Add changelog note

Update default bundle to codeql-bundle-v2.23.4
Merge pull request #3275 from github/mbg/checks/filter-ccr
2025-12-25 00:30:08 +08:00 · 2025-11-05 11:18:45 +00:00 · 2025-11-05 11:11:42 +00:00 · 2025-11-05 10:15:57 +00:00 · 2025-11-05 09:01:53 +00:00 · 2025-11-04 22:23:12 +00:00
97 changed files with 73982 additions and 78234 deletions
--- a/.github/actions/release-initialise/action.yml
+++ b/.github/actions/release-initialise/action.yml
@@ -16,9 +16,9 @@ runs:
      shell: bash

    - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
      with:
-        python-version: 3.12
+        python-version: '3.12'

    - name: Install dependencies
      run: |
--- a/.github/sizeup.yml
+++ b/.github/sizeup.yml
@@ -0,0 +1,55 @@
+labeling:
+  applyCategoryLabels: true
+  categoryLabelPrefix: "size/"
+
+commenting:
+  addCommentWhenScoreThresholdHasBeenExceeded: false
+
+sizeup:
+  categories:
+    - name: extra small
+      lte: 25
+      label:
+        name: XS
+        description: Should be very easy to review
+        color: 3cbf00
+    - name: small
+      lte: 100
+      label:
+        name: S
+        description: Should be easy to review
+        color: 5d9801
+    - name: medium
+      lte: 250
+      label:
+        name: M
+        description: Should be of average difficulty to review
+        color: 7f7203
+    - name: large
+      lte: 500
+      label:
+        name: L
+        description: May be hard to review
+        color: a14c05
+    - name: extra large
+      lte: 1000
+      label:
+        name: XL
+        description: May be very hard to review
+        color: c32607
+    - name: extra extra large
+      label:
+        name: XXL
+        description: May be extremely hard to review
+        color: e50009
+  ignoredFilePatterns:
+    - ".github/workflows/__*"
+    - "lib/**/*"
+    - "package-lock.json"
+  testFilePatterns:
+    - "**/*.test.ts"
+  scoring:
+    # This formula and the aliases below it are written in prefix notation.
+    # For an explanation of how this works, please see:
+    # https://github.com/lerebear/sizeup-core/blob/main/README.md#prefix-notation
+    formula: "- - + additions deletions comments whitespace"
--- a/.github/workflows/__bundle-zstd.yml
+++ b/.github/workflows/__bundle-zstd.yml
@@ -79,7 +79,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: ${{ matrix.os }}-zstd-bundle.sarif
          path: ${{ runner.temp }}/results/javascript.sarif
--- a/.github/workflows/__config-export.yml
+++ b/.github/workflows/__config-export.yml
@@ -67,7 +67,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
--- a/.github/workflows/__config-input.yml
+++ b/.github/workflows/__config-input.yml
@@ -49,7 +49,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
--- a/.github/workflows/__diagnostics-export.yml
+++ b/.github/workflows/__diagnostics-export.yml
@@ -78,7 +78,7 @@ jobs:
          output: ${{ runner.temp }}/results
          upload-database: false
      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
--- a/.github/workflows/__export-file-baseline-information.yml
+++ b/.github/workflows/__export-file-baseline-information.yml
@@ -85,7 +85,7 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
--- a/.github/workflows/__job-run-uuid-sarif.yml
+++ b/.github/workflows/__job-run-uuid-sarif.yml
@@ -64,7 +64,7 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -73,7 +73,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -63,7 +63,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -63,7 +63,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -63,7 +63,7 @@ jobs:
      - name: Check out repository
        uses: actions/checkout@v5
      - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version: 20.x
          cache: npm
--- a/.github/workflows/__quality-queries.yml
+++ b/.github/workflows/__quality-queries.yml
@@ -80,9 +80,10 @@ jobs:
        with:
          output: ${{ runner.temp }}/results
          upload-database: false
+          post-processed-sarif-path: ${{ runner.temp }}/post-processed
      - name: Upload security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: |
            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -90,12 +91,20 @@ jobs:
          retention-days: 7
      - name: Upload quality SARIF
        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: |
            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
          path: ${{ runner.temp }}/results/javascript.quality.sarif
          retention-days: 7
+      - name: Upload post-processed SARIF
+        uses: actions/upload-artifact@v5
+        with:
+          name: |
+            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
+          path: ${{ runner.temp }}/post-processed
+          retention-days: 7
+          if-no-files-found: error
      - name: Check quality query does not appear in security SARIF
        if: contains(matrix.analysis-kinds, 'code-scanning')
        uses: actions/github-script@v8
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -56,7 +56,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
+        uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
--- a/.github/workflows/check-expected-release-files.yml
+++ b/.github/workflows/check-expected-release-files.yml
@@ -15,7 +15,7 @@ defaults:

 jobs:
  check-expected-release-files:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim

    permissions:
      contents: read
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -81,7 +81,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

--- a/.github/workflows/codescanning-config-cli.yml
+++ b/.github/workflows/codescanning-config-cli.yml
@@ -56,7 +56,7 @@ jobs:
      uses: actions/checkout@v5

    - name: Set up Node.js
-      uses: actions/setup-node@v5
+      uses: actions/setup-node@v6
      with:
        node-version: 24
        cache: 'npm'
--- a/.github/workflows/debug-artifacts-failure-safe.yml
+++ b/.github/workflows/debug-artifacts-failure-safe.yml
@@ -79,7 +79,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
--- a/.github/workflows/debug-artifacts-safe.yml
+++ b/.github/workflows/debug-artifacts-safe.yml
@@ -73,7 +73,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
      - name: Check expected artifacts exist
        run: |
          VERSIONS="stable-v2.20.3 default linked nightly-latest"
--- a/.github/workflows/label-pr-size.yml
+++ b/.github/workflows/label-pr-size.yml
@@ -0,0 +1,26 @@
+name: Label PR with size
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - edited
+      - ready_for_review
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  sizeup:
+    name: Label PR with size
+    runs-on: ubuntu-slim
+
+    steps:
+      - name: Run sizeup
+        uses: lerebear/sizeup-action@b7beb3dd273e36039e16e48e7bc690c189e61951 # 0.8.12
+        with:
+          token: "${{ secrets.GITHUB_TOKEN }}"
+          configuration-file-path: ".github/sizeup.yml"
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -24,7 +24,7 @@ defaults:

 jobs:
  merge-back:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    environment: Automation
    if: github.repository == 'github/codeql-action'
    env:
@@ -47,7 +47,10 @@ jobs:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v6
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'

      - name: Update git config
        run: |
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -35,7 +35,7 @@ jobs:
      - uses: actions/checkout@v5

      - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -29,7 +29,7 @@ defaults:
 jobs:
  prepare:
    name: "Prepare release"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    if: github.repository == 'github/codeql-action'

    permissions:
--- a/.github/workflows/publish-immutable-action.yml
+++ b/.github/workflows/publish-immutable-action.yml
@@ -1,8 +1,10 @@
 name: 'Publish Immutable Action Version'

 on:
-  release:
-    types: [published]
+  push:
+    tags:
+      # Match version tags, but not the major version tags.
+      - 'v[0-9]+.**'

 defaults:
  run:
@@ -10,30 +12,16 @@ defaults:

 jobs:
  publish:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    permissions:
      contents: read
      id-token: write
      packages: write

    steps:
-      - name: Check release name
-        id: check
-        env:
-          RELEASE_NAME: ${{ github.event.release.name }}
-        run: |
-          echo "Release name: ${{ github.event.release.name }}"
-          if [[ $RELEASE_NAME == v* ]]; then
-            echo "This is a CodeQL Action release. Create an Immutable Action"
-            echo "is-action-release=true" >> $GITHUB_OUTPUT
-          else
-            echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
-            echo "is-action-release=false" >> $GITHUB_OUTPUT
-          fi
-      - name: Checking out
-        if: steps.check.outputs.is-action-release == 'true'
+      - name: Checkout repository
        uses: actions/checkout@v5
-      - name: Publish
-        if: steps.check.outputs.is-action-release == 'true'
+
+      - name: Publish immutable release
        id: publish
        uses: actions/publish-immutable-action@v0.0.4
--- a/.github/workflows/query-filters.yml
+++ b/.github/workflows/query-filters.yml
@@ -32,7 +32,7 @@ jobs:
      uses: actions/checkout@v5

