Run testing Action using Node 24

.github/actions/verify-debug-artifact-scan-completed/action.yml

@@ -0,0 +1,6 @@
+name: Verify that the best-effort debug artifact scan completed
+description: Verifies that the best-effort debug artifact scan completed successfully during tests
+runs:
+  using: node24
+  main: index.js
+  post: post.js

.github/actions/verify-debug-artifact-scan-completed/index.js

@@ -0,0 +1,2 @@
+// The main step is a no-op, since we can only verify artifact scan completion in the post step.
+console.log("Will verify artifact scan completion in the post step.");

.github/actions/verify-debug-artifact-scan-completed/post.js

@@ -0,0 +1,11 @@
+// Post step - runs after the workflow completes, when artifact scan has finished
+const process = require("process");
+
+const scanFinished = process.env.CODEQL_ACTION_ARTIFACT_SCAN_FINISHED;
+
+if (scanFinished !== "true") {
+  console.error("Error: Best-effort artifact scan did not complete. Expected CODEQL_ACTION_ARTIFACT_SCAN_FINISHED=true");
+  process.exit(1);
+}
+
+console.log("✓ Best-effort artifact scan completed successfully");

.github/workflows/debug-artifacts-failure-safe.yml

@@ -58,6 +58,8 @@ jobs:
         uses: actions/setup-dotnet@v5
         with:
           dotnet-version: '9.x'
+      - name: Assert best-effort artifact scan completed
+        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/debug-artifacts-safe.yml

@@ -54,6 +54,8 @@ jobs:
         uses: actions/setup-dotnet@v5
         with:
           dotnet-version: '9.x'
+      - name: Assert best-effort artifact scan completed
+        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
       - uses: ./../action/init
         id: init
         with:

lib/analyze-action.js

@@ -26127,8 +26127,8 @@ var require_gte = __commonJS({
   "node_modules/semver/functions/gte.js"(exports2, module2) {
     "use strict";
     var compare3 = require_compare();
-    var gte6 = (a, b, loose) => compare3(a, b, loose) >= 0;
-    module2.exports = gte6;
+    var gte5 = (a, b, loose) => compare3(a, b, loose) >= 0;
+    module2.exports = gte5;
   }
 });
 
@@ -26149,7 +26149,7 @@ var require_cmp = __commonJS({
     var eq = require_eq();
     var neq = require_neq();
     var gt = require_gt();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lt = require_lt();
     var lte = require_lte();
     var cmp = (a, op, b, loose) => {
@@ -26179,7 +26179,7 @@ var require_cmp = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -26938,7 +26938,7 @@ var require_outside = __commonJS({
     var gt = require_gt();
     var lt = require_lt();
     var lte = require_lte();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var outside = (version, range, hilo, options) => {
       version = new SemVer(version, options);
       range = new Range2(range, options);
@@ -26953,7 +26953,7 @@ var require_outside = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -27268,7 +27268,7 @@ var require_semver2 = __commonJS({
     var lt = require_lt();
     var eq = require_eq();
     var neq = require_neq();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lte = require_lte();
     var cmp = require_cmp();
     var coerce3 = require_coerce();
@@ -27306,7 +27306,7 @@ var require_semver2 = __commonJS({
       lt,
       eq,
       neq,
-      gte: gte6,
+      gte: gte5,
       lte,
       cmp,
       coerce: coerce3,
@@ -33489,7 +33489,7 @@ var require_brace_expansion = __commonJS({
     function lte(i, y) {
       return i <= y;
     }
-    function gte6(i, y) {
+    function gte5(i, y) {
       return i >= y;
     }
     function expand(str2, isTop) {
@@ -33534,7 +33534,7 @@ var require_brace_expansion = __commonJS({
         var reverse = y < x;
         if (reverse) {
           incr *= -1;
-          test = gte6;
+          test = gte5;
         }
         var pad = n.some(isPadded);
         N = [];
@@ -35435,8 +35435,8 @@ var require_semver3 = __commonJS({
     function neq(a, b, loose) {
       return compare3(a, b, loose) !== 0;
     }
-    exports2.gte = gte6;
-    function gte6(a, b, loose) {
+    exports2.gte = gte5;
+    function gte5(a, b, loose) {
       return compare3(a, b, loose) >= 0;
     }
     exports2.lte = lte;
@@ -35467,7 +35467,7 @@ var require_semver3 = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -36012,7 +36012,7 @@ var require_semver3 = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -36232,7 +36232,7 @@ var require_cacheUtils = __commonJS({
     var crypto3 = __importStar2(require("crypto"));
     var fs17 = __importStar2(require("fs"));
     var path16 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver8 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -36325,7 +36325,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver8.clean(versionOutput);
         core15.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -85918,7 +85918,7 @@ var require_manifest = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2._readLinuxVersionFile = exports2._getOsVersion = exports2._findMatch = void 0;
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var core_1 = require_core3();
     var os5 = require("os");
     var cp = require("child_process");
@@ -85932,7 +85932,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver8.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -85941,7 +85941,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver8.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -86171,7 +86171,7 @@ var require_tool_cache = __commonJS({
     var os5 = __importStar2(require("os"));
     var path16 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib5());
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var stream2 = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -86445,7 +86445,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch2 = arch2 || os5.arch();
         core15.debug(`Caching tool ${tool} ${version} ${arch2}`);
         core15.debug(`source dir: ${sourceDir}`);
@@ -86464,7 +86464,7 @@ var require_tool_cache = __commonJS({
     exports2.cacheDir = cacheDir;
     function cacheFile(sourceFile, targetFile, tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch2 = arch2 || os5.arch();
         core15.debug(`Caching tool ${tool} ${version} ${arch2}`);
         core15.debug(`source file: ${sourceFile}`);
@@ -86495,7 +86495,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver8.clean(versionSpec) || "";
         const cachePath = path16.join(_getCacheDirectory(), toolName, versionSpec, arch2);
         core15.debug(`checking cache: ${cachePath}`);
         if (fs17.existsSync(cachePath) && fs17.existsSync(`${cachePath}.complete`)) {
@@ -86579,7 +86579,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path16.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
+        const folderPath = path16.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch2 || "");
         core15.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io7.rmRF(folderPath);
@@ -86589,15 +86589,15 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch2) {
-      const folderPath = path16.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
+      const folderPath = path16.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch2 || "");
       const markerPath = `${folderPath}.complete`;
       fs17.writeFileSync(markerPath, "");
       core15.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver8.clean(versionSpec) || "";
       core15.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
+      const valid3 = semver8.valid(c) != null;
       core15.debug(`explicit? ${valid3}`);
       return valid3;
     }
@@ -86606,14 +86606,14 @@ var require_tool_cache = __commonJS({
       let version = "";
       core15.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver8.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver8.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -93708,7 +93708,7 @@ function wrapApiConfigurationError(e) {
 
 // src/codeql.ts
 var fs11 = __toESM(require("fs"));
-var path11 = __toESM(require("path"));
+var path10 = __toESM(require("path"));
 var core10 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());
 
@@ -93954,8 +93954,7 @@ function wrapCliConfigurationError(cliError) {
 
 // src/config-utils.ts
 var fs6 = __toESM(require("fs"));
-var path7 = __toESM(require("path"));
-var semver5 = __toESM(require_semver2());
+var path6 = __toESM(require("path"));
 
 // src/caching-utils.ts
 var crypto2 = __toESM(require("crypto"));
@@ -93985,93 +93984,13 @@ var PACK_IDENTIFIER_PATTERN = (function() {
   return new RegExp(`^${component}/${component}$`);
 })();
 
-// src/diagnostics.ts
-var import_fs = require("fs");
-var import_path = __toESM(require("path"));
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-async function withGroupAsync(groupName, f) {
-  core7.startGroup(groupName);
-  try {
-    return await f();
-  } finally {
-    core7.endGroup();
-  }
-}
-function formatDuration(durationMs) {
-  if (durationMs < 1e3) {
-    return `${durationMs}ms`;
-  }
-  if (durationMs < 60 * 1e3) {
-    return `${(durationMs / 1e3).toFixed(1)}s`;
-  }
-  const minutes = Math.floor(durationMs / (60 * 1e3));
-  const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3);
-  return `${minutes}m${seconds}s`;
-}
-
-// src/diagnostics.ts
-var unwrittenDiagnostics = [];
-function makeDiagnostic(id, name, data = void 0) {
-  return {
-    ...data,
-    timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
-    source: { ...data?.source, id, name }
-  };
-}
-function addDiagnostic(config, language, diagnostic) {
-  const logger = getActionsLogger();
-  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
-  if ((0, import_fs.existsSync)(databasePath)) {
-    writeDiagnostic(config, language, diagnostic);
-  } else {
-    logger.debug(
-      `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.`
-    );
-    unwrittenDiagnostics.push({ diagnostic, language });
-  }
-}
-function writeDiagnostic(config, language, diagnostic) {
-  const logger = getActionsLogger();
-  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
-  const diagnosticsPath = import_path.default.resolve(
-    databasePath,
-    "diagnostic",
-    "codeql-action"
-  );
-  try {
-    (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true });
-    const jsonPath = import_path.default.resolve(
-      diagnosticsPath,
-      // Remove colons from the timestamp as these are not allowed in Windows filenames.
-      `codeql-action-${diagnostic.timestamp.replaceAll(":", "")}.json`
-    );
-    (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic));
-  } catch (err) {
-    logger.warning(`Unable to write diagnostic message to database: ${err}`);
-    logger.debug(JSON.stringify(diagnostic));
-  }
-}
-
 // src/diff-informed-analysis-utils.ts
 var fs5 = __toESM(require("fs"));
-var path6 = __toESM(require("path"));
+var path5 = __toESM(require("path"));
 
 // src/feature-flags.ts
 var fs4 = __toESM(require("fs"));
-var path5 = __toESM(require("path"));
+var path4 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
@@ -94080,17 +93999,17 @@ var cliVersion = "2.23.8";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
-var path4 = __toESM(require("path"));
+var path3 = __toESM(require("path"));
 var actionsCache = __toESM(require_cache4());
 
 // src/git-utils.ts
-var core8 = __toESM(require_core());
+var core7 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core7.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -94110,7 +94029,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -94255,7 +94174,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core7.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -94280,6 +94199,39 @@ async function isAnalyzingDefaultBranch() {
   return currentRef === defaultBranch;
 }
 
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+async function withGroupAsync(groupName, f) {
+  core8.startGroup(groupName);
+  try {
+    return await f();
+  } finally {
+    core8.endGroup();
+  }
+}
+function formatDuration(durationMs) {
+  if (durationMs < 1e3) {
+    return `${durationMs}ms`;
+  }
+  if (durationMs < 60 * 1e3) {
+    return `${(durationMs / 1e3).toFixed(1)}s`;
+  }
+  const minutes = Math.floor(durationMs / (60 * 1e3));
+  const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3);
+  return `${minutes}m${seconds}s`;
+}
+
 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.5";
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
@@ -94306,7 +94258,7 @@ async function readBaseDatabaseOidsFile(config, logger) {
   }
 }
 function getBaseDatabaseOidsFilePath(config) {
-  return path4.join(config.dbLocation, "base-database-oids.json");
+  return path3.join(config.dbLocation, "base-database-oids.json");
 }
 async function writeOverlayChangesFile(config, sourceRoot, logger) {
   const baseFileOids = await readBaseDatabaseOidsFile(config, logger);
@@ -94316,7 +94268,7 @@ async function writeOverlayChangesFile(config, sourceRoot, logger) {
     `Found ${changedFiles.length} changed file(s) under ${sourceRoot}.`
   );
   const changedFilesJson = JSON.stringify({ changes: changedFiles });
-  const overlayChangesFile = path4.join(
+  const overlayChangesFile = path3.join(
     getTemporaryDirectory(),
     "overlay-changes.json"
   );
@@ -94686,7 +94638,7 @@ var Features = class {
     this.gitHubFeatureFlags = new GitHubFeatureFlags(
       gitHubVersion,
       repositoryNwo,
-      path5.join(tempDir, FEATURE_FLAGS_FILE_NAME),
+      path4.join(tempDir, FEATURE_FLAGS_FILE_NAME),
       logger
     );
   }
@@ -94966,7 +94918,7 @@ async function getDiffInformedAnalysisBranches(codeql, features, logger) {
   return branches;
 }
 function getDiffRangesJsonFilePath() {
-  return path6.join(getTemporaryDirectory(), "pr-diff-range.json");
+  return path5.join(getTemporaryDirectory(), "pr-diff-range.json");
 }
 function writeDiffRangesJsonFile(logger, ranges) {
   const jsonContents = JSON.stringify(ranges, null, 2);
@@ -95046,7 +94998,7 @@ Error Response: ${JSON.stringify(error3.response, null, 2)}`
   }
 }
 function getDiffRanges(fileDiff, logger) {
-  const filename = path6.join(getRequiredInput("checkout_path"), fileDiff.filename).replaceAll(path6.sep, "/");
+  const filename = path5.join(getRequiredInput("checkout_path"), fileDiff.filename).replaceAll(path5.sep, "/");
   if (fileDiff.patch === void 0) {
     if (fileDiff.changes === 0) {
       return [];
@@ -95253,7 +95205,7 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
   swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
 };
 function getPathToParsedConfigFile(tempDir) {
-  return path7.join(tempDir, "config");
+  return path6.join(tempDir, "config");
 }
 async function getConfig(tempDir, logger) {
   const configFile = getPathToParsedConfigFile(tempDir);
@@ -95309,10 +95261,10 @@ function getPrimaryAnalysisConfig(config) {
 
 // src/setup-codeql.ts
 var fs9 = __toESM(require("fs"));
-var path9 = __toESM(require("path"));
+var path8 = __toESM(require("path"));
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 
 // node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
@@ -95375,7 +95327,7 @@ var stream = __toESM(require("stream"));
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver5 = __toESM(require_semver2());
 var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
 var MIN_REQUIRED_GNU_TAR_VERSION = "1.31";
 async function getTarVersion() {
@@ -95417,9 +95369,9 @@ async function isZstdAvailable(logger) {
       case "gnu":
         return {
           available: foundZstdBinary && // GNU tar only uses major and minor version numbers
-          semver6.gte(
-            semver6.coerce(version),
-            semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
+          semver5.gte(
+            semver5.coerce(version),
+            semver5.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
           ),
           foundZstdBinary,
           version: tarVersion
@@ -95428,7 +95380,7 @@ async function isZstdAvailable(logger) {
         return {
           available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain
           // a patch version number.
-          semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
+          semver5.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
           foundZstdBinary,
           version: tarVersion
         };
@@ -95529,13 +95481,13 @@ function inferCompressionMethod(tarPath) {
 // src/tools-download.ts
 var fs8 = __toESM(require("fs"));
 var os2 = __toESM(require("os"));
-var path8 = __toESM(require("path"));
+var path7 = __toESM(require("path"));
 var import_perf_hooks = require("perf_hooks");
 var core9 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 var TOOLCACHE_TOOL_NAME = "CodeQL";
 function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) {
@@ -95662,10 +95614,10 @@ async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorizatio
   await extractTarZst(response, dest, tarVersion, logger);
 }
 function getToolcacheDirectory(version) {
-  return path8.join(
+  return path7.join(
     getRequiredEnvParam("RUNNER_TOOL_CACHE"),
     TOOLCACHE_TOOL_NAME,
-    semver7.clean(version) || version,
+    semver6.clean(version) || version,
     os2.arch() || ""
   );
 }
@@ -95790,13 +95742,13 @@ function tryGetTagNameFromUrl(url2, logger) {
   return match[1];
 }
 function convertToSemVer(version, logger) {
-  if (!semver8.valid(version)) {
+  if (!semver7.valid(version)) {
     logger.debug(
       `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`
     );
     version = `0.0.0-${version}`;
   }
-  const s = semver8.clean(version);
+  const s = semver7.clean(version);
   if (!s) {
     throw new Error(`Bundle version ${version} is not in SemVer format.`);
   }
@@ -95806,7 +95758,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
   const candidates = toolcache3.findAllVersions("CodeQL").filter(isGoodVersion).map((version) => ({
     folder: toolcache3.find("CodeQL", version),
     version
-  })).filter(({ folder }) => fs9.existsSync(path9.join(folder, "pinned-version")));
+  })).filter(({ folder }) => fs9.existsSync(path8.join(folder, "pinned-version")));
   if (candidates.length === 1) {
     const candidate = candidates[0];
     logger.debug(
@@ -95904,7 +95856,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
     url2 = toolsInput;
     if (tagName) {
       const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger);
-      if (bundleVersion3 && semver8.valid(bundleVersion3)) {
+      if (bundleVersion3 && semver7.valid(bundleVersion3)) {
         cliVersion2 = convertToSemVer(bundleVersion3, logger);
       }
     }
@@ -96175,11 +96127,11 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
 async function useZstdBundle(cliVersion2, tarSupportsZstd) {
   return (
     // In testing, gzip performs better than zstd on Windows.
-    process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
+    process.platform !== "win32" && tarSupportsZstd && semver7.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
   );
 }
 function getTempExtractionDir(tempDir) {
-  return path9.join(tempDir, v4_default());
+  return path8.join(tempDir, v4_default());
 }
 async function getNightlyToolsUrl(logger) {
   const zstdAvailability = await isZstdAvailable(logger);
@@ -96207,7 +96159,7 @@ async function getNightlyToolsUrl(logger) {
   }
 }
 function getLatestToolcacheVersion(logger) {
-  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a));
+  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver7.compare(b, a));
   logger.debug(
     `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
       allVersions
@@ -96228,7 +96180,7 @@ function isReservedToolsValue(tools) {
 
 // src/tracer-config.ts
 var fs10 = __toESM(require("fs"));
-var path10 = __toESM(require("path"));
+var path9 = __toESM(require("path"));
 async function shouldEnableIndirectTracing(codeql, config) {
   if (config.buildMode === "none" /* None */) {
     return false;
@@ -96243,7 +96195,7 @@ async function endTracingForCluster(codeql, config, logger) {
   logger.info(
     "Unsetting build tracing environment variables. Subsequent steps of this job will not be traced."
   );
-  const envVariablesFile = path10.resolve(
+  const envVariablesFile = path9.resolve(
     config.dbLocation,
     "temp/tracingEnvironment/end-tracing.json"
   );
@@ -96300,7 +96252,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
         toolsDownloadStatusReport
       )}`
     );
-    let codeqlCmd = path11.join(codeqlFolder, "codeql", "codeql");
+    let codeqlCmd = path10.join(codeqlFolder, "codeql", "codeql");
     if (process.platform === "win32") {
       codeqlCmd += ".exe";
     } else if (process.platform !== "linux" && process.platform !== "darwin") {
@@ -96362,7 +96314,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
     },
     async isTracedLanguage(language) {
       const extractorPath = await this.resolveExtractor(language);
-      const tracingConfigPath = path11.join(
+      const tracingConfigPath = path10.join(
         extractorPath,
         "tools",
         "tracing-config.lua"
@@ -96438,7 +96390,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
     },
     async runAutobuild(config, language) {
       applyAutobuildAzurePipelinesTimeoutFix();
-      const autobuildCmd = path11.join(
+      const autobuildCmd = path10.join(
         await this.resolveExtractor(language),
         "tools",
         process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh"
@@ -96861,7 +96813,7 @@ async function getTrapCachingExtractorConfigArgsForLang(config, language) {
   ];
 }
 function getGeneratedCodeScanningConfigPath(config) {
-  return path11.resolve(config.tempDir, "user-config.yaml");
+  return path10.resolve(config.tempDir, "user-config.yaml");
 }
 function getExtractionVerbosityArguments(enableDebugLogging) {
   return enableDebugLogging ? [`--verbosity=${EXTRACTION_DEBUG_MODE_VERBOSITY}`] : [];
@@ -96929,31 +96881,31 @@ async function runAutobuild(config, language, logger) {
 
