Update changelog for v3.28.21

CHANGELOG.md

@@ -2,6 +2,14 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## 3.28.21 - 28 July 2025
+
+No user facing changes.
+
+## 3.28.20 - 21 July 2025
+
+- Remove support for combining SARIF files from a single upload for GHES 3.18, see [the changelog post](https://github.blog/changelog/2024-05-06-code-scanning-will-stop-combining-runs-from-a-single-upload/). [#2959](https://github.com/github/codeql-action/pull/2959)
+
 ## 3.28.18 - 16 May 2025
 
 - Update default CodeQL bundle version to 2.21.3. [#2893](https://github.com/github/codeql-action/pull/2893)

lib/api-compatibility.json

@@ -1 +1 @@
-{ "maximumVersion": "3.17", "minimumVersion": "3.13" }
+{ "maximumVersion": "3.18", "minimumVersion": "3.13" }

lib/feature-flags.js

@@ -61,6 +61,7 @@ var Feature;
     Feature["CppBuildModeNone"] = "cpp_build_mode_none";
     Feature["CppDependencyInstallation"] = "cpp_dependency_installation_enabled";
     Feature["DiffInformedQueries"] = "diff_informed_queries";
+    Feature["DisableCombineSarifFiles"] = "disable_combine_sarif_files";
     Feature["DisableCsharpBuildless"] = "disable_csharp_buildless";
     Feature["DisableJavaBuildlessEnabled"] = "disable_java_buildless_enabled";
     Feature["DisableKotlinAnalysisEnabled"] = "disable_kotlin_analysis_enabled";
@@ -98,6 +99,11 @@ exports.featureConfig = {
         envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
         minimumVersion: "2.21.0",
     },
+    [Feature.DisableCombineSarifFiles]: {
+        defaultValue: false,
+        envVar: "CODEQL_ACTION_DISABLE_COMBINE_SARIF_FILES",
+        minimumVersion: undefined,
+    },
     [Feature.DisableCsharpBuildless]: {
         defaultValue: false,
         envVar: "CODEQL_ACTION_DISABLE_CSHARP_BUILDLESS",

