Merge pull request #3324 from github/backport-v3.31.5-fdbfb4d27

Merge releases/v4 into releases/v3

.github/actions/check-sarif/action.yml

@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: node24
+  using: node20
   main: index.js

.github/pull_request_template.md

@@ -18,14 +18,25 @@ For internal use only. Please select the risk level of this change:
 
 #### Which use cases does this change impact?
 
-<!-- Delete options that don't apply. -->
+<!-- Delete options that don't apply. If in doubt, do not delete an option. -->
 
-- **Advanced setup** - Impacts users who have custom workflows.
-- **Default setup** - Impacts users who use default setup.
-- **Code Scanning** - Impacts Code Scanning (i.e. `analysis-kinds: code-scanning`).
-- **Code Quality** - Impacts Code Quality (i.e. `analysis-kinds: code-quality`).
-- **Third-party analyses** - Impacts third-party analyses (i.e. `upload-sarif`).
-- **GHES** - Impacts GitHub Enterprise Server.
+Workflow types:
+
+- **Advanced setup** - Impacts users who have custom CodeQL workflows.
+- **Managed** - Impacts users with `dynamic` workflows (Default Setup, CCR, ...).
+
+Products:
+
+- **Code Scanning** - The changes impact analyses when `analysis-kinds: code-scanning`.
+- **Code Quality** - The changes impact analyses when `analysis-kinds: code-quality`.
+- **CCR** - The changes impact analyses for Copilot Code Reviews.
+- **Third-party analyses** - The changes affect the `upload-sarif` action.
+
+Environments:
+
+- **Dotcom** - Impacts CodeQL workflows on `github.com`.
+- **GHES** - Impacts CodeQL workflows on GitHub Enterprise Server.
+- **Testing/None** - This change does not impact any CodeQL workflows in production.
 
 #### How did/will you validate this change?
 
@@ -54,6 +65,15 @@ For internal use only. Please select the risk level of this change:
     - **Alerts** - New or existing monitors will trip if something goes wrong with this change.
 - **Other** - Please provide details.
 
+#### Are there any special considerations for merging or releasing this change?
+
+<!--
+    Consider whether this change depends on a different change in another repository that should be released first.
+-->
+
+- **No special considerations** - This change can be merged at any time.
+- **Special considerations** - This change should only be merged once certain preconditions are met. Please provide details of those or link to this PR from an internal issue.
+
 ### Merge / deployment checklist
 
 - Confirm this change is backwards compatible with existing workflows.

.github/workflows/__all-platform-bundle.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -74,6 +84,10 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - id: init
         uses: ./../action/init
         with:

.github/workflows/__analyze-ref-input.yml

@@ -32,6 +32,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -44,6 +49,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -85,6 +95,10 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__autobuild-action.yml

@@ -21,9 +21,19 @@ on:
   schedule:
     - cron: '0 5 * * *'
   workflow_dispatch:
-    inputs: {}
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
-    inputs: {}
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -59,6 +69,10 @@ jobs:
           version: ${{ matrix.version }}
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           languages: csharp

.github/workflows/__build-mode-manual.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -70,6 +80,10 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__export-file-baseline-information.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -74,6 +84,10 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__go-custom-queries.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -72,6 +82,10 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           languages: go

.github/workflows/__go.yml

@@ -18,6 +18,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 jobs:
   go-custom-queries:
     name: 'Go: Custom queries'
@@ -27,6 +32,7 @@ jobs:
     uses: ./.github/workflows/__go-custom-queries.yml
     with:
       go-version: ${{ inputs.go-version }}
+      dotnet-version: ${{ inputs.dotnet-version }}
   go-indirect-tracing-workaround-diagnostic:
     name: 'Go: diagnostic when Go is changed after init step'
     permissions:

.github/workflows/__local-bundle.yml

@@ -32,6 +32,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -44,6 +49,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -85,6 +95,10 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Fetch latest CodeQL bundle
         run: |
           wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst

.github/workflows/__multi-language-autodetect.yml

@@ -32,6 +32,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -44,6 +49,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -119,6 +129,10 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -32,6 +32,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -44,6 +49,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -96,6 +106,10 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__packaging-config-inputs-js.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -81,6 +91,10 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__packaging-config-js.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -81,6 +91,10 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging.yml

.github/workflows/__packaging-inputs-js.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -81,6 +91,10 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging2.yml

.github/workflows/__remote-config.yml

@@ -32,6 +32,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -44,6 +49,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -87,6 +97,10 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__rubocop-multi-language.yml

@@ -56,7 +56,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
+        uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71 # v1.268.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/__split-workflow.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -80,6 +90,10 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__swift-custom-build.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -74,6 +84,10 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"

.github/workflows/__unset-environment.yml

@@ -32,6 +32,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -44,6 +49,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -87,6 +97,10 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__upload-ref-sha-input.yml

@@ -32,6 +32,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -44,6 +49,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -85,6 +95,10 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__upload-sarif.yml

@@ -32,6 +32,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -44,6 +49,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -92,6 +102,10 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__with-checkout-path.yml

@@ -32,6 +32,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
   workflow_call:
     inputs:
       go-version:
@@ -44,6 +49,11 @@ on:
         description: The version of Python to install
         required: false
         default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
   run:
     shell: bash
@@ -85,6 +95,10 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
       - name: Delete original checkout
         run: |
           # delete the original checkout so we don't accidentally use it.

.github/workflows/debug-artifacts-failure-safe.yml

@@ -54,6 +54,10 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version: ^1.13.1
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: '9.x'
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/debug-artifacts-safe.yml

@@ -50,6 +50,10 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version: ^1.13.1
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: '9.x'
       - uses: ./../action/init
         id: init
         with:

.github/workflows/test-codeql-bundle-all.yml

@@ -43,6 +43,10 @@ jobs:
       with:
         version: ${{ matrix.version }}
         use-all-platform-bundle: true
+    - name: Install .NET
+      uses: actions/setup-dotnet@v5
+      with:
+        dotnet-version: '9.x'
     - id: init
       uses: ./../action/init
       with:

CHANGELOG.md

@@ -2,35 +2,44 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## [UNRELEASED]
+## 3.31.5 - 24 Nov 2025
 
-- CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
+- Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321)
 
-## 4.31.2 - 30 Oct 2025
+## 3.31.4 - 18 Nov 2025
 
 No user facing changes.
 
-## 4.31.1 - 30 Oct 2025
+## 3.31.3 - 13 Nov 2025
+
+- CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
+- Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288)
+
+## 3.31.2 - 30 Oct 2025
+
+No user facing changes.
+
+## 3.31.1 - 30 Oct 2025
 
 - The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
 
-## 4.31.0 - 24 Oct 2025
+## 3.31.0 - 24 Oct 2025
 
 - Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
 - When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
 
-## 4.30.9 - 17 Oct 2025
+## 3.30.9 - 17 Oct 2025
 
 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
 - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
 
-## 4.30.8 - 10 Oct 2025
+## 3.30.8 - 10 Oct 2025
 
 No user facing changes.
 
-## 4.30.7 - 06 Oct 2025
+## 3.30.7 - 06 Oct 2025
 
-- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
+No user facing changes.
 
 ## 3.30.6 - 02 Oct 2025
 
@@ -266,17 +275,13 @@ No user facing changes.
 ## 3.26.12 - 07 Oct 2024
 
 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)
-
   - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
-
   - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
 
 ## 3.26.11 - 03 Oct 2024
 
 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.
-
   Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
-
   This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
 - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)
 
@@ -399,12 +404,9 @@ No user facing changes.
 ## 3.25.0 - 15 Apr 2024
 
 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224)
-
   As a result, the following inputs and environment variables are now ignored:
-
   - The `setup-python-dependencies` input to the `init` Action
   - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable
-
   We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0.
 - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229)
 - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232)

analyze/action.yml

@@ -94,6 +94,6 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: node24
+  using: node20
   main: "../lib/analyze-action.js"
   post: "../lib/analyze-action-post.js"

autobuild/action.yml

@@ -15,5 +15,5 @@ inputs:
       $GITHUB_WORKSPACE as its working directory.
     required: false
 runs:
-  using: node24
+  using: node20
   main: '../lib/autobuild-action.js'

init/action.yml

@@ -165,6 +165,6 @@ outputs:
   codeql-version:
     description: The version of the CodeQL binary used for analysis
 runs:
-  using: node24
+  using: node20
   main: '../lib/init-action.js'
   post: '../lib/init-action-post.js'

