Merge pull request #1491 from github/update-v1.1.39-a34ca99b

Merge releases/v2 into releases/v1
Update checked-in dependencies
2025-12-07 00:08:06 +08:00 · 2023-01-18 19:25:27 +00:00 · 2023-01-18 18:25:04 +00:00 · 2023-01-18 18:16:30 +00:00 · 2023-01-18 18:16:28 +00:00 · 2023-01-18 18:16:28 +00:00
13304 changed files with 2685186 additions and 1261247 deletions
--- a/.eslintignore
+++ b/.eslintignore
@@ -0,0 +1,4 @@
+**/webpack.config.js
+lib/**
+src/testdata/**
+tests/**
--- a/.eslintrc.json
+++ b/.eslintrc.json
@@ -0,0 +1,59 @@
+
+{
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+        "project": "./tsconfig.json"
+    },
+    "plugins": ["@typescript-eslint", "filenames", "github", "import", "no-async-foreach"],
+    "extends": [
+        "eslint:recommended",
+        "plugin:@typescript-eslint/recommended",
+        "plugin:@typescript-eslint/recommended-requiring-type-checking",
+        "plugin:github/recommended",
+        "plugin:github/typescript",
+        "plugin:import/typescript"
+    ],
+    "rules": {
+        "filenames/match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
+        "i18n-text/no-en": "off",
+        "import/extensions": "error",
+        "import/no-amd": "error",
+        "import/no-commonjs": "error",
+        "import/no-dynamic-require": "error",
+        // Disable the rule that checks that devDependencies aren't imported since we use a single
+        // linting configuration file for both source and test code.
+        "import/no-extraneous-dependencies": ["error", {"devDependencies": true}],
+        "import/no-namespace": "off",
+        "import/no-unresolved": "error",
+        "import/no-webpack-loader-syntax": "error",
+        "import/order": ["error", {
+            "alphabetize": {"order": "asc"},
+            "newlines-between": "always"
+        }],
+        "no-async-foreach/no-async-foreach": "error",
+        "no-console": "off",
+        "no-sequences": "error",
+        "no-shadow": "off",
+        "@typescript-eslint/no-shadow": ["error"],
+        "one-var": ["error", "never"]
+    },
+    "overrides": [{
+        // "temporarily downgraded during transition to eslint
+        "files": "**",
+        "rules": {
+            "@typescript-eslint/ban-types": "off",
+            "@typescript-eslint/explicit-module-boundary-types": "off",
+            "@typescript-eslint/no-explicit-any": "off",
+            "@typescript-eslint/no-unsafe-assignment": "off",
+            "@typescript-eslint/no-unsafe-call": "off",
+            "@typescript-eslint/no-unsafe-member-access": "off",
+            "@typescript-eslint/no-unsafe-return": "off",
+            "@typescript-eslint/no-var-requires": "off",
+            "@typescript-eslint/prefer-regexp-exec": "off",
+            "@typescript-eslint/require-await": "off",
+            "@typescript-eslint/restrict-template-expressions": "off",
+            "func-style": "off",
+            "sort-imports": "off"
+        }
+    }]
+}
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -1,3 +0,0 @@
-# .git-blame-ignore-revs
-# Added trailing commas to adhere to new eslint rules
-b16296be30e150034524d6dd0b0418fc6b184267
--- a/.github/actions/check-codescanning-config/action.yml
+++ b/.github/actions/check-codescanning-config/action.yml
@@ -1,72 +0,0 @@
-name: Check Code-Scanning Config
-description: |
-    Checks the code scanning configuration file generated by the
-    action to ensure it contains the expected contents
-inputs:
-  languages:
-    required: false
-    description: The languages field passed to the init action.
-
-  packs:
-    required: false
-    description: The packs field passed to the init action.
-
-  queries:
-    required: false
-    description: The queries field passed to the init action.
-
-  config-file-test:
-    required: false
-    description: |
-      The location of the config file to use. If empty,
-      then no config file is used.
-
-  expected-config-file-contents:
-    required: true
-    description: |
-      A JSON string containing the exact contents of the config file.
-
-  tools:
-    required: true
-    description: |
-      The version of CodeQL passed to the `tools` input of the init action.
-      This can be any of the following:
-
-      - A local path to a tarball containing the CodeQL tools, or
-      - A URL to a GitHub release assets containing the CodeQL tools, or
-      - A special value `linked` which is forcing the use of the CodeQL tools
-        that the action has been bundled with.
-
-      If not specified, the Action will check in several places until it finds
-      the CodeQL tools.
-
-runs:
-  using: composite
-  steps:
-    - uses: ./../action/init
-      with:
-        languages: ${{ inputs.languages }}
-        config-file: ${{ inputs.config-file-test }}
-        queries: ${{ inputs.queries }}
-        packs: ${{ inputs.packs }}
-        tools: ${{ inputs.tools }}
-        db-location: ${{ runner.temp }}/codescanning-config-cli-test
-      env:
-        CODEQL_ACTION_TEST_MODE: 'true'
-
-    - name: Install dependencies
-      shell: bash
-      run: npm install --location=global ts-node js-yaml
-
-    - name: Check config
-      working-directory: ${{ github.action_path }}
-      shell: bash
-      env:
-        EXPECTED_CONFIG_FILE_CONTENTS: '${{ inputs.expected-config-file-contents }}'
-      run: ts-node ./index.ts "$RUNNER_TEMP/user-config.yaml" "$EXPECTED_CONFIG_FILE_CONTENTS"
-    - name: Clean up
-      shell: bash
-      if: always()
-      run: |
-        rm -rf $RUNNER_TEMP/codescanning-config-cli-test
-        rm -rf $RUNNER_TEMP/user-config.yaml
--- a/.github/actions/check-codescanning-config/index.ts
+++ b/.github/actions/check-codescanning-config/index.ts
@@ -1,49 +0,0 @@
-
-import * as core from '@actions/core'
-import * as yaml from 'js-yaml'
-import * as fs from 'fs'
-import * as assert from 'assert'
-
-const actualConfig = loadActualConfig()
-
-function sortConfigArrays(config) {
-  for (const key of Object.keys(config)) {
-    const value = config[key];
-    if (key === 'queries' && Array.isArray(value)) {
-      config[key] = value.sort();
-    }
-  }
-  return config;
-}
-
-const rawExpectedConfig = process.argv[3].trim()
-if (!rawExpectedConfig) {
-  core.setFailed('No expected configuration provided')
-} else {
-  core.startGroup('Expected generated user config')
-  core.info(yaml.dump(JSON.parse(rawExpectedConfig)))
-  core.endGroup()
-}
-
-const expectedConfig = rawExpectedConfig ? JSON.parse(rawExpectedConfig) : undefined;
-
-assert.deepStrictEqual(
-  sortConfigArrays(actualConfig),
-  sortConfigArrays(expectedConfig),
-  'Expected configuration does not match actual configuration'
-);
-
-
-function loadActualConfig() {
-  if (!fs.existsSync(process.argv[2])) {
-    core.info('No configuration file found')
-    return undefined
-  } else {
-    const rawActualConfig = fs.readFileSync(process.argv[2], 'utf8')
-    core.startGroup('Actual generated user config')
-    core.info(rawActualConfig)
-    core.endGroup()
-
-    return yaml.load(rawActualConfig)
-  }
-}
--- a/.github/actions/check-sarif/action.yml
+++ b/.github/actions/check-sarif/action.yml
@@ -1,20 +0,0 @@
-name: Check SARIF
-description: Checks a SARIF file to see if certain queries were run and others were not run.
-inputs:
-  sarif-file:
-    required: true
-    description: The SARIF file to check
-
-  queries-run:
-    required: true
-    description: |
-      Comma separated list of query ids that should be included in this SARIF file.
-
-  queries-not-run:
-    required: true
-    description: |
-      Comma separated list of query ids that should NOT be included in this SARIF file.
-
-runs:
-  using: node24
-  main: index.js
--- a/.github/actions/prepare-mergeback-branch/action.yml
+++ b/.github/actions/prepare-mergeback-branch/action.yml
@@ -1,80 +0,0 @@
-name: "Prepare mergeback branch"
-description: Prepares a mergeback branch and opens a PR for it
-inputs:
-  base:
-    description: "The name of the base branch"
-    required: true
-  head:
-    description: "The name of the head branch"
-    required: true
-  branch:
-    description: "The name of the branch to create."
-    required: true
-  version:
-    description: "The new version"
-    required: true
-  token:
-    description: "The token to use"
-    required: true
-  dry-run:
-    description: "Set to true to skip creating the PR. The branch will still be pushed."
-    default: "false"
-runs:
-  using: composite
-  steps:
-    - name: Create mergeback branch
-      shell: bash
-      env:
-        VERSION: "${{ inputs.version }}"
-        NEW_BRANCH: "${{ inputs.branch }}"
-      run: |
-        set -exu
-
-        # Ensure we are on the new branch
-        git checkout "${NEW_BRANCH}"
-
-        # Update the version number ready for the next release
-        npm version patch --no-git-tag-version
-
-        # Update the changelog, adding a new version heading directly above the most recent existing one
-        awk '!f && /##/{print "'"## [UNRELEASED]\n\nNo user facing changes.\n"'"; f=1}1' CHANGELOG.md > temp && mv temp CHANGELOG.md
-        git add .
-        git commit -m "Update changelog and version after ${VERSION}"
-
-        git push origin "${NEW_BRANCH}"
-
-    - name: Create PR
-      shell: bash
-      if: inputs.dry-run != 'true'
-      env:
-        VERSION: "${{ inputs.version }}"
-        BASE_BRANCH: "${{ inputs.base }}"
-        HEAD_BRANCH: "${{ inputs.head }}"
-        NEW_BRANCH: "${{ inputs.branch }}"
-        GITHUB_TOKEN: "${{ inputs.token }}"
-      run: |
-        set -exu
-        pr_title="Mergeback ${VERSION} ${HEAD_BRANCH} into ${BASE_BRANCH}"
-        pr_body=$(cat << EOF
-          This PR bumps the version number and updates the changelog after the ${VERSION} release.
-
-          Please do the following:
-
-          - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.
-          - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.
-          - [ ] Mark the PR as ready for review to trigger the full set of PR checks.
-          - [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
-                selected rather than "Squash and merge" or "Rebase and merge".
-        EOF
-        )
-
-        # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft
-        # so that a maintainer can take the PR out of draft, thereby triggering the PR checks.
-        gh pr create \
-          --head "${NEW_BRANCH}" \
-          --base "${BASE_BRANCH}" \
-          --title "${pr_title}" \
-          --label "Rebuild" \
-          --body "${pr_body}" \
-          --assignee "${GITHUB_ACTOR}" \
-          --draft
--- a/.github/actions/prepare-test/action.yml
+++ b/.github/actions/prepare-test/action.yml
@@ -1,79 +0,0 @@
-name: "Prepare test"
-description: Performs some preparation to run tests
-inputs:
-  version:
-    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'toolcache', 'nightly', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
-    required: true
-  use-all-platform-bundle:
-    description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
-    default: 'false'
-    required: false
-  setup-kotlin:
-    description: "If true, we setup kotlin"
-    default: 'true'
-    required: true
-outputs:
-  tools-url:
-    description: "The value that should be passed as the 'tools' input of the 'init' step."
-    value: ${{ steps.get-url.outputs.tools-url }}
-runs:
-  using: composite
-  steps:
-    - name: Move codeql-action
-      shell: bash
-      run: |
-        mkdir ../action
-        mv * .github ../action/
-        mv ../action/tests/multi-language-repo/{*,.github} .
-        mv ../action/.github/workflows .github
-    - id: get-url
-      name: Determine URL
-      shell: bash
-      env:
-        VERSION: ${{ inputs.version }}
-        USE_ALL_PLATFORM_BUNDLE: ${{ inputs.use-all-platform-bundle }}
-      run: |
-        set -e # Fail this Action if `gh release list` fails.
-
-        if [[ "$VERSION" == "nightly" || "$VERSION" == "nightly-latest" ]]; then
-          echo "tools-url=nightly" >> "$GITHUB_OUTPUT"
-          exit 0
-        elif [[ "$VERSION" == "linked" ]]; then
-          echo "tools-url=linked" >> "$GITHUB_OUTPUT"
-          exit 0
-        elif [[ "$VERSION" == "toolcache" ]]; then
-          echo "tools-url=toolcache" >> "$GITHUB_OUTPUT"
-          exit 0
-        elif [[ "$VERSION" == "default" ]]; then
-          echo "tools-url=" >> "$GITHUB_OUTPUT"
-          exit 0
-        fi
-
-        if [[ "$USE_ALL_PLATFORM_BUNDLE" == "true" ]]; then
-          artifact_name="codeql-bundle.tar.gz"
-        elif [[ "$RUNNER_OS" == "Linux" ]]; then
-          artifact_name="codeql-bundle-linux64.tar.gz"
-        elif [[ "$RUNNER_OS" == "macOS" ]]; then
-          artifact_name="codeql-bundle-osx64.tar.gz"
-        elif [[ "$RUNNER_OS" == "Windows" ]]; then
-          artifact_name="codeql-bundle-win64.tar.gz"
-        else
-          echo "::error::Unrecognized OS $RUNNER_OS"
-          exit 1
-        fi
-
-        if [[ "$VERSION" == *"nightly"* ]]; then
-          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
-          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ "$VERSION" == *"stable"* ]]; then
-          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
-          echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
-        else
-          echo "::error::Unrecognized version specified!"
-          exit 1
-        fi
-
-    - uses: fwilhe2/setup-kotlin@9c245a6425255f5e98ba1ce6c15d31fce7eca9da
-      if: ${{ inputs.setup-kotlin == 'true' }}
-      with:
-        version: 1.8.21
--- a/.github/actions/query-filter-test/action.yml
+++ b/.github/actions/query-filter-test/action.yml
@@ -1,62 +0,0 @@
-name: Query Filter Test
-description: Runs a test of query filters using the check SARIF action
-inputs:
-  sarif-file:
-    required: true
-    description: The SARIF file to check
-
-  queries-run:
-    required: true
-    description: |
-      Comma separated list of query ids that should be included in this SARIF file.
-
-  queries-not-run:
-    required: true
-    description: |
-      Comma separated list of query ids that should NOT be included in this SARIF file.
-
-  config-file:
-    required: true
-    description: |
-      The location of the codeql configuration file to use.
-
-  tools:
-    required: true
-    description: |
-      The version of CodeQL passed to the `tools` input of the init action.
-      This can be any of the following:
-
-      - A local path to a tarball containing the CodeQL tools, or
-      - A URL to a GitHub release assets containing the CodeQL tools, or
-      - A special value `linked` which is forcing the use of the CodeQL tools
-        that the action has been bundled with.
-
-      If not specified, the Action will check in several places until it finds
-      the CodeQL tools.
-
-runs:
-  using: composite
-  steps:
-    - uses: ./../action/init
-      with:
-        languages: javascript
-        config-file: ${{ inputs.config-file }}
-        tools: ${{ inputs.tools }}
-        db-location: ${{ runner.temp }}/query-filter-test
-      env:
-        CODEQL_ACTION_TEST_MODE: "true"
-    - uses: ./../action/analyze
-      with:
-        output: ${{ runner.temp }}/results
-        upload: never
-      env:
-        CODEQL_ACTION_TEST_MODE: "true"
-    - name: Check SARIF
-      uses: ./../action/.github/actions/check-sarif
-      with:
-        sarif-file:  ${{ inputs.sarif-file }}
-        queries-run: ${{ inputs.queries-run}}
-        queries-not-run: ${{ inputs.queries-not-run}}
-    - name: Cleanup after test
-      shell: bash
-      run: rm -rf "$RUNNER_TEMP/results" "$RUNNER_TEMP/query-filter-test"
--- a/.github/actions/release-branches/action.yml
+++ b/.github/actions/release-branches/action.yml
@@ -1,28 +0,0 @@
-name: 'Release branches'
-description: 'Determine branches for release & backport'
-inputs:
-  major_version:
-    description: 'The version as extracted from the package.json file'
-    required: true
-  latest_tag:
-    description: 'The most recent tag published to the repository'
-    required: true
-outputs:
-  backport_source_branch:
-    description: "The release branch for the given tag"
-    value: ${{ steps.branches.outputs.backport_source_branch }}
-  backport_target_branches:
-    description: "JSON encoded list of branches to target with backports"
-    value: ${{ steps.branches.outputs.backport_target_branches }}
-runs:
-  using: "composite"
-  steps:
-    - id: branches
-      env:
-        MAJOR_VERSION: ${{ inputs.major_version }}
-        LATEST_TAG: ${{ inputs.latest_tag }}
-      run: |
-        python ${{ github.action_path }}/release-branches.py \
-            --major-version "$MAJOR_VERSION" \
-            --latest-tag "$LATEST_TAG"
-      shell: bash
--- a/.github/actions/release-branches/release-branches.py
+++ b/.github/actions/release-branches/release-branches.py
@@ -1,55 +0,0 @@
-import argparse
-import json
-import os
-import configparser
-
-# Name of the remote
-ORIGIN = 'origin'
-
-script_dir = os.path.dirname(os.path.realpath(__file__))
-grandparent_dir = os.path.dirname(os.path.dirname(script_dir))
-
-config = configparser.ConfigParser()
-with open(os.path.join(grandparent_dir, 'releases.ini')) as stream:
-    config.read_string('[default]\n' + stream.read())
-
-OLDEST_SUPPORTED_MAJOR_VERSION = int(config['default']['OLDEST_SUPPORTED_MAJOR_VERSION'])
-
-def main():
-
-  parser = argparse.ArgumentParser()
-  parser.add_argument("--major-version", required=True, type=str, help="The major version of the release")
-  parser.add_argument("--latest-tag", required=True, type=str, help="The most recent tag published to the repository")
-  args = parser.parse_args()
-
-  major_version = args.major_version
-  latest_tag = args.latest_tag
-
-  print("major_version: " + major_version)
-  print("latest_tag: " + latest_tag)
-
-  # If this is a primary release, we backport to all supported branches,
-  # so we check whether the major_version taken from the package.json
-  # is greater than or equal to the latest tag pulled from the repo.
-  # For example...
-  #     'v1' >= 'v2' is False # we're operating from an older release branch and should not backport
-  #     'v2' >= 'v2' is True  # the normal case where we're updating the current version
-  #     'v3' >= 'v2' is True  # in this case we are making the first release of a new major version
-  consider_backports = ( major_version >= latest_tag.split(".")[0] )
-
-  with open(os.environ["GITHUB_OUTPUT"], "a") as f:
-
-    f.write(f"backport_source_branch=releases/{major_version}\n")
-
-    backport_target_branches = []
-
-    if consider_backports:
-      for i in range(int(major_version.strip("v"))-1, 0, -1):
-        branch_name = f"releases/v{i}"
-        if i >= OLDEST_SUPPORTED_MAJOR_VERSION:
-          backport_target_branches.append(branch_name)
-
-    f.write("backport_target_branches="+json.dumps(backport_target_branches)+"\n")
-
-if __name__ == "__main__":
-  main()
--- a/.github/actions/release-initialise/action.yml
+++ b/.github/actions/release-initialise/action.yml
@@ -1,33 +0,0 @@
-name: 'Prepare release job'
-description: 'Prepare for updating a release branch'
-
-runs:
-  using: "composite"
-  steps:
-
-    - name: Dump environment
-      run: env
-      shell: bash
-
-    - name: Dump GitHub context
-      env:
-        GITHUB_CONTEXT: '${{ toJson(github) }}'
-      run: echo "$GITHUB_CONTEXT"
-      shell: bash
-
-    - name: Set up Python
-      uses: actions/setup-python@v5
-      with:
-        python-version: 3.12
-
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install PyGithub==2.3.0 requests
-      shell: bash
-
-    - name: Update git config
-      run: |
-        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-        git config --global user.name "github-actions[bot]"
-      shell: bash
--- a/.github/actions/update-bundle/action.yml
+++ b/.github/actions/update-bundle/action.yml
@@ -1,14 +0,0 @@
-name: Update default CodeQL bundle
-description: Updates 'src/defaults.json' to point to a new CodeQL bundle release.
-
-runs:
-  using: composite
-  steps:
-    - name: Install ts-node
-      shell: bash
-      run: npm install -g ts-node
-
-    - name: Run update script
-      working-directory: ${{ github.action_path }}
-      shell: bash
-      run: ts-node ./index.ts
--- a/.github/actions/update-bundle/index.ts
+++ b/.github/actions/update-bundle/index.ts
@@ -1,67 +0,0 @@
-import * as fs from 'fs';
-import * as github from '@actions/github';
-
-interface BundleInfo {
-  bundleVersion: string;
-  cliVersion: string;
-}
-
-interface Defaults {
-  bundleVersion: string;
-  cliVersion: string;
-  priorBundleVersion: string;
-  priorCliVersion: string;
-}
-
-function getCodeQLCliVersionForRelease(release): string {
-  // We do not currently tag CodeQL bundles based on the CLI version they contain.
-  // Instead, we use a marker file `cli-version-<version>.txt` to record the CLI version.
-  // This marker file is uploaded as a release asset for all new CodeQL bundles.
-  const cliVersionsFromMarkerFiles = release.assets
-    .map((asset) => asset.name.match(/cli-version-(.*)\.txt/)?.[1])
-    .filter((v) => v)
-    .map((v) => v as string);
-  if (cliVersionsFromMarkerFiles.length > 1) {
-    throw new Error(
-      `Release ${release.tag_name} has multiple CLI version marker files.`
-    );
-  } else if (cliVersionsFromMarkerFiles.length === 0) {
-    throw new Error(
-      `Failed to find the CodeQL CLI version for release ${release.tag_name}.`
-    );
-  }
-  return cliVersionsFromMarkerFiles[0];
-}
-
-async function getBundleInfoFromRelease(release): Promise<BundleInfo> {
-  return {
-    bundleVersion: release.tag_name,
-    cliVersion: getCodeQLCliVersionForRelease(release)
-  };
-}
-
-async function getNewDefaults(currentDefaults: Defaults): Promise<Defaults> {
-  const release = github.context.payload.release;
-  console.log('Updating default bundle as a result of the following release: ' +
-    `${JSON.stringify(release)}.`)
-
-  const bundleInfo = await getBundleInfoFromRelease(release);
-  return {
-    bundleVersion: bundleInfo.bundleVersion,
-    cliVersion: bundleInfo.cliVersion,
-    priorBundleVersion: currentDefaults.bundleVersion,
-    priorCliVersion: currentDefaults.cliVersion
-  };
-}
-
-async function main() {
-  const previousDefaults: Defaults = JSON.parse(fs.readFileSync('../../../src/defaults.json', 'utf8'));
-  const newDefaults = await getNewDefaults(previousDefaults);
-  // Update the source file in the repository. Calling workflows should subsequently rebuild
-  // the Action to update `lib/defaults.json`.
-  fs.writeFileSync('../../../src/defaults.json', JSON.stringify(newDefaults, null, 2) + "\n");
-}
-
-// Ideally, we'd await main() here, but that doesn't work well with `ts-node`.
-// So instead we rely on the fact that Node won't exit until the event loop is empty.
-main();
--- a/.github/check-codescanning-config/action.yml
+++ b/.github/check-codescanning-config/action.yml
@@ -0,0 +1,62 @@
+name: Check Code-Scanning Config
+description: |
+    Checks the code scanning configuration file generated by the
+    action to ensure it contains the expected contents
+inputs:
+  languages:
+    required: false
+    description: The languages field passed to the init action.
+
+  packs:
+    required: false
+    description: The packs field passed to the init action.
+
+  queries:
+    required: false
+    description: The queries field passed to the init action.
+
+  config-file-test:
+    required: false
+    description: |
+      The location of the config file to use. If empty,
+      then no config file is used.
+
+  expected-config-file-contents:
+    required: true
+    description: |
+      A JSON string containing the exact contents of the config file.
+
+  tools:
+    required: true
+    description: |
+      The url of codeql to use.
+
+runs:
+  using: composite
+  steps:
+    - uses: ./../action/init
+      with:
+        languages: ${{ inputs.languages }}
+        config-file: ${{ inputs.config-file-test }}
+        queries: ${{ inputs.queries }}
+        packs: ${{ inputs.packs }}
+        tools: ${{ inputs.tools }}
+        db-location: ${{ runner.temp }}/codescanning-config-cli-test
+      env:
+        CODEQL_ACTION_TEST_MODE: 'true'
+
+    - name: Install dependencies
+      shell: bash
+      run: npm install --location=global ts-node js-yaml
+
+    - name: Check config
+      working-directory: ${{ github.action_path }}
+      shell: bash
+      run: ts-node ./index.ts "${{ runner.temp }}/user-config.yaml" '${{ inputs.expected-config-file-contents }}'
+
+    - name: Clean up
+      shell: bash
+      if: always()
+      run: |
+        rm -rf ${{ runner.temp }}/codescanning-config-cli-test
+        rm -rf ${{ runner.temp }}/user-config.yaml
--- a/.github/check-codescanning-config/index.ts
+++ b/.github/check-codescanning-config/index.ts
@@ -0,0 +1,39 @@
+
+import * as core from '@actions/core'
+import * as yaml from 'js-yaml'
+import * as fs from 'fs'
+import * as assert from 'assert'
+
+const actualConfig = loadActualConfig()
+
+const rawExpectedConfig = process.argv[3].trim()
+if (!rawExpectedConfig) {
+  core.info('No expected configuration provided')
+} else {
+  core.startGroup('Expected generated user config')
+  core.info(yaml.dump(JSON.parse(rawExpectedConfig)))
+  core.endGroup()
+}
+
+const expectedConfig = rawExpectedConfig ? JSON.parse(rawExpectedConfig) : undefined;
+
+assert.deepStrictEqual(
+  actualConfig,
+  expectedConfig,
+  'Expected configuration does not match actual configuration'
+);
+
+
+function loadActualConfig() {
+  if (!fs.existsSync(process.argv[2])) {
+    core.info('No configuration file found')
+    return undefined
+  } else {
+    const rawActualConfig = fs.readFileSync(process.argv[2], 'utf8')
+    core.startGroup('Actual generated user config')
+    core.info(rawActualConfig)
+    core.endGroup()
+
+    return yaml.load(rawActualConfig)
+  }
+}
--- a/.github/check-sarif/action.yml
+++ b/.github/check-sarif/action.yml
@@ -0,0 +1,20 @@
+name: Check SARIF
+description: Checks a SARIF file to see if certain queries were run and others were not run.
+inputs:
+  sarif-file:
+    required: true
+    description: The SARIF file to check
+
+  queries-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should be included in this SARIF file.
+
+  queries-not-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should NOT be included in this SARIF file.
+
+runs:
+  using: node12
+  main: index.js
--- a/.github/actions/check-sarif/index.js
+++ b/.github/actions/check-sarif/index.js
--- a/.github/codeql/codeql-config-javascript.yml
+++ b/.github/codeql/codeql-config-javascript.yml
@@ -1,15 +0,0 @@
-name: "CodeQL config"
-queries: 
-  - name: Run custom queries
-    uses: ./queries
-  # Run all extra query suites, both because we want to
-  # and because it'll act as extra testing. This is why
-  # we include both even though one is a superset of the
-  # other, because we're testing the parsing logic and
-  # that the suites exist in the codeql bundle.
-  - uses: security-and-quality
-  - uses: security-experimental
-  - uses: security-extended
-paths-ignore:
-  - lib
-  - tests
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,14 @@
+name: "CodeQL config"
+queries: 
+  - name: Run custom queries
+    uses: ./queries
+  # Run all extra query suites, both because we want to
+  # and because it'll act as extra testing. This is why
+  # we include both even though one is a superset of the
+  # other, because we're testing the parsing logic and
+  # that the suites exist in the codeql bundle.
+  - uses: security-extended
+  - uses: security-and-quality
+paths-ignore:
+  - tests
+  - lib
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -1,21 +0,0 @@
-# CodeQL Action - Copilot Instructions
-
-## Generated code
-
-The CodeQL Action is written in TypeScript and compiled to JavaScript. Both the TypeScript sources and the **generated** JavaScript code are contained in this repository. The TypeScript sources are contained in the `src` directory and the JavaScript code is contained in the `lib` directory. A GitHub Actions workflow checks that the JavaScript code in `lib` is up-to-date. Therefore, you should not review any changes to the contents of the `lib` folder and it is expected that the JavaScript code in `lib` closely mirrors the TypeScript code it is generated from.
-
-GitHub Actions workflows in the `.github/workflows` directory whose filenames start with two underscores (e.g. `__all-platform-bundle.yml`) are automatically generated using the `pr-checks/sync.sh` script from template files in the `pr-checks/checks` directory. Therefore, you do not need to review files in the `.github/workflows` directory that start with two underscores. However, you should review changes to the `pr-checks` directory as well as workflows in the `.github/workflows` directory that do not start with underscores.
-
-## Release process
-
- A release-PR is a PR which matches all of the following patterns:
-  - PR title starts with the exact prefix: `Merge main into releases/v`
-    - Equivalent regex: `^Merge main into releases\/v`
-  - AND head (source) branch matches the update-branch pattern:
-    - Regex: `^update-v[0-9]+(?:\.[0-9]+)*(?:-[a-f0-9]+)?` (e.g. `update-v3.29.9-cc722e476`)
-  - AND base (target) branch matches a release branch:
-    - Regex: `^releases\/v` (e.g. `releases/v3`)
-
- Consider all files in release-PRs to have already been reviewed and do not review them, except for the following two files:
-    - `CHANGELOG.md`
-    - `package.json`
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,35 +5,13 @@ updates:
    schedule:
      interval: weekly
    labels:
-      - Rebuild
-    # Ignore incompatible dependency updates
+      - Update dependencies
    ignore:
-      # There is a type incompatibility issue between v0.0.9 and our other dependencies.
-      - dependency-name: "@octokit/plugin-retry"
-        versions: ["~6.0.0"]
-      # This is broken due to the way configuration files have changed. 
-      # This might be fixed when we move to eslint v9.
-      - dependency-name: "eslint-plugin-import"
-        versions: [">=2.30.0"]
-    groups:
-      npm-minor:
-        patterns:
-          - "*"
+      - dependency-name: "*"
        update-types:
-          - "minor"
-          - "patch"
+          - version-update:semver-minor
+          - version-update:semver-patch
  - package-ecosystem: github-actions
-    directories:
-      - "/.github/workflows"
-      - "/.github/actions"
+    directory: "/"
    schedule:
      interval: weekly
-    labels:
-      - Rebuild
-    groups:
-      actions-minor:
-        patterns:
-          - "*"
-        update-types:
-          - "minor"
-          - "patch"
--- a/.github/prepare-test/action.yml
+++ b/.github/prepare-test/action.yml
@@ -0,0 +1,38 @@
+name: "Prepare test"
+description: Performs some preparation to run tests
+inputs:
+  version:
+    required: true
+outputs:
+  tools-url:
+    value: ${{ steps.get-url.outputs.tools-url }}
+runs:
+  using: composite
+  steps:
+    - name: Move codeql-action
+      shell: bash
+      run: |
+        mkdir ../action
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
+        mv ../action/.github/workflows .github
+    - id: get-url
+      name: Determine URL
+      shell: bash
+      run: |
+        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
+          export LATEST=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
+          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$LATEST/codeql-bundle.tar.gz" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
+          export VERSION=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
+          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$VERSION-manual/codeql-bundle.tar.gz" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
+          export VERSION=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
+          echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$VERSION/codeql-bundle.tar.gz" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == "latest" ]]; then
+          echo "tools-url=latest" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == "cached" ]]; then
+          echo "tools-url=" >> $GITHUB_OUTPUT
+        else
+          echo "::error Unrecognized version specified!"
+        fi
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,61 +1,5 @@
-<!--
-    For GitHub staff: Remember that this is a public repository. Do not link to internal resources.
-                      If necessary, link to this PR from an internal issue and include further details there.
-
-    Everyone: Include a summary of the context of this change, what it aims to accomplish, and why you
-              chose the approach you did if applicable. Indicate any open questions you want to answer
-              during the review process and anything you want reviewers to pay particular attention to.
-
-    See https://github.com/github/codeql-action/blob/main/CONTRIBUTING.md for additional information.
-->
-
-### Risk assessment
-
-For internal use only. Please select the risk level of this change:
-
- **Low risk:** Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.
- **High risk:** Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.
-
-#### Which use cases does this change impact?
-
-<!-- Delete options that don't apply. -->
-
- **Advanced setup** - Impacts users who have custom workflows.
- **Default setup** - Impacts users who use default setup.
- **Code Scanning** - Impacts Code Scanning (i.e. `analysis-kinds: code-scanning`).
- **Code Quality** - Impacts Code Quality (i.e. `analysis-kinds: code-quality`).
- **Third-party analyses** - Impacts third-party analyses (i.e. `upload-sarif`).
- **GHES** - Impacts GitHub Enterprise Server.
-
-#### How did/will you validate this change?
-
-<!-- Delete options that don't apply. -->
-
- **Test repository** - This change will be tested on a test repository before merging.
- **Unit tests** - I am depending on unit test coverage (i.e. tests in `.test.ts` files).
- **End-to-end tests** - I am depending on PR checks (i.e. tests in `pr-checks`).
- **Other** - Please provide details.
- **None** - I am not validating these changes.
-
-#### If something goes wrong after this change is released, what are the mitigation and rollback strategies?
-
-<!-- Delete strategies that don't apply. -->
-
- **Feature flags** - All new or changed code paths can be fully disabled with corresponding feature flags.
- **Rollback** - Change can only be disabled by rolling back the release or releasing a new version with a fix.
- **Other** - Please provide details.
-
-#### How will you know if something goes wrong after this change is released?
-
-<!-- Delete options that don't apply. -->
-
- **Telemetry** - I rely on existing telemetry or have made changes to the telemetry.
-    - **Dashboards** - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
-    - **Alerts** - New or existing monitors will trip if something goes wrong with this change.
- **Other** - Please provide details.
-
 ### Merge / deployment checklist

