Disable SIP disablement check

.github/actions/release-initialise/action.yml

@@ -16,9 +16,9 @@ runs:
       shell: bash
 
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@v5
       with:
-        python-version: '3.12'
+        python-version: 3.12
 
     - name: Install dependencies
       run: |

.github/workflows/__all-platform-bundle.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -84,10 +74,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - id: init
         uses: ./../action/init
         with:

.github/workflows/__analyze-ref-input.yml

@@ -32,11 +32,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -49,11 +44,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -95,10 +85,6 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__autobuild-action.yml

@@ -21,19 +21,9 @@ on:
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
-    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
+    inputs: {}
   workflow_call:
-    inputs:
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
+    inputs: {}
 defaults:
   run:
     shell: bash
@@ -69,10 +59,6 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           languages: csharp

.github/workflows/__build-mode-manual.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -80,10 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__bundle-zstd.yml

@@ -79,7 +79,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.os }}-zstd-bundle.sarif
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__config-export.yml

@@ -67,7 +67,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__diagnostics-export.yml

@@ -78,7 +78,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__export-file-baseline-information.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -84,10 +74,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         id: init
         with:
@@ -99,7 +85,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__go-custom-queries.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -82,10 +72,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           languages: go

.github/workflows/__go.yml

@@ -8,6 +8,9 @@ env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
 on:
+  push:
+    paths:
+      - .github/workflows/__go.yml
   workflow_dispatch:
     inputs:
       go-version:
@@ -15,11 +18,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 jobs:
   go-custom-queries:
     name: 'Go: Custom queries'
@@ -29,7 +27,6 @@ jobs:
     uses: ./.github/workflows/__go-custom-queries.yml
     with:
       go-version: ${{ inputs.go-version }}
-      dotnet-version: ${{ inputs.dotnet-version }}
   go-indirect-tracing-workaround-diagnostic:
     name: 'Go: diagnostic when Go is changed after init step'
     permissions:

.github/workflows/__job-run-uuid-sarif.yml

@@ -64,7 +64,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__local-bundle.yml

@@ -32,11 +32,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -49,11 +44,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -95,10 +85,6 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Fetch latest CodeQL bundle
         run: |
           wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst

.github/workflows/__multi-language-autodetect.yml

@@ -9,9 +9,6 @@ env:
   GO111MODULE: auto
 on:
   push:
-    branches:
-      - main
-      - releases/v*
   pull_request:
     types:
       - opened
@@ -32,11 +29,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -49,11 +41,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -66,42 +53,8 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.20.7
-          - os: ubuntu-latest
-            version: stable-v2.20.7
-          - os: macos-latest
-            version: stable-v2.21.4
-          - os: ubuntu-latest
-            version: stable-v2.21.4
-          - os: macos-latest
-            version: stable-v2.22.4
-          - os: ubuntu-latest
-            version: stable-v2.22.4
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: default
           - os: macos-latest
             version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: nightly-latest
-          - os: ubuntu-latest
-            version: nightly-latest
     name: Multi-language repository
     if: github.triggering_actor != 'dependabot[bot]'
     permissions:
@@ -129,10 +82,6 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -199,6 +148,3 @@ jobs:
             echo "Did not create a database for Swift, or created it in the wrong location."
             exit 1
           fi
-    env:
-      CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -32,11 +32,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -49,11 +44,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -106,10 +96,6 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__packaging-config-inputs-js.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -91,10 +81,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__packaging-config-js.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -91,10 +81,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging.yml

.github/workflows/__packaging-inputs-js.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -91,10 +81,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging2.yml

.github/workflows/__quality-queries.yml

@@ -83,7 +83,7 @@ jobs:
           post-processed-sarif-path: ${{ runner.temp }}/post-processed
       - name: Upload security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: |
             quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -91,14 +91,14 @@ jobs:
           retention-days: 7
       - name: Upload quality SARIF
         if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: |
             quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
           path: ${{ runner.temp }}/results/javascript.quality.sarif
           retention-days: 7
       - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: |
             post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json

.github/workflows/__remote-config.yml

@@ -32,11 +32,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -49,11 +44,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -97,10 +87,6 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__rubocop-multi-language.yml

@@ -56,7 +56,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
+        uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/__split-workflow.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -90,10 +80,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__swift-custom-build.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -84,10 +74,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"

.github/workflows/__unset-environment.yml

@@ -32,11 +32,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -49,11 +44,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -97,10 +87,6 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__upload-ref-sha-input.yml

@@ -32,11 +32,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -49,11 +44,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -95,10 +85,6 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__upload-sarif.yml

@@ -32,11 +32,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -49,11 +44,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -102,10 +92,6 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__with-checkout-path.yml

@@ -32,11 +32,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -49,11 +44,6 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
-      dotnet-version:
-        type: string
-        description: The version of .NET to install
-        required: false
-        default: 9.x
 defaults:
   run:
     shell: bash
@@ -95,10 +85,6 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Delete original checkout
         run: |
           # delete the original checkout so we don't accidentally use it.

