Fix linitng issues.

We don't use them yet and will re-save them during analysis.

.github/actions/release-initialise/action.yml

@@ -16,9 +16,9 @@ runs:
       shell: bash
 
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@v5
       with:
-        python-version: '3.12'
+        python-version: 3.12
 
     - name: Install dependencies
       run: |

.github/dependabot.yml

@@ -16,12 +16,9 @@ updates:
       - dependency-name: "eslint-plugin-import"
         versions: [">=2.30.0"]
     groups:
-      npm-minor:
+      npm:
         patterns:
           - "*"
-        update-types:
-          - "minor"
-          - "patch"
   - package-ecosystem: github-actions
     directories:
       - "/.github/workflows"
@@ -31,9 +28,6 @@ updates:
     labels:
       - Rebuild
     groups:
-      actions-minor:
+      actions:
         patterns:
           - "*"
-        update-types:
-          - "minor"
-          - "patch"

.github/sizeup.yml

@@ -1,55 +0,0 @@
-labeling:
-  applyCategoryLabels: true
-  categoryLabelPrefix: "size/"
-
-commenting:
-  addCommentWhenScoreThresholdHasBeenExceeded: false
-
-sizeup:
-  categories:
-    - name: extra small
-      lte: 25
-      label:
-        name: XS
-        description: Should be very easy to review
-        color: 3cbf00
-    - name: small
-      lte: 100
-      label:
-        name: S
-        description: Should be easy to review
-        color: 5d9801
-    - name: medium
-      lte: 250
-      label:
-        name: M
-        description: Should be of average difficulty to review
-        color: 7f7203
-    - name: large
-      lte: 500
-      label:
-        name: L
-        description: May be hard to review
-        color: a14c05
-    - name: extra large
-      lte: 1000
-      label:
-        name: XL
-        description: May be very hard to review
-        color: c32607
-    - name: extra extra large
-      label:
-        name: XXL
-        description: May be extremely hard to review
-        color: e50009
-  ignoredFilePatterns:
-    - ".github/workflows/__*"
-    - "lib/**/*"
-    - "package-lock.json"
-  testFilePatterns:
-    - "**/*.test.ts"
-  scoring:
-    # This formula and the aliases below it are written in prefix notation.
-    # For an explanation of how this works, please see:
-    # https://github.com/lerebear/sizeup-core/blob/main/README.md#prefix-notation
-    formula: "- - + additions deletions comments whitespace"

.github/update-release-branch.py

@@ -371,10 +371,10 @@ def main():
       # releases.
       run_git('revert', vOlder_update_commits[0], '--no-edit')
 
-      # Also revert the "Rebuild" commit created by Actions.
+      # Also revert the "Update checked-in dependencies" commit created by Actions.
-      rebuild_commit = run_git('log', '--grep', '^Rebuild$', '--format=%H').split()[0]
+      update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0]
-      print(f'  Reverting {rebuild_commit}')
+      print(f'  Reverting {update_dependencies_commit}')
-      run_git('revert', rebuild_commit, '--no-edit')
+      run_git('revert', update_dependencies_commit, '--no-edit')
 
     else:
       print('  Nothing to revert.')

.github/workflows/__analyze-ref-input.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -80,11 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__bundle-from-toolcache.yml

@@ -67,9 +67,10 @@ jobs:
             if (allCodeqlVersions.length === 0) {
               throw new Error(`CodeQL could not be found in the toolcache`);
             }
-      - id: setup-codeql
+      - id: init
-        uses: ./../action/setup-codeql
+        uses: ./../action/init
         with:
+          languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Check CodeQL is installed within the toolcache
         uses: actions/github-script@v8

.github/workflows/__bundle-zstd.yml

@@ -79,7 +79,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.os }}-zstd-bundle.sarif
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__config-export.yml

@@ -67,7 +67,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__config-input.yml

@@ -49,7 +49,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__diagnostics-export.yml

@@ -78,7 +78,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__export-file-baseline-information.yml

@@ -85,7 +85,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__job-run-uuid-sarif.yml

@@ -64,7 +64,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__local-bundle.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -80,11 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Fetch latest CodeQL bundle
         run: |
           wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst

.github/workflows/__multi-language-autodetect.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -114,11 +104,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -73,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm
@@ -91,11 +81,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__packaging-config-inputs-js.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__packaging-config-js.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__packaging-inputs-js.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__quality-queries.yml

@@ -80,10 +80,9 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
           upload-database: false
-          post-processed-sarif-path: ${{ runner.temp }}/post-processed
       - name: Upload security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: |
             quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -91,20 +90,12 @@ jobs:
           retention-days: 7
       - name: Upload quality SARIF
         if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
         with:
           name: |
             quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
           path: ${{ runner.temp }}/results/javascript.quality.sarif
           retention-days: 7
-      - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v5
-        with:
-          name: |
-            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-          path: ${{ runner.temp }}/post-processed
-          retention-days: 7
-          if-no-files-found: error
       - name: Check quality query does not appear in security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
         uses: actions/github-script@v8

.github/workflows/__remote-config.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -82,11 +72,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__rubocop-multi-language.yml

@@ -56,7 +56,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
+        uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/__unset-environment.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -82,11 +72,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__upload-ref-sha-input.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -80,11 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__upload-sarif.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -87,11 +77,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__with-checkout-path.yml

@@ -27,11 +27,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -39,11 +34,6 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
-      python-version:
-        type: string
-        description: The version of Python to install
-        required: false
-        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -80,11 +70,6 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
-      - name: Install Python
-        if: matrix.version != 'nightly-latest'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Delete original checkout
         run: |
           # delete the original checkout so we don't accidentally use it.

.github/workflows/check-expected-release-files.yml

@@ -15,7 +15,7 @@ defaults:
 
 jobs:
   check-expected-release-files:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
 
     permissions:
       contents: read

.github/workflows/codeql.yml

@@ -81,7 +81,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
         tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 

.github/workflows/codescanning-config-cli.yml

@@ -56,7 +56,7 @@ jobs:
       uses: actions/checkout@v5
 
     - name: Set up Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v5
       with:
         node-version: 24
         cache: 'npm'

.github/workflows/debug-artifacts-failure-safe.yml

@@ -79,7 +79,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v5
       - name: Check expected artifacts exist
         run: |
           LANGUAGES="cpp csharp go java javascript python"

.github/workflows/debug-artifacts-safe.yml

@@ -73,7 +73,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v5
       - name: Check expected artifacts exist
         run: |
           VERSIONS="stable-v2.20.3 default linked nightly-latest"

.github/workflows/label-pr-size.yml

@@ -1,26 +0,0 @@
-name: Label PR with size
-
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - edited
-      - ready_for_review
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  sizeup:
-    name: Label PR with size
-    runs-on: ubuntu-slim
-
-    steps:
-      - name: Run sizeup
-        uses: lerebear/sizeup-action@b7beb3dd273e36039e16e48e7bc690c189e61951 # 0.8.12
-        with:
-          token: "${{ secrets.GITHUB_TOKEN }}"
-          configuration-file-path: ".github/sizeup.yml"

.github/workflows/post-release-mergeback.yml

@@ -24,7 +24,7 @@ defaults:
 
 jobs:
   merge-back:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     environment: Automation
     if: github.repository == 'github/codeql-action'
     env:
@@ -47,10 +47,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@v5
-      - uses: actions/setup-python@v6
-        with:
-          python-version: '3.12'
 
       - name: Update git config
         run: |
@@ -149,7 +146,6 @@ jobs:
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
 
       - name: Create the GitHub release
-        if: steps.check.outputs.exists != 'true'
         env:
           PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
           VERSION: "${{ steps.getVersion.outputs.version }}"

.github/workflows/pr-checks.yml

@@ -35,7 +35,7 @@ jobs:
       - uses: actions/checkout@v5
 
       - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
@@ -73,7 +73,7 @@ jobs:
         run: npm run lint-ci
 
       - name: Upload sarif
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@v3
         if: matrix.os == 'ubuntu-latest' && matrix.node-version == 24
         with:
           sarif_file: eslint.sarif

.github/workflows/prepare-release.yml

@@ -29,7 +29,7 @@ defaults:
 jobs:
   prepare:
     name: "Prepare release"
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     if: github.repository == 'github/codeql-action'
 
     permissions:

.github/workflows/publish-immutable-action.yml

@@ -1,10 +1,8 @@
 name: 'Publish Immutable Action Version'
 
 on:
-  push:
+  release:
-    tags:
+    types: [published]
-      # Match version tags, but not the major version tags.
-      - 'v[0-9]+.**'
 
 defaults:
   run:
@@ -12,16 +10,30 @@ defaults:
 
 jobs:
   publish:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     permissions:
       contents: read
       id-token: write
       packages: write
 
     steps:
-      - name: Checkout repository
+      - name: Check release name
+        id: check
+        env:
+          RELEASE_NAME: ${{ github.event.release.name }}
+        run: |
+          echo "Release name: ${{ github.event.release.name }}"
+          if [[ $RELEASE_NAME == v* ]]; then
+            echo "This is a CodeQL Action release. Create an Immutable Action"
+            echo "is-action-release=true" >> $GITHUB_OUTPUT
+          else
+            echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
+            echo "is-action-release=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Checking out
+        if: steps.check.outputs.is-action-release == 'true'
         uses: actions/checkout@v5
-
+      - name: Publish
-      - name: Publish immutable release
+        if: steps.check.outputs.is-action-release == 'true'
         id: publish
         uses: actions/publish-immutable-action@v0.0.4

.github/workflows/query-filters.yml

@@ -32,7 +32,7 @@ jobs:
       uses: actions/checkout@v5
 
     - name: Install Node.js
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v5
       with:
         node-version: 24
         cache: npm

.github/workflows/script/bundle_changelog.py

@@ -1,18 +0,0 @@
-import os
-import re
-
-# Get the PR number from the PR URL.
-pr_number = os.environ['PR_URL'].split('/')[-1]
-changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
-
-# If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
-with open('CHANGELOG.md', 'r') as f:
-    changelog = f.read()
-
-changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
-
-# Add the changelog note to the bottom of the "[UNRELEASED]" section.
-changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
-
-with open('CHANGELOG.md', 'w') as f:
-    f.write(changelog)

.github/workflows/script/update-required-checks.sh

@@ -29,7 +29,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"
 
 # Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
 
 echo "$CHECKS" | jq
 

.github/workflows/update-bundle.yml

@@ -20,7 +20,7 @@ defaults:
 jobs:
   update-bundle:
     if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     permissions:
       contents: write # needed to push commits
       pull-requests: write # needed to create pull requests
@@ -40,13 +40,8 @@ jobs:
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: '3.12'
-
       - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 24
           cache: 'npm'
@@ -83,8 +78,28 @@ jobs:
           echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"
 
       - name: Create changelog note
+        shell: python
         run: |
-          python .github/workflows/script/bundle_changelog.py
+          import os
+          import re
+
+          # Get the PR number from the PR URL.
+          pr_number = os.environ['PR_URL'].split('/')[-1]
+          changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+
+          # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
+          # Use perl to avoid having to escape the newline character.
+
+          with open('CHANGELOG.md', 'r') as f:
+              changelog = f.read()
+
+          changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
+
+          # Add the changelog note to the bottom of the "[UNRELEASED]" section.
+          changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
+
+          with open('CHANGELOG.md', 'w') as f:
+              f.write(changelog)
 