lib/upload-lib.js

@@ -38,6 +38,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.InvalidSarifUploadError = void 0;
 exports.shouldShowCombineSarifFilesDeprecationWarning = shouldShowCombineSarifFilesDeprecationWarning;
+exports.throwIfCombineSarifFilesDisabled = throwIfCombineSarifFilesDisabled;
 exports.populateRunAutomationDetails = populateRunAutomationDetails;
 exports.findSarifFilesInDir = findSarifFilesInDir;
 exports.readSarifFile = readSarifFile;
@@ -54,7 +55,6 @@ const zlib_1 = __importDefault(require("zlib"));
 const core = __importStar(require("@actions/core"));
 const file_url_1 = __importDefault(require("file-url"));
 const jsonschema = __importStar(require("jsonschema"));
-const semver = __importStar(require("semver"));
 const actionsUtil = __importStar(require("./actions-util"));
 const actions_util_1 = require("./actions-util");
 const api = __importStar(require("./api-client"));
@@ -63,6 +63,7 @@ const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const diff_informed_analysis_utils_1 = require("./diff-informed-analysis-utils");
 const environment_1 = require("./environment");
+const feature_flags_1 = require("./feature-flags");
 const fingerprints = __importStar(require("./fingerprints"));
 const gitUtils = __importStar(require("./git-utils"));
 const init_1 = require("./init");
@@ -136,7 +137,7 @@ function areAllRunsUnique(sarifObjects) {
 async function shouldShowCombineSarifFilesDeprecationWarning(sarifObjects, githubVersion) {
     // Do not show this warning on GHES versions before 3.14.0
     if (githubVersion.type === util_1.GitHubVariant.GHES &&
-        semver.lt(githubVersion.version, "3.14.0")) {
+        (0, util_1.satisfiesGHESVersion)(githubVersion.version, "<3.14", true)) {
         return false;
     }
     // Only give a deprecation warning when not all runs are unique and
@@ -144,6 +145,36 @@ async function shouldShowCombineSarifFilesDeprecationWarning(sarifObjects, githu
     return (!areAllRunsUnique(sarifObjects) &&
         !process.env.CODEQL_MERGE_SARIF_DEPRECATION_WARNING);
 }
+async function throwIfCombineSarifFilesDisabled(sarifObjects, features, githubVersion) {
+    if (!(await shouldDisableCombineSarifFiles(sarifObjects, features, githubVersion))) {
+        return;
+    }
+    // TODO: Update this changelog URL to the correct one when it's published.
+    const deprecationMoreInformationMessage = "For more information, see https://github.blog/changelog/2024-05-06-code-scanning-will-stop-combining-runs-from-a-single-upload";
+    throw new util_1.ConfigurationError(`The CodeQL Action does not support uploading multiple SARIF runs with the same category. Please update your workflow to upload a single run per category. ${deprecationMoreInformationMessage}`);
+}
+// Checks whether combining SARIF files should be disabled.
+async function shouldDisableCombineSarifFiles(sarifObjects, features, githubVersion) {
+    if (githubVersion.type === util_1.GitHubVariant.GHES) {
+        // Never block on GHES versions before 3.18.
+        if ((0, util_1.satisfiesGHESVersion)(githubVersion.version, "<3.18", true)) {
+            return false;
+        }
+    }
+    else {
+        // Never block when the feature flag is disabled.
+        if (!(await features.getValue(feature_flags_1.Feature.DisableCombineSarifFiles))) {
+            return false;
+        }
+    }
+    if (areAllRunsUnique(sarifObjects)) {
+        // If all runs are unique, we can safely combine them.
+        return false;
+    }
+    // Combining SARIF files is not supported and Code Scanning will return an
+    // error if multiple runs with the same category are uploaded.
+    return true;
+}
 // Takes a list of paths to sarif files and combines them together using the
 // CLI `github merge-results` command when all SARIF files are produced by
 // CodeQL. Otherwise, it will fall back to combining the files in the action.
@@ -158,9 +189,10 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
     });
     const deprecationWarningMessage = gitHubVersion.type === util_1.GitHubVariant.GHES
         ? "and will be removed in GitHub Enterprise Server 3.18"
-        : "and will be removed on June 4, 2025";
+        : "and will be removed in July 2025";
     const deprecationMoreInformationMessage = "For more information, see https://github.blog/changelog/2024-05-06-code-scanning-will-stop-combining-runs-from-a-single-upload";
     if (!areAllRunsProducedByCodeQL(sarifObjects)) {
+        await throwIfCombineSarifFilesDisabled(sarifObjects, features, gitHubVersion);
         logger.debug("Not all SARIF files were produced by CodeQL. Merging files in the action.");
         if (await shouldShowCombineSarifFilesDeprecationWarning(sarifObjects, gitHubVersion)) {
             logger.warning(`Uploading multiple SARIF runs with the same category is deprecated ${deprecationWarningMessage}. Please update your workflow to upload a single run per category. ${deprecationMoreInformationMessage}`);
@@ -192,6 +224,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
         codeQL = initCodeQLResult.codeql;
     }
     if (!(await codeQL.supportsFeature(tools_features_1.ToolsFeature.SarifMergeRunsFromEqualCategory))) {
+        await throwIfCombineSarifFilesDisabled(sarifObjects, features, gitHubVersion);
         logger.warning("The CodeQL CLI does not support merging SARIF files. Merging files in the action.");
         if (await shouldShowCombineSarifFilesDeprecationWarning(sarifObjects, gitHubVersion)) {
             logger.warning(`Uploading multiple CodeQL runs with the same category is deprecated ${deprecationWarningMessage} for CodeQL CLI 2.16.6 and earlier. Please update your CodeQL CLI version or update your workflow to set a distinct category for each CodeQL run. ${deprecationMoreInformationMessage}`);