 // src/dependency-caching.ts
 var os3 = __toESM(require("os"));
-var import_path2 = require("path");
+var import_path = require("path");
 var actionsCache3 = __toESM(require_cache4());
 var glob = __toESM(require_glob());
 var CODEQL_DEPENDENCY_CACHE_PREFIX = "codeql-dependencies";
 var CODEQL_DEPENDENCY_CACHE_VERSION = 1;
 function getJavaTempDependencyDir() {
-  return (0, import_path2.join)(getTemporaryDirectory(), "codeql_java", "repository");
+  return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository");
 }
 async function getJavaDependencyDirs() {
   return [
     // Maven
-    (0, import_path2.join)(os3.homedir(), ".m2", "repository"),
+    (0, import_path.join)(os3.homedir(), ".m2", "repository"),
     // Gradle
-    (0, import_path2.join)(os3.homedir(), ".gradle", "caches"),
+    (0, import_path.join)(os3.homedir(), ".gradle", "caches"),
     // CodeQL Java build-mode: none
     getJavaTempDependencyDir()
   ];
 }
 function getCsharpTempDependencyDir() {
-  return (0, import_path2.join)(getTemporaryDirectory(), "codeql_csharp", "repository");
+  return (0, import_path.join)(getTemporaryDirectory(), "codeql_csharp", "repository");
 }
 async function getCsharpDependencyDirs(codeql, features) {
   const dirs = [
     // Nuget
-    (0, import_path2.join)(os3.homedir(), ".nuget", "packages")
+    (0, import_path.join)(os3.homedir(), ".nuget", "packages")
   ];
   if (await features.getValue("csharp_cache_bmn" /* CsharpCacheBuildModeNone */, codeql)) {
     dirs.push(getCsharpTempDependencyDir());
@@ -97008,7 +96960,7 @@ var defaultCacheConfigs = {
     getHashPatterns: getCsharpHashPatterns
   },
   go: {
-    getDependencyPaths: async () => [(0, import_path2.join)(os3.homedir(), "go", "pkg", "mod")],
+    getDependencyPaths: async () => [(0, import_path.join)(os3.homedir(), "go", "pkg", "mod")],
     getHashPatterns: async () => internal.makePatternCheck(["**/go.sum"])
   }
 };
@@ -97127,6 +97079,51 @@ var internal = {
   makePatternCheck
 };
 
+// src/diagnostics.ts
+var import_fs = require("fs");
+var import_path2 = __toESM(require("path"));
+var unwrittenDiagnostics = [];
+function makeDiagnostic(id, name, data = void 0) {
+  return {
+    ...data,
+    timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
+    source: { ...data?.source, id, name }
+  };
+}
+function addDiagnostic(config, language, diagnostic) {
+  const logger = getActionsLogger();
+  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
+  if ((0, import_fs.existsSync)(databasePath)) {
+    writeDiagnostic(config, language, diagnostic);
+  } else {
+    logger.debug(
+      `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.`
+    );
+    unwrittenDiagnostics.push({ diagnostic, language });
+  }
+}
+function writeDiagnostic(config, language, diagnostic) {
+  const logger = getActionsLogger();
+  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
+  const diagnosticsPath = import_path2.default.resolve(
+    databasePath,
+    "diagnostic",
+    "codeql-action"
+  );
+  try {
+    (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true });
+    const jsonPath = import_path2.default.resolve(
+      diagnosticsPath,
+      // Remove colons from the timestamp as these are not allowed in Windows filenames.
+      `codeql-action-${diagnostic.timestamp.replaceAll(":", "")}.json`
+    );
+    (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic));
+  } catch (err) {
+    logger.warning(`Unable to write diagnostic message to database: ${err}`);
+    logger.debug(JSON.stringify(diagnostic));
+  }
+}
+
 // src/analyze.ts
 var CodeQLAnalysisError = class extends Error {
   constructor(queriesStatusReport, message, error3) {

lib/autobuild-action.js

@@ -26127,8 +26127,8 @@ var require_gte = __commonJS({
   "node_modules/semver/functions/gte.js"(exports2, module2) {
     "use strict";
     var compare2 = require_compare();
-    var gte6 = (a, b, loose) => compare2(a, b, loose) >= 0;
-    module2.exports = gte6;
+    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
+    module2.exports = gte5;
   }
 });
 
@@ -26149,7 +26149,7 @@ var require_cmp = __commonJS({
     var eq = require_eq();
     var neq = require_neq();
     var gt = require_gt();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lt = require_lt();
     var lte = require_lte();
     var cmp = (a, op, b, loose) => {
@@ -26179,7 +26179,7 @@ var require_cmp = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -26938,7 +26938,7 @@ var require_outside = __commonJS({
     var gt = require_gt();
     var lt = require_lt();
     var lte = require_lte();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var outside = (version, range, hilo, options) => {
       version = new SemVer(version, options);
       range = new Range2(range, options);
@@ -26953,7 +26953,7 @@ var require_outside = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -27268,7 +27268,7 @@ var require_semver2 = __commonJS({
     var lt = require_lt();
     var eq = require_eq();
     var neq = require_neq();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lte = require_lte();
     var cmp = require_cmp();
     var coerce3 = require_coerce();
@@ -27306,7 +27306,7 @@ var require_semver2 = __commonJS({
       lt,
       eq,
       neq,
-      gte: gte6,
+      gte: gte5,
       lte,
       cmp,
       coerce: coerce3,
@@ -33489,7 +33489,7 @@ var require_brace_expansion = __commonJS({
     function lte(i, y) {
       return i <= y;
     }
-    function gte6(i, y) {
+    function gte5(i, y) {
       return i >= y;
     }
     function expand(str2, isTop) {
@@ -33534,7 +33534,7 @@ var require_brace_expansion = __commonJS({
         var reverse = y < x;
         if (reverse) {
           incr *= -1;
-          test = gte6;
+          test = gte5;
         }
         var pad = n.some(isPadded);
         N = [];
@@ -35435,8 +35435,8 @@ var require_semver3 = __commonJS({
     function neq(a, b, loose) {
       return compare2(a, b, loose) !== 0;
     }
-    exports2.gte = gte6;
-    function gte6(a, b, loose) {
+    exports2.gte = gte5;
+    function gte5(a, b, loose) {
       return compare2(a, b, loose) >= 0;
     }
     exports2.lte = lte;
@@ -35467,7 +35467,7 @@ var require_semver3 = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -36012,7 +36012,7 @@ var require_semver3 = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -36232,7 +36232,7 @@ var require_cacheUtils = __commonJS({
     var crypto2 = __importStar2(require("crypto"));
     var fs7 = __importStar2(require("fs"));
     var path7 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver8 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -36325,7 +36325,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver8.clean(versionOutput);
         core14.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -85918,7 +85918,7 @@ var require_manifest = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2._readLinuxVersionFile = exports2._getOsVersion = exports2._findMatch = void 0;
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var core_1 = require_core3();
     var os2 = require("os");
     var cp = require("child_process");
@@ -85932,7 +85932,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver8.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -85941,7 +85941,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver8.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -86171,7 +86171,7 @@ var require_tool_cache = __commonJS({
     var os2 = __importStar2(require("os"));
     var path7 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib5());
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var stream = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -86445,7 +86445,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch = arch || os2.arch();
         core14.debug(`Caching tool ${tool} ${version} ${arch}`);
         core14.debug(`source dir: ${sourceDir}`);
@@ -86464,7 +86464,7 @@ var require_tool_cache = __commonJS({
     exports2.cacheDir = cacheDir;
     function cacheFile(sourceFile, targetFile, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch = arch || os2.arch();
         core14.debug(`Caching tool ${tool} ${version} ${arch}`);
         core14.debug(`source file: ${sourceFile}`);
@@ -86495,7 +86495,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver8.clean(versionSpec) || "";
         const cachePath = path7.join(_getCacheDirectory(), toolName, versionSpec, arch);
         core14.debug(`checking cache: ${cachePath}`);
         if (fs7.existsSync(cachePath) && fs7.existsSync(`${cachePath}.complete`)) {
@@ -86579,7 +86579,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+        const folderPath = path7.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch || "");
         core14.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io5.rmRF(folderPath);
@@ -86589,15 +86589,15 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch) {
-      const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+      const folderPath = path7.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch || "");
       const markerPath = `${folderPath}.complete`;
       fs7.writeFileSync(markerPath, "");
       core14.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver8.clean(versionSpec) || "";
       core14.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
+      const valid3 = semver8.valid(c) != null;
       core14.debug(`explicit? ${valid3}`);
       return valid3;
     }
@@ -86606,14 +86606,14 @@ var require_tool_cache = __commonJS({
       let version = "";
       core14.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver8.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver8.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -90553,7 +90553,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs4 = __toESM(require("fs"));
 var path4 = __toESM(require("path"));
-var semver5 = __toESM(require_semver2());
 
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -90576,20 +90575,6 @@ var PACK_IDENTIFIER_PATTERN = (function() {
   return new RegExp(`^${component}/${component}$`);
 })();
 
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
 var fs3 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
@@ -90605,13 +90590,13 @@ var path2 = __toESM(require("path"));
 var actionsCache = __toESM(require_cache4());
 
 // src/git-utils.ts
-var core8 = __toESM(require_core());
+var core7 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core7.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -90631,7 +90616,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -90742,7 +90727,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core7.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -90767,6 +90752,20 @@ async function isAnalyzingDefaultBranch() {
   return currentRef === defaultBranch;
 }
 
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.5";
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
@@ -91376,20 +91375,20 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 
 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver5 = __toESM(require_semver2());
 
 // src/tools-download.ts
 var core9 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 
 // src/tracer-config.ts

lib/init-action.js

@@ -20709,8 +20709,8 @@ var require_gte = __commonJS({
   "node_modules/semver/functions/gte.js"(exports2, module2) {
     "use strict";
     var compare2 = require_compare();
-    var gte6 = (a, b, loose) => compare2(a, b, loose) >= 0;
-    module2.exports = gte6;
+    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
+    module2.exports = gte5;
   }
 });
 
@@ -20731,7 +20731,7 @@ var require_cmp = __commonJS({
     var eq = require_eq();
     var neq = require_neq();
     var gt = require_gt();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lt2 = require_lt();
     var lte = require_lte();
     var cmp = (a, op, b, loose) => {
@@ -20761,7 +20761,7 @@ var require_cmp = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt2(a, b, loose);
         case "<=":
@@ -21520,7 +21520,7 @@ var require_outside = __commonJS({
     var gt = require_gt();
     var lt2 = require_lt();
     var lte = require_lte();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var outside = (version, range, hilo, options) => {
       version = new SemVer(version, options);
       range = new Range2(range, options);
@@ -21535,7 +21535,7 @@ var require_outside = __commonJS({
           break;
         case "<":
           gtfn = lt2;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -21850,7 +21850,7 @@ var require_semver2 = __commonJS({
     var lt2 = require_lt();
     var eq = require_eq();
     var neq = require_neq();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lte = require_lte();
     var cmp = require_cmp();
     var coerce3 = require_coerce();
@@ -21888,7 +21888,7 @@ var require_semver2 = __commonJS({
       lt: lt2,
       eq,
       neq,
-      gte: gte6,
+      gte: gte5,
       lte,
       cmp,
       coerce: coerce3,
@@ -33640,7 +33640,7 @@ var require_brace_expansion = __commonJS({
     function lte(i, y) {
       return i <= y;
     }
-    function gte6(i, y) {
+    function gte5(i, y) {
       return i >= y;
     }
     function expand(str2, isTop) {
@@ -33685,7 +33685,7 @@ var require_brace_expansion = __commonJS({
         var reverse = y < x;
         if (reverse) {
           incr *= -1;
-          test = gte6;
+          test = gte5;
         }
         var pad = n.some(isPadded);
         N = [];
@@ -35586,8 +35586,8 @@ var require_semver3 = __commonJS({
     function neq(a, b, loose) {
       return compare2(a, b, loose) !== 0;
     }
-    exports2.gte = gte6;
-    function gte6(a, b, loose) {
+    exports2.gte = gte5;
+    function gte5(a, b, loose) {
       return compare2(a, b, loose) >= 0;
     }
     exports2.lte = lte;
@@ -35618,7 +35618,7 @@ var require_semver3 = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt2(a, b, loose);
         case "<=":
@@ -36163,7 +36163,7 @@ var require_semver3 = __commonJS({
           break;
         case "<":
           gtfn = lt2;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -36383,7 +36383,7 @@ var require_cacheUtils = __commonJS({
     var crypto3 = __importStar2(require("crypto"));
     var fs15 = __importStar2(require("fs"));
     var path16 = __importStar2(require("path"));
-    var semver10 = __importStar2(require_semver3());
+    var semver9 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -36476,7 +36476,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver10.clean(versionOutput);
+        const version = semver9.clean(versionOutput);
         core14.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -86069,7 +86069,7 @@ var require_manifest = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2._readLinuxVersionFile = exports2._getOsVersion = exports2._findMatch = void 0;
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var core_1 = require_core3();
     var os5 = require("os");
     var cp = require("child_process");
@@ -86083,7 +86083,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -86092,7 +86092,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver10.satisfies(osVersion, item.platform_version);
+                  chk = semver9.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -86322,7 +86322,7 @@ var require_tool_cache = __commonJS({
     var os5 = __importStar2(require("os"));
     var path16 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib5());
-    var semver10 = __importStar2(require_semver2());
+    var semver9 = __importStar2(require_semver2());
     var stream2 = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -86596,7 +86596,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch2 = arch2 || os5.arch();
         core14.debug(`Caching tool ${tool} ${version} ${arch2}`);
         core14.debug(`source dir: ${sourceDir}`);
@@ -86615,7 +86615,7 @@ var require_tool_cache = __commonJS({
     exports2.cacheDir = cacheDir;
     function cacheFile(sourceFile, targetFile, tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver10.clean(version) || version;
+        version = semver9.clean(version) || version;
         arch2 = arch2 || os5.arch();
         core14.debug(`Caching tool ${tool} ${version} ${arch2}`);
         core14.debug(`source file: ${sourceFile}`);
@@ -86646,7 +86646,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver10.clean(versionSpec) || "";
+        versionSpec = semver9.clean(versionSpec) || "";
         const cachePath = path16.join(_getCacheDirectory(), toolName, versionSpec, arch2);
         core14.debug(`checking cache: ${cachePath}`);
         if (fs15.existsSync(cachePath) && fs15.existsSync(`${cachePath}.complete`)) {
@@ -86730,7 +86730,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path16.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || "");
+        const folderPath = path16.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
         core14.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io7.rmRF(folderPath);
@@ -86740,15 +86740,15 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch2) {
-      const folderPath = path16.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || "");
+      const folderPath = path16.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
       const markerPath = `${folderPath}.complete`;
       fs15.writeFileSync(markerPath, "");
       core14.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver10.clean(versionSpec) || "";
+      const c = semver9.clean(versionSpec) || "";
       core14.debug(`isExplicit: ${c}`);
-      const valid3 = semver10.valid(c) != null;
+      const valid3 = semver9.valid(c) != null;
       core14.debug(`explicit? ${valid3}`);
       return valid3;
     }
@@ -86757,14 +86757,14 @@ var require_tool_cache = __commonJS({
       let version = "";
       core14.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver10.gt(a, b)) {
+        if (semver9.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver10.satisfies(potential, versionSpec);
+        const satisfied = semver9.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -87359,7 +87359,7 @@ var fs14 = __toESM(require("fs"));
 var path15 = __toESM(require("path"));
 var core13 = __toESM(require_core());
 var io6 = __toESM(require_io());
-var semver9 = __toESM(require_semver2());
+var semver8 = __toESM(require_semver2());
 
 // node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
@@ -91071,9 +91071,8 @@ function getDependencyCachingEnabled() {
 
 // src/config-utils.ts
 var fs6 = __toESM(require("fs"));
-var path8 = __toESM(require("path"));
+var path7 = __toESM(require("path"));
 var import_perf_hooks = require("perf_hooks");
-var semver5 = __toESM(require_semver2());
 
 // src/config/db-config.ts
 var path3 = __toESM(require("path"));
@@ -91418,121 +91417,9 @@ function parseUserConfig(logger, pathInput, contents, validateConfig) {
   }
 }
 
-// src/diagnostics.ts
-var import_fs = require("fs");
-var import_path = __toESM(require("path"));
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-async function withGroupAsync(groupName, f) {
-  core7.startGroup(groupName);
-  try {
-    return await f();
-  } finally {
-    core7.endGroup();
-  }
-}
-function formatDuration(durationMs) {
-  if (durationMs < 1e3) {
-    return `${durationMs}ms`;
-  }
-  if (durationMs < 60 * 1e3) {
-    return `${(durationMs / 1e3).toFixed(1)}s`;
-  }
-  const minutes = Math.floor(durationMs / (60 * 1e3));
-  const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3);
-  return `${minutes}m${seconds}s`;
-}
-
-// src/diagnostics.ts
-var unwrittenDiagnostics = [];
-function makeDiagnostic(id, name, data = void 0) {
-  return {
-    ...data,
-    timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
-    source: { ...data?.source, id, name }
-  };
-}
-function addDiagnostic(config, language, diagnostic) {
-  const logger = getActionsLogger();
-  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
-  if ((0, import_fs.existsSync)(databasePath)) {
-    writeDiagnostic(config, language, diagnostic);
-  } else {
-    logger.debug(
-      `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.`
-    );
-    unwrittenDiagnostics.push({ diagnostic, language });
-  }
-}
-function writeDiagnostic(config, language, diagnostic) {
-  const logger = getActionsLogger();
-  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
-  const diagnosticsPath = import_path.default.resolve(
-    databasePath,
-    "diagnostic",
-    "codeql-action"
-  );
-  try {
-    (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true });
-    const jsonPath = import_path.default.resolve(
-      diagnosticsPath,
-      // Remove colons from the timestamp as these are not allowed in Windows filenames.
-      `codeql-action-${diagnostic.timestamp.replaceAll(":", "")}.json`
-    );
-    (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic));
-  } catch (err) {
-    logger.warning(`Unable to write diagnostic message to database: ${err}`);
-    logger.debug(JSON.stringify(diagnostic));
-  }
-}
-function logUnwrittenDiagnostics() {
-  const logger = getActionsLogger();
-  const num = unwrittenDiagnostics.length;
-  if (num > 0) {
-    logger.warning(
-      `${num} diagnostic(s) could not be written to the database and will not appear on the Tool Status Page.`
-    );
-    for (const unwritten of unwrittenDiagnostics) {
-      logger.debug(JSON.stringify(unwritten.diagnostic));
-    }
-  }
-}
-function flushDiagnostics(config) {
-  const logger = getActionsLogger();
-  logger.debug(
-    `Writing ${unwrittenDiagnostics.length} diagnostic(s) to database.`
-  );
-  for (const unwritten of unwrittenDiagnostics) {
-    writeDiagnostic(config, unwritten.language, unwritten.diagnostic);
-  }
-  unwrittenDiagnostics = [];
-}
-function makeTelemetryDiagnostic(id, name, attributes) {
-  return makeDiagnostic(id, name, {
-    attributes,
-    visibility: {
-      cliSummaryTable: false,
-      statusPage: false,
-      telemetry: true
-    }
-  });
-}
-
 // src/feature-flags.ts
 var fs4 = __toESM(require("fs"));
-var path6 = __toESM(require("path"));
+var path5 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
@@ -91541,30 +91428,17 @@ var cliVersion = "2.23.8";
 