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.3",
-  "cliVersion": "2.23.3",
-  "priorBundleVersion": "codeql-bundle-v2.23.2",
-  "priorCliVersion": "2.23.2"
+  "bundleVersion": "codeql-bundle-v2.23.6",
+  "cliVersion": "2.23.6",
+  "priorBundleVersion": "codeql-bundle-v2.23.5",
+  "priorCliVersion": "2.23.5"
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.31.3",
+  "version": "3.31.5",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -35,23 +35,21 @@
     "@actions/io": "^2.0.0",
     "@actions/tool-cache": "^2.0.2",
     "@octokit/plugin-retry": "^6.0.0",
-    "@octokit/request-error": "^7.0.2",
     "@schemastore/package": "0.0.10",
     "archiver": "^7.0.1",
     "fast-deep-equal": "^3.1.3",
     "follow-redirects": "^1.15.11",
     "get-folder-size": "^5.0.0",
-    "js-yaml": "^4.1.0",
+    "js-yaml": "^4.1.1",
     "jsonschema": "1.4.1",
     "long": "^5.3.2",
     "node-forge": "^1.3.1",
-    "octokit": "^5.0.5",
     "semver": "^7.7.3",
     "uuid": "^13.0.0"
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^1.4.1",
+    "@eslint/compat": "^2.0.0",
     "@eslint/eslintrc": "^3.3.1",
     "@eslint/js": "^9.39.1",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
@@ -59,10 +57,10 @@
     "@types/archiver": "^7.0.0",
     "@types/follow-redirects": "^1.14.4",
     "@types/js-yaml": "^4.0.9",
-    "@types/node": "20.19.9",
+    "@types/node": "^20.19.9",
     "@types/node-forge": "^1.3.14",
     "@types/semver": "^7.7.1",
-    "@types/sinon": "^17.0.4",
+    "@types/sinon": "^21.0.0",
     "@typescript-eslint/eslint-plugin": "^8.46.4",
     "@typescript-eslint/parser": "^8.41.0",
     "ava": "^6.4.1",
@@ -72,9 +70,9 @@
     "eslint-plugin-filenames": "^1.3.2",
     "eslint-plugin-github": "^5.1.8",
     "eslint-plugin-import": "2.29.1",
-    "eslint-plugin-jsdoc": "^61.1.12",
+    "eslint-plugin-jsdoc": "^61.2.1",
     "eslint-plugin-no-async-foreach": "^0.1.1",
-    "glob": "^11.0.3",
+    "glob": "^11.1.0",
     "nock": "^14.0.10",
     "sinon": "^21.0.0",
     "typescript": "^5.9.3"
@@ -98,6 +96,7 @@
     "eslint-plugin-jsx-a11y": {
       "semver": ">=6.3.1"
     },
-    "brace-expansion@2.0.1": "2.0.2"
+    "brace-expansion@2.0.1": "2.0.2",
+    "glob": "^11.1.0"
   }
 }

pr-checks/checks/all-platform-bundle.yml

@@ -4,6 +4,7 @@ operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["nightly-latest"]
 useAllPlatformBundle: "true"
 installGo: true
+installDotNet: true
 steps:
   - id: init
     uses: ./../action/init

pr-checks/checks/analyze-ref-input.yml

@@ -3,6 +3,7 @@ description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
 installPython: true
+installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/autobuild-action.yml

@@ -2,6 +2,7 @@ name: "autobuild-action"
 description: "Tests that the C# autobuild action works"
 operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["linked"]
+installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/build-mode-manual.yml

@@ -2,6 +2,7 @@ name: "Build mode manual"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
 versions: ["nightly-latest"]
 installGo: true
+installDotNet: true
 steps:
   - uses: ./../action/init
     id: init

pr-checks/checks/export-file-baseline-information.yml

@@ -3,6 +3,7 @@ description: "Tests that file baseline information is exported when the feature
 operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["nightly-latest"]
 installGo: true
+installDotNet: true
 env:
   CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
 steps:

pr-checks/checks/go-custom-queries.yml

@@ -7,6 +7,7 @@ versions:
   - linked
   - nightly-latest
 installGo: true
+installDotNet: true
 env:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:

pr-checks/checks/local-bundle.yml

@@ -3,6 +3,7 @@ description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["linked"]
 installGo: true
 installPython: true
+installDotNet: true
 steps:
   - name: Fetch latest CodeQL bundle
     run: |

pr-checks/checks/multi-language-autodetect.yml

@@ -5,6 +5,7 @@ env:
   CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
 installPython: true
+installDotNet: true
 steps:
   - name: Use Xcode 16
     if: runner.os == 'macOS' && matrix.version != 'nightly-latest'

pr-checks/checks/packaging-codescanning-config-inputs-js.yml

@@ -4,6 +4,7 @@ versions: ["linked", "default", "nightly-latest"] # This feature is not compatib
 installGo: true
 installNode: true
 installPython: true
+installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/packaging-config-inputs-js.yml

@@ -3,6 +3,7 @@ description: "Checks that specifying packages using a combination of a config fi
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
+installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/packaging-config-js.yml

@@ -3,6 +3,7 @@ description: "Checks that specifying packages using only a config file works"
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
+installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/packaging-inputs-js.yml

@@ -3,6 +3,7 @@ description: "Checks that specifying packages using the input to the Action work
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
+installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/remote-config.yml

@@ -7,6 +7,7 @@ versions:
   - nightly-latest
 installGo: true
 installPython: true
+installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/rubocop-multi-language.yml

@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
   - name: Set up Ruby
-    uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
+    uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71 # v1.268.0
     with:
       ruby-version: 2.6
   - name: Install Code Scanning integration

pr-checks/checks/split-workflow.yml

@@ -3,6 +3,7 @@ description: "Tests a split-up workflow in which we first build a database and l
 operatingSystems: ["ubuntu", "macos"]
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
+installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/swift-custom-build.yml

@@ -3,6 +3,7 @@ description: "Tests creation of a Swift database using custom build"
 versions: ["linked", "default", "nightly-latest"]
 operatingSystems: ["macos"]
 installGo: true
+installDotNet: true
 env:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:

pr-checks/checks/unset-environment.yml

@@ -7,6 +7,7 @@ versions:
   - nightly-latest
 installGo: true
 installPython: true
+installDotNet: true
 steps:
   - uses: ./../action/init
     id: init

pr-checks/checks/upload-ref-sha-input.yml

@@ -3,6 +3,7 @@ description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
 installPython: true
+installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/upload-sarif.yml

@@ -4,6 +4,7 @@ versions: ["default"]
 analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
 installGo: true
 installPython: true
+installDotNet: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/with-checkout-path.yml

@@ -3,6 +3,7 @@ description: "Checks that a custom `checkout_path` will find the proper commit_o
 versions: ["linked"]
 installGo: true
 installPython: true
+installDotNet: true
 steps:
   # This ensures we don't accidentally use the original checkout for any part of the test.
   - name: Delete original checkout

pr-checks/sync.py

@@ -204,6 +204,25 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
             }
         })
 
+    installDotNet = is_truthy(checkSpecification.get('installDotNet', ''))
+
+    if installDotNet:
+        baseDotNetVersionExpr = '9.x'
+        workflowInputs['dotnet-version'] = {
+            'type': 'string',
+            'description': 'The version of .NET to install',
+            'required': False,
+            'default': baseDotNetVersionExpr,
+        }
+
+        steps.append({
+            'name': 'Install .NET',
+            'uses': 'actions/setup-dotnet@v5',
+            'with': {
+                'dotnet-version': '${{ inputs.dotnet-version || \'' + baseDotNetVersionExpr + '\' }}'
+            }
+        })
+
     # If container initialisation steps are present in the check specification,
     # make sure to execute them first.
     if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:

resolve-environment/action.yml

@@ -21,5 +21,5 @@ outputs:
   environment:
     description: The inferred build environment configuration.
 runs:
-  using: node24
+  using: node20
   main: '../lib/resolve-environment-action.js'

setup-codeql/action.yml

@@ -35,5 +35,5 @@ outputs:
   codeql-version:
     description: The version of the CodeQL binary that was installed.
 runs:
-  using: node24
+  using: node20
   main: '../lib/setup-codeql-action.js'

src/actions-util.ts

@@ -80,7 +80,7 @@ export function isRunningLocalAction(): boolean {
  *
  * This can be used to get the Action's name or tell if we're running a local Action.
  */
-export function getRelativeScriptPath(): string {
+function getRelativeScriptPath(): string {
   const runnerTemp = getRequiredEnvParam("RUNNER_TEMP");
   const actionsDirectory = path.join(path.dirname(runnerTemp), "_actions");
   return path.relative(actionsDirectory, __filename);

src/analyses.ts

@@ -98,7 +98,7 @@ export async function getAnalysisKinds(
 export const codeQualityQueries: string[] = ["code-quality"];
 
 // Enumerates API endpoints that accept SARIF files.
-export enum SARIF_UPLOAD_ENDPOINT {
+enum SARIF_UPLOAD_ENDPOINT {
   CODE_SCANNING = "PUT /repos/:owner/:repo/code-scanning/analysis",
   CODE_QUALITY = "PUT /repos/:owner/:repo/code-quality/analysis",
 }

src/analyze-action.ts

@@ -25,7 +25,7 @@ import {
   isCodeQualityEnabled,
   isCodeScanningEnabled,
 } from "./config-utils";
-import { uploadDatabases } from "./database-upload";
+import { cleanupAndUploadDatabases } from "./database-upload";
 import {
   DependencyCacheUploadStatusReport,
   uploadDependencyCaches,
@@ -35,7 +35,7 @@ import { EnvVar } from "./environment";
 import { Feature, Features } from "./feature-flags";
 import { KnownLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
-import { uploadOverlayBaseDatabaseToCache } from "./overlay-database-utils";
+import { cleanupAndUploadOverlayBaseDatabaseToCache } from "./overlay-database-utils";
 import { getRepositoryNwo } from "./repository";
 import * as statusReport from "./status-report";
 import {
@@ -417,12 +417,21 @@ async function run() {
     }
 
     // Possibly upload the overlay-base database to actions cache.
-    // If databases are to be uploaded, they will first be cleaned up at the overlay level.
-    await uploadOverlayBaseDatabaseToCache(codeql, config, logger);
+    // Note: Take care with the ordering of this call since databases may be cleaned up
+    // at the `overlay` level.
+    await cleanupAndUploadOverlayBaseDatabaseToCache(codeql, config, logger);
 
     // Possibly upload the database bundles for remote queries.
-    // If databases are to be uploaded, they will first be cleaned up at the clear level.
-    await uploadDatabases(repositoryNwo, codeql, config, apiDetails, logger);
+    // Note: Take care with the ordering of this call since databases may be cleaned up
+    // at the `overlay` or `clear` level.
+    await cleanupAndUploadDatabases(
+      repositoryNwo,
+      codeql,
+      config,
+      apiDetails,
+      features,
+      logger,
+    );
 