.github/workflows/check-expected-release-files.yml

@@ -15,7 +15,7 @@ defaults:
 
 jobs:
   check-expected-release-files:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
 
     permissions:
       contents: read

.github/workflows/codeql.yml

@@ -81,7 +81,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
         tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 

.github/workflows/debug-artifacts-failure-safe.yml

@@ -54,10 +54,6 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version: ^1.13.1
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: '9.x'
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
@@ -83,7 +79,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v5
       - name: Check expected artifacts exist
         run: |
           LANGUAGES="cpp csharp go java javascript python"

.github/workflows/debug-artifacts-safe.yml

@@ -50,10 +50,6 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version: ^1.13.1
-      - name: Install .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          dotnet-version: '9.x'
       - uses: ./../action/init
         id: init
         with:
@@ -77,7 +73,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v5
       - name: Check expected artifacts exist
         run: |
           VERSIONS="stable-v2.20.3 default linked nightly-latest"

.github/workflows/label-pr-size.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   sizeup:
     name: Label PR with size
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
 
     steps:
       - name: Run sizeup

.github/workflows/post-release-mergeback.yml

@@ -24,7 +24,7 @@ defaults:
 
 jobs:
   merge-back:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     environment: Automation
     if: github.repository == 'github/codeql-action'
     env:
@@ -48,9 +48,6 @@ jobs:
         with:
           fetch-depth: 0  # ensure we have all tags and can push commits
       - uses: actions/setup-node@v6
-      - uses: actions/setup-python@v6
-        with:
-          python-version: '3.12'
 
       - name: Update git config
         run: |

.github/workflows/prepare-release.yml

@@ -29,7 +29,7 @@ defaults:
 jobs:
   prepare:
     name: "Prepare release"
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     if: github.repository == 'github/codeql-action'
 
     permissions:

.github/workflows/publish-immutable-action.yml

@@ -1,10 +1,8 @@
 name: 'Publish Immutable Action Version'
 
 on:
-  push:
-    tags:
-      # Match version tags, but not the major version tags.
-      - 'v[0-9]+.**'
+  release:
+    types: [published]
 
 defaults:
   run:
@@ -12,16 +10,30 @@ defaults:
 
 jobs:
   publish:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     permissions:
       contents: read
       id-token: write
       packages: write
 
     steps:
-      - name: Checkout repository
+      - name: Check release name
+        id: check
+        env:
+          RELEASE_NAME: ${{ github.event.release.name }}
+        run: |
+          echo "Release name: ${{ github.event.release.name }}"
+          if [[ $RELEASE_NAME == v* ]]; then
+            echo "This is a CodeQL Action release. Create an Immutable Action"
+            echo "is-action-release=true" >> $GITHUB_OUTPUT
+          else
+            echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
+            echo "is-action-release=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Checking out
+        if: steps.check.outputs.is-action-release == 'true'
         uses: actions/checkout@v5
-
-      - name: Publish immutable release
+      - name: Publish
+        if: steps.check.outputs.is-action-release == 'true'
         id: publish
         uses: actions/publish-immutable-action@v0.0.4

.github/workflows/script/bundle_changelog.py

@@ -1,18 +0,0 @@
-import os
-import re
-
-# Get the PR number from the PR URL.
-pr_number = os.environ['PR_URL'].split('/')[-1]
-changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
-
-# If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
-with open('CHANGELOG.md', 'r') as f:
-    changelog = f.read()
-
-changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
-
-# Add the changelog note to the bottom of the "[UNRELEASED]" section.
-changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
-
-with open('CHANGELOG.md', 'w') as f:
-    f.write(changelog)

.github/workflows/script/update-required-checks.sh

@@ -29,7 +29,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"
 
 # Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
 
 echo "$CHECKS" | jq
 

.github/workflows/test-codeql-bundle-all.yml

@@ -43,10 +43,6 @@ jobs:
       with:
         version: ${{ matrix.version }}
         use-all-platform-bundle: true
-    - name: Install .NET
-      uses: actions/setup-dotnet@v5
-      with:
-        dotnet-version: '9.x'
     - id: init
       uses: ./../action/init
       with:

.github/workflows/update-bundle.yml

@@ -20,7 +20,7 @@ defaults:
 jobs:
   update-bundle:
     if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     permissions:
       contents: write # needed to push commits
       pull-requests: write # needed to create pull requests
@@ -40,11 +40,6 @@ jobs:
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: '3.12'
-
       - name: Set up Node.js
         uses: actions/setup-node@v6
         with:
@@ -83,8 +78,28 @@ jobs:
           echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"
 
       - name: Create changelog note
+        shell: python
         run: |
-          python .github/workflows/script/bundle_changelog.py
+          import os
+          import re
+
+          # Get the PR number from the PR URL.
+          pr_number = os.environ['PR_URL'].split('/')[-1]
+          changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+
+          # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
+          # Use perl to avoid having to escape the newline character.
+
+          with open('CHANGELOG.md', 'r') as f:
+              changelog = f.read()
+
+          changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
+
+          # Add the changelog note to the bottom of the "[UNRELEASED]" section.
+          changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
+
+          with open('CHANGELOG.md', 'w') as f:
+              f.write(changelog)
 