       - name: Push changelog note
         run: |

.github/workflows/update-release-branch.yml

@@ -26,7 +26,7 @@ jobs:
 
   update:
     timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     if: github.event_name == 'workflow_dispatch'
     needs: [prepare]
     env:
@@ -77,7 +77,7 @@ jobs:
 
   backport:
     timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     environment: Automation
     needs: [prepare]
     if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -4,18 +4,12 @@ on:
   schedule:
     - cron: "0 0 * * *"
   workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-    paths:
-      - .github/workflows/update-supported-enterprise-server-versions.yml
-      - .github/workflows/update-supported-enterprise-server-versions/update.py
 
 jobs:
   update-supported-enterprise-server-versions:
     name: Update Supported Enterprise Server Versions
     timeout-minutes: 45
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
     if: github.repository == 'github/codeql-action'
     permissions:
       contents: write # needed to push commits
@@ -34,7 +28,6 @@ jobs:
           repository: github/enterprise-releases
           token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
           path: ${{ github.workspace }}/enterprise-releases/
-          sparse-checkout: releases.json
       - name: Update Supported Enterprise Server Versions
         run: |
           cd ./.github/workflows/update-supported-enterprise-server-versions/
@@ -42,7 +35,6 @@ jobs:
           pipenv install
           pipenv run ./update.py
           rm --recursive "$ENTERPRISE_RELEASES_PATH"
-          npm ci
           npm run build
         env:
           ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
@@ -52,25 +44,16 @@ jobs:
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
-      - name: Commit changes
+      - name: Commit changes and open PR
-        id: prepare-commit
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           if [[ -z $(git status --porcelain) ]]; then
             echo "No changes to commit"
-            echo "committed=false" >> $GITHUB_OUTPUT
           else
             git checkout -b update-supported-enterprise-server-versions
             git add .
             git commit --message "Update supported GitHub Enterprise Server versions"
-
-            echo "committed=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Open PR
-        if: github.event_name != 'pull_request' && steps.prepare-commit.outputs.committed == 'true'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
             git push origin update-supported-enterprise-server-versions
 
             body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
@@ -82,3 +65,4 @@ jobs:
             gh pr create --draft \
               --title "Update supported GitHub Enterprise Server versions" \
               --body "$body"
+          fi

CHANGELOG.md

@@ -4,28 +4,6 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
-- CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
-
-## 4.31.2 - 30 Oct 2025
-
-No user facing changes.
-
-## 4.31.1 - 30 Oct 2025
-
-- The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
-
-## 4.31.0 - 24 Oct 2025
-
-- Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
-- When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
-
-## 4.30.9 - 17 Oct 2025
-
-- Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
-- Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
-
-## 4.30.8 - 10 Oct 2025
-
 No user facing changes.
 
 ## 4.30.7 - 06 Oct 2025

README.md

@@ -34,7 +34,6 @@ Actions with special purposes and unlikely to be used directly:
 - `autobuild`: Attempts to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead. For information about input parameters, see the [autobuild action definition](https://github.com/github/codeql-action/blob/main/autobuild/action.yml).
 - `resolve-environment`: [Experimental] Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the [resolve-environment action definition](https://github.com/github/codeql-action/blob/main/resolve-environment/action.yml).
 - `start-proxy`: [Experimental] Start the HTTP proxy server. Internal use only and will change without notice. For information about input parameters, see the [start-proxy action definition](https://github.com/github/codeql-action/blob/main/start-proxy/action.yml).
-- `setup-codeql`: [Experimental] Similar to `init`, except it only installs the CodeQL CLI and does not initialize a database.
 
 ### Workflow Permissions
 

analyze/action.yml

@@ -6,7 +6,7 @@ inputs:
     description: The name of the check run to add text to.
     required: false
   output:
-    description: The path of the directory in which to save the SARIF results from the CodeQL CLI.
+    description: The path of the directory in which to save the SARIF results
     required: false
     default: "../results"
   upload:
@@ -32,10 +32,14 @@ inputs:
       and 13GB for macOS).
     required: false
   add-snippets:
-    description: Does not have any effect.
+    description: Specify whether or not to add code snippets to the output sarif file.
     required: false
+    default: "false"
     deprecationMessage: >-
-      The input "add-snippets" has been removed and no longer has any effect.
+      The input "add-snippets" is deprecated and will be removed on the first release in August 2025.
+      When this input is set to true it is expected to add code snippets with an alert to the SARIF file.
+      However, since Code Scanning ignores code snippets provided as part of a SARIF file this is currently
+      a no operation. No alternative is available.
   skip-queries:
     description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
     required: false
@@ -66,12 +70,6 @@ inputs:
     description: Whether to upload the resulting CodeQL database
     required: false
     default: "true"
-  post-processed-sarif-path:
-    description: >-
-      Before uploading the SARIF files produced by the CodeQL CLI, the CodeQL Action may perform some post-processing
-      on them. Ordinarily, these post-processed SARIF files are not saved to disk. However, if a path is provided as an
-      argument for this input, they are written to the specified directory.
-    required: false
   wait-for-processing:
     description: If true, the Action will wait for the uploaded SARIF to be processed before completing.
     required: true

eslint.config.mjs

@@ -12,7 +12,6 @@ import filenames from "eslint-plugin-filenames";
 import github from "eslint-plugin-github";
 import _import from "eslint-plugin-import";
 import noAsyncForeach from "eslint-plugin-no-async-foreach";
-import jsdoc from "eslint-plugin-jsdoc";
 import globals from "globals";
 
 const __filename = fileURLToPath(import.meta.url);
@@ -53,7 +52,6 @@ export default [
       github: fixupPluginRules(github),
       import: fixupPluginRules(_import),
       "no-async-foreach": noAsyncForeach,
-      "jsdoc": jsdoc,
     },
 
     languageOptions: {
@@ -133,18 +131,7 @@ export default [
       "no-sequences": "error",
       "no-shadow": "off",
       "@typescript-eslint/no-shadow": "error",
-      "@typescript-eslint/prefer-optional-chain": "error",
       "one-var": ["error", "never"],
-
-      // Check param names to ensure that we don't have outdated JSDocs.
-      "jsdoc/check-param-names": [
-        "error",
-        {
-          // We don't currently require full JSDoc coverage, so this rule
-          // should not error on missing @param annotations.
-          disableMissingParamChecks: true,
-        }
-      ],
     },
   },
   {

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.3",
+  "bundleVersion": "codeql-bundle-v2.23.2",
-  "cliVersion": "2.23.3",
+  "cliVersion": "2.23.2",
-  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorBundleVersion": "codeql-bundle-v2.23.1",
-  "priorCliVersion": "2.23.2"
+  "priorCliVersion": "2.23.1"
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.31.3",
+  "version": "4.30.8",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -24,20 +24,23 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@actions/artifact": "^4.0.0",
+    "@actions/artifact": "^2.3.1",
     "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
     "@actions/cache": "^4.1.0",
     "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
     "@actions/github": "^6.0.0",
     "@actions/glob": "^0.5.0",
-    "@actions/http-client": "^3.0.0",
+    "@actions/http-client": "^2.2.3",
-    "@actions/io": "^2.0.0",
+    "@actions/io": "^1.1.3",
     "@actions/tool-cache": "^2.0.2",
     "@octokit/plugin-retry": "^6.0.0",
-    "@octokit/request-error": "^7.0.2",
+    "@octokit/request-error": "^7.0.1",
     "@schemastore/package": "0.0.10",
     "archiver": "^7.0.1",
+    "check-disk-space": "^3.4.0",
+    "console-log-level": "^1.4.1",
+    "del": "^8.0.0",
     "fast-deep-equal": "^3.1.3",
     "follow-redirects": "^1.15.11",
     "get-folder-size": "^5.0.0",
@@ -45,34 +48,34 @@
     "jsonschema": "1.4.1",
     "long": "^5.3.2",
     "node-forge": "^1.3.1",
-    "octokit": "^5.0.5",
+    "octokit": "^5.0.3",
-    "semver": "^7.7.3",
+    "semver": "^7.7.2",
     "uuid": "^13.0.0"
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^1.4.1",
+    "@eslint/compat": "^1.4.0",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.39.1",
+    "@eslint/js": "^9.37.0",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
-    "@octokit/types": "^16.0.0",
+    "@octokit/types": "^15.0.0",
-    "@types/archiver": "^7.0.0",
+    "@types/archiver": "^6.0.3",
+    "@types/console-log-level": "^1.4.5",
     "@types/follow-redirects": "^1.14.4",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "20.19.9",
     "@types/node-forge": "^1.3.14",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.46.4",
+    "@typescript-eslint/eslint-plugin": "^8.45.0",
     "@typescript-eslint/parser": "^8.41.0",
     "ava": "^6.4.1",
-    "esbuild": "^0.27.0",
+    "esbuild": "^0.25.10",
     "eslint": "^8.57.1",
     "eslint-import-resolver-typescript": "^3.8.7",
     "eslint-plugin-filenames": "^1.3.2",
     "eslint-plugin-github": "^5.1.8",
     "eslint-plugin-import": "2.29.1",
-    "eslint-plugin-jsdoc": "^61.1.12",
     "eslint-plugin-no-async-foreach": "^0.1.1",
     "glob": "^11.0.3",
     "nock": "^14.0.10",

pr-checks/checks/analyze-ref-input.yml

@@ -2,7 +2,6 @@ name: "Analyze: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
-installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/bundle-from-toolcache.yml

@@ -15,9 +15,10 @@ steps:
         if (allCodeqlVersions.length === 0) {
           throw new Error(`CodeQL could not be found in the toolcache`);
         }
-  - id: setup-codeql
+  - id: init
-    uses: ./../action/setup-codeql
+    uses: ./../action/init
     with:
+      languages: javascript
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Check CodeQL is installed within the toolcache
     uses: actions/github-script@v8

pr-checks/checks/bundle-zstd.yml

@@ -27,7 +27,7 @@ steps:
       output: ${{ runner.temp }}/results
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: ${{ matrix.os }}-zstd-bundle.sarif
       path: ${{ runner.temp }}/results/javascript.sarif

pr-checks/checks/config-export.yml

@@ -12,7 +12,7 @@ steps:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/diagnostics-export.yml

@@ -25,7 +25,7 @@ steps:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/export-file-baseline-information.yml

@@ -17,7 +17,7 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/job-run-uuid-sarif.yml

@@ -11,7 +11,7 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/local-bundle.yml

@@ -2,7 +2,6 @@ name: "Local CodeQL bundle"
 description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["linked"]
 installGo: true
-installPython: true
 steps:
   - name: Fetch latest CodeQL bundle
     run: |

pr-checks/checks/multi-language-autodetect.yml

@@ -4,7 +4,6 @@ operatingSystems: ["macos", "ubuntu"]
 env:
   CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
-installPython: true
 steps:
   - name: Use Xcode 16
     if: runner.os == 'macOS' && matrix.version != 'nightly-latest'

pr-checks/checks/packaging-codescanning-config-inputs-js.yml

@@ -3,7 +3,6 @@ description: "Checks that specifying packages using a combination of a config fi
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
-installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/quality-queries.yml