     // Possibly upload the TRAP caches for later re-use
     const trapCacheUploadStartTime = performance.now();

src/api-client.ts

@@ -18,11 +18,6 @@ import {
 
 const GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
 
-export enum DisallowedAPIVersionReason {
-  ACTION_TOO_OLD,
-  ACTION_TOO_NEW,
-}
-
 export type GitHubApiCombinedDetails = GitHubApiDetails &
   GitHubApiExternalRepoDetails;
 

src/cli-errors.ts

@@ -159,10 +159,7 @@ type CliErrorConfiguration = {
  * All of our caught CLI error messages that we handle specially: ie. if we
  * would like to categorize an error as a configuration error or not.
  */
-export const cliErrorsConfig: Record<
-  CliConfigErrorCategory,
-  CliErrorConfiguration
-> = {
+const cliErrorsConfig: Record<CliConfigErrorCategory, CliErrorConfiguration> = {
   [CliConfigErrorCategory.AutobuildError]: {
     cliErrorMessageCandidates: [
       new RegExp("We were unable to automatically build your code"),

src/codeql.ts

@@ -35,7 +35,7 @@ import { ToolsDownloadStatusReport } from "./tools-download";
 import { ToolsFeature, isSupportedToolsFeature } from "./tools-features";
 import { shouldEnableIndirectTracing } from "./tracer-config";
 import * as util from "./util";
-import { BuildMode, getErrorMessage } from "./util";
+import { BuildMode, CleanupLevel, getErrorMessage } from "./util";
 
 type Options = Array<string | number | boolean>;
 
@@ -141,7 +141,10 @@ export interface CodeQL {
   /**
    * Clean up all the databases within a database cluster.
    */
-  databaseCleanupCluster(config: Config, cleanupLevel: string): Promise<void>;
+  databaseCleanupCluster(
+    config: Config,
+    cleanupLevel: CleanupLevel,
+  ): Promise<void>;
   /**
    * Run 'codeql database bundle'.
    */
@@ -513,7 +516,7 @@ export async function getCodeQLForTesting(
  *        version requirement. Must be set to true outside tests.
  * @returns A new CodeQL object
  */
-export async function getCodeQLForCmd(
+async function getCodeQLForCmd(
   cmd: string,
   checkVersion: boolean,
 ): Promise<CodeQL> {
@@ -878,7 +881,7 @@ export async function getCodeQLForCmd(
     },
     async databaseCleanupCluster(
       config: Config,
-      cleanupLevel: string,
+      cleanupLevel: CleanupLevel,
     ): Promise<void> {
       const cacheCleanupFlag = (await util.codeQlVersionAtLeast(
         this,
@@ -1222,7 +1225,7 @@ export async function getTrapCachingExtractorConfigArgsForLang(
  *
  * This will not exist if the configuration is being parsed in the Action.
  */
-export function getGeneratedCodeScanningConfigPath(config: Config): string {
+function getGeneratedCodeScanningConfigPath(config: Config): string {
   return path.resolve(config.tempDir, "user-config.yaml");
 }
 

src/config-utils.test.ts

@@ -37,7 +37,9 @@ import {
   ConfigurationError,
   withTmpDir,
   BuildMode,
+  DiskUsage,
 } from "./util";
+import * as util from "./util";
 
 setupTests(test);
 
@@ -200,12 +202,9 @@ test("load code quality config", async (t) => {
     );
 
     // And the config we expect it to result in
-    const expectedConfig: configUtils.Config = {
-      version: actionsUtil.getActionVersion(),
+    const expectedConfig = createTestConfig({
       analysisKinds: [AnalysisKind.CodeQuality],
       languages: [KnownLanguage.actions],
-      buildMode: undefined,
-      originalUserInput: {},
       // This gets set because we only have `AnalysisKind.CodeQuality`
       computedConfig: {
         "disable-default-queries": true,
@@ -219,14 +218,7 @@ test("load code quality config", async (t) => {
       debugMode: false,
       debugArtifactName: "",
       debugDatabaseName: "",
-      trapCaches: {},
-      trapCacheDownloadTime: 0,
-      dependencyCachingEnabled: CachingKind.None,
-      extraQueryExclusions: [],
-      overlayDatabaseMode: OverlayDatabaseMode.None,
-      useOverlayDatabaseCaching: false,
-      repositoryProperties: {},
-    };
+    });
 
     t.deepEqual(config, expectedConfig);
   });
@@ -507,9 +499,7 @@ test("load non-empty input", async (t) => {
     };
 
     // And the config we expect it to parse to
-    const expectedConfig: configUtils.Config = {
-      version: actionsUtil.getActionVersion(),
-      analysisKinds: [AnalysisKind.CodeScanning],
+    const expectedConfig = createTestConfig({
       languages: [KnownLanguage.javascript],
       buildMode: BuildMode.None,
       originalUserInput: userConfig,
@@ -521,14 +511,7 @@ test("load non-empty input", async (t) => {
       debugMode: false,
       debugArtifactName: "my-artifact",
       debugDatabaseName: "my-db",
-      trapCaches: {},
-      trapCacheDownloadTime: 0,
-      dependencyCachingEnabled: CachingKind.None,
-      extraQueryExclusions: [],
-      overlayDatabaseMode: OverlayDatabaseMode.None,
-      useOverlayDatabaseCaching: false,
-      repositoryProperties: {},
-    };
+    });
 
     const languagesInput = "javascript";
     const configFilePath = createConfigFile(inputFileContents, tempDir);
@@ -990,12 +973,12 @@ interface OverlayDatabaseModeTestSetup {
   features: Feature[];
   isPullRequest: boolean;
   isDefaultBranch: boolean;
-  repositoryOwner: string;
   buildMode: BuildMode | undefined;
   languages: Language[];
   codeqlVersion: string;
   gitRoot: string | undefined;
   codeScanningConfig: configUtils.UserConfig;
+  diskUsage: DiskUsage | undefined;
 }
 
 const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
@@ -1003,12 +986,15 @@ const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
   features: [],
   isPullRequest: false,
   isDefaultBranch: false,
-  repositoryOwner: "github",
   buildMode: BuildMode.None,
   languages: [KnownLanguage.javascript],
   codeqlVersion: CODEQL_OVERLAY_MINIMUM_VERSION,
   gitRoot: "/some/git/root",
   codeScanningConfig: {},
+  diskUsage: {
+    numAvailableBytes: 50_000_000_000,
+    numTotalBytes: 100_000_000_000,
+  },
 };
 
 const getOverlayDatabaseModeMacro = test.macro({
@@ -1041,6 +1027,8 @@ const getOverlayDatabaseModeMacro = test.macro({
             setup.overlayDatabaseEnvVar;
         }
 
+        sinon.stub(util, "checkDiskUsage").resolves(setup.diskUsage);
+
         // Mock feature flags
         const features = createFeatures(setup.features);
 
@@ -1049,12 +1037,6 @@ const getOverlayDatabaseModeMacro = test.macro({
           .stub(actionsUtil, "isAnalyzingPullRequest")
           .returns(setup.isPullRequest);
 
-        // Mock repository owner
-        const repository = {
-          owner: setup.repositoryOwner,
-          repo: "test-repo",
-        };
-
         // Set up CodeQL mock
         const codeql = mockCodeQLVersion(setup.codeqlVersion);
 
@@ -1077,7 +1059,6 @@ const getOverlayDatabaseModeMacro = test.macro({
 
         const result = await configUtils.getOverlayDatabaseMode(
           codeql,
-          repository,
           features,
           setup.languages,
           tempDir, // sourceRoot
@@ -1205,6 +1186,45 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "No overlay-base database on default branch if runner disk space is too low",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    isDefaultBranch: true,
+    diskUsage: {
+      numAvailableBytes: 1_000_000_000,
+      numTotalBytes: 100_000_000_000,
+    },
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "No overlay-base database on default branch if we can't determine runner disk space",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    isDefaultBranch: true,
+    diskUsage: undefined,
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+  },
+);
+
 test(
   getOverlayDatabaseModeMacro,
   "No overlay-base database on default branch when code-scanning feature enabled with disable-default-queries",
@@ -1375,6 +1395,45 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "No overlay analysis on PR if runner disk space is too low",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    isPullRequest: true,
+    diskUsage: {
+      numAvailableBytes: 1_000_000_000,
+      numTotalBytes: 100_000_000_000,
+    },
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "No overlay analysis on PR if we can't determine runner disk space",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    isPullRequest: true,
+    diskUsage: undefined,
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+  },
+);
+
 test(
   getOverlayDatabaseModeMacro,
   "No overlay analysis on PR when code-scanning feature enabled with disable-default-queries",
@@ -1499,10 +1558,9 @@ test(
 
 test(
   getOverlayDatabaseModeMacro,
-  "Overlay PR analysis by env for dsp-testing",
+  "Overlay PR analysis by env",
   {
     overlayDatabaseEnvVar: "overlay",
-    repositoryOwner: "dsp-testing",
   },
   {
     overlayDatabaseMode: OverlayDatabaseMode.Overlay,
@@ -1512,10 +1570,10 @@ test(
 
 test(
   getOverlayDatabaseModeMacro,
-  "Overlay PR analysis by env for other-org",
+  "Overlay PR analysis by env on a runner with low disk space",
   {
     overlayDatabaseEnvVar: "overlay",
-    repositoryOwner: "other-org",
+    diskUsage: { numAvailableBytes: 0, numTotalBytes: 100_000_000_000 },
   },
   {
     overlayDatabaseMode: OverlayDatabaseMode.Overlay,
@@ -1525,12 +1583,11 @@ test(
 
 test(
   getOverlayDatabaseModeMacro,
-  "Overlay PR analysis by feature flag for dsp-testing",
+  "Overlay PR analysis by feature flag",
   {
     languages: [KnownLanguage.javascript],
     features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
     isPullRequest: true,
-    repositoryOwner: "dsp-testing",
   },
   {
     overlayDatabaseMode: OverlayDatabaseMode.Overlay,
@@ -1538,21 +1595,6 @@ test(
   },
 );
 