       - name: Push changelog note
         run: |

.github/workflows/update-release-branch.yml

@@ -26,7 +26,7 @@ jobs:
 
   update:
     timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     if: github.event_name == 'workflow_dispatch'
     needs: [prepare]
     env:
@@ -77,7 +77,7 @@ jobs:
 
   backport:
     timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     environment: Automation
     needs: [prepare]
     if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -4,18 +4,12 @@ on:
   schedule:
     - cron: "0 0 * * *"
   workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-    paths:
-      - .github/workflows/update-supported-enterprise-server-versions.yml
-      - .github/workflows/update-supported-enterprise-server-versions/update.py
 
 jobs:
   update-supported-enterprise-server-versions:
     name: Update Supported Enterprise Server Versions
     timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     if: github.repository == 'github/codeql-action'
     permissions:
       contents: write # needed to push commits
@@ -34,7 +28,6 @@ jobs:
           repository: github/enterprise-releases
           token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
           path: ${{ github.workspace }}/enterprise-releases/
-          sparse-checkout: releases.json
       - name: Update Supported Enterprise Server Versions
         run: |
           cd ./.github/workflows/update-supported-enterprise-server-versions/
@@ -42,7 +35,6 @@ jobs:
           pipenv install
           pipenv run ./update.py
           rm --recursive "$ENTERPRISE_RELEASES_PATH"
-          npm ci
           npm run build
         env:
           ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
@@ -52,25 +44,16 @@ jobs:
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
-      - name: Commit changes
-        id: prepare-commit
+      - name: Commit changes and open PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           if [[ -z $(git status --porcelain) ]]; then
             echo "No changes to commit"
-            echo "committed=false" >> $GITHUB_OUTPUT
           else
             git checkout -b update-supported-enterprise-server-versions
             git add .
             git commit --message "Update supported GitHub Enterprise Server versions"
-
-            echo "committed=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Open PR
-        if: github.event_name != 'pull_request' && steps.prepare-commit.outputs.committed == 'true'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
             git push origin update-supported-enterprise-server-versions
 
             body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
@@ -82,3 +65,4 @@ jobs:
             gh pr create --draft \
               --title "Update supported GitHub Enterprise Server versions" \
               --body "$body"
+          fi

CHANGELOG.md

@@ -4,17 +4,8 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
-- CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
-- Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288)
-
-## 4.31.2 - 30 Oct 2025
-
 No user facing changes.
 
-## 4.31.1 - 30 Oct 2025
-
-- The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
-
 ## 4.31.0 - 24 Oct 2025
 
 - Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)

analyze/action.yml

@@ -32,10 +32,14 @@ inputs:
       and 13GB for macOS).
     required: false
   add-snippets:
-    description: Does not have any effect.
+    description: Specify whether or not to add code snippets to the output sarif file.
     required: false
+    default: "false"
     deprecationMessage: >-
-      The input "add-snippets" has been removed and no longer has any effect.
+      The input "add-snippets" is deprecated and will be removed on the first release in August 2025.
+      When this input is set to true it is expected to add code snippets with an alert to the SARIF file.
+      However, since Code Scanning ignores code snippets provided as part of a SARIF file this is currently
+      a no operation. No alternative is available.
   skip-queries:
     description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
     required: false

eslint.config.mjs

@@ -12,7 +12,6 @@ import filenames from "eslint-plugin-filenames";
 import github from "eslint-plugin-github";
 import _import from "eslint-plugin-import";
 import noAsyncForeach from "eslint-plugin-no-async-foreach";
-import jsdoc from "eslint-plugin-jsdoc";
 import globals from "globals";
 
 const __filename = fileURLToPath(import.meta.url);
@@ -53,7 +52,6 @@ export default [
       github: fixupPluginRules(github),
       import: fixupPluginRules(_import),
       "no-async-foreach": noAsyncForeach,
-      "jsdoc": jsdoc,
     },
 
     languageOptions: {
@@ -135,16 +133,6 @@ export default [
       "@typescript-eslint/no-shadow": "error",
       "@typescript-eslint/prefer-optional-chain": "error",
       "one-var": ["error", "never"],
-
-      // Check param names to ensure that we don't have outdated JSDocs.
-      "jsdoc/check-param-names": [
-        "error",
-        {
-          // We don't currently require full JSDoc coverage, so this rule
-          // should not error on missing @param annotations.
-          disableMissingParamChecks: true,
-        }
-      ],
     },
   },
   {

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.5",
-  "cliVersion": "2.23.5",
-  "priorBundleVersion": "codeql-bundle-v2.23.3",
-  "priorCliVersion": "2.23.3"
+  "bundleVersion": "codeql-bundle-v2.23.3",
+  "cliVersion": "2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorCliVersion": "2.23.2"
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.31.3",
+  "version": "4.31.1",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -24,20 +24,22 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@actions/artifact": "^4.0.0",
+    "@actions/artifact": "^2.3.1",
     "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
     "@actions/cache": "^4.1.0",
     "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
     "@actions/github": "^6.0.0",
     "@actions/glob": "^0.5.0",
-    "@actions/http-client": "^3.0.0",
-    "@actions/io": "^2.0.0",
+    "@actions/http-client": "^2.2.3",
+    "@actions/io": "^1.1.3",
     "@actions/tool-cache": "^2.0.2",
     "@octokit/plugin-retry": "^6.0.0",
-    "@octokit/request-error": "^7.0.2",
+    "@octokit/request-error": "^7.0.1",
     "@schemastore/package": "0.0.10",
     "archiver": "^7.0.1",
+    "console-log-level": "^1.4.1",
+    "del": "^8.0.0",
     "fast-deep-equal": "^3.1.3",
     "follow-redirects": "^1.15.11",
     "get-folder-size": "^5.0.0",
@@ -45,34 +47,34 @@
     "jsonschema": "1.4.1",
     "long": "^5.3.2",
     "node-forge": "^1.3.1",
-    "octokit": "^5.0.5",
+    "octokit": "^5.0.4",
     "semver": "^7.7.3",
     "uuid": "^13.0.0"
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^1.4.1",
+    "@eslint/compat": "^1.4.0",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.39.1",
+    "@eslint/js": "^9.38.0",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
-    "@octokit/types": "^16.0.0",
-    "@types/archiver": "^7.0.0",
+    "@octokit/types": "^15.0.0",
+    "@types/archiver": "^6.0.3",
+    "@types/console-log-level": "^1.4.5",
     "@types/follow-redirects": "^1.14.4",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "20.19.9",
     "@types/node-forge": "^1.3.14",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.46.4",
+    "@typescript-eslint/eslint-plugin": "^8.46.1",
     "@typescript-eslint/parser": "^8.41.0",
     "ava": "^6.4.1",
-    "esbuild": "^0.27.0",
+    "esbuild": "^0.25.11",
     "eslint": "^8.57.1",
     "eslint-import-resolver-typescript": "^3.8.7",
     "eslint-plugin-filenames": "^1.3.2",
     "eslint-plugin-github": "^5.1.8",
     "eslint-plugin-import": "2.29.1",
-    "eslint-plugin-jsdoc": "^61.1.12",
     "eslint-plugin-no-async-foreach": "^0.1.1",
     "glob": "^11.0.3",
     "nock": "^14.0.10",