lib/upload-lib.test.js

@@ -39,6 +39,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const ava_1 = __importDefault(require("ava"));
+const feature_flags_1 = require("./feature-flags");
 const logging_1 = require("./logging");
 const testing_utils_1 = require("./testing-utils");
 const uploadLib = __importStar(require("./upload-lib"));
@@ -223,6 +224,12 @@ ava_1.default.beforeEach(() => {
         version: "3.14.0",
     }));
 });
+(0, ava_1.default)("shouldShowCombineSarifFilesDeprecationWarning when on GHES 3.16 pre", async (t) => {
+    t.true(await uploadLib.shouldShowCombineSarifFilesDeprecationWarning([createMockSarif("abc", "def"), createMockSarif("abc", "def")], {
+        type: util_1.GitHubVariant.GHES,
+        version: "3.16.0.pre1",
+    }));
+});
 (0, ava_1.default)("shouldShowCombineSarifFilesDeprecationWarning with only 1 run", async (t) => {
     t.false(await uploadLib.shouldShowCombineSarifFilesDeprecationWarning([createMockSarif("abc", "def")], {
         type: util_1.GitHubVariant.DOTCOM,
@@ -244,6 +251,81 @@ ava_1.default.beforeEach(() => {
         type: util_1.GitHubVariant.DOTCOM,
     }));
 });
+(0, ava_1.default)("throwIfCombineSarifFilesDisabled when on dotcom with feature flag", async (t) => {
+    await t.throwsAsync(uploadLib.throwIfCombineSarifFilesDisabled([createMockSarif("abc", "def"), createMockSarif("abc", "def")], (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.DisableCombineSarifFiles]), {
+        type: util_1.GitHubVariant.DOTCOM,
+    }), {
+        message: /The CodeQL Action does not support uploading multiple SARIF runs with the same category/,
+    });
+});
+(0, ava_1.default)("throwIfCombineSarifFilesDisabled when on dotcom without feature flag", async (t) => {
+    await t.notThrowsAsync(uploadLib.throwIfCombineSarifFilesDisabled([createMockSarif("abc", "def"), createMockSarif("abc", "def")], (0, testing_utils_1.createFeatures)([]), {
+        type: util_1.GitHubVariant.DOTCOM,
+    }));
+});
+(0, ava_1.default)("throwIfCombineSarifFilesDisabled when on GHES 3.13", async (t) => {
+    await t.notThrowsAsync(uploadLib.throwIfCombineSarifFilesDisabled([createMockSarif("abc", "def"), createMockSarif("abc", "def")], (0, testing_utils_1.createFeatures)([]), {
+        type: util_1.GitHubVariant.GHES,
+        version: "3.13.2",
+    }));
+});
+(0, ava_1.default)("throwIfCombineSarifFilesDisabled when on GHES 3.14", async (t) => {
+    await t.notThrowsAsync(uploadLib.throwIfCombineSarifFilesDisabled([createMockSarif("abc", "def"), createMockSarif("abc", "def")], (0, testing_utils_1.createFeatures)([]), {
+        type: util_1.GitHubVariant.GHES,
+        version: "3.14.0",
+    }));
+});
+(0, ava_1.default)("throwIfCombineSarifFilesDisabled when on GHES 3.17", async (t) => {
+    await t.notThrowsAsync(uploadLib.throwIfCombineSarifFilesDisabled([createMockSarif("abc", "def"), createMockSarif("abc", "def")], (0, testing_utils_1.createFeatures)([]), {
+        type: util_1.GitHubVariant.GHES,
+        version: "3.17.0",
+    }));
+});
+(0, ava_1.default)("throwIfCombineSarifFilesDisabled when on GHES 3.18 pre", async (t) => {
+    await t.throwsAsync(uploadLib.throwIfCombineSarifFilesDisabled([createMockSarif("abc", "def"), createMockSarif("abc", "def")], (0, testing_utils_1.createFeatures)([]), {
+        type: util_1.GitHubVariant.GHES,
+        version: "3.18.0.pre1",
+    }), {
+        message: /The CodeQL Action does not support uploading multiple SARIF runs with the same category/,
+    });
+});
+(0, ava_1.default)("throwIfCombineSarifFilesDisabled when on GHES 3.18 alpha", async (t) => {
+    await t.throwsAsync(uploadLib.throwIfCombineSarifFilesDisabled([createMockSarif("abc", "def"), createMockSarif("abc", "def")], (0, testing_utils_1.createFeatures)([]), {
+        type: util_1.GitHubVariant.GHES,
+        version: "3.18.0-alpha.1",
+    }), {
+        message: /The CodeQL Action does not support uploading multiple SARIF runs with the same category/,
+    });
+});
+(0, ava_1.default)("throwIfCombineSarifFilesDisabled when on GHES 3.18", async (t) => {
+    await t.throwsAsync(uploadLib.throwIfCombineSarifFilesDisabled([createMockSarif("abc", "def"), createMockSarif("abc", "def")], (0, testing_utils_1.createFeatures)([]), {
+        type: util_1.GitHubVariant.GHES,
+        version: "3.18.0",
+    }), {
+        message: /The CodeQL Action does not support uploading multiple SARIF runs with the same category/,
+    });
+});
+(0, ava_1.default)("throwIfCombineSarifFilesDisabled with an invalid GHES version", async (t) => {
+    await t.notThrowsAsync(uploadLib.throwIfCombineSarifFilesDisabled([createMockSarif("abc", "def"), createMockSarif("abc", "def")], (0, testing_utils_1.createFeatures)([]), {
+        type: util_1.GitHubVariant.GHES,
+        version: "foobar",
+    }));
+});
+(0, ava_1.default)("throwIfCombineSarifFilesDisabled with only 1 run", async (t) => {
+    await t.notThrowsAsync(uploadLib.throwIfCombineSarifFilesDisabled([createMockSarif("abc", "def")], (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.DisableCombineSarifFiles]), {
+        type: util_1.GitHubVariant.DOTCOM,
+    }));
+});
+(0, ava_1.default)("throwIfCombineSarifFilesDisabled with distinct categories", async (t) => {
+    await t.notThrowsAsync(uploadLib.throwIfCombineSarifFilesDisabled([createMockSarif("abc", "def"), createMockSarif("def", "def")], (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.DisableCombineSarifFiles]), {
+        type: util_1.GitHubVariant.DOTCOM,
+    }));
+});
+(0, ava_1.default)("throwIfCombineSarifFilesDisabled with distinct tools", async (t) => {
+    await t.notThrowsAsync(uploadLib.throwIfCombineSarifFilesDisabled([createMockSarif("abc", "abc"), createMockSarif("abc", "def")], (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.DisableCombineSarifFiles]), {
+        type: util_1.GitHubVariant.DOTCOM,
+    }));
+});
 (0, ava_1.default)("shouldConsiderConfigurationError correctly detects configuration errors", (t) => {
     const error1 = [
         "CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled",