-test(
-  getOverlayDatabaseModeMacro,
-  "No overlay PR analysis by feature flag for other-org",
-  {
-    languages: [KnownLanguage.javascript],
-    features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript],
-    isPullRequest: true,
-    repositoryOwner: "other-org",
-  },
-  {
-    overlayDatabaseMode: OverlayDatabaseMode.None,
-    useOverlayDatabaseCaching: false,
-  },
-);
-
 test(
   getOverlayDatabaseModeMacro,
   "Fallback due to autobuild with traced language",

src/config-utils.ts

@@ -43,10 +43,22 @@ import {
   codeQlVersionAtLeast,
   cloneObject,
   isDefined,
+  checkDiskUsage,
 } from "./util";
 
 export * from "./config/db-config";
 
+/**
+ * The minimum available disk space (in MB) required to perform overlay analysis.
+ * If the available disk space on the runner is below the threshold when deciding
+ * whether to perform overlay analysis, then the action will not perform overlay
+ * analysis unless overlay analysis has been explicitly enabled via environment
+ * variable.
+ */
+const OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 20000;
+const OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES =
+  OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1_000_000;
+
 export type RegistryConfigWithCredentials = RegistryConfigNoCredentials & {
   // Token to use when downloading packs from this registry.
   token: string;
@@ -148,6 +160,9 @@ export interface Config {
   /** A value indicating how dependency caching should be used. */
   dependencyCachingEnabled: CachingKind;
 
+  /** The keys of caches that we restored, if any. */
+  dependencyCachingRestoredKeys: string[];
+
   /**
    * Extra query exclusions to append to the config.
    */
@@ -176,7 +191,7 @@ export interface Config {
   repositoryProperties: RepositoryProperties;
 }
 
-export async function getSupportedLanguageMap(
+async function getSupportedLanguageMap(
   codeql: CodeQL,
   logger: Logger,
 ): Promise<Record<string, string>> {
@@ -239,7 +254,7 @@ export function hasActionsWorkflows(sourceRoot: string): boolean {
 /**
  * Gets the set of languages in the current repository.
  */
-export async function getRawLanguagesInRepo(
+async function getRawLanguagesInRepo(
   repository: RepositoryNwo,
   sourceRoot: string,
   logger: Logger,
@@ -348,7 +363,7 @@ export function getRawLanguagesNoAutodetect(
  * @returns A tuple containing a list of languages in this repository that might be
  * analyzable and whether or not this list was determined automatically.
  */
-export async function getRawLanguages(
+async function getRawLanguages(
   languagesInput: string | undefined,
   repository: RepositoryNwo,
   sourceRoot: string,
@@ -496,6 +511,7 @@ export async function initActionState(
     trapCaches,
     trapCacheDownloadTime,
     dependencyCachingEnabled: getCachingKind(dependencyCachingEnabled),
+    dependencyCachingRestoredKeys: [],
     extraQueryExclusions: [],
     overlayDatabaseMode: OverlayDatabaseMode.None,
     useOverlayDatabaseCaching: false,
@@ -579,17 +595,11 @@ const OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES: Record<Language, Feature> = {
 };
 
 async function isOverlayAnalysisFeatureEnabled(
-  repository: RepositoryNwo,
   features: FeatureEnablement,
   codeql: CodeQL,
   languages: Language[],
   codeScanningConfig: UserConfig,
 ): Promise<boolean> {
-  // TODO: Remove the repository owner check once support for overlay analysis
-  // stabilizes, and no more backward-incompatible changes are expected.
-  if (!["github", "dsp-testing"].includes(repository.owner)) {
-    return false;
-  }
   if (!(await features.getValue(Feature.OverlayAnalysis, codeql))) {
     return false;
   }
@@ -647,7 +657,6 @@ async function isOverlayAnalysisFeatureEnabled(
  */
 export async function getOverlayDatabaseMode(
   codeql: CodeQL,
-  repository: RepositoryNwo,
   features: FeatureEnablement,
   languages: Language[],
   sourceRoot: string,
@@ -676,27 +685,43 @@ export async function getOverlayDatabaseMode(
     );
   } else if (
     await isOverlayAnalysisFeatureEnabled(
-      repository,
       features,
       codeql,
       languages,
       codeScanningConfig,
     )
   ) {
-    if (isAnalyzingPullRequest()) {
-      overlayDatabaseMode = OverlayDatabaseMode.Overlay;
-      useOverlayDatabaseCaching = true;
+    const diskUsage = await checkDiskUsage(logger);
+    if (
+      diskUsage === undefined ||
+      diskUsage.numAvailableBytes < OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES
+    ) {
+      const diskSpaceMb =
+        diskUsage === undefined
+          ? 0
+          : Math.round(diskUsage.numAvailableBytes / 1_000_000);
+      overlayDatabaseMode = OverlayDatabaseMode.None;
+      useOverlayDatabaseCaching = false;
       logger.info(
         `Setting overlay database mode to ${overlayDatabaseMode} ` +
-          "with caching because we are analyzing a pull request.",
-      );
-    } else if (await isAnalyzingDefaultBranch()) {
-      overlayDatabaseMode = OverlayDatabaseMode.OverlayBase;
-      useOverlayDatabaseCaching = true;
-      logger.info(
-        `Setting overlay database mode to ${overlayDatabaseMode} ` +
-          "with caching because we are analyzing the default branch.",
+          `due to insufficient disk space (${diskSpaceMb} MB).`,
       );
+    } else {
+      if (isAnalyzingPullRequest()) {
+        overlayDatabaseMode = OverlayDatabaseMode.Overlay;
+        useOverlayDatabaseCaching = true;
+        logger.info(
+          `Setting overlay database mode to ${overlayDatabaseMode} ` +
+            "with caching because we are analyzing a pull request.",
+        );
+      } else if (await isAnalyzingDefaultBranch()) {
+        overlayDatabaseMode = OverlayDatabaseMode.OverlayBase;
+        useOverlayDatabaseCaching = true;
+        logger.info(
+          `Setting overlay database mode to ${overlayDatabaseMode} ` +
+            "with caching because we are analyzing the default branch.",
+        );
+      }
     }
   }
 
@@ -846,7 +871,6 @@ export async function initConfig(
   const { overlayDatabaseMode, useOverlayDatabaseCaching } =
     await getOverlayDatabaseMode(
       inputs.codeql,
-      inputs.repository,
       inputs.features,
       config.languages,
       inputs.sourceRoot,
@@ -1235,7 +1259,7 @@ export function isCodeQualityEnabled(config: Config): boolean {
  * @returns Returns `AnalysisKind.CodeScanning` if `AnalysisKind.CodeScanning` is enabled;
  * otherwise `AnalysisKind.CodeQuality`.
  */
-export function getPrimaryAnalysisKind(config: Config): AnalysisKind {
+function getPrimaryAnalysisKind(config: Config): AnalysisKind {
   return isCodeScanningEnabled(config)
     ? AnalysisKind.CodeScanning
     : AnalysisKind.CodeQuality;

src/database-upload.test.ts

@@ -10,11 +10,12 @@ import { GitHubApiDetails } from "./api-client";
 import * as apiClient from "./api-client";
 import { createStubCodeQL } from "./codeql";
 import { Config } from "./config-utils";
-import { uploadDatabases } from "./database-upload";
+import { cleanupAndUploadDatabases } from "./database-upload";
 import * as gitUtils from "./git-utils";
 import { KnownLanguage } from "./languages";
 import { RepositoryNwo } from "./repository";
 import {
+  createFeatures,
   createTestConfig,
   getRecordingLogger,
   LoggedMessage,
@@ -91,11 +92,12 @@ test("Abort database upload if 'upload-database' input set to false", async (t)
     sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
 
     const loggedMessages = [];
-    await uploadDatabases(
+    await cleanupAndUploadDatabases(
       testRepoName,
       getCodeQL(),
       getTestConfig(tmpDir),
       testApiDetails,
+      createFeatures([]),
       getRecordingLogger(loggedMessages),
     );
     t.assert(
@@ -121,7 +123,7 @@ test("Abort database upload if 'analysis-kinds: code-scanning' is not enabled",
     await mockHttpRequests(201);
 
     const loggedMessages = [];
-    await uploadDatabases(
+    await cleanupAndUploadDatabases(
       testRepoName,
       getCodeQL(),
       {
@@ -129,6 +131,7 @@ test("Abort database upload if 'analysis-kinds: code-scanning' is not enabled",
         analysisKinds: [AnalysisKind.CodeQuality],
       },
       testApiDetails,
+      createFeatures([]),
       getRecordingLogger(loggedMessages),
     );
     t.assert(
@@ -155,11 +158,12 @@ test("Abort database upload if running against GHES", async (t) => {
     config.gitHubVersion = { type: GitHubVariant.GHES, version: "3.0" };
 
     const loggedMessages = [];
-    await uploadDatabases(
+    await cleanupAndUploadDatabases(
       testRepoName,
       getCodeQL(),
       config,
       testApiDetails,
+      createFeatures([]),
       getRecordingLogger(loggedMessages),
     );
     t.assert(
@@ -183,11 +187,12 @@ test("Abort database upload if not analyzing default branch", async (t) => {
     sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(false);
 
     const loggedMessages = [];
-    await uploadDatabases(
+    await cleanupAndUploadDatabases(
       testRepoName,
       getCodeQL(),
       getTestConfig(tmpDir),
       testApiDetails,
+      createFeatures([]),
       getRecordingLogger(loggedMessages),
     );
     t.assert(
@@ -212,11 +217,12 @@ test("Don't crash if uploading a database fails", async (t) => {
     await mockHttpRequests(500);
 
     const loggedMessages = [] as LoggedMessage[];
-    await uploadDatabases(
+    await cleanupAndUploadDatabases(
       testRepoName,
       getCodeQL(),
       getTestConfig(tmpDir),
       testApiDetails,
+      createFeatures([]),
       getRecordingLogger(loggedMessages),
     );
 