    - name: Install Node.js
-      uses: actions/setup-node@v5
+      uses: actions/setup-node@v6
      with:
        node-version: 24
        cache: npm
--- a/.github/workflows/script/update-required-checks.sh
+++ b/.github/workflows/script/update-required-checks.sh
@@ -29,7 +29,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"

 # Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" | not)] | unique | sort')"

 echo "$CHECKS" | jq

--- a/.github/workflows/update-bundle.yml
+++ b/.github/workflows/update-bundle.yml
@@ -20,7 +20,7 @@ defaults:
 jobs:
  update-bundle:
    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    permissions:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull requests
@@ -41,7 +41,7 @@ jobs:
          git config --global user.name "github-actions[bot]"

      - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: 'npm'
--- a/.github/workflows/update-release-branch.yml
+++ b/.github/workflows/update-release-branch.yml
@@ -26,7 +26,7 @@ jobs:

  update:
    timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    if: github.event_name == 'workflow_dispatch'
    needs: [prepare]
    env:
@@ -77,7 +77,7 @@ jobs:

  backport:
    timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    environment: Automation
    needs: [prepare]
    if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
--- a/.github/workflows/update-supported-enterprise-server-versions.yml
+++ b/.github/workflows/update-supported-enterprise-server-versions.yml
@@ -9,7 +9,7 @@ jobs:
  update-supported-enterprise-server-versions:
    name: Update Supported Enterprise Server Versions
    timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    if: github.repository == 'github/codeql-action'
    permissions:
      contents: write # needed to push commits
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,23 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

+- Update default CodeQL bundle version to 2.23.4. [#3276](https://github.com/github/codeql-action/pull/3276)
+
+## 4.31.2 - 30 Oct 2025
+
+No user facing changes.
+
+## 4.31.1 - 30 Oct 2025
+
+- The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
+
+## 4.31.0 - 24 Oct 2025
+
+- Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
+- When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
+
+## 4.30.9 - 17 Oct 2025
+
 - Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
 - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)

--- a/analyze/action.yml
+++ b/analyze/action.yml
@@ -6,7 +6,7 @@ inputs:
    description: The name of the check run to add text to.
    required: false
  output:
-    description: The path of the directory in which to save the SARIF results
+    description: The path of the directory in which to save the SARIF results from the CodeQL CLI.
    required: false
    default: "../results"
  upload:
@@ -32,14 +32,10 @@ inputs:
      and 13GB for macOS).
    required: false
  add-snippets:
-    description: Specify whether or not to add code snippets to the output sarif file.
+    description: Does not have any effect.
    required: false
-    default: "false"
    deprecationMessage: >-
-      The input "add-snippets" is deprecated and will be removed on the first release in August 2025.
-      When this input is set to true it is expected to add code snippets with an alert to the SARIF file.
-      However, since Code Scanning ignores code snippets provided as part of a SARIF file this is currently
-      a no operation. No alternative is available.
+      The input "add-snippets" has been removed and no longer has any effect.
  skip-queries:
    description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
    required: false
@@ -70,6 +66,12 @@ inputs:
    description: Whether to upload the resulting CodeQL database
    required: false
    default: "true"
+  post-processed-sarif-path:
+    description: >-
+      Before uploading the SARIF files produced by the CodeQL CLI, the CodeQL Action may perform some post-processing
+      on them. Ordinarily, these post-processed SARIF files are not saved to disk. However, if a path is provided as an
+      argument for this input, they are written to the specified directory.
+    required: false
  wait-for-processing:
    description: If true, the Action will wait for the uploaded SARIF to be processed before completing.
    required: true
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -131,6 +131,7 @@ export default [
      "no-sequences": "error",
      "no-shadow": "off",
      "@typescript-eslint/no-shadow": "error",
+      "@typescript-eslint/prefer-optional-chain": "error",
      "one-var": ["error", "never"],
    },
  },
--- a/json-schemas.mjs
+++ b/json-schemas.mjs
@@ -1,29 +0,0 @@
-import fs from "node:fs";
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-
-import { globSync } from "glob";
-import { compileFromFile } from 'json-schema-to-typescript';
-
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-
-const SRC_DIR = path.join(__dirname, "schemas");
-const OUT_DIR = path.join(__dirname, "src");
-
-async function generateTypings() {
-  const schemas = globSync(`${SRC_DIR}/*.json`);
-  for (const schema of schemas) {
-    const outPath = path.join(
-      OUT_DIR,
-      `${path.basename(schema, ".json")}.d.ts`,
-    );
-    const ts = await compileFromFile(schema, {
-      bannerComment:
-        "/* This file was automatically generated by `npm run generate:schemas`. Do not edit by hand. */",
-    });
-    fs.writeFileSync(outPath, ts, "utf-8");
-  }
-}
-
-await generateTypings();
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
--- a/lib/defaults.json
+++ b/lib/defaults.json
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.3",
-  "cliVersion": "2.23.3",
-  "priorBundleVersion": "codeql-bundle-v2.23.2",
-  "priorCliVersion": "2.23.2"
+  "bundleVersion": "codeql-bundle-v2.23.4",
+  "cliVersion": "2.23.4",
+  "priorBundleVersion": "codeql-bundle-v2.23.3",
+  "priorCliVersion": "2.23.3"
 }
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
--- a/lib/init-action.js
+++ b/lib/init-action.js
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.30.9",
+  "version": "4.31.3",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -12,8 +12,7 @@
    "ava": "npm run transpile && ava --serial --verbose",
    "test": "npm run ava -- src/",
    "test-debug": "npm run test -- --timeout=20m",
-    "transpile": "npm run generate:schemas && tsc --build --verbose",
-    "generate:schemas": "node json-schemas.mjs"
+    "transpile": "tsc --build --verbose"
  },
  "ava": {
    "typescript": {
@@ -25,23 +24,20 @@
  },
  "license": "MIT",
  "dependencies": {
-    "@actions/artifact": "^2.3.1",
+    "@actions/artifact": "^4.0.0",
    "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
    "@actions/cache": "^4.1.0",
    "@actions/core": "^1.11.1",
    "@actions/exec": "^1.1.1",
    "@actions/github": "^6.0.0",
    "@actions/glob": "^0.5.0",
-    "@actions/http-client": "^2.2.3",
-    "@actions/io": "^1.1.3",
+    "@actions/http-client": "^3.0.0",
+    "@actions/io": "^2.0.0",
    "@actions/tool-cache": "^2.0.2",
    "@octokit/plugin-retry": "^6.0.0",
-    "@octokit/request-error": "^7.0.1",
+    "@octokit/request-error": "^7.0.2",
    "@schemastore/package": "0.0.10",
    "archiver": "^7.0.1",
-    "check-disk-space": "^3.4.0",
-    "console-log-level": "^1.4.1",
-    "del": "^8.0.0",
    "fast-deep-equal": "^3.1.3",
    "follow-redirects": "^1.15.11",
    "get-folder-size": "^5.0.0",
@@ -49,29 +45,28 @@
    "jsonschema": "1.4.1",
    "long": "^5.3.2",
    "node-forge": "^1.3.1",
-    "octokit": "^5.0.3",
+    "octokit": "^5.0.5",
    "semver": "^7.7.3",
    "uuid": "^13.0.0"
  },
  "devDependencies": {
    "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^1.4.0",
+    "@eslint/compat": "^1.4.1",
    "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.37.0",
+    "@eslint/js": "^9.39.0",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
-    "@octokit/types": "^15.0.0",
-    "@types/archiver": "^6.0.3",
-    "@types/console-log-level": "^1.4.5",
+    "@octokit/types": "^16.0.0",
+    "@types/archiver": "^7.0.0",
    "@types/follow-redirects": "^1.14.4",
    "@types/js-yaml": "^4.0.9",
    "@types/node": "20.19.9",
    "@types/node-forge": "^1.3.14",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.46.0",
+    "@typescript-eslint/eslint-plugin": "^8.46.3",
    "@typescript-eslint/parser": "^8.41.0",
    "ava": "^6.4.1",
-    "esbuild": "^0.25.10",
+    "esbuild": "^0.25.12",
    "eslint": "^8.57.1",
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-filenames": "^1.3.2",
@@ -79,7 +74,6 @@
    "eslint-plugin-import": "2.29.1",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.0.3",
-    "json-schema-to-typescript": "^15.0.4",
    "nock": "^14.0.10",
    "sinon": "^21.0.0",
    "typescript": "^5.9.3"
--- a/pr-checks/checks/bundle-zstd.yml
+++ b/pr-checks/checks/bundle-zstd.yml
@@ -27,7 +27,7 @@ steps:
      output: ${{ runner.temp }}/results
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
    with:
      name: ${{ matrix.os }}-zstd-bundle.sarif
      path: ${{ runner.temp }}/results/javascript.sarif
--- a/pr-checks/checks/config-export.yml
+++ b/pr-checks/checks/config-export.yml
@@ -12,7 +12,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
    with:
      name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
--- a/pr-checks/checks/diagnostics-export.yml
+++ b/pr-checks/checks/diagnostics-export.yml
@@ -25,7 +25,7 @@ steps:
      output: "${{ runner.temp }}/results"
      upload-database: false
  - name: Upload SARIF
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
    with:
      name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
--- a/pr-checks/checks/export-file-baseline-information.yml
+++ b/pr-checks/checks/export-file-baseline-information.yml
@@ -17,7 +17,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
    with:
      name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
--- a/pr-checks/checks/job-run-uuid-sarif.yml
+++ b/pr-checks/checks/job-run-uuid-sarif.yml
@@ -11,7 +11,7 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
  - name: Upload SARIF
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
    with:
      name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
      path: "${{ runner.temp }}/results/javascript.sarif"
--- a/pr-checks/checks/quality-queries.yml
+++ b/pr-checks/checks/quality-queries.yml
@@ -36,9 +36,10 @@ steps:
    with:
      output: "${{ runner.temp }}/results"
      upload-database: false
+      post-processed-sarif-path: "${{ runner.temp }}/post-processed"
  - name: Upload security SARIF
    if: contains(matrix.analysis-kinds, 'code-scanning')
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
    with:
      name: |
        quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -46,12 +47,20 @@ steps:
      retention-days: 7
  - name: Upload quality SARIF
    if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
    with:
      name: |
        quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
      path: "${{ runner.temp }}/results/javascript.quality.sarif"
      retention-days: 7
+  - name: Upload post-processed SARIF
+    uses: actions/upload-artifact@v5
+    with:
+      name: |
+        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
+      path: "${{ runner.temp }}/post-processed"
+      retention-days: 7
+      if-no-files-found: error
  - name: Check quality query does not appear in security SARIF
    if: contains(matrix.analysis-kinds, 'code-scanning')
    uses: actions/github-script@v8
--- a/pr-checks/checks/rubocop-multi-language.yml
+++ b/pr-checks/checks/rubocop-multi-language.yml
@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
  - name: Set up Ruby
-    uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
+    uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
    with:
      ruby-version: 2.6
  - name: Install Code Scanning integration
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -117,7 +117,7 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
        steps.extend([
            {
                'name': 'Install Node.js',
-                'uses': 'actions/setup-node@v5',
+                'uses': 'actions/setup-node@v6',
                'with': {
                    'node-version': '20.x',
                    'cache': 'npm',
--- a/scripts/check-node-modules.sh
+++ b/scripts/check-node-modules.sh
@@ -9,9 +9,15 @@ if [ "$GITHUB_ACTIONS" = "true" ]; then
 fi