pr-checks/checks/all-platform-bundle.yml

@@ -4,7 +4,6 @@ operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["nightly-latest"]
 useAllPlatformBundle: "true"
 installGo: true
-installDotNet: true
 steps:
   - id: init
     uses: ./../action/init

pr-checks/checks/analyze-ref-input.yml

@@ -3,7 +3,6 @@ description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/autobuild-action.yml

@@ -2,7 +2,6 @@ name: "autobuild-action"
 description: "Tests that the C# autobuild action works"
 operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["linked"]
-installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/build-mode-manual.yml

@@ -2,7 +2,6 @@ name: "Build mode manual"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
 versions: ["nightly-latest"]
 installGo: true
-installDotNet: true
 steps:
   - uses: ./../action/init
     id: init

pr-checks/checks/bundle-zstd.yml

@@ -27,7 +27,7 @@ steps:
       output: ${{ runner.temp }}/results
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: ${{ matrix.os }}-zstd-bundle.sarif
       path: ${{ runner.temp }}/results/javascript.sarif

pr-checks/checks/config-export.yml

@@ -12,7 +12,7 @@ steps:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/diagnostics-export.yml

@@ -25,7 +25,7 @@ steps:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/export-file-baseline-information.yml

@@ -3,7 +3,6 @@ description: "Tests that file baseline information is exported when the feature
 operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["nightly-latest"]
 installGo: true
-installDotNet: true
 env:
   CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
 steps:
@@ -18,7 +17,7 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/go-custom-queries.yml

@@ -7,7 +7,6 @@ versions:
   - linked
   - nightly-latest
 installGo: true
-installDotNet: true
 env:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:

pr-checks/checks/job-run-uuid-sarif.yml

@@ -11,7 +11,7 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/local-bundle.yml

@@ -3,7 +3,6 @@ description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["linked"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
   - name: Fetch latest CodeQL bundle
     run: |

pr-checks/checks/multi-language-autodetect.yml

@@ -5,7 +5,6 @@ env:
   CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
 installPython: true
-installDotNet: true
 steps:
   - name: Use Xcode 16
     if: runner.os == 'macOS' && matrix.version != 'nightly-latest'

pr-checks/checks/packaging-codescanning-config-inputs-js.yml

@@ -4,7 +4,6 @@ versions: ["linked", "default", "nightly-latest"] # This feature is not compatib
 installGo: true
 installNode: true
 installPython: true
-installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/packaging-config-inputs-js.yml

@@ -3,7 +3,6 @@ description: "Checks that specifying packages using a combination of a config fi
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
-installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/packaging-config-js.yml

@@ -3,7 +3,6 @@ description: "Checks that specifying packages using only a config file works"
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
-installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/packaging-inputs-js.yml

@@ -3,7 +3,6 @@ description: "Checks that specifying packages using the input to the Action work
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
-installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/quality-queries.yml

@@ -39,7 +39,7 @@ steps:
       post-processed-sarif-path: "${{ runner.temp }}/post-processed"
   - name: Upload security SARIF
     if: contains(matrix.analysis-kinds, 'code-scanning')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: |
         quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -47,14 +47,14 @@ steps:
       retention-days: 7
   - name: Upload quality SARIF
     if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: |
         quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
       path: "${{ runner.temp }}/results/javascript.quality.sarif"
       retention-days: 7
   - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: |
         post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json

pr-checks/checks/remote-config.yml

@@ -7,7 +7,6 @@ versions:
   - nightly-latest
 installGo: true
 installPython: true
-installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/rubocop-multi-language.yml

@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
   - name: Set up Ruby
-    uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
+    uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
     with:
       ruby-version: 2.6
   - name: Install Code Scanning integration

pr-checks/checks/split-workflow.yml

@@ -3,7 +3,6 @@ description: "Tests a split-up workflow in which we first build a database and l
 operatingSystems: ["ubuntu", "macos"]
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
-installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/swift-custom-build.yml