@@ -243,11 +249,12 @@ test("Successfully uploading a database to github.com", async (t) => {
     await mockHttpRequests(201);
 
     const loggedMessages = [] as LoggedMessage[];
-    await uploadDatabases(
+    await cleanupAndUploadDatabases(
       testRepoName,
       getCodeQL(),
       getTestConfig(tmpDir),
       testApiDetails,
+      createFeatures([]),
       getRecordingLogger(loggedMessages),
     );
     t.assert(
@@ -272,7 +279,7 @@ test("Successfully uploading a database to GHEC-DR", async (t) => {
     const databaseUploadSpy = await mockHttpRequests(201);
 
     const loggedMessages = [] as LoggedMessage[];
-    await uploadDatabases(
+    await cleanupAndUploadDatabases(
       testRepoName,
       getCodeQL(),
       getTestConfig(tmpDir),
@@ -281,6 +288,7 @@ test("Successfully uploading a database to GHEC-DR", async (t) => {
         url: "https://tenant.ghe.com",
         apiURL: undefined,
       },
+      createFeatures([]),
       getRecordingLogger(loggedMessages),
     );
     t.assert(

src/database-upload.ts

@@ -5,17 +5,20 @@ import { AnalysisKind } from "./analyses";
 import { getApiClient, GitHubApiDetails } from "./api-client";
 import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
+import { Feature, FeatureEnablement } from "./feature-flags";
 import * as gitUtils from "./git-utils";
 import { Logger, withGroupAsync } from "./logging";
+import { OverlayDatabaseMode } from "./overlay-database-utils";
 import { RepositoryNwo } from "./repository";
 import * as util from "./util";
-import { bundleDb, parseGitHubUrl } from "./util";
+import { bundleDb, CleanupLevel, parseGitHubUrl } from "./util";
 
-export async function uploadDatabases(
+export async function cleanupAndUploadDatabases(
   repositoryNwo: RepositoryNwo,
   codeql: CodeQL,
   config: Config,
   apiDetails: GitHubApiDetails,
+  features: FeatureEnablement,
   logger: Logger,
 ): Promise<void> {
   if (actionsUtil.getRequiredInput("upload-database") !== "true") {
@@ -50,10 +53,16 @@ export async function uploadDatabases(
     return;
   }
 
+  const cleanupLevel =
+    config.overlayDatabaseMode === OverlayDatabaseMode.OverlayBase &&
+    (await features.getValue(Feature.UploadOverlayDbToApi))
+      ? CleanupLevel.Overlay
+      : CleanupLevel.Clear;
+
   // Clean up the database, since intermediate results may still be written to the
   // database if there is high RAM pressure.
   await withGroupAsync("Cleaning up databases", async () => {
-    await codeql.databaseCleanupCluster(config, "clear");
+    await codeql.databaseCleanupCluster(config, cleanupLevel);
   });
 
   const client = getApiClient();

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.3",
-  "cliVersion": "2.23.3",
-  "priorBundleVersion": "codeql-bundle-v2.23.2",
-  "priorCliVersion": "2.23.2"
+  "bundleVersion": "codeql-bundle-v2.23.6",
+  "cliVersion": "2.23.6",
+  "priorBundleVersion": "codeql-bundle-v2.23.5",
+  "priorCliVersion": "2.23.5"
 }

src/dependency-caching.test.ts

@@ -7,6 +7,7 @@ import test from "ava";
 import * as sinon from "sinon";
 
 import { cacheKeyHashLength } from "./caching-utils";
+import * as cachingUtils from "./caching-utils";
 import { createStubCodeQL } from "./codeql";
 import {
   CacheConfig,
@@ -20,6 +21,8 @@ import {
   downloadDependencyCaches,
   CacheHitKind,
   cacheKey,
+  uploadDependencyCaches,
+  CacheStoreResult,
 } from "./dependency-caching";
 import { Feature } from "./feature-flags";
 import { KnownLanguage } from "./languages";
@@ -29,6 +32,7 @@ import {
   getRecordingLogger,
   checkExpectedLogMessages,
   LoggedMessage,
+  createTestConfig,
 } from "./testing-utils";
 import { withTmpDir } from "./util";
 
@@ -237,15 +241,17 @@ test("downloadDependencyCaches - does not restore caches with feature keys if no
     .resolves(CSHARP_BASE_PATTERNS);
   makePatternCheckStub.withArgs(CSHARP_EXTRA_PATTERNS).resolves(undefined);
 
-  const results = await downloadDependencyCaches(
+  const result = await downloadDependencyCaches(
     codeql,
     createFeatures([]),
     [KnownLanguage.csharp],
     logger,
   );
-  t.is(results.length, 1);
-  t.is(results[0].language, KnownLanguage.csharp);
-  t.is(results[0].hit_kind, CacheHitKind.Miss);
+  const statusReport = result.statusReport;
+  t.is(statusReport.length, 1);
+  t.is(statusReport[0].language, KnownLanguage.csharp);
+  t.is(statusReport[0].hit_kind, CacheHitKind.Miss);
+  t.deepEqual(result.restoredKeys, []);
   t.assert(restoreCacheStub.calledOnce);
 });
 
@@ -257,7 +263,8 @@ test("downloadDependencyCaches - restores caches with feature keys if features a
   const logger = getRecordingLogger(messages);
   const features = createFeatures([Feature.CsharpNewCacheKey]);
 
-  sinon.stub(glob, "hashFiles").resolves("abcdef");
+  const mockHash = "abcdef";
+  sinon.stub(glob, "hashFiles").resolves(mockHash);
 
   const keyWithFeature = await cacheKey(
     codeql,
@@ -277,15 +284,28 @@ test("downloadDependencyCaches - restores caches with feature keys if features a
     .resolves(CSHARP_BASE_PATTERNS);
   makePatternCheckStub.withArgs(CSHARP_EXTRA_PATTERNS).resolves(undefined);
 
-  const results = await downloadDependencyCaches(
+  const result = await downloadDependencyCaches(
     codeql,
     features,
     [KnownLanguage.csharp],
     logger,
   );
-  t.is(results.length, 1);
-  t.is(results[0].language, KnownLanguage.csharp);
-  t.is(results[0].hit_kind, CacheHitKind.Exact);
+
+  // Check that the status report for telemetry indicates that one cache was restored with an exact match.
+  const statusReport = result.statusReport;
+  t.is(statusReport.length, 1);
+  t.is(statusReport[0].language, KnownLanguage.csharp);
+  t.is(statusReport[0].hit_kind, CacheHitKind.Exact);
+
+  // Check that the restored key has been returned.
+  const restoredKeys = result.restoredKeys;
+  t.is(restoredKeys.length, 1);
+  t.assert(
+    restoredKeys[0].endsWith(mockHash),
+    "Expected restored key to end with hash returned by `hashFiles`",
+  );
+
+  // `restoreCache` should have been called exactly once.
   t.assert(restoreCacheStub.calledOnce);
 });
 
@@ -297,8 +317,14 @@ test("downloadDependencyCaches - restores caches with feature keys if features a
   const logger = getRecordingLogger(messages);
   const features = createFeatures([Feature.CsharpNewCacheKey]);
 
+  // We expect two calls to `hashFiles`: the first by the call to `cacheKey` below,
+  // and the second by `downloadDependencyCaches`. We use the result of the first
+  // call as part of the cache key that identifies a mock, existing cache. The result
+  // of the second call is for the primary restore key, which we don't want to match
+  // the first key so that we can test the restore keys logic.
+  const restoredHash = "abcdef";
   const hashFilesStub = sinon.stub(glob, "hashFiles");
-  hashFilesStub.onFirstCall().resolves("abcdef");
+  hashFilesStub.onFirstCall().resolves(restoredHash);
   hashFilesStub.onSecondCall().resolves("123456");
 
   const keyWithFeature = await cacheKey(
@@ -319,18 +345,230 @@ test("downloadDependencyCaches - restores caches with feature keys if features a
     .resolves(CSHARP_BASE_PATTERNS);
   makePatternCheckStub.withArgs(CSHARP_EXTRA_PATTERNS).resolves(undefined);
 
-  const results = await downloadDependencyCaches(
+  const result = await downloadDependencyCaches(
     codeql,
     features,
     [KnownLanguage.csharp],
     logger,
   );
-  t.is(results.length, 1);
-  t.is(results[0].language, KnownLanguage.csharp);
-  t.is(results[0].hit_kind, CacheHitKind.Partial);
+
+  // Check that the status report for telemetry indicates that one cache was restored with a partial match.
+  const statusReport = result.statusReport;
+  t.is(statusReport.length, 1);
+  t.is(statusReport[0].language, KnownLanguage.csharp);
+  t.is(statusReport[0].hit_kind, CacheHitKind.Partial);
+
+  // Check that the restored key has been returned.
+  const restoredKeys = result.restoredKeys;
+  t.is(restoredKeys.length, 1);
+  t.assert(
+    restoredKeys[0].endsWith(restoredHash),
+    "Expected restored key to end with hash returned by `hashFiles`",
+  );
+
   t.assert(restoreCacheStub.calledOnce);
 });
 