 # Check if npm install is likely needed before proceeding
-if [ ! -d node_modules ] || [ package-lock.json -nt node_modules/.package-lock.json ]; then
-  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated..."
+if [ ! -d node_modules ]; then
+  echo "Running 'npm install' because 'node_modules' directory is missing."
+  npm install
+elif [ package.json -nt package-lock.json ]; then
+  echo "Running 'npm install' because 'package-lock.json' appears to be outdated."
+  npm install
+elif [ package-lock.json -nt node_modules/.package-lock.json ]; then
+  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated."
  npm install
 else
-  echo "Skipping 'npm install' because 'node_modules/.package-lock.json' appears to be up-to-date."
+  echo "Skipping 'npm install' because everything appears to be up-to-date."
 fi
--- a/src/analyze-action-env.test.ts
+++ b/src/analyze-action-env.test.ts
@@ -24,6 +24,9 @@ setupTests(test);
 // but the first test would fail.

 test("analyze action with RAM & threads from environment variables", async (t) => {
+  // This test frequently times out on Windows with the default timeout, so we bump
+  // it a bit to 20s.
+  t.timeout(1000 * 20);
  await util.withTmpDir(async (tmpDir) => {
    process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
@@ -75,7 +78,7 @@ test("analyze action with RAM & threads from environment variables", async (t) =
    t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
    t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=4992");
    t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
    t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=4992");
  });
 });
--- a/src/analyze-action-input.test.ts
+++ b/src/analyze-action-input.test.ts
@@ -24,6 +24,7 @@ setupTests(test);
 // but the first test would fail.

 test("analyze action with RAM & threads from action inputs", async (t) => {
+  t.timeout(1000 * 20);
  await util.withTmpDir(async (tmpDir) => {
    process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
@@ -75,7 +76,7 @@ test("analyze action with RAM & threads from action inputs", async (t) => {
    t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
    t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=3012");
    t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
    t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=3012");
  });
 });
--- a/src/analyze-action.ts
+++ b/src/analyze-action.ts
@@ -52,6 +52,7 @@ import {
 } from "./trap-caching";
 import * as uploadLib from "./upload-lib";
 import { UploadResult } from "./upload-lib";
+import { postProcessAndUploadSarif } from "./upload-sarif";
 import * as util from "./util";

 interface AnalysisStatusReport
@@ -211,7 +212,9 @@ async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {

 async function run() {
  const startedAt = new Date();
-  let uploadResult: UploadResult | undefined = undefined;
+  let uploadResults:
+    | Partial<Record<analyses.AnalysisKind, UploadResult>>
+    | undefined = undefined;
  let runStats: QueriesStatusReport | undefined = undefined;
  let config: Config | undefined = undefined;
  let trapCacheCleanupTelemetry: TrapCacheCleanupStatusReport | undefined =
@@ -321,10 +324,16 @@ async function run() {
    );