@@ -3,7 +3,6 @@ description: "Tests creation of a Swift database using custom build"
 versions: ["linked", "default", "nightly-latest"]
 operatingSystems: ["macos"]
 installGo: true
-installDotNet: true
 env:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:

pr-checks/checks/unset-environment.yml

@@ -7,7 +7,6 @@ versions:
   - nightly-latest
 installGo: true
 installPython: true
-installDotNet: true
 steps:
   - uses: ./../action/init
     id: init

pr-checks/checks/upload-ref-sha-input.yml

@@ -3,7 +3,6 @@ description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/upload-sarif.yml

@@ -4,7 +4,6 @@ versions: ["default"]
 analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/with-checkout-path.yml

@@ -3,7 +3,6 @@ description: "Checks that a custom `checkout_path` will find the proper commit_o
 versions: ["linked"]
 installGo: true
 installPython: true
-installDotNet: true
 steps:
   # This ensures we don't accidentally use the original checkout for any part of the test.
   - name: Delete original checkout

pr-checks/sync.py

@@ -204,25 +204,6 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
             }
         })
 
-    installDotNet = is_truthy(checkSpecification.get('installDotNet', ''))
-
-    if installDotNet:
-        baseDotNetVersionExpr = '9.x'
-        workflowInputs['dotnet-version'] = {
-            'type': 'string',
-            'description': 'The version of .NET to install',
-            'required': False,
-            'default': baseDotNetVersionExpr,
-        }
-
-        steps.append({
-            'name': 'Install .NET',
-            'uses': 'actions/setup-dotnet@v5',
-            'with': {
-                'dotnet-version': '${{ inputs.dotnet-version || \'' + baseDotNetVersionExpr + '\' }}'
-            }
-        })
-
     # If container initialisation steps are present in the check specification,
     # make sure to execute them first.
     if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:
@@ -356,6 +337,11 @@ for collection_name in collections:
                 'GO111MODULE': 'auto'
             },
             'on': {
+                'push': {
+                    'paths': [
+                        f'.github/workflows/__{collection_name}.yml'
+                    ]
+                },
                 'workflow_dispatch': {
                     'inputs': combinedInputs
                 },

scripts/check-node-modules.sh

@@ -9,15 +9,9 @@ if [ "$GITHUB_ACTIONS" = "true" ]; then
 fi
 
 # Check if npm install is likely needed before proceeding
-if [ ! -d node_modules ]; then
-  echo "Running 'npm install' because 'node_modules' directory is missing."
-  npm install
-elif [ package.json -nt package-lock.json ]; then
-  echo "Running 'npm install' because 'package-lock.json' appears to be outdated."
-  npm install
-elif [ package-lock.json -nt node_modules/.package-lock.json ]; then
-  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated."
+if [ ! -d node_modules ] || [ package-lock.json -nt node_modules/.package-lock.json ]; then
+  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated..."
   npm install
 else
-  echo "Skipping 'npm install' because everything appears to be up-to-date."
+  echo "Skipping 'npm install' because 'node_modules/.package-lock.json' appears to be up-to-date."
 fi

src/analyze-action-env.test.ts

@@ -78,7 +78,7 @@ test("analyze action with RAM & threads from environment variables", async (t) =
     t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
     t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=4992");
     t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
     t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=4992");
   });
 });

src/analyze-action-input.test.ts

@@ -76,7 +76,7 @@ test("analyze action with RAM & threads from action inputs", async (t) => {
     t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
     t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=3012");
     t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
     t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=3012");
   });
 });

src/analyze-action.ts

@@ -324,16 +324,10 @@ async function run() {
     );
 
     if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
-      // Warn if the removed `add-snippets` input is used.
-      if (actionsUtil.getOptionalInput("add-snippets") !== undefined) {
-        logger.warning(
-          "The `add-snippets` input has been removed and no longer has any effect.",
-        );
-      }
-
       runStats = await runQueries(
         outputDir,
         memory,
+        util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")),
         threads,
         diffRangePackDir,
         actionsUtil.getOptionalInput("category"),
@@ -438,11 +432,14 @@ async function run() {
 
     // Store dependency cache(s) if dependency caching is enabled.
     if (shouldStoreCache(config.dependencyCachingEnabled)) {
-      dependencyCacheResults = await uploadDependencyCaches(
+      const minimizeJavaJars = await features.getValue(
+        Feature.JavaMinimizeDependencyJars,
         codeql,
-        features,
+      );
+      dependencyCacheResults = await uploadDependencyCaches(
         config,
         logger,
+        minimizeJavaJars,
       );
     }
 

src/analyze.test.ts

@@ -37,6 +37,7 @@ test("status report fields", async (t) => {
     setupActionsVars(tmpDir, tmpDir);
 
     const memoryFlag = "";
+    const addSnippetsFlag = "";
     const threadsFlag = "";
     sinon.stub(uploadLib, "validateSarifFileSchema");
 
@@ -102,6 +103,7 @@ test("status report fields", async (t) => {
       const statusReport = await runQueries(
         tmpDir,
         memoryFlag,
+        addSnippetsFlag,
         threadsFlag,
         undefined,
         undefined,

src/analyze.ts

@@ -3,6 +3,7 @@ import * as path from "path";
 import { performance } from "perf_hooks";
 
 import * as io from "@actions/io";
+import * as del from "del";
 import * as yaml from "js-yaml";
 
 import { getTemporaryDirectory, PullRequestBranches } from "./actions-util";
@@ -38,26 +39,89 @@ export class CodeQLAnalysisError extends Error {
   }
 }
 