+test("uploadDependencyCaches - skips upload for a language with no cache config", async (t) => {
+  const codeql = createStubCodeQL({});
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+  const features = createFeatures([]);
+  const config = createTestConfig({
+    languages: [KnownLanguage.actions],
+  });
+
+  const result = await uploadDependencyCaches(codeql, features, config, logger);
+  t.is(result.length, 0);
+  checkExpectedLogMessages(t, messages, [
+    "Skipping upload of dependency cache for actions",
+  ]);
+});
+
+test("uploadDependencyCaches - skips upload if no files for the hash exist", async (t) => {
+  const codeql = createStubCodeQL({});
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+  const features = createFeatures([]);
+  const config = createTestConfig({
+    languages: [KnownLanguage.go],
+  });
+
+  const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
+  makePatternCheckStub.resolves(undefined);
+
+  const result = await uploadDependencyCaches(codeql, features, config, logger);
+  t.is(result.length, 1);
+  t.is(result[0].language, KnownLanguage.go);
+  t.is(result[0].result, CacheStoreResult.NoHash);
+});
+
+test("uploadDependencyCaches - skips upload if we know the cache already exists", async (t) => {
+  process.env["RUNNER_OS"] = "Linux";
+
+  const codeql = createStubCodeQL({});
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+  const features = createFeatures([]);
+
+  const mockHash = "abcdef";
+  sinon.stub(glob, "hashFiles").resolves(mockHash);
+
+  const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
+  makePatternCheckStub
+    .withArgs(CSHARP_BASE_PATTERNS)
+    .resolves(CSHARP_BASE_PATTERNS);
+
+  const primaryCacheKey = await cacheKey(
+    codeql,
+    features,
+    KnownLanguage.csharp,
+    CSHARP_BASE_PATTERNS,
+  );
+
+  const config = createTestConfig({
+    languages: [KnownLanguage.csharp],
+    dependencyCachingRestoredKeys: [primaryCacheKey],
+  });
+
+  const result = await uploadDependencyCaches(codeql, features, config, logger);
+  t.is(result.length, 1);
+  t.is(result[0].language, KnownLanguage.csharp);
+  t.is(result[0].result, CacheStoreResult.Duplicate);
+});
+
+test("uploadDependencyCaches - skips upload if cache size is 0", async (t) => {
+  process.env["RUNNER_OS"] = "Linux";
+
+  const codeql = createStubCodeQL({});
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+  const features = createFeatures([]);
+
+  const mockHash = "abcdef";
+  sinon.stub(glob, "hashFiles").resolves(mockHash);
+
+  const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
+  makePatternCheckStub
+    .withArgs(CSHARP_BASE_PATTERNS)
+    .resolves(CSHARP_BASE_PATTERNS);
+
+  sinon.stub(cachingUtils, "getTotalCacheSize").resolves(0);
+
+  const config = createTestConfig({
+    languages: [KnownLanguage.csharp],
+  });
+
+  const result = await uploadDependencyCaches(codeql, features, config, logger);
+  t.is(result.length, 1);
+  t.is(result[0].language, KnownLanguage.csharp);
+  t.is(result[0].result, CacheStoreResult.Empty);
+
+  checkExpectedLogMessages(t, messages, [
+    "Skipping upload of dependency cache",
+  ]);
+});
+
+test("uploadDependencyCaches - uploads caches when all requirements are met", async (t) => {
+  process.env["RUNNER_OS"] = "Linux";
+
+  const codeql = createStubCodeQL({});
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+  const features = createFeatures([]);
+
+  const mockHash = "abcdef";
+  sinon.stub(glob, "hashFiles").resolves(mockHash);
+
+  const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
+  makePatternCheckStub
+    .withArgs(CSHARP_BASE_PATTERNS)
+    .resolves(CSHARP_BASE_PATTERNS);
+
+  sinon.stub(cachingUtils, "getTotalCacheSize").resolves(1024);
+  sinon.stub(actionsCache, "saveCache").resolves();
+
+  const config = createTestConfig({
+    languages: [KnownLanguage.csharp],
+  });
+
+  const result = await uploadDependencyCaches(codeql, features, config, logger);
+  t.is(result.length, 1);
+  t.is(result[0].language, KnownLanguage.csharp);
+  t.is(result[0].result, CacheStoreResult.Stored);
+  t.is(result[0].upload_size_bytes, 1024);
+
+  checkExpectedLogMessages(t, messages, ["Uploading cache of size"]);
+});
+
+test("uploadDependencyCaches - catches `ReserveCacheError` exceptions", async (t) => {
+  process.env["RUNNER_OS"] = "Linux";
+
+  const codeql = createStubCodeQL({});
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+  const features = createFeatures([]);
+
+  const mockHash = "abcdef";
+  sinon.stub(glob, "hashFiles").resolves(mockHash);
+
+  const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
+  makePatternCheckStub
+    .withArgs(CSHARP_BASE_PATTERNS)
+    .resolves(CSHARP_BASE_PATTERNS);
+
+  sinon.stub(cachingUtils, "getTotalCacheSize").resolves(1024);
+  sinon
+    .stub(actionsCache, "saveCache")
+    .throws(new actionsCache.ReserveCacheError("Already in use"));
+
+  const config = createTestConfig({
+    languages: [KnownLanguage.csharp],
+  });
+
+  await t.notThrowsAsync(async () => {
+    const result = await uploadDependencyCaches(
+      codeql,
+      features,
+      config,
+      logger,
+    );
+    t.is(result.length, 1);
+    t.is(result[0].language, KnownLanguage.csharp);
+    t.is(result[0].result, CacheStoreResult.Duplicate);
+
+    checkExpectedLogMessages(t, messages, ["Not uploading cache for"]);
+  });
+});
+
+test("uploadDependencyCaches - throws other exceptions", async (t) => {
+  process.env["RUNNER_OS"] = "Linux";
+
+  const codeql = createStubCodeQL({});
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+  const features = createFeatures([]);
+
+  const mockHash = "abcdef";
+  sinon.stub(glob, "hashFiles").resolves(mockHash);
+
+  const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
+  makePatternCheckStub
+    .withArgs(CSHARP_BASE_PATTERNS)
+    .resolves(CSHARP_BASE_PATTERNS);
+
+  sinon.stub(cachingUtils, "getTotalCacheSize").resolves(1024);
+  sinon.stub(actionsCache, "saveCache").throws();
+
+  const config = createTestConfig({
+    languages: [KnownLanguage.csharp],
+  });
+
+  await t.throwsAsync(async () => {
+    await uploadDependencyCaches(codeql, features, config, logger);
+  });
+});
+
 test("getFeaturePrefix - returns empty string if no features are enabled", async (t) => {
   const codeql = createStubCodeQL({});
   const features = createFeatures([]);

src/dependency-caching.ts

@@ -55,7 +55,7 @@ export function getJavaTempDependencyDir(): string {
  * @returns The paths of directories on the runner that should be included in a dependency cache
  * for a Java analysis.
  */
-export function getJavaDependencyDirs(): string[] {
+function getJavaDependencyDirs(): string[] {
   return [
     // Maven
     join(os.homedir(), ".m2", "repository"),
@@ -193,6 +193,14 @@ export interface DependencyCacheRestoreStatus {
 /** An array of `DependencyCacheRestoreStatus` objects for each analysed language with a caching configuration. */
 export type DependencyCacheRestoreStatusReport = DependencyCacheRestoreStatus[];
 
+/** Represents the results of `downloadDependencyCaches`. */
+export interface DownloadDependencyCachesResult {
+  /** The status report for telemetry */
+  statusReport: DependencyCacheRestoreStatusReport;
+  /** An array of cache keys that we have restored and therefore know to exist. */
+  restoredKeys: string[];
+}
+
 /**
  * A wrapper around `cacheConfig.getHashPatterns` which logs when there are no files to calculate
  * a hash for the cache key from.
@@ -239,8 +247,9 @@ export async function downloadDependencyCaches(
   features: FeatureEnablement,
   languages: Language[],
   logger: Logger,
-): Promise<DependencyCacheRestoreStatusReport> {
+): Promise<DownloadDependencyCachesResult> {
   const status: DependencyCacheRestoreStatusReport = [];
+  const restoredKeys: string[] = [];
 
   for (const language of languages) {
     const cacheConfig = defaultCacheConfigs[language];
@@ -288,16 +297,27 @@ export async function downloadDependencyCaches(
 
     if (hitKey !== undefined) {
       logger.info(`Cache hit on key ${hitKey} for ${language}.`);
-      const hit_kind =
-        hitKey === primaryKey ? CacheHitKind.Exact : CacheHitKind.Partial;
-      status.push({ language, hit_kind, download_duration_ms });
+
+      // We have a partial cache hit, unless the key of the restored cache matches the
+      // primary restore key.
+      let hit_kind = CacheHitKind.Partial;
+      if (hitKey === primaryKey) {
+        hit_kind = CacheHitKind.Exact;
+      }
+
+      status.push({
+        language,
+        hit_kind,
+        download_duration_ms,
+      });
+      restoredKeys.push(hitKey);
     } else {
       status.push({ language, hit_kind: CacheHitKind.Miss });
       logger.info(`No suitable cache found for ${language}.`);
     }
   }
 
-  return status;
+  return { statusReport: status, restoredKeys };
 }
 
 /** Enumerates possible outcomes for storing caches. */
@@ -365,6 +385,18 @@ export async function uploadDependencyCaches(
       continue;
     }
 
+    // Now that we have verified that there are suitable files, compute the hash for the cache key.
+    const key = await cacheKey(codeql, features, language, patterns);
+
+    // Check that we haven't previously restored this exact key. If a cache with this key
+    // already exists in the Actions Cache, performing the next steps is pointless as the cache
+    // will not get overwritten. We can therefore skip the expensive work of measuring the size
+    // of the cache contents and attempting to upload it if we know that the cache already exists.
+    if (config.dependencyCachingRestoredKeys.includes(key)) {
+      status.push({ language, result: CacheStoreResult.Duplicate });
+      continue;
+    }
+
     // Calculate the size of the files that we would store in the cache. We use this to determine whether the
     // cache should be saved or not. For example, if there are no files to store, then we skip creating the
     // cache. In the future, we could also:
@@ -390,8 +422,6 @@ export async function uploadDependencyCaches(
       continue;
     }
 