    if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
+      // Warn if the removed `add-snippets` input is used.
+      if (actionsUtil.getOptionalInput("add-snippets") !== undefined) {
+        logger.warning(
+          "The `add-snippets` input has been removed and no longer has any effect.",
+        );
+      }
+
      runStats = await runQueries(
        outputDir,
        memory,
-        util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")),
        threads,
        diffRangePackDir,
        actionsUtil.getOptionalInput("category"),
@@ -341,31 +350,67 @@ async function run() {
    }
    core.setOutput("db-locations", dbLocations);
    core.setOutput("sarif-output", path.resolve(outputDir));
-    const uploadInput = actionsUtil.getOptionalInput("upload");
-    if (runStats && actionsUtil.getUploadValue(uploadInput) === "always") {
-      if (isCodeScanningEnabled(config)) {
-        uploadResult = await uploadLib.uploadFiles(
-          outputDir,
-          actionsUtil.getRequiredInput("checkout_path"),
-          actionsUtil.getOptionalInput("category"),
-          features,
+    const uploadKind = actionsUtil.getUploadValue(
+      actionsUtil.getOptionalInput("upload"),
+    );
+    if (runStats) {
+      const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
+      const category = actionsUtil.getOptionalInput("category");
+
+      if (await features.getValue(Feature.AnalyzeUseNewUpload)) {
+        uploadResults = await postProcessAndUploadSarif(
          logger,
-          analyses.CodeScanning,
+          features,
+          uploadKind,
+          checkoutPath,
+          outputDir,
+          category,
+          actionsUtil.getOptionalInput("post-processed-sarif-path"),
        );
-        core.setOutput("sarif-id", uploadResult.sarifID);
+      } else if (uploadKind === "always") {
+        uploadResults = {};
+
+        if (isCodeScanningEnabled(config)) {
+          uploadResults[analyses.AnalysisKind.CodeScanning] =
+            await uploadLib.uploadFiles(
+              outputDir,
+              checkoutPath,
+              category,
+              features,
+              logger,
+              analyses.CodeScanning,
+            );
+        }
+
+        if (isCodeQualityEnabled(config)) {
+          uploadResults[analyses.AnalysisKind.CodeQuality] =
+            await uploadLib.uploadFiles(
+              outputDir,
+              checkoutPath,
+              category,
+              features,
+              logger,
+              analyses.CodeQuality,
+            );
+        }
+      } else {
+        uploadResults = {};
+        logger.info("Not uploading results");
      }

-      if (isCodeQualityEnabled(config)) {
-        const analysis = analyses.CodeQuality;
-        const qualityUploadResult = await uploadLib.uploadFiles(
-          outputDir,
-          actionsUtil.getRequiredInput("checkout_path"),
-          actionsUtil.getOptionalInput("category"),
-          features,
-          logger,
-          analysis,
+      // Set the SARIF id outputs only if we have results for them, to avoid
+      // having keys with empty values in the action output.
+      if (uploadResults[analyses.AnalysisKind.CodeScanning] !== undefined) {
+        core.setOutput(
+          "sarif-id",
+          uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
+        );
+      }
+      if (uploadResults[analyses.AnalysisKind.CodeQuality] !== undefined) {
+        core.setOutput(
+          "quality-sarif-id",
+          uploadResults[analyses.AnalysisKind.CodeQuality].sarifID,
        );
-        core.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
      }
    } else {
      logger.info("Not uploading results");
@@ -408,12 +453,12 @@ async function run() {
    if (util.isInTestMode()) {
      logger.debug("In test mode. Waiting for processing is disabled.");
    } else if (
-      uploadResult !== undefined &&
+      uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined &&
      actionsUtil.getRequiredInput("wait-for-processing") === "true"
    ) {
      await uploadLib.waitForProcessing(
        getRepositoryNwo(),
-        uploadResult.sarifID,
+        uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
        getActionsLogger(),
      );
    }
@@ -450,13 +495,16 @@ async function run() {
    return;
  }

-  if (runStats && uploadResult) {
+  if (
+    runStats !== undefined &&
+    uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined
+  ) {
    await sendStatusReport(
      startedAt,
      config,
      {
        ...runStats,
-        ...uploadResult.statusReport,
+        ...uploadResults[analyses.AnalysisKind.CodeScanning].statusReport,
      },
      undefined,
      trapCacheUploadTime,
@@ -466,7 +514,7 @@ async function run() {
      dependencyCacheResults,
      logger,
    );
-  } else if (runStats) {
+  } else if (runStats !== undefined) {
    await sendStatusReport(
      startedAt,
      config,
--- a/src/analyze.test.ts
+++ b/src/analyze.test.ts
@@ -4,10 +4,8 @@ import * as path from "path";
 import test from "ava";
 import * as sinon from "sinon";

-import * as actionsUtil from "./actions-util";
 import { CodeQuality, CodeScanning } from "./analyses";
 import {
-  exportedForTesting,
  runQueries,
  defaultSuites,
  resolveQuerySuiteAlias,
@@ -39,7 +37,6 @@ test("status report fields", async (t) => {
    setupActionsVars(tmpDir, tmpDir);

    const memoryFlag = "";
-    const addSnippetsFlag = "";
    const threadsFlag = "";
    sinon.stub(uploadLib, "validateSarifFileSchema");

@@ -105,7 +102,6 @@ test("status report fields", async (t) => {
      const statusReport = await runQueries(
        tmpDir,
        memoryFlag,
-        addSnippetsFlag,
        threadsFlag,
        undefined,
        undefined,
@@ -131,204 +127,6 @@ test("status report fields", async (t) => {
  });
 });

-function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
-  sinon
-    .stub(actionsUtil, "getRequiredInput")
-    .withArgs("checkout_path")
-    .returns("/checkout/path");
-  return exportedForTesting.getDiffRanges(
-    {
-      filename: "test.txt",
-      changes,
-      patch: patch?.join("\n"),
-    },
-    getRunnerLogger(true),
-  );
-}
-
-test("getDiffRanges: file unchanged", async (t) => {
-  const diffRanges = runGetDiffRanges(0, undefined);
-  t.deepEqual(diffRanges, []);
-});
-
-test("getDiffRanges: file diff too large", async (t) => {
-  const diffRanges = runGetDiffRanges(1000000, undefined);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 0,
-      endLine: 0,
-    },
-  ]);
-});
-
-test("getDiffRanges: diff thunk with single addition range", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,6 +50,8 @@",
-    " a",
-    " b",
-    " c",
-    "+1",
-    "+2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 53,
-      endLine: 54,
-    },
-  ]);
-});
-
-test("getDiffRanges: diff thunk with single deletion range", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,8 +50,6 @@",
-    " a",
-    " b",
-    " c",
-    "-1",
-    "-2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, []);
-});
-
-test("getDiffRanges: diff thunk with single update range", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,7 +50,7 @@",
-    " a",
-    " b",
-    " c",
-    "-1",
-    "+2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 53,
-      endLine: 53,
-    },
-  ]);
-});
-
-test("getDiffRanges: diff thunk with addition ranges", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,7 +50,9 @@",
-    " a",
-    " b",
-    " c",
-    "+1",
-    " c",
-    "+2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 53,
-      endLine: 53,
-    },
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 55,
-      endLine: 55,
-    },
-  ]);
-});
-
-test("getDiffRanges: diff thunk with mixed ranges", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,7 +50,7 @@",
-    " a",
-    " b",
-    " c",
-    "-1",
-    " d",
-    "-2",
-    "+3",
-    " e",
-    " f",
-    "+4",
-    "+5",
-    " g",
-    " h",
-    " i",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 54,
-      endLine: 54,
-    },
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 57,
-      endLine: 58,
-    },
-  ]);
-});
-
-test("getDiffRanges: multiple diff thunks", async (t) => {
-  const diffRanges = runGetDiffRanges(2, [
-    "@@ -30,6 +50,8 @@",
-    " a",
-    " b",
-    " c",
-    "+1",
-    "+2",
-    " d",
-    " e",
-    " f",
-    "@@ -130,6 +150,8 @@",
-    " a",
-    " b",
-    " c",
-    "+1",
-    "+2",
-    " d",
-    " e",
-    " f",
-  ]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 53,
-      endLine: 54,
-    },
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 153,
-      endLine: 154,
-    },
-  ]);
-});
-
-test("getDiffRanges: no diff context lines", async (t) => {
-  const diffRanges = runGetDiffRanges(2, ["@@ -30 +50,2 @@", "+1", "+2"]);
-  t.deepEqual(diffRanges, [
-    {
-      path: "/checkout/path/test.txt",
-      startLine: 50,
-      endLine: 51,
-    },
-  ]);
-});
-
-test("getDiffRanges: malformed thunk header", async (t) => {
-  const diffRanges = runGetDiffRanges(2, ["@@ 30 +50,2 @@", "+1", "+2"]);
-  t.deepEqual(diffRanges, undefined);
-});
-
 test("resolveQuerySuiteAlias", (t) => {
  // default query suite names should resolve to something language-specific ending in `.qls`.
  for (const suite of defaultSuites) {
--- a/src/analyze.ts
+++ b/src/analyze.ts
@@ -3,16 +3,10 @@ import * as path from "path";
 import { performance } from "perf_hooks";

 import * as io from "@actions/io";
-import * as del from "del";
 import * as yaml from "js-yaml";