-type KnownLanguageKey = keyof typeof KnownLanguage;
-
-type RunQueriesDurationStatusReport = {
+export interface QueriesStatusReport {
   /**
-   * Time taken in ms to run queries for the language (or undefined if this language was not analyzed).
+   * Time taken in ms to run queries for actions (or undefined if this language was not analyzed).
    *
    * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
    * taken to run _all_ the queries.
    */
-  [L in KnownLanguageKey as `analyze_builtin_queries_${L}_duration_ms`]?: number;
-};
+  analyze_builtin_queries_actions_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for cpp (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_cpp_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for csharp (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_csharp_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for go (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_go_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for java (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_java_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for javascript (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_javascript_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for python (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_python_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for ruby (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_ruby_duration_ms?: number;
+  /** Time taken in ms to run queries for swift (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_swift_duration_ms?: number;
 
-type InterpretResultsDurationStatusReport = {
-  /** Time taken in ms to interpret results for the language (or undefined if this language was not analyzed). */
-  [L in KnownLanguageKey as `interpret_results_${L}_duration_ms`]?: number;
-};
+  /** Time taken in ms to interpret results for actions (or undefined if this language was not analyzed). */
+  interpret_results_actions_duration_ms?: number;
+  /** Time taken in ms to interpret results for cpp (or undefined if this language was not analyzed). */
+  interpret_results_cpp_duration_ms?: number;
+  /** Time taken in ms to interpret results for csharp (or undefined if this language was not analyzed). */
+  interpret_results_csharp_duration_ms?: number;
+  /** Time taken in ms to interpret results for go (or undefined if this language was not analyzed). */
+  interpret_results_go_duration_ms?: number;
+  /** Time taken in ms to interpret results for java (or undefined if this language was not analyzed). */
+  interpret_results_java_duration_ms?: number;
+  /** Time taken in ms to interpret results for javascript (or undefined if this language was not analyzed). */
+  interpret_results_javascript_duration_ms?: number;
+  /** Time taken in ms to interpret results for python (or undefined if this language was not analyzed). */
+  interpret_results_python_duration_ms?: number;
+  /** Time taken in ms to interpret results for ruby (or undefined if this language was not analyzed). */
+  interpret_results_ruby_duration_ms?: number;
+  /** Time taken in ms to interpret results for swift (or undefined if this language was not analyzed). */
+  interpret_results_swift_duration_ms?: number;
 
-export interface QueriesStatusReport
-  extends RunQueriesDurationStatusReport,
-    InterpretResultsDurationStatusReport {
   /**
    * Whether the analysis is diff-informed (in the sense that the action generates a diff-range data
    * extension for the analysis, regardless of whether the data extension is actually used by queries).
@@ -373,6 +437,7 @@ export function addSarifExtension(
 export async function runQueries(
   sarifFolder: string,
   memoryFlag: string,
+  addSnippetsFlag: string,
   threadsFlag: string,
   diffRangePackDir: string | undefined,
   automationDetailsId: string | undefined,
@@ -562,6 +627,7 @@ export async function runQueries(
       databasePath,
       queries,
       sarifFile,
+      addSnippetsFlag,
       threadsFlag,
       enableDebugLogging ? "-vv" : "-v",
       sarifRunPropertyFlag,
@@ -605,7 +671,7 @@ export async function runFinalize(
   logger: Logger,
 ): Promise<DatabaseCreationTimings> {
   try {
-    await fs.promises.rm(outputDir, { force: true, recursive: true });
+    await del.deleteAsync(outputDir, { force: true });
   } catch (error: any) {
     if (error?.code !== "ENOENT") {
       throw error;

src/api-client.test.ts

@@ -169,32 +169,4 @@ test("wrapApiConfigurationError correctly wraps specific configuration errors",
     res,
     new util.ConfigurationError("Resource not accessible by integration"),
   );
-
-  // Enablement errors.
-  const enablementErrorMessages = [
-    "Code Security must be enabled for this repository to use code scanning",
-    "Advanced Security must be enabled for this repository to use code scanning",
-    "Code Scanning is not enabled for this repository. Please enable code scanning in the repository settings.",
-  ];
-  const transforms = [
-    (msg: string) => msg,
-    (msg: string) => msg.toLowerCase(),
-    (msg: string) => msg.toLocaleUpperCase(),
-  ];
-
-  for (const enablementErrorMessage of enablementErrorMessages) {
-    for (const transform of transforms) {
-      const enablementError = new util.HTTPError(
-        transform(enablementErrorMessage),
-        403,
-      );
-      res = api.wrapApiConfigurationError(enablementError);
-      t.deepEqual(
-        res,
-        new util.ConfigurationError(
-          api.getFeatureEnablementError(enablementError.message),
-        ),
-      );
-    }
-  }
 });

src/api-client.ts

@@ -1,6 +1,7 @@
 import * as core from "@actions/core";
 import * as githubUtils from "@actions/github/lib/utils";
 import * as retry from "@octokit/plugin-retry";
+import consoleLogLevel from "console-log-level";
 
 import { getActionVersion, getRequiredInput } from "./actions-util";
 import { Logger } from "./logging";
@@ -49,12 +50,7 @@ function createApiClientWithDetails(
     githubUtils.getOctokitOptions(auth, {
       baseUrl: apiDetails.apiURL,
       userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: {
-        debug: core.debug,
-        info: core.info,
-        warn: core.warning,
-        error: core.error,
-      },
+      log: consoleLogLevel({ level: "debug" }),
     }),
   );
 }
@@ -283,20 +279,6 @@ export async function getRepositoryProperties(repositoryNwo: RepositoryNwo) {
   });
 }
 