-    const key = await cacheKey(codeql, features, language, patterns);
-
     logger.info(
       `Uploading cache of size ${size} for ${language} with key ${key}...`,
     );

src/environment.ts

@@ -20,12 +20,6 @@ export enum EnvVar {
   /** Whether the CodeQL Action has invoked the Go autobuilder. */
   DID_AUTOBUILD_GOLANG = "CODEQL_ACTION_DID_AUTOBUILD_GOLANG",
 
-  /**
-   * Whether to disable the SARIF post-processing in the Action that removes duplicate locations from
-   * notifications in the `run[].invocations[].toolExecutionNotifications` SARIF property.
-   */
-  DISABLE_DUPLICATE_LOCATION_FIX = "CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX",
-
   /**
    * Whether the CodeQL Action is using its own deprecated and non-standard way of scanning for
    * multiple languages.
@@ -56,20 +50,12 @@ export enum EnvVar {
   /** Whether the error for a deprecated version of the CodeQL Action was logged. */
   LOG_VERSION_DEPRECATION = "CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION",
 
-  /**
-   * For macOS. Result of `csrutil status` to determine whether System Integrity
-   * Protection is enabled.
-   */
-  IS_SIP_ENABLED = "CODEQL_ACTION_IS_SIP_ENABLED",
-
   /** UUID representing the current job run. */
   JOB_RUN_UUID = "JOB_RUN_UUID",
 
   /** Status for the entire job, submitted to the status report in `init-post` */
   JOB_STATUS = "CODEQL_ACTION_JOB_STATUS",
 
-  ODASA_TRACER_CONFIGURATION = "ODASA_TRACER_CONFIGURATION",
-
   /** The value of the `output` input for the analyze action. */
   SARIF_RESULTS_OUTPUT_DIR = "CODEQL_ACTION_SARIF_RESULTS_OUTPUT_DIR",
 

src/feature-flags.ts

@@ -77,6 +77,7 @@ export enum Feature {
   OverlayAnalysisSwift = "overlay_analysis_swift",
   PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
   QaTelemetryEnabled = "qa_telemetry_enabled",
+  UploadOverlayDbToApi = "upload_overlay_db_to_api",
   UseRepositoryProperties = "use_repository_properties",
   ValidateDbConfig = "validate_db_config",
 }
@@ -166,6 +167,11 @@ export const featureConfig: Record<
     legacyApi: true,
     minimumVersion: undefined,
   },
+  [Feature.JavaMinimizeDependencyJars]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
+    minimumVersion: "2.23.0",
+  },
   [Feature.OverlayAnalysis]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -277,21 +283,21 @@ export const featureConfig: Record<
     minimumVersion: undefined,
     toolsFeature: ToolsFeature.PythonDefaultIsToNotExtractStdlib,
   },
-  [Feature.UseRepositoryProperties]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
-    minimumVersion: undefined,
-  },
   [Feature.QaTelemetryEnabled]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_QA_TELEMETRY",
     legacyApi: true,
     minimumVersion: undefined,
   },
-  [Feature.JavaMinimizeDependencyJars]: {
+  [Feature.UploadOverlayDbToApi]: {
     defaultValue: false,
-    envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
-    minimumVersion: "2.23.0",
+    envVar: "CODEQL_ACTION_UPLOAD_OVERLAY_DB_TO_API",
+    minimumVersion: undefined,
+  },
+  [Feature.UseRepositoryProperties]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_USE_REPOSITORY_PROPERTIES",
+    minimumVersion: undefined,
   },
   [Feature.ValidateDbConfig]: {
     defaultValue: false,

src/git-utils.ts

@@ -122,67 +122,6 @@ export const determineBaseBranchHeadCommitOid = async function (
   }
 };
 
-/**
- * Deepen the git history of HEAD by one level. Errors are logged.
- *
- * This function uses the `checkout_path` to determine the repository path and
- * works only when called from `analyze` or `upload-sarif`.
- */
-export const deepenGitHistory = async function () {
-  try {
-    await runGitCommand(
-      getOptionalInput("checkout_path"),
-      [
-        "fetch",
-        "origin",
-        "HEAD",
-        "--no-tags",
-        "--no-recurse-submodules",
-        "--deepen=1",
-      ],
-      "Cannot deepen the shallow repository.",
-    );
-  } catch {
-    // Errors are already logged by runGitCommand()
-  }
-};
-
-/**
- * Fetch the given remote branch. Errors are logged.
- *
- * This function uses the `checkout_path` to determine the repository path and
- * works only when called from `analyze` or `upload-sarif`.
- */
-export const gitFetch = async function (branch: string, extraFlags: string[]) {
-  try {
-    await runGitCommand(
-      getOptionalInput("checkout_path"),
-      ["fetch", "--no-tags", ...extraFlags, "origin", `${branch}:${branch}`],
-      `Cannot fetch ${branch}.`,
-    );
-  } catch {
-    // Errors are already logged by runGitCommand()
-  }
-};
-
-/**
- * Repack the git repository, using with the given flags. Errors are logged.
- *
- * This function uses the `checkout_path` to determine the repository path and
- * works only when called from `analyze` or `upload-sarif`.
- */
-export const gitRepack = async function (flags: string[]) {
-  try {
-    await runGitCommand(
-      getOptionalInput("checkout_path"),
-      ["repack", ...flags],
-      "Cannot repack the repository.",
-    );
-  } catch {
-    // Errors are already logged by runGitCommand()
-  }
-};
-
 /**
  * Decode, if necessary, a file path produced by Git. See
  * https://git-scm.com/docs/git-config#Documentation/git-config.txt-corequotePath

src/init-action.ts

@@ -371,7 +371,7 @@ async function run() {
   }
 
   let overlayBaseDatabaseStats: OverlayBaseDatabaseDownloadStats | undefined;
-  let dependencyCachingResults: DependencyCacheRestoreStatusReport | undefined;
+  let dependencyCachingStatus: DependencyCacheRestoreStatusReport | undefined;
   try {
     if (
       config.overlayDatabaseMode === OverlayDatabaseMode.Overlay &&
@@ -579,12 +579,15 @@ async function run() {
 
     // Restore dependency cache(s), if they exist.
     if (shouldRestoreCache(config.dependencyCachingEnabled)) {
-      dependencyCachingResults = await downloadDependencyCaches(
+      const dependencyCachingResult = await downloadDependencyCaches(
         codeql,
         features,
         config.languages,
         logger,
       );
+      dependencyCachingStatus = dependencyCachingResult.statusReport;
+      config.dependencyCachingRestoredKeys =
+        dependencyCachingResult.restoredKeys;
     }
 
     // Suppress warnings about disabled Python library extraction.
@@ -732,7 +735,7 @@ async function run() {
       toolsSource,
       toolsVersion,
       overlayBaseDatabaseStats,
-      dependencyCachingResults,
+      dependencyCachingStatus,
       logger,
       error,
     );
@@ -755,7 +758,7 @@ async function run() {
     toolsSource,
     toolsVersion,
     overlayBaseDatabaseStats,
-    dependencyCachingResults,
+    dependencyCachingStatus,
     logger,
   );
 }

src/overlay-database-utils.ts

@@ -16,6 +16,7 @@ import { type Config } from "./config-utils";
 import { getCommitOid, getFileOidsUnderPath } from "./git-utils";
 import { Logger, withGroupAsync } from "./logging";
 import {
+  CleanupLevel,
   getErrorMessage,
   isInTestMode,
   tryGetFolderBytes,
@@ -28,7 +29,7 @@ export enum OverlayDatabaseMode {
   None = "none",
 }
 
-export const CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
+export const CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.5";
 
 /**
  * The maximum (uncompressed) size of the overlay base database that we will
@@ -175,7 +176,7 @@ const MAX_CACHE_OPERATION_MS = 600_000;
  * @param warningPrefix Prefix for the check failure warning message
  * @returns True if the verification succeeded, false otherwise
  */
-export function checkOverlayBaseDatabase(
+function checkOverlayBaseDatabase(
   config: Config,
   logger: Logger,
   warningPrefix: string,
@@ -204,7 +205,7 @@ export function checkOverlayBaseDatabase(
  * @returns A promise that resolves to true if the upload was performed and
  * successfully completed, or false otherwise
  */
-export async function uploadOverlayBaseDatabaseToCache(
+export async function cleanupAndUploadOverlayBaseDatabaseToCache(
   codeql: CodeQL,
   config: Config,
   logger: Logger,
@@ -242,7 +243,7 @@ export async function uploadOverlayBaseDatabaseToCache(
 
   // Clean up the database using the overlay cleanup level.
   await withGroupAsync("Cleaning up databases", async () => {
-    await codeql.databaseCleanupCluster(config, "overlay");
+    await codeql.databaseCleanupCluster(config, CleanupLevel.Overlay);
   });
 
   const dbLocation = config.dbLocation;

src/setup-codeql.ts

@@ -34,7 +34,7 @@ export enum ToolsSource {
   Download = "DOWNLOAD",
 }
 
-export const CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
+const CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
 const CODEQL_NIGHTLIES_REPOSITORY_OWNER = "dsp-testing";
 const CODEQL_NIGHTLIES_REPOSITORY_NAME = "codeql-cli-nightlies";
 
@@ -180,17 +180,6 @@ export function tryGetTagNameFromUrl(
   return match[1];
 }
 