lib/util.js

@@ -77,6 +77,7 @@ exports.getErrorMessage = getErrorMessage;
 exports.prettyPrintPack = prettyPrintPack;
 exports.checkDiskUsage = checkDiskUsage;
 exports.checkActionVersion = checkActionVersion;
+exports.satisfiesGHESVersion = satisfiesGHESVersion;
 exports.cloneObject = cloneObject;
 exports.checkSipEnablement = checkSipEnablement;
 exports.cleanUpGlob = cleanUpGlob;
@@ -887,6 +888,24 @@ function checkActionVersion(version, githubVersion) {
         }
     }
 }
+/**
+ * This will check whether the given GitHub version satisfies the given range,
+ * taking into account that a range like >=3.18 will also match the GHES 3.18
+ * pre-release/RC versions.
+ *
+ * When the given `githubVersion` is not a GHES version, or if the version
+ * is invalid, this will return `defaultIfInvalid`.
+ */
+function satisfiesGHESVersion(ghesVersion, range, defaultIfInvalid) {
+    const semverVersion = semver.coerce(ghesVersion);
+    if (semverVersion === null) {
+        return defaultIfInvalid;
+    }
+    // We always drop the pre-release part of the version, since anything that
+    // applies to GHES 3.18.0 should also apply to GHES 3.18.0.pre1.
+    semverVersion.prerelease = [];
+    return semver.satisfies(semverVersion, range);
+}
 /**
  * Supported build modes.
  *

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.28.18",
+  "version": "3.28.20",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "3.28.18",
+  "version": "3.28.20",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "3.28.18",
+      "version": "3.28.20",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^2.3.1",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.28.18",
+  "version": "3.28.20",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

src/api-compatibility.json

@@ -1 +1 @@
-{"maximumVersion": "3.17", "minimumVersion": "3.13"}
+{"maximumVersion": "3.18", "minimumVersion": "3.13"}

src/feature-flags.ts

@@ -46,6 +46,7 @@ export enum Feature {
   CppBuildModeNone = "cpp_build_mode_none",
   CppDependencyInstallation = "cpp_dependency_installation_enabled",
   DiffInformedQueries = "diff_informed_queries",
+  DisableCombineSarifFiles = "disable_combine_sarif_files",
   DisableCsharpBuildless = "disable_csharp_buildless",
   DisableJavaBuildlessEnabled = "disable_java_buildless_enabled",
   DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
@@ -114,6 +115,11 @@ export const featureConfig: Record<
     envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
     minimumVersion: "2.21.0",
   },
+  [Feature.DisableCombineSarifFiles]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_DISABLE_COMBINE_SARIF_FILES",
+    minimumVersion: undefined,
+  },
   [Feature.DisableCsharpBuildless]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_CSHARP_BUILDLESS",

src/upload-lib.test.ts

@@ -3,8 +3,9 @@ import * as path from "path";
 
 import test from "ava";
 