-import {
-  getRequiredInput,
-  getTemporaryDirectory,
-  PullRequestBranches,
-} from "./actions-util";
+import { getTemporaryDirectory, PullRequestBranches } from "./actions-util";
 import * as analyses from "./analyses";
-import { getApiClient } from "./api-client";
 import { setupCppAutobuild } from "./autobuild";
 import { type CodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
@@ -21,13 +15,13 @@ import { addDiagnostic, makeDiagnostic } from "./diagnostics";
 import {
  DiffThunkRange,
  writeDiffRangesJsonFile,
+  getPullRequestEditedDiffRanges,
 } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { FeatureEnablement, Feature } from "./feature-flags";
 import { KnownLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
 import { OverlayDatabaseMode } from "./overlay-database-utils";
-import { getRepositoryNwoFromEnv } from "./repository";
 import { DatabaseCreationTimings, EventReport } from "./status-report";
 import { endTracingForCluster } from "./tracer-config";
 import * as util from "./util";
@@ -313,185 +307,6 @@ export async function setupDiffInformedQueryRun(
  );
 }

-/**
- * Return the file line ranges that were added or modified in the pull request.
- *
- * @param branches The base and head branches of the pull request.
- * @param logger
- * @returns An array of tuples, where each tuple contains the absolute path of a
- * file, the start line and the end line (both 1-based and inclusive) of an
- * added or modified range in that file. Returns `undefined` if the action was
- * not triggered by a pull request or if there was an error.
- */
-async function getPullRequestEditedDiffRanges(
-  branches: PullRequestBranches,
-  logger: Logger,
-): Promise<DiffThunkRange[] | undefined> {
-  const fileDiffs = await getFileDiffsWithBasehead(branches, logger);
-  if (fileDiffs === undefined) {
-    return undefined;
-  }
-  if (fileDiffs.length >= 300) {
-    // The "compare two commits" API returns a maximum of 300 changed files. If
-    // we see that many changed files, it is possible that there could be more,
-    // with the rest being truncated. In this case, we should not attempt to
-    // compute the diff ranges, as the result would be incomplete.
-    logger.warning(
-      `Cannot retrieve the full diff because there are too many ` +
-        `(${fileDiffs.length}) changed files in the pull request.`,
-    );
-    return undefined;
-  }
-  const results: DiffThunkRange[] = [];
-  for (const filediff of fileDiffs) {
-    const diffRanges = getDiffRanges(filediff, logger);
-    if (diffRanges === undefined) {
-      return undefined;
-    }
-    results.push(...diffRanges);
-  }
-  return results;
-}
-
-/**
- * This interface is an abbreviated version of the file diff object returned by
- * the GitHub API.
- */
-interface FileDiff {
-  filename: string;
-  changes: number;
-  // A patch may be absent if the file is binary, if the file diff is too large,
-  // or if the file is unchanged.
-  patch?: string | undefined;
-}
-
-async function getFileDiffsWithBasehead(
-  branches: PullRequestBranches,
-  logger: Logger,
-): Promise<FileDiff[] | undefined> {
-  // Check CODE_SCANNING_REPOSITORY first. If it is empty or not set, fall back
-  // to GITHUB_REPOSITORY.
-  const repositoryNwo = getRepositoryNwoFromEnv(
-    "CODE_SCANNING_REPOSITORY",
-    "GITHUB_REPOSITORY",
-  );
-  const basehead = `${branches.base}...${branches.head}`;
-  try {
-    const response = await getApiClient().rest.repos.compareCommitsWithBasehead(
-      {
-        owner: repositoryNwo.owner,
-        repo: repositoryNwo.repo,
-        basehead,
-        per_page: 1,
-      },
-    );
-    logger.debug(
-      `Response from compareCommitsWithBasehead(${basehead}):` +
-        `\n${JSON.stringify(response, null, 2)}`,
-    );
-    return response.data.files;
-  } catch (error: any) {
-    if (error.status) {
-      logger.warning(`Error retrieving diff ${basehead}: ${error.message}`);
-      logger.debug(
-        `Error running compareCommitsWithBasehead(${basehead}):` +
-          `\nRequest: ${JSON.stringify(error.request, null, 2)}` +
-          `\nError Response: ${JSON.stringify(error.response, null, 2)}`,
-      );
-      return undefined;
-    } else {
-      throw error;
-    }
-  }
-}
-
-function getDiffRanges(
-  fileDiff: FileDiff,
-  logger: Logger,
-): DiffThunkRange[] | undefined {
-  // Diff-informed queries expect the file path to be absolute. CodeQL always
-  // uses forward slashes as the path separator, so on Windows we need to
-  // replace any backslashes with forward slashes.
-  const filename = path
-    .join(getRequiredInput("checkout_path"), fileDiff.filename)
-    .replaceAll(path.sep, "/");
-
-  if (fileDiff.patch === undefined) {
-    if (fileDiff.changes === 0) {
-      // There are situations where a changed file legitimately has no diff.
-      // For example, the file may be a binary file, or that the file may have
-      // been renamed with no changes to its contents. In these cases, the
-      // file would be reported as having 0 changes, and we can return an empty
-      // array to indicate no diff range in this file.
-      return [];
-    }
-    // If a file is reported to have nonzero changes but no patch, that may be
-    // due to the file diff being too large. In this case, we should fall back
-    // to a special diff range that covers the entire file.
-    return [
-      {
-        path: filename,
-        startLine: 0,
-        endLine: 0,
-      },
-    ];
-  }
-
-  // The 1-based file line number of the current line
-  let currentLine = 0;
-  // The 1-based file line number that starts the current range of added lines
-  let additionRangeStartLine: number | undefined = undefined;
-  const diffRanges: DiffThunkRange[] = [];
-
-  const diffLines = fileDiff.patch.split("\n");
-  // Adding a fake context line at the end ensures that the following loop will
-  // always terminate the last range of added lines.
-  diffLines.push(" ");
-
-  for (const diffLine of diffLines) {
-    if (diffLine.startsWith("-")) {
-      // Ignore deletions completely -- we do not even want to consider them when
-      // calculating consecutive ranges of added lines.
-      continue;
-    }
-    if (diffLine.startsWith("+")) {
-      if (additionRangeStartLine === undefined) {
-        additionRangeStartLine = currentLine;
-      }
-      currentLine++;
-      continue;
-    }
-    if (additionRangeStartLine !== undefined) {
-      // Any line that does not start with a "+" or "-" terminates the current
-      // range of added lines.
-      diffRanges.push({
-        path: filename,
-        startLine: additionRangeStartLine,
-        endLine: currentLine - 1,
-      });
-      additionRangeStartLine = undefined;
-    }
-    if (diffLine.startsWith("@@ ")) {
-      // A new hunk header line resets the current line number.
-      const match = diffLine.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
-      if (match === null) {
-        logger.warning(
-          `Cannot parse diff hunk header for ${fileDiff.filename}: ${diffLine}`,
-        );
-        return undefined;
-      }
-      currentLine = parseInt(match[1], 10);
-      continue;
-    }
-    if (diffLine.startsWith(" ")) {
-      // An unchanged context line advances the current line number.
-      currentLine++;
-      continue;
-    }
-  }
-  return diffRanges;
-}
-
 /**
 * Create an extension pack in the temporary directory that contains the file
 * line ranges that were added or modified in the pull request.
@@ -621,7 +436,6 @@ export function addSarifExtension(
 export async function runQueries(
  sarifFolder: string,
  memoryFlag: string,
-  addSnippetsFlag: string,
  threadsFlag: string,
  diffRangePackDir: string | undefined,
  automationDetailsId: string | undefined,
@@ -811,7 +625,6 @@ export async function runQueries(
      databasePath,
      queries,
      sarifFile,
-      addSnippetsFlag,
      threadsFlag,
      enableDebugLogging ? "-vv" : "-v",
      sarifRunPropertyFlag,
@@ -855,7 +668,7 @@ export async function runFinalize(
  logger: Logger,
 ): Promise<DatabaseCreationTimings> {
  try {
-    await del.deleteAsync(outputDir, { force: true });
+    await fs.promises.rm(outputDir, { force: true, recursive: true });
  } catch (error: any) {
    if (error?.code !== "ENOENT") {
      throw error;
@@ -922,7 +735,3 @@ export async function warnIfGoInstalledAfterInit(
    }
  }
 }
-
-export const exportedForTesting = {
-  getDiffRanges,
-};
--- a/src/api-client.test.ts
+++ b/src/api-client.test.ts
@@ -169,4 +169,32 @@ test("wrapApiConfigurationError correctly wraps specific configuration errors",
    res,
    new util.ConfigurationError("Resource not accessible by integration"),
  );
+
+  // Enablement errors.
+  const enablementErrorMessages = [
+    "Code Security must be enabled for this repository to use code scanning",
+    "Advanced Security must be enabled for this repository to use code scanning",
+    "Code Scanning is not enabled for this repository. Please enable code scanning in the repository settings.",
+  ];
+  const transforms = [
+    (msg: string) => msg,
+    (msg: string) => msg.toLowerCase(),
+    (msg: string) => msg.toLocaleUpperCase(),
+  ];
+
+  for (const enablementErrorMessage of enablementErrorMessages) {
+    for (const transform of transforms) {
+      const enablementError = new util.HTTPError(
+        transform(enablementErrorMessage),
+        403,
+      );
+      res = api.wrapApiConfigurationError(enablementError);
+      t.deepEqual(
+        res,
+        new util.ConfigurationError(
+          api.getFeatureEnablementError(enablementError.message),
+        ),
+      );
+    }
+  }
 });
--- a/src/api-client.ts
+++ b/src/api-client.ts
@@ -1,18 +1,17 @@
 import * as core from "@actions/core";
 import * as githubUtils from "@actions/github/lib/utils";
 import * as retry from "@octokit/plugin-retry";
-import consoleLogLevel from "console-log-level";