-export function tryGetBundleVersionFromUrl(
-  url: string,
-  logger: Logger,
-): string | undefined {
-  const tagName = tryGetTagNameFromUrl(url, logger);
-  if (tagName === undefined) {
-    return undefined;
-  }
-  return tryGetBundleVersionFromTagName(tagName, logger);
-}
-
 export function convertToSemVer(version: string, logger: Logger): string {
   if (!semver.valid(version)) {
     logger.debug(
@@ -580,7 +569,7 @@ export async function getCodeQLSource(
  * Gets a fallback version number to use when looking for CodeQL in the toolcache if we didn't find
  * the `x.y.z` version. This is to support old versions of the toolcache.
  */
-export async function tryGetFallbackToolcacheVersion(
+async function tryGetFallbackToolcacheVersion(
   cliVersion: string | undefined,
   tagName: string,
   logger: Logger,
@@ -729,7 +718,7 @@ function getCanonicalToolcacheVersion(
   return cliVersion;
 }
 
-export interface SetupCodeQLResult {
+interface SetupCodeQLResult {
   codeqlFolder: string;
   toolsDownloadStatusReport?: ToolsDownloadStatusReport;
   toolsSource: ToolsSource;
@@ -750,7 +739,7 @@ export async function setupCodeQLBundle(
   defaultCliVersion: CodeQLDefaultVersionInfo,
   features: FeatureEnablement,
   logger: Logger,
-) {
+): Promise<SetupCodeQLResult> {
   if (!(await util.isBinaryAccessible("tar", logger))) {
     throw new util.ConfigurationError(
       "Could not find tar in PATH, so unable to extract CodeQL bundle.",

src/start-proxy.ts

@@ -8,7 +8,7 @@ import { ConfigurationError, getErrorMessage, isDefined } from "./util";
 
 export const UPDATEJOB_PROXY = "update-job-proxy";
 export const UPDATEJOB_PROXY_VERSION = "v2.0.20250624110901";
-export const UPDATEJOB_PROXY_URL_PREFIX =
+const UPDATEJOB_PROXY_URL_PREFIX =
   "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.22.0/";
 
 export type Credential = {
@@ -202,7 +202,7 @@ export function getFallbackUrl(proxyPackage: string): string {
  *
  * @returns The response from the GitHub API.
  */
-export async function getLinkedRelease() {
+async function getLinkedRelease() {
   return getApiClient().rest.repos.getReleaseByTag({
     owner: "github",
     repo: "codeql-action",

src/status-report.ts

@@ -54,7 +54,7 @@ export enum ActionName {
  * considered to be a third party analysis and is treated differently when calculating SLOs. To ensure
  * misconfigured workflows are not treated as third party, only the upload-sarif action can return false.
  */
-export function isFirstPartyAnalysis(actionName: ActionName): boolean {
+function isFirstPartyAnalysis(actionName: ActionName): boolean {
   if (actionName !== ActionName.UploadSarif) {
     return true;
   }

src/testing-utils.ts

@@ -392,6 +392,7 @@ export function createTestConfig(overrides: Partial<Config>): Config {
       trapCaches: {},
       trapCacheDownloadTime: 0,
       dependencyCachingEnabled: CachingKind.None,
+      dependencyCachingRestoredKeys: [],
       extraQueryExclusions: [],
       overlayDatabaseMode: OverlayDatabaseMode.None,
       useOverlayDatabaseCaching: false,

src/tools-download.ts

@@ -17,7 +17,7 @@ import { cleanUpPath, getErrorMessage, getRequiredEnvParam } from "./util";
 /**
  * High watermark to use when streaming the download and extraction of the CodeQL tools.
  */
-export const STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // 4 MiB
+const STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // 4 MiB
 
 /**
  * The name of the tool cache directory for the CodeQL tools.

src/tracer-config.ts

@@ -76,7 +76,7 @@ export async function endTracingForCluster(
   }
 }
 
-export async function getTracerConfigForCluster(
+async function getTracerConfigForCluster(
   config: Config,
 ): Promise<TracerConfig> {
   const tracingEnvVariables = JSON.parse(

src/upload-lib.ts

@@ -412,7 +412,7 @@ export function findSarifFilesInDir(
   return sarifFiles;
 }
 
-export function getSarifFilePaths(
+function getSarifFilePaths(
   sarifPath: string,
   isSarif: (name: string) => boolean,
 ) {

src/util.test.ts

@@ -476,7 +476,7 @@ for (const [
     githubVersion,
   )}`;
   test(`checkActionVersion ${reportErrorDescription} for ${versionsDescription}`, async (t) => {
-    const warningSpy = sinon.spy(core, "error");
+    const warningSpy = sinon.spy(core, "warning");
     const versionStub = sinon
       .stub(api, "getGitHubVersion")
       .resolves(githubVersion);

src/util.ts

@@ -4,7 +4,6 @@ import * as os from "os";
 import * as path from "path";
 
 import * as core from "@actions/core";
-import * as exec from "@actions/exec/lib/exec";
 import * as io from "@actions/io";
 import getFolderSize from "get-folder-size";
 import * as yaml from "js-yaml";
@@ -1026,34 +1025,6 @@ export function fixInvalidNotifications(
   return newSarif;
 }
 
-/**
- * Removes duplicates from the sarif file.
- *
- * When `CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX` is set to true, this will
- * simply rename the input file to the output file. Otherwise, it will parse the
- * input file as JSON, remove duplicate locations from the SARIF notification
- * objects, and write the result to the output file.
- *
- * For context, see documentation of:
- * `CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX`. */
-export function fixInvalidNotificationsInFile(
-  inputPath: string,
-  outputPath: string,
-  logger: Logger,
-): void {
-  if (process.env[EnvVar.DISABLE_DUPLICATE_LOCATION_FIX] === "true") {
-    logger.info(
-      "SARIF notification object duplicate location fix disabled by the " +
-        `${EnvVar.DISABLE_DUPLICATE_LOCATION_FIX} environment variable.`,
-    );
-    fs.renameSync(inputPath, outputPath);
-  } else {
-    let sarif = JSON.parse(fs.readFileSync(inputPath, "utf8")) as SarifFile;
-    sarif = fixInvalidNotifications(sarif, logger);
-    fs.writeFileSync(outputPath, JSON.stringify(sarif));
-  }
-}
-
 export function wrapError(error: unknown): Error {
   return error instanceof Error ? error : new Error(String(error));
 }
@@ -1141,7 +1112,7 @@ export function checkActionVersion(
           ">=3.20",
         ))
     ) {
-      core.error(
+      core.warning(
         "CodeQL Action v3 will be deprecated in December 2026. " +
           "Please update all occurrences of the CodeQL Action in your workflow files to v4. " +
           "For more information, see " +
@@ -1197,49 +1168,6 @@ export function cloneObject<T>(obj: T): T {
   return JSON.parse(JSON.stringify(obj)) as T;
 }
 
-// The first time this function is called, it runs `csrutil status` to determine
-// whether System Integrity Protection is enabled; and saves the result in an
-// environment variable. Afterwards, simply return the value of the environment
-// variable.
-export async function checkSipEnablement(
-  logger: Logger,
-): Promise<boolean | undefined> {
-  if (
-    process.env[EnvVar.IS_SIP_ENABLED] !== undefined &&
-    ["true", "false"].includes(process.env[EnvVar.IS_SIP_ENABLED])
-  ) {
-    return process.env[EnvVar.IS_SIP_ENABLED] === "true";
-  }
-
-  try {
-    const sipStatusOutput = await exec.getExecOutput("csrutil status");
-    if (sipStatusOutput.exitCode === 0) {
-      if (
-        sipStatusOutput.stdout.includes(
-          "System Integrity Protection status: enabled.",
-        )
-      ) {
-        core.exportVariable(EnvVar.IS_SIP_ENABLED, "true");
-        return true;
-      }
-      if (
-        sipStatusOutput.stdout.includes(
-          "System Integrity Protection status: disabled.",
-        )
-      ) {
-        core.exportVariable(EnvVar.IS_SIP_ENABLED, "false");
-        return false;
-      }
-    }
-    return undefined;
-  } catch (e) {
-    logger.warning(
-      `Failed to determine if System Integrity Protection was enabled: ${e}`,
-    );
-    return undefined;
-  }
-}
-
 export async function cleanUpPath(file: string, name: string, logger: Logger) {
   logger.debug(`Cleaning up ${name}.`);
   try {
@@ -1291,17 +1219,6 @@ export function isDefined<T>(value: T | null | undefined): value is T {
   return value !== undefined && value !== null;
 }
 
-/** Like `Object.keys`, but typed so that the elements of the resulting array have the
- * same type as the keys of the input object. Note that this may not be sound if the input
- * object has been cast to `T` from a subtype of `T` and contains additional keys that
- * are not represented by `keyof T`.
- */
-export function unsafeKeysInvariant<T extends Record<string, any>>(
-  object: T,
-): Array<keyof T> {
-  return Object.keys(object) as Array<keyof T>;
-}
-
 /** Like `Object.entries`, but typed so that the key elements of the result have the
  * same type as the keys of the input object. Note that this may not be sound if the input
  * object has been cast to `T` from a subtype of `T` and contains additional keys that
@@ -1314,3 +1231,8 @@ export function unsafeEntriesInvariant<T extends Record<string, any>>(
     ([_, val]) => val !== undefined,
   ) as Array<[keyof T, Exclude<T[keyof T], undefined>]>;
 }
+
+export enum CleanupLevel {
+  Clear = "clear",
+  Overlay = "overlay",
+}

start-proxy/action.yml

@@ -29,6 +29,6 @@ outputs:
   proxy_urls:
     description: A stringified JSON array of objects containing the types and URLs of the configured registries.
 runs:
-  using: node24
+  using: node20
   main: "../lib/start-proxy-action.js"
   post: "../lib/start-proxy-action-post.js"

upload-sarif/action.yml

@@ -41,6 +41,6 @@ outputs:
 
       { "code-scanning": "some-id", "code-quality": "some-other-id" }
 runs:
-  using: node24
+  using: node20
   main: '../lib/upload-sarif-action.js'
   post: '../lib/upload-sarif-action-post.js'