+import { Feature } from "./feature-flags";
 import { getRunnerLogger, Logger } from "./logging";
-import { setupTests } from "./testing-utils";
+import { createFeatures, setupTests } from "./testing-utils";
 import * as uploadLib from "./upload-lib";
 import { GitHubVariant, initializeEnvironment, withTmpDir } from "./util";
 
@@ -371,6 +372,18 @@ test("shouldShowCombineSarifFilesDeprecationWarning when on GHES 3.14", async (t
   );
 });
 
+test("shouldShowCombineSarifFilesDeprecationWarning when on GHES 3.16 pre", async (t) => {
+  t.true(
+    await uploadLib.shouldShowCombineSarifFilesDeprecationWarning(
+      [createMockSarif("abc", "def"), createMockSarif("abc", "def")],
+      {
+        type: GitHubVariant.GHES,
+        version: "3.16.0.pre1",
+      },
+    ),
+  );
+});
+
 test("shouldShowCombineSarifFilesDeprecationWarning with only 1 run", async (t) => {
   t.false(
     await uploadLib.shouldShowCombineSarifFilesDeprecationWarning(
@@ -417,6 +430,173 @@ test("shouldShowCombineSarifFilesDeprecationWarning when environment variable is
   );
 });
 
+test("throwIfCombineSarifFilesDisabled when on dotcom with feature flag", async (t) => {
+  await t.throwsAsync(
+    uploadLib.throwIfCombineSarifFilesDisabled(
+      [createMockSarif("abc", "def"), createMockSarif("abc", "def")],
+      createFeatures([Feature.DisableCombineSarifFiles]),
+      {
+        type: GitHubVariant.DOTCOM,
+      },
+    ),
+    {
+      message:
+        /The CodeQL Action does not support uploading multiple SARIF runs with the same category/,
+    },
+  );
+});
+
+test("throwIfCombineSarifFilesDisabled when on dotcom without feature flag", async (t) => {
+  await t.notThrowsAsync(
+    uploadLib.throwIfCombineSarifFilesDisabled(
+      [createMockSarif("abc", "def"), createMockSarif("abc", "def")],
+      createFeatures([]),
+      {
+        type: GitHubVariant.DOTCOM,
+      },
+    ),
+  );
+});
+
+test("throwIfCombineSarifFilesDisabled when on GHES 3.13", async (t) => {
+  await t.notThrowsAsync(
+    uploadLib.throwIfCombineSarifFilesDisabled(
+      [createMockSarif("abc", "def"), createMockSarif("abc", "def")],
+      createFeatures([]),
+      {
+        type: GitHubVariant.GHES,
+        version: "3.13.2",
+      },
+    ),
+  );
+});
+
+test("throwIfCombineSarifFilesDisabled when on GHES 3.14", async (t) => {
+  await t.notThrowsAsync(
+    uploadLib.throwIfCombineSarifFilesDisabled(
+      [createMockSarif("abc", "def"), createMockSarif("abc", "def")],
+      createFeatures([]),
+      {
+        type: GitHubVariant.GHES,
+        version: "3.14.0",
+      },
+    ),
+  );
+});
+
+test("throwIfCombineSarifFilesDisabled when on GHES 3.17", async (t) => {
+  await t.notThrowsAsync(
+    uploadLib.throwIfCombineSarifFilesDisabled(
+      [createMockSarif("abc", "def"), createMockSarif("abc", "def")],
+      createFeatures([]),
+      {
+        type: GitHubVariant.GHES,
+        version: "3.17.0",
+      },
+    ),
+  );
+});
+
+test("throwIfCombineSarifFilesDisabled when on GHES 3.18 pre", async (t) => {
+  await t.throwsAsync(
+    uploadLib.throwIfCombineSarifFilesDisabled(
+      [createMockSarif("abc", "def"), createMockSarif("abc", "def")],
+      createFeatures([]),
+      {
+        type: GitHubVariant.GHES,
+        version: "3.18.0.pre1",
+      },
+    ),
+    {
+      message:
+        /The CodeQL Action does not support uploading multiple SARIF runs with the same category/,
+    },
+  );
+});
+
+test("throwIfCombineSarifFilesDisabled when on GHES 3.18 alpha", async (t) => {
+  await t.throwsAsync(
+    uploadLib.throwIfCombineSarifFilesDisabled(
+      [createMockSarif("abc", "def"), createMockSarif("abc", "def")],
+      createFeatures([]),