 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
-var path5 = __toESM(require("path"));
+var path4 = __toESM(require("path"));
 var actionsCache = __toESM(require_cache4());
 
 // src/git-utils.ts
-var core8 = __toESM(require_core());
+var core7 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.38.0";
-async function getGitVersionOrThrow() {
-  const stdout = await runGitCommand(
-    void 0,
-    ["--version"],
-    "Failed to get git version."
-  );
-  const match = stdout.match(/git version (\d+\.\d+\.\d+)/);
-  if (match?.[1]) {
-    return match[1];
-  }
-  throw new Error(`Could not parse Git version from output: ${stdout.trim()}`);
-}
 var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core7.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -91584,7 +91458,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -91707,7 +91581,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core7.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -91732,6 +91606,39 @@ async function isAnalyzingDefaultBranch() {
   return currentRef === defaultBranch;
 }
 
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+async function withGroupAsync(groupName, f) {
+  core8.startGroup(groupName);
+  try {
+    return await f();
+  } finally {
+    core8.endGroup();
+  }
+}
+function formatDuration(durationMs) {
+  if (durationMs < 1e3) {
+    return `${durationMs}ms`;
+  }
+  if (durationMs < 60 * 1e3) {
+    return `${(durationMs / 1e3).toFixed(1)}s`;
+  }
+  const minutes = Math.floor(durationMs / (60 * 1e3));
+  const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3);
+  return `${minutes}m${seconds}s`;
+}
+
 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.5";
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
@@ -91758,7 +91665,7 @@ async function readBaseDatabaseOidsFile(config, logger) {
   }
 }
 function getBaseDatabaseOidsFilePath(config) {
-  return path5.join(config.dbLocation, "base-database-oids.json");
+  return path4.join(config.dbLocation, "base-database-oids.json");
 }
 async function writeOverlayChangesFile(config, sourceRoot, logger) {
   const baseFileOids = await readBaseDatabaseOidsFile(config, logger);
@@ -91768,7 +91675,7 @@ async function writeOverlayChangesFile(config, sourceRoot, logger) {
     `Found ${changedFiles.length} changed file(s) under ${sourceRoot}.`
   );
   const changedFilesJson = JSON.stringify({ changes: changedFiles });
-  const overlayChangesFile = path5.join(
+  const overlayChangesFile = path4.join(
     getTemporaryDirectory(),
     "overlay-changes.json"
   );
@@ -92150,7 +92057,7 @@ var Features = class {
     this.gitHubFeatureFlags = new GitHubFeatureFlags(
       gitHubVersion,
       repositoryNwo,
-      path6.join(tempDir, FEATURE_FLAGS_FILE_NAME),
+      path5.join(tempDir, FEATURE_FLAGS_FILE_NAME),
       logger
     );
   }
@@ -92450,7 +92357,7 @@ var KnownLanguage = /* @__PURE__ */ ((KnownLanguage2) => {
 
 // src/trap-caching.ts
 var fs5 = __toESM(require("fs"));
-var path7 = __toESM(require("path"));
+var path6 = __toESM(require("path"));
 var actionsCache2 = __toESM(require_cache4());
 var CACHE_VERSION2 = 1;
 var CODEQL_TRAP_CACHE_PREFIX = "codeql-trap";
@@ -92466,12 +92373,12 @@ async function downloadTrapCaches(codeql, languages, logger) {
     `Found ${languagesSupportingCaching.length} languages that support TRAP caching`
   );
   if (languagesSupportingCaching.length === 0) return result;
-  const cachesDir = path7.join(
+  const cachesDir = path6.join(
     getTemporaryDirectory(),
     "trapCaches"
   );
   for (const language of languagesSupportingCaching) {
-    const cacheDir = path7.join(cachesDir, language);
+    const cacheDir = path6.join(cachesDir, language);
     fs5.mkdirSync(cacheDir, { recursive: true });
     result[language] = cacheDir;
   }
@@ -92484,7 +92391,7 @@ async function downloadTrapCaches(codeql, languages, logger) {
   let baseSha = "unknown";
   const eventPath = process.env.GITHUB_EVENT_PATH;
   if (getWorkflowEventName() === "pull_request" && eventPath !== void 0) {
-    const event = JSON.parse(fs5.readFileSync(path7.resolve(eventPath), "utf-8"));
+    const event = JSON.parse(fs5.readFileSync(path6.resolve(eventPath), "utf-8"));
     baseSha = event.pull_request?.base?.sha || baseSha;
   }
   for (const language of languages) {
@@ -92588,7 +92495,7 @@ async function getSupportedLanguageMap(codeql, logger) {
 }
 var baseWorkflowsPath = ".github/workflows";
 function hasActionsWorkflows(sourceRoot) {
-  const workflowsPath = path8.resolve(sourceRoot, baseWorkflowsPath);
+  const workflowsPath = path7.resolve(sourceRoot, baseWorkflowsPath);
   const stats = fs6.lstatSync(workflowsPath, { throwIfNoEntry: false });
   return stats !== void 0 && stats.isDirectory() && fs6.readdirSync(workflowsPath).length > 0;
 }
@@ -92755,8 +92662,8 @@ async function downloadCacheWithTime(trapCachingEnabled, codeQL, languages, logg
 async function loadUserConfig(logger, configFile, workspacePath, apiDetails, tempDir, validateConfig) {
   if (isLocal(configFile)) {
     if (configFile !== userConfigFromActionPath(tempDir)) {
-      configFile = path8.resolve(workspacePath, configFile);
-      if (!(configFile + path8.sep).startsWith(workspacePath + path8.sep)) {
+      configFile = path7.resolve(workspacePath, configFile);
+      if (!(configFile + path7.sep).startsWith(workspacePath + path7.sep)) {
         throw new ConfigurationError(
           getConfigFileOutsideWorkspaceErrorMessage(configFile)
         );
@@ -92836,7 +92743,7 @@ async function runnerSupportsOverlayAnalysis(ramInput, logger) {
   }
   return true;
 }
-async function getOverlayDatabaseMode(codeql, features, languages, sourceRoot, buildMode, ramInput, codeScanningConfig, gitVersion, logger) {
+async function getOverlayDatabaseMode(codeql, features, languages, sourceRoot, buildMode, ramInput, codeScanningConfig, logger) {
   let overlayDatabaseMode = "none" /* None */;
   let useOverlayDatabaseCaching = false;
   const modeEnv = process.env.CODEQL_OVERLAY_DATABASE_MODE;
@@ -92904,28 +92811,16 @@ async function getOverlayDatabaseMode(codeql, features, languages, sourceRoot, b
     );
     return nonOverlayAnalysis;
   }
-  if (gitVersion === void 0) {
-    logger.warning(
-      `Cannot build an ${overlayDatabaseMode} database because the Git version could not be determined. Falling back to creating a normal full database instead.`
-    );
-    return nonOverlayAnalysis;
-  }
-  if (!semver5.gte(gitVersion, GIT_MINIMUM_VERSION_FOR_OVERLAY)) {
-    logger.warning(
-      `Cannot build an ${overlayDatabaseMode} database because the installed Git version is older than ${GIT_MINIMUM_VERSION_FOR_OVERLAY}. Falling back to creating a normal full database instead.`
-    );
-    return nonOverlayAnalysis;
-  }
   return {
     overlayDatabaseMode,
     useOverlayDatabaseCaching
   };
 }
 function dbLocationOrDefault(dbLocation, tempDir) {
-  return dbLocation || path8.resolve(tempDir, "codeql_databases");
+  return dbLocation || path7.resolve(tempDir, "codeql_databases");
 }
 function userConfigFromActionPath(tempDir) {
-  return path8.resolve(tempDir, "user-config-from-action.yml");
+  return path7.resolve(tempDir, "user-config-from-action.yml");
 }
 function hasQueryCustomisation(userConfig) {
   return isDefined(userConfig["disable-default-queries"]) || isDefined(userConfig.queries) || isDefined(userConfig["query-filters"]);
@@ -92969,14 +92864,6 @@ async function initConfig(features, inputs) {
     config.computedConfig.queries = queries;
     config.computedConfig["query-filters"] = [];
   }
-  let gitVersion = void 0;
-  try {
-    gitVersion = await getGitVersionOrThrow();
-    logger.info(`Using Git version ${gitVersion}`);
-    await logGitVersionTelemetry(config, gitVersion);
-  } catch (e) {
-    logger.debug(`Could not determine Git version: ${getErrorMessage(e)}`);
-  }
   const { overlayDatabaseMode, useOverlayDatabaseCaching } = await getOverlayDatabaseMode(
     inputs.codeql,
     inputs.features,
@@ -92985,7 +92872,6 @@ async function initConfig(features, inputs) {
     config.buildMode,
     inputs.ramInput,
     config.computedConfig,
-    gitVersion,
     logger
   );
   logger.info(
@@ -93074,12 +92960,12 @@ async function getRemoteConfig(logger, configFile, apiDetails, validateConfig) {
   );
 }
 function getPathToParsedConfigFile(tempDir) {
-  return path8.join(tempDir, "config");
+  return path7.join(tempDir, "config");
 }
 async function saveConfig(config, logger) {
   const configString = JSON.stringify(config);
   const configFile = getPathToParsedConfigFile(config.tempDir);
-  fs6.mkdirSync(path8.dirname(configFile), { recursive: true });
+  fs6.mkdirSync(path7.dirname(configFile), { recursive: true });
   fs6.writeFileSync(configFile, configString, "utf8");
   logger.debug("Saved config:");
   logger.debug(configString);
@@ -93090,7 +92976,7 @@ async function generateRegistries(registriesInput, tempDir, logger) {
   let qlconfigFile;
   if (registries) {
     const qlconfig = createRegistriesBlock(registries);
-    qlconfigFile = path8.join(tempDir, "qlconfig.yml");
+    qlconfigFile = path7.join(tempDir, "qlconfig.yml");
     const qlconfigContents = dump(qlconfig);
     fs6.writeFileSync(qlconfigFile, qlconfigContents, "utf8");
     logger.debug("Generated qlconfig.yml:");
@@ -93188,49 +93074,34 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
 function isCodeQualityEnabled(config) {
   return config.analysisKinds.includes("code-quality" /* CodeQuality */);
 }
-async function logGitVersionTelemetry(config, gitVersion) {
-  if (config.languages.length > 0) {
-    addDiagnostic(
-      config,
-      // Arbitrarily choose the first language. We could also choose all languages, but that
-      // increases the risk of misinterpreting the data.
-      config.languages[0],
-      makeTelemetryDiagnostic(
-        "codeql-action/git-version-telemetry",
-        "Git version telemetry",
-        { gitVersion }
-      )
-    );
-  }
-}
 
 // src/dependency-caching.ts
 var os2 = __toESM(require("os"));
-var import_path2 = require("path");
+var import_path = require("path");
 var actionsCache3 = __toESM(require_cache4());
 var glob = __toESM(require_glob());
 var CODEQL_DEPENDENCY_CACHE_PREFIX = "codeql-dependencies";
 var CODEQL_DEPENDENCY_CACHE_VERSION = 1;
 function getJavaTempDependencyDir() {
-  return (0, import_path2.join)(getTemporaryDirectory(), "codeql_java", "repository");
+  return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository");
 }
 async function getJavaDependencyDirs() {
   return [
     // Maven
-    (0, import_path2.join)(os2.homedir(), ".m2", "repository"),
+    (0, import_path.join)(os2.homedir(), ".m2", "repository"),
     // Gradle
-    (0, import_path2.join)(os2.homedir(), ".gradle", "caches"),
+    (0, import_path.join)(os2.homedir(), ".gradle", "caches"),
     // CodeQL Java build-mode: none
     getJavaTempDependencyDir()
   ];
 }
 function getCsharpTempDependencyDir() {
-  return (0, import_path2.join)(getTemporaryDirectory(), "codeql_csharp", "repository");
+  return (0, import_path.join)(getTemporaryDirectory(), "codeql_csharp", "repository");
 }
 async function getCsharpDependencyDirs(codeql, features) {
   const dirs = [
     // Nuget
-    (0, import_path2.join)(os2.homedir(), ".nuget", "packages")
+    (0, import_path.join)(os2.homedir(), ".nuget", "packages")
   ];
   if (await features.getValue("csharp_cache_bmn" /* CsharpCacheBuildModeNone */, codeql)) {
     dirs.push(getCsharpTempDependencyDir());
@@ -93285,7 +93156,7 @@ var defaultCacheConfigs = {
     getHashPatterns: getCsharpHashPatterns
   },
   go: {
-    getDependencyPaths: async () => [(0, import_path2.join)(os2.homedir(), "go", "pkg", "mod")],
+    getDependencyPaths: async () => [(0, import_path.join)(os2.homedir(), "go", "pkg", "mod")],
     getHashPatterns: async () => internal.makePatternCheck(["**/go.sum"])
   }
 };
@@ -93393,6 +93264,73 @@ var internal = {
   makePatternCheck
 };
 
+// src/diagnostics.ts
+var import_fs = require("fs");
+var import_path2 = __toESM(require("path"));
+var unwrittenDiagnostics = [];
+function makeDiagnostic(id, name, data = void 0) {
+  return {
+    ...data,
+    timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
+    source: { ...data?.source, id, name }
+  };
+}
+function addDiagnostic(config, language, diagnostic) {
+  const logger = getActionsLogger();
+  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
+  if ((0, import_fs.existsSync)(databasePath)) {
+    writeDiagnostic(config, language, diagnostic);
+  } else {
+    logger.debug(
+      `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.`
+    );
+    unwrittenDiagnostics.push({ diagnostic, language });
+  }
+}
+function writeDiagnostic(config, language, diagnostic) {
+  const logger = getActionsLogger();
+  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
+  const diagnosticsPath = import_path2.default.resolve(
+    databasePath,
+    "diagnostic",
+    "codeql-action"
+  );
+  try {
+    (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true });
+    const jsonPath = import_path2.default.resolve(
+      diagnosticsPath,
+      // Remove colons from the timestamp as these are not allowed in Windows filenames.
+      `codeql-action-${diagnostic.timestamp.replaceAll(":", "")}.json`
+    );
+    (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic));
+  } catch (err) {
+    logger.warning(`Unable to write diagnostic message to database: ${err}`);
+    logger.debug(JSON.stringify(diagnostic));
+  }
+}
+function logUnwrittenDiagnostics() {
+  const logger = getActionsLogger();
+  const num = unwrittenDiagnostics.length;
+  if (num > 0) {
+    logger.warning(
+      `${num} diagnostic(s) could not be written to the database and will not appear on the Tool Status Page.`
+    );
+    for (const unwritten of unwrittenDiagnostics) {
+      logger.debug(JSON.stringify(unwritten.diagnostic));
+    }
+  }
+}
+function flushDiagnostics(config) {
+  const logger = getActionsLogger();
+  logger.debug(
+    `Writing ${unwrittenDiagnostics.length} diagnostic(s) to database.`
+  );
+  for (const unwritten of unwrittenDiagnostics) {
+    writeDiagnostic(config, unwritten.language, unwritten.diagnostic);
+  }
+  unwrittenDiagnostics = [];
+}
+
 // src/init.ts
 var fs12 = __toESM(require("fs"));
 var path13 = __toESM(require("path"));
@@ -93650,7 +93588,7 @@ var fs9 = __toESM(require("fs"));
 var path10 = __toESM(require("path"));
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 
 // src/tar.ts
 var import_child_process = require("child_process");
@@ -93659,7 +93597,7 @@ var stream = __toESM(require("stream"));
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver5 = __toESM(require_semver2());
 var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
 var MIN_REQUIRED_GNU_TAR_VERSION = "1.31";
 async function getTarVersion() {
@@ -93701,9 +93639,9 @@ async function isZstdAvailable(logger) {
       case "gnu":
         return {
           available: foundZstdBinary && // GNU tar only uses major and minor version numbers
-          semver6.gte(
-            semver6.coerce(version),
-            semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
+          semver5.gte(
+            semver5.coerce(version),
+            semver5.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
           ),
           foundZstdBinary,
           version: tarVersion
@@ -93712,7 +93650,7 @@ async function isZstdAvailable(logger) {
         return {
           available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain
           // a patch version number.
-          semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
+          semver5.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
           foundZstdBinary,
           version: tarVersion
         };
@@ -93819,7 +93757,7 @@ var core9 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 var TOOLCACHE_TOOL_NAME = "CodeQL";
 function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) {
@@ -93949,7 +93887,7 @@ function getToolcacheDirectory(version) {
   return path9.join(
     getRequiredEnvParam("RUNNER_TOOL_CACHE"),
     TOOLCACHE_TOOL_NAME,
-    semver7.clean(version) || version,
+    semver6.clean(version) || version,
     os3.arch() || ""
   );
 }
@@ -94074,13 +94012,13 @@ function tryGetTagNameFromUrl(url, logger) {
   return match[1];
 }
 function convertToSemVer(version, logger) {
-  if (!semver8.valid(version)) {
+  if (!semver7.valid(version)) {
     logger.debug(
       `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`
     );
     version = `0.0.0-${version}`;
   }
-  const s = semver8.clean(version);
+  const s = semver7.clean(version);
   if (!s) {
     throw new Error(`Bundle version ${version} is not in SemVer format.`);
   }
@@ -94188,7 +94126,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
     url = toolsInput;
     if (tagName) {
       const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger);
-      if (bundleVersion3 && semver8.valid(bundleVersion3)) {
+      if (bundleVersion3 && semver7.valid(bundleVersion3)) {
         cliVersion2 = convertToSemVer(bundleVersion3, logger);
       }
     }
@@ -94459,7 +94397,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
 async function useZstdBundle(cliVersion2, tarSupportsZstd) {
   return (
     // In testing, gzip performs better than zstd on Windows.
-    process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
+    process.platform !== "win32" && tarSupportsZstd && semver7.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
   );
 }
 function getTempExtractionDir(tempDir) {
@@ -94491,7 +94429,7 @@ async function getNightlyToolsUrl(logger) {
   }
 }
 function getLatestToolcacheVersion(logger) {
-  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a));
+  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver7.compare(b, a));
   logger.debug(
     `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
       allVersions
@@ -95869,12 +95807,12 @@ async function run() {
       const experimental = "2.19.3";
       const publicPreview = "2.22.1";
       const actualVer = (await codeql.getVersion()).version;
-      if (semver9.lt(actualVer, experimental)) {
+      if (semver8.lt(actualVer, experimental)) {
         throw new ConfigurationError(
           `Rust analysis is supported by CodeQL CLI version ${experimental} or higher, but found version ${actualVer}`
         );
       }
-      if (semver9.lt(actualVer, publicPreview)) {
+      if (semver8.lt(actualVer, publicPreview)) {
         core13.exportVariable("CODEQL_ENABLE_EXPERIMENTAL_FEATURES" /* EXPERIMENTAL_FEATURES */, "true");
         logger.info("Experimental Rust analysis enabled");
       }
@@ -95957,10 +95895,17 @@ async function run() {
         // Arbitrarily choose the first language. We could also choose all languages, but that
         // increases the risk of misinterpreting the data.
         config.languages[0],
-        makeTelemetryDiagnostic(
+        makeDiagnostic(
           "codeql-action/bundle-download-telemetry",
           "CodeQL bundle download telemetry",
-          toolsDownloadStatusReport
+          {
+            attributes: toolsDownloadStatusReport,
+            visibility: {
+              cliSummaryTable: false,
+              statusPage: false,
+              telemetry: true
+            }
+          }
         )
       );
     }
@@ -96206,10 +96151,17 @@ async function recordZstdAvailability(config, zstdAvailability) {
     // Arbitrarily choose the first language. We could also choose all languages, but that
     // increases the risk of misinterpreting the data.
     config.languages[0],
-    makeTelemetryDiagnostic(
+    makeDiagnostic(
       "codeql-action/zstd-availability",
       "Zstandard availability",
-      zstdAvailability
+      {
+        attributes: zstdAvailability,
+        visibility: {
+          cliSummaryTable: false,
+          statusPage: false,
+          telemetry: true
+        }
+      }
     )
   );
 }

lib/resolve-environment-action.js

@@ -26127,8 +26127,8 @@ var require_gte = __commonJS({
   "node_modules/semver/functions/gte.js"(exports2, module2) {
     "use strict";
     var compare2 = require_compare();
-    var gte6 = (a, b, loose) => compare2(a, b, loose) >= 0;
-    module2.exports = gte6;
+    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
+    module2.exports = gte5;
   }
 });
 