@@ -36,10 +36,9 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
       upload-database: false
-      post-processed-sarif-path: "${{ runner.temp }}/post-processed"
   - name: Upload security SARIF
     if: contains(matrix.analysis-kinds, 'code-scanning')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: |
         quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -47,20 +46,12 @@ steps:
       retention-days: 7
   - name: Upload quality SARIF
     if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v4
     with:
       name: |
         quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
       path: "${{ runner.temp }}/results/javascript.quality.sarif"
       retention-days: 7
-  - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v5
-    with:
-      name: |
-        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-      path: "${{ runner.temp }}/post-processed"
-      retention-days: 7
-      if-no-files-found: error
   - name: Check quality query does not appear in security SARIF
     if: contains(matrix.analysis-kinds, 'code-scanning')
     uses: actions/github-script@v8

pr-checks/checks/remote-config.yml

@@ -6,7 +6,6 @@ versions:
   - linked
   - nightly-latest
 installGo: true
-installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/rubocop-multi-language.yml

@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
   - name: Set up Ruby
-    uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
+    uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0
     with:
       ruby-version: 2.6
   - name: Install Code Scanning integration

pr-checks/checks/unset-environment.yml

@@ -6,7 +6,6 @@ versions:
   - linked
   - nightly-latest
 installGo: true
-installPython: true
 steps:
   - uses: ./../action/init
     id: init

pr-checks/checks/upload-ref-sha-input.yml

@@ -2,7 +2,6 @@ name: "Upload-sarif: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
-installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/upload-sarif.yml

@@ -3,7 +3,6 @@ description: "Checks that uploading SARIFs to the code quality endpoint works"
 versions: ["default"]
 analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
 installGo: true
-installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/with-checkout-path.yml

@@ -2,7 +2,6 @@ name: "Use a custom `checkout_path`"
 description: "Checks that a custom `checkout_path` will find the proper commit_oid"
 versions: ["linked"]
 installGo: true
-installPython: true
 steps:
   # This ensures we don't accidentally use the original checkout for any part of the test.
   - name: Delete original checkout

pr-checks/sync.py

@@ -117,7 +117,7 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
         steps.extend([
             {
                 'name': 'Install Node.js',
-                'uses': 'actions/setup-node@v6',
+                'uses': 'actions/setup-node@v5',
                 'with': {
                     'node-version': '20.x',
                     'cache': 'npm',
@@ -184,26 +184,6 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
             }
         })
 
-    installPython = is_truthy(checkSpecification.get('installPython', ''))
-
-    if installPython:
-        basePythonVersionExpr = '3.13'
-        workflowInputs['python-version'] = {
-            'type': 'string',
-            'description': 'The version of Python to install',
-            'required': False,
-            'default': basePythonVersionExpr,
-        }
-
-        steps.append({
-            'name': 'Install Python',
-            'if': 'matrix.version != \'nightly-latest\'',
-            'uses': 'actions/setup-python@v6',
-            'with': {
-                'python-version': '${{ inputs.python-version || \'' + basePythonVersionExpr + '\' }}'
-            }
-        })
-
     # If container initialisation steps are present in the check specification,
     # make sure to execute them first.
     if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:

scripts/check-node-modules.sh

@@ -9,15 +9,9 @@ if [ "$GITHUB_ACTIONS" = "true" ]; then
 fi
 
 # Check if npm install is likely needed before proceeding
-if [ ! -d node_modules ]; then
+if [ ! -d node_modules ] || [ package-lock.json -nt node_modules/.package-lock.json ]; then
-  echo "Running 'npm install' because 'node_modules' directory is missing."
+  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated..."
-  npm install
-elif [ package.json -nt package-lock.json ]; then
-  echo "Running 'npm install' because 'package-lock.json' appears to be outdated."
-  npm install
-elif [ package-lock.json -nt node_modules/.package-lock.json ]; then
-  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated."
   npm install
 else
-  echo "Skipping 'npm install' because everything appears to be up-to-date."
+  echo "Skipping 'npm install' because 'node_modules/.package-lock.json' appears to be up-to-date."
 fi

setup-codeql/action.yml

@@ -1,39 +0,0 @@
-name: 'CodeQL: Setup'
-description: 'Installs the CodeQL CLI'
-author: 'GitHub'
-inputs:
-  tools:
-    description: >-
-      By default, the Action will use the recommended version of the CodeQL
-      Bundle to analyze your project. You can override this choice using this
-      input. One of:
-
-      - A local path to a CodeQL Bundle tarball, or
-      - The URL of a CodeQL Bundle tarball GitHub release asset, or
-      - A special value `linked` which uses the version of the CodeQL tools
-        that the Action has been bundled with.
-      - A special value `nightly` which uses the latest nightly version of the
-        CodeQL tools. Note that this is unstable and not recommended for
-        production use.
-
-      If not specified, the Action will check in several places until it finds
-      the CodeQL tools.
-    required: false
-  token:
-    description: GitHub token to use for authenticating with this instance of GitHub.
-    default: ${{ github.token }}
-    required: false
-  matrix:
-    default: ${{ toJson(matrix) }}
-    required: false
-  external-repository-token:
-    description: A token for fetching additional files from private repositories in the same GitHub instance that is running this action.
-    required: false
-outputs:
-  codeql-path:
-    description: The path of the CodeQL binary that was installed.
-  codeql-version:
-    description: The version of the CodeQL binary that was installed.
-runs:
-  using: node24
-  main: '../lib/setup-codeql-action.js'

src/analyses.test.ts

@@ -1,19 +1,12 @@
 import test from "ava";
-import * as sinon from "sinon";
 
-import * as actionsUtil from "./actions-util";
 import {
   AnalysisKind,
-  getAnalysisKinds,
   parseAnalysisKinds,
   supportedAnalysisKinds,
 } from "./analyses";
-import { getRunnerLogger } from "./logging";
-import { setupTests } from "./testing-utils";
 import { ConfigurationError } from "./util";
 
-setupTests(test);
-
 test("All known analysis kinds can be parsed successfully", async (t) => {
   for (const analysisKind of supportedAnalysisKinds) {
     t.deepEqual(await parseAnalysisKinds(analysisKind), [analysisKind]);
@@ -41,29 +34,3 @@ test("Parsing analysis kinds requires at least one analysis kind", async (t) =>
     instanceOf: ConfigurationError,
   });
 });
-
-test("getAnalysisKinds - returns expected analysis kinds for `analysis-kinds` input", async (t) => {
-  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-  requiredInputStub
-    .withArgs("analysis-kinds")
-    .returns("code-scanning,code-quality");
-  const result = await getAnalysisKinds(getRunnerLogger(true), true);
-  t.assert(result.includes(AnalysisKind.CodeScanning));
-  t.assert(result.includes(AnalysisKind.CodeQuality));
-});
-
-test("getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used", async (t) => {
-  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-  requiredInputStub.withArgs("analysis-kinds").returns("code-scanning");
-  const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
-  optionalInputStub.withArgs("quality-queries").returns("code-quality");
-  const result = await getAnalysisKinds(getRunnerLogger(true), true);
-  t.assert(result.includes(AnalysisKind.CodeScanning));
-  t.assert(result.includes(AnalysisKind.CodeQuality));
-});
-
-test("getAnalysisKinds - throws if `analysis-kinds` input is invalid", async (t) => {
-  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-  requiredInputStub.withArgs("analysis-kinds").returns("no-such-thing");
-  await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true));
-});

src/analyses.ts

@@ -1,8 +1,4 @@
-import {
+import { fixCodeQualityCategory } from "./actions-util";
-  fixCodeQualityCategory,
-  getOptionalInput,
-  getRequiredInput,
-} from "./actions-util";
 import { Logger } from "./logging";
 import { ConfigurationError } from "./util";
 
@@ -45,55 +41,6 @@ export async function parseAnalysisKinds(
   );
 }
 
-// Used to avoid re-parsing the input after we have done it once.
-let cachedAnalysisKinds: AnalysisKind[] | undefined;
-
-/**
- * Initialises the analysis kinds for the analysis based on the `analysis-kinds` input.
- * This function will also use the deprecated `quality-queries` input as an indicator to enable `code-quality`.
- * If the `analysis-kinds` input cannot be parsed, a `ConfigurationError` is thrown.
- *
- * @param logger The logger to use.
- * @param skipCache For testing, whether to ignore the cached values (default: false).
- *
- * @returns The array of enabled analysis kinds.
- * @throws A `ConfigurationError` if the `analysis-kinds` input cannot be parsed.
- */
-export async function getAnalysisKinds(
-  logger: Logger,
-  skipCache: boolean = false,
-): Promise<AnalysisKind[]> {
-  if (!skipCache && cachedAnalysisKinds !== undefined) {
-    return cachedAnalysisKinds;
-  }
-
-  cachedAnalysisKinds = await parseAnalysisKinds(
-    getRequiredInput("analysis-kinds"),
-  );
-
-  // Warn that `quality-queries` is deprecated if there is an argument for it.
-  const qualityQueriesInput = getOptionalInput("quality-queries");
-
-  if (qualityQueriesInput !== undefined) {
-    logger.warning(
-      "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. " +
-        "Use the `analysis-kinds` input to configure different analysis kinds instead.",
-    );
-  }
-
-  // For backwards compatibility, add Code Quality to the enabled analysis kinds
-  // if an input to `quality-queries` was specified. We should remove this once
-  // `quality-queries` is no longer used.
-  if (
-    !cachedAnalysisKinds.includes(AnalysisKind.CodeQuality) &&
-    qualityQueriesInput !== undefined
-  ) {
-    cachedAnalysisKinds.push(AnalysisKind.CodeQuality);
-  }
-
-  return cachedAnalysisKinds;
-}
-
 /** The queries to use for Code Quality analyses. */
 export const codeQualityQueries: string[] = ["code-quality"];
 

src/analyze-action-env.test.ts

@@ -24,9 +24,6 @@ setupTests(test);
 // but the first test would fail.
 
 test("analyze action with RAM & threads from environment variables", async (t) => {
-  // This test frequently times out on Windows with the default timeout, so we bump
-  // it a bit to 20s.
-  t.timeout(1000 * 20);
   await util.withTmpDir(async (tmpDir) => {
     process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
     process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
@@ -78,7 +75,7 @@ test("analyze action with RAM & threads from environment variables", async (t) =
     t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
     t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=4992");
     t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
     t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=4992");
   });
 });

src/analyze-action-input.test.ts

@@ -24,7 +24,6 @@ setupTests(test);
 // but the first test would fail.
 
 test("analyze action with RAM & threads from action inputs", async (t) => {
-  t.timeout(1000 * 20);
   await util.withTmpDir(async (tmpDir) => {
     process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
     process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
@@ -76,7 +75,7 @@ test("analyze action with RAM & threads from action inputs", async (t) => {
     t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
     t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=3012");
     t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
     t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=3012");
   });
 });

src/analyze-action.ts

@@ -30,7 +30,6 @@ import {
   DependencyCacheUploadStatusReport,
   uploadDependencyCaches,
 } from "./dependency-caching";
-import { getDiffInformedAnalysisBranches } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { Feature, Features } from "./feature-flags";
 import { KnownLanguage } from "./languages";
@@ -52,7 +51,6 @@ import {
 } from "./trap-caching";
 import * as uploadLib from "./upload-lib";
 import { UploadResult } from "./upload-lib";
-import { postProcessAndUploadSarif } from "./upload-sarif";
 import * as util from "./util";
 
 interface AnalysisStatusReport
@@ -212,9 +210,7 @@ async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {
 
 async function run() {
   const startedAt = new Date();
-  let uploadResults:
+  let uploadResult: UploadResult | undefined = undefined;
-    | Partial<Record<analyses.AnalysisKind, UploadResult>>
-    | undefined = undefined;
   let runStats: QueriesStatusReport | undefined = undefined;
   let config: Config | undefined = undefined;
   let trapCacheCleanupTelemetry: TrapCacheCleanupStatusReport | undefined =
@@ -302,14 +298,8 @@ async function run() {
       logger,
     );
 