-function isEnablementError(msg: string) {
-  return [
-    /Code Security must be enabled/i,
-    /Advanced Security must be enabled/i,
-    /Code Scanning is not enabled/i,
-  ].some((pattern) => pattern.test(msg));
-}
-
-// TODO: Move to `error-messages.ts` after refactoring import order to avoid cycle
-// since `error-messages.ts` currently depends on this file.
-export function getFeatureEnablementError(message: string): string {
-  return `Please verify that the necessary features are enabled: ${message}`;
-}
-
 export function wrapApiConfigurationError(e: unknown) {
   const httpError = asHTTPError(e);
   if (httpError !== undefined) {
@@ -318,11 +300,6 @@ export function wrapApiConfigurationError(e: unknown) {
         "Please check that your token is valid and has the required permissions: contents: read, security-events: write",
       );
     }
-    if (httpError.status === 403 && isEnablementError(httpError.message)) {
-      return new ConfigurationError(
-        getFeatureEnablementError(httpError.message),
-      );
-    }
     if (httpError.status === 429) {
       return new ConfigurationError("API rate limit exceeded");
     }

src/caching-utils.ts

@@ -1,5 +1,3 @@
-import * as crypto from "crypto";
-
 import * as core from "@actions/core";
 
 import { getOptionalInput, isDefaultSetup } from "./actions-util";
@@ -73,33 +71,6 @@ export function getCachingKind(input: string | undefined): CachingKind {
   }
 }
 
-// The length to which `createCacheKeyHash` truncates hash strings.
-export const cacheKeyHashLength = 16;
-
-/**
- * Creates a SHA-256 hash of the cache key components to ensure uniqueness
- * while keeping the cache key length manageable.
- *
- * @param components Object containing all components that should influence cache key uniqueness
- * @returns A short SHA-256 hash (first 16 characters) of the components
- */
-export function createCacheKeyHash(components: Record<string, any>): string {
-  // From https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify
-  //
-  // "Properties are visited using the same algorithm as Object.keys(), which
-  // has a well-defined order and is stable across implementations. For example,
-  // JSON.stringify on the same object will always produce the same string, and
-  // JSON.parse(JSON.stringify(obj)) would produce an object with the same key
-  // ordering as the original (assuming the object is completely
-  // JSON-serializable)."
-  const componentsJson = JSON.stringify(components);
-  return crypto
-    .createHash("sha256")
-    .update(componentsJson)
-    .digest("hex")
-    .substring(0, cacheKeyHashLength);
-}
-
 /** Determines whether dependency caching is enabled. */
 export function getDependencyCachingEnabled(): CachingKind {
   // If the workflow specified something always respect that

src/codeql.test.ts

@@ -5,6 +5,7 @@ import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as io from "@actions/io";
 import * as toolcache from "@actions/tool-cache";
 import test, { ExecutionContext } from "ava";
+import * as del from "del";
 import * as yaml from "js-yaml";
 import nock from "nock";
 import * as sinon from "sinon";
@@ -556,7 +557,7 @@ const injectedConfigMacro = test.macro({
       const augmentedConfig = yaml.load(fs.readFileSync(configFile, "utf8"));
       t.deepEqual(augmentedConfig, expectedConfig);
 
-      await fs.promises.rm(configFile, { force: true });
+      await del.deleteAsync(configFile, { force: true });
     });
   },
 
@@ -1045,7 +1046,7 @@ test("Avoids duplicating --overwrite flag if specified in CODEQL_ACTION_EXTRA_OP
   );
   t.truthy(configArg, "Should have injected a codescanning config");
   const configFile = configArg!.split("=")[1];
-  await fs.promises.rm(configFile, { force: true });
+  await del.deleteAsync(configFile, { force: true });
 });
 
 export function stubToolRunnerConstructor(

src/codeql.ts

@@ -167,6 +167,7 @@ export interface CodeQL {
     databasePath: string,
     querySuitePaths: string[] | undefined,
     sarifFile: string,
+    addSnippetsFlag: string,
     threadsFlag: string,
     verbosityFlag: string | undefined,
     sarifRunPropertyFlag: string | undefined,
@@ -816,6 +817,7 @@ export async function getCodeQLForCmd(
       databasePath: string,
       querySuitePaths: string[] | undefined,
       sarifFile: string,
+      addSnippetsFlag: string,
       threadsFlag: string,
       verbosityFlag: string,
       sarifRunPropertyFlag: string | undefined,
@@ -834,6 +836,7 @@ export async function getCodeQLForCmd(
         "--format=sarif-latest",
         verbosityFlag,
         `--output=${sarifFile}`,
+        addSnippetsFlag,
         "--print-diagnostics-summary",
         "--print-metrics-summary",
         "--sarif-add-baseline-file-info",
@@ -1071,10 +1074,7 @@ export async function getCodeQLForCmd(
 /**
  * Gets the options for `path` of `options` as an array of extra option strings.
  *
- * @param paths The CLI command components to get extra options for.
- * @param args Additional arguments for this function.
- * @param args.ignoringOptions
- *   Options that should be ignored, for example because they have already
+ * @param ignoringOptions Options that should be ignored, for example because they have already
  *                        been passed and it is an error to pass them more than once.
  */
 function getExtraOptionsFromEnv(
@@ -1157,9 +1157,8 @@ async function runCli(
 /**
  * Writes the code scanning configuration that is to be used by the CLI.
  *
- * @param config The CodeQL Action state to write.
- * @param logger The logger to use.
- *
+ * @param codeql The CodeQL object to use.
+ * @param config The CodeQL Action state to use.
  * @returns The path to the generated user configuration file.
  */
 async function writeCodeScanningConfigFile(