@@ -26149,7 +26149,7 @@ var require_cmp = __commonJS({
     var eq = require_eq();
     var neq = require_neq();
     var gt = require_gt();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lt = require_lt();
     var lte = require_lte();
     var cmp = (a, op, b, loose) => {
@@ -26179,7 +26179,7 @@ var require_cmp = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -26938,7 +26938,7 @@ var require_outside = __commonJS({
     var gt = require_gt();
     var lt = require_lt();
     var lte = require_lte();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var outside = (version, range, hilo, options) => {
       version = new SemVer(version, options);
       range = new Range2(range, options);
@@ -26953,7 +26953,7 @@ var require_outside = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -27268,7 +27268,7 @@ var require_semver2 = __commonJS({
     var lt = require_lt();
     var eq = require_eq();
     var neq = require_neq();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lte = require_lte();
     var cmp = require_cmp();
     var coerce3 = require_coerce();
@@ -27306,7 +27306,7 @@ var require_semver2 = __commonJS({
       lt,
       eq,
       neq,
-      gte: gte6,
+      gte: gte5,
       lte,
       cmp,
       coerce: coerce3,
@@ -33489,7 +33489,7 @@ var require_brace_expansion = __commonJS({
     function lte(i, y) {
       return i <= y;
     }
-    function gte6(i, y) {
+    function gte5(i, y) {
       return i >= y;
     }
     function expand(str2, isTop) {
@@ -33534,7 +33534,7 @@ var require_brace_expansion = __commonJS({
         var reverse = y < x;
         if (reverse) {
           incr *= -1;
-          test = gte6;
+          test = gte5;
         }
         var pad = n.some(isPadded);
         N = [];
@@ -35435,8 +35435,8 @@ var require_semver3 = __commonJS({
     function neq(a, b, loose) {
       return compare2(a, b, loose) !== 0;
     }
-    exports2.gte = gte6;
-    function gte6(a, b, loose) {
+    exports2.gte = gte5;
+    function gte5(a, b, loose) {
       return compare2(a, b, loose) >= 0;
     }
     exports2.lte = lte;
@@ -35467,7 +35467,7 @@ var require_semver3 = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -36012,7 +36012,7 @@ var require_semver3 = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -36232,7 +36232,7 @@ var require_cacheUtils = __commonJS({
     var crypto2 = __importStar2(require("crypto"));
     var fs5 = __importStar2(require("fs"));
     var path5 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver8 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -36325,7 +36325,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver8.clean(versionOutput);
         core13.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -85918,7 +85918,7 @@ var require_manifest = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2._readLinuxVersionFile = exports2._getOsVersion = exports2._findMatch = void 0;
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var core_1 = require_core3();
     var os2 = require("os");
     var cp = require("child_process");
@@ -85932,7 +85932,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver8.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -85941,7 +85941,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver8.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -86171,7 +86171,7 @@ var require_tool_cache = __commonJS({
     var os2 = __importStar2(require("os"));
     var path5 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib5());
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var stream = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -86445,7 +86445,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch = arch || os2.arch();
         core13.debug(`Caching tool ${tool} ${version} ${arch}`);
         core13.debug(`source dir: ${sourceDir}`);
@@ -86464,7 +86464,7 @@ var require_tool_cache = __commonJS({
     exports2.cacheDir = cacheDir;
     function cacheFile(sourceFile, targetFile, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch = arch || os2.arch();
         core13.debug(`Caching tool ${tool} ${version} ${arch}`);
         core13.debug(`source file: ${sourceFile}`);
@@ -86495,7 +86495,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver8.clean(versionSpec) || "";
         const cachePath = path5.join(_getCacheDirectory(), toolName, versionSpec, arch);
         core13.debug(`checking cache: ${cachePath}`);
         if (fs5.existsSync(cachePath) && fs5.existsSync(`${cachePath}.complete`)) {
@@ -86579,7 +86579,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path5.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+        const folderPath = path5.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch || "");
         core13.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io5.rmRF(folderPath);
@@ -86589,15 +86589,15 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch) {
-      const folderPath = path5.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+      const folderPath = path5.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch || "");
       const markerPath = `${folderPath}.complete`;
       fs5.writeFileSync(markerPath, "");
       core13.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver8.clean(versionSpec) || "";
       core13.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
+      const valid3 = semver8.valid(c) != null;
       core13.debug(`explicit? ${valid3}`);
       return valid3;
     }
@@ -86606,14 +86606,14 @@ var require_tool_cache = __commonJS({
       let version = "";
       core13.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver8.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver8.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -90552,7 +90552,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs3 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var semver5 = __toESM(require_semver2());
 
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -90575,20 +90574,6 @@ var PACK_IDENTIFIER_PATTERN = (function() {
   return new RegExp(`^${component}/${component}$`);
 })();
 
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
 var semver4 = __toESM(require_semver2());
 
@@ -90598,13 +90583,13 @@ var path2 = __toESM(require("path"));
 var actionsCache = __toESM(require_cache4());
 
 // src/git-utils.ts
-var core8 = __toESM(require_core());
+var core7 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core7.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -90624,7 +90609,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -90735,7 +90720,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core7.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -90760,6 +90745,20 @@ async function isAnalyzingDefaultBranch() {
   return currentRef === defaultBranch;
 }
 
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.5";
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
@@ -91105,20 +91104,20 @@ var toolrunner3 = __toESM(require_toolrunner());
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 
 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver5 = __toESM(require_semver2());
 
 // src/tools-download.ts
 var core9 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 
 // src/tracer-config.ts

lib/setup-codeql-action.js

@@ -26127,8 +26127,8 @@ var require_gte = __commonJS({
   "node_modules/semver/functions/gte.js"(exports2, module2) {
     "use strict";
     var compare2 = require_compare();
-    var gte6 = (a, b, loose) => compare2(a, b, loose) >= 0;
-    module2.exports = gte6;
+    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
+    module2.exports = gte5;
   }
 });
 
@@ -26149,7 +26149,7 @@ var require_cmp = __commonJS({
     var eq = require_eq();
     var neq = require_neq();
     var gt = require_gt();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lt = require_lt();
     var lte = require_lte();
     var cmp = (a, op, b, loose) => {
@@ -26179,7 +26179,7 @@ var require_cmp = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -26938,7 +26938,7 @@ var require_outside = __commonJS({
     var gt = require_gt();
     var lt = require_lt();
     var lte = require_lte();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var outside = (version, range, hilo, options) => {
       version = new SemVer(version, options);
       range = new Range2(range, options);
@@ -26953,7 +26953,7 @@ var require_outside = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -27268,7 +27268,7 @@ var require_semver2 = __commonJS({
     var lt = require_lt();
     var eq = require_eq();
     var neq = require_neq();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lte = require_lte();
     var cmp = require_cmp();
     var coerce3 = require_coerce();
@@ -27306,7 +27306,7 @@ var require_semver2 = __commonJS({
       lt,
       eq,
       neq,
-      gte: gte6,
+      gte: gte5,
       lte,
       cmp,
       coerce: coerce3,
@@ -32192,7 +32192,7 @@ var require_brace_expansion = __commonJS({
     function lte(i, y) {
       return i <= y;
     }
-    function gte6(i, y) {
+    function gte5(i, y) {
       return i >= y;
     }
     function expand(str2, isTop) {
@@ -32237,7 +32237,7 @@ var require_brace_expansion = __commonJS({
         var reverse = y < x;
         if (reverse) {
           incr *= -1;
-          test = gte6;
+          test = gte5;
         }
         var pad = n.some(isPadded);
         N = [];
@@ -34138,8 +34138,8 @@ var require_semver3 = __commonJS({
     function neq(a, b, loose) {
       return compare2(a, b, loose) !== 0;
     }
-    exports2.gte = gte6;
-    function gte6(a, b, loose) {
+    exports2.gte = gte5;
+    function gte5(a, b, loose) {
       return compare2(a, b, loose) >= 0;
     }
     exports2.lte = lte;
@@ -34170,7 +34170,7 @@ var require_semver3 = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -34715,7 +34715,7 @@ var require_semver3 = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -34935,7 +34935,7 @@ var require_cacheUtils = __commonJS({
     var crypto2 = __importStar2(require("crypto"));
     var fs9 = __importStar2(require("fs"));
     var path8 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver8 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -35028,7 +35028,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver8.clean(versionOutput);
         core13.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -85918,7 +85918,7 @@ var require_manifest = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2._readLinuxVersionFile = exports2._getOsVersion = exports2._findMatch = void 0;
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var core_1 = require_core3();
     var os3 = require("os");
     var cp = require("child_process");
@@ -85932,7 +85932,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver8.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -85941,7 +85941,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver8.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -86171,7 +86171,7 @@ var require_tool_cache = __commonJS({
     var os3 = __importStar2(require("os"));
     var path8 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib5());
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var stream2 = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -86445,7 +86445,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch2 = arch2 || os3.arch();
         core13.debug(`Caching tool ${tool} ${version} ${arch2}`);
         core13.debug(`source dir: ${sourceDir}`);
@@ -86464,7 +86464,7 @@ var require_tool_cache = __commonJS({
     exports2.cacheDir = cacheDir;
     function cacheFile(sourceFile, targetFile, tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch2 = arch2 || os3.arch();
         core13.debug(`Caching tool ${tool} ${version} ${arch2}`);
         core13.debug(`source file: ${sourceFile}`);
@@ -86495,7 +86495,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver8.clean(versionSpec) || "";
         const cachePath = path8.join(_getCacheDirectory(), toolName, versionSpec, arch2);
         core13.debug(`checking cache: ${cachePath}`);
         if (fs9.existsSync(cachePath) && fs9.existsSync(`${cachePath}.complete`)) {
@@ -86579,7 +86579,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path8.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
+        const folderPath = path8.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch2 || "");
         core13.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io6.rmRF(folderPath);
@@ -86589,15 +86589,15 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch2) {
-      const folderPath = path8.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
+      const folderPath = path8.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch2 || "");
       const markerPath = `${folderPath}.complete`;
       fs9.writeFileSync(markerPath, "");
       core13.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver8.clean(versionSpec) || "";
       core13.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
+      const valid3 = semver8.valid(c) != null;
       core13.debug(`explicit? ${valid3}`);
       return valid3;
     }
@@ -86606,14 +86606,14 @@ var require_tool_cache = __commonJS({
       let version = "";
       core13.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver8.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver8.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -91451,9 +91451,6 @@ function wrapCliConfigurationError(cliError) {
   return new ConfigurationError(errorMessageBuilder);
 }
 
-// src/config-utils.ts
-var semver5 = __toESM(require_semver2());
-
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
   AnalysisKind2["CodeScanning"] = "code-scanning";
@@ -91527,7 +91524,7 @@ var fs7 = __toESM(require("fs"));
 var path6 = __toESM(require("path"));
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 
 // src/tar.ts
 var import_child_process = require("child_process");
@@ -91536,7 +91533,7 @@ var stream = __toESM(require("stream"));
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver5 = __toESM(require_semver2());
 var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
 var MIN_REQUIRED_GNU_TAR_VERSION = "1.31";
 async function getTarVersion() {
@@ -91578,9 +91575,9 @@ async function isZstdAvailable(logger) {
       case "gnu":
         return {
           available: foundZstdBinary && // GNU tar only uses major and minor version numbers
-          semver6.gte(
-            semver6.coerce(version),
-            semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
+          semver5.gte(
+            semver5.coerce(version),
+            semver5.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
           ),
           foundZstdBinary,
           version: tarVersion
@@ -91589,7 +91586,7 @@ async function isZstdAvailable(logger) {
         return {
           available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain
           // a patch version number.
-          semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
+          semver5.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
           foundZstdBinary,
           version: tarVersion
         };
@@ -91696,7 +91693,7 @@ var core9 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 var TOOLCACHE_TOOL_NAME = "CodeQL";
 function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) {
@@ -91826,7 +91823,7 @@ function getToolcacheDirectory(version) {
   return path5.join(
     getRequiredEnvParam("RUNNER_TOOL_CACHE"),
     TOOLCACHE_TOOL_NAME,
-    semver7.clean(version) || version,
+    semver6.clean(version) || version,
     os.arch() || ""
   );
 }
@@ -91951,13 +91948,13 @@ function tryGetTagNameFromUrl(url, logger) {
   return match[1];
 }
 function convertToSemVer(version, logger) {
-  if (!semver8.valid(version)) {
+  if (!semver7.valid(version)) {
     logger.debug(
       `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`
     );
     version = `0.0.0-${version}`;
   }
-  const s = semver8.clean(version);
+  const s = semver7.clean(version);
   if (!s) {
     throw new Error(`Bundle version ${version} is not in SemVer format.`);
   }
@@ -92065,7 +92062,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
     url = toolsInput;
     if (tagName) {
       const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger);
-      if (bundleVersion3 && semver8.valid(bundleVersion3)) {
+      if (bundleVersion3 && semver7.valid(bundleVersion3)) {
         cliVersion2 = convertToSemVer(bundleVersion3, logger);
       }
     }
@@ -92336,7 +92333,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
 async function useZstdBundle(cliVersion2, tarSupportsZstd) {
   return (
     // In testing, gzip performs better than zstd on Windows.
-    process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
+    process.platform !== "win32" && tarSupportsZstd && semver7.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
   );
 }
 function getTempExtractionDir(tempDir) {
@@ -92368,7 +92365,7 @@ async function getNightlyToolsUrl(logger) {
   }
 }
 function getLatestToolcacheVersion(logger) {
-  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a));
+  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver7.compare(b, a));
   logger.debug(
     `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
       allVersions

lib/start-proxy-action-post.js

@@ -19569,11 +19569,11 @@ var require_exec = __commonJS({
       });
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.exec = exec;
+    exports2.exec = exec3;
     exports2.getExecOutput = getExecOutput;
     var string_decoder_1 = require("string_decoder");
     var tr = __importStar2(require_toolrunner());
-    function exec(commandLine, args, options) {
+    function exec3(commandLine, args, options) {
       return __awaiter2(this, void 0, void 0, function* () {
         const commandArgs = tr.argStringToArray(commandLine);
         if (commandArgs.length === 0) {
@@ -19607,7 +19607,7 @@ var require_exec = __commonJS({
           }
         };
         const listeners = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.listeners), { stdout: stdOutListener, stderr: stdErrListener });
-        const exitCode = yield exec(commandLine, args, Object.assign(Object.assign({}, options), { listeners }));
+        const exitCode = yield exec3(commandLine, args, Object.assign(Object.assign({}, options), { listeners }));
         stdout += stdoutDecoder.end();
         stderr += stderrDecoder.end();
         return {
@@ -19695,12 +19695,12 @@ var require_platform = __commonJS({
     exports2.isLinux = exports2.isMacOS = exports2.isWindows = exports2.arch = exports2.platform = void 0;
     exports2.getDetails = getDetails;
     var os_1 = __importDefault2(require("os"));
-    var exec = __importStar2(require_exec());
+    var exec3 = __importStar2(require_exec());
     var getWindowsInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
-      const { stdout: version } = yield exec.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Version"', void 0, {
+      const { stdout: version } = yield exec3.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Version"', void 0, {
         silent: true
       });
-      const { stdout: name } = yield exec.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Caption"', void 0, {
+      const { stdout: name } = yield exec3.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Caption"', void 0, {
         silent: true
       });
       return {
@@ -19710,7 +19710,7 @@ var require_platform = __commonJS({
     });
     var getMacOsInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
       var _a, _b, _c, _d;
-      const { stdout } = yield exec.getExecOutput("sw_vers", void 0, {
+      const { stdout } = yield exec3.getExecOutput("sw_vers", void 0, {
         silent: true
       });
       const version = (_b = (_a = stdout.match(/ProductVersion:\s*(.+)/)) === null || _a === void 0 ? void 0 : _a[1]) !== null && _b !== void 0 ? _b : "";
@@ -19721,7 +19721,7 @@ var require_platform = __commonJS({
       };
     });
     var getLinuxInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
-      const { stdout } = yield exec.getExecOutput("lsb_release", ["-i", "-r", "-s"], {
+      const { stdout } = yield exec3.getExecOutput("lsb_release", ["-i", "-r", "-s"], {
         silent: true
       });
       const [name, version] = stdout.trim().split("\n");
@@ -19819,7 +19819,7 @@ var require_core = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.platform = exports2.toPlatformPath = exports2.toWin32Path = exports2.toPosixPath = exports2.markdownSummary = exports2.summary = exports2.ExitCode = void 0;
-    exports2.exportVariable = exportVariable5;
+    exports2.exportVariable = exportVariable6;
     exports2.setSecret = setSecret;
     exports2.addPath = addPath;
     exports2.getInput = getInput2;
@@ -19851,7 +19851,7 @@ var require_core = __commonJS({
       ExitCode2[ExitCode2["Success"] = 0] = "Success";
       ExitCode2[ExitCode2["Failure"] = 1] = "Failure";
     })(ExitCode || (exports2.ExitCode = ExitCode = {}));
-    function exportVariable5(name, val) {
+    function exportVariable6(name, val) {
       const convertedVal = (0, utils_1.toCommandValue)(val);
       process.env[name] = convertedVal;
       const filePath = process.env["GITHUB_ENV"] || "";
@@ -26127,8 +26127,8 @@ var require_gte = __commonJS({
   "node_modules/semver/functions/gte.js"(exports2, module2) {
     "use strict";
     var compare2 = require_compare();
-    var gte6 = (a, b, loose) => compare2(a, b, loose) >= 0;
-    module2.exports = gte6;
+    var gte5 = (a, b, loose) => compare2(a, b, loose) >= 0;
+    module2.exports = gte5;
   }
 });
 