-    const branches = await getDiffInformedAnalysisBranches(
+    // Setup diff informed analysis if needed (based on whether init created the file)
-      codeql,
+    const diffRangePackDir = await setupDiffInformedQueryRun(logger);
-      features,
-      logger,
-    );
-    const diffRangePackDir = branches
-      ? await setupDiffInformedQueryRun(branches, logger)
-      : undefined;
 
     await warnIfGoInstalledAfterInit(config, logger);
     await runAutobuildIfLegacyGoWorkflow(config, logger);
@@ -324,16 +314,10 @@ async function run() {
     );
 
     if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
-      // Warn if the removed `add-snippets` input is used.
-      if (actionsUtil.getOptionalInput("add-snippets") !== undefined) {
-        logger.warning(
-          "The `add-snippets` input has been removed and no longer has any effect.",
-        );
-      }
-
       runStats = await runQueries(
         outputDir,
         memory,
+        util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")),
         threads,
         diffRangePackDir,
         actionsUtil.getOptionalInput("category"),
@@ -350,67 +334,31 @@ async function run() {
     }
     core.setOutput("db-locations", dbLocations);
     core.setOutput("sarif-output", path.resolve(outputDir));
-    const uploadKind = actionsUtil.getUploadValue(
+    const uploadInput = actionsUtil.getOptionalInput("upload");
-      actionsUtil.getOptionalInput("upload"),
+    if (runStats && actionsUtil.getUploadValue(uploadInput) === "always") {
-    );
-    if (runStats) {
-      const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
-      const category = actionsUtil.getOptionalInput("category");
-
-      if (await features.getValue(Feature.AnalyzeUseNewUpload)) {
-        uploadResults = await postProcessAndUploadSarif(
-          logger,
-          features,
-          uploadKind,
-          checkoutPath,
-          outputDir,
-          category,
-          actionsUtil.getOptionalInput("post-processed-sarif-path"),
-        );
-      } else if (uploadKind === "always") {
-        uploadResults = {};
-
       if (isCodeScanningEnabled(config)) {
-          uploadResults[analyses.AnalysisKind.CodeScanning] =
+        uploadResult = await uploadLib.uploadFiles(
-            await uploadLib.uploadFiles(
           outputDir,
-              checkoutPath,
+          actionsUtil.getRequiredInput("checkout_path"),
-              category,
+          actionsUtil.getOptionalInput("category"),
           features,
           logger,
           analyses.CodeScanning,
         );
+        core.setOutput("sarif-id", uploadResult.sarifID);
       }
 
       if (isCodeQualityEnabled(config)) {
-          uploadResults[analyses.AnalysisKind.CodeQuality] =
+        const analysis = analyses.CodeQuality;
-            await uploadLib.uploadFiles(
+        const qualityUploadResult = await uploadLib.uploadFiles(
           outputDir,
-              checkoutPath,
+          actionsUtil.getRequiredInput("checkout_path"),
-              category,
+          actionsUtil.getOptionalInput("category"),
           features,
           logger,
-              analyses.CodeQuality,
+          analysis,
-            );
-        }
-      } else {
-        uploadResults = {};
-        logger.info("Not uploading results");
-      }
-
-      // Set the SARIF id outputs only if we have results for them, to avoid
-      // having keys with empty values in the action output.
-      if (uploadResults[analyses.AnalysisKind.CodeScanning] !== undefined) {
-        core.setOutput(
-          "sarif-id",
-          uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
-        );
-      }
-      if (uploadResults[analyses.AnalysisKind.CodeQuality] !== undefined) {
-        core.setOutput(
-          "quality-sarif-id",
-          uploadResults[analyses.AnalysisKind.CodeQuality].sarifID,
         );
+        core.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
       }
     } else {
       logger.info("Not uploading results");
@@ -438,11 +386,14 @@ async function run() {
 
     // Store dependency cache(s) if dependency caching is enabled.
     if (shouldStoreCache(config.dependencyCachingEnabled)) {
-      dependencyCacheResults = await uploadDependencyCaches(
+      const minimizeJavaJars = await features.getValue(
+        Feature.JavaMinimizeDependencyJars,
         codeql,
-        features,
+      );
+      dependencyCacheResults = await uploadDependencyCaches(
         config,
         logger,
+        minimizeJavaJars,
       );
     }
 
@@ -450,12 +401,12 @@ async function run() {
     if (util.isInTestMode()) {
       logger.debug("In test mode. Waiting for processing is disabled.");
     } else if (
-      uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined &&
+      uploadResult !== undefined &&
       actionsUtil.getRequiredInput("wait-for-processing") === "true"
     ) {
       await uploadLib.waitForProcessing(
         getRepositoryNwo(),
-        uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
+        uploadResult.sarifID,
         getActionsLogger(),
       );
     }
@@ -492,16 +443,13 @@ async function run() {
     return;
   }
 
-  if (
+  if (runStats && uploadResult) {
-    runStats !== undefined &&
-    uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined
-  ) {
     await sendStatusReport(
       startedAt,
       config,
       {
         ...runStats,
-        ...uploadResults[analyses.AnalysisKind.CodeScanning].statusReport,
+        ...uploadResult.statusReport,
       },
       undefined,
       trapCacheUploadTime,
@@ -511,7 +459,7 @@ async function run() {
       dependencyCacheResults,
       logger,
     );
-  } else if (runStats !== undefined) {
+  } else if (runStats) {
     await sendStatusReport(
       startedAt,
       config,

src/analyze.test.ts

@@ -37,6 +37,7 @@ test("status report fields", async (t) => {
     setupActionsVars(tmpDir, tmpDir);
 
     const memoryFlag = "";
+    const addSnippetsFlag = "";
     const threadsFlag = "";
     sinon.stub(uploadLib, "validateSarifFileSchema");
 
@@ -102,6 +103,7 @@ test("status report fields", async (t) => {
       const statusReport = await runQueries(
         tmpDir,
         memoryFlag,
+        addSnippetsFlag,
         threadsFlag,
         undefined,
         undefined,

src/analyze.ts

@@ -3,10 +3,12 @@ import * as path from "path";
 import { performance } from "perf_hooks";
 
 import * as io from "@actions/io";
+import * as del from "del";
 import * as yaml from "js-yaml";
 
-import { getTemporaryDirectory, PullRequestBranches } from "./actions-util";
+import { getTemporaryDirectory } from "./actions-util";
 import * as analyses from "./analyses";
+// (getApiClient import removed; no longer needed after diff refactor)
 import { setupCppAutobuild } from "./autobuild";
 import { type CodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
@@ -14,14 +16,14 @@ import { getJavaTempDependencyDir } from "./dependency-caching";
 import { addDiagnostic, makeDiagnostic } from "./diagnostics";
 import {
   DiffThunkRange,
-  writeDiffRangesJsonFile,
+  readDiffRangesJsonFile,
-  getPullRequestEditedDiffRanges,
 } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { FeatureEnablement, Feature } from "./feature-flags";
 import { KnownLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
 import { OverlayDatabaseMode } from "./overlay-database-utils";
+// getRepositoryNwoFromEnv no longer needed after extracting diff logic
 import { DatabaseCreationTimings, EventReport } from "./status-report";
 import { endTracingForCluster } from "./tracer-config";
 import * as util from "./util";
@@ -38,26 +40,89 @@ export class CodeQLAnalysisError extends Error {
   }
 }
 
-type KnownLanguageKey = keyof typeof KnownLanguage;
+export interface QueriesStatusReport {
-
-type RunQueriesDurationStatusReport = {
   /**
-   * Time taken in ms to run queries for the language (or undefined if this language was not analyzed).
+   * Time taken in ms to run queries for actions (or undefined if this language was not analyzed).
    *
    * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
    * taken to run _all_ the queries.
    */
-  [L in KnownLanguageKey as `analyze_builtin_queries_${L}_duration_ms`]?: number;
+  analyze_builtin_queries_actions_duration_ms?: number;
-};
+  /**
+   * Time taken in ms to run queries for cpp (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_cpp_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for csharp (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_csharp_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for go (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_go_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for java (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_java_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for javascript (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_javascript_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for python (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_python_duration_ms?: number;
+  /**
+   * Time taken in ms to run queries for ruby (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_ruby_duration_ms?: number;
+  /** Time taken in ms to run queries for swift (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  analyze_builtin_queries_swift_duration_ms?: number;
 
-type InterpretResultsDurationStatusReport = {
+  /** Time taken in ms to interpret results for actions (or undefined if this language was not analyzed). */
-  /** Time taken in ms to interpret results for the language (or undefined if this language was not analyzed). */
+  interpret_results_actions_duration_ms?: number;
-  [L in KnownLanguageKey as `interpret_results_${L}_duration_ms`]?: number;
+  /** Time taken in ms to interpret results for cpp (or undefined if this language was not analyzed). */
-};
+  interpret_results_cpp_duration_ms?: number;
+  /** Time taken in ms to interpret results for csharp (or undefined if this language was not analyzed). */
+  interpret_results_csharp_duration_ms?: number;
+  /** Time taken in ms to interpret results for go (or undefined if this language was not analyzed). */
+  interpret_results_go_duration_ms?: number;
+  /** Time taken in ms to interpret results for java (or undefined if this language was not analyzed). */
+  interpret_results_java_duration_ms?: number;
+  /** Time taken in ms to interpret results for javascript (or undefined if this language was not analyzed). */
+  interpret_results_javascript_duration_ms?: number;
+  /** Time taken in ms to interpret results for python (or undefined if this language was not analyzed). */
+  interpret_results_python_duration_ms?: number;
+  /** Time taken in ms to interpret results for ruby (or undefined if this language was not analyzed). */
+  interpret_results_ruby_duration_ms?: number;
+  /** Time taken in ms to interpret results for swift (or undefined if this language was not analyzed). */
+  interpret_results_swift_duration_ms?: number;
 
-export interface QueriesStatusReport
-  extends RunQueriesDurationStatusReport,
-    InterpretResultsDurationStatusReport {
   /**
    * Whether the analysis is diff-informed (in the sense that the action generates a diff-range data
    * extension for the analysis, regardless of whether the data extension is actually used by queries).
@@ -218,16 +283,36 @@ async function finalizeDatabaseCreation(
  * the diff range information, or `undefined` if the feature is disabled.
  */
 export async function setupDiffInformedQueryRun(
-  branches: PullRequestBranches,
   logger: Logger,
 ): Promise<string | undefined> {
   return await withGroupAsync(
     "Generating diff range extension pack",
     async () => {
-      logger.info(
+      // Only use precomputed diff ranges; never recompute here.
-        `Calculating diff ranges for ${branches.base}...${branches.head}`,
+      let diffRanges: DiffThunkRange[] | undefined;
+      try {
+        diffRanges = readDiffRangesJsonFile(logger);
+      } catch (e) {
+        logger.debug(
+          `Failed to read precomputed diff ranges: ${util.getErrorMessage(e)}`,
         );
-      const diffRanges = await getPullRequestEditedDiffRanges(branches, logger);
+        diffRanges = undefined;
+      }
+
+      if (diffRanges === undefined) {
+        logger.info(
+          "No precomputed diff ranges found; skipping diff-informed analysis stage.",
+        );
+        return undefined;
+      }
+
+      const fileCount = new Set(
+        diffRanges.filter((r) => r.path).map((r) => r.path),
+      ).size;
+      logger.info(
+        `Using precomputed diff ranges (${diffRanges.length} ranges across ${fileCount} files).`,
+      );
+
       const packDir = writeDiffRangeDataExtensionPack(logger, diffRanges);
       if (packDir === undefined) {
         logger.warning(
@@ -324,10 +409,6 @@ extensions:
     `Wrote pr-diff-range extension pack to ${extensionFilePath}:\n${extensionContents}`,
   );
 