+      {
+        type: GitHubVariant.GHES,
+        version: "3.18.0-alpha.1",
+      },
+    ),
+    {
+      message:
+        /The CodeQL Action does not support uploading multiple SARIF runs with the same category/,
+    },
+  );
+});
+
+test("throwIfCombineSarifFilesDisabled when on GHES 3.18", async (t) => {
+  await t.throwsAsync(
+    uploadLib.throwIfCombineSarifFilesDisabled(
+      [createMockSarif("abc", "def"), createMockSarif("abc", "def")],
+      createFeatures([]),
+      {
+        type: GitHubVariant.GHES,
+        version: "3.18.0",
+      },
+    ),
+    {
+      message:
+        /The CodeQL Action does not support uploading multiple SARIF runs with the same category/,
+    },
+  );
+});
+
+test("throwIfCombineSarifFilesDisabled with an invalid GHES version", async (t) => {
+  await t.notThrowsAsync(
+    uploadLib.throwIfCombineSarifFilesDisabled(
+      [createMockSarif("abc", "def"), createMockSarif("abc", "def")],
+      createFeatures([]),
+      {
+        type: GitHubVariant.GHES,
+        version: "foobar",
+      },
+    ),
+  );
+});
+
+test("throwIfCombineSarifFilesDisabled with only 1 run", async (t) => {
+  await t.notThrowsAsync(
+    uploadLib.throwIfCombineSarifFilesDisabled(
+      [createMockSarif("abc", "def")],
+      createFeatures([Feature.DisableCombineSarifFiles]),
+      {
+        type: GitHubVariant.DOTCOM,
+      },
+    ),
+  );
+});
+
+test("throwIfCombineSarifFilesDisabled with distinct categories", async (t) => {
+  await t.notThrowsAsync(
+    uploadLib.throwIfCombineSarifFilesDisabled(
+      [createMockSarif("abc", "def"), createMockSarif("def", "def")],
+      createFeatures([Feature.DisableCombineSarifFiles]),
+      {
+        type: GitHubVariant.DOTCOM,
+      },
+    ),
+  );
+});
+
+test("throwIfCombineSarifFilesDisabled with distinct tools", async (t) => {
+  await t.notThrowsAsync(
+    uploadLib.throwIfCombineSarifFilesDisabled(
+      [createMockSarif("abc", "abc"), createMockSarif("abc", "def")],
+      createFeatures([Feature.DisableCombineSarifFiles]),
+      {
+        type: GitHubVariant.DOTCOM,
+      },
+    ),
+  );
+});
+
 test("shouldConsiderConfigurationError correctly detects configuration errors", (t) => {
   const error1 = [
     "CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled",

src/upload-lib.ts

@@ -6,7 +6,6 @@ import * as core from "@actions/core";
 import { OctokitResponse } from "@octokit/types";
 import fileUrl from "file-url";
 import * as jsonschema from "jsonschema";
-import * as semver from "semver";
 
 import * as actionsUtil from "./actions-util";
 import { getOptionalInput, getRequiredInput } from "./actions-util";
@@ -16,7 +15,7 @@ import { CodeQL, getCodeQL } from "./codeql";
 import { getConfig } from "./config-utils";
 import { readDiffRangesJsonFile } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
-import { FeatureEnablement } from "./feature-flags";
+import { Feature, FeatureEnablement } from "./feature-flags";
 import * as fingerprints from "./fingerprints";
 import * as gitUtils from "./git-utils";
 import { initCodeQL } from "./init";
@@ -30,6 +29,7 @@ import {
   getRequiredEnvParam,
   GitHubVariant,
   GitHubVersion,
+  satisfiesGHESVersion,
   SarifFile,
   SarifRun,
 } from "./util";
@@ -132,7 +132,7 @@ export async function shouldShowCombineSarifFilesDeprecationWarning(
   // Do not show this warning on GHES versions before 3.14.0
   if (
     githubVersion.type === GitHubVariant.GHES &&
-    semver.lt(githubVersion.version, "3.14.0")
+    satisfiesGHESVersion(githubVersion.version, "<3.14", true)
   ) {
     return false;
   }
@@ -145,6 +145,58 @@ export async function shouldShowCombineSarifFilesDeprecationWarning(
   );
 }
 