 import { getActionVersion, getRequiredInput } from "./actions-util";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
+  asHTTPError,
  ConfigurationError,
  getRequiredEnvParam,
  GITHUB_DOTCOM_URL,
  GitHubVariant,
  GitHubVersion,
-  isHTTPError,
  parseGitHubUrl,
  parseMatrixInput,
 } from "./util";
@@ -50,7 +49,12 @@ function createApiClientWithDetails(
    githubUtils.getOctokitOptions(auth, {
      baseUrl: apiDetails.apiURL,
      userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: consoleLogLevel({ level: "debug" }),
+      log: {
+        debug: core.debug,
+        info: core.info,
+        warn: core.warning,
+        error: core.error,
+      },
    }),
  );
 }
@@ -279,23 +283,49 @@ export async function getRepositoryProperties(repositoryNwo: RepositoryNwo) {
  });
 }

+function isEnablementError(msg: string) {
+  return [
+    /Code Security must be enabled/i,
+    /Advanced Security must be enabled/i,
+    /Code Scanning is not enabled/i,
+  ].some((pattern) => pattern.test(msg));
+}
+
+// TODO: Move to `error-messages.ts` after refactoring import order to avoid cycle
+// since `error-messages.ts` currently depends on this file.
+export function getFeatureEnablementError(message: string): string {
+  return `Please verify that the necessary features are enabled: ${message}`;
+}
+
 export function wrapApiConfigurationError(e: unknown) {
-  if (isHTTPError(e)) {
+  const httpError = asHTTPError(e);
+  if (httpError !== undefined) {
    if (
-      e.message.includes("API rate limit exceeded for installation") ||
-      e.message.includes("commit not found") ||
-      e.message.includes("Resource not accessible by integration") ||
-      /ref .* not found in this repository/.test(e.message)
+      [
+        /API rate limit exceeded/,
+        /commit not found/,
+        /Resource not accessible by integration/,
+        /ref .* not found in this repository/,
+      ].some((pattern) => pattern.test(httpError.message))
    ) {
-      return new ConfigurationError(e.message);
-    } else if (
-      e.message.includes("Bad credentials") ||
-      e.message.includes("Not Found")
+      return new ConfigurationError(httpError.message);
+    }
+    if (
+      httpError.message.includes("Bad credentials") ||
+      httpError.message.includes("Not Found")
    ) {
      return new ConfigurationError(
        "Please check that your token is valid and has the required permissions: contents: read, security-events: write",
      );
    }
+    if (httpError.status === 403 && isEnablementError(httpError.message)) {
+      return new ConfigurationError(
+        getFeatureEnablementError(httpError.message),
+      );
+    }
+    if (httpError.status === 429) {
+      return new ConfigurationError("API rate limit exceeded");
+    }
  }
  return e;
 }
--- a/src/codeql.test.ts
+++ b/src/codeql.test.ts
@@ -5,7 +5,6 @@ import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as io from "@actions/io";
 import * as toolcache from "@actions/tool-cache";
 import test, { ExecutionContext } from "ava";
-import * as del from "del";
 import * as yaml from "js-yaml";
 import nock from "nock";
 import * as sinon from "sinon";
@@ -36,7 +35,6 @@ import {
  createTestConfig,
 } from "./testing-utils";
 import { ToolsDownloadStatusReport } from "./tools-download";
-import { ToolsFeature } from "./tools-features";
 import * as util from "./util";
 import { initializeEnvironment } from "./util";

@@ -558,7 +556,7 @@ const injectedConfigMacro = test.macro({
      const augmentedConfig = yaml.load(fs.readFileSync(configFile, "utf8"));
      t.deepEqual(augmentedConfig, expectedConfig);

-      await del.deleteAsync(configFile, { force: true });
+      await fs.promises.rm(configFile, { force: true });
    });
  },

@@ -870,84 +868,6 @@ test("does not pass a qlconfig to the CLI when it is undefined", async (t: Execu
  });
 });