-  // Write the diff ranges to a JSON file, for action-side alert filtering by the
-  // upload-lib module.
-  writeDiffRangesJsonFile(logger, ranges);
-
   return diffRangeDir;
 }
 
@@ -373,6 +454,7 @@ export function addSarifExtension(
 export async function runQueries(
   sarifFolder: string,
   memoryFlag: string,
+  addSnippetsFlag: string,
   threadsFlag: string,
   diffRangePackDir: string | undefined,
   automationDetailsId: string | undefined,
@@ -562,6 +644,7 @@ export async function runQueries(
       databasePath,
       queries,
       sarifFile,
+      addSnippetsFlag,
       threadsFlag,
       enableDebugLogging ? "-vv" : "-v",
       sarifRunPropertyFlag,
@@ -605,7 +688,7 @@ export async function runFinalize(
   logger: Logger,
 ): Promise<DatabaseCreationTimings> {
   try {
-    await fs.promises.rm(outputDir, { force: true, recursive: true });
+    await del.deleteAsync(outputDir, { force: true });
   } catch (error: any) {
     if (error?.code !== "ENOENT") {
       throw error;
@@ -672,3 +755,5 @@ export async function warnIfGoInstalledAfterInit(
     }
   }
 }
+
+export const exportedForTesting = {};

src/api-client.test.ts

@@ -169,32 +169,4 @@ test("wrapApiConfigurationError correctly wraps specific configuration errors",
     res,
     new util.ConfigurationError("Resource not accessible by integration"),
   );
-
-  // Enablement errors.
-  const enablementErrorMessages = [
-    "Code Security must be enabled for this repository to use code scanning",
-    "Advanced Security must be enabled for this repository to use code scanning",
-    "Code Scanning is not enabled for this repository. Please enable code scanning in the repository settings.",
-  ];
-  const transforms = [
-    (msg: string) => msg,
-    (msg: string) => msg.toLowerCase(),
-    (msg: string) => msg.toLocaleUpperCase(),
-  ];
-
-  for (const enablementErrorMessage of enablementErrorMessages) {
-    for (const transform of transforms) {
-      const enablementError = new util.HTTPError(
-        transform(enablementErrorMessage),
-        403,
-      );
-      res = api.wrapApiConfigurationError(enablementError);
-      t.deepEqual(
-        res,
-        new util.ConfigurationError(
-          api.getFeatureEnablementError(enablementError.message),
-        ),
-      );
-    }
-  }
 });

src/api-client.ts

@@ -1,17 +1,18 @@
 import * as core from "@actions/core";
 import * as githubUtils from "@actions/github/lib/utils";
 import * as retry from "@octokit/plugin-retry";
+import consoleLogLevel from "console-log-level";
 
 import { getActionVersion, getRequiredInput } from "./actions-util";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
-  asHTTPError,
   ConfigurationError,
   getRequiredEnvParam,
   GITHUB_DOTCOM_URL,
   GitHubVariant,
   GitHubVersion,
+  isHTTPError,
   parseGitHubUrl,
   parseMatrixInput,
 } from "./util";
@@ -49,12 +50,7 @@ function createApiClientWithDetails(
     githubUtils.getOctokitOptions(auth, {
       baseUrl: apiDetails.apiURL,
       userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: {
+      log: consoleLogLevel({ level: "debug" }),
-        debug: core.debug,
-        info: core.info,
-        warn: core.warning,
-        error: core.error,
-      },
     }),
   );
 }
@@ -283,49 +279,23 @@ export async function getRepositoryProperties(repositoryNwo: RepositoryNwo) {
   });
 }
 
-function isEnablementError(msg: string) {
-  return [
-    /Code Security must be enabled/i,
-    /Advanced Security must be enabled/i,
-    /Code Scanning is not enabled/i,
-  ].some((pattern) => pattern.test(msg));
-}
-
-// TODO: Move to `error-messages.ts` after refactoring import order to avoid cycle
-// since `error-messages.ts` currently depends on this file.
-export function getFeatureEnablementError(message: string): string {
-  return `Please verify that the necessary features are enabled: ${message}`;
-}
-
 export function wrapApiConfigurationError(e: unknown) {
-  const httpError = asHTTPError(e);
+  if (isHTTPError(e)) {
-  if (httpError !== undefined) {
     if (
-      [
+      e.message.includes("API rate limit exceeded for installation") ||
-        /API rate limit exceeded/,
+      e.message.includes("commit not found") ||
-        /commit not found/,
+      e.message.includes("Resource not accessible by integration") ||
-        /Resource not accessible by integration/,
+      /ref .* not found in this repository/.test(e.message)
-        /ref .* not found in this repository/,
-      ].some((pattern) => pattern.test(httpError.message))
     ) {
-      return new ConfigurationError(httpError.message);
+      return new ConfigurationError(e.message);
-    }
+    } else if (
-    if (
+      e.message.includes("Bad credentials") ||
-      httpError.message.includes("Bad credentials") ||
+      e.message.includes("Not Found")
-      httpError.message.includes("Not Found")
     ) {
       return new ConfigurationError(
         "Please check that your token is valid and has the required permissions: contents: read, security-events: write",
       );
     }
-    if (httpError.status === 403 && isEnablementError(httpError.message)) {
-      return new ConfigurationError(
-        getFeatureEnablementError(httpError.message),
-      );
-    }
-    if (httpError.status === 429) {
-      return new ConfigurationError("API rate limit exceeded");
-    }
   }
   return e;
 }

src/caching-utils.ts

@@ -1,5 +1,3 @@
-import * as crypto from "crypto";
-
 import * as core from "@actions/core";
 
 import { getOptionalInput, isDefaultSetup } from "./actions-util";
@@ -73,33 +71,6 @@ export function getCachingKind(input: string | undefined): CachingKind {
   }
 }
 
-// The length to which `createCacheKeyHash` truncates hash strings.
-export const cacheKeyHashLength = 16;
-
-/**
- * Creates a SHA-256 hash of the cache key components to ensure uniqueness
- * while keeping the cache key length manageable.
- *
- * @param components Object containing all components that should influence cache key uniqueness
- * @returns A short SHA-256 hash (first 16 characters) of the components
- */
-export function createCacheKeyHash(components: Record<string, any>): string {
-  // From https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify
-  //
-  // "Properties are visited using the same algorithm as Object.keys(), which
-  // has a well-defined order and is stable across implementations. For example,
-  // JSON.stringify on the same object will always produce the same string, and
-  // JSON.parse(JSON.stringify(obj)) would produce an object with the same key
-  // ordering as the original (assuming the object is completely
-  // JSON-serializable)."
-  const componentsJson = JSON.stringify(components);
-  return crypto
-    .createHash("sha256")
-    .update(componentsJson)
-    .digest("hex")
-    .substring(0, cacheKeyHashLength);
-}
-
 /** Determines whether dependency caching is enabled. */
 export function getDependencyCachingEnabled(): CachingKind {
   // If the workflow specified something always respect that

src/cli-errors.test.ts

@@ -310,20 +310,6 @@ test("wrapCliConfigurationError - pack cannot be found", (t) => {
   t.true(wrappedError instanceof ConfigurationError);
 });
 
-test("wrapCliConfigurationError - unknown query file", (t) => {
-  const commandError = new CommandInvocationError(
-    "codeql",
-    ["database", "init"],
-    2,
-    "my-query-file is not a .ql file, .qls file, a directory, or a query pack specification. See the logs for more details.",
-  );
-  const cliError = new CliError(commandError);
-
-  const wrappedError = wrapCliConfigurationError(cliError);
-
-  t.true(wrappedError instanceof ConfigurationError);
-});
-
 test("wrapCliConfigurationError - pack missing auth", (t) => {
   const commandError = new CommandInvocationError(
     "codeql",

src/cli-errors.ts

@@ -264,9 +264,6 @@ export const cliErrorsConfig: Record<
       new RegExp(
         "Query pack .* cannot be found\\. Check the spelling of the pack\\.",
       ),
-      new RegExp(
-        "is not a .ql file, .qls file, a directory, or a query pack specification.",
-      ),
     ],
   },
   [CliConfigErrorCategory.PackMissingAuth]: {

src/codeql.test.ts

@@ -5,6 +5,7 @@ import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as io from "@actions/io";
 import * as toolcache from "@actions/tool-cache";
 import test, { ExecutionContext } from "ava";
+import * as del from "del";
 import * as yaml from "js-yaml";
 import nock from "nock";
 import * as sinon from "sinon";
@@ -35,6 +36,7 @@ import {
   createTestConfig,
 } from "./testing-utils";
 import { ToolsDownloadStatusReport } from "./tools-download";
+import { ToolsFeature } from "./tools-features";
 import * as util from "./util";
 import { initializeEnvironment } from "./util";
 
@@ -72,7 +74,6 @@ async function installIntoToolcache({
     cliVersion !== undefined
       ? { cliVersion, tagName }
       : SAMPLE_DEFAULT_CLI_VERSION,
-    createFeatures([]),
     getRunnerLogger(true),
     false,
   );
@@ -121,8 +122,6 @@ async function stubCodeql(): Promise<codeql.CodeQL> {
 }
 
 test("downloads and caches explicitly requested bundles that aren't in the toolcache", async (t) => {
-  const features = createFeatures([]);
-
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
@@ -141,7 +140,6 @@ test("downloads and caches explicitly requested bundles that aren't in the toolc
         tmpDir,
         util.GitHubVariant.DOTCOM,
         SAMPLE_DEFAULT_CLI_VERSION,
-        features,
         getRunnerLogger(true),
         false,
       );
@@ -156,8 +154,6 @@ test("downloads and caches explicitly requested bundles that aren't in the toolc
 });
 
 test("caches semantically versioned bundles using their semantic version number", async (t) => {
-  const features = createFeatures([]);
-
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
     const url = mockBundleDownloadApi({
@@ -170,7 +166,6 @@ test("caches semantically versioned bundles using their semantic version number"
       tmpDir,
       util.GitHubVariant.DOTCOM,
       SAMPLE_DEFAULT_CLI_VERSION,
-      features,
       getRunnerLogger(true),
       false,
     );
@@ -186,8 +181,6 @@ test("caches semantically versioned bundles using their semantic version number"
 });
 
 test("downloads an explicitly requested bundle even if a different version is cached", async (t) => {
-  const features = createFeatures([]);
-
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
@@ -206,7 +199,6 @@ test("downloads an explicitly requested bundle even if a different version is ca
       tmpDir,
       util.GitHubVariant.DOTCOM,
       SAMPLE_DEFAULT_CLI_VERSION,
-      features,
       getRunnerLogger(true),
       false,
     );
@@ -235,8 +227,6 @@ for (const {
   expectedToolcacheVersion,
 } of EXPLICITLY_REQUESTED_BUNDLE_TEST_CASES) {
   test(`caches explicitly requested bundle ${tagName} as ${expectedToolcacheVersion}`, async (t) => {
-    const features = createFeatures([]);
-
     await util.withTmpDir(async (tmpDir) => {
       setupActionsVars(tmpDir, tmpDir);
 