@@ -26149,7 +26149,7 @@ var require_cmp = __commonJS({
     var eq = require_eq();
     var neq = require_neq();
     var gt = require_gt();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lt = require_lt();
     var lte = require_lte();
     var cmp = (a, op, b, loose) => {
@@ -26179,7 +26179,7 @@ var require_cmp = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -26938,7 +26938,7 @@ var require_outside = __commonJS({
     var gt = require_gt();
     var lt = require_lt();
     var lte = require_lte();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var outside = (version, range, hilo, options) => {
       version = new SemVer(version, options);
       range = new Range2(range, options);
@@ -26953,7 +26953,7 @@ var require_outside = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -27268,7 +27268,7 @@ var require_semver2 = __commonJS({
     var lt = require_lt();
     var eq = require_eq();
     var neq = require_neq();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lte = require_lte();
     var cmp = require_cmp();
     var coerce3 = require_coerce();
@@ -27306,7 +27306,7 @@ var require_semver2 = __commonJS({
       lt,
       eq,
       neq,
-      gte: gte6,
+      gte: gte5,
       lte,
       cmp,
       coerce: coerce3,
@@ -32654,7 +32654,7 @@ var require_exec2 = __commonJS({
     exports2.getExecOutput = exports2.exec = void 0;
     var string_decoder_1 = require("string_decoder");
     var tr = __importStar2(require_toolrunner2());
-    function exec(commandLine, args, options) {
+    function exec3(commandLine, args, options) {
       return __awaiter2(this, void 0, void 0, function* () {
         const commandArgs = tr.argStringToArray(commandLine);
         if (commandArgs.length === 0) {
@@ -32666,7 +32666,7 @@ var require_exec2 = __commonJS({
         return runner.exec();
       });
     }
-    exports2.exec = exec;
+    exports2.exec = exec3;
     function getExecOutput(commandLine, args, options) {
       var _a, _b;
       return __awaiter2(this, void 0, void 0, function* () {
@@ -32689,7 +32689,7 @@ var require_exec2 = __commonJS({
           }
         };
         const listeners = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.listeners), { stdout: stdOutListener, stderr: stdErrListener });
-        const exitCode = yield exec(commandLine, args, Object.assign(Object.assign({}, options), { listeners }));
+        const exitCode = yield exec3(commandLine, args, Object.assign(Object.assign({}, options), { listeners }));
         stdout += stdoutDecoder.end();
         stderr += stderrDecoder.end();
         return {
@@ -32767,12 +32767,12 @@ var require_platform2 = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.getDetails = exports2.isLinux = exports2.isMacOS = exports2.isWindows = exports2.arch = exports2.platform = void 0;
     var os_1 = __importDefault2(require("os"));
-    var exec = __importStar2(require_exec2());
+    var exec3 = __importStar2(require_exec2());
     var getWindowsInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
-      const { stdout: version } = yield exec.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Version"', void 0, {
+      const { stdout: version } = yield exec3.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Version"', void 0, {
         silent: true
       });
-      const { stdout: name } = yield exec.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Caption"', void 0, {
+      const { stdout: name } = yield exec3.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Caption"', void 0, {
         silent: true
       });
       return {
@@ -32782,7 +32782,7 @@ var require_platform2 = __commonJS({
     });
     var getMacOsInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
       var _a, _b, _c, _d;
-      const { stdout } = yield exec.getExecOutput("sw_vers", void 0, {
+      const { stdout } = yield exec3.getExecOutput("sw_vers", void 0, {
         silent: true
       });
       const version = (_b = (_a = stdout.match(/ProductVersion:\s*(.+)/)) === null || _a === void 0 ? void 0 : _a[1]) !== null && _b !== void 0 ? _b : "";
@@ -32793,7 +32793,7 @@ var require_platform2 = __commonJS({
       };
     });
     var getLinuxInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
-      const { stdout } = yield exec.getExecOutput("lsb_release", ["-i", "-r", "-s"], {
+      const { stdout } = yield exec3.getExecOutput("lsb_release", ["-i", "-r", "-s"], {
         silent: true
       });
       const [name, version] = stdout.trim().split("\n");
@@ -32893,7 +32893,7 @@ var require_core2 = __commonJS({
       ExitCode2[ExitCode2["Success"] = 0] = "Success";
       ExitCode2[ExitCode2["Failure"] = 1] = "Failure";
     })(ExitCode || (exports2.ExitCode = ExitCode = {}));
-    function exportVariable5(name, val) {
+    function exportVariable6(name, val) {
       const convertedVal = (0, utils_1.toCommandValue)(val);
       process.env[name] = convertedVal;
       const filePath = process.env["GITHUB_ENV"] || "";
@@ -32902,7 +32902,7 @@ var require_core2 = __commonJS({
       }
       (0, command_1.issueCommand)("set-env", { name }, convertedVal);
     }
-    exports2.exportVariable = exportVariable5;
+    exports2.exportVariable = exportVariable6;
     function setSecret(secret) {
       (0, command_1.issueCommand)("add-mask", {}, secret);
     }
@@ -33489,7 +33489,7 @@ var require_brace_expansion = __commonJS({
     function lte(i, y) {
       return i <= y;
     }
-    function gte6(i, y) {
+    function gte5(i, y) {
       return i >= y;
     }
     function expand(str2, isTop) {
@@ -33534,7 +33534,7 @@ var require_brace_expansion = __commonJS({
         var reverse = y < x;
         if (reverse) {
           incr *= -1;
-          test = gte6;
+          test = gte5;
         }
         var pad = n.some(isPadded);
         N = [];
@@ -35435,8 +35435,8 @@ var require_semver3 = __commonJS({
     function neq(a, b, loose) {
       return compare2(a, b, loose) !== 0;
     }
-    exports2.gte = gte6;
-    function gte6(a, b, loose) {
+    exports2.gte = gte5;
+    function gte5(a, b, loose) {
       return compare2(a, b, loose) >= 0;
     }
     exports2.lte = lte;
@@ -35467,7 +35467,7 @@ var require_semver3 = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -36012,7 +36012,7 @@ var require_semver3 = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -36226,13 +36226,13 @@ var require_cacheUtils = __commonJS({
     exports2.getCacheVersion = getCacheVersion;
     exports2.getRuntimeToken = getRuntimeToken;
     var core14 = __importStar2(require_core());
-    var exec = __importStar2(require_exec());
+    var exec3 = __importStar2(require_exec());
     var glob2 = __importStar2(require_glob());
     var io6 = __importStar2(require_io());
     var crypto2 = __importStar2(require("crypto"));
     var fs2 = __importStar2(require("fs"));
     var path2 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver8 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -36306,7 +36306,7 @@ var require_cacheUtils = __commonJS({
         additionalArgs.push("--version");
         core14.debug(`Checking ${app} ${additionalArgs.join(" ")}`);
         try {
-          yield exec.exec(`${app}`, additionalArgs, {
+          yield exec3.exec(`${app}`, additionalArgs, {
             ignoreReturnCode: true,
             silent: true,
             listeners: {
@@ -36325,7 +36325,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver8.clean(versionOutput);
         core14.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -86078,7 +86078,7 @@ var require_brace_expansion2 = __commonJS({
     function lte(i, y) {
       return i <= y;
     }
-    function gte6(i, y) {
+    function gte5(i, y) {
       return i >= y;
     }
     function expand(str2, isTop) {
@@ -86128,7 +86128,7 @@ var require_brace_expansion2 = __commonJS({
           var reverse = y < x;
           if (reverse) {
             incr *= -1;
-            test = gte6;
+            test = gte5;
           }
           var pad = n.some(isPadded);
           N = [];
@@ -99433,7 +99433,7 @@ var require_commonjs19 = __commonJS({
     function lte(i, y) {
       return i <= y;
     }
-    function gte6(i, y) {
+    function gte5(i, y) {
       return i >= y;
     }
     function expand_(str2, isTop) {
@@ -99482,7 +99482,7 @@ var require_commonjs19 = __commonJS({
           const reverse = y < x;
           if (reverse) {
             incr *= -1;
-            test = gte6;
+            test = gte5;
           }
           const pad = n.some(isPadded);
           N = [];
@@ -116499,7 +116499,7 @@ var require_exec3 = __commonJS({
     exports2.getExecOutput = exports2.exec = void 0;
     var string_decoder_1 = require("string_decoder");
     var tr = __importStar2(require_toolrunner3());
-    function exec(commandLine, args, options) {
+    function exec3(commandLine, args, options) {
       return __awaiter2(this, void 0, void 0, function* () {
         const commandArgs = tr.argStringToArray(commandLine);
         if (commandArgs.length === 0) {
@@ -116511,7 +116511,7 @@ var require_exec3 = __commonJS({
         return runner.exec();
       });
     }
-    exports2.exec = exec;
+    exports2.exec = exec3;
     function getExecOutput(commandLine, args, options) {
       var _a, _b;
       return __awaiter2(this, void 0, void 0, function* () {
@@ -116534,7 +116534,7 @@ var require_exec3 = __commonJS({
           }
         };
         const listeners = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.listeners), { stdout: stdOutListener, stderr: stdErrListener });
-        const exitCode = yield exec(commandLine, args, Object.assign(Object.assign({}, options), { listeners }));
+        const exitCode = yield exec3(commandLine, args, Object.assign(Object.assign({}, options), { listeners }));
         stdout += stdoutDecoder.end();
         stderr += stderrDecoder.end();
         return {
@@ -116612,12 +116612,12 @@ var require_platform3 = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.getDetails = exports2.isLinux = exports2.isMacOS = exports2.isWindows = exports2.arch = exports2.platform = void 0;
     var os_1 = __importDefault2(require("os"));
-    var exec = __importStar2(require_exec3());
+    var exec3 = __importStar2(require_exec3());
     var getWindowsInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
-      const { stdout: version } = yield exec.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Version"', void 0, {
+      const { stdout: version } = yield exec3.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Version"', void 0, {
         silent: true
       });
-      const { stdout: name } = yield exec.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Caption"', void 0, {
+      const { stdout: name } = yield exec3.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Caption"', void 0, {
         silent: true
       });
       return {
@@ -116627,7 +116627,7 @@ var require_platform3 = __commonJS({
     });
     var getMacOsInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
       var _a, _b, _c, _d;
-      const { stdout } = yield exec.getExecOutput("sw_vers", void 0, {
+      const { stdout } = yield exec3.getExecOutput("sw_vers", void 0, {
         silent: true
       });
       const version = (_b = (_a = stdout.match(/ProductVersion:\s*(.+)/)) === null || _a === void 0 ? void 0 : _a[1]) !== null && _b !== void 0 ? _b : "";
@@ -116638,7 +116638,7 @@ var require_platform3 = __commonJS({
       };
     });
     var getLinuxInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
-      const { stdout } = yield exec.getExecOutput("lsb_release", ["-i", "-r", "-s"], {
+      const { stdout } = yield exec3.getExecOutput("lsb_release", ["-i", "-r", "-s"], {
         silent: true
       });
       const [name, version] = stdout.trim().split("\n");
@@ -116738,7 +116738,7 @@ var require_core4 = __commonJS({
       ExitCode2[ExitCode2["Success"] = 0] = "Success";
       ExitCode2[ExitCode2["Failure"] = 1] = "Failure";
     })(ExitCode || (exports2.ExitCode = ExitCode = {}));
-    function exportVariable5(name, val) {
+    function exportVariable6(name, val) {
       const convertedVal = (0, utils_1.toCommandValue)(val);
       process.env[name] = convertedVal;
       const filePath = process.env["GITHUB_ENV"] || "";
@@ -116747,7 +116747,7 @@ var require_core4 = __commonJS({
       }
       (0, command_1.issueCommand)("set-env", { name }, convertedVal);
     }
-    exports2.exportVariable = exportVariable5;
+    exports2.exportVariable = exportVariable6;
     function setSecret(secret) {
       (0, command_1.issueCommand)("add-mask", {}, secret);
     }
@@ -121763,7 +121763,7 @@ var require_exec4 = __commonJS({
     exports2.getExecOutput = exports2.exec = void 0;
     var string_decoder_1 = require("string_decoder");
     var tr = __importStar2(require_toolrunner4());
-    function exec(commandLine, args, options) {
+    function exec3(commandLine, args, options) {
       return __awaiter2(this, void 0, void 0, function* () {
         const commandArgs = tr.argStringToArray(commandLine);
         if (commandArgs.length === 0) {
@@ -121775,7 +121775,7 @@ var require_exec4 = __commonJS({
         return runner.exec();
       });
     }
-    exports2.exec = exec;
+    exports2.exec = exec3;
     function getExecOutput(commandLine, args, options) {
       var _a, _b;
       return __awaiter2(this, void 0, void 0, function* () {
@@ -121798,7 +121798,7 @@ var require_exec4 = __commonJS({
           }
         };
         const listeners = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.listeners), { stdout: stdOutListener, stderr: stdErrListener });
-        const exitCode = yield exec(commandLine, args, Object.assign(Object.assign({}, options), { listeners }));
+        const exitCode = yield exec3(commandLine, args, Object.assign(Object.assign({}, options), { listeners }));
         stdout += stdoutDecoder.end();
         stderr += stderrDecoder.end();
         return {
@@ -121876,12 +121876,12 @@ var require_platform4 = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.getDetails = exports2.isLinux = exports2.isMacOS = exports2.isWindows = exports2.arch = exports2.platform = void 0;
     var os_1 = __importDefault2(require("os"));
-    var exec = __importStar2(require_exec4());
+    var exec3 = __importStar2(require_exec4());
     var getWindowsInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
-      const { stdout: version } = yield exec.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Version"', void 0, {
+      const { stdout: version } = yield exec3.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Version"', void 0, {
         silent: true
       });
-      const { stdout: name } = yield exec.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Caption"', void 0, {
+      const { stdout: name } = yield exec3.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Caption"', void 0, {
         silent: true
       });
       return {
@@ -121891,7 +121891,7 @@ var require_platform4 = __commonJS({
     });
     var getMacOsInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
       var _a, _b, _c, _d;
-      const { stdout } = yield exec.getExecOutput("sw_vers", void 0, {
+      const { stdout } = yield exec3.getExecOutput("sw_vers", void 0, {
         silent: true
       });
       const version = (_b = (_a = stdout.match(/ProductVersion:\s*(.+)/)) === null || _a === void 0 ? void 0 : _a[1]) !== null && _b !== void 0 ? _b : "";
@@ -121902,7 +121902,7 @@ var require_platform4 = __commonJS({
       };
     });
     var getLinuxInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
-      const { stdout } = yield exec.getExecOutput("lsb_release", ["-i", "-r", "-s"], {
+      const { stdout } = yield exec3.getExecOutput("lsb_release", ["-i", "-r", "-s"], {
         silent: true
       });
       const [name, version] = stdout.trim().split("\n");
@@ -122002,7 +122002,7 @@ var require_core5 = __commonJS({
       ExitCode2[ExitCode2["Success"] = 0] = "Success";
       ExitCode2[ExitCode2["Failure"] = 1] = "Failure";
     })(ExitCode || (exports2.ExitCode = ExitCode = {}));
-    function exportVariable5(name, val) {
+    function exportVariable6(name, val) {
       const convertedVal = (0, utils_1.toCommandValue)(val);
       process.env[name] = convertedVal;
       const filePath = process.env["GITHUB_ENV"] || "";
@@ -122011,7 +122011,7 @@ var require_core5 = __commonJS({
       }
       (0, command_1.issueCommand)("set-env", { name }, convertedVal);
     }
-    exports2.exportVariable = exportVariable5;
+    exports2.exportVariable = exportVariable6;
     function setSecret(secret) {
       (0, command_1.issueCommand)("add-mask", {}, secret);
     }
@@ -122220,7 +122220,7 @@ var require_manifest = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2._readLinuxVersionFile = exports2._getOsVersion = exports2._findMatch = void 0;
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var core_1 = require_core5();
     var os = require("os");
     var cp = require("child_process");
@@ -122234,7 +122234,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver8.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -122243,7 +122243,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver8.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -122473,7 +122473,7 @@ var require_tool_cache = __commonJS({
     var os = __importStar2(require("os"));
     var path2 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib7());
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var stream = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -122747,7 +122747,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch = arch || os.arch();
         core14.debug(`Caching tool ${tool} ${version} ${arch}`);
         core14.debug(`source dir: ${sourceDir}`);
@@ -122766,7 +122766,7 @@ var require_tool_cache = __commonJS({
     exports2.cacheDir = cacheDir;
     function cacheFile(sourceFile, targetFile, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch = arch || os.arch();
         core14.debug(`Caching tool ${tool} ${version} ${arch}`);
         core14.debug(`source file: ${sourceFile}`);
@@ -122797,7 +122797,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver8.clean(versionSpec) || "";
         const cachePath = path2.join(_getCacheDirectory(), toolName, versionSpec, arch);
         core14.debug(`checking cache: ${cachePath}`);
         if (fs2.existsSync(cachePath) && fs2.existsSync(`${cachePath}.complete`)) {
@@ -122881,7 +122881,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path2.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+        const folderPath = path2.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch || "");
         core14.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io6.rmRF(folderPath);
@@ -122891,15 +122891,15 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch) {
-      const folderPath = path2.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || "");
+      const folderPath = path2.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch || "");
       const markerPath = `${folderPath}.complete`;
       fs2.writeFileSync(markerPath, "");
       core14.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver8.clean(versionSpec) || "";
       core14.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
+      const valid3 = semver8.valid(c) != null;
       core14.debug(`explicit? ${valid3}`);
       return valid3;
     }
@@ -122908,14 +122908,14 @@ var require_tool_cache = __commonJS({
       let version = "";
       core14.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver8.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver8.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -126326,7 +126326,6 @@ async function getGitHubVersion() {
 // src/config-utils.ts
 var fs = __toESM(require("fs"));
 var path = __toESM(require("path"));
-var semver5 = __toESM(require_semver2());
 
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
@@ -126349,20 +126348,6 @@ var PACK_IDENTIFIER_PATTERN = (function() {
   return new RegExp(`^${component}/${component}$`);
 })();
 
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
 var semver4 = __toESM(require_semver2());
 
@@ -126370,10 +126355,24 @@ var semver4 = __toESM(require_semver2());
 var actionsCache = __toESM(require_cache4());
 
 // src/git-utils.ts
-var core8 = __toESM(require_core());
+var core7 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
 
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.5";
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
@@ -126788,26 +126787,29 @@ var cliErrorsConfig = {
 // src/setup-codeql.ts
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 
 // src/tar.ts
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver5 = __toESM(require_semver2());
 
 // src/tools-download.ts
 var core9 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 
 // src/dependency-caching.ts
 var actionsCache3 = __toESM(require_cache4());
 var glob = __toESM(require_glob());
 
+// src/artifact-scanner.ts
+var exec = __toESM(require_exec());
+
 // src/debug-artifacts.ts
 async function getArtifactUploaderClient(logger, ghVariant) {
   if (ghVariant === "GitHub Enterprise Server" /* GHES */) {

lib/start-proxy-action.js

@@ -23498,8 +23498,8 @@ var require_gte = __commonJS({
   "node_modules/semver/functions/gte.js"(exports2, module2) {
     "use strict";
     var compare = require_compare();
-    var gte4 = (a, b, loose) => compare(a, b, loose) >= 0;
-    module2.exports = gte4;
+    var gte3 = (a, b, loose) => compare(a, b, loose) >= 0;
+    module2.exports = gte3;
   }
 });
 