- Confirm this change is backwards compatible with existing workflows.
- Consider adding a [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) entry for this change.
- Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) and docs have been updated if necessary.
+- [ ] Confirm this change is backwards compatible with existing workflows.
+- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) has been updated if necessary.
+- [ ] Confirm the [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) has been updated if necessary.
--- a/.github/query-filter-test/action.yml
+++ b/.github/query-filter-test/action.yml
@@ -0,0 +1,54 @@
+name: Query Filter Test
+description: Runs a test of query filters using the check SARIF action
+inputs:
+  sarif-file:
+    required: true
+    description: The SARIF file to check
+
+  queries-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should be included in this SARIF file.
+
+  queries-not-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should NOT be included in this SARIF file.
+
+  config-file:
+    required: true
+    description: |
+      The location of the codeql configuration file to use.
+
+  tools:
+    required: true
+    description: |
+      The url of codeql to use.
+
+runs:
+  using: composite
+  steps:
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        config-file: ${{ inputs.config-file }}
+        tools: ${{ inputs.tools }}
+        db-location: ${{ runner.temp }}/query-filter-test
+      env:
+        CODEQL_ACTION_TEST_MODE: "true"
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: false
+      env:
+        CODEQL_ACTION_TEST_MODE: "true"
+    - name: Check SARIF
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file:  ${{ inputs.sarif-file }}
+        queries-run: ${{ inputs.queries-run}}
+        queries-not-run: ${{ inputs.queries-not-run}}
+    - name: Cleanup after test
+      shell: bash
+      run: rm -rf "$RUNNER_TEMP/results" "$RUNNER_TEMP/query-filter-test"
--- a/.github/releases.ini
+++ b/.github/releases.ini
@@ -1 +0,0 @@
-OLDEST_SUPPORTED_MAJOR_VERSION=3
--- a/.github/setup-swift/action.yml
+++ b/.github/setup-swift/action.yml
@@ -0,0 +1,32 @@
+name: "Set up Swift"
+description: Performs necessary steps to set up appropriate Swift version.
+inputs:
+  codeql-path:
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Get Swift version
+      id: get_swift_version
+      # We don't support Swift on Windows or prior versions of CLI.
+      if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
+      shell: bash
+      env: 
+        CODEQL_PATH: ${{inputs.codeql-path}}
+      run: |
+        if [ $RUNNER_OS = "macOS" ]; then
+          PLATFORM="osx64"
+        else # We do not run this step on Windows.
+          PLATFORM="linux64"
+        fi 
+        SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
+        VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/$PLATFORM/extractor" --version | awk '/version/ { print $3 }')"
+        # Specify 5.7.0, otherwise setup Action will default to latest minor version. 
+        if [ $VERSION = "5.7" ]; then
+          VERSION="5.7.0"
+        fi
+        echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
+    - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
+      if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
+      with:
+        swift-version: "${{steps.get_swift_version.outputs.version}}"
--- a/.github/sizeup.yml
+++ b/.github/sizeup.yml
@@ -1,55 +0,0 @@
-labeling:
-  applyCategoryLabels: true
-  categoryLabelPrefix: "size/"
-
-commenting:
-  addCommentWhenScoreThresholdHasBeenExceeded: false
-
-sizeup:
-  categories:
-    - name: extra small
-      lte: 25
-      label:
-        name: XS
-        description: Should be very easy to review
-        color: 3cbf00
-    - name: small
-      lte: 100
-      label:
-        name: S
-        description: Should be easy to review
-        color: 5d9801
-    - name: medium
-      lte: 250
-      label:
-        name: M
-        description: Should be of average difficulty to review
-        color: 7f7203
-    - name: large
-      lte: 500
-      label:
-        name: L
-        description: May be hard to review
-        color: a14c05
-    - name: extra large
-      lte: 1000
-      label:
-        name: XL
-        description: May be very hard to review
-        color: c32607
-    - name: extra extra large
-      label:
-        name: XXL
-        description: May be extremely hard to review
-        color: e50009
-  ignoredFilePatterns:
-    - ".github/workflows/__*"
-    - "lib/**/*"
-    - "package-lock.json"
-  testFilePatterns:
-    - "**/*.test.ts"
-  scoring:
-    # This formula and the aliases below it are written in prefix notation.
-    # For an explanation of how this works, please see:
-    # https://github.com/lerebear/sizeup-core/blob/main/README.md#prefix-notation
-    formula: "- - + additions deletions comments whitespace"
--- a/.github/update-release-branch.py
+++ b/.github/update-release-branch.py
@@ -1,7 +1,5 @@
 import argparse
 import datetime
-import fileinput
-import re
 from github import Github
 import json
 import os
@@ -15,9 +13,14 @@ No user facing changes.