@@ -253,7 +243,6 @@ for (const {
         tmpDir,
         util.GitHubVariant.DOTCOM,
         SAMPLE_DEFAULT_CLI_VERSION,
-        features,
         getRunnerLogger(true),
         false,
       );
@@ -277,8 +266,6 @@ for (const toolcacheVersion of [
     `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
       `${toolcacheVersion} is installed`,
     async (t) => {
-      const features = createFeatures([]);
-
       await util.withTmpDir(async (tmpDir) => {
         setupActionsVars(tmpDir, tmpDir);
 
@@ -294,7 +281,6 @@ for (const toolcacheVersion of [
           tmpDir,
           util.GitHubVariant.DOTCOM,
           SAMPLE_DEFAULT_CLI_VERSION,
-          features,
           getRunnerLogger(true),
           false,
         );
@@ -309,8 +295,6 @@ for (const toolcacheVersion of [
 }
 
 test(`uses a cached bundle when no tools input is given on GHES`, async (t) => {
-  const features = createFeatures([]);
-
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
@@ -329,7 +313,6 @@ test(`uses a cached bundle when no tools input is given on GHES`, async (t) => {
         cliVersion: defaults.cliVersion,
         tagName: defaults.bundleVersion,
       },
-      features,
       getRunnerLogger(true),
       false,
     );
@@ -345,8 +328,6 @@ test(`uses a cached bundle when no tools input is given on GHES`, async (t) => {
 });
 
 test(`downloads bundle if only an unpinned version is cached on GHES`, async (t) => {
-  const features = createFeatures([]);
-
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
@@ -368,7 +349,6 @@ test(`downloads bundle if only an unpinned version is cached on GHES`, async (t)
         cliVersion: defaults.cliVersion,
         tagName: defaults.bundleVersion,
       },
-      features,
       getRunnerLogger(true),
       false,
     );
@@ -384,8 +364,6 @@ test(`downloads bundle if only an unpinned version is cached on GHES`, async (t)
 });
 
 test('downloads bundle if "latest" tools specified but not cached', async (t) => {
-  const features = createFeatures([]);
-
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
@@ -404,7 +382,6 @@ test('downloads bundle if "latest" tools specified but not cached', async (t) =>
       tmpDir,
       util.GitHubVariant.DOTCOM,
       SAMPLE_DEFAULT_CLI_VERSION,
-      features,
       getRunnerLogger(true),
       false,
     );
@@ -420,8 +397,6 @@ test('downloads bundle if "latest" tools specified but not cached', async (t) =>
 });
 
 test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t) => {
-  const features = createFeatures([]);
-
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
@@ -442,7 +417,6 @@ test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t)
       tmpDir,
       util.GitHubVariant.DOTCOM,
       SAMPLE_DEFAULT_CLI_VERSION,
-      features,
       getRunnerLogger(true),
       false,
     );
@@ -543,6 +517,7 @@ const injectedConfigMacro = test.macro({
         "",
         undefined,
         undefined,
+        undefined,
         getRunnerLogger(true),
       );
 
@@ -556,7 +531,7 @@ const injectedConfigMacro = test.macro({
       const augmentedConfig = yaml.load(fs.readFileSync(configFile, "utf8"));
       t.deepEqual(augmentedConfig, expectedConfig);
 
-      await fs.promises.rm(configFile, { force: true });
+      await del.deleteAsync(configFile, { force: true });
     });
   },
 
@@ -829,6 +804,7 @@ test("passes a code scanning config AND qlconfig to the CLI", async (t: Executio
       "",
       undefined,
       "/path/to/qlconfig.yml",
+      undefined,
       getRunnerLogger(true),
     );
 
@@ -857,6 +833,7 @@ test("does not pass a qlconfig to the CLI when it is undefined", async (t: Execu
       "",
       undefined,
       undefined, // undefined qlconfigFile
+      undefined,
       getRunnerLogger(true),
     );
 
@@ -868,6 +845,84 @@ test("does not pass a qlconfig to the CLI when it is undefined", async (t: Execu
   });
 });
 
+const NEW_ANALYSIS_SUMMARY_TEST_CASES = [
+  {
+    codeqlVersion: makeVersionInfo("2.15.0", {
+      [ToolsFeature.AnalysisSummaryV2IsDefault]: true,
+    }),
+    githubVersion: {
+      type: util.GitHubVariant.DOTCOM,
+    },
+    flagPassed: false,
+    negativeFlagPassed: false,
+  },
+  {
+    codeqlVersion: makeVersionInfo("2.15.0"),
+    githubVersion: {
+      type: util.GitHubVariant.DOTCOM,
+    },
+    flagPassed: true,
+    negativeFlagPassed: false,
+  },
+  {
+    codeqlVersion: makeVersionInfo("2.15.0"),
+    githubVersion: {
+      type: util.GitHubVariant.GHES,
+      version: "3.10.0",
+    },
+    flagPassed: true,
+    negativeFlagPassed: false,
+  },
+];
+
+for (const {
+  codeqlVersion,
+  flagPassed,
+  githubVersion,
+  negativeFlagPassed,
+} of NEW_ANALYSIS_SUMMARY_TEST_CASES) {
+  test(`database interpret-results passes ${
+    flagPassed
+      ? "--new-analysis-summary"
+      : negativeFlagPassed
+        ? "--no-new-analysis-summary"
+        : "nothing"
+  } for CodeQL version ${JSON.stringify(codeqlVersion)} and ${
+    util.GitHubVariant[githubVersion.type]
+  } ${githubVersion.version ? ` ${githubVersion.version}` : ""}`, async (t) => {
+    const runnerConstructorStub = stubToolRunnerConstructor();
+    const codeqlObject = await codeql.getCodeQLForTesting();
+    sinon.stub(codeqlObject, "getVersion").resolves(codeqlVersion);
+    // io throws because of the test CodeQL object.
+    sinon.stub(io, "which").resolves("");
+    await codeqlObject.databaseInterpretResults(
+      "",
+      [],
+      "",
+      "",
+      "",
+      "-v",
+      undefined,
+      "",
+      Object.assign({}, stubConfig, { gitHubVersion: githubVersion }),
+      createFeatures([]),
+    );
+    const actualArgs = runnerConstructorStub.firstCall.args[1] as string[];
+    t.is(
+      actualArgs.includes("--new-analysis-summary"),
+      flagPassed,
+      `--new-analysis-summary should${flagPassed ? "" : "n't"} be passed`,
+    );
+    t.is(
+      actualArgs.includes("--no-new-analysis-summary"),
+      negativeFlagPassed,
+      `--no-new-analysis-summary should${
+        negativeFlagPassed ? "" : "n't"
+      } be passed`,
+    );
+  });
+}
+
 test("runTool summarizes several fatal errors", async (t) => {
   const heapError =
     "A fatal error occurred: Evaluator heap must be at least 384.00 MiB";
@@ -1028,6 +1083,7 @@ test("Avoids duplicating --overwrite flag if specified in CODEQL_ACTION_EXTRA_OP
     "sourceRoot",
     undefined,
     undefined,
+    undefined,
     getRunnerLogger(false),
   );
 
@@ -1045,7 +1101,7 @@ test("Avoids duplicating --overwrite flag if specified in CODEQL_ACTION_EXTRA_OP
   );
   t.truthy(configArg, "Should have injected a codescanning config");
   const configFile = configArg!.split("=")[1];
-  await fs.promises.rm(configFile, { force: true });
+  await del.deleteAsync(configFile, { force: true });
 });
 
 export function stubToolRunnerConstructor(

src/codeql.ts

@@ -3,6 +3,7 @@ import * as path from "path";
 
 import * as core from "@actions/core";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
+import { RequestError } from "@octokit/request-error";
 import * as yaml from "js-yaml";
 
 import {
@@ -95,6 +96,7 @@ export interface CodeQL {
     sourceRoot: string,
     processName: string | undefined,
     qlconfigFile: string | undefined,
+    prDiffChangedFiles: Set<string> | undefined,
     logger: Logger,
   ): Promise<void>;
   /**
@@ -167,6 +169,7 @@ export interface CodeQL {
     databasePath: string,
     querySuitePaths: string[] | undefined,
     sarifFile: string,
+    addSnippetsFlag: string,
     threadsFlag: string,
     verbosityFlag: string | undefined,
     sarifRunPropertyFlag: string | undefined,
@@ -266,7 +269,7 @@ let cachedCodeQL: CodeQL | undefined = undefined;
  * The version flags below can be used to conditionally enable certain features
  * on versions newer than this.
  */
-const CODEQL_MINIMUM_VERSION = "2.17.6";
+const CODEQL_MINIMUM_VERSION = "2.16.6";
 
 /**
  * This version will shortly become the oldest version of CodeQL that the Action will run with.
@@ -307,7 +310,6 @@ const CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
  * @param tempDir
  * @param variant
  * @param defaultCliVersion
- * @param features Information about the features that are enabled.
  * @param logger
  * @param checkVersion Whether to check that CodeQL CLI meets the minimum
  *        version requirement. Must be set to true outside tests.
@@ -319,7 +321,6 @@ export async function setupCodeQL(
   tempDir: string,
   variant: util.GitHubVariant,
   defaultCliVersion: CodeQLDefaultVersionInfo,
-  features: FeatureEnablement,
   logger: Logger,
   checkVersion: boolean,
 ): Promise<{
@@ -342,7 +343,6 @@ export async function setupCodeQL(
       tempDir,
       variant,
       defaultCliVersion,
-      features,
       logger,
     );
 
@@ -369,11 +369,11 @@ export async function setupCodeQL(
       toolsVersion,
       zstdAvailability,
     };
-  } catch (rawError) {
+  } catch (e) {
-    const e = api.wrapApiConfigurationError(rawError);
     const ErrorClass =
       e instanceof util.ConfigurationError ||
-      (e instanceof Error && e.message.includes("ENOSPC")) // out of disk space
+      (e instanceof Error && e.message.includes("ENOSPC")) || // out of disk space
+      (e instanceof RequestError && e.status === 429) // rate limited
         ? util.ConfigurationError
         : Error;
 