src/config-utils.test.ts

@@ -873,7 +873,13 @@ const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
     expectedLanguages: ["javascript"],
   },
 ].forEach((args) => {
-  test(`getLanguages: ${args.name}`, async (t) => {
+  for (const resolveSupportedLanguagesUsingCli of [true, false]) {
+    test(`getLanguages${resolveSupportedLanguagesUsingCli ? " (supported languages via CLI)" : ""}: ${args.name}`, async (t) => {
+      const features = createFeatures(
+        resolveSupportedLanguagesUsingCli
+          ? [Feature.ResolveSupportedLanguagesUsingCli]
+          : [],
+      );
       const mockRequest = mockLanguagesInRepo(args.languagesInRepository);
       const stubExtractorEntry = {
         extractor_root: "",
@@ -909,6 +915,7 @@ const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
           args.languagesInput,
           mockRepositoryNwo,
           ".",
+          features,
           mockLogger,
         );
 
@@ -922,6 +929,7 @@ const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
               args.languagesInput,
               mockRepositoryNwo,
               ".",
+              features,
               mockLogger,
             ),
           { message: args.expectedError },
@@ -929,6 +937,7 @@ const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
       }
       t.deepEqual(mockRequest.called, args.expectedApiCall);
     });
+  }
 });
 
 for (const { displayName, language, feature } of [

src/config-utils.ts

@@ -34,7 +34,6 @@ import {
   OverlayDatabaseMode,
 } from "./overlay-database-utils";
 import { RepositoryNwo } from "./repository";
-import { ToolsFeature } from "./tools-features";
 import { downloadTrapCaches } from "./trap-caching";
 import {
   GitHubVersion,
@@ -178,10 +177,12 @@ export interface Config {
 
 export async function getSupportedLanguageMap(
   codeql: CodeQL,
+  features: FeatureEnablement,
   logger: Logger,
 ): Promise<Record<string, string>> {
-  const resolveSupportedLanguagesUsingCli = await codeql.supportsFeature(
-    ToolsFeature.BuiltinExtractorsSpecifyDefaultQueries,
+  const resolveSupportedLanguagesUsingCli = await features.getValue(
+    Feature.ResolveSupportedLanguagesUsingCli,
+    codeql,
   );
   const resolveResult = await codeql.betterResolveLanguages({
     filterToLanguagesWithQueries: resolveSupportedLanguagesUsingCli,
@@ -282,6 +283,7 @@ export async function getLanguages(
   languagesInput: string | undefined,
   repository: RepositoryNwo,
   sourceRoot: string,
+  features: FeatureEnablement,
   logger: Logger,
 ): Promise<Language[]> {
   // Obtain languages without filtering them.
@@ -292,7 +294,7 @@ export async function getLanguages(
     logger,
   );
 
-  const languageMap = await getSupportedLanguageMap(codeql, logger);
+  const languageMap = await getSupportedLanguageMap(codeql, features, logger);
   const languagesSet = new Set<Language>();
   const unknownLanguages: string[] = [];
 
@@ -429,6 +431,7 @@ export async function initActionState(
     languagesInput,
     repository,
     sourceRoot,
+    features,
     logger,
   );
 
@@ -1033,6 +1036,7 @@ export async function getConfig(
  * pack.
  *
  * @param registriesInput The value of the `registries` input.
+ * @param codeQL a codeQL object, used only for checking the version of CodeQL.
  * @param tempDir a temporary directory to store the generated qlconfig.yml file.
  * @param logger a logger object.
  * @returns The path to the generated `qlconfig.yml` file and the auth tokens to

src/config/db-config.ts

@@ -160,6 +160,7 @@ const PACK_IDENTIFIER_PATTERN = (function () {
  * Version and path are optional.
  *
  * @param packStr the package specification to verify.
+ * @param configFile Config file to use for error reporting
  */
 export function parsePacksSpecification(packStr: string): Pack {
   if (typeof packStr !== "string") {

src/debug-artifacts.ts

@@ -5,6 +5,7 @@ import * as artifact from "@actions/artifact";
 import * as artifactLegacy from "@actions/artifact-legacy";
 import * as core from "@actions/core";
 import archiver from "archiver";
+import * as del from "del";
 
 import { getOptionalInput, getTemporaryDirectory } from "./actions-util";
 import { dbIsFinalized } from "./analyze";
@@ -344,7 +345,7 @@ async function createPartialDatabaseBundle(
   );
   // See `bundleDb` for explanation behind deleting existing db bundle.
   if (fs.existsSync(databaseBundlePath)) {
-    await fs.promises.rm(databaseBundlePath, { force: true });
+    await del.deleteAsync(databaseBundlePath, { force: true });
   }
   const output = fs.createWriteStream(databaseBundlePath);
   const zip = archiver("zip");