 """

-# NB: This exact commit message is used to find commits for reverting during backports.
-# Changing it requires a transition period where both old and new versions are supported.
-BACKPORT_COMMIT_MESSAGE = 'Update version and changelog for v'
+# Value of the mode flag for a v1 release
+V1_MODE = 'v1-release'
+
+# Value of the mode flag for a v2 release
+V2_MODE = 'v2-release'
+
+SOURCE_BRANCH_FOR_MODE = { V1_MODE: 'releases/v2', V2_MODE: 'main' }
+TARGET_BRANCH_FOR_MODE = { V1_MODE: 'releases/v1', V2_MODE: 'releases/v2' }

 # Name of the remote
 ORIGIN = 'origin'
@@ -29,7 +32,7 @@ def run_git(*args, allow_non_zero_exit_code=False):
  cmd = ['git', *args]
  p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
  if not allow_non_zero_exit_code and p.returncode != 0:
-    raise Exception(f'Call to {" ".join(cmd)} exited with code {p.returncode} stderr: {p.stderr.decode("ascii")}.')
+    raise Exception('Call to ' + ' '.join(cmd) + ' exited with code ' + str(p.returncode) + ' stderr:' + p.stderr.decode('ascii'))
  return p.stdout.decode('ascii')

 # Returns true if the given branch exists on the origin remote
@@ -39,21 +42,21 @@ def branch_exists_on_remote(branch_name):
 # Opens a PR from the given branch to the target branch
 def open_pr(
  repo, all_commits, source_branch_short_sha, new_branch_name, source_branch, target_branch,
-  conductor, is_primary_release, conflicted_files):
+  conductor, is_v2_release, labels, conflicted_files):
  # Sort the commits into the pull requests that introduced them,
  # and any commits that don't have a pull request
  pull_requests = []
  commits_without_pull_requests = []
  for commit in all_commits:
-    pr = get_pr_for_commit(commit)
+    pr = get_pr_for_commit(repo, commit)

    if pr is None:
      commits_without_pull_requests.append(commit)
    elif not any(p for p in pull_requests if p.number == pr.number):
      pull_requests.append(pr)

-  print(f'Found {len(pull_requests)} pull requests.')
-  print(f'Found {len(commits_without_pull_requests)} commits not in a pull request.')
+  print('Found ' + str(len(pull_requests)) + ' pull requests')
+  print('Found ' + str(len(commits_without_pull_requests)) + ' commits not in a pull request')

  # Sort PRs and commits by age
  pull_requests = sorted(pull_requests, key=lambda pr: pr.number)
@@ -61,7 +64,7 @@ def open_pr(

  # Start constructing the body text
  body = []
-  body.append(f'Merging {source_branch_short_sha} into `{target_branch}`.')
+  body.append('Merging ' + source_branch_short_sha + ' into ' + target_branch)

  body.append('')
  body.append(f'Conductor for this PR is @{conductor}.')
@@ -93,33 +96,32 @@ def open_pr(
      'branch to resolve the merge conflicts.')
  body.append(' - [ ] Ensure the CHANGELOG displays the correct version and date.')
  body.append(' - [ ] Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.')
-  body.append(f' - [ ] Check that there are not any unexpected commits being merged into the `{target_branch}` branch.')
+  body.append(' - [ ] Check that there are not any unexpected commits being merged into the ' + target_branch + ' branch.')
  body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.')

-  if not is_primary_release:
-    body.append(' - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.')
-    body.append(' - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.')
+  if not is_v2_release:
+    body.append(' - [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.')
+    body.append(' - [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.')
+    body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')

-  body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
  body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')

-  if is_primary_release:
+  if is_v2_release:
    body.append(' - [ ] Merge the mergeback PR that will automatically be created once this PR is merged.')
-    body.append(' - [ ] Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.')
+    body.append(' - [ ] Merge the v1 release PR that will automatically be created once this PR is merged.')

-  title = f'Merge {source_branch} into {target_branch}'
-  labels = ['Rebuild'] if not is_primary_release else []
+  title = 'Merge ' + source_branch + ' into ' + target_branch

  # Create the pull request
  # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
  # a maintainer can take the PR out of draft, thereby triggering the PR checks.
  pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=target_branch, draft=True)
  pr.add_to_labels(*labels)
-  print(f'Created PR #{str(pr.number)}')
+  print('Created PR #' + str(pr.number))

  # Assign the conductor
  pr.add_to_assignees(conductor)
-  print(f'Assigned PR to {conductor}')
+  print('Assigned PR to ' + conductor)

 # Gets a list of the SHAs of all commits that have happened on the source branch
 # since the last release to the target branch.
@@ -128,7 +130,7 @@ def open_pr(
 def get_commit_difference(repo, source_branch, target_branch):
  # Passing split nothing means that the empty string splits to nothing: compare `''.split() == []`
  # to `''.split('\n') == ['']`.
-  commits = run_git('log', '--pretty=format:%H', f'{ORIGIN}/{target_branch}..{ORIGIN}/{source_branch}').strip().split()
+  commits = run_git('log', '--pretty=format:%H', ORIGIN + '/' + target_branch + '..' + ORIGIN + '/' + source_branch).strip().split()

  # Convert to full-fledged commit objects
  commits = [repo.get_commit(c) for c in commits]
@@ -144,13 +146,13 @@ def is_pr_merge_commit(commit):
 def get_truncated_commit_message(commit):
  message = commit.commit.message.split('\n')[0]
  if len(message) > 60:
-    return f'{message[:57]}...'
+    return message[:57] + '...'
  else:
    return message

 # Converts a commit into the PR that introduced it to the source branch.
 # Returns the PR object, or None if no PR could be found.
-def get_pr_for_commit(commit):
+def get_pr_for_commit(repo, commit):
  prs = commit.get_pulls()

  if prs.totalCount > 0:
@@ -172,78 +174,10 @@ def get_current_version():
  with open('package.json', 'r') as f:
    return json.load(f)['version']

-# `npm version` doesn't always work because of merge conflicts, so we
-# replace the version in package.json textually.
-def replace_version_package_json(prev_version, new_version):
-  prev_line_is_codeql = False
-  for line in fileinput.input('package.json', inplace = True, encoding='utf-8'):
-    if prev_line_is_codeql and f'\"version\": \"{prev_version}\"' in line:
-      print(line.replace(prev_version, new_version), end='')
-    else:
-      prev_line_is_codeql = False
-      print(line, end='') 
-    if '\"name\": \"codeql\",' in line:
-        prev_line_is_codeql = True 
-
 def get_today_string():
  today = datetime.datetime.today()
  return '{:%d %b %Y}'.format(today)

-def process_changelog_for_backports(source_branch_major_version, target_branch_major_version):
-
-  # changelog entries can use the following format to indicate
-  # that they only apply to newer versions
-  some_versions_only_regex = re.compile(r'\[v(\d+)\+ only\]')
-
-  output = ''
-
-  with open('CHANGELOG.md', 'r') as f:
-
-    # until we find the first section, just duplicate all lines
-    found_first_section = False
-    while not found_first_section:
-      line = f.readline()
-      if not line:
-        raise Exception('Could not find any change sections in CHANGELOG.md') # EOF
-
-      if line.startswith('## '):
-        line = line.replace(f'## {source_branch_major_version}', f'## {target_branch_major_version}')
-        found_first_section = True
-
-      output += line
-
-    # found_content tracks whether we hit two headings in a row
-    found_content = False
-    output += '\n'
-    while True:
-      line = f.readline()
-      if not line:
-        break # EOF
-      line = line.rstrip('\n')
-
-      # filter out changenote entries that apply only to newer versions
-      match = some_versions_only_regex.search(line)
-      if match:
-        if int(target_branch_major_version) < int(match.group(1)):
-          continue
-
-      if line.startswith('## '):
-        line = line.replace(f'## {source_branch_major_version}', f'## {target_branch_major_version}')
-        if found_content == False:
-          # we have found two headings in a row, so we need to add the placeholder message.
-          output += 'No user facing changes.\n'
-        found_content = False
-        output += f'\n{line}\n\n'
-      else:
-        if line.strip() != '':
-          found_content = True
-          # we use the original line here, rather than the stripped version
-          # so that we preserve indentation
-          output += line + '\n'
-
-    with open('CHANGELOG.md', 'w') as f:
-      f.write(output)
-
 def update_changelog(version):
  if (os.path.exists('CHANGELOG.md')):
    content = ''
@@ -252,7 +186,7 @@ def update_changelog(version):
  else:
    content = EMPTY_CHANGELOG

-  newContent = content.replace('[UNRELEASED]', f'{version} - {get_today_string()}', 1)
+  newContent = content.replace('[UNRELEASED]', version + ' - ' + get_today_string(), 1)

  with open('CHANGELOG.md', 'w') as f:
    f.write(newContent)
@@ -274,22 +208,14 @@ def main():
    help='The nwo of the repository, for example github/codeql-action.'
  )
  parser.add_argument(
-    '--source-branch',
+    '--mode',
    type=str,
    required=True,
-    help='Source branch for release branch update.'
-  )
-  parser.add_argument(
-    '--target-branch',
-    type=str,
-    required=True,
-    help='Target branch for release branch update.'
-  )
-  parser.add_argument(
-    '--is-primary-release',
-    action='store_true',
-    default=False,
-    help='Whether this update is the primary release for the current major version.'
+    choices=[V2_MODE, V1_MODE],
+    help=f"Which release to perform. '{V2_MODE}' uses {SOURCE_BRANCH_FOR_MODE[V2_MODE]} as the source " +
+      f"branch and {TARGET_BRANCH_FOR_MODE[V2_MODE]} as the target branch. " +
+      f"'{V1_MODE}' uses {SOURCE_BRANCH_FOR_MODE[V1_MODE]} as the source branch and " +
+      f"{TARGET_BRANCH_FOR_MODE[V1_MODE]} as the target branch."
  )
  parser.add_argument(
    '--conductor',
@@ -300,81 +226,71 @@ def main():

  args = parser.parse_args()

-  source_branch = args.source_branch
-  target_branch = args.target_branch
-  is_primary_release = args.is_primary_release
+  source_branch = SOURCE_BRANCH_FOR_MODE[args.mode]
+  target_branch = TARGET_BRANCH_FOR_MODE[args.mode]

  repo = Github(args.github_token).get_repo(args.repository_nwo)
+  version = get_current_version()

-  # the target branch will be of the form releases/vN, where N is the major version number
-  target_branch_major_version = target_branch.strip('releases/v')
-
-  # split version into major, minor, patch
-  _, v_minor, v_patch = get_current_version().split('.')
-
-  version = f"{target_branch_major_version}.{v_minor}.{v_patch}"
+  if args.mode == V1_MODE:
+    # Change the version number to a v1 equivalent
+    version = get_current_version()
+    version = f'1{version[1:]}'

  # Print what we intend to go
-  print(f'Considering difference between {source_branch} and {target_branch}...')
-  source_branch_short_sha = run_git('rev-parse', '--short', f'{ORIGIN}/{source_branch}').strip()
-  print(f'Current head of {source_branch} is {source_branch_short_sha}.')
+  print('Considering difference between ' + source_branch + ' and ' + target_branch)
+  source_branch_short_sha = run_git('rev-parse', '--short', ORIGIN + '/' + source_branch).strip()
+  print('Current head of ' + source_branch + ' is ' + source_branch_short_sha)

  # See if there are any commits to merge in
  commits = get_commit_difference(repo=repo, source_branch=source_branch, target_branch=target_branch)
  if len(commits) == 0:
-    print(f'No commits to merge from {source_branch} to {target_branch}.')
+    print('No commits to merge from ' + source_branch + ' to ' + target_branch)
    return

-  # define distinct prefix in order to support specific pr checks on backports
-  branch_prefix = 'update' if is_primary_release else 'backport'
-
  # The branch name is based off of the name of branch being merged into
  # and the SHA of the branch being merged from. Thus if the branch already
  # exists we can assume we don't need to recreate it.
-  new_branch_name = f'{branch_prefix}-v{version}-{source_branch_short_sha}'
-  print(f'Branch name is {new_branch_name}.')
+  new_branch_name = 'update-v' + version + '-' + source_branch_short_sha
+  print('Branch name is ' + new_branch_name)

  # Check if the branch already exists. If so we can abort as this script
  # has already run on this combination of branches.
  if branch_exists_on_remote(new_branch_name):
-    print(f'Branch {new_branch_name} already exists. Nothing to do.')
+    print('Branch ' + new_branch_name + ' already exists. Nothing to do.')
    return

  # Create the new branch and push it to the remote
-  print(f'Creating branch {new_branch_name}.')
+  print('Creating branch ' + new_branch_name)

-  # The process of creating the v{Older} release can run into merge conflicts. We commit the unresolved
+  # The process of creating the v1 release can run into merge conflicts. We commit the unresolved
  # conflicts so a maintainer can easily resolve them (vs erroring and requiring maintainers to
  # reconstruct the release manually)
  conflicted_files = []

-  if not is_primary_release:
-
-    # the source branch will be of the form releases/vN, where N is the major version number
-    source_branch_major_version = source_branch.strip('releases/v')
-
+  if args.mode == V1_MODE:
    # If we're performing a backport, start from the target branch
    print(f'Creating {new_branch_name} from the {ORIGIN}/{target_branch} branch')
    run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{target_branch}')

    # Revert the commit that we made as part of the last release that updated the version number and
-    # changelog to refer to {older}.x.x variants. This avoids merge conflicts in the changelog and
-    # package.json files when we merge in the v{latest} branch.
-    # This commit will not exist the first time we release the v{N-1} branch from the v{N} branch, so we
+    # changelog to refer to 1.x.x variants. This avoids merge conflicts in the changelog and
+    # package.json files when we merge in the v2 branch.
+    # This commit will not exist the first time we release the v1 branch from the v2 branch, so we
    # use `git log --grep` to conditionally revert the commit.
-    print('Reverting the version number and changelog updates from the last release to avoid conflicts')
-    vOlder_update_commits = run_git('log', '--grep', f'^{BACKPORT_COMMIT_MESSAGE}', '--format=%H').split()
+    print('Reverting the 1.x.x version number and changelog updates from the last release to avoid conflicts')
+    v1_update_commits = run_git('log', '--grep', '^Update version and changelog for v', '--format=%H').split()

-    if len(vOlder_update_commits) > 0:
-      print(f'  Reverting {vOlder_update_commits[0]}')
+    if len(v1_update_commits) > 0:
+      print(f'  Reverting {v1_update_commits[0]}')
      # Only revert the newest commit as older ones will already have been reverted in previous
      # releases.
-      run_git('revert', vOlder_update_commits[0], '--no-edit')
+      run_git('revert', v1_update_commits[0], '--no-edit')

-      # Also revert the "Rebuild" commit created by Actions.
-      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
-      print(f'  Reverting {rebuild_commit}')
-      run_git('revert', rebuild_commit, '--no-edit')
+      # Also revert the "Update checked-in dependencies" commit created by Actions.
+      update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0]
+      print(f'  Reverting {update_dependencies_commit}')
+      run_git('revert', update_dependencies_commit, '--no-edit')

    else:
      print('  Nothing to revert.')
@@ -387,18 +303,21 @@ def main():
      run_git('add', '.')
      run_git('commit', '--no-edit')