@@ -561,6 +561,7 @@ export async function getCodeQLForCmd(
       sourceRoot: string,
       processName: string | undefined,
       qlconfigFile: string | undefined,
+      prDiffChangedFiles: Set<string> | undefined,
       logger: Logger,
     ) {
       const extraArgs = config.languages.map(
@@ -603,6 +604,7 @@ export async function getCodeQLForCmd(
         const overlayChangesFile = await writeOverlayChangesFile(
           config,
           sourceRoot,
+          prDiffChangedFiles,
           logger,
         );
         extraArgs.push(`--overlay-changes=${overlayChangesFile}`);
@@ -816,6 +818,7 @@ export async function getCodeQLForCmd(
       databasePath: string,
       querySuitePaths: string[] | undefined,
       sarifFile: string,
+      addSnippetsFlag: string,
       threadsFlag: string,
       verbosityFlag: string,
       sarifRunPropertyFlag: string | undefined,
@@ -834,6 +837,7 @@ export async function getCodeQLForCmd(
         "--format=sarif-latest",
         verbosityFlag,
         `--output=${sarifFile}`,
+        addSnippetsFlag,
         "--print-diagnostics-summary",
         "--print-metrics-summary",
         "--sarif-add-baseline-file-info",
@@ -857,6 +861,14 @@ export async function getCodeQLForCmd(
       } else {
         codeqlArgs.push("--no-sarif-include-diagnostics");
       }
+      if (
+        !isSupportedToolsFeature(
+          await this.getVersion(),
+          ToolsFeature.AnalysisSummaryV2IsDefault,
+        )
+      ) {
+        codeqlArgs.push("--new-analysis-summary");
+      }
       codeqlArgs.push(databasePath);
       if (querySuitePaths) {
         codeqlArgs.push(...querySuitePaths);
@@ -1071,10 +1083,7 @@ export async function getCodeQLForCmd(
 /**
  * Gets the options for `path` of `options` as an array of extra option strings.
  *
- * @param paths The CLI command components to get extra options for.
+ * @param ignoringOptions Options that should be ignored, for example because they have already
- * @param args Additional arguments for this function.
- * @param args.ignoringOptions
- *   Options that should be ignored, for example because they have already
  *                        been passed and it is an error to pass them more than once.
  */
 function getExtraOptionsFromEnv(
@@ -1157,9 +1166,8 @@ async function runCli(
 /**
  * Writes the code scanning configuration that is to be used by the CLI.
  *
- * @param config The CodeQL Action state to write.
+ * @param codeql The CodeQL object to use.
- * @param logger The logger to use.
+ * @param config The CodeQL Action state to use.
- *
  * @returns The path to the generated user configuration file.
  */
 async function writeCodeScanningConfigFile(

src/config-utils.test.ts

@@ -49,9 +49,10 @@ function createTestInitConfigInputs(
   return Object.assign(
     {},
     {
-      analysisKinds: [AnalysisKind.CodeScanning],
+      analysisKindsInput: "code-scanning",
       languagesInput: undefined,
       queriesInput: undefined,
+      qualityQueriesInput: undefined,
       packsInput: undefined,
       configFile: undefined,
       dbLocation: undefined,
@@ -148,7 +149,6 @@ test("load empty config", async (t) => {
     });
 
     const config = await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput: languages,
         repository: { owner: "github", repo: "example" },
@@ -188,9 +188,8 @@ test("load code quality config", async (t) => {
     });
 
     const config = await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
-        analysisKinds: [AnalysisKind.CodeQuality],
+        analysisKindsInput: "code-quality",
         languagesInput: languages,
         repository: { owner: "github", repo: "example" },
         tempDir,
@@ -273,9 +272,8 @@ test("initActionState doesn't throw if there are queries configured in the repos
 
     await t.notThrowsAsync(async () => {
       const config = await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
-          analysisKinds: [AnalysisKind.CodeQuality],
+          analysisKindsInput: "code-quality",
           languagesInput: languages,
           repository: { owner: "github", repo: "example" },
           tempDir,
@@ -312,7 +310,6 @@ test("loading a saved config produces the same config", async (t) => {
     t.deepEqual(await configUtils.getConfig(tempDir, logger), undefined);
 
     const config1 = await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput: "javascript,python",
         tempDir,
@@ -364,7 +361,6 @@ test("loading config with version mismatch throws", async (t) => {
       .returns("does-not-exist");
 
     const config = await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput: "javascript,python",
         tempDir,
@@ -393,7 +389,6 @@ test("load input outside of workspace", async (t) => {
   return await withTmpDir(async (tempDir) => {
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           configFile: "../input",
           tempDir,
@@ -421,7 +416,6 @@ test("load non-local input with invalid repo syntax", async (t) => {
 
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           configFile,
           tempDir,
@@ -450,7 +444,6 @@ test("load non-existent input", async (t) => {
 
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           languagesInput,
           configFile,
@@ -534,7 +527,6 @@ test("load non-empty input", async (t) => {
     const configFilePath = createConfigFile(inputFileContents, tempDir);
 
     const actualConfig = await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput,
         buildModeInput: "none",
@@ -591,7 +583,6 @@ test("Using config input and file together, config input should be used.", async
     const languagesInput = "javascript";
 
     const config = await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput,
         configFile: configFilePath,
@@ -642,7 +633,6 @@ test("API client used when reading remote config", async (t) => {
     const languagesInput = "javascript";
 
     await configUtils.initConfig(
-      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput,
         configFile,
@@ -663,7 +653,6 @@ test("Remote config handles the case where a directory is provided", async (t) =
     const repoReference = "octo-org/codeql-config/config.yaml@main";
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           configFile: repoReference,
           tempDir,
@@ -692,7 +681,6 @@ test("Invalid format of remote config handled correctly", async (t) => {
     const repoReference = "octo-org/codeql-config/config.yaml@main";
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           configFile: repoReference,
           tempDir,
@@ -722,7 +710,6 @@ test("No detected languages", async (t) => {
 
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           tempDir,
           codeql,
@@ -745,7 +732,6 @@ test("Unknown languages", async (t) => {
 
     try {
       await configUtils.initConfig(
-        createFeatures([]),
         createTestInitConfigInputs({
           languagesInput,
           tempDir,
@@ -873,7 +859,13 @@ const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
     expectedLanguages: ["javascript"],
   },
 ].forEach((args) => {
-  test(`getLanguages: ${args.name}`, async (t) => {
+  for (const resolveSupportedLanguagesUsingCli of [true, false]) {
+    test(`getLanguages${resolveSupportedLanguagesUsingCli ? " (supported languages via CLI)" : ""}: ${args.name}`, async (t) => {
+      const features = createFeatures(
+        resolveSupportedLanguagesUsingCli
+          ? [Feature.ResolveSupportedLanguagesUsingCli]
+          : [],
+      );
       const mockRequest = mockLanguagesInRepo(args.languagesInRepository);
       const stubExtractorEntry = {
         extractor_root: "",
@@ -909,6 +901,7 @@ const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
           args.languagesInput,
           mockRepositoryNwo,
           ".",
+          features,
           mockLogger,
         );
 
@@ -922,6 +915,7 @@ const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
               args.languagesInput,
               mockRepositoryNwo,
               ".",
+              features,
               mockLogger,
             ),
           { message: args.expectedError },
@@ -929,6 +923,7 @@ const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
       }
       t.deepEqual(mockRequest.called, args.expectedApiCall);
     });
+  }
 });
 
 for (const { displayName, language, feature } of [

src/config-utils.ts

@@ -11,6 +11,7 @@ import {
   CodeQuality,
   codeQualityQueries,
   CodeScanning,
+  parseAnalysisKinds,
 } from "./analyses";
 import * as api from "./api-client";
 import { CachingKind, getCachingKind } from "./caching-utils";
@@ -19,7 +20,6 @@ import {
   calculateAugmentation,
   ExcludeQueryFilter,
   generateCodeScanningConfig,
-  parseUserConfig,
   UserConfig,
 } from "./config/db-config";
 import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-utils";
@@ -34,7 +34,6 @@ import {
   OverlayDatabaseMode,
 } from "./overlay-database-utils";
 import { RepositoryNwo } from "./repository";
-import { ToolsFeature } from "./tools-features";
 import { downloadTrapCaches } from "./trap-caching";
 import {
   GitHubVersion,
@@ -178,10 +177,12 @@ export interface Config {
 
 export async function getSupportedLanguageMap(
   codeql: CodeQL,
+  features: FeatureEnablement,
   logger: Logger,
 ): Promise<Record<string, string>> {
-  const resolveSupportedLanguagesUsingCli = await codeql.supportsFeature(
+  const resolveSupportedLanguagesUsingCli = await features.getValue(
-    ToolsFeature.BuiltinExtractorsSpecifyDefaultQueries,
+    Feature.ResolveSupportedLanguagesUsingCli,
+    codeql,
   );
   const resolveResult = await codeql.betterResolveLanguages({
     filterToLanguagesWithQueries: resolveSupportedLanguagesUsingCli,
@@ -282,6 +283,7 @@ export async function getLanguages(
   languagesInput: string | undefined,
   repository: RepositoryNwo,
   sourceRoot: string,
+  features: FeatureEnablement,
   logger: Logger,
 ): Promise<Language[]> {
   // Obtain languages without filtering them.
@@ -292,7 +294,7 @@ export async function getLanguages(
     logger,
   );
 
-  const languageMap = await getSupportedLanguageMap(codeql, logger);
+  const languageMap = await getSupportedLanguageMap(codeql, features, logger);
   const languagesSet = new Set<Language>();
   const unknownLanguages: string[] = [];
 
@@ -371,8 +373,10 @@ export async function getRawLanguages(
 
 /** Inputs required to initialize a configuration. */
 export interface InitConfigInputs {
+  analysisKindsInput: string;
   languagesInput: string | undefined;
   queriesInput: string | undefined;
+  qualityQueriesInput: string | undefined;
   packsInput: string | undefined;
   configFile: string | undefined;
   dbLocation: string | undefined;
@@ -392,7 +396,6 @@ export interface InitConfigInputs {
   apiDetails: api.GitHubApiCombinedDetails;
   features: FeatureEnablement;
   repositoryProperties: RepositoryProperties;
-  analysisKinds: AnalysisKind[];
   logger: Logger;
 }
 
@@ -402,8 +405,10 @@ export interface InitConfigInputs {
  */
 export async function initActionState(
   {
+    analysisKindsInput,
     languagesInput,
     queriesInput,
+    qualityQueriesInput,
     packsInput,
     buildModeInput,
     dbLocation,
@@ -419,16 +424,28 @@ export async function initActionState(
     githubVersion,
     features,
     repositoryProperties,
-    analysisKinds,
     logger,
   }: InitConfigInputs,
   userConfig: UserConfig,
 ): Promise<Config> {
+  const analysisKinds = await parseAnalysisKinds(analysisKindsInput);
+
+  // For backwards compatibility, add Code Quality to the enabled analysis kinds
+  // if an input to `quality-queries` was specified. We should remove this once
+  // `quality-queries` is no longer used.
+  if (
+    !analysisKinds.includes(AnalysisKind.CodeQuality) &&
+    qualityQueriesInput !== undefined
+  ) {
+    analysisKinds.push(AnalysisKind.CodeQuality);
+  }
+
   const languages = await getLanguages(
     codeql,
     languagesInput,
     repository,
     sourceRoot,
+    features,
     logger,
   );
 
@@ -523,12 +540,10 @@ async function downloadCacheWithTime(
 }
 
 async function loadUserConfig(
-  logger: Logger,
   configFile: string,
   workspacePath: string,
   apiDetails: api.GitHubApiCombinedDetails,
   tempDir: string,
-  validateConfig: boolean,
 ): Promise<UserConfig> {
   if (isLocal(configFile)) {
     if (configFile !== userConfigFromActionPath(tempDir)) {
@@ -541,14 +556,9 @@ async function loadUserConfig(
         );
       }
     }
-    return getLocalConfig(logger, configFile, validateConfig);
+    return getLocalConfig(configFile);
   } else {
-    return await getRemoteConfig(
+    return await getRemoteConfig(configFile, apiDetails);
-      logger,
-      configFile,
-      apiDetails,
-      validateConfig,
-    );
   }
 }
 