@@ -23520,7 +23520,7 @@ var require_cmp = __commonJS({
     var eq = require_eq();
     var neq = require_neq();
     var gt = require_gt();
-    var gte4 = require_gte();
+    var gte3 = require_gte();
     var lt = require_lt();
     var lte = require_lte();
     var cmp = (a, op, b, loose) => {
@@ -23550,7 +23550,7 @@ var require_cmp = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte4(a, b, loose);
+          return gte3(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -24309,7 +24309,7 @@ var require_outside = __commonJS({
     var gt = require_gt();
     var lt = require_lt();
     var lte = require_lte();
-    var gte4 = require_gte();
+    var gte3 = require_gte();
     var outside = (version, range, hilo, options) => {
       version = new SemVer(version, options);
       range = new Range2(range, options);
@@ -24324,7 +24324,7 @@ var require_outside = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte4;
+          ltefn = gte3;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -24639,7 +24639,7 @@ var require_semver2 = __commonJS({
     var lt = require_lt();
     var eq = require_eq();
     var neq = require_neq();
-    var gte4 = require_gte();
+    var gte3 = require_gte();
     var lte = require_lte();
     var cmp = require_cmp();
     var coerce2 = require_coerce();
@@ -24677,7 +24677,7 @@ var require_semver2 = __commonJS({
       lt,
       eq,
       neq,
-      gte: gte4,
+      gte: gte3,
       lte,
       cmp,
       coerce: coerce2,
@@ -24767,7 +24767,7 @@ var require_manifest = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2._readLinuxVersionFile = exports2._getOsVersion = exports2._findMatch = void 0;
-    var semver6 = __importStar2(require_semver2());
+    var semver5 = __importStar2(require_semver2());
     var core_1 = require_core2();
     var os2 = require("os");
     var cp = require("child_process");
@@ -24781,7 +24781,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver6.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver5.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -24790,7 +24790,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver6.satisfies(osVersion, item.platform_version);
+                  chk = semver5.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -25020,7 +25020,7 @@ var require_tool_cache = __commonJS({
     var os2 = __importStar2(require("os"));
     var path2 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib2());
-    var semver6 = __importStar2(require_semver2());
+    var semver5 = __importStar2(require_semver2());
     var stream = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -25294,7 +25294,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir2(sourceDir, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver6.clean(version) || version;
+        version = semver5.clean(version) || version;
         arch = arch || os2.arch();
         core12.debug(`Caching tool ${tool} ${version} ${arch}`);
         core12.debug(`source dir: ${sourceDir}`);
@@ -25313,7 +25313,7 @@ var require_tool_cache = __commonJS({
     exports2.cacheDir = cacheDir2;
     function cacheFile(sourceFile, targetFile, tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver6.clean(version) || version;
+        version = semver5.clean(version) || version;
         arch = arch || os2.arch();
         core12.debug(`Caching tool ${tool} ${version} ${arch}`);
         core12.debug(`source file: ${sourceFile}`);
@@ -25344,7 +25344,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver6.clean(versionSpec) || "";
+        versionSpec = semver5.clean(versionSpec) || "";
         const cachePath = path2.join(_getCacheDirectory(), toolName, versionSpec, arch);
         core12.debug(`checking cache: ${cachePath}`);
         if (fs.existsSync(cachePath) && fs.existsSync(`${cachePath}.complete`)) {
@@ -25428,7 +25428,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path2.join(_getCacheDirectory(), tool, semver6.clean(version) || version, arch || "");
+        const folderPath = path2.join(_getCacheDirectory(), tool, semver5.clean(version) || version, arch || "");
         core12.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io4.rmRF(folderPath);
@@ -25438,15 +25438,15 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch) {
-      const folderPath = path2.join(_getCacheDirectory(), tool, semver6.clean(version) || version, arch || "");
+      const folderPath = path2.join(_getCacheDirectory(), tool, semver5.clean(version) || version, arch || "");
       const markerPath = `${folderPath}.complete`;
       fs.writeFileSync(markerPath, "");
       core12.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver6.clean(versionSpec) || "";
+      const c = semver5.clean(versionSpec) || "";
       core12.debug(`isExplicit: ${c}`);
-      const valid2 = semver6.valid(c) != null;
+      const valid2 = semver5.valid(c) != null;
       core12.debug(`explicit? ${valid2}`);
       return valid2;
     }
@@ -25455,14 +25455,14 @@ var require_tool_cache = __commonJS({
       let version = "";
       core12.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver6.gt(a, b)) {
+        if (semver5.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver6.satisfies(potential, versionSpec);
+        const satisfied = semver5.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -54851,7 +54851,7 @@ var require_brace_expansion = __commonJS({
     function lte(i, y) {
       return i <= y;
     }
-    function gte4(i, y) {
+    function gte3(i, y) {
       return i >= y;
     }
     function expand(str2, isTop) {
@@ -54896,7 +54896,7 @@ var require_brace_expansion = __commonJS({
         var reverse = y < x;
         if (reverse) {
           incr *= -1;
-          test = gte4;
+          test = gte3;
         }
         var pad = n.some(isPadded);
         N = [];
@@ -56797,8 +56797,8 @@ var require_semver3 = __commonJS({
     function neq(a, b, loose) {
       return compare(a, b, loose) !== 0;
     }
-    exports2.gte = gte4;
-    function gte4(a, b, loose) {
+    exports2.gte = gte3;
+    function gte3(a, b, loose) {
       return compare(a, b, loose) >= 0;
     }
     exports2.lte = lte;
@@ -56829,7 +56829,7 @@ var require_semver3 = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte4(a, b, loose);
+          return gte3(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -57374,7 +57374,7 @@ var require_semver3 = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte4;
+          ltefn = gte3;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -57594,7 +57594,7 @@ var require_cacheUtils = __commonJS({
     var crypto2 = __importStar2(require("crypto"));
     var fs = __importStar2(require("fs"));
     var path2 = __importStar2(require("path"));
-    var semver6 = __importStar2(require_semver3());
+    var semver5 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -57687,7 +57687,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver6.clean(versionOutput);
+        const version = semver5.clean(versionOutput);
         core12.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -107527,9 +107527,6 @@ async function getDownloadUrl(logger) {
 var os = __toESM(require("os"));
 var core10 = __toESM(require_core());
 
-// src/config-utils.ts
-var semver5 = __toESM(require_semver2());
-
 // src/analyses.ts
 var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
   AnalysisKind2["CodeScanning"] = "code-scanning";

lib/upload-lib.js

@@ -27424,8 +27424,8 @@ var require_gte = __commonJS({
   "node_modules/semver/functions/gte.js"(exports2, module2) {
     "use strict";
     var compare3 = require_compare();
-    var gte6 = (a, b, loose) => compare3(a, b, loose) >= 0;
-    module2.exports = gte6;
+    var gte5 = (a, b, loose) => compare3(a, b, loose) >= 0;
+    module2.exports = gte5;
   }
 });
 
@@ -27446,7 +27446,7 @@ var require_cmp = __commonJS({
     var eq = require_eq();
     var neq = require_neq();
     var gt = require_gt();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lt = require_lt();
     var lte = require_lte();
     var cmp = (a, op, b, loose) => {
@@ -27476,7 +27476,7 @@ var require_cmp = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -28235,7 +28235,7 @@ var require_outside = __commonJS({
     var gt = require_gt();
     var lt = require_lt();
     var lte = require_lte();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var outside = (version, range, hilo, options) => {
       version = new SemVer(version, options);
       range = new Range2(range, options);
@@ -28250,7 +28250,7 @@ var require_outside = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -28565,7 +28565,7 @@ var require_semver2 = __commonJS({
     var lt = require_lt();
     var eq = require_eq();
     var neq = require_neq();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lte = require_lte();
     var cmp = require_cmp();
     var coerce3 = require_coerce();
@@ -28603,7 +28603,7 @@ var require_semver2 = __commonJS({
       lt,
       eq,
       neq,
-      gte: gte6,
+      gte: gte5,
       lte,
       cmp,
       coerce: coerce3,
@@ -33489,7 +33489,7 @@ var require_brace_expansion = __commonJS({
     function lte(i, y) {
       return i <= y;
     }
-    function gte6(i, y) {
+    function gte5(i, y) {
       return i >= y;
     }
     function expand(str2, isTop) {
@@ -33534,7 +33534,7 @@ var require_brace_expansion = __commonJS({
         var reverse = y < x;
         if (reverse) {
           incr *= -1;
-          test = gte6;
+          test = gte5;
         }
         var pad = n.some(isPadded);
         N = [];
@@ -35435,8 +35435,8 @@ var require_semver3 = __commonJS({
     function neq(a, b, loose) {
       return compare3(a, b, loose) !== 0;
     }
-    exports2.gte = gte6;
-    function gte6(a, b, loose) {
+    exports2.gte = gte5;
+    function gte5(a, b, loose) {
       return compare3(a, b, loose) >= 0;
     }
     exports2.lte = lte;
@@ -35467,7 +35467,7 @@ var require_semver3 = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -36012,7 +36012,7 @@ var require_semver3 = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -36232,7 +36232,7 @@ var require_cacheUtils = __commonJS({
     var crypto2 = __importStar2(require("crypto"));
     var fs12 = __importStar2(require("fs"));
     var path11 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver8 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -36325,7 +36325,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver8.clean(versionOutput);
         core12.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -85918,7 +85918,7 @@ var require_manifest = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2._readLinuxVersionFile = exports2._getOsVersion = exports2._findMatch = void 0;
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var core_1 = require_core3();
     var os2 = require("os");
     var cp = require("child_process");
@@ -85932,7 +85932,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver8.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -85941,7 +85941,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver8.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -86171,7 +86171,7 @@ var require_tool_cache = __commonJS({
     var os2 = __importStar2(require("os"));
     var path11 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib5());
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var stream2 = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -86445,7 +86445,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch2 = arch2 || os2.arch();
         core12.debug(`Caching tool ${tool} ${version} ${arch2}`);
         core12.debug(`source dir: ${sourceDir}`);
@@ -86464,7 +86464,7 @@ var require_tool_cache = __commonJS({
     exports2.cacheDir = cacheDir;
     function cacheFile(sourceFile, targetFile, tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch2 = arch2 || os2.arch();
         core12.debug(`Caching tool ${tool} ${version} ${arch2}`);
         core12.debug(`source file: ${sourceFile}`);
@@ -86495,7 +86495,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver8.clean(versionSpec) || "";
         const cachePath = path11.join(_getCacheDirectory(), toolName, versionSpec, arch2);
         core12.debug(`checking cache: ${cachePath}`);
         if (fs12.existsSync(cachePath) && fs12.existsSync(`${cachePath}.complete`)) {
@@ -86579,7 +86579,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path11.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
+        const folderPath = path11.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch2 || "");
         core12.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io6.rmRF(folderPath);
@@ -86589,15 +86589,15 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch2) {
-      const folderPath = path11.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
+      const folderPath = path11.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch2 || "");
       const markerPath = `${folderPath}.complete`;
       fs12.writeFileSync(markerPath, "");
       core12.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver8.clean(versionSpec) || "";
       core12.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
+      const valid3 = semver8.valid(c) != null;
       core12.debug(`explicit? ${valid3}`);
       return valid3;
     }
@@ -86606,14 +86606,14 @@ var require_tool_cache = __commonJS({
       let version = "";
       core12.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver8.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver8.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -93582,7 +93582,6 @@ function wrapCliConfigurationError(cliError) {
 // src/config-utils.ts
 var fs5 = __toESM(require("fs"));
 var path5 = __toESM(require("path"));
-var semver5 = __toESM(require_semver2());
 
 // src/caching-utils.ts
 var core6 = __toESM(require_core());
@@ -93597,20 +93596,6 @@ var PACK_IDENTIFIER_PATTERN = (function() {
   return new RegExp(`^${component}/${component}$`);
 })();
 
-// src/logging.ts
-var core7 = __toESM(require_core());
-function formatDuration(durationMs) {
-  if (durationMs < 1e3) {
-    return `${durationMs}ms`;
-  }
-  if (durationMs < 60 * 1e3) {
-    return `${(durationMs / 1e3).toFixed(1)}s`;
-  }
-  const minutes = Math.floor(durationMs / (60 * 1e3));
-  const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3);
-  return `${minutes}m${seconds}s`;
-}
-
 // src/diff-informed-analysis-utils.ts
 var fs4 = __toESM(require("fs"));
 var path4 = __toESM(require("path"));
@@ -93628,13 +93613,13 @@ var path3 = __toESM(require("path"));
 var actionsCache = __toESM(require_cache4());
 
 // src/git-utils.ts
-var core8 = __toESM(require_core());
+var core7 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core7.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -93654,7 +93639,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -93799,7 +93784,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core7.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -93824,6 +93809,20 @@ async function isAnalyzingDefaultBranch() {
   return currentRef === defaultBranch;
 }
 
+// src/logging.ts
+var core8 = __toESM(require_core());
+function formatDuration(durationMs) {
+  if (durationMs < 1e3) {
+    return `${durationMs}ms`;
+  }
+  if (durationMs < 60 * 1e3) {
+    return `${(durationMs / 1e3).toFixed(1)}s`;
+  }
+  const minutes = Math.floor(durationMs / (60 * 1e3));
+  const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3);
+  return `${minutes}m${seconds}s`;
+}
+
 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.5";
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
@@ -94184,7 +94183,7 @@ var fs8 = __toESM(require("fs"));
 var path7 = __toESM(require("path"));
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 
 // node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
@@ -94247,7 +94246,7 @@ var stream = __toESM(require("stream"));
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver5 = __toESM(require_semver2());
 var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
 var MIN_REQUIRED_GNU_TAR_VERSION = "1.31";
 async function getTarVersion() {
@@ -94289,9 +94288,9 @@ async function isZstdAvailable(logger) {
       case "gnu":
         return {
           available: foundZstdBinary && // GNU tar only uses major and minor version numbers
-          semver6.gte(
-            semver6.coerce(version),
-            semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
+          semver5.gte(
+            semver5.coerce(version),
+            semver5.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
           ),
           foundZstdBinary,
           version: tarVersion
@@ -94300,7 +94299,7 @@ async function isZstdAvailable(logger) {
         return {
           available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain
           // a patch version number.
-          semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
+          semver5.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
           foundZstdBinary,
           version: tarVersion
         };
@@ -94407,7 +94406,7 @@ var core9 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 var TOOLCACHE_TOOL_NAME = "CodeQL";
 function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) {
@@ -94537,7 +94536,7 @@ function getToolcacheDirectory(version) {
   return path6.join(
     getRequiredEnvParam("RUNNER_TOOL_CACHE"),
     TOOLCACHE_TOOL_NAME,
-    semver7.clean(version) || version,
+    semver6.clean(version) || version,
     os.arch() || ""
   );
 }
@@ -94662,13 +94661,13 @@ function tryGetTagNameFromUrl(url2, logger) {
   return match[1];
 }
 function convertToSemVer(version, logger) {
-  if (!semver8.valid(version)) {
+  if (!semver7.valid(version)) {
     logger.debug(
       `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`
     );
     version = `0.0.0-${version}`;
   }
-  const s = semver8.clean(version);
+  const s = semver7.clean(version);
   if (!s) {
     throw new Error(`Bundle version ${version} is not in SemVer format.`);
   }
@@ -94776,7 +94775,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
     url2 = toolsInput;
     if (tagName) {
       const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger);
-      if (bundleVersion3 && semver8.valid(bundleVersion3)) {
+      if (bundleVersion3 && semver7.valid(bundleVersion3)) {
         cliVersion2 = convertToSemVer(bundleVersion3, logger);
       }
     }
@@ -95047,7 +95046,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
 async function useZstdBundle(cliVersion2, tarSupportsZstd) {
   return (
     // In testing, gzip performs better than zstd on Windows.
-    process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
+    process.platform !== "win32" && tarSupportsZstd && semver7.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
   );
 }
 function getTempExtractionDir(tempDir) {
@@ -95079,7 +95078,7 @@ async function getNightlyToolsUrl(logger) {
   }
 }
 function getLatestToolcacheVersion(logger) {
-  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a));
+  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver7.compare(b, a));
   logger.debug(
     `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
       allVersions

lib/upload-sarif-action.js

@@ -26127,8 +26127,8 @@ var require_gte = __commonJS({
   "node_modules/semver/functions/gte.js"(exports2, module2) {
     "use strict";
     var compare3 = require_compare();
-    var gte6 = (a, b, loose) => compare3(a, b, loose) >= 0;
-    module2.exports = gte6;
+    var gte5 = (a, b, loose) => compare3(a, b, loose) >= 0;
+    module2.exports = gte5;
   }
 });
 