-    # Migrate the package version number from a vLatest version number to a vOlder version number
-    print(f'Setting version number to {version} in package.json')
-    replace_version_package_json(get_current_version(), version) # We rely on the `Rebuild` workflow to update package-lock.json
-    run_git('add', 'package.json')
+    # Migrate the package version number from a v2 version number to a v1 version number
+    print(f'Setting version number to {version}')
+    subprocess.check_output(['npm', 'version', version, '--no-git-tag-version'])
+    run_git('add', 'package.json', 'package-lock.json')

-    # Migrate the changelog notes from vLatest version numbers to vOlder version numbers
-    print(f'Migrating changelog notes from v{source_branch_major_version} to v{target_branch_major_version}')
-    process_changelog_for_backports(source_branch_major_version, target_branch_major_version)
+    # Migrate the changelog notes from v2 version numbers to v1 version numbers
+    print('Migrating changelog notes from v2 to v1')
+    subprocess.check_output(['sed', '-i', 's/^## 2\./## 1./g', 'CHANGELOG.md'])
+
+    # Remove changelog notes from v2 that don't apply to v1
+    subprocess.check_output(['sed', '-i', '/^- \[v2+ only\]/d', 'CHANGELOG.md'])

    # Amend the commit generated by `npm version` to update the CHANGELOG
    run_git('add', 'CHANGELOG.md')
-    run_git('commit', '-m', f'{BACKPORT_COMMIT_MESSAGE}{version}')
+    run_git('commit', '-m', f'Update version and changelog for v{version}')
  else:
    # If we're performing a standard release, there won't be any new commits on the target branch,
    # as these will have already been merged back into the source branch. Therefore we can just
@@ -423,7 +342,8 @@ def main():
    source_branch=source_branch,
    target_branch=target_branch,
    conductor=args.conductor,
-    is_primary_release=is_primary_release,
+    is_v2_release=args.mode == V2_MODE,
+    labels=['Update dependencies'] if args.mode == V1_MODE else [],
    conflicted_files=conflicted_files
  )

--- a/.github/workflows/__all-platform-bundle.yml
+++ b/.github/workflows/__all-platform-bundle.yml
@@ -1,87 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - All-platform bundle
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  all-platform-bundle:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: All-platform bundle
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'true'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - id: init
-        uses: ./../action/init
-        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -1,101 +1,95 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  analyze-ref-input:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: default
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: macos-latest
+          version: stable-20211005
+        - os: windows-2019
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: windows-2019
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: stable-20220401
+        - os: macos-latest
+          version: stable-20220401
+        - os: windows-latest
+          version: stable-20220401
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
    name: "Analyze: 'ref' and 'sha' from inputs"
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        languages: cpp,csharp,java,javascript,python
+        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+          github.sha }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        ref: refs/heads/main
+        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__autobuild-action.yml
+++ b/.github/workflows/__autobuild-action.yml
@@ -1,84 +1,69 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - autobuild-action
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  autobuild-action:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
    name: autobuild-action
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: csharp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        env:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: csharp
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/autobuild
+      env:
      # Explicitly disable the CLR tracer.
-          COR_ENABLE_PROFILING: ''
-          COR_PROFILER: ''
-          COR_PROFILER_PATH_64: ''
-          CORECLR_ENABLE_PROFILING: ''
-          CORECLR_PROFILER: ''
-          CORECLR_PROFILER_PATH_64: ''
-      - uses: ./../action/analyze
-      - name: Check database
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d csharp ]]; then
-            echo "Did not find a C# database"
-            exit 1
-          fi
+        COR_ENABLE_PROFILING: ''
+        COR_PROFILER: ''
+        COR_PROFILER_PATH_64: ''
+        CORECLR_ENABLE_PROFILING: ''
+        CORECLR_PROFILER: ''
+        CORECLR_PROFILER_PATH_64: ''
+    - uses: ./../action/analyze
+    - name: Check database
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d csharp ]]; then
+          echo "Did not find a C# database"
+          exit 1
+        fi
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
+++ b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
@@ -1,103 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Autobuild direct tracing (custom working directory)
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
-  workflow_call:
-    inputs:
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  autobuild-direct-tracing-with-working-dir:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Autobuild direct tracing (custom working directory)
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Java
-        uses: actions/setup-java@v5
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
-      - name: Test setup
-        run: |
-          # Make sure that Gradle build succeeds in autobuild-dir ...
-          cp -a ../action/tests/java-repo autobuild-dir
-          # ... and fails if attempted in the current directory
-          echo > build.gradle
-      - uses: ./../action/init
-        with:
-          build-mode: autobuild
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Check that indirect tracing is disabled
-        run: |
-          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
-            echo "Expected indirect tracing to be disabled, but the" \
-              "CODEQL_RUNNER environment variable is set."
-            exit 1
-          fi
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__autobuild-working-dir.yml
+++ b/.github/workflows/__autobuild-working-dir.yml
@@ -1,80 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Autobuild working directory
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  autobuild-working-dir:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Autobuild working directory
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        run: |
-          # Make sure that Gradle build succeeds in autobuild-dir ...
-          cp -a ../action/tests/java-repo autobuild-dir
-          # ... and fails if attempted in the current directory
-          echo > build.gradle
-      - uses: ./../action/init
-        with:
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-      - uses: ./../action/analyze
-      - name: Check database
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d java ]]; then
-            echo "Did not find a Java database"
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__build-mode-autobuild.yml
+++ b/.github/workflows/__build-mode-autobuild.yml
@@ -1,117 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Build mode autobuild
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
-  workflow_call:
-    inputs:
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  build-mode-autobuild:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Build mode autobuild
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Java
-        uses: actions/setup-java@v5
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
-      - name: Set up Java test repo configuration
-        run: |
-          mv * .github ../action/tests/multi-language-repo/
-          mv ../action/tests/multi-language-repo/.github/workflows .github
-          mv ../action/tests/java-repo/* .
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: autobuild
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Install yq
-        if: runner.os == 'Windows'
-        run: |
-          choco install yq -y
-
-      - name: Validate database build mode
-        run: |
-          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
-          build_mode=$(yq eval '.buildMode' "$metadata_path")
-          if [[ "$build_mode" != "autobuild" ]]; then
-            echo "Expected build mode to be 'autobuild' but was $build_mode"
-            exit 1
-          fi
-
-      - name: Check that indirect tracing is disabled
-        run: |
-          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
-            echo "Expected indirect tracing to be disabled, but the" \
-              "CODEQL_RUNNER environment variable is set."
-            exit 1
-          fi
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__build-mode-manual.yml
+++ b/.github/workflows/__build-mode-manual.yml
@@ -1,95 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Build mode manual
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  build-mode-manual:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode manual
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: manual
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate database build mode
-        run: |
-          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
-          build_mode=$(yq eval '.buildMode' "$metadata_path")
-          if [[ "$build_mode" != "manual" ]]; then
-            echo "Expected build mode to be 'manual' but was $build_mode"
-            exit 1
-          fi
-
-      - name: Build code
-        run: ./build.sh
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__build-mode-none.yml
+++ b/.github/workflows/__build-mode-none.yml
@@ -1,83 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Build mode none
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  build-mode-none:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode none
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate database build mode
-        run: |
-          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
-          build_mode=$(yq eval '.buildMode' "$metadata_path")
-          if [[ "$build_mode" != "none" ]]; then
-            echo "Expected build mode to be 'none' but was $build_mode"
-            exit 1
-          fi
-
-  # The latest nightly supports omitting the autobuild Action when the build mode is specified.
-      - uses: ./../action/autobuild
-        if: matrix.version != 'nightly-latest'
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__build-mode-rollback.yml
+++ b/.github/workflows/__build-mode-rollback.yml
@@ -1,84 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Build mode rollback
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  build-mode-rollback:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode rollback
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Set up Java test repo configuration
-        run: |
-          mv * .github ../action/tests/multi-language-repo/
-          mv ../action/tests/multi-language-repo/.github/workflows .github
-          mv ../action/tests/java-repo/* .
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate database build mode
-        run: |
-          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
-          build_mode=$(yq eval '.buildMode' "$metadata_path")
-          if [[ "$build_mode" != "autobuild" ]]; then
-            echo "Expected build mode to be 'autobuild' but was $build_mode"
-            exit 1
-          fi
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__bundle-from-toolcache.yml
+++ b/.github/workflows/__bundle-from-toolcache.yml
@@ -1,85 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Bundle: From toolcache'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  bundle-from-toolcache:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: toolcache
-    name: 'Bundle: From toolcache'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache
-      - name: Check toolcache contains CodeQL
-        continue-on-error: true
-        uses: actions/github-script@v8
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            if (allCodeqlVersions.length === 0) {
-              throw new Error(`CodeQL could not be found in the toolcache`);
-            }
-      - id: setup-codeql
-        uses: ./../action/setup-codeql
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@v8
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
-            if (allCodeqlVersions.length === 0) {
-              throw new Error('CodeQL not found in toolcache');
-            }
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__bundle-toolcache.yml
+++ b/.github/workflows/__bundle-toolcache.yml
@@ -1,105 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Bundle: Caching checks'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  bundle-toolcache:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: 'Bundle: Caching checks'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v8
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            fs.rmdirSync(codeqlPath, { recursive: true });
-      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache
-      - name: Check toolcache does not contain CodeQL
-        uses: actions/github-script@v8
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            if (allCodeqlVersions.length !== 0) {
-              throw new Error(`CodeQL should not be found in the toolcache, but found ${allCodeqlVersions}`);
-            }
-            console.log('No versions of CodeQL found in the toolcache');
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@v8
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
-            if (allCodeqlVersions.length === 0) {
-              throw new Error('CodeQL not found in toolcache');
-            }
-            if (allCodeqlVersions.length > 1) {
-              throw new Error('Multiple CodeQL versions found in toolcache');
-            }
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__bundle-zstd.yml
+++ b/.github/workflows/__bundle-zstd.yml
@@ -1,122 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Bundle: Zstandard checks'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  bundle-zstd:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: 'Bundle: Zstandard checks'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v8
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            if (codeqlPath !== undefined) {
-              fs.rmdirSync(codeqlPath, { recursive: true });
-            }
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os }}-zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v8
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            const expectedExtension = process.env['RUNNER_OS'] === 'Windows' ? '.tar.gz' : '.tar.zst';
-
-            if (!toolsUrl.endsWith(expectedExtension)) {
-              core.setFailed(
-                `Expected the tools URL to be a ${expectedExtension} file, but found ${toolsUrl}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__cleanup-db-cluster-dir.yml
+++ b/.github/workflows/__cleanup-db-cluster-dir.yml
@@ -1,79 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Clean up database cluster directory
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  cleanup-db-cluster-dir:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Clean up database cluster directory
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Add a file to the database cluster directory
-        run: |
-          mkdir -p "${{ runner.temp }}/customDbLocation/javascript"
-          touch "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt"
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate file cleaned up
-        run: |
-          if [[ -f "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt" ]]; then
-            echo "File was not cleaned up"
-            exit 1
-          fi
-          echo "File was cleaned up"
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__config-export.yml
+++ b/.github/workflows/__config-export.yml
@@ -1,102 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Config export
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  config-export:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Config export
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          queries: security-extended
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check config properties appear in SARIF
-        uses: actions/github-script@v8
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-            const configSummary = run.properties.codeqlConfigSummary;
-
-            if (configSummary === undefined) {
-              core.setFailed('`codeqlConfigSummary` property not found in the SARIF run property bag.');
-            }
-            if (configSummary.disableDefaultQueries !== false) {
-              core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' +
-                `${JSON.stringify(configSummary.disableDefaultQueries)}.`);
-            }
-            const expectedQueries = [{ type: 'builtinSuite', uses: 'security-extended' }];
-            // Use JSON.stringify to deep-equal the arrays.
-            if (JSON.stringify(configSummary.queries) !== JSON.stringify(expectedQueries)) {
-              core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` +
-                `${JSON.stringify(configSummary.queries)}.`);
-            }
-            core.info('Finished config export tests.');
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__config-input.yml
+++ b/.github/workflows/__config-input.yml
@@ -1,94 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Config input
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  config-input:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Config input
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Install Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 20.x
-          cache: npm
-      - name: Install dependencies
-        run: npm ci
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Copy queries into workspace
-        run: |
-          cp -a ../action/queries .
-
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: javascript
-          build-mode: none
-          config: |
-            disable-default-queries: true
-            queries:
-              - name: Run custom query
-                uses: ./queries/default-setup-environment-variables.ql
-            paths-ignore:
-              - tests
-              - lib
-
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-
-      - name: Check SARIF
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/codeql-action/default-setup-env-vars
-          queries-not-run: javascript/codeql-action/default-setup-context-properties
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__cpp-deptrace-disabled.yml
+++ b/.github/workflows/__cpp-deptrace-disabled.yml
@@ -1,81 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - C/C++: disabling autoinstalling dependencies (Linux)'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  cpp-deptrace-disabled:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'C/C++: disabling autoinstalling dependencies (Linux)'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        run: |
-          cp -a ../action/tests/cpp-autobuild autobuild-dir
-      - uses: ./../action/init
-        with:
-          languages: cpp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-        env:
-          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
-      - run: |
-          if ls /usr/bin/errno; then
-            echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
-            exit 1
-          fi
-    env:
-      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
+++ b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
@@ -1,81 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - C/C++: autoinstalling dependencies is skipped (macOS)'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  cpp-deptrace-enabled-on-macos:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: macos-latest
-            version: nightly-latest
-    name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        run: |
-          cp -a ../action/tests/cpp-autobuild autobuild-dir
-      - uses: ./../action/init
-        with:
-          languages: cpp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-        env:
-          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - run: |
-          if ! ls /usr/bin/errno; then
-            echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
-          else
-            echo "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES should not have had any effect on macOS"
-            exit 1
-          fi
-    env:
-      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__cpp-deptrace-enabled.yml
+++ b/.github/workflows/__cpp-deptrace-enabled.yml
@@ -1,81 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - C/C++: autoinstalling dependencies (Linux)'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  cpp-deptrace-enabled:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'C/C++: autoinstalling dependencies (Linux)'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        run: |
-          cp -a ../action/tests/cpp-autobuild autobuild-dir
-      - uses: ./../action/init
-        with:
-          languages: cpp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-        env:
-          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - run: |
-          if ! ls /usr/bin/errno; then
-            echo "Did not autoinstall errno"
-            exit 1
-          fi
-    env:
-      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__diagnostics-export.yml
+++ b/.github/workflows/__diagnostics-export.yml
@@ -1,138 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Diagnostic export
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  diagnostics-export:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Diagnostic export
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Add test diagnostics
-        env:
-          CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
-        run: |
-          "$CODEQL_PATH" database add-diagnostic \
-            "$RUNNER_TEMP/codeql_databases/javascript" \
-            --file-path /path/to/file \
-            --plaintext-message "Plaintext message" \
-            --source-id "lang/diagnostics/example" \
-            --source-name "Diagnostic name" \
-            --ready-for-status-page
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostics appear in SARIF
-        uses: actions/github-script@v8
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            function checkStatusPageNotification(n) {
-              const expectedMessage = 'Plaintext message';
-              if (n.message.text !== expectedMessage) {
-                core.setFailed(`Expected the status page diagnostic to have the message '${expectedMessage}', but found '${n.message.text}'.`);
-              }
-              if (n.locations.length !== 1) {
-                core.setFailed(`Expected the status page diagnostic to have exactly 1 location, but found ${n.locations.length}.`);
-              }
-            }
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const statusPageNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'lang/diagnostics/example' && n.properties?.visibility?.statusPage
-            );
-            if (statusPageNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${statusPageNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-            checkStatusPageNotification(statusPageNotifications[0]);
-
-            const notifications = run.tool.driver.notifications;
-            const diagnosticNotification = notifications.filter(n =>
-              n.id === 'lang/diagnostics/example' && n.name === 'lang/diagnostics/example' &&
-                n.fullDescription.text === 'Diagnostic name'
-            );
-            if (diagnosticNotification.length !== 1) {
-              core.setFailed(
-                'Expected exactly one notification for this diagnostic in the ' +
-                  `'runs[].tool.driver.notifications[]' SARIF property, but found ` +
-                  `${diagnosticNotification.length}. All notifications: ` +
-                  `${JSON.stringify(notifications)}.`
-              );
-            }
-
-            core.info('Finished diagnostic export test');
-    env:
-      CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__export-file-baseline-information.yml
+++ b/.github/workflows/__export-file-baseline-information.yml
@@ -1,114 +1,89 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - Export file baseline information
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  export-file-baseline-information:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
    name: Export file baseline information
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check results
-        run: |
-          cd "$RUNNER_TEMP/results"
-          expected_baseline_languages="c csharp go java kotlin javascript python ruby"
-          if [[ $RUNNER_OS == "macOS" ]]; then
-            expected_baseline_languages+=" swift"
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      id: init
+      with:
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        CODEQL_FILE_BASELINE_INFORMATION: true
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+      env:
+        CODEQL_FILE_BASELINE_INFORMATION: true
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v3
+      with:
+        name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+        path: ${{ runner.temp }}/results/javascript.sarif
+        retention-days: 7
+    - name: Check results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        expected_baseline_languages="cpp cs go java js py rb swift"