+export async function throwIfCombineSarifFilesDisabled(
+  sarifObjects: util.SarifFile[],
+  features: FeatureEnablement,
+  githubVersion: GitHubVersion,
+) {
+  if (
+    !(await shouldDisableCombineSarifFiles(
+      sarifObjects,
+      features,
+      githubVersion,
+    ))
+  ) {
+    return;
+  }
+
+  // TODO: Update this changelog URL to the correct one when it's published.
+  const deprecationMoreInformationMessage =
+    "For more information, see https://github.blog/changelog/2024-05-06-code-scanning-will-stop-combining-runs-from-a-single-upload";
+
+  throw new ConfigurationError(
+    `The CodeQL Action does not support uploading multiple SARIF runs with the same category. Please update your workflow to upload a single run per category. ${deprecationMoreInformationMessage}`,
+  );
+}
+
+// Checks whether combining SARIF files should be disabled.
+async function shouldDisableCombineSarifFiles(
+  sarifObjects: util.SarifFile[],
+  features: FeatureEnablement,
+  githubVersion: GitHubVersion,
+) {
+  if (githubVersion.type === GitHubVariant.GHES) {
+    // Never block on GHES versions before 3.18.
+    if (satisfiesGHESVersion(githubVersion.version, "<3.18", true)) {
+      return false;
+    }
+  } else {
+    // Never block when the feature flag is disabled.
+    if (!(await features.getValue(Feature.DisableCombineSarifFiles))) {
+      return false;
+    }
+  }
+
+  if (areAllRunsUnique(sarifObjects)) {
+    // If all runs are unique, we can safely combine them.
+    return false;
+  }
+
+  // Combining SARIF files is not supported and Code Scanning will return an
+  // error if multiple runs with the same category are uploaded.
+  return true;
+}
+
 // Takes a list of paths to sarif files and combines them together using the
 // CLI `github merge-results` command when all SARIF files are produced by
 // CodeQL. Otherwise, it will fall back to combining the files in the action.
@@ -167,11 +219,17 @@ async function combineSarifFilesUsingCLI(
   const deprecationWarningMessage =
     gitHubVersion.type === GitHubVariant.GHES
       ? "and will be removed in GitHub Enterprise Server 3.18"
-      : "and will be removed on June 4, 2025";
+      : "and will be removed in July 2025";
   const deprecationMoreInformationMessage =
     "For more information, see https://github.blog/changelog/2024-05-06-code-scanning-will-stop-combining-runs-from-a-single-upload";
 
   if (!areAllRunsProducedByCodeQL(sarifObjects)) {
+    await throwIfCombineSarifFilesDisabled(
+      sarifObjects,
+      features,
+      gitHubVersion,
+    );
+
     logger.debug(
       "Not all SARIF files were produced by CodeQL. Merging files in the action.",
     );
@@ -235,6 +293,12 @@ async function combineSarifFilesUsingCLI(
       ToolsFeature.SarifMergeRunsFromEqualCategory,
     ))
   ) {
+    await throwIfCombineSarifFilesDisabled(
+      sarifObjects,
+      features,
+      gitHubVersion,
+    );
+
     logger.warning(
       "The CodeQL CLI does not support merging SARIF files. Merging files in the action.",
     );

src/util.ts

@@ -1132,6 +1132,31 @@ export function checkActionVersion(
   }
 }
 
+/**
+ * This will check whether the given GitHub version satisfies the given range,
+ * taking into account that a range like >=3.18 will also match the GHES 3.18
+ * pre-release/RC versions.
+ *
+ * When the given `githubVersion` is not a GHES version, or if the version
+ * is invalid, this will return `defaultIfInvalid`.
+ */
+export function satisfiesGHESVersion(
+  ghesVersion: string,
+  range: string,
+  defaultIfInvalid: boolean,
+): boolean {
+  const semverVersion = semver.coerce(ghesVersion);
+  if (semverVersion === null) {
+    return defaultIfInvalid;
+  }
+
+  // We always drop the pre-release part of the version, since anything that
+  // applies to GHES 3.18.0 should also apply to GHES 3.18.0.pre1.
+  semverVersion.prerelease = [];
+
+  return semver.satisfies(semverVersion, range);
+}
+
 /**
  * Supported build modes.
  *