-const NEW_ANALYSIS_SUMMARY_TEST_CASES = [
-  {
-    codeqlVersion: makeVersionInfo("2.15.0", {
-      [ToolsFeature.AnalysisSummaryV2IsDefault]: true,
-    }),
-    githubVersion: {
-      type: util.GitHubVariant.DOTCOM,
-    },
-    flagPassed: false,
-    negativeFlagPassed: false,
-  },
-  {
-    codeqlVersion: makeVersionInfo("2.15.0"),
-    githubVersion: {
-      type: util.GitHubVariant.DOTCOM,
-    },
-    flagPassed: true,
-    negativeFlagPassed: false,
-  },
-  {
-    codeqlVersion: makeVersionInfo("2.15.0"),
-    githubVersion: {
-      type: util.GitHubVariant.GHES,
-      version: "3.10.0",
-    },
-    flagPassed: true,
-    negativeFlagPassed: false,
-  },
-];
-
-for (const {
-  codeqlVersion,
-  flagPassed,
-  githubVersion,
-  negativeFlagPassed,
-} of NEW_ANALYSIS_SUMMARY_TEST_CASES) {
-  test(`database interpret-results passes ${
-    flagPassed
-      ? "--new-analysis-summary"
-      : negativeFlagPassed
-        ? "--no-new-analysis-summary"
-        : "nothing"
-  } for CodeQL version ${JSON.stringify(codeqlVersion)} and ${
-    util.GitHubVariant[githubVersion.type]
-  } ${githubVersion.version ? ` ${githubVersion.version}` : ""}`, async (t) => {
-    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves(codeqlVersion);
-    // io throws because of the test CodeQL object.
-    sinon.stub(io, "which").resolves("");
-    await codeqlObject.databaseInterpretResults(
-      "",
-      [],
-      "",
-      "",
-      "",
-      "-v",
-      undefined,
-      "",
-      Object.assign({}, stubConfig, { gitHubVersion: githubVersion }),
-      createFeatures([]),
-    );
-    const actualArgs = runnerConstructorStub.firstCall.args[1] as string[];
-    t.is(
-      actualArgs.includes("--new-analysis-summary"),
-      flagPassed,
-      `--new-analysis-summary should${flagPassed ? "" : "n't"} be passed`,
-    );
-    t.is(
-      actualArgs.includes("--no-new-analysis-summary"),
-      negativeFlagPassed,
-      `--no-new-analysis-summary should${
-        negativeFlagPassed ? "" : "n't"
-      } be passed`,
-    );
-  });
-}
-
 test("runTool summarizes several fatal errors", async (t) => {
  const heapError =
    "A fatal error occurred: Evaluator heap must be at least 384.00 MiB";
@@ -1125,7 +1045,7 @@ test("Avoids duplicating --overwrite flag if specified in CODEQL_ACTION_EXTRA_OP
  );
  t.truthy(configArg, "Should have injected a codescanning config");
  const configFile = configArg!.split("=")[1];
-  await del.deleteAsync(configFile, { force: true });
+  await fs.promises.rm(configFile, { force: true });
 });

 export function stubToolRunnerConstructor(
--- a/src/codeql.ts
+++ b/src/codeql.ts
@@ -3,7 +3,6 @@ import * as path from "path";

 import * as core from "@actions/core";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
-import { RequestError } from "@octokit/request-error";
 import * as yaml from "js-yaml";

 import {
@@ -168,7 +167,6 @@ export interface CodeQL {
    databasePath: string,
    querySuitePaths: string[] | undefined,
    sarifFile: string,
-    addSnippetsFlag: string,
    threadsFlag: string,
    verbosityFlag: string | undefined,
    sarifRunPropertyFlag: string | undefined,
@@ -268,7 +266,7 @@ let cachedCodeQL: CodeQL | undefined = undefined;
 * The version flags below can be used to conditionally enable certain features
 * on versions newer than this.
 */
-const CODEQL_MINIMUM_VERSION = "2.16.6";
+const CODEQL_MINIMUM_VERSION = "2.17.6";

 /**
 * This version will shortly become the oldest version of CodeQL that the Action will run with.
@@ -371,11 +369,11 @@ export async function setupCodeQL(
      toolsVersion,
      zstdAvailability,
    };
-  } catch (e) {
+  } catch (rawError) {
+    const e = api.wrapApiConfigurationError(rawError);
    const ErrorClass =
      e instanceof util.ConfigurationError ||
-      (e instanceof Error && e.message.includes("ENOSPC")) || // out of disk space
-      (e instanceof RequestError && e.status === 429) // rate limited
+      (e instanceof Error && e.message.includes("ENOSPC")) // out of disk space
        ? util.ConfigurationError
        : Error;

@@ -818,7 +816,6 @@ export async function getCodeQLForCmd(
      databasePath: string,
      querySuitePaths: string[] | undefined,
      sarifFile: string,
-      addSnippetsFlag: string,
      threadsFlag: string,
      verbosityFlag: string,
      sarifRunPropertyFlag: string | undefined,
@@ -837,7 +834,6 @@ export async function getCodeQLForCmd(
        "--format=sarif-latest",
        verbosityFlag,
        `--output=${sarifFile}`,
-        addSnippetsFlag,
        "--print-diagnostics-summary",
        "--print-metrics-summary",
        "--sarif-add-baseline-file-info",
@@ -861,14 +857,6 @@ export async function getCodeQLForCmd(
      } else {
        codeqlArgs.push("--no-sarif-include-diagnostics");
      }
-      if (
-        !isSupportedToolsFeature(
-          await this.getVersion(),
-          ToolsFeature.AnalysisSummaryV2IsDefault,
-        )
-      ) {
-        codeqlArgs.push("--new-analysis-summary");
-      }
      codeqlArgs.push(databasePath);
      if (querySuitePaths) {
        codeqlArgs.push(...querySuitePaths);
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@@ -943,7 +943,7 @@ async function getRemoteConfig(
  );
  const pieces = format.exec(configFile);
  // 5 = 4 groups + the whole expression
-  if (pieces === null || pieces.groups === undefined || pieces.length < 5) {
+  if (pieces?.groups === undefined || pieces.length < 5) {
    throw new ConfigurationError(
      errorMessages.getConfigFileRepoFormatInvalidMessage(configFile),
    );
--- a/src/config/db-config.ts
+++ b/src/config/db-config.ts
@@ -4,7 +4,6 @@ import * as yaml from "js-yaml";
 import * as jsonschema from "jsonschema";
 import * as semver from "semver";

-import type { UserConfig as DbConfig, QuerySpec } from "../db-config-schema";
 import * as errorMessages from "../error-messages";
 import {
  RepositoryProperties,
@@ -14,8 +13,6 @@ import { Language } from "../languages";
 import { Logger } from "../logging";
 import { cloneObject, ConfigurationError, prettyPrintPack } from "../util";

-export type { QuerySpec } from "../db-config-schema";
-
 export interface ExcludeQueryFilter {
  exclude: Record<string, string[] | string>;
 }
@@ -26,14 +23,30 @@ export interface IncludeQueryFilter {

 export type QueryFilter = ExcludeQueryFilter | IncludeQueryFilter;

+export interface QuerySpec {
+  name?: string;
+  uses: string;
+}
+
 /**
 * Format of the config file supplied by the user.
 */
-export type UserConfig = DbConfig & {
+export interface UserConfig {
+  name?: string;
+  "disable-default-queries"?: boolean;
+  queries?: QuerySpec[];
+  "paths-ignore"?: string[];
+  paths?: string[];
+
+  // If this is a multi-language analysis, then the packages must be split by
+  // language. If this is a single language analysis, then no split by
+  // language is necessary.
+  packs?: Record<string, string[]> | string[];
+
  // Set of query filters to include and exclude extra queries based on
  // codeql query suite `include` and `exclude` properties
  "query-filters"?: QueryFilter[];
-};
+}

 /**
 * Represents additional configuration data from a source other than
@@ -367,10 +380,7 @@ function combineQueries(
  const result: QuerySpec[] = [];

  // Query settings obtained from the repository properties have the highest precedence.
-  if (
-    augmentationProperties.repoPropertyQueries &&
-    augmentationProperties.repoPropertyQueries.input
-  ) {
+  if (augmentationProperties.repoPropertyQueries?.input) {
    logger.info(
      `Found query configuration in the repository properties (${RepositoryPropertyName.EXTRA_QUERIES}): ` +
        `${augmentationProperties.repoPropertyQueries.input.map((q) => q.uses).join(", ")}`,
@@ -483,7 +493,7 @@ export function parseUserConfig(
  try {
    const schema =
      // eslint-disable-next-line @typescript-eslint/no-require-imports
-      require("../../schemas/db-config-schema.json") as jsonschema.Schema;
+      require("../../src/db-config-schema.json") as jsonschema.Schema;

    const doc = yaml.load(contents);