-          for lang in ${expected_baseline_languages}; do
-            rule_name="cli/expected-extracted-files/${lang}"
-            found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
-              select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
-            if [[ "${found_notification}" != "true" ]]; then
-              echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
-              exit 1
-            else
-              echo "Found notification '${rule_name}'."
-            fi
-          done
+        for lang in ${expected_baseline_languages}; do
+          rule_name="${lang}/baseline/expected-extracted-files"
+          found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
+            select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
+          if [[ "${found_notification}" != "true" ]]; then
+            echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
+            exit 1
+          else
+            echo "Found notification '${rule_name}'."
+          fi
+        done
    env:
-      CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true # Remove when Swift is GA.
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__extractor-ram-threads.yml
+++ b/.github/workflows/__extractor-ram-threads.yml
@@ -1,82 +1,67 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - Extractor ram and threads options test
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  extractor-ram-threads:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
+        - os: ubuntu-latest
+          version: latest
    name: Extractor ram and threads options test
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: java
-          ram: 230
-          threads: 1
-      - name: Assert Results
-        run: |
-          if [ "${CODEQL_RAM}" != "230" ]; then
-            echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
-            exit 1
-          fi
-          if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
-            echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
-            exit 1
-          fi
-          if [ "${CODEQL_THREADS}" != "1" ]; then
-            echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
-            exit 1
-          fi
-          if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
-            echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: java
+        ram: 230
+        threads: 1
+    - name: Assert Results
+      shell: bash
+      run: |
+        if [ "${CODEQL_RAM}" != "230" ]; then
+          echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
+          exit 1
+        fi
+        if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
+          echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
+          exit 1
+        fi
+        if [ "${CODEQL_THREADS}" != "1" ]; then
+          echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
+          exit 1
+        fi
+        if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
+          echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
+          exit 1
+        fi
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__global-proxy.yml
+++ b/.github/workflows/__global-proxy.yml
@@ -1,86 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Proxy test
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  global-proxy:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Proxy test
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-  # These steps are required to initialise the `gh` cli in a container that doesn't
-  # come pre-installed with it. The reason for that is that this is later
-  # needed by the `prepare-test` workflow to find the latest release of CodeQL.
-      - name: Set up GitHub CLI
-        run: |
-          apt update
-          apt install -y curl libreadline8 gnupg2 software-properties-common zstd
-          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-key add /usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-add-repository https://cli.github.com/packages
-          apt install -y gh
-        env: {}
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'false'
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-    env:
-      https_proxy: http://squid-proxy:3128
-      CODEQL_ACTION_TEST_MODE: true
-    container:
-      image: ubuntu:22.04
-    services:
-      squid-proxy:
-        image: ubuntu/squid:latest
-        ports:
-          - 3128:3128
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -1,85 +1,92 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: 'PR Check - Go: Custom queries'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  go-custom-queries:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: macos-latest
+          version: stable-20211005
+        - os: windows-2019
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: windows-2019
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: stable-20220401
+        - os: macos-latest
+          version: stable-20220401
+        - os: windows-latest
+          version: stable-20220401
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
    name: 'Go: Custom queries'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          config-file: ./.github/codeql/custom-queries.yml
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        config-file: ./.github/codeql/custom-queries.yml
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
    env:
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
@@ -1,111 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Go: diagnostic when Go is changed after init step'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  go-indirect-tracing-workaround-diagnostic:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: 'Go: diagnostic when Go is changed after init step'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-  # Deliberately change Go after the `init` step
-      - uses: actions/setup-go@v6
-        with:
-          go-version: '1.20'
-      - name: Build code
-        run: go build main.go
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v8
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const statusPageNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'go/workflow/go-installed-after-codeql-init' && n.properties?.visibility?.statusPage
-            );
-            if (statusPageNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${statusPageNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
@@ -1,112 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Go: diagnostic when `file` is not installed'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  go-indirect-tracing-workaround-no-file-program:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: 'Go: diagnostic when `file` is not installed'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Remove `file` program
-        run: |
-          echo $(which file)
-          sudo rm -rf $(which file)
-          echo $(which file)
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        run: go build main.go
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v8
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const statusPageNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'go/workflow/file-program-unavailable' && n.properties?.visibility?.statusPage
-            );
-            if (statusPageNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${statusPageNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__go-indirect-tracing-workaround.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround.yml
@@ -1,106 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: 'PR Check - Go: workaround for indirect tracing'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  go-indirect-tracing-workaround:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: 'Go: workaround for indirect tracing'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        run: go build main.go
-      - uses: ./../action/analyze
-      - run: |
-          if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
-            echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
-              "CODEQL_ACTION_GO_BINARY environment variable is not set."
-            exit 1
-          fi
-          if [[ ! -f "${CODEQL_ACTION_GO_BINARY}" ]]; then
-            echo "CODEQL_ACTION_GO_BINARY is set, but the corresponding script does not exist."
-            exit 1
-          fi
-
-
-          # Once we start running Bash 4.2 in all environments, we can replace the
-          # `! -z` flag with the more elegant `-v` which confirms that the variable
-          # is actually unset and not potentially set to a blank value.
-          if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
-            echo "Expected the Go autobuilder not to be run, but the" \
-              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
-            exit 1
-          fi
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d go ]]; then
-            echo "Did not find a Go database"
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__go-tracing-autobuilder.yml
+++ b/.github/workflows/__go-tracing-autobuilder.yml
@@ -1,126 +1,89 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: 'PR Check - Go: tracing with autobuilder step'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  go-tracing-autobuilder:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: macos-latest
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: stable-20220401
+        - os: macos-latest
+          version: stable-20220401
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
    name: 'Go: tracing with autobuilder step'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-      - uses: ./../action/analyze
-      - run: |
-          if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
-            echo "Expected the Go autobuilder to be run, but the" \
-              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
-            exit 1
-          fi
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d go ]]; then
-            echo "Did not find a Go database"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/autobuild
+    - uses: ./../action/analyze
+    - shell: bash
+      run: |
+        if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
+          echo "Expected the Go autobuilder to be run, but the" \
+            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
+          exit 1
+        fi
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
    env:
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__go-tracing-custom-build-steps.yml
+++ b/.github/workflows/__go-tracing-custom-build-steps.yml
@@ -1,129 +1,93 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: 'PR Check - Go: tracing with custom build steps'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  go-tracing-custom-build-steps:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: macos-latest
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: stable-20220401
+        - os: macos-latest
+          version: stable-20220401
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
    name: 'Go: tracing with custom build steps'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        run: go build main.go
-      - uses: ./../action/analyze
-      - run: |
-          # Once we start running Bash 4.2 in all environments, we can replace the
-          # `! -z` flag with the more elegant `-v` which confirms that the variable
-          # is actually unset and not potentially set to a blank value.
-          if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
-            echo "Expected the Go autobuilder not to be run, but the" \
-              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
-            exit 1
-          fi
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d go ]]; then
-            echo "Did not find a Go database"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: go build main.go
+    - uses: ./../action/analyze
+    - shell: bash
+      run: |
+        # Once we start running Bash 4.2 in all environments, we can replace the
+        # `! -z` flag with the more elegant `-v` which confirms that the variable
+        # is actually unset and not potentially set to a blank value.
+        if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
+          echo "Expected the Go autobuilder not to be run, but the" \
+            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
+          exit 1
+        fi
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__go-tracing-legacy-workflow.yml
+++ b/.github/workflows/__go-tracing-legacy-workflow.yml
@@ -1,120 +1,83 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: 'PR Check - Go: tracing with legacy workflow'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  go-tracing-legacy-workflow:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: macos-latest
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: stable-20220401
+        - os: macos-latest
+          version: stable-20220401
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
    name: 'Go: tracing with legacy workflow'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-      - run: |
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d go ]]; then
-            echo "Did not find a Go database"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/analyze
+    - shell: bash
+      run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
    env:
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__go.yml
+++ b/.github/workflows/__go.yml
@@ -1,77 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: Manual Check - go
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    paths:
-      - .github/workflows/__go.yml
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-jobs:
-  go-custom-queries:
-    name: 'Go: Custom queries'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-custom-queries.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-indirect-tracing-workaround-diagnostic:
-    name: 'Go: diagnostic when Go is changed after init step'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-indirect-tracing-workaround-no-file-program:
-    name: 'Go: diagnostic when `file` is not installed'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-indirect-tracing-workaround:
-    name: 'Go: workaround for indirect tracing'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-indirect-tracing-workaround.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-tracing-autobuilder:
-    name: 'Go: tracing with autobuilder step'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-tracing-autobuilder.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-tracing-custom-build-steps:
-    name: 'Go: tracing with custom build steps'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-tracing-custom-build-steps.yml
-    with:
-      go-version: ${{ inputs.go-version }}
-  go-tracing-legacy-workflow:
-    name: 'Go: tracing with legacy workflow'
-    permissions:
-      contents: read
-      security-events: read
-    uses: ./.github/workflows/__go-tracing-legacy-workflow.yml
-    with:
-      go-version: ${{ inputs.go-version }}
--- a/.github/workflows/__init-with-registries.yml
+++ b/.github/workflows/__init-with-registries.yml
@@ -1,122 +1,80 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: 'PR Check - Packaging: Download using registries'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  init-with-registries:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
    name: 'Packaging: Download using registries'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      packages: read
-
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Init with registries
-        uses: ./../action/init
-        with:
-          db-location: ${{ runner.temp }}/customDbLocation
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          config-file: ./.github/codeql/codeql-config-registries.yml
-          languages: javascript
-          registries: |
-            - url: "https://ghcr.io/v2/"
-              packages: "*/*"
-              token: "${{ secrets.GITHUB_TOKEN }}"
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Init with registries
+      uses: ./../action/init
+      with:
+        db-location: ${{ runner.temp }}/customDbLocation
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        config-file: ./.github/codeql/codeql-config-registries.yml
+        languages: javascript
+        registries: |
+          - url: "https://ghcr.io/v2/"
+            packages: "*/*"
+            token: "${{ secrets.GITHUB_TOKEN }}"

-      - name: Verify packages installed
-        run: |
-          PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
-          CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
+    - name: Verify packages installed
+      shell: bash
+      run: |
+        PRIVATE_PACK="$HOME/.codeql/packages/dsp-testing/private-pack"
+        CODEQL_PACK1="$HOME/.codeql/packages/dsp-testing/codeql-pack1"

-          if [[ -d $PRIVATE_PACK ]]
-          then
-              echo "$PRIVATE_PACK was installed."
-          else
-              echo "::error $PRIVATE_PACK pack was not installed."
-              exit 1
-          fi
+        if [[ -d $PRIVATE_PACK ]]
+        then
+            echo "$PRIVATE_PACK was installed."
+        else
+            echo "::error $PRIVATE_PACK pack was not installed."
+            exit 1
+        fi

-          if [[ -d $CODEQL_PACK1 ]]
-          then
-              echo "$CODEQL_PACK1 was installed."
-          else
-              echo "::error $CODEQL_PACK1 pack was not installed."
-              exit 1
-          fi
-
-      - name: Verify qlconfig.yml file was created
-        run: |
-          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
-          echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
-          if [[ -f $QLCONFIG_PATH ]]
-          then
-              echo "qlconfig.yml file was created."
-          else
-              echo "::error qlconfig.yml file was not created."
-              exit 1
-          fi
-
-      - name: Verify contents of qlconfig.yml
-        run: |
-          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
-          cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
-          if [[ $? -eq 0 ]]
-          then
-              echo "Registry was added to qlconfig.yml file."
-          else
-              echo "::error Registry was not added to qlconfig.yml file."
-              echo "Contents of qlconfig.yml file:"
-              cat $QLCONFIG_PATH
-              exit 1
-          fi
+        if [[ -d $CODEQL_PACK1 ]]
+        then
+            echo "$CODEQL_PACK1 was installed."
+        else
+            echo "::error $CODEQL_PACK1 pack was not installed."
+            exit 1
+        fi
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__javascript-source-root.yml
+++ b/.github/workflows/__javascript-source-root.yml
@@ -1,82 +1,69 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - Custom source root
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  javascript-source-root:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
    name: Custom source root
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Move codeql-action
-        run: |
-          mkdir ../new-source-root
-          mv * ../new-source-root
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          source-root: ../new-source-root
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          skip-queries: true
-      - name: Assert database exists
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d javascript ]]; then
-            echo "Did not find a JavaScript database"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Move codeql-action
+      shell: bash
+      run: |
+        mkdir ../new-source-root
+        mv * ../new-source-root
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        source-root: ../new-source-root
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/analyze
+      with:
+        skip-queries: true
+        upload: false
+    - name: Assert database exists
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d javascript ]]; then
+          echo "Did not find a JavaScript database"
+          exit 1
+        fi
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__job-run-uuid-sarif.yml
+++ b/.github/workflows/__job-run-uuid-sarif.yml
@@ -1,83 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Job run UUID added to SARIF
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  job-run-uuid-sarif:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Job run UUID added to SARIF
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check results
-        run: |
-          cd "$RUNNER_TEMP/results"
-          actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
-          if [[ "$actual" != "$JOB_RUN_UUID" ]]; then
-            echo "Expected SARIF output to contain job run UUID '$JOB_RUN_UUID', but found '$actual'."
-            exit 1
-          else
-            echo "Found job run UUID '$actual'."
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__language-aliases.yml
+++ b/.github/workflows/__language-aliases.yml
@@ -1,74 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Language aliases
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  language-aliases:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Language aliases
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: C#,java-kotlin,swift,typescript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Check languages
-        run: |
-          expected_languages="csharp,java,swift,javascript"
-          actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
-
-          if [ "$expected_languages" != "$actual_languages" ]; then
-            echo "Resolved languages did not match expected list. " \
-              "Expected languages: $expected_languages. Actual languages: $actual_languages."
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__local-bundle.yml
+++ b/.github/workflows/__local-bundle.yml
@@ -1,101 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Local CodeQL bundle
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  local-bundle:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Local CodeQL bundle
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Fetch latest CodeQL bundle
-        run: |
-          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
-      - id: init
-        uses: ./../action/init
-        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ./codeql-bundle-linux64.tar.zst
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__ml-powered-queries.yml
+++ b/.github/workflows/__ml-powered-queries.yml
@@ -0,0 +1,136 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - ML-powered queries
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  ml-powered-queries:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: windows-2019
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
+    name: ML-powered queries
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        queries: security-extended
+        source-root: ./../action/tests/ml-powered-queries-repo
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v3
+      with:
+        name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+        path: ${{ runner.temp }}/results/javascript.sarif
+        retention-days: 7
+
+    - name: Check sarif
+      uses: ./../action/.github/check-sarif
+    # Running on Windows requires CodeQL CLI 2.9.0+.
+      if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')"
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
+        queries-not-run: foo,bar
+
+    - name: Check results
+      env:
+      # Running on Windows requires CodeQL CLI 2.9.0+.
+        SHOULD_RUN_ML_POWERED_QUERIES: ${{ !(matrix.version == 'stable-20220120' &&
+          runner.os == 'Windows') }}
+      shell: bash
+      run: |
+        echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
+
+        cd "$RUNNER_TEMP/results"
+        # We should run at least the ML-powered queries in `expected_rules`.
+        expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
+
+        for rule in ${expected_rules}; do
+          found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
+            flatten | .[].id] | any(. == $rule)' javascript.sarif)
+          echo "Did find rule '${rule}': ${found_rule}"
+          if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
+            echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
+            exit 1
+          elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
+            echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
+            exit 1
+          fi
+        done
+
+        # We should have at least one alert from an ML-powered query.
+        num_alerts=$(jq '[.runs[0].results[] |
+          select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
+          javascript.sarif)
+        echo "Found ${num_alerts} alerts from ML-powered queries.";
+        if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
+          echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
+          exit 1
+        elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
+          echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
+          exit 1
+        fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -1,150 +1,143 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - Multi-language repository
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  multi-language-autodetect:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: linked
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: macos-latest
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: stable-20220401
+        - os: macos-latest
+          version: stable-20220401
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
    name: Multi-language repository
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Use Xcode 16
-        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
-        run: sudo xcode-select -s "/Applications/Xcode_16.app"
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      id: init
+      with:
+        db-location: ${{ runner.temp }}/customDbLocation
+        tools: ${{ steps.prepare-test.outputs.tools-url }}

-      - uses: ./../action/init
-        id: init
-        with:
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
-            || '' }}
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}

-      - name: Build code
-        run: ./build.sh
+    - name: Build code
+      shell: bash
+      run: ./build.sh

-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
+    - uses: ./../action/analyze
+      id: analysis

-      - name: Check language autodetect for all languages excluding Swift
-        run: |
-          CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
-          if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for CPP, or created it in the wrong location."
-            exit 1
-          fi
-          CSHARP_DB=${{ fromJson(steps.analysis.outputs.db-locations).csharp }}
-          if [[ ! -d $CSHARP_DB ]] || [[ ! $CSHARP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for C Sharp, or created it in the wrong location."
-            exit 1
-          fi
-          GO_DB=${{ fromJson(steps.analysis.outputs.db-locations).go }}
-          if [[ ! -d $GO_DB ]] || [[ ! $GO_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Go, or created it in the wrong location."
-            exit 1
-          fi
-          JAVA_DB=${{ fromJson(steps.analysis.outputs.db-locations).java }}
-          if [[ ! -d $JAVA_DB ]] || [[ ! $JAVA_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Java, or created it in the wrong location."
-            exit 1
-          fi
-          JAVASCRIPT_DB=${{ fromJson(steps.analysis.outputs.db-locations).javascript }}
-          if [[ ! -d $JAVASCRIPT_DB ]] || [[ ! $JAVASCRIPT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Javascript, or created it in the wrong location."
-            exit 1
-          fi
-          PYTHON_DB=${{ fromJson(steps.analysis.outputs.db-locations).python }}
-          if [[ ! -d $PYTHON_DB ]] || [[ ! $PYTHON_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Python, or created it in the wrong location."
-            exit 1
-          fi
-          RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
-          if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Ruby, or created it in the wrong location."
-            exit 1
-          fi
+    - name: Check language autodetect for all languages excluding Ruby, Swift
+      shell: bash
+      run: |
+        CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
+        if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for CPP, or created it in the wrong location."
+          exit 1
+        fi
+        CSHARP_DB=${{ fromJson(steps.analysis.outputs.db-locations).csharp }}
+        if [[ ! -d $CSHARP_DB ]] || [[ ! $CSHARP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for C Sharp, or created it in the wrong location."
+          exit 1
+        fi
+        GO_DB=${{ fromJson(steps.analysis.outputs.db-locations).go }}
+        if [[ ! -d $GO_DB ]] || [[ ! $GO_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Go, or created it in the wrong location."
+          exit 1
+        fi
+        JAVA_DB=${{ fromJson(steps.analysis.outputs.db-locations).java }}
+        if [[ ! -d $JAVA_DB ]] || [[ ! $JAVA_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Java, or created it in the wrong location."
+          exit 1
+        fi
+        JAVASCRIPT_DB=${{ fromJson(steps.analysis.outputs.db-locations).javascript }}
+        if [[ ! -d $JAVASCRIPT_DB ]] || [[ ! $JAVASCRIPT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Javascript, or created it in the wrong location."
+          exit 1
+        fi
+        PYTHON_DB=${{ fromJson(steps.analysis.outputs.db-locations).python }}
+        if [[ ! -d $PYTHON_DB ]] || [[ ! $PYTHON_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Python, or created it in the wrong location."
+          exit 1
+        fi