@@ -26149,7 +26149,7 @@ var require_cmp = __commonJS({
     var eq = require_eq();
     var neq = require_neq();
     var gt = require_gt();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lt = require_lt();
     var lte = require_lte();
     var cmp = (a, op, b, loose) => {
@@ -26179,7 +26179,7 @@ var require_cmp = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -26938,7 +26938,7 @@ var require_outside = __commonJS({
     var gt = require_gt();
     var lt = require_lt();
     var lte = require_lte();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var outside = (version, range, hilo, options) => {
       version = new SemVer(version, options);
       range = new Range2(range, options);
@@ -26953,7 +26953,7 @@ var require_outside = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -27268,7 +27268,7 @@ var require_semver2 = __commonJS({
     var lt = require_lt();
     var eq = require_eq();
     var neq = require_neq();
-    var gte6 = require_gte();
+    var gte5 = require_gte();
     var lte = require_lte();
     var cmp = require_cmp();
     var coerce3 = require_coerce();
@@ -27306,7 +27306,7 @@ var require_semver2 = __commonJS({
       lt,
       eq,
       neq,
-      gte: gte6,
+      gte: gte5,
       lte,
       cmp,
       coerce: coerce3,
@@ -32192,7 +32192,7 @@ var require_brace_expansion = __commonJS({
     function lte(i, y) {
       return i <= y;
     }
-    function gte6(i, y) {
+    function gte5(i, y) {
       return i >= y;
     }
     function expand(str2, isTop) {
@@ -32237,7 +32237,7 @@ var require_brace_expansion = __commonJS({
         var reverse = y < x;
         if (reverse) {
           incr *= -1;
-          test = gte6;
+          test = gte5;
         }
         var pad = n.some(isPadded);
         N = [];
@@ -34138,8 +34138,8 @@ var require_semver3 = __commonJS({
     function neq(a, b, loose) {
       return compare3(a, b, loose) !== 0;
     }
-    exports2.gte = gte6;
-    function gte6(a, b, loose) {
+    exports2.gte = gte5;
+    function gte5(a, b, loose) {
       return compare3(a, b, loose) >= 0;
     }
     exports2.lte = lte;
@@ -34170,7 +34170,7 @@ var require_semver3 = __commonJS({
         case ">":
           return gt(a, b, loose);
         case ">=":
-          return gte6(a, b, loose);
+          return gte5(a, b, loose);
         case "<":
           return lt(a, b, loose);
         case "<=":
@@ -34715,7 +34715,7 @@ var require_semver3 = __commonJS({
           break;
         case "<":
           gtfn = lt;
-          ltefn = gte6;
+          ltefn = gte5;
           ltfn = gt;
           comp = "<";
           ecomp = "<=";
@@ -34935,7 +34935,7 @@ var require_cacheUtils = __commonJS({
     var crypto2 = __importStar2(require("crypto"));
     var fs13 = __importStar2(require("fs"));
     var path12 = __importStar2(require("path"));
-    var semver9 = __importStar2(require_semver3());
+    var semver8 = __importStar2(require_semver3());
     var util = __importStar2(require("util"));
     var constants_1 = require_constants7();
     var versionSalt = "1.0";
@@ -35028,7 +35028,7 @@ var require_cacheUtils = __commonJS({
     function getCompressionMethod() {
       return __awaiter2(this, void 0, void 0, function* () {
         const versionOutput = yield getVersion("zstd", ["--quiet"]);
-        const version = semver9.clean(versionOutput);
+        const version = semver8.clean(versionOutput);
         core14.debug(`zstd version: ${version}`);
         if (versionOutput === "") {
           return constants_1.CompressionMethod.Gzip;
@@ -85918,7 +85918,7 @@ var require_manifest = __commonJS({
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2._readLinuxVersionFile = exports2._getOsVersion = exports2._findMatch = void 0;
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var core_1 = require_core3();
     var os3 = require("os");
     var cp = require("child_process");
@@ -85932,7 +85932,7 @@ var require_manifest = __commonJS({
         for (const candidate of candidates) {
           const version = candidate.version;
           (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`);
-          if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
+          if (semver8.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) {
             file = candidate.files.find((item) => {
               (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`);
               let chk = item.arch === archFilter && item.platform === platFilter;
@@ -85941,7 +85941,7 @@ var require_manifest = __commonJS({
                 if (osVersion === item.platform_version) {
                   chk = true;
                 } else {
-                  chk = semver9.satisfies(osVersion, item.platform_version);
+                  chk = semver8.satisfies(osVersion, item.platform_version);
                 }
               }
               return chk;
@@ -86171,7 +86171,7 @@ var require_tool_cache = __commonJS({
     var os3 = __importStar2(require("os"));
     var path12 = __importStar2(require("path"));
     var httpm = __importStar2(require_lib5());
-    var semver9 = __importStar2(require_semver2());
+    var semver8 = __importStar2(require_semver2());
     var stream2 = __importStar2(require("stream"));
     var util = __importStar2(require("util"));
     var assert_1 = require("assert");
@@ -86445,7 +86445,7 @@ var require_tool_cache = __commonJS({
     }
     function cacheDir(sourceDir, tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch2 = arch2 || os3.arch();
         core14.debug(`Caching tool ${tool} ${version} ${arch2}`);
         core14.debug(`source dir: ${sourceDir}`);
@@ -86464,7 +86464,7 @@ var require_tool_cache = __commonJS({
     exports2.cacheDir = cacheDir;
     function cacheFile(sourceFile, targetFile, tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        version = semver9.clean(version) || version;
+        version = semver8.clean(version) || version;
         arch2 = arch2 || os3.arch();
         core14.debug(`Caching tool ${tool} ${version} ${arch2}`);
         core14.debug(`source file: ${sourceFile}`);
@@ -86495,7 +86495,7 @@ var require_tool_cache = __commonJS({
       }
       let toolPath = "";
       if (versionSpec) {
-        versionSpec = semver9.clean(versionSpec) || "";
+        versionSpec = semver8.clean(versionSpec) || "";
         const cachePath = path12.join(_getCacheDirectory(), toolName, versionSpec, arch2);
         core14.debug(`checking cache: ${cachePath}`);
         if (fs13.existsSync(cachePath) && fs13.existsSync(`${cachePath}.complete`)) {
@@ -86579,7 +86579,7 @@ var require_tool_cache = __commonJS({
     }
     function _createToolPath(tool, version, arch2) {
       return __awaiter2(this, void 0, void 0, function* () {
-        const folderPath = path12.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
+        const folderPath = path12.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch2 || "");
         core14.debug(`destination ${folderPath}`);
         const markerPath = `${folderPath}.complete`;
         yield io6.rmRF(folderPath);
@@ -86589,15 +86589,15 @@ var require_tool_cache = __commonJS({
       });
     }
     function _completeToolPath(tool, version, arch2) {
-      const folderPath = path12.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || "");
+      const folderPath = path12.join(_getCacheDirectory(), tool, semver8.clean(version) || version, arch2 || "");
       const markerPath = `${folderPath}.complete`;
       fs13.writeFileSync(markerPath, "");
       core14.debug("finished caching tool");
     }
     function isExplicitVersion(versionSpec) {
-      const c = semver9.clean(versionSpec) || "";
+      const c = semver8.clean(versionSpec) || "";
       core14.debug(`isExplicit: ${c}`);
-      const valid3 = semver9.valid(c) != null;
+      const valid3 = semver8.valid(c) != null;
       core14.debug(`explicit? ${valid3}`);
       return valid3;
     }
@@ -86606,14 +86606,14 @@ var require_tool_cache = __commonJS({
       let version = "";
       core14.debug(`evaluating ${versions.length} versions`);
       versions = versions.sort((a, b) => {
-        if (semver9.gt(a, b)) {
+        if (semver8.gt(a, b)) {
           return 1;
         }
         return -1;
       });
       for (let i = versions.length - 1; i >= 0; i--) {
         const potential = versions[i];
-        const satisfied = semver9.satisfies(potential, versionSpec);
+        const satisfied = semver8.satisfies(potential, versionSpec);
         if (satisfied) {
           version = potential;
           break;
@@ -94158,7 +94158,6 @@ var core9 = __toESM(require_core());
 // src/config-utils.ts
 var fs6 = __toESM(require("fs"));
 var path6 = __toESM(require("path"));
-var semver5 = __toESM(require_semver2());
 
 // src/config/db-config.ts
 var jsonschema = __toESM(require_lib4());
@@ -94705,7 +94704,7 @@ var fs9 = __toESM(require("fs"));
 var path8 = __toESM(require("path"));
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver8 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 
 // node_modules/uuid/dist-node/stringify.js
 var byteToHex = [];
@@ -94768,7 +94767,7 @@ var stream = __toESM(require("stream"));
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver6 = __toESM(require_semver2());
+var semver5 = __toESM(require_semver2());
 var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
 var MIN_REQUIRED_GNU_TAR_VERSION = "1.31";
 async function getTarVersion() {
@@ -94810,9 +94809,9 @@ async function isZstdAvailable(logger) {
       case "gnu":
         return {
           available: foundZstdBinary && // GNU tar only uses major and minor version numbers
-          semver6.gte(
-            semver6.coerce(version),
-            semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
+          semver5.gte(
+            semver5.coerce(version),
+            semver5.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
           ),
           foundZstdBinary,
           version: tarVersion
@@ -94821,7 +94820,7 @@ async function isZstdAvailable(logger) {
         return {
           available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain
           // a patch version number.
-          semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
+          semver5.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
           foundZstdBinary,
           version: tarVersion
         };
@@ -94928,7 +94927,7 @@ var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver7 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 var TOOLCACHE_TOOL_NAME = "CodeQL";
 function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) {
@@ -95058,7 +95057,7 @@ function getToolcacheDirectory(version) {
   return path7.join(
     getRequiredEnvParam("RUNNER_TOOL_CACHE"),
     TOOLCACHE_TOOL_NAME,
-    semver7.clean(version) || version,
+    semver6.clean(version) || version,
     os2.arch() || ""
   );
 }
@@ -95183,13 +95182,13 @@ function tryGetTagNameFromUrl(url2, logger) {
   return match[1];
 }
 function convertToSemVer(version, logger) {
-  if (!semver8.valid(version)) {
+  if (!semver7.valid(version)) {
     logger.debug(
       `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`
     );
     version = `0.0.0-${version}`;
   }
-  const s = semver8.clean(version);
+  const s = semver7.clean(version);
   if (!s) {
     throw new Error(`Bundle version ${version} is not in SemVer format.`);
   }
@@ -95297,7 +95296,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
     url2 = toolsInput;
     if (tagName) {
       const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger);
-      if (bundleVersion3 && semver8.valid(bundleVersion3)) {
+      if (bundleVersion3 && semver7.valid(bundleVersion3)) {
         cliVersion2 = convertToSemVer(bundleVersion3, logger);
       }
     }
@@ -95568,7 +95567,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
 async function useZstdBundle(cliVersion2, tarSupportsZstd) {
   return (
     // In testing, gzip performs better than zstd on Windows.
-    process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
+    process.platform !== "win32" && tarSupportsZstd && semver7.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
   );
 }
 function getTempExtractionDir(tempDir) {
@@ -95600,7 +95599,7 @@ async function getNightlyToolsUrl(logger) {
   }
 }
 function getLatestToolcacheVersion(logger) {
-  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a));
+  const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver7.compare(b, a));
   logger.debug(
     `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
       allVersions

src/artifact-scanner.test.ts

@@ -0,0 +1,98 @@
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+
+import test from "ava";
+
+import { scanArtifactsForTokens } from "./artifact-scanner";
+import { getRunnerLogger } from "./logging";
+import { getRecordingLogger, LoggedMessage } from "./testing-utils";
+
+test("scanArtifactsForTokens detects GitHub tokens in files", async (t) => {
+  const logger = getRunnerLogger(true);
+  const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "scanner-test-"));
+
+  try {
+    // Create a test file with a fake GitHub token
+    const testFile = path.join(tempDir, "test.txt");
+    fs.writeFileSync(
+      testFile,
+      "This is a test file with token ghp_1234567890123456789012345678901234AB",
+    );
+
+    const error = await t.throwsAsync(
+      async () => await scanArtifactsForTokens([testFile], logger),
+    );
+
+    t.regex(
+      error?.message || "",
+      /Found 1 potential GitHub token.*Personal Access Token/,
+    );
+    t.regex(error?.message || "", /test\.txt/);
+  } finally {
+    // Clean up
+    fs.rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
+test("scanArtifactsForTokens handles files without tokens", async (t) => {
+  const logger = getRunnerLogger(true);
+  const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "scanner-test-"));
+
+  try {
+    // Create a test file without tokens
+    const testFile = path.join(tempDir, "test.txt");
+    fs.writeFileSync(
+      testFile,
+      "This is a test file without any sensitive data",
+    );
+
+    await t.notThrowsAsync(
+      async () => await scanArtifactsForTokens([testFile], logger),
+    );
+  } finally {
+    // Clean up
+    fs.rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
+if (os.platform() !== "win32") {
+  test("scanArtifactsForTokens finds token in debug artifacts", async (t) => {
+    t.timeout(15000); // 15 seconds
+    const messages: LoggedMessage[] = [];
+    const logger = getRecordingLogger(messages, { logToConsole: false });
+    // The zip here is a regression test based on
+    // https://github.com/github/codeql-action/security/advisories/GHSA-vqf5-2xx6-9wfm
+    const testZip = path.join(
+      __dirname,
+      "..",
+      "src",
+      "testdata",
+      "debug-artifacts-with-fake-token.zip",
+    );
+
+    // This zip file contains a nested structure with a fake token in:
+    // my-db-java-partial.zip/trap/java/invocations/kotlin.9017231652989744319.trap
+    const error = await t.throwsAsync(
+      async () => await scanArtifactsForTokens([testZip], logger),
+    );
+
+    t.regex(
+      error?.message || "",
+      /Found.*potential GitHub token/,
+      "Should detect token in nested zip",
+    );
+    t.regex(
+      error?.message || "",
+      /kotlin\.9017231652989744319\.trap/,
+      "Should report the .trap file containing the token",
+    );
+
+    const logOutput = messages.map((msg) => msg.message).join("\n");
+    t.regex(
+      logOutput,
+      /^Extracting gz file: .*\.gz$/m,
+      "Logs should show that .gz files were extracted",
+    );
+  });
+}

src/artifact-scanner.ts

@@ -0,0 +1,357 @@
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+
+import * as exec from "@actions/exec";
+
+import { Logger } from "./logging";
+import { getErrorMessage } from "./util";
+
+/**
+ * GitHub token patterns to scan for.
+ * These patterns match various GitHub token formats.
+ */
+const GITHUB_TOKEN_PATTERNS = [
+  {
+    name: "Personal Access Token",
+    pattern: /\bghp_[a-zA-Z0-9]{36}\b/g,
+  },
+  {
+    name: "OAuth Access Token",
+    pattern: /\bgho_[a-zA-Z0-9]{36}\b/g,
+  },
+  {
+    name: "User-to-Server Token",
+    pattern: /\bghu_[a-zA-Z0-9]{36}\b/g,
+  },
+  {
+    name: "Server-to-Server Token",
+    pattern: /\bghs_[a-zA-Z0-9]{36}\b/g,
+  },
+  {
+    name: "Refresh Token",
+    pattern: /\bghr_[a-zA-Z0-9]{36}\b/g,
+  },
+  {
+    name: "App Installation Access Token",
+    pattern: /\bghs_[a-zA-Z0-9]{255}\b/g,
+  },
+];
+
+interface TokenFinding {
+  tokenType: string;
+  filePath: string;
+}
+
+interface ScanResult {
+  scannedFiles: number;
+  findings: TokenFinding[];
+}
+
+/**
+ * Scans a file for GitHub tokens.
+ *
+ * @param filePath Path to the file to scan
+ * @param relativePath Relative path for display purposes
+ * @param logger Logger instance
+ * @returns Array of token findings in the file
+ */
+function scanFileForTokens(
+  filePath: string,
+  relativePath: string,
+  logger: Logger,
+): TokenFinding[] {
+  const findings: TokenFinding[] = [];
+  try {
+    const content = fs.readFileSync(filePath, "utf8");
+
+    for (const { name, pattern } of GITHUB_TOKEN_PATTERNS) {
+      const matches = content.match(pattern);
+      if (matches) {
+        for (let i = 0; i < matches.length; i++) {
+          findings.push({ tokenType: name, filePath: relativePath });
+        }
+        logger.debug(`Found ${matches.length} ${name}(s) in ${relativePath}`);
+      }
+    }
+
+    return findings;
+  } catch (e) {
+    // If we can't read the file as text, it's likely binary or inaccessible
+    logger.debug(
+      `Could not scan file ${filePath} for tokens: ${getErrorMessage(e)}`,
+    );
+    return [];
+  }
+}
+
+/**
+ * Recursively extracts and scans archive files (.zip, .gz, .tar.gz).
+ *
+ * @param archivePath Path to the archive file
+ * @param relativeArchivePath Relative path of the archive for display
+ * @param extractDir Directory to extract to
+ * @param logger Logger instance
+ * @param depth Current recursion depth (to prevent infinite loops)
+ * @returns Scan results
+ */
+async function scanArchiveFile(
+  archivePath: string,
+  relativeArchivePath: string,
+  extractDir: string,
+  logger: Logger,
+  depth: number = 0,
+): Promise<ScanResult> {
+  const MAX_DEPTH = 10; // Prevent infinite recursion
+  if (depth > MAX_DEPTH) {
+    throw new Error(
+      `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}`,
+    );
+  }
+
+  const result: ScanResult = {
+    scannedFiles: 0,
+    findings: [],
+  };
+
+  try {
+    const tempExtractDir = fs.mkdtempSync(
+      path.join(extractDir, `extract-${depth}-`),
+    );
+
+    // Determine archive type and extract accordingly
+    const fileName = path.basename(archivePath).toLowerCase();
+    if (fileName.endsWith(".tar.gz") || fileName.endsWith(".tgz")) {
+      // Extract tar.gz files
+      logger.debug(`Extracting tar.gz file: ${archivePath}`);
+      await exec.exec("tar", ["-xzf", archivePath, "-C", tempExtractDir], {
+        silent: true,
+      });
+    } else if (fileName.endsWith(".gz")) {
+      // Extract .gz files (single file compression)
+      logger.debug(`Extracting gz file: ${archivePath}`);
+      const outputFile = path.join(
+        tempExtractDir,
+        path.basename(archivePath, ".gz"),
+      );
+      await exec.exec("gunzip", ["-c", archivePath], {
+        outStream: fs.createWriteStream(outputFile),
+        silent: true,
+      });
+    } else if (fileName.endsWith(".zip")) {
+      // Extract zip files
+      logger.debug(`Extracting zip file: ${archivePath}`);
+      await exec.exec(
+        "unzip",
+        ["-q", "-o", archivePath, "-d", tempExtractDir],
+        {
+          silent: true,
+        },
+      );
+    }
+
+    // Scan the extracted contents
+    const scanResult = await scanDirectory(
+      tempExtractDir,
+      relativeArchivePath,
+      logger,
+      depth + 1,
+    );
+    result.scannedFiles += scanResult.scannedFiles;
+    result.findings.push(...scanResult.findings);
+
+    // Clean up extracted files
+    fs.rmSync(tempExtractDir, { recursive: true, force: true });
+  } catch (e) {
+    logger.debug(
+      `Could not extract or scan archive file ${archivePath}: ${getErrorMessage(e)}`,
+    );
+  }
+
+  return result;
+}
+
+/**
+ * Scans a single file, including recursive archive extraction if applicable.
+ *
+ * @param fullPath Full path to the file
+ * @param relativePath Relative path for display
+ * @param extractDir Directory to use for extraction (for archive files)
+ * @param logger Logger instance
+ * @param depth Current recursion depth
+ * @returns Scan results
+ */
+async function scanFile(
+  fullPath: string,
+  relativePath: string,
+  extractDir: string,
+  logger: Logger,
+  depth: number = 0,
+): Promise<ScanResult> {
+  const result: ScanResult = {
+    scannedFiles: 1,
+    findings: [],
+  };
+
+  // Check if it's an archive file and recursively scan it
+  const fileName = path.basename(fullPath).toLowerCase();
+  const isArchive =
+    fileName.endsWith(".zip") ||
+    fileName.endsWith(".tar.gz") ||
+    fileName.endsWith(".tgz") ||
+    fileName.endsWith(".gz");
+
+  if (isArchive) {
+    const archiveResult = await scanArchiveFile(
+      fullPath,
+      relativePath,
+      extractDir,
+      logger,
+      depth,
+    );
+    result.scannedFiles += archiveResult.scannedFiles;
+    result.findings.push(...archiveResult.findings);
+  }
+
+  // Scan the file itself for tokens (unless it's a pure binary archive format)
+  const fileFindings = scanFileForTokens(fullPath, relativePath, logger);
+  result.findings.push(...fileFindings);
+
+  return result;
+}
+
+/**
+ * Recursively scans a directory for GitHub tokens.
+ *
+ * @param dirPath Directory path to scan
+ * @param baseRelativePath Base relative path for computing display paths
+ * @param logger Logger instance
+ * @param depth Current recursion depth
+ * @returns Scan results
+ */
+async function scanDirectory(
+  dirPath: string,
+  baseRelativePath: string,
+  logger: Logger,
+  depth: number = 0,
+): Promise<ScanResult> {
+  const result: ScanResult = {
+    scannedFiles: 0,
+    findings: [],
+  };
+
+  const entries = fs.readdirSync(dirPath, { withFileTypes: true });
+
+  for (const entry of entries) {
+    const fullPath = path.join(dirPath, entry.name);
+    const relativePath = path.join(baseRelativePath, entry.name);
+
+    if (entry.isDirectory()) {
+      const subResult = await scanDirectory(
+        fullPath,
+        relativePath,
+        logger,
+        depth,
+      );
+      result.scannedFiles += subResult.scannedFiles;
+      result.findings.push(...subResult.findings);
+    } else if (entry.isFile()) {
+      const fileResult = await scanFile(
+        fullPath,
+        relativePath,
+        path.dirname(fullPath),
+        logger,
+        depth,
+      );
+      result.scannedFiles += fileResult.scannedFiles;
+      result.findings.push(...fileResult.findings);
+    }
+  }
+
+  return result;
+}
+
+/**
+ * Scans a list of files and directories for GitHub tokens.
+ * Recursively extracts and scans archive files (.zip, .gz, .tar.gz).
+ *
+ * @param filesToScan List of file paths to scan
+ * @param logger Logger instance
+ * @returns Scan results
+ */
+export async function scanArtifactsForTokens(
+  filesToScan: string[],
+  logger: Logger,
+): Promise<void> {
+  logger.info(
+    "Starting best-effort check for potential GitHub tokens in debug artifacts (for testing purposes only)...",
+  );
+
+  const result: ScanResult = {
+    scannedFiles: 0,
+    findings: [],
+  };
+
+  // Create a temporary directory for extraction
+  const tempScanDir = fs.mkdtempSync(path.join(os.tmpdir(), "artifact-scan-"));
+
+  try {
+    for (const filePath of filesToScan) {
+      const stats = fs.statSync(filePath);
+      const fileName = path.basename(filePath);
+
+      if (stats.isDirectory()) {
+        const dirResult = await scanDirectory(filePath, fileName, logger);
+        result.scannedFiles += dirResult.scannedFiles;
+        result.findings.push(...dirResult.findings);
+      } else if (stats.isFile()) {
+        const fileResult = await scanFile(
+          filePath,
+          fileName,
+          tempScanDir,
+          logger,
+        );
+        result.scannedFiles += fileResult.scannedFiles;
+        result.findings.push(...fileResult.findings);
+      }
+    }
+
+    // Compute statistics from findings
+    const tokenTypesCounts = new Map<string, number>();
+    const filesWithTokens = new Set<string>();
+    for (const finding of result.findings) {
+      tokenTypesCounts.set(
+        finding.tokenType,
+        (tokenTypesCounts.get(finding.tokenType) || 0) + 1,
+      );
+      filesWithTokens.add(finding.filePath);
+    }
+
+    const tokenTypesSummary = Array.from(tokenTypesCounts.entries())
+      .map(([type, count]) => `${count} ${type}${count > 1 ? "s" : ""}`)
+      .join(", ");
+
+    const baseSummary = `scanned ${result.scannedFiles} files, found ${result.findings.length} potential token(s) in ${filesWithTokens.size} file(s)`;
+    const summaryWithTypes = tokenTypesSummary
+      ? `${baseSummary} (${tokenTypesSummary})`
+      : baseSummary;
+
+    logger.info(`Artifact check complete: ${summaryWithTypes}`);
+
+    if (result.findings.length > 0) {
+      const fileList = Array.from(filesWithTokens).join(", ");
+      throw new Error(
+        `Found ${result.findings.length} potential GitHub token(s) (${tokenTypesSummary}) in debug artifacts at: ${fileList}. This is a best-effort check for testing purposes only.`,
+      );
+    }
+  } finally {
+    // Clean up temporary directory
+    try {
+      fs.rmSync(tempScanDir, { recursive: true, force: true });
+    } catch (e) {
+      logger.debug(
+        `Could not clean up temporary scan directory: ${getErrorMessage(e)}`,
+      );
+    }
+  }
+}

src/config-utils.test.ts

@@ -978,7 +978,6 @@ interface OverlayDatabaseModeTestSetup {
   languages: Language[];
   codeqlVersion: string;
   gitRoot: string | undefined;
-  gitVersion: string | undefined;
   codeScanningConfig: configUtils.UserConfig;
   diskUsage: DiskUsage | undefined;
   memoryFlagValue: number;
@@ -993,7 +992,6 @@ const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
   languages: [KnownLanguage.javascript],
   codeqlVersion: CODEQL_OVERLAY_MINIMUM_VERSION,
   gitRoot: "/some/git/root",
-  gitVersion: gitUtils.GIT_MINIMUM_VERSION_FOR_OVERLAY,
   codeScanningConfig: {},
   diskUsage: {
     numAvailableBytes: 50_000_000_000,
@@ -1072,7 +1070,6 @@ const getOverlayDatabaseModeMacro = test.macro({
           setup.buildMode,
           undefined,
           setup.codeScanningConfig,
-          setup.gitVersion,
           logger,
         );
 