@@ -784,10 +794,7 @@ function hasQueryCustomisation(userConfig: UserConfig): boolean {
  * This will parse the config from the user input if present, or generate
  * a default config. The parsed config is then stored to a known location.
  */
-export async function initConfig(
+export async function initConfig(inputs: InitConfigInputs): Promise<Config> {
-  features: FeatureEnablement,
-  inputs: InitConfigInputs,
-): Promise<Config> {
   const { logger, tempDir } = inputs;
 
   // if configInput is set, it takes precedence over configFile
@@ -807,14 +814,11 @@ export async function initConfig(
     logger.debug("No configuration file was provided");
   } else {
     logger.debug(`Using configuration file: ${inputs.configFile}`);
-    const validateConfig = await features.getValue(Feature.ValidateDbConfig);
     userConfig = await loadUserConfig(
-      logger,
       inputs.configFile,
       inputs.workspacePath,
       inputs.apiDetails,
       tempDir,
-      validateConfig,
     );
   }
 
@@ -908,11 +912,7 @@ function isLocal(configPath: string): boolean {
   return configPath.indexOf("@") === -1;
 }
 
-function getLocalConfig(
+function getLocalConfig(configFile: string): UserConfig {
-  logger: Logger,
-  configFile: string,
-  validateConfig: boolean,
-): UserConfig {
   // Error if the file does not exist
   if (!fs.existsSync(configFile)) {
     throw new ConfigurationError(
@@ -920,19 +920,12 @@ function getLocalConfig(
     );
   }
 
-  return parseUserConfig(
+  return yaml.load(fs.readFileSync(configFile, "utf8")) as UserConfig;
-    logger,
-    configFile,
-    fs.readFileSync(configFile, "utf-8"),
-    validateConfig,
-  );
 }
 
 async function getRemoteConfig(
-  logger: Logger,
   configFile: string,
   apiDetails: api.GitHubApiCombinedDetails,
-  validateConfig: boolean,
 ): Promise<UserConfig> {
   // retrieve the various parts of the config location, and ensure they're present
   const format = new RegExp(
@@ -940,7 +933,7 @@ async function getRemoteConfig(
   );
   const pieces = format.exec(configFile);
   // 5 = 4 groups + the whole expression
-  if (pieces?.groups === undefined || pieces.length < 5) {
+  if (pieces === null || pieces.groups === undefined || pieces.length < 5) {
     throw new ConfigurationError(
       errorMessages.getConfigFileRepoFormatInvalidMessage(configFile),
     );
@@ -968,12 +961,9 @@ async function getRemoteConfig(
     );
   }
 
-  return parseUserConfig(
+  return yaml.load(
-    logger,
-    configFile,
     Buffer.from(fileContents, "base64").toString("binary"),
-    validateConfig,
+  ) as UserConfig;
-  );
 }
 
 /**
@@ -1033,6 +1023,7 @@ export async function getConfig(
  * pack.
  *
  * @param registriesInput The value of the `registries` input.
+ * @param codeQL a codeQL object, used only for checking the version of CodeQL.
  * @param tempDir a temporary directory to store the generated qlconfig.yml file.
  * @param logger a logger object.
  * @returns The path to the generated `qlconfig.yml` file and the auth tokens to

src/config/db-config.test.ts

@@ -2,13 +2,7 @@ import test, { ExecutionContext } from "ava";
 
 import { RepositoryProperties } from "../feature-flags/properties";
 import { KnownLanguage, Language } from "../languages";
-import { getRunnerLogger } from "../logging";
+import { prettyPrintPack } from "../util";
-import {
-  checkExpectedLogMessages,
-  getRecordingLogger,
-  LoggedMessage,
-} from "../testing-utils";
-import { ConfigurationError, prettyPrintPack } from "../util";
 
 import * as dbConfig from "./db-config";
 
@@ -397,111 +391,3 @@ test(
   {},
   /"a-pack-without-a-scope" is not a valid pack/,
 );
-
-test("parseUserConfig - successfully parses valid YAML", (t) => {
-  const result = dbConfig.parseUserConfig(
-    getRunnerLogger(true),
-    "test",
-    `
-    paths-ignore:
-      - "some/path"
-    queries:
-      - uses: foo
-    some-unknown-option: true
-    `,
-    true,
-  );
-  t.truthy(result);
-  if (t.truthy(result["paths-ignore"])) {
-    t.is(result["paths-ignore"].length, 1);
-    t.is(result["paths-ignore"][0], "some/path");
-  }
-  if (t.truthy(result["queries"])) {
-    t.is(result["queries"].length, 1);
-    t.deepEqual(result["queries"][0], { uses: "foo" });
-  }
-});
-
-test("parseUserConfig - throws a ConfigurationError if the file is not valid YAML", (t) => {
-  t.throws(
-    () =>
-      dbConfig.parseUserConfig(
-        getRunnerLogger(true),
-        "test",
-        `
-        paths-ignore:
-         - "some/path"
-         queries:
-         - foo
-        `,
-        true,
-      ),
-    {
-      instanceOf: ConfigurationError,
-    },
-  );
-});
-
-test("parseUserConfig - validation isn't picky about `query-filters`", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  t.notThrows(() =>
-    dbConfig.parseUserConfig(
-      logger,
-      "test",
-      `
-        query-filters:
-          - something
-          - include: foo
-          - exclude: bar
-        `,
-      true,
-    ),
-  );
-});
-
-test("parseUserConfig - throws a ConfigurationError if validation fails", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  t.throws(
-    () =>
-      dbConfig.parseUserConfig(
-        logger,
-        "test",
-        `
-        paths-ignore:
-         - "some/path"
-        queries: true
-        `,
-        true,
-      ),
-    {
-      instanceOf: ConfigurationError,
-      message:
-        'The configuration file "test" is invalid: instance.queries is not of a type(s) array.',
-    },
-  );
-
-  const expectedMessages = ["instance.queries is not of a type(s) array"];
-  checkExpectedLogMessages(t, loggedMessages, expectedMessages);
-});
-
-test("parseUserConfig - throws no ConfigurationError if validation should fail, but feature is disabled", (t) => {
-  const loggedMessages: LoggedMessage[] = [];
-  const logger = getRecordingLogger(loggedMessages);
-
-  t.notThrows(() =>
-    dbConfig.parseUserConfig(
-      logger,
-      "test",
-      `
-        paths-ignore:
-         - "some/path"
-        queries: true
-        `,
-      false,
-    ),
-  );
-});

src/config/db-config.ts

@@ -1,7 +1,5 @@
 import * as path from "path";
 
-import * as yaml from "js-yaml";
-import * as jsonschema from "jsonschema";
 import * as semver from "semver";
 
 import * as errorMessages from "../error-messages";
@@ -160,6 +158,7 @@ const PACK_IDENTIFIER_PATTERN = (function () {
  * Version and path are optional.
  *
  * @param packStr the package specification to verify.
+ * @param configFile Config file to use for error reporting
  */
 export function parsePacksSpecification(packStr: string): Pack {
   if (typeof packStr !== "string") {
@@ -379,7 +378,10 @@ function combineQueries(
   const result: QuerySpec[] = [];
 
   // Query settings obtained from the repository properties have the highest precedence.
-  if (augmentationProperties.repoPropertyQueries?.input) {
+  if (
+    augmentationProperties.repoPropertyQueries &&
+    augmentationProperties.repoPropertyQueries.input
+  ) {
     logger.info(
       `Found query configuration in the repository properties (${RepositoryPropertyName.EXTRA_QUERIES}): ` +
         `${augmentationProperties.repoPropertyQueries.input.map((q) => q.uses).join(", ")}`,
@@ -472,53 +474,3 @@ export function generateCodeScanningConfig(
 
   return augmentedConfig;
 }
-
-/**
- * Attempts to parse `contents` into a `UserConfig` value.
- *
- * @param logger The logger to use.
- * @param pathInput The path to the file where `contents` was obtained from, for use in error messages.
- * @param contents The string contents of a YAML file to try and parse as a `UserConfig`.
- * @param validateConfig Whether to validate the configuration file against the schema.
- * @returns The `UserConfig` corresponding to `contents`, if parsing was successful.
- * @throws A `ConfigurationError` if parsing failed.
- */
-export function parseUserConfig(
-  logger: Logger,
-  pathInput: string,
-  contents: string,
-  validateConfig: boolean,
-): UserConfig {
-  try {
-    const schema =
-      // eslint-disable-next-line @typescript-eslint/no-require-imports
-      require("../../src/db-config-schema.json") as jsonschema.Schema;
-
-    const doc = yaml.load(contents);
-
-    if (validateConfig) {
-      const result = new jsonschema.Validator().validate(doc, schema);
-
-      if (result.errors.length > 0) {
-        for (const error of result.errors) {
-          logger.error(error.stack);
-        }
-        throw new ConfigurationError(
-          errorMessages.getInvalidConfigFileMessage(
-            pathInput,
-            result.errors.map((e) => e.stack),
-          ),
-        );
-      }
-    }
-
-    return doc as UserConfig;
-  } catch (error) {
-    if (error instanceof yaml.YAMLException) {
-      throw new ConfigurationError(
-        errorMessages.getConfigFileParseErrorMessage(pathInput, error.message),
-      );
-    }
-    throw error;
-  }
-}

src/database-upload.test.ts

@@ -5,7 +5,6 @@ import test from "ava";
 import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
-import { AnalysisKind } from "./analyses";
 import { GitHubApiDetails } from "./api-client";
 import * as apiClient from "./api-client";
 import { createStubCodeQL } from "./codeql";
@@ -109,39 +108,6 @@ test("Abort database upload if 'upload-database' input set to false", async (t)
   });
 });
 
-test("Abort database upload if 'analysis-kinds: code-scanning' is not enabled", async (t) => {
-  await withTmpDir(async (tmpDir) => {
-    setupActionsVars(tmpDir, tmpDir);
-    sinon
-      .stub(actionsUtil, "getRequiredInput")
-      .withArgs("upload-database")
-      .returns("true");
-    sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
-
-    await mockHttpRequests(201);
-
-    const loggedMessages = [];
-    await uploadDatabases(
-      testRepoName,
-      getCodeQL(),
-      {
-        ...getTestConfig(tmpDir),
-        analysisKinds: [AnalysisKind.CodeQuality],
-      },
-      testApiDetails,
-      getRecordingLogger(loggedMessages),
-    );
-    t.assert(
-      loggedMessages.find(
-        (v: LoggedMessage) =>
-          v.type === "debug" &&
-          v.message ===
-            "Not uploading database because 'analysis-kinds: code-scanning' is not enabled.",
-      ) !== undefined,
-    );
-  });
-});
-
 test("Abort database upload if running against GHES", async (t) => {
   await withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);

src/database-upload.ts

@@ -1,7 +1,6 @@
 import * as fs from "fs";
 
 import * as actionsUtil from "./actions-util";
-import { AnalysisKind } from "./analyses";
 import { getApiClient, GitHubApiDetails } from "./api-client";
 import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
@@ -23,13 +22,6 @@ export async function uploadDatabases(
     return;
   }
 
-  if (!config.analysisKinds.includes(AnalysisKind.CodeScanning)) {
-    logger.debug(
-      `Not uploading database because 'analysis-kinds: ${AnalysisKind.CodeScanning}' is not enabled.`,
-    );
-    return;
-  }
-
   if (util.isInTestMode()) {
     logger.debug("In test mode. Skipping database upload.");
     return;