-      - name: Check language autodetect for Swift on macOS
-        if: runner.os == 'macOS'
-        run: |
-          SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
-          if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Swift, or created it in the wrong location."
-            exit 1
-          fi
+    - name: Check language autodetect for Ruby
+      if: (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version
+        == 'nightly-latest')
+      shell: bash
+      run: |
+        RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
+        if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Ruby, or created it in the wrong location."
+          exit 1
+        fi
+
+    - name: Check language autodetect for Swift
+      if: (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version
+        == 'nightly-latest')
+      shell: bash
+      run: |
+        SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
+        if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Swift, or created it in the wrong location."
+          exit 1
+        fi
+    env:
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__overlay-init-fallback.yml
+++ b/.github/workflows/__overlay-init-fallback.yml
@@ -1,78 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Overlay database init fallback
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  overlay-init-fallback:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Overlay database init fallback
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: actions # Any language without overlay support will do
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-        env:
-          CODEQL_OVERLAY_DATABASE_MODE: overlay-base
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases/actions"
-          if ! grep -q 'overlayBaseDatabase: false' codeql-database.yml ; then
-            echo "This test needs to be updated to use a non-overlay language."
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -1,134 +1,95 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: 'PR Check - Packaging: Config and input passed to the CLI'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
    name: 'Packaging: Config and input passed to the CLI'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Install Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 20.x
-          cache: npm
-      - name: Install dependencies
-        run: npm ci
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
-          packs: +codeql-testing/codeql-pack1@1.0.0
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging3.yml
+        packs: +dsp-testing/codeql-pack1@1.0.0
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results

-      - name: Check results
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-          queries-not-run: foo,bar
+    - name: Check results
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+        queries-not-run: foo,bar

-      - name: Assert Results
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"

-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
    env:
+      CODEQL_PASS_CONFIG_TO_CLI: true
+
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -1,119 +1,93 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: 'PR Check - Packaging: Config and input'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  packaging-config-inputs-js:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
    name: 'Packaging: Config and input'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Install Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 20.x
-          cache: npm
-      - name: Install dependencies
-        run: npm ci
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
-          packs: +codeql-testing/codeql-pack1@1.0.0
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging3.yml
+        packs: +dsp-testing/codeql-pack1@1.0.0
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results

-      - name: Check results
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-          queries-not-run: foo,bar
+    - name: Check results
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+        queries-not-run: foo,bar

-      - name: Assert Results
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"

-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -1,118 +1,92 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: 'PR Check - Packaging: Config file'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  packaging-config-js:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
    name: 'Packaging: Config file'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Install Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 20.x
-          cache: npm
-      - name: Install dependencies
-        run: npm ci
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging.yml
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging.yml
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results

-      - name: Check results
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-          queries-not-run: foo,bar
+    - name: Check results
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+        queries-not-run: foo,bar

-      - name: Assert Results
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"

-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -1,118 +1,93 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: 'PR Check - Packaging: Action input'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  packaging-inputs-js:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
    name: 'Packaging: Action input'
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Install Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 20.x
-          cache: npm
-      - name: Install dependencies
-        run: npm ci
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging2.yml
-          languages: javascript
-          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging2.yml
+        languages: javascript
+        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results

-      - name: Check results
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-          queries-not-run: foo,bar
+    - name: Check results
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+        queries-not-run: foo,bar

-      - name: Assert Results
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"

-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__quality-queries.yml
+++ b/.github/workflows/__quality-queries.yml
@@ -1,148 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Quality queries input
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  quality-queries:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-            analysis-kinds: code-scanning
-          - os: ubuntu-latest
-            version: linked
-            analysis-kinds: code-quality
-          - os: ubuntu-latest
-            version: linked
-            analysis-kinds: code-scanning,code-quality
-          - os: ubuntu-latest
-            version: nightly-latest
-            analysis-kinds: code-scanning
-          - os: ubuntu-latest
-            version: nightly-latest
-            analysis-kinds: code-quality
-          - os: ubuntu-latest
-            version: nightly-latest
-            analysis-kinds: code-scanning,code-quality
-    name: Quality queries input
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          analysis-kinds: ${{ matrix.analysis-kinds }}
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-          post-processed-sarif-path: ${{ runner.temp }}/post-processed
-      - name: Upload security SARIF
-        if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/upload-artifact@v4
-        with:
-          name: |
-            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Upload quality SARIF
-        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v4
-        with:
-          name: |
-            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
-          path: ${{ runner.temp }}/results/javascript.quality.sarif
-          retention-days: 7
-      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: |
-            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-          path: ${{ runner.temp }}/post-processed
-          retention-days: 7
-          if-no-files-found: error
-      - name: Check quality query does not appear in security SARIF
-        if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/github-script@v8
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-          EXPECT_PRESENT: 'false'
-        with:
-          script: ${{ env.CHECK_SCRIPT }}
-      - name: Check quality query appears in quality SARIF
-        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/github-script@v8
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif
-          EXPECT_PRESENT: 'true'
-        with:
-          script: ${{ env.CHECK_SCRIPT }}
-    env:
-      CHECK_SCRIPT: |
-        const fs = require('fs');
-
-        const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-        const expectPresent = JSON.parse(process.env['EXPECT_PRESENT']);
-        const run = sarif.runs[0];
-        const extensions = run.tool.extensions;
-
-        if (extensions === undefined) {
-          core.setFailed('`extensions` property not found in the SARIF run property bag.');
-        }
-
-        // ID of a query we want to check the presence for
-        const targetId = 'js/regex/always-matches';
-        const found = extensions.find(extension => extension.rules && extension.rules.find(rule => rule.id === targetId));
-
-        if (found && expectPresent) {
-          console.log(`Found rule with id '${targetId}'.`);
-        } else if (!found && !expectPresent) {
-          console.log(`Rule with id '${targetId}' was not found.`);
-        } else {
-          core.setFailed(`${ found ? "Found" : "Didn't find" } rule ${targetId}`);
-        }
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -1,100 +1,92 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - Remote config file
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  remote-config:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: macos-latest
+          version: stable-20211005
+        - os: windows-2019
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: windows-2019
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: stable-20220401
+        - os: macos-latest
+          version: stable-20220401
+        - os: windows-latest
+          version: stable-20220401
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
    name: Remote config file
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        languages: cpp,csharp,java,javascript,python
+        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+          github.sha }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__resolve-environment-action.yml
+++ b/.github/workflows/__resolve-environment-action.yml
@@ -1,88 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Resolve environment
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  resolve-environment-action:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Resolve environment
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: go,javascript-typescript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Resolve environment for Go
-        uses: ./../action/resolve-environment
-        id: resolve-environment-go
-        with:
-          language: go
-
-      - name: Fail if Go configuration missing
-        if: (!fromJSON(steps.resolve-environment-go.outputs.environment).configuration.go)
-        run: exit 1
-
-      - name: Resolve environment for JavaScript/TypeScript
-        uses: ./../action/resolve-environment
-        id: resolve-environment-js
-        with:
-          language: javascript-typescript
-
-      - name: Fail if JavaScript/TypeScript configuration present
-        if:
-          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
-        run: exit 1
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -1,76 +1,63 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - RuboCop multi-language
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  rubocop-multi-language:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: default
+        - os: ubuntu-latest
+          version: cached
    name: RuboCop multi-language
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Set up Ruby
-        uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
-        with:
-          ruby-version: 2.6
-      - name: Install Code Scanning integration
-        run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
-      - name: Install dependencies
-        run: bundle install
-      - name: RuboCop run
-        run: |
-          bash -c "
-            bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
-            [[ $? -ne 2 ]]
-          "
-      - uses: ./../action/upload-sarif
-        with:
-          sarif_file: rubocop.sarif
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+    - name: Install Code Scanning integration
+      shell: bash
+      run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
+    - name: Install dependencies
+      shell: bash
+      run: bundle install
+    - name: RuboCop run
+      shell: bash
+      run: |
+        bash -c "
+          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+          [[ $? -ne 2 ]]
+        "
+    - uses: ./../action/upload-sarif
+      with:
+        sarif_file: rubocop.sarif
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__ruby.yml
+++ b/.github/workflows/__ruby.yml
@@ -1,84 +1,67 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - Ruby analysis
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  ruby:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
    name: Ruby analysis
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: ruby
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        run: |
-          RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
-          if [[ ! -d "$RUBY_DB" ]]; then
-            echo "Did not create a database for Ruby."
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: ruby
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/analyze
+      id: analysis
+    - name: Check database
+      shell: bash
+      run: |
+        RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
+        if [[ ! -d "$RUBY_DB" ]]; then
+          echo "Did not create a database for Ruby."
+          exit 1
+        fi
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__rust.yml
+++ b/.github/workflows/__rust.yml
@@ -1,82 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Rust analysis
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  rust:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: stable-v2.19.3
-          - os: ubuntu-latest
-            version: stable-v2.22.1
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Rust analysis
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: rust
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        run: |
-          RUST_DB="${{ fromJson(steps.analysis.outputs.db-locations).rust }}"
-          if [[ ! -d "$RUST_DB" ]]; then
-            echo "Did not create a database for Rust."
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -1,121 +1,92 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - Split workflow
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  split-workflow:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
    name: Split workflow
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
-          packs: +codeql-testing/codeql-pack1@1.0.0
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          skip-queries: true
-          output: ${{ runner.temp }}/results
-          upload-database: false
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging3.yml
+        packs: +dsp-testing/codeql-pack1@1.0.0
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        skip-queries: true
+        output: ${{ runner.temp }}/results

-      - name: Assert No Results
-        run: |
-          if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
-            echo "Expected results directory to be empty after skipping query execution!"
-            exit 1
-          fi
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Assert Results
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert No Results
+      shell: bash
+      run: |
+        if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
+          echo "Expected results directory to be empty after skipping query execution!"
+          exit 1
+        fi
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"

-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__start-proxy.yml
+++ b/.github/workflows/__start-proxy.yml
@@ -1,85 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Start proxy
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  start-proxy:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: Start proxy
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: csharp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Setup proxy for registries
-        id: proxy
-        uses: ./../action/start-proxy
-        with:
-          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json"
-            }]'
-
-      - name: Print proxy outputs
-        run: |
-          echo "${{ steps.proxy.outputs.proxy_host }}"
-          echo "${{ steps.proxy.outputs.proxy_port }}"
-          echo "${{ steps.proxy.outputs.proxy_urls }}"
-
-      - name: Fail if proxy outputs are not set
-        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port)
-          || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
-        run: exit 1
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__submit-sarif-failure.yml
+++ b/.github/workflows/__submit-sarif-failure.yml
@@ -1,83 +1,65 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - Submit SARIF after failure
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  submit-sarif-failure:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
    name: Submit SARIF after failure
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: write # needed to upload the SARIF file
-
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: actions/checkout@v5
-      - uses: ./init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Fail
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: actions/checkout@v3
+    - uses: ./init
+      with:
+        languages: javascript
+    - name: Fail
    # We want this job to pass if the Action correctly uploads the SARIF file for
    # the failed run.
    # Setting this step to continue on error means that it is marked as completing
    # successfully, so will not fail the job.
-        continue-on-error: true
-        run: exit 1
-      - uses: ./analyze
+      continue-on-error: true
+      run: exit 1
+    - uses: ./analyze
    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
    # above, we manually disable it with an `if` condition.
-        if: false
-        with:
-          category: /test-codeql-version:${{ matrix.version }}
+      if: false
+      with:
+        category: /test-codeql-version:${{ matrix.version }}
    env:
  # Internal-only environment variable used to indicate that the post-init Action
  # should expect to upload a SARIF file for the failed run.
--- a/.github/workflows/__swift-autobuild.yml
+++ b/.github/workflows/__swift-autobuild.yml
@@ -1,80 +1,70 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - Swift analysis using autobuild
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs: {}
-  workflow_call:
-    inputs: {}
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  swift-autobuild:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: nightly-latest
+        - os: macos-latest
+          version: latest
+        - os: macos-latest
+          version: cached
+        - os: macos-latest
+          version: nightly-latest
    name: Swift analysis using autobuild
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: swift
-          build-mode: autobuild
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Check working directory
-        run: pwd
-      - uses: ./../action/autobuild
-        timeout-minutes: 30
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        run: |
-          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
-          if [[ ! -d "$SWIFT_DB" ]]; then
-            echo "Did not create a database for Swift."
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      id: init
+      with:
+        languages: swift
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+    - name: Check working directory
+      shell: bash
+      run: pwd
+    - uses: ./../action/autobuild
+    - uses: ./../action/analyze
+      id: analysis
+    - name: Check database
+      shell: bash
+      run: |
+        SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
+        if [[ ! -d "$SWIFT_DB" ]]; then
+          echo "Did not create a database for Swift."
+          exit 1
+        fi
    env:
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__swift-custom-build.yml
+++ b/.github/workflows/__swift-custom-build.yml
@@ -1,102 +1,79 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - Swift analysis using a custom build command
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  swift-custom-build:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: linked
-          - os: macos-latest
-            version: default
-          - os: macos-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
    name: Swift analysis using a custom build command
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Use Xcode 16
-        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
-        run: sudo xcode-select -s "/Applications/Xcode_16.app"
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: swift
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Check working directory
-        run: pwd
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        run: |
-          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
-          if [[ ! -d "$SWIFT_DB" ]]; then
-            echo "Did not create a database for Swift."
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      id: init
+      with:
+        languages: swift
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+    - name: Check working directory
+      shell: bash
+      run: pwd
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      id: analysis
+    - name: Check database
+      shell: bash
+      run: |
+        SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
+        if [[ ! -d "$SWIFT_DB" ]]; then
+          echo "Did not create a database for Swift."
+          exit 1
+        fi
    env:
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__test-autobuild-working-dir.yml
+++ b/.github/workflows/__test-autobuild-working-dir.yml
@@ -0,0 +1,66 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Autobuild working directory
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  test-autobuild-working-dir:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: latest
+    name: Autobuild working directory
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Test setup
+      shell: bash
+      run: |
+        # Make sure that Gradle build succeeds in autobuild-dir ...
+        cp -a ../action/tests/java-repo autobuild-dir
+        # ... and fails if attempted in the current directory
+        echo > build.gradle
+    - uses: ./../action/init
+      with:
+        languages: java
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/autobuild
+      with:
+        working-directory: autobuild-dir
+    - uses: ./../action/analyze
+    - name: Check database
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d java ]]; then
+          echo "Did not find a Java database"
+          exit 1
+        fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__test-local-codeql.yml
+++ b/.github/workflows/__test-local-codeql.yml
@@ -0,0 +1,56 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Local CodeQL bundle
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  test-local-codeql:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: nightly-latest
+    name: Local CodeQL bundle
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Fetch a CodeQL bundle
+      shell: bash
+      env:
+        CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
+      run: |
+        wget "$CODEQL_URL"
+    - uses: ./../action/init
+      with:
+        tools: ./codeql-bundle.tar.gz
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+    env:
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__test-proxy.yml
+++ b/.github/workflows/__test-proxy.yml
@@ -0,0 +1,57 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Proxy test
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  test-proxy:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: latest
+    name: Proxy test
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/analyze
+    env:
+      https_proxy: http://squid-proxy:3128
+      CODEQL_ACTION_TEST_MODE: true
+    container:
+      image: ubuntu:22.04
+      options: --dns 127.0.0.1
+    services:
+      squid-proxy:
+        image: ubuntu/squid:latest
+        ports:
+        - 3128:3128
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -1,141 +1,108 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - Test unsetting environment variables
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  unset-environment:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: stable-20220401
+        - os: ubuntu-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
    name: Test unsetting environment variables
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - uses: ./../action/init
-        id: init
-        with:
-          db-location: ${{ runner.temp }}/customDbLocation
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - run: |
-          CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
-          if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
-            echo "::error::Did not create a database for CPP, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/cpp' but actual was '${CPP_DB}'"
-            exit 1
-          fi
-          CSHARP_DB="${{ fromJson(steps.analysis.outputs.db-locations).csharp }}"
-          if [[ ! -d "$CSHARP_DB" ]] || [[ ! "$CSHARP_DB" == "${RUNNER_TEMP}/customDbLocation/csharp" ]]; then
-            echo "::error::Did not create a database for C Sharp, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/csharp' but actual was '${CSHARP_DB}'"
-            exit 1
-          fi
-          GO_DB="${{ fromJson(steps.analysis.outputs.db-locations).go }}"
-          if [[ ! -d "$GO_DB" ]] || [[ ! "$GO_DB" == "${RUNNER_TEMP}/customDbLocation/go" ]]; then
-            echo "::error::Did not create a database for Go, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/go' but actual was '${GO_DB}'"
-            exit 1
-          fi
-          JAVA_DB="${{ fromJson(steps.analysis.outputs.db-locations).java }}"
-          if [[ ! -d "$JAVA_DB" ]] || [[ ! "$JAVA_DB" == "${RUNNER_TEMP}/customDbLocation/java" ]]; then
-            echo "::error::Did not create a database for Java, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/java' but actual was '${JAVA_DB}'"
-            exit 1
-          fi
-          JAVASCRIPT_DB="${{ fromJson(steps.analysis.outputs.db-locations).javascript }}"
-          if [[ ! -d "$JAVASCRIPT_DB" ]] || [[ ! "$JAVASCRIPT_DB" == "${RUNNER_TEMP}/customDbLocation/javascript" ]]; then
-            echo "::error::Did not create a database for Javascript, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/javascript' but actual was '${JAVASCRIPT_DB}'"
-            exit 1
-          fi
-          PYTHON_DB="${{ fromJson(steps.analysis.outputs.db-locations).python }}"
-          if [[ ! -d "$PYTHON_DB" ]] || [[ ! "$PYTHON_DB" == "${RUNNER_TEMP}/customDbLocation/python" ]]; then
-            echo "::error::Did not create a database for Python, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/python' but actual was '${PYTHON_DB}'"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        db-location: ${{ runner.temp }}/customDbLocation
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+    # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+    # workaround for our PR checks.
+      run: env -i CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN=true PATH="$PATH" HOME="$HOME"
+        ./build.sh
+    - uses: ./../action/analyze
+      id: analysis
+    - shell: bash
+      run: |
+        CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
+        if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
+          echo "::error::Did not create a database for CPP, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/cpp' but actual was '${CPP_DB}'"
+          exit 1
+        fi
+        CSHARP_DB="${{ fromJson(steps.analysis.outputs.db-locations).csharp }}"
+        if [[ ! -d "$CSHARP_DB" ]] || [[ ! "$CSHARP_DB" == "${RUNNER_TEMP}/customDbLocation/csharp" ]]; then
+          echo "::error::Did not create a database for C Sharp, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/csharp' but actual was '${CSHARP_DB}'"
+          exit 1
+        fi
+        GO_DB="${{ fromJson(steps.analysis.outputs.db-locations).go }}"
+        if [[ ! -d "$GO_DB" ]] || [[ ! "$GO_DB" == "${RUNNER_TEMP}/customDbLocation/go" ]]; then
+          echo "::error::Did not create a database for Go, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/go' but actual was '${GO_DB}'"
+          exit 1
+        fi
+        JAVA_DB="${{ fromJson(steps.analysis.outputs.db-locations).java }}"
+        if [[ ! -d "$JAVA_DB" ]] || [[ ! "$JAVA_DB" == "${RUNNER_TEMP}/customDbLocation/java" ]]; then
+          echo "::error::Did not create a database for Java, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/java' but actual was '${JAVA_DB}'"
+          exit 1
+        fi
+        JAVASCRIPT_DB="${{ fromJson(steps.analysis.outputs.db-locations).javascript }}"
+        if [[ ! -d "$JAVASCRIPT_DB" ]] || [[ ! "$JAVASCRIPT_DB" == "${RUNNER_TEMP}/customDbLocation/javascript" ]]; then
+          echo "::error::Did not create a database for Javascript, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/javascript' but actual was '${JAVASCRIPT_DB}'"
+          exit 1
+        fi
+        PYTHON_DB="${{ fromJson(steps.analysis.outputs.db-locations).python }}"
+        if [[ ! -d "$PYTHON_DB" ]] || [[ ! "$PYTHON_DB" == "${RUNNER_TEMP}/customDbLocation/python" ]]; then
+          echo "::error::Did not create a database for Python, or created it in the wrong location." \
+            "Expected location was '${RUNNER_TEMP}/customDbLocation/python' but actual was '${PYTHON_DB}'"
+          exit 1
+        fi
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -1,107 +1,100 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  upload-ref-sha-input:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: default
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: macos-latest
+          version: stable-20211005
+        - os: windows-2019
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: windows-2019
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: stable-20220401
+        - os: macos-latest
+          version: stable-20220401
+        - os: windows-latest
+          version: stable-20220401
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
    name: "Upload-sarif: 'ref' and 'sha' from inputs"
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
-      - name: Build code
-        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
-      - uses: ./../action/analyze
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-          upload: never
-      - uses: ./../action/upload-sarif
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        languages: cpp,csharp,java,javascript,python
+        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+          github.sha }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        ref: refs/heads/main
+        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+        upload: false
+    - uses: ./../action/upload-sarif
+      with:
+        ref: refs/heads/main
+        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__upload-sarif.yml
+++ b/.github/workflows/__upload-sarif.yml
@@ -1,173 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Test different uses of `upload-sarif`
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  upload-sarif:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-            analysis-kinds: code-scanning
-          - os: ubuntu-latest
-            version: default
-            analysis-kinds: code-quality
-          - os: ubuntu-latest
-            version: default
-            analysis-kinds: code-scanning,code-quality
-    name: Test different uses of `upload-sarif`
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: csharp,java,javascript,python
-          analysis-kinds: ${{ matrix.analysis-kinds }}
-      - name: Build code
-        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
-      - uses: ./../action/analyze
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-          upload: never
-          output: ${{ runner.temp }}/results
-
-      - name: |
-          Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}`
-        uses: ./../action/upload-sarif
-        id: upload-sarif
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-          sarif_file: ${{ runner.temp }}/results
-          category: |
-            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/
-      - name: Fail for missing output from `upload-sarif` step for `code-scanning`
-        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)
-        run: exit 1
-      - name: Fail for missing output from `upload-sarif` step for `code-quality`
-        if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)
-        run: exit 1
-
-      - name: Upload single SARIF file for Code Scanning
-        uses: ./../action/upload-sarif
-        id: upload-single-sarif-code-scanning
-        if: contains(matrix.analysis-kinds, 'code-scanning')
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-          sarif_file: ${{ runner.temp }}/results/javascript.sarif
-          category: |
-            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/
-      - name: Fail for missing output from `upload-single-sarif-code-scanning` step
-        if: contains(matrix.analysis-kinds, 'code-scanning') &&
-          !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)
-        run: exit 1
-      - name: Upload single SARIF file for Code Quality
-        uses: ./../action/upload-sarif
-        id: upload-single-sarif-code-quality
-        if: contains(matrix.analysis-kinds, 'code-quality')
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-          sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif
-          category: |
-            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/
-      - name: Fail for missing output from `upload-single-sarif-code-quality` step
-        if: contains(matrix.analysis-kinds, 'code-quality') &&
-          !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)
-        run: exit 1
-
-      - name: Change SARIF file extension
-        if: contains(matrix.analysis-kinds, 'code-scanning')
-        run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json
-      - name: Upload single non-`.sarif` file
-        uses: ./../action/upload-sarif
-        id: upload-single-non-sarif
-        if: contains(matrix.analysis-kinds, 'code-scanning')
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-          sarif_file: ${{ runner.temp }}/results/javascript.sarif.json
-          category: |
-            ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/
-      - name: Fail for missing output from `upload-single-non-sarif` step
-        if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)
-        run: exit 1
-    env:
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -1,148 +1,144 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.