--- a/src/database-upload.test.ts
+++ b/src/database-upload.test.ts
@@ -5,6 +5,7 @@ import test from "ava";
 import * as sinon from "sinon";

 import * as actionsUtil from "./actions-util";
+import { AnalysisKind } from "./analyses";
 import { GitHubApiDetails } from "./api-client";
 import * as apiClient from "./api-client";
 import { createStubCodeQL } from "./codeql";
@@ -108,6 +109,39 @@ test("Abort database upload if 'upload-database' input set to false", async (t)
  });
 });

+test("Abort database upload if 'analysis-kinds: code-scanning' is not enabled", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
+    sinon
+      .stub(actionsUtil, "getRequiredInput")
+      .withArgs("upload-database")
+      .returns("true");
+    sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
+
+    await mockHttpRequests(201);
+
+    const loggedMessages = [];
+    await uploadDatabases(
+      testRepoName,
+      getCodeQL(),
+      {
+        ...getTestConfig(tmpDir),
+        analysisKinds: [AnalysisKind.CodeQuality],
+      },
+      testApiDetails,
+      getRecordingLogger(loggedMessages),
+    );
+    t.assert(
+      loggedMessages.find(
+        (v: LoggedMessage) =>
+          v.type === "debug" &&
+          v.message ===
+            "Not uploading database because 'analysis-kinds: code-scanning' is not enabled.",
+      ) !== undefined,
+    );
+  });
+});
+
 test("Abort database upload if running against GHES", async (t) => {
  await withTmpDir(async (tmpDir) => {
    setupActionsVars(tmpDir, tmpDir);
--- a/src/database-upload.ts
+++ b/src/database-upload.ts
@@ -1,6 +1,7 @@
 import * as fs from "fs";

 import * as actionsUtil from "./actions-util";
+import { AnalysisKind } from "./analyses";
 import { getApiClient, GitHubApiDetails } from "./api-client";
 import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
@@ -22,6 +23,13 @@ export async function uploadDatabases(
    return;
  }

+  if (!config.analysisKinds.includes(AnalysisKind.CodeScanning)) {
+    logger.debug(
+      `Not uploading database because 'analysis-kinds: ${AnalysisKind.CodeScanning}' is not enabled.`,
+    );
+    return;
+  }
+
  if (util.isInTestMode()) {
    logger.debug("In test mode. Skipping database upload.");
    return;
--- a/src/db-config-schema.d.ts
+++ b/src/db-config-schema.d.ts
@@ -1,53 +0,0 @@
-/* This file was automatically generated by `npm run generate:schemas`. Do not edit by hand. */
-
-/**
- * Format of the config file supplied by the user for CodeQL analysis
- */
-export interface UserConfig {
-  /**
-   * Name of the configuration
-   */
-  name?: string;
-  /**
-   * Whether to disable default queries
-   */
-  "disable-default-queries"?: boolean;
-  /**
-   * List of additional queries to run
-   */
-  queries?: QuerySpec[];
-  /**
-   * Paths to ignore during analysis
-   */
-  "paths-ignore"?: string[];
-  /**
-   * Paths to include in analysis
-   */
-  paths?: string[];
-  /**
-   * Query packs to include. Can be a simple array for single-language analysis or an object with language-specific arrays for multi-language analysis
-   */
-  packs?:
-    | string[]
-    | {
-        [k: string]: string[];
-      };
-  /**
-   * Set of query filters to include and exclude extra queries based on CodeQL query suite include and exclude properties
-   */
-  "query-filters"?: unknown[];
-  [k: string]: unknown;
-}
-/**
- * Detailed query specification object
- */
-export interface QuerySpec {
-  /**
-   * Optional name for the query
-   */
-  name?: string;
-  /**
-   * The query or query suite to use
-   */
-  uses: string;
-}
--- a/schemas/db-config-schema.json
+++ b/schemas/db-config-schema.json
@@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "title": "UserConfig",
+  "title": "CodeQL Database Configuration",
  "description": "Format of the config file supplied by the user for CodeQL analysis",
  "type": "object",
  "properties": {
--- a/src/debug-artifacts.ts
+++ b/src/debug-artifacts.ts
@@ -5,7 +5,6 @@ import * as artifact from "@actions/artifact";
 import * as artifactLegacy from "@actions/artifact-legacy";
 import * as core from "@actions/core";
 import archiver from "archiver";
-import * as del from "del";

 import { getOptionalInput, getTemporaryDirectory } from "./actions-util";
 import { dbIsFinalized } from "./analyze";
@@ -345,7 +344,7 @@ async function createPartialDatabaseBundle(
  );
  // See `bundleDb` for explanation behind deleting existing db bundle.
  if (fs.existsSync(databaseBundlePath)) {
-    await del.deleteAsync(databaseBundlePath, { force: true });
+    await fs.promises.rm(databaseBundlePath, { force: true });
  }
  const output = fs.createWriteStream(databaseBundlePath);
  const zip = archiver("zip");
--- a/src/defaults.json
+++ b/src/defaults.json
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.3",
-  "cliVersion": "2.23.3",
-  "priorBundleVersion": "codeql-bundle-v2.23.2",
-  "priorCliVersion": "2.23.2"
+  "bundleVersion": "codeql-bundle-v2.23.4",
+  "cliVersion": "2.23.4",
+  "priorBundleVersion": "codeql-bundle-v2.23.3",
+  "priorCliVersion": "2.23.3"
 }
--- a/src/diff-informed-analysis-utils.test.ts
+++ b/src/diff-informed-analysis-utils.test.ts
@@ -4,7 +4,10 @@ import * as sinon from "sinon";
 import * as actionsUtil from "./actions-util";
 import type { PullRequestBranches } from "./actions-util";
 import * as apiClient from "./api-client";
-import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-utils";
+import {
+  shouldPerformDiffInformedAnalysis,
+  exportedForTesting,
+} from "./diff-informed-analysis-utils";
 import { Feature, Features } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
 import { parseRepositoryNwo } from "./repository";
@@ -183,3 +186,201 @@ test(
  },
  false,
 );
+
+function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
+  sinon
+    .stub(actionsUtil, "getRequiredInput")
+    .withArgs("checkout_path")
+    .returns("/checkout/path");
+  return exportedForTesting.getDiffRanges(
+    {
+      filename: "test.txt",
+      changes,
+      patch: patch?.join("\n"),
+    },
+    getRunnerLogger(true),
+  );
+}
+
+test("getDiffRanges: file unchanged", async (t) => {
+  const diffRanges = runGetDiffRanges(0, undefined);
+  t.deepEqual(diffRanges, []);
+});
+
+test("getDiffRanges: file diff too large", async (t) => {
+  const diffRanges = runGetDiffRanges(1000000, undefined);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 0,
+      endLine: 0,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with single addition range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,6 +50,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 54,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with single deletion range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,8 +50,6 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    "-2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, []);
+});
+
+test("getDiffRanges: diff thunk with single update range", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,7 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 53,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with addition ranges", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,9 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    " c",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 53,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 55,
+      endLine: 55,
+    },
+  ]);
+});
+
+test("getDiffRanges: diff thunk with mixed ranges", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,7 +50,7 @@",
+    " a",
+    " b",
+    " c",
+    "-1",
+    " d",
+    "-2",
+    "+3",
+    " e",
+    " f",
+    "+4",
+    "+5",
+    " g",
+    " h",
+    " i",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 54,
+      endLine: 54,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 57,
+      endLine: 58,
+    },
+  ]);
+});
+
+test("getDiffRanges: multiple diff thunks", async (t) => {
+  const diffRanges = runGetDiffRanges(2, [
+    "@@ -30,6 +50,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+    "@@ -130,6 +150,8 @@",
+    " a",
+    " b",
+    " c",
+    "+1",
+    "+2",
+    " d",
+    " e",
+    " f",
+  ]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 53,
+      endLine: 54,
+    },
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 153,
+      endLine: 154,
+    },
+  ]);
+});
+
+test("getDiffRanges: no diff context lines", async (t) => {
+  const diffRanges = runGetDