and will change without notice. For information about input parameters, see the [start-proxy action definition](https://github.com/github/codeql-action/blob/main/start-proxy/action.yml).
+- `setup-codeql`: [Experimental] Similar to `init`, except it only installs the CodeQL CLI and does not initialize a database.
 
 ### Workflow Permissions
 

analyze/action.yml

@@ -92,6 +92,6 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: node24
+  using: node20
   main: "../lib/analyze-action.js"
   post: "../lib/analyze-action-post.js"

autobuild/action.yml

@@ -15,5 +15,5 @@ inputs:
       $GITHUB_WORKSPACE as its working directory.
     required: false
 runs:
-  using: node24
+  using: node20
   main: '../lib/autobuild-action.js'

init/action.yml

@@ -165,6 +165,6 @@ outputs:
   codeql-version:
     description: The version of the CodeQL binary used for analysis
 runs:
-  using: node24
+  using: node20
   main: '../lib/init-action.js'
   post: '../lib/init-action-post.js'

lib/analyze-action-post.js

@@ -26460,7 +26460,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.30.9",
+      version: "3.30.9",
       private: true,
       description: "CodeQL action",
       scripts: {

lib/analyze-action.js

@@ -32309,7 +32309,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.30.9",
+      version: "3.30.9",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -90704,8 +90704,8 @@ var path8 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var crypto = __toESM(require("crypto"));

lib/autobuild-action.js

@@ -26460,7 +26460,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.30.9",
+      version: "3.30.9",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -78318,8 +78318,8 @@ var path3 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var fs2 = __toESM(require("fs"));

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.2",
-  "cliVersion": "2.23.2",
-  "priorBundleVersion": "codeql-bundle-v2.23.1",
-  "priorCliVersion": "2.23.1"
+  "bundleVersion": "codeql-bundle-v2.23.3",
+  "cliVersion": "2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorCliVersion": "2.23.2"
 }

lib/init-action-post.js

@@ -32309,7 +32309,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.30.9",
+      version: "3.30.9",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -128949,8 +128949,8 @@ var path8 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var fs6 = __toESM(require("fs"));
@@ -129786,6 +129786,9 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
   }
   return augmentedConfig;
 }
+function isCodeScanningEnabled(config) {
+  return config.analysisKinds.includes("code-scanning" /* CodeScanning */);
+}
 
 // src/setup-codeql.ts
 var fs12 = __toESM(require("fs"));
@@ -133750,6 +133753,11 @@ async function tryUploadSarifIfRunFailed(config, repositoryNwo, features, logger
       "CODEQL_ACTION_JOB_STATUS" /* JOB_STATUS */,
       process.env["CODEQL_ACTION_JOB_STATUS" /* JOB_STATUS */] ?? "JOB_STATUS_CONFIGURATION_ERROR" /* ConfigErrorStatus */
     );
+    if (!isCodeScanningEnabled(config)) {
+      return {
+        upload_failed_run_skipped_because: "Code Scanning is not enabled."
+      };
+    }
     try {
       return await maybeUploadFailedSarif(
         config,

lib/init-action.js

@@ -32309,7 +32309,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.30.9",
+      version: "3.30.9",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -86062,6 +86062,50 @@ function isAnalyzingPullRequest() {
   return getPullRequestBranches() !== void 0;
 }
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind3) => {
+  AnalysisKind3["CodeScanning"] = "code-scanning";
+  AnalysisKind3["CodeQuality"] = "code-quality";
+  return AnalysisKind3;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+async function parseAnalysisKinds(input) {
+  const components = input.split(",");
+  if (components.length < 1) {
+    throw new ConfigurationError(
+      "At least one analysis kind must be configured."
+    );
+  }
+  for (const component of components) {
+    if (!supportedAnalysisKinds.has(component)) {
+      throw new ConfigurationError(`Unknown analysis kind: ${component}`);
+    }
+  }
+  return Array.from(
+    new Set(components.map((component) => component))
+  );
+}
+var cachedAnalysisKinds;
+async function getAnalysisKinds(logger, skipCache = false) {
+  if (!skipCache && cachedAnalysisKinds !== void 0) {
+    return cachedAnalysisKinds;
+  }
+  cachedAnalysisKinds = await parseAnalysisKinds(
+    getRequiredInput("analysis-kinds")
+  );
+  const qualityQueriesInput = getOptionalInput("quality-queries");
+  if (qualityQueriesInput !== void 0) {
+    logger.warning(
+      "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. Use the `analysis-kinds` input to configure different analysis kinds instead."
+    );
+  }
+  if (!cachedAnalysisKinds.includes("code-quality" /* CodeQuality */) && qualityQueriesInput !== void 0) {
+    cachedAnalysisKinds.push("code-quality" /* CodeQuality */);
+  }
+  return cachedAnalysisKinds;
+}
+var codeQualityQueries = ["code-quality"];
+
 // src/api-client.ts
 var core5 = __toESM(require_core());
 var githubUtils = __toESM(require_utils4());
@@ -86254,31 +86298,6 @@ var fs9 = __toESM(require("fs"));
 var path11 = __toESM(require("path"));
 var import_perf_hooks = require("perf_hooks");
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-async function parseAnalysisKinds(input) {
-  const components = input.split(",");
-  if (components.length < 1) {
-    throw new ConfigurationError(
-      "At least one analysis kind must be configured."
-    );
-  }
-  for (const component of components) {
-    if (!supportedAnalysisKinds.has(component)) {
-      throw new ConfigurationError(`Unknown analysis kind: ${component}`);
-    }
-  }
-  return Array.from(
-    new Set(components.map((component) => component))
-  );
-}
-var codeQualityQueries = ["code-quality"];
-
 // src/config/db-config.ts
 var path7 = __toESM(require("path"));
 var semver2 = __toESM(require_semver2());
@@ -86589,8 +86608,8 @@ var path9 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var crypto = __toESM(require("crypto"));
@@ -87691,10 +87710,8 @@ async function getRawLanguages(languagesInput, repository, sourceRoot, logger) {
   };
 }
 async function initActionState({
-  analysisKindsInput,
   languagesInput,
   queriesInput,
-  qualityQueriesInput,
   packsInput,
   buildModeInput,
   dbLocation,
@@ -87710,12 +87727,9 @@ async function initActionState({
   githubVersion,
   features,
   repositoryProperties,
+  analysisKinds,
   logger
 }, userConfig) {
-  const analysisKinds = await parseAnalysisKinds(analysisKindsInput);
-  if (!analysisKinds.includes("code-quality" /* CodeQuality */) && qualityQueriesInput !== void 0) {
-    analysisKinds.push("code-quality" /* CodeQuality */);
-  }
   const languages = await getLanguages(
     codeql,
     languagesInput,
@@ -90683,6 +90697,19 @@ async function getWorkflowAbsolutePath(logger) {
 }
 
 // src/init-action.ts
+async function sendStartingStatusReport(startedAt, config, logger) {
+  const statusReportBase = await createStatusReportBase(
+    "init" /* Init */,
+    "starting",
+    startedAt,
+    config,
+    await checkDiskUsage(logger),
+    logger
+  );
+  if (statusReportBase !== void 0) {
+    await sendStatusReport(statusReportBase);
+  }
+}
 async function sendCompletedStatusReport(startedAt, config, configFile, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, overlayBaseDatabaseStats, dependencyCachingResults, logger, error2) {
   const statusReportBase = await createStatusReportBase(
     "init" /* Init */,
@@ -90773,16 +90800,19 @@ async function run() {
     getOptionalInput("source-root") || ""
   );
   try {
-    const statusReportBase = await createStatusReportBase(
-      "init" /* Init */,
-      "starting",
-      startedAt,
-      config,
-      await checkDiskUsage(logger),
-      logger
-    );
-    if (statusReportBase !== void 0) {
-      await sendStatusReport(statusReportBase);
+    let analysisKinds;
+    try {
+      analysisKinds = await getAnalysisKinds(logger);
+    } catch (err) {
+      logger.debug(
+        `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`
+      );
+    }
+    await sendStartingStatusReport(startedAt, { analysisKinds }, logger);
+    if (process.env["CODEQL_ACTION_SETUP_CODEQL_HAS_RUN" /* SETUP_CODEQL_ACTION_HAS_RUN */] === "true") {
+      throw new ConfigurationError(
+        `The 'init' action should not be run in the same workflow as 'setup-codeql'.`
+      );
     }
     const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
       gitHubVersion.type
@@ -90830,17 +90860,11 @@ async function run() {
         logger.info("Experimental Rust analysis enabled");
       }
     }
-    const qualityQueriesInput = getOptionalInput("quality-queries");
-    if (qualityQueriesInput !== void 0) {
-      logger.warning(
-        "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. Use the `analysis-kinds` input to configure different analysis kinds instead."
-      );
-    }
+    analysisKinds = await getAnalysisKinds(logger);
     config = await initConfig2({
-      analysisKindsInput: getRequiredInput("analysis-kinds"),
+      analysisKinds,
       languagesInput: getOptionalInput("languages"),
       queriesInput: getOptionalInput("queries"),
-      qualityQueriesInput,
       packsInput: getOptionalInput("packs"),
       buildModeInput: getOptionalInput("build-mode"),
       configFile,

lib/resolve-environment-action.js

@@ -26460,7 +26460,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.30.9",
+      version: "3.30.9",
       private: true,
       description: "CodeQL action",
       scripts: {

lib/start-proxy-action-post.js

@@ -26460,7 +26460,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.30.9",
+      version: "3.30.9",
       private: true,
       description: "CodeQL action",
       scripts: {

lib/start-proxy-action.js

@@ -44996,7 +44996,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.30.9",
+      version: "3.30.9",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -95060,8 +95060,8 @@ function getActionsLogger() {
 var core7 = __toESM(require_core());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";
 
 // src/languages.ts
 var KnownLanguage = /* @__PURE__ */ ((KnownLanguage2) => {

lib/upload-lib.js

@@ -33606,7 +33606,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.30.9",
+      version: "3.30.9",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -89065,8 +89065,8 @@ var path8 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var fs5 = __toESM(require("fs"));

lib/upload-sarif-action-post.js

@@ -26460,7 +26460,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.30.9",
+      version: "3.30.9",
       private: true,
       description: "CodeQL action",
       scripts: {

lib/upload-sarif-action.js

@@ -32309,7 +32309,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "4.30.9",
+      version: "3.30.9",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -88976,8 +88976,8 @@ var path8 = __toESM(require("path"));
 var semver3 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var fs5 = __toESM(require("fs"));

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.30.9",
+  "version": "3.30.9",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

pr-checks/checks/analyze-ref-input.yml

@@ -2,6 +2,7 @@ name: "Analyze: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/bundle-from-toolcache.yml

@@ -15,10 +15,9 @@ steps:
         if (allCodeqlVersions.length === 0) {
           throw new Error(`CodeQL could not be found in the toolcache`);
         }
-  - id: init
-    uses: ./../action/init
+  - id: setup-codeql
+    uses: ./../action/setup-codeql
     with:
-      languages: javascript
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Check CodeQL is installed within the toolcache
     uses: actions/github-script@v8

pr-checks/checks/local-bundle.yml

@@ -2,6 +2,7 @@ name: "Local CodeQL bundle"
 description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["linked"]
 installGo: true
+installPython: true
 steps:
   - name: Fetch latest CodeQL bundle
     run: |

pr-checks/checks/multi-language-autodetect.yml

@@ -4,6 +4,7 @@ operatingSystems: ["macos", "ubuntu"]
 env:
   CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
+installPython: true
 steps:
   - name: Use Xcode 16
     if: runner.os == 'macOS' && matrix.version != 'nightly-latest'

pr-checks/checks/packaging-codescanning-config-inputs-js.yml

@@ -3,6 +3,7 @@ description: "Checks that specifying packages using a combination of a config fi
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/remote-config.yml

@@ -6,6 +6,7 @@ versions:
   - linked
   - nightly-latest
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/unset-environment.yml

@@ -6,6 +6,7 @@ versions:
   - linked
   - nightly-latest
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     id: init

pr-checks/checks/upload-ref-sha-input.yml

@@ -2,6 +2,7 @@ name: "Upload-sarif: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/upload-sarif.yml

@@ -3,6 +3,7 @@ description: "Checks that uploading SARIFs to the code quality endpoint works"
 versions: ["default"]
 analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/with-checkout-path.yml

@@ -2,6 +2,7 @@ name: "Use a custom `checkout_path`"
 description: "Checks that a custom `checkout_path` will find the proper commit_oid"
 versions: ["linked"]
 installGo: true
+installPython: true
 steps:
   # This ensures we don't accidentally use the original checkout for any part of the test.
   - name: Delete original checkout

pr-checks/sync.py

@@ -184,6 +184,26 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
             }
         })
 
+    installPython = is_truthy(checkSpecification.get('installPython', ''))
+
+    if installPython:
+        basePythonVersionExpr = '3.13'
+        workflowInputs['python-version'] = {
+            'type': 'string',
+            'description': 'The version of Python to install',
+            'required': False,
+            'default': basePythonVersionExpr,
+        }
+
+        steps.append({
+            'name': 'Install Python',
+            'if': 'matrix.version != \'nightly-latest\'',
+            'uses': 'actions/setup-python@v6',
+            'with': {
+                'python-version': '${{ inputs.python-version || \'' + basePythonVersionExpr + '\' }}'
+            }
+        })
+
     # If container initialisation steps are present in the check specification,
     # make sure to execute them first.
     if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:

resolve-environment/action.yml

@@ -21,5 +21,5 @@ outputs:
   environment:
     description: The inferred build environment configuration.
 runs:
-  using: node24
+  using: node20
   main: '../lib/resolve-environment-action.js'

setup-codeql/action.yml

@@ -0,0 +1,39 @@
+name: 'CodeQL: Setup'
+description: 'Installs the CodeQL CLI'
+author: 'GitHub'
+inputs:
+  tools:
+    description: >-
+      By default, the Action will use the recommended version of the CodeQL
+      Bundle to analyze your project. You can override this choice using this
+      input. One of:
+
+      - A local path to a CodeQL Bundle tarball, or
+      - The URL of a CodeQL Bundle tarball GitHub release asset, or
+      - A special value `linked` which uses the version of the CodeQL tools
+        that the Action has been bundled with.
+      - A special value `nightly` which uses the latest nightly version of the
+        CodeQL tools. Note that this is unstable and not recommended for
+        production use.
+
+      If not specified, the Action will check in several places until it finds
+      the CodeQL tools.
+    required: false
+  token:
+    description: GitHub token to use for authenticating with this instance of GitHub.
+    default: ${{ github.token }}
+    required: false
+  matrix:
+    default: ${{ toJson(matrix) }}
+    required: false
+  external-repository-token:
+    description: A token for fetching additional files from private repositories in the same GitHub instance that is running this action.
+    required: false
+outputs:
+  codeql-path:
+    description: The path of the CodeQL binary that was installed.
+  codeql-version:
+    description: The version of the CodeQL binary that was installed.
+runs:
+  using: node20
+  main: '../lib/setup-codeql-action.js'

src/analyses.test.ts

@@ -1,12 +1,19 @@
 import test from "ava";
+import * as sinon from "sinon";
 
+import * as actionsUtil from "./actions-util";
 import {
   AnalysisKind,
+  getAnalysisKinds,
   parseAnalysisKinds,
   supportedAnalysisKinds,
 } from "./analyses";
+import { getRunnerLogger } from "./logging";
+import { setupTests } from "./testing-utils";
 import { ConfigurationError } from "./util";
 
+setupTests(test);
+
 test("All known analysis kinds can be parsed successfully", async (t) => {
   for (const analysisKind of supportedAnalysisKinds) {
     t.deepEqual(await parseAnalysisKinds(analysisKind), [analysisKind]);
@@ -34,3 +41,29 @@ test("Parsing analysis kinds requires at least one analysis kind", async (t) =>
     instanceOf: ConfigurationError,
   });
 });
+
+test("getAnalysisKinds - returns expected analysis kinds for `analysis-kinds` input", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub
+    .withArgs("analysis-kinds")
+    .returns("code-scanning,code-quality");
+  const result = await getAnalysisKinds(getRunnerLogger(true), true);
+  t.assert(result.includes(AnalysisKind.CodeScanning));
+  t.assert(result.includes(AnalysisKind.CodeQuality));
+});
+
+test("getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub.withArgs("analysis-kinds").returns("code-scanning");
+  const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
+  optionalInputStub.withArgs("quality-queries").returns("code-quality");
+  const result = await getAnalysisKinds(getRunnerLogger(true), true);
+  t.assert(result.includes(AnalysisKind.CodeScanning));
+  t.assert(result.includes(AnalysisKind.CodeQuality));
+});
+
+test("getAnalysisKinds - throws if `analysis-kinds` input is invalid", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub.withArgs("analysis-kinds").returns("no-such-thing");
+  await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true));
+});

src/analyses.ts

@@ -1,4 +1,8 @@
-import { fixCodeQualityCategory } from "./actions-util";
+import {
+  fixCodeQualityCategory,
+  getOptionalInput,
+  getRequiredInput,
+} from "./actions-util";
 import { Logger } from "./logging";
 import { ConfigurationError } from "./util";
 
@@ -41,6 +45,55 @@ export async function parseAnalysisKinds(
   );
 }
 
+// Used to avoid re-parsing the input after we have done it once.
+let cachedAnalysisKinds: AnalysisKind[] | undefined;
+
+/**
+ * Initialises the analysis kinds for the analysis based on the `analysis-kinds` input.
+ * This function will also use the deprecated `quality-queries` input as an indicator to enable `code-quality`.
+ * If the `analysis-kinds` input cannot be parsed, a `ConfigurationError` is thrown.
+ *
+ * @param logger The logger to use.
+ * @param skipCache For testing, whether to ignore the cached values (default: false).
+ *
+ * @returns The array of enabled analysis kinds.
+ * @throws A `ConfigurationError` if the `analysis-kinds` input cannot be parsed.
+ */
+export async function getAnalysisKinds(
+  logger: Logger,
+  skipCache: boolean = false,
+): Promise<AnalysisKind[]> {
+  if (!skipCache && cachedAnalysisKinds !== undefined) {
+    return cachedAnalysisKinds;
+  }
+
+  cachedAnalysisKinds = await parseAnalysisKinds(
+    getRequiredInput("analysis-kinds"),
+  );
+
+  // Warn that `quality-queries` is deprecated if there is an argument for it.
+  const qualityQueriesInput = getOptionalInput("quality-queries");
+
+  if (qualityQueriesInput !== undefined) {
+    logger.warning(
+      "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. " +
+        "Use the `analysis-kinds` input to configure different analysis kinds instead.",
+    );
+  }
+
+  // For backwards compatibility, add Code Quality to the enabled analysis kinds
+  // if an input to `quality-queries` was specified. We should remove this once
+  // `quality-queries` is no longer used.
+  if (
+    !cachedAnalysisKinds.includes(AnalysisKind.CodeQuality) &&
+    qualityQueriesInput !== undefined
+  ) {
+    cachedAnalysisKinds.push(AnalysisKind.CodeQuality);
+  }
+
+  return cachedAnalysisKinds;
+}
+
 /** The queries to use for Code Quality analyses. */
 export const codeQualityQueries: string[] = ["code-quality"];
 

src/config-utils.test.ts

@@ -49,10 +49,9 @@ function createTestInitConfigInputs(
   return Object.assign(
     {},
     {
-      analysisKindsInput: "code-scanning",
+      analysisKinds: [AnalysisKind.CodeScanning],
       languagesInput: undefined,
       queriesInput: undefined,
-      qualityQueriesInput: undefined,
       packsInput: undefined,
       configFile: undefined,
       dbLocation: undefined,
@@ -189,7 +188,7 @@ test("load code quality config", async (t) => {
 
     const config = await configUtils.initConfig(
       createTestInitConfigInputs({
-        analysisKindsInput: "code-quality",
+        analysisKinds: [AnalysisKind.CodeQuality],
         languagesInput: languages,
         repository: { owner: "github", repo: "example" },
         tempDir,
@@ -273,7 +272,7 @@ test("initActionState doesn't throw if there are queries configured in the repos
     await t.notThrowsAsync(async () => {
       const config = await configUtils.initConfig(
         createTestInitConfigInputs({
-          analysisKindsInput: "code-quality",
+          analysisKinds: [AnalysisKind.CodeQuality],
           languagesInput: languages,
           repository: { owner: "github", repo: "example" },
           tempDir,

src/config-utils.ts

@@ -11,7 +11,6 @@ import {
   CodeQuality,
   codeQualityQueries,
   CodeScanning,
-  parseAnalysisKinds,
 } from "./analyses";
 import * as api from "./api-client";
 import { CachingKind, getCachingKind } from "./caching-utils";
@@ -373,10 +372,8 @@ export async function getRawLanguages(
 
 /** Inputs required to initialize a configuration. */
 export interface InitConfigInputs {
-  analysisKindsInput: string;
   languagesInput: string | undefined;
   queriesInput: string | undefined;
-  qualityQueriesInput: string | undefined;
   packsInput: string | undefined;
   configFile: string | undefined;
   dbLocation: string | undefined;
@@ -396,6 +393,7 @@ export interface InitConfigInputs {
   apiDetails: api.GitHubApiCombinedDetails;
   features: FeatureEnablement;
   repositoryProperties: RepositoryProperties;
+  analysisKinds: AnalysisKind[];
   logger: Logger;
 }
 
@@ -405,10 +403,8 @@ export interface InitConfigInputs {
  */
 export async function initActionState(
   {
-    analysisKindsInput,
     languagesInput,
     queriesInput,
-    qualityQueriesInput,
     packsInput,
     buildModeInput,
     dbLocation,
@@ -424,22 +420,11 @@ export async function initActionState(
     githubVersion,
     features,
     repositoryProperties,
+    analysisKinds,
     logger,
   }: InitConfigInputs,
   userConfig: UserConfig,
 ): Promise<Config> {
-  const analysisKinds = await parseAnalysisKinds(analysisKindsInput);
-
-  // For backwards compatibility, add Code Quality to the enabled analysis kinds
-  // if an input to `quality-queries` was specified. We should remove this once
-  // `quality-queries` is no longer used.
-  if (
-    !analysisKinds.includes(AnalysisKind.CodeQuality) &&
-    qualityQueriesInput !== undefined
-  ) {
-    analysisKinds.push(AnalysisKind.CodeQuality);
-  }
-
   const languages = await getLanguages(
     codeql,
     languagesInput,

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.2",
-  "cliVersion": "2.23.2",
-  "priorBundleVersion": "codeql-bundle-v2.23.1",
-  "priorCliVersion": "2.23.1"
+  "bundleVersion": "codeql-bundle-v2.23.3",
+  "cliVersion": "2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorCliVersion": "2.23.2"
 }

src/environment.ts

@@ -47,6 +47,9 @@ export enum EnvVar {
   /** Whether the CodeQL Action has already warned the user about low disk space. */
   HAS_WARNED_ABOUT_DISK_SPACE = "CODEQL_ACTION_HAS_WARNED_ABOUT_DISK_SPACE",
 
+  /** Whether the `setup-codeql` action has been run. */
+  SETUP_CODEQL_ACTION_HAS_RUN = "CODEQL_ACTION_SETUP_CODEQL_HAS_RUN",
+
   /** Whether the init action has been run. */
   INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",
 

src/init-action-post-helper.test.ts

@@ -2,6 +2,7 @@ import test, { ExecutionContext } from "ava";
 import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
+import { AnalysisKind } from "./analyses";
 import * as codeql from "./codeql";
 import * as configUtils from "./config-utils";
 import { Feature } from "./feature-flags";
@@ -28,12 +29,13 @@ test("post: init action with debug mode off", async (t) => {
     const gitHubVersion: util.GitHubVersion = {
       type: util.GitHubVariant.DOTCOM,
     };
-    sinon.stub(configUtils, "getConfig").resolves({
-      debugMode: false,
-      gitHubVersion,
-      languages: [],
-      packs: [],
-    } as unknown as configUtils.Config);
+    sinon.stub(configUtils, "getConfig").resolves(
+      createTestConfig({
+        debugMode: false,
+        gitHubVersion,
+        languages: [],
+      }),
+    );
 
     const uploadAllAvailableDebugArtifactsSpy = sinon.spy();
     const printDebugLogsSpy = sinon.spy();
@@ -295,6 +297,17 @@ test("uploading failed SARIF run fails when workflow does not reference github/c
   t.truthy(result.upload_failed_run_stack_trace);
 });
 
+test("not uploading failed SARIF when `code-scanning` is not an enabled analysis kind", async (t) => {
+  const result = await testFailedSarifUpload(t, createTestWorkflow([]), {
+    analysisKinds: [AnalysisKind.CodeQuality],
+    expectUpload: false,
+  });
+  t.is(
+    result.upload_failed_run_skipped_because,
+    "Code Scanning is not enabled.",
+  );
+});
+
 function createTestWorkflow(
   steps: workflow.WorkflowJobStep[],
 ): workflow.Workflow {
@@ -327,20 +340,22 @@ async function testFailedSarifUpload(
     expectUpload = true,
     exportDiagnosticsEnabled = false,
     matrix = {},
+    analysisKinds = [AnalysisKind.CodeScanning],
   }: {
     category?: string;
     databaseExists?: boolean;
     expectUpload?: boolean;
     exportDiagnosticsEnabled?: boolean;
     matrix?: { [key: string]: string };
+    analysisKinds?: AnalysisKind[];
   } = {},
 ): Promise<initActionPostHelper.UploadFailedSarifResult> {
-  const config = {
+  const config = createTestConfig({
+    analysisKinds,
     codeQLCmd: "codeql",
     debugMode: true,
     languages: [],
-    packs: [],
-  } as unknown as configUtils.Config;
+  });
   if (databaseExists) {
     config.dbLocation = "path/to/database";
   }

src/init-action-post-helper.ts

@@ -7,7 +7,7 @@ import * as actionsUtil from "./actions-util";
 import { CodeScanning } from "./analyses";
 import { getApiClient } from "./api-client";
 import { CodeQL, getCodeQL } from "./codeql";
-import { Config } from "./config-utils";
+import { Config, isCodeScanningEnabled } from "./config-utils";
 import * as dependencyCaching from "./dependency-caching";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
@@ -139,6 +139,15 @@ export async function tryUploadSarifIfRunFailed(
       EnvVar.JOB_STATUS,
       process.env[EnvVar.JOB_STATUS] ?? JobStatus.ConfigErrorStatus,
     );
+
+    // If the only enabled analysis kind is `code-quality`, then we shouldn't
+    // upload the failed SARIF to Code Scanning.
+    if (!isCodeScanningEnabled(config)) {
+      return {
+        upload_failed_run_skipped_because: "Code Scanning is not enabled.",
+      };
+    }
+
     try {
       return await maybeUploadFailedSarif(
         config,

src/init-action.ts

@@ -15,6 +15,7 @@ import {
   getTemporaryDirectory,
   persistInputs,
 } from "./actions-util";
+import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import {
   getDependencyCachingEnabled,
@@ -56,6 +57,7 @@ import { ToolsSource } from "./setup-codeql";
 import {
   ActionName,
   InitStatusReport,
+  InitToolsDownloadFields,
   InitWithConfigStatusReport,
   createInitWithConfigStatusReport,
   createStatusReportBase,
@@ -86,14 +88,29 @@ import {
 } from "./util";
 import { validateWorkflow } from "./workflow";
 
-/** Fields of the init status report populated when the tools source is `download`. */
-interface InitToolsDownloadFields {
-  /** Time taken to download the bundle, in milliseconds. */
-  tools_download_duration_ms?: number;
-  /**
-   * Whether the relevant tools dotcom feature flags have been misconfigured.
-   * Only populated if we attempt to determine the default version based on the dotcom feature flags. */
-  tools_feature_flags_valid?: boolean;
+/**
+ * Sends a status report indicating that the `init` Action is starting.
+ *
+ * @param startedAt
+ * @param config
+ * @param logger
+ */
+async function sendStartingStatusReport(
+  startedAt: Date,
+  config: Partial<configUtils.Config> | undefined,
+  logger: Logger,
+) {
+  const statusReportBase = await createStatusReportBase(
+    ActionName.Init,
+    "starting",
+    startedAt,
+    config,
+    await checkDiskUsage(logger),
+    logger,
+  );
+  if (statusReportBase !== undefined) {
+    await sendStatusReport(statusReportBase);
+  }
 }
 
 async function sendCompletedStatusReport(
@@ -210,6 +227,7 @@ async function run() {
     ? await loadPropertiesFromApi(gitHubVersion, logger, repositoryNwo)
     : {};
 
+  // Create a unique identifier for this run.
   const jobRunUuid = uuidV4();
   logger.info(`Job run UUID is ${jobRunUuid}.`);
   core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
@@ -227,17 +245,30 @@ async function run() {
   );
 
   try {
-    const statusReportBase = await createStatusReportBase(
-      ActionName.Init,
-      "starting",
-      startedAt,
-      config,
-      await checkDiskUsage(logger),
-      logger,
-    );
-    if (statusReportBase !== undefined) {
-      await sendStatusReport(statusReportBase);
+    // Parsing the `analysis-kinds` input may throw a `ConfigurationError`, which we don't want before
+    // we have called `sendStartingStatusReport` below. However, we want the analysis kinds for that status
+    // report. To work around this, we ignore exceptions that are thrown here and then call `getAnalysisKinds`
+    // a second time later. The second call will then throw the exception again. If `getAnalysisKinds` is
+    // successful, the results are cached so that we don't duplicate the work in normal runs.
+    let analysisKinds: AnalysisKind[] | undefined;
+    try {
+      analysisKinds = await getAnalysisKinds(logger);
+    } catch (err) {
+      logger.debug(
+        `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`,
+      );
     }
+
+    // Send a status report indicating that an analysis is starting.
+    await sendStartingStatusReport(startedAt, { analysisKinds }, logger);
+
+    // Throw a `ConfigurationError` if the `setup-codeql` action has been run.
+    if (process.env[EnvVar.SETUP_CODEQL_ACTION_HAS_RUN] === "true") {
+      throw new ConfigurationError(
+        `The 'init' action should not be run in the same workflow as 'setup-codeql'.`,
+      );
+    }
+
     const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
       gitHubVersion.type,
     );
@@ -293,21 +324,11 @@ async function run() {
       }
     }
 
-    // Warn that `quality-queries` is deprecated if there is an argument for it.
-    const qualityQueriesInput = getOptionalInput("quality-queries");
-
-    if (qualityQueriesInput !== undefined) {
-      logger.warning(
-        "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. " +
-          "Use the `analysis-kinds` input to configure different analysis kinds instead.",
-      );
-    }
-
+    analysisKinds = await getAnalysisKinds(logger);
     config = await initConfig({
-      analysisKindsInput: getRequiredInput("analysis-kinds"),
+      analysisKinds,
       languagesInput: getOptionalInput("languages"),
       queriesInput: getOptionalInput("queries"),
-      qualityQueriesInput,
       packsInput: getOptionalInput("packs"),
       buildModeInput: getOptionalInput("build-mode"),
       configFile,

src/setup-codeql-action.ts

@@ -0,0 +1,196 @@
+import * as core from "@actions/core";
+import { v4 as uuidV4 } from "uuid";
+
+import {
+  getActionVersion,
+  getOptionalInput,
+  getRequiredInput,
+  getTemporaryDirectory,
+} from "./actions-util";
+import { getGitHubVersion } from "./api-client";
+import { CodeQL } from "./codeql";
+import { EnvVar } from "./environment";
+import { Features } from "./feature-flags";
+import { initCodeQL } from "./init";
+import { getActionsLogger, Logger } from "./logging";
+import { getRepositoryNwo } from "./repository";
+import { ToolsSource } from "./setup-codeql";
+import {
+  ActionName,
+  InitStatusReport,
+  InitToolsDownloadFields,
+  createStatusReportBase,
+  getActionsStatus,
+  sendStatusReport,
+} from "./status-report";
+import { ToolsDownloadStatusReport } from "./tools-download";
+import {
+  checkDiskUsage,
+  checkForTimeout,
+  checkGitHubVersionInRange,
+  getRequiredEnvParam,
+  initializeEnvironment,
+  ConfigurationError,
+  wrapError,
+  checkActionVersion,
+  getErrorMessage,
+} from "./util";
+
+/**
+ * Helper function to send a full status report for this action.
+ */
+async function sendCompletedStatusReport(
+  startedAt: Date,
+  toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined,
+  toolsFeatureFlagsValid: boolean | undefined,
+  toolsSource: ToolsSource,
+  toolsVersion: string,
+  logger: Logger,
+  error?: Error,
+): Promise<void> {
+  const statusReportBase = await createStatusReportBase(
+    ActionName.SetupCodeQL,
+    getActionsStatus(error),
+    startedAt,
+    undefined,
+    await checkDiskUsage(logger),
+    logger,
+    error?.message,
+    error?.stack,
+  );
+
+  if (statusReportBase === undefined) {
+    return;
+  }
+
+  const initStatusReport: InitStatusReport = {
+    ...statusReportBase,
+    tools_input: getOptionalInput("tools") || "",
+    tools_resolved_version: toolsVersion,
+    tools_source: toolsSource || ToolsSource.Unknown,
+    workflow_languages: "",
+  };
+
+  const initToolsDownloadFields: InitToolsDownloadFields = {};
+
+  if (toolsDownloadStatusReport?.downloadDurationMs !== undefined) {
+    initToolsDownloadFields.tools_download_duration_ms =
+      toolsDownloadStatusReport.downloadDurationMs;
+  }
+  if (toolsFeatureFlagsValid !== undefined) {
+    initToolsDownloadFields.tools_feature_flags_valid = toolsFeatureFlagsValid;
+  }
+
+  await sendStatusReport({ ...initStatusReport, ...initToolsDownloadFields });
+}
+
+/** The main behaviour of this action. */
+async function run(): Promise<void> {
+  const startedAt = new Date();
+  const logger = getActionsLogger();
+  initializeEnvironment(getActionVersion());
+
+  let codeql: CodeQL;
+  let toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined;
+  let toolsFeatureFlagsValid: boolean | undefined;
+  let toolsSource: ToolsSource;
+  let toolsVersion: string;
+
+  const apiDetails = {
+    auth: getRequiredInput("token"),
+    externalRepoAuth: getOptionalInput("external-repository-token"),
+    url: getRequiredEnvParam("GITHUB_SERVER_URL"),
+    apiURL: getRequiredEnvParam("GITHUB_API_URL"),
+  };
+
+  const gitHubVersion = await getGitHubVersion();
+  checkGitHubVersionInRange(gitHubVersion, logger);
+  checkActionVersion(getActionVersion(), gitHubVersion);
+
+  const repositoryNwo = getRepositoryNwo();
+
+  const features = new Features(
+    gitHubVersion,
+    repositoryNwo,
+    getTemporaryDirectory(),
+    logger,
+  );
+
+  const jobRunUuid = uuidV4();
+  logger.info(`Job run UUID is ${jobRunUuid}.`);
+  core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
+
+  try {
+    const statusReportBase = await createStatusReportBase(
+      ActionName.SetupCodeQL,
+      "starting",
+      startedAt,
+      undefined,
+      await checkDiskUsage(logger),
+      logger,
+    );
+    if (statusReportBase !== undefined) {
+      await sendStatusReport(statusReportBase);
+    }
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type,
+    );
+    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    const initCodeQLResult = await initCodeQL(
+      getOptionalInput("tools"),
+      apiDetails,
+      getTemporaryDirectory(),
+      gitHubVersion.type,
+      codeQLDefaultVersionInfo,
+      features,
+      logger,
+    );
+    codeql = initCodeQLResult.codeql;
+    toolsDownloadStatusReport = initCodeQLResult.toolsDownloadStatusReport;
+    toolsVersion = initCodeQLResult.toolsVersion;
+    toolsSource = initCodeQLResult.toolsSource;
+
+    core.setOutput("codeql-path", codeql.getPath());
+    core.setOutput("codeql-version", (await codeql.getVersion()).version);
+
+    core.exportVariable(EnvVar.SETUP_CODEQL_ACTION_HAS_RUN, "true");
+  } catch (unwrappedError) {
+    const error = wrapError(unwrappedError);
+    core.setFailed(error.message);
+    const statusReportBase = await createStatusReportBase(
+      ActionName.SetupCodeQL,
+      error instanceof ConfigurationError ? "user-error" : "failure",
+      startedAt,
+      undefined,
+      await checkDiskUsage(logger),
+      logger,
+      error.message,
+      error.stack,
+    );
+    if (statusReportBase !== undefined) {
+      await sendStatusReport(statusReportBase);
+    }
+    return;
+  }
+
+  await sendCompletedStatusReport(
+    startedAt,
+    toolsDownloadStatusReport,
+    toolsFeatureFlagsValid,
+    toolsSource,
+    toolsVersion,
+    logger,
+  );
+}
+
+/** Run the action and catch any unhandled errors. */
+async function runWrapper(): Promise<void> {
+  try {
+    await run();
+  } catch (error) {
+    core.setFailed(`setup-codeql action failed: ${getErrorMessage(error)}`);
+  }
+  await checkForTimeout();
+}
+
+void runWrapper();

src/status-report.ts

@@ -41,6 +41,7 @@ export enum ActionName {
   Init = "init",
   InitPost = "init-post",
   ResolveEnvironment = "resolve-environment",
+  SetupCodeQL = "setup-codeql",
   StartProxy = "start-proxy",
   UploadSarif = "upload-sarif",
 }
@@ -516,6 +517,16 @@ export interface InitWithConfigStatusReport extends InitStatusReport {
   config_file: string;
 }
 
+/** Fields of the init status report populated when the tools source is `download`. */
+export interface InitToolsDownloadFields {
+  /** Time taken to download the bundle, in milliseconds. */
+  tools_download_duration_ms?: number;
+  /**
+   * Whether the relevant tools dotcom feature flags have been misconfigured.
+   * Only populated if we attempt to determine the default version based on the dotcom feature flags. */
+  tools_feature_flags_valid?: boolean;
+}
+
 /**
  * Composes a `InitWithConfigStatusReport` from the given values.
  *

start-proxy/action.yml

@@ -29,6 +29,6 @@ outputs:
   proxy_urls:
     description: A stringified JSON array of objects containing the types and URLs of the configured registries.
 runs:
-  using: node24
+  using: node20
   main: "../lib/start-proxy-action.js"
   post: "../lib/start-proxy-action-post.js"

upload-sarif/action.yml

@@ -41,6 +41,6 @@ outputs:
 
       { "code-scanning": "some-id", "code-quality": "some-other-id" }
 runs:
-  using: node24
+  using: node20
   main: '../lib/upload-sarif-action.js'
   post: '../lib/upload-sarif-action-post.js'