 name: PR Check - Use a custom `checkout_path`
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
  push:
    branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-  workflow_call:
-    inputs:
-      go-version:
-        type: string
-        description: The version of Go to install
-        required: false
-        default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
 jobs:
  with-checkout-path:
    strategy:
-      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: linked
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: macos-latest
+          version: stable-20211005
+        - os: windows-2019
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: windows-2019
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: stable-20220401
+        - os: macos-latest
+          version: stable-20220401
+        - os: windows-latest
+          version: stable-20220401
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
    name: Use a custom `checkout_path`
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: ${{ inputs.go-version || '>=1.21.0' }}
-          cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Delete original checkout
-        run: |
-          # delete the original checkout so we don't accidentally use it.
-          # Actions does not support deleting the current working directory, so we
-          # delete the contents of the directory instead.
-          rm -rf ./* .github .git
-  # Check out the actions repo again, but at a different location.
-  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@v5
-        with:
-          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
-          path: x/y/z/some-path
-
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Go
+      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
+      uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: actions/checkout@v3
+      with:
+        ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        path: x/y/z/some-path
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
      # it's enough to test one compiled language and one interpreted language
-          languages: csharp,javascript
-          source-root: x/y/z/some-path/tests/multi-language-repo
+        languages: csharp,javascript
+        source-path: x/y/z/some-path/tests/multi-language-repo
+        debug: true
+    - name: Build code (non-windows)
+      shell: bash
+      if: ${{ runner.os != 'Windows' }}
+      run: |
+        $CODEQL_RUNNER x/y/z/some-path/tests/multi-language-repo/build.sh
+    - name: Build code (windows)
+      shell: bash
+      if: ${{ runner.os == 'Windows' }}
+      run: |
+        x/y/z/some-path/tests/multi-language-repo/build.sh
+    - uses: ./../action/analyze
+      with:
+        checkout_path: x/y/z/some-path/tests/multi-language-repo
+        ref: v1.1.0
+        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        upload: false

-      - name: Build code
-        working-directory: x/y/z/some-path/tests/multi-language-repo
-        run: |
-          ./build.sh
+    - uses: ./../action/upload-sarif
+      with:
+        ref: v1.1.0
+        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        checkout_path: x/y/z/some-path/tests/multi-language-repo

-      - uses: ./../action/analyze
-        with:
-          checkout_path: x/y/z/some-path/tests/multi-language-repo
-          ref: v1.1.0
-          sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+    - name: Verify SARIF after upload
+      shell: bash
+      run: |
+        EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
+        EXPECTED_REF="v1.1.0"
+        EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"

-      - name: Verify SARIF after upload
-        run: |
-          PAYLOAD_FILE="$RUNNER_TEMP/payload-code-scanning.json"
-          EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
-          EXPECTED_REF="v1.1.0"
-          EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
+        ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
+        ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
+        ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"

-          ACTUAL_COMMIT_OID="$(cat "$PAYLOAD_FILE" | jq -r .commit_oid)"
-          ACTUAL_REF="$(cat "$PAYLOAD_FILE" | jq -r .ref)"
-          ACTUAL_CHECKOUT_URI="$(cat "$PAYLOAD_FILE" | jq -r .checkout_uri)"
+        if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
+          echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi

-          if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
-            echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
-            echo "$PAYLOAD_FILE"
-            exit 1
-          fi
+        if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
+          echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi

-          if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
-            echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
-            echo "$PAYLOAD_FILE"
-            exit 1
-          fi
-
-          if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
-            echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
-            echo "$PAYLOAD_FILE"
-            exit 1
-          fi
+        if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
+          echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/check-expected-release-files.yml
+++ b/.github/workflows/check-expected-release-files.yml
@@ -9,20 +9,13 @@ on:
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]

-defaults:
-  run:
-    shell: bash
-
 jobs:
  check-expected-release-files:
    runs-on: ubuntu-latest

-    permissions:
-      contents: read
-
    steps:
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v5
+        uses: actions/checkout@v3
      - name: Check Expected Release Files
        run: |
          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -2,20 +2,15 @@ name: "CodeQL action"

 on:
  push:
-    branches: [main, releases/v*]
+    branches: [main, releases/v1, releases/v2]
  pull_request:
-    branches: [main, releases/v*]
+    branches: [main, releases/v1, releases/v2]
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
  schedule:
    # Weekly on Sunday.
    - cron: '30 1 * * 0'
-  workflow_dispatch:
-
-defaults:
-  run:
-    shell: bash

 env:
  CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
@@ -23,16 +18,15 @@ env:
 jobs:
  # Identify the CodeQL tool versions to use in the analysis job.
  check-codeql-versions:
-    if: github.triggering_actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    outputs:
      versions: ${{ steps.compare.outputs.versions }}

    permissions:
-      contents: read
+      security-events: write

    steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v3
    - name: Init with default CodeQL bundle from the VM image
      id: init-default
      uses: ./init
@@ -46,7 +40,7 @@ jobs:
      id: init-latest
      uses: ./init
      with:
-        tools: linked
+        tools: latest
        languages: javascript
    - name: Compare default and latest CodeQL bundle versions
      id: compare
@@ -59,88 +53,45 @@ jobs:
        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"

-        # If we're running on a pull request, run with both bundles, even if `tools: linked` would
+        # If we're running on a pull request, run with both bundles, even if `tools: latest` would
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
        # required status check.
        #
-        # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
+        # If we're running on push or schedule, then we can skip running with `tools: latest` when it would be
        # the same as running with `tools: null`.
        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
          VERSIONS_JSON='[null]'
        else
-          VERSIONS_JSON='[null, "linked"]'
+          VERSIONS_JSON='[null, "latest"]'
        fi

        # Output a JSON-encoded list with the distinct versions to test against.
        echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
        echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT

-  analyze-javascript:
-    if: github.triggering_actor != 'dependabot[bot]'
+  build:
    needs: [check-codeql-versions]
    strategy:
-      fail-fast: false
      matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
+        os: [ubuntu-latest,windows-latest,macos-latest]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

    permissions:
-      contents: read
      security-events: write

    steps:
    - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@v3
    - name: Initialize CodeQL
      uses: ./init
      id: init
      with:
        languages: javascript
-        config-file: ./.github/codeql/codeql-config-javascript.yml
+        config-file: ./.github/codeql/codeql-config.yml
        tools: ${{ matrix.tools }}
    # confirm steps.init.outputs.codeql-path points to the codeql binary
    - name: Print CodeQL Version
-      run: >
-        "$CODEQL" version --format=json
-      env:
-        CODEQL: ${{steps.init.outputs.codeql-path}}
+      run: ${{steps.init.outputs.codeql-path}} version --format=json
    - name: Perform CodeQL Analysis
      uses: ./analyze
-      with:
-        category: "/language:javascript"
-        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
-
-  analyze-other:
-    if: github.triggering_actor != 'dependabot[bot]'
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - language: actions
-          - language: python
-
-    permissions:
-      contents: read
-      security-events: write
-
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v5
-    - name: Initialize CodeQL
-      uses: ./init
-      with:
-        languages: ${{ matrix.language }}
-        build-mode: none
-        config: >
-          paths-ignore:
-            - lib
-            - tests
-          queries:
-            - uses: security-and-quality
-    - name: Perform CodeQL Analysis
-      uses: ./analyze
-      with:
-        category: "/language:${{ matrix.language }}"
--- a/.github/workflows/codescanning-config-cli.yml
+++ b/.github/workflows/codescanning-config-cli.yml
@@ -3,49 +3,41 @@
 name: Code-Scanning config CLI tests
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  # Diff informed queries add an additional query filter which is not yet
-  # taken into account by these tests.
-  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
+  CODEQL_PASS_CONFIG_TO_CLI: true

 on:
  push:
    branches:
    - main
-    - releases/v*
+    - releases/v1
+    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
  workflow_dispatch: {}

-defaults:
-  run:
-    shell: bash
-
 jobs:
  code-scanning-config-tests:
-    if: github.triggering_actor != 'dependabot[bot]'
    continue-on-error: true

-    permissions:
-      contents: read
-      packages: read
-      security-events: read
-
    strategy:
-      fail-fast: false
      matrix:
        include:
        - os: ubuntu-latest
-          version: linked
+          version: latest
+        - os: macos-latest
+          version: latest
        - os: ubuntu-latest
-          version: default
+          version: cached
+        - os: macos-latest
+          version: cached
        - os: ubuntu-latest
          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest

    # Code-Scanning config not created because environment variable is not set
    name: Code Scanning Configuration tests
@@ -53,25 +45,15 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v5
-
-    - name: Set up Node.js
-      uses: actions/setup-node@v6
-      with:
-        node-version: 24
-        cache: 'npm'
-
-    - name: Install dependencies
-      run: npm ci
-
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
-      uses: ./.github/actions/prepare-test
+      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}

    - name: Empty file
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: "{}"
        languages: javascript
@@ -79,31 +61,31 @@ jobs:

    - name: Packs from input
      if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
-            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
+            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
          }
        languages: javascript
-        packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
+        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
        tools: ${{ steps.prepare-test.outputs.tools-url }}

    - name: Packs from input with +
      if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
-            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
+            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
          }
        languages: javascript
-        packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
+        packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
        tools: ${{ steps.prepare-test.outputs.tools-url }}

    - name: Queries from input
      if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
@@ -115,7 +97,7 @@ jobs:

    - name: Queries from input with +
      if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
@@ -127,27 +109,27 @@ jobs:

    - name: Queries and packs from input with +
      if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
            "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }],
-            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
+            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
          }
        languages: javascript
        queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
-        packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
+        packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
        tools: ${{ steps.prepare-test.outputs.tools-url }}

    - name: Queries and packs from config
      if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
            "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }],
            "packs": {
-              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
+              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
            }
          }
        languages: javascript
@@ -156,7 +138,7 @@ jobs:

    - name: Queries and packs from config overriden by input
      if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
@@ -171,17 +153,17 @@ jobs:

    - name: Queries and packs from config merging with input
      if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
-            "packs": {
-              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2", "codeql/javascript-queries" ]
-            },
            "queries": [
-              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" },
-              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }
-            ]
+              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" },
+              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }
+            ],
+            "packs": {
+              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2", "codeql/javascript-queries" ]
+            }
          }
        languages: javascript
        queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
@@ -191,12 +173,12 @@ jobs:

    - name: Multi-language packs from config
      if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
            "packs": {
-              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ],
+              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ],
              "ruby": ["codeql/ruby-queries"]
            },
            "queries": [
@@ -209,7 +191,7 @@ jobs:

    - name: Other config properties
      if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
@@ -223,3 +205,15 @@ jobs:
        packs: + codeql/javascript-queries
        config-file-test: .github/codeql/other-config-properties.yml
        tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+    - name: Config not generated when env var is not set
+      if: success() || failure()
+      env:
+        CODEQL_PASS_CONFIG_TO_CLI: false
+      uses: ./../action/.github/check-codescanning-config
+      with:
+        expected-config-file-contents: ""
+        languages: javascript
+        packs: + codeql/javascript-queries
+        config-file-test: .github/codeql/other-config-properties.yml
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/debug-artifacts-failure-safe.yml
+++ b/.github/workflows/debug-artifacts-failure-safe.yml
@@ -1,107 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist
-# when the analyze step fails.
-name: PR Check - Debug artifacts after failure
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  upload-artifacts:
-    if: github.triggering_actor != 'dependabot[bot]'
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.20.3
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts after failure in analyze
-    continue-on-error: true
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    permissions:
-      contents: read
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Dump GitHub event
-        run: cat "${GITHUB_EVENT_PATH}"
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v6
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-        env:
-          # Forces a failure in this step.
-          CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
-        with:
-          expect-error: true
-  download-and-check-artifacts:
-    name: Download and check debug artifacts after failure in analyze
-    if: github.triggering_actor != 'dependabot[bot]'
-    needs: upload-artifacts
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v5
-      - name: Check expected artifacts exist
-        run: |
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            echo "Artifacts from version $version:"
-            pushd "./my-debug-artifacts-${version//./}"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
-                echo "Missing a partial database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "log" ]] ; then
-                echo "Missing database initialization logs"
-                exit 1
-              fi
-              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto
--- a/.github/workflows/debug-artifacts-failure.yml
+++ b/.github/workflows/debug-artifacts-failure.yml
@@ -0,0 +1,94 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist
+# when the analyze step fails.
+name: PR Check - Debug artifacts after failure
+env:
+  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+  # workaround for our PR checks.
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    name: Upload debug artifacts after failure in analyze
+    continue-on-error: true
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Dump GitHub event
+        run: cat "${GITHUB_EVENT_PATH}"
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/prepare-test
+        with:
+          version: latest
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ^1.13.1
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis  
+        with:
+          expect-error: true
+          ram: 1
+  download-and-check-artifacts:
+    name: Download and check debug artifacts after failure in analyze
+    needs: upload-artifacts
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v3
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          OPERATING_SYSTEMS="ubuntu-latest macos-latest"
+          LANGUAGES="cpp csharp go java javascript python"
+          for os in $OPERATING_SYSTEMS; do
+            pushd "./my-debug-artifacts-$os"
+            echo "Artifacts from run on $os:"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
+                echo "Missing a partial database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "log" ]] ; then
+                echo "Missing database initialization logs"
+                exit 1
+              fi
+              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
+            done
+            popd
+          done
+        env:
+          GO111MODULE: auto
--- a/.github/workflows/debug-artifacts-safe.yml
+++ b/.github/workflows/debug-artifacts-safe.yml
@@ -1,102 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist.
-name: PR Check - Debug artifact upload
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  upload-artifacts:
-    if: github.triggering_actor != 'dependabot[bot]'
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.20.3
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v6
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        id: init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
-          languages: cpp,csharp,go,java,javascript,python,ruby
-      - name: Build code
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-  download-and-check-artifacts:
-    name: Download and check debug artifacts
-    if: github.triggering_actor != 'dependabot[bot]'
-    needs: upload-artifacts
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v5
-      - name: Check expected artifacts exist
-        run: |
-          VERSIONS="stable-v2.20.3 default linked nightly-latest"
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            pushd "./my-debug-artifacts-${version//./}"
-            echo "Artifacts from version $version:"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "$language.sarif" ]] ; then
-                echo "Missing a SARIF file for $language"
-                exit 1
-              fi
-              if [[ ! -f "my-db-$language.zip" ]] ; then
-                echo "Missing a database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto
--- a/.github/workflows/debug-artifacts.yml
+++ b/.github/workflows/debug-artifacts.yml
@@ -0,0 +1,120 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist.
+name: PR Check - Debug artifact upload
+env:
+  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
+  # workaround for our PR checks.
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-20.04
+          version: stable-20211005
+        - os: macos-latest
+          version: stable-20211005
+        - os: ubuntu-20.04
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: stable-20220401
+        - os: macos-latest
+          version: stable-20220401
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+    name: Upload debug artifacts
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/prepare-test
+        with:
+          version: ${{ matrix.version }}
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ^1.13.1
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis  
+  download-and-check-artifacts:
+    name: Download and check debug artifacts
+    needs: upload-artifacts
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v3
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          VERSIONS="stable-20211005 stable-20220120 stable-20220401 cached latest nightly-latest"
+          LANGUAGES="cpp csharp go java javascript python"
+          for version in $VERSIONS; do
+            if [[ "$version" =~ stable-(20211005|20220120|20210809) ]]; then
+              # Note the absence of the period in "ubuntu-2004": this is present in the image name
+              # but not the artifact name
+              OPERATING_SYSTEMS="ubuntu-2004 macos-latest"
+            else
+              OPERATING_SYSTEMS="ubuntu-latest macos-latest"
+            fi
+            for os in $OPERATING_SYSTEMS; do
+              pushd "./my-debug-artifacts-$os-$version"
+              echo "Artifacts from version $version on $os:"
+              for language in $LANGUAGES; do
+                echo "- Checking $language"
+                if [[ ! -f "$language.sarif" ]] ; then
+                  echo "Missing a SARIF file for $language"
+                  exit 1
+                fi
+                if [[ ! -f "my-db-$language.zip" ]] ; then
+                  echo "Missing a database bundle for $language"
+                  exit 1
+                fi
+                if [[ ! -d "$language/log" ]] ; then
+                  echo "Missing logs for $language"
+                  exit 1
+                fi
+              done
+              popd
+            done
+          done
+        env:
+          GO111MODULE: auto
--- a/.github/workflows/expected-queries-runs.yml
+++ b/.github/workflows/expected-queries-runs.yml
@@ -0,0 +1,47 @@
+name: Check queries that ran
+
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+
+jobs:
+  expected-queries:
+    name: Expected Queries Tests
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: latest
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: false
+
+    - name: Check Sarif
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: js/incomplete-hostname-regexp,js/path-injection
+        queries-not-run: foo,bar
--- a/.github/workflows/label-pr-size.yml
+++ b/.github/workflows/label-pr-size.yml
@@ -1,26 +0,0 @@
-name: Label PR with size
-
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - edited
-      - ready_for_review
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  sizeup:
-    name: Label PR with size
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Run sizeup
-        uses: lerebear/sizeup-action@b7beb3dd273e36039e16e48e7bc690c189e61951 # 0.8.12
-        with:
-          token: "${{ secrets.GITHUB_TOKEN }}"
-          configuration-file-path: ".github/sizeup.yml"
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -1,9 +1,8 @@
-# This workflow runs after a merge to any release branch of the action. It:
-# 1. Tags the merge commit on the release branch that represents the new release with an `vN.x.y`
-#    tag
-# 2. Updates the `vN` tag to refer to this merge commit.
-# 3. Iff vN == vLatest, merges any changes from the release back into the main branch.
-#    Typically, this is two commits – one to update the version number and one to rebuild.
+# This workflow runs after a release of the action. For v2 releases, it merges any changes from the
+# release back into the main branch. Typically, this is just a single commit that updates the
+# changelog. For v2 and v1 releases, it then (a) tags the merge commit on the release branch that
+# represents the new release with an `vx.y.z` tag and (b) updates the `vx` tag to refer to this
+# commit.
 name: Tag release and merge back

 on:
@@ -16,25 +15,17 @@ on:

  push:
    branches:
-      - releases/v*
-
-defaults:
-  run:
-    shell: bash
+      - releases/v1
+      - releases/v2

 jobs:
  merge-back:
    runs-on: ubuntu-latest
-    environment: Automation
    if: github.repository == 'github/codeql-action'
    env:
      BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
      HEAD_BRANCH: "${{ github.head_ref || github.ref }}"

-    permissions:
-      contents: write # needed to create tags and push commits
-      pull-requests: write
-
    steps:
      - name: Dump environment
        run: env
@@ -44,14 +35,12 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "${GITHUB_CONTEXT}"

-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3

      - name: Update git config
        run: |
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --global user.email "github-actions@github.com"
          git config --global user.name "github-actions[bot]"

      - name: Get version and new branch
@@ -62,8 +51,6 @@ jobs:
          short_sha="${GITHUB_SHA:0:8}"
          NEW_BRANCH="mergeback/${VERSION}-to-${BASE_BRANCH}-${short_sha}"
          echo "newBranch=${NEW_BRANCH}" >> $GITHUB_OUTPUT
-          LATEST_RELEASE_BRANCH=$(git branch -r | grep -E "origin/releases/v[0-9]+$" | sed 's/origin\///g' | sort -V | tail -1 | xargs)
-          echo "latest_release_branch=${LATEST_RELEASE_BRANCH}" >> $GITHUB_OUTPUT

      - name: Dump branches
        env:
@@ -72,8 +59,6 @@ jobs:
          echo "BASE_BRANCH ${BASE_BRANCH}"
          echo "HEAD_BRANCH ${HEAD_BRANCH}"
          echo "NEW_BRANCH ${NEW_BRANCH}"
-          echo "LATEST_RELEASE_BRANCH ${LATEST_RELEASE_BRANCH}"
-          echo "GITHUB_REF ${GITHUB_REF}"

      - name: Create mergeback branch
        env:
@@ -104,6 +89,8 @@ jobs:
        env:
          VERSION: ${{ steps.getVersion.outputs.version }}
        run: |
+          # Unshallow the repo in order to allow pushes
+          git fetch --unshallow
          # Create the `vx.y.z` tag
          git tag --annotate "${VERSION}" --message "${VERSION}"
          # Update the `vx` tag
@@ -112,49 +99,50 @@ jobs:
          git tag --annotate "${major_version_tag}" --message "${major_version_tag}" --force
          # Push the tags, using:
          # - `--atomic` to make sure we either update both tags or neither (an intermediate state,
-          #   e.g. where we update the vN.x.y tag on the remote but not the vN tag, could result in
-          #   unwanted Dependabot updates, e.g. from vN to vN.x.y)
-          # - `--force` since we're overwriting the `vN` tag
+          #   e.g. where we update the v2.x.y tag on the remote but not the v2 tag, could result in
+          #   unwanted Dependabot updates, e.g. from v2 to v2.x.y)
+          # - `--force` since we're overwriting the `vx` tag
          git push origin --atomic --force refs/tags/"${VERSION}" refs/tags/"${major_version_tag}"

-      - name: Prepare partial Changelog
+      - name: Create mergeback branch
+        if: steps.check.outputs.exists != 'true' && contains(github.ref, 'releases/v2')
        env:
-          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
          VERSION: "${{ steps.getVersion.outputs.version }}"
+          NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: |
-          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG
+          set -exu
+          pr_title="Mergeback ${VERSION} ${HEAD_BRANCH} into ${BASE_BRANCH}"
+          pr_body=$(cat << EOF
+            This PR bumps the version number and updates the changelog after the ${VERSION} release.

-          echo "::group::Partial CHANGELOG"
-          cat $PARTIAL_CHANGELOG
-          echo "::endgroup::"
+            Please do the following:

-      - name: Create mergeback branch and PR
-        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
-        uses: ./.github/actions/prepare-mergeback-branch
-        with:
-          base: "${{ env.BASE_BRANCH }}"
-          head: "${{ env.HEAD_BRANCH }}"
-          branch: "${{ steps.getVersion.outputs.newBranch }}"
-          version: "${{ steps.getVersion.outputs.version }}"
-          token: "${{ secrets.GITHUB_TOKEN }}"
+            - [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.
+            - [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.
+            - [ ] Mark the PR as ready for review to trigger the full set of PR checks.
+            - [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
+                  selected rather than "Squash and merge" or "Rebase and merge".
+          EOF
+          )

-      - name: Generate token
-        uses: actions/create-github-app-token@v2.1.4
-        id: app-token
-        with:
-          app-id: ${{ vars.AUTOMATION_APP_ID }}
-          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          # Update the version number ready for the next release
+          npm version patch --no-git-tag-version

-      - name: Create the GitHub release
-        if: steps.check.outputs.exists != 'true'
-        env:
-          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ steps.getVersion.outputs.version }}"
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: |
-          # Do not mark this release as latest. The most recent CLI release must be marked as latest.
-          gh release create \
-            "$VERSION" \
-            --latest=false \
-            --title "$VERSION" \
-            --notes-file "$PARTIAL_CHANGELOG"
+          # Update the changelog
+          perl -i -pe 's/^/## \[UNRELEASED\]\n\nNo user facing changes.\n\n/ if($.==3)' CHANGELOG.md
+          git add .
+          git commit -m "Update changelog and version after ${VERSION}"
+
+          git push origin "${NEW_BRANCH}"
+
+          # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft
+          # so that a maintainer can take the PR out of draft, thereby triggering the PR checks.
+          gh pr create \
+            --head "${NEW_BRANCH}" \
+            --base "${BASE_BRANCH}" \
+            --title "${pr_title}" \
+            --label "Update dependencies" \
+            --body "${pr_body}" \
+            --assignee "${GITHUB_ACTOR}" \
+            --draft
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -2,123 +2,119 @@ name: PR Checks

 on:
  push:
+    branches: [main, releases/v1, releases/v2]
  pull_request:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
  workflow_dispatch:

-defaults:
-  run:
-    shell: bash
-
 jobs:
-  unit-tests:
-    name: Unit Tests
-    if: github.triggering_actor != 'dependabot[bot]'
+  check-js:
+    name: Check JS
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+
+    strategy:
+      matrix:
+        node-types-version: [12.12, current]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Lint
+        run: npm run-script lint
+
+      - name: Update version of @types/node
+        if: matrix.node-types-version != 'current'
+        env:
+          NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
+        run: |
+          # Export `NODE_TYPES_VERSION` so it's available to jq
+          export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
+          contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
+          echo "${contents}" > package.json
+          # Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
+          # However we're not checking in the updated lockfile here, so it's fine to run
+          # `npm install` on Linux.
+          npm install
+
+          if [ ! -z "$(git status --porcelain)" ]; then
+            git config --global user.email "github-actions@github.com"
+            git config --global user.name "github-actions[bot]"
+            # The period in `git add --all .` ensures that we stage deleted files too.
+            git add --all .
+            git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
+          fi
+
+      - name: Check generated JS
+        run: .github/workflows/script/check-js.sh
+
+  check-node-modules:
+    name: Check modules up to date
+    runs-on: macos-latest
+    timeout-minutes: 45
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check node modules up to date
+        run: .github/workflows/script/check-node-modules.sh
+
+  check-file-contents:
+    name: Check file contents
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Checks for any conflict markers created by git. This check is primarily intended to validate that
+      # any merge conflicts in the v2 -> v1 backport PR are fixed before the PR is merged.
+      - name: Check for merge conflicts
+        run: |
+          # Use `|| true` since grep returns exit code 1 if there are no matches, and we don't want
+          # this to fail the workflow.
+          FILES_WITH_CONFLICTS=$(grep --extended-regexp --ignore-case --line-number --recursive \
+            '^(<<<<<<<|>>>>>>>)' . || true)
+          if [[ "${FILES_WITH_CONFLICTS}" ]]; then
+            echo "Fail: Found merge conflict markers in the following files:"
+            echo ""
+            echo "${FILES_WITH_CONFLICTS}"
+            exit 1
+          else
+            echo "Success: Found no merge conflict markers."
+          fi
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.8
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install ruamel.yaml
+
+      # Ensure the generated PR check workflows are up to date.
+      - name: Verify PR checks up to date
+        run: .github/workflows/script/verify-pr-checks.sh
+
+  npm-test:
+    name: Unit Test
+    needs: [check-js, check-node-modules]
    strategy:
-      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
-        node-version: [20, 24]
-    permissions:
-      contents: read
-      security-events: write # needed to upload ESLint results
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45

    steps:
-      - name: Prepare git (Windows)
-        if: runner.os == 'Windows'
-        run: git config --global core.autocrlf false
-
-      - uses: actions/checkout@v5
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: ${{ matrix.node-version }}
-          cache: 'npm'
-
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: 3.11
-
-      - name: Install dependencies
+      - uses: actions/checkout@v3
+      - name: npm test
        run: |
-          # Use the system Bash shell to ensure we can run commands like `npm ci`
-          # that are not available in the default shell on Windows.
+          # Run any commands referenced in package.json using Bash, otherwise
+          # we won't be able to find them on Windows.
          npm config set script-shell bash
-          npm ci
-
-      - name: Verify compiled JS up to date
-        run: .github/workflows/script/check-js.sh
-
-      - name: Verify PR checks up to date
-        if: always()
-        run: .github/workflows/script/verify-pr-checks.sh
-
-      - name: Run unit tests
-        if: always()
-        run: npm test
-
-      - name: Run pr-checks tests
-        if: always()
-        working-directory: pr-checks
-        run: python -m unittest discover
-
-      - name: Lint
-        if: always() && matrix.os != 'windows-latest'
-        run: npm run lint-ci
-
-      - name: Upload sarif
-        uses: github/codeql-action/upload-sarif@v4
-        if: matrix.os == 'ubuntu-latest' && matrix.node-version == 24
-        with:
-          sarif_file: eslint.sarif
-          category: eslint
-
-  check-node-version:
-    if: github.event.pull_request && github.triggering_actor != 'dependabot[bot]'
-    name: Check Action Node versions
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-    env:
-      BASE_REF: ${{ github.base_ref }}
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v5
-      - id: head-version
-        name: Verify all Actions use the same Node version
-        run: |
-          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
-          echo "NODE_VERSION: ${NODE_VERSION}"
-          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
-            echo "::error::More than one node version used in 'action.yml' files."
-            exit 1
-          fi
-          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
-
-      - id: checkout-base
-        name: 'Backport: Check out base ref'
-        if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@v5
-        with:
-          ref: ${{ env.BASE_REF }}
-
-      - name: 'Backport: Verify Node versions unchanged'
-        if: steps.checkout-base.outcome == 'success'
-        env:
-          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
-        run: |
-          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
-          echo "HEAD_VERSION: ${HEAD_VERSION}"
-          echo "BASE_VERSION: ${BASE_VERSION}"
-          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
-            echo "::error::Cannot change the Node version of an Action in a backport PR."
-            exit 1
-          fi
+          npm test
--- a/Show More
+++ b/Show More