@@ -1776,32 +1773,6 @@ test(
   },
 );
 
-test(
-  getOverlayDatabaseModeMacro,
-  "Fallback due to old git version",
-  {
-    overlayDatabaseEnvVar: "overlay",
-    gitVersion: "2.30.0", // Version below required 2.38.0
-  },
-  {
-    overlayDatabaseMode: OverlayDatabaseMode.None,
-    useOverlayDatabaseCaching: false,
-  },
-);
-
-test(
-  getOverlayDatabaseModeMacro,
-  "Fallback when git version cannot be determined",
-  {
-    overlayDatabaseEnvVar: "overlay",
-    gitVersion: undefined,
-  },
-  {
-    overlayDatabaseMode: OverlayDatabaseMode.None,
-    useOverlayDatabaseCaching: false,
-  },
-);
-
 // Exercise language-specific overlay analysis features code paths
 for (const language in KnownLanguage) {
   test(

src/config-utils.ts

@@ -3,7 +3,6 @@ import * as path from "path";
 import { performance } from "perf_hooks";
 
 import * as yaml from "js-yaml";
-import * as semver from "semver";
 
 import { getActionVersion, isAnalyzingPullRequest } from "./actions-util";
 import {
@@ -23,17 +22,11 @@ import {
   parseUserConfig,
   UserConfig,
 } from "./config/db-config";
-import { addDiagnostic, makeTelemetryDiagnostic } from "./diagnostics";
 import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-utils";
 import * as errorMessages from "./error-messages";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import { RepositoryProperties } from "./feature-flags/properties";
-import {
-  getGitRoot,
-  getGitVersionOrThrow,
-  GIT_MINIMUM_VERSION_FOR_OVERLAY,
-  isAnalyzingDefaultBranch,
-} from "./git-utils";
+import { getGitRoot, isAnalyzingDefaultBranch } from "./git-utils";
 import { KnownLanguage, Language } from "./languages";
 import { Logger } from "./logging";
 import {
@@ -52,7 +45,6 @@ import {
   isDefined,
   checkDiskUsage,
   getCodeQLMemoryLimit,
-  getErrorMessage,
 } from "./util";
 
 export * from "./config/db-config";
@@ -717,7 +709,6 @@ export async function getOverlayDatabaseMode(
   buildMode: BuildMode | undefined,
   ramInput: string | undefined,
   codeScanningConfig: UserConfig,
-  gitVersion: string | undefined,
   logger: Logger,
 ): Promise<{
   overlayDatabaseMode: OverlayDatabaseMode;
@@ -820,22 +811,6 @@ export async function getOverlayDatabaseMode(
     );
     return nonOverlayAnalysis;
   }
-  if (gitVersion === undefined) {
-    logger.warning(
-      `Cannot build an ${overlayDatabaseMode} database because ` +
-        "the Git version could not be determined. " +
-        "Falling back to creating a normal full database instead.",
-    );
-    return nonOverlayAnalysis;
-  }
-  if (!semver.gte(gitVersion, GIT_MINIMUM_VERSION_FOR_OVERLAY)) {
-    logger.warning(
-      `Cannot build an ${overlayDatabaseMode} database because ` +
-        `the installed Git version is older than ${GIT_MINIMUM_VERSION_FOR_OVERLAY}. ` +
-        "Falling back to creating a normal full database instead.",
-    );
-    return nonOverlayAnalysis;
-  }
 
   return {
     overlayDatabaseMode,
@@ -928,15 +903,6 @@ export async function initConfig(
     config.computedConfig["query-filters"] = [];
   }
 
-  let gitVersion: string | undefined = undefined;
-  try {
-    gitVersion = await getGitVersionOrThrow();
-    logger.info(`Using Git version ${gitVersion}`);
-    await logGitVersionTelemetry(config, gitVersion);
-  } catch (e) {
-    logger.debug(`Could not determine Git version: ${getErrorMessage(e)}`);
-  }
-
   // The choice of overlay database mode depends on the selection of languages
   // and queries, which in turn depends on the user config and the augmentation
   // properties. So we need to calculate the overlay database mode after the
@@ -950,7 +916,6 @@ export async function initConfig(
       config.buildMode,
       inputs.ramInput,
       config.computedConfig,
-      gitVersion,
       logger,
     );
   logger.info(
@@ -1351,23 +1316,3 @@ export function getPrimaryAnalysisConfig(config: Config): AnalysisConfig {
     ? CodeScanning
     : CodeQuality;
 }
-
-/** Logs the Git version as a telemetry diagnostic. */
-async function logGitVersionTelemetry(
-  config: Config,
-  gitVersion: string,
-): Promise<void> {
-  if (config.languages.length > 0) {
-    addDiagnostic(
-      config,
-      // Arbitrarily choose the first language. We could also choose all languages, but that
-      // increases the risk of misinterpreting the data.
-      config.languages[0],
-      makeTelemetryDiagnostic(
-        "codeql-action/git-version-telemetry",
-        "Git version telemetry",
-        { gitVersion },
-      ),
-    );
-  }
-}

src/debug-artifacts.ts

@@ -8,6 +8,7 @@ import archiver from "archiver";
 
 import { getOptionalInput, getTemporaryDirectory } from "./actions-util";
 import { dbIsFinalized } from "./analyze";
+import { scanArtifactsForTokens } from "./artifact-scanner";
 import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
@@ -23,6 +24,7 @@ import {
   getCodeQLDatabasePath,
   getErrorMessage,
   GitHubVariant,
+  isInTestMode,
   listFolder,
 } from "./util";
 
@@ -269,6 +271,14 @@ export async function uploadDebugArtifacts(
     return "upload-not-supported";
   }
 
+  // When running in test mode, perform a best effort scan of the debug artifacts. The artifact
+  // scanner is basic and not reliable or fast enough for production use, but it can help catch
+  // some issues early.
+  if (isInTestMode()) {
+    await scanArtifactsForTokens(toUpload, logger);
+    core.exportVariable("CODEQL_ACTION_ARTIFACT_SCAN_FINISHED", "true");
+  }
+
   let suffix = "";
   const matrix = getOptionalInput("matrix");
   if (matrix) {

src/diagnostics.ts

@@ -185,27 +185,3 @@ export function flushDiagnostics(config: Config) {
   // Reset the unwritten diagnostics array.
   unwrittenDiagnostics = [];
 }
-
-/**
- * Creates a telemetry-only diagnostic message. This is a convenience function
- * for creating diagnostics that should only be sent to telemetry and not
- * displayed on the status page or CLI summary table.
- *
- * @param id An identifier under which it makes sense to group this diagnostic message
- * @param name Display name
- * @param attributes Structured metadata
- */
-export function makeTelemetryDiagnostic(
-  id: string,
-  name: string,
-  attributes: { [key: string]: any },
-): DiagnosticMessage {
-  return makeDiagnostic(id, name, {
-    attributes,
-    visibility: {
-      cliSummaryTable: false,
-      statusPage: false,
-      telemetry: true,
-    },
-  });
-}

src/git-utils.test.ts

@@ -315,23 +315,27 @@ test("getFileOidsUnderPath returns correct file mapping", async (t) => {
         "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_src/git-utils.ts",
     );
 
-  const result = await gitUtils.getFileOidsUnderPath("/fake/path");
+  try {
+    const result = await gitUtils.getFileOidsUnderPath("/fake/path");
 
-  t.deepEqual(result, {
-    "lib/git-utils.js": "30d998ded095371488be3a729eb61d86ed721a18",
-    "lib/git-utils.js.map": "d89514599a9a99f22b4085766d40af7b99974827",
-    "src/git-utils.ts": "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96",
-  });
+    t.deepEqual(result, {
+      "lib/git-utils.js": "30d998ded095371488be3a729eb61d86ed721a18",
+      "lib/git-utils.js.map": "d89514599a9a99f22b4085766d40af7b99974827",
+      "src/git-utils.ts": "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96",
+    });
 
-  t.deepEqual(runGitCommandStub.firstCall.args, [
-    "/fake/path",
-    ["ls-files", "--recurse-submodules", "--format=%(objectname)_%(path)"],
-    "Cannot list Git OIDs of tracked files.",
-  ]);
+    t.deepEqual(runGitCommandStub.firstCall.args, [
+      "/fake/path",
+      ["ls-files", "--recurse-submodules", "--format=%(objectname)_%(path)"],
+      "Cannot list Git OIDs of tracked files.",
+    ]);
+  } finally {
+    runGitCommandStub.restore();
+  }
 });
 
 test("getFileOidsUnderPath handles quoted paths", async (t) => {
-  sinon
+  const runGitCommandStub = sinon
     .stub(gitUtils as any, "runGitCommand")
     .resolves(
       "30d998ded095371488be3a729eb61d86ed721a18_lib/normal-file.js\n" +
@@ -339,24 +343,34 @@ test("getFileOidsUnderPath handles quoted paths", async (t) => {
         'a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_"lib/file\\twith\\ttabs.js"',
     );
 
-  const result = await gitUtils.getFileOidsUnderPath("/fake/path");
+  try {
+    const result = await gitUtils.getFileOidsUnderPath("/fake/path");
 
-  t.deepEqual(result, {
-    "lib/normal-file.js": "30d998ded095371488be3a729eb61d86ed721a18",
-    "lib/file with spaces.js": "d89514599a9a99f22b4085766d40af7b99974827",
-    "lib/file\twith\ttabs.js": "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96",
-  });
+    t.deepEqual(result, {
+      "lib/normal-file.js": "30d998ded095371488be3a729eb61d86ed721a18",
+      "lib/file with spaces.js": "d89514599a9a99f22b4085766d40af7b99974827",
+      "lib/file\twith\ttabs.js": "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96",
+    });
+  } finally {
+    runGitCommandStub.restore();
+  }
 });
 
 test("getFileOidsUnderPath handles empty output", async (t) => {
-  sinon.stub(gitUtils as any, "runGitCommand").resolves("");
+  const runGitCommandStub = sinon
+    .stub(gitUtils as any, "runGitCommand")
+    .resolves("");
 
-  const result = await gitUtils.getFileOidsUnderPath("/fake/path");
-  t.deepEqual(result, {});
+  try {
+    const result = await gitUtils.getFileOidsUnderPath("/fake/path");
+    t.deepEqual(result, {});
+  } finally {
+    runGitCommandStub.restore();
+  }
 });
 
 test("getFileOidsUnderPath throws on unexpected output format", async (t) => {
-  sinon
+  const runGitCommandStub = sinon
     .stub(gitUtils as any, "runGitCommand")
     .resolves(
       "30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js\n" +
@@ -364,60 +378,17 @@ test("getFileOidsUnderPath throws on unexpected output format", async (t) => {
         "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_src/git-utils.ts",
     );
 
-  await t.throwsAsync(
-    async () => {
-      await gitUtils.getFileOidsUnderPath("/fake/path");
-    },
-    {
-      instanceOf: Error,
-      message: 'Unexpected "git ls-files" output: invalid-line-format',
-    },
-  );
-});
-
-test("getGitVersionOrThrow returns version for valid git output", async (t) => {
-  sinon.stub(gitUtils as any, "runGitCommand").resolves("git version 2.40.0\n");
-
-  const version = await gitUtils.getGitVersionOrThrow();
-  t.is(version, "2.40.0");
-});
-
-test("getGitVersionOrThrow throws for invalid git output", async (t) => {
-  sinon.stub(gitUtils as any, "runGitCommand").resolves("invalid output");
-
-  await t.throwsAsync(
-    async () => {
-      await gitUtils.getGitVersionOrThrow();
-    },
-    {
-      instanceOf: Error,
-      message: "Could not parse Git version from output: invalid output",
-    },
-  );
-});
-
-test("getGitVersionOrThrow handles Windows-style git output", async (t) => {
-  sinon
-    .stub(gitUtils as any, "runGitCommand")
-    .resolves("git version 2.40.0.windows.1\n");
-
-  const version = await gitUtils.getGitVersionOrThrow();
-  // Should extract just the major.minor.patch portion
-  t.is(version, "2.40.0");
-});
-
-test("getGitVersionOrThrow throws when git command fails", async (t) => {
-  sinon
-    .stub(gitUtils as any, "runGitCommand")
-    .rejects(new Error("git not found"));
-
-  await t.throwsAsync(
-    async () => {
-      await gitUtils.getGitVersionOrThrow();
-    },
-    {
-      instanceOf: Error,
-      message: "git not found",
-    },
-  );
+  try {
+    await t.throwsAsync(
+      async () => {
+        await gitUtils.getFileOidsUnderPath("/fake/path");
+      },
+      {
+        instanceOf: Error,
+        message: 'Unexpected "git ls-files" output: invalid-line-format',
+      },
+    );
+  } finally {
+    runGitCommandStub.restore();
+  }
 });

src/git-utils.ts

@@ -9,34 +9,6 @@ import {
 } from "./actions-util";
 import { ConfigurationError, getRequiredEnvParam } from "./util";
 
-/**
- * Minimum Git version required for overlay analysis. The `git ls-files --format`
- * option, which is used by `getFileOidsUnderPath`, was introduced in Git 2.38.0.
- */
-export const GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.38.0";
-
-/**
- * Gets the version of Git installed on the system and throws an error if
- * the version cannot be determined.
- *
- * @returns The Git version string (e.g., "2.40.0").
- * @throws {Error} if the version could not be determined.
- */
-export async function getGitVersionOrThrow(): Promise<string> {
-  const stdout = await runGitCommand(
-    undefined,
-    ["--version"],
-    "Failed to get git version.",
-  );
-  // Git version output can vary: "git version 2.40.0" or "git version 2.40.0.windows.1"
-  // We capture just the major.minor.patch portion to ensure semver compatibility.
-  const match = stdout.match(/git version (\d+\.\d+\.\d+)/);
-  if (match?.[1]) {
-    return match[1];
-  }
-  throw new Error(`Could not parse Git version from output: ${stdout.trim()}`);
-}
-
 export const runGitCommand = async function (
   workingDirectory: string | undefined,
   args: string[],

src/init-action.ts

@@ -33,7 +33,6 @@ import {
   flushDiagnostics,
   logUnwrittenDiagnostics,
   makeDiagnostic,
-  makeTelemetryDiagnostic,
 } from "./diagnostics";
 import { EnvVar } from "./environment";
 import { Feature, Features } from "./feature-flags";
@@ -426,10 +425,17 @@ async function run() {
         // Arbitrarily choose the first language. We could also choose all languages, but that
         // increases the risk of misinterpreting the data.
         config.languages[0],
-        makeTelemetryDiagnostic(
+        makeDiagnostic(
           "codeql-action/bundle-download-telemetry",
           "CodeQL bundle download telemetry",
-          toolsDownloadStatusReport,
+          {
+            attributes: toolsDownloadStatusReport,
+            visibility: {
+              cliSummaryTable: false,
+              statusPage: false,
+              telemetry: true,
+            },
+          },
         ),
       );
     }
@@ -788,10 +794,17 @@ async function recordZstdAvailability(
     // Arbitrarily choose the first language. We could also choose all languages, but that
     // increases the risk of misinterpreting the data.
     config.languages[0],
-    makeTelemetryDiagnostic(
+    makeDiagnostic(
       "codeql-action/zstd-availability",
       "Zstandard availability",
-      zstdAvailability,
+      {
+        attributes: zstdAvailability,
+        visibility: {
+          cliSummaryTable: false,
+          statusPage: false,
+          telemetry: true,
+        },
+      },
     ),
   );
 }

src/testing-utils.ts

@@ -152,27 +152,38 @@ export interface LoggedMessage {
   message: string | Error;
 }
 
-export function getRecordingLogger(messages: LoggedMessage[]): Logger {
+export function getRecordingLogger(
+  messages: LoggedMessage[],
+  { logToConsole }: { logToConsole?: boolean } = { logToConsole: true },
+): Logger {
   return {
     debug: (message: string) => {
       messages.push({ type: "debug", message });
-      // eslint-disable-next-line no-console
-      console.debug(message);
+      if (logToConsole) {
+        // eslint-disable-next-line no-console
+        console.debug(message);
+      }
     },
     info: (message: string) => {
       messages.push({ type: "info", message });
-      // eslint-disable-next-line no-console
-      console.info(message);
+      if (logToConsole) {
+        // eslint-disable-next-line no-console
+        console.info(message);
+      }
     },
     warning: (message: string | Error) => {
       messages.push({ type: "warning", message });
-      // eslint-disable-next-line no-console
-      console.warn(message);
+      if (logToConsole) {
+        // eslint-disable-next-line no-console
+        console.warn(message);
+      }
     },
     error: (message: string | Error) => {
       messages.push({ type: "error", message });
-      // eslint-disable-next-line no-console
-      console.error(message);
+      if (logToConsole) {
+        // eslint-disable-next-line no-console
+        console.error(message);
+      }
     },
     isDebug: () => true,
     startGroup: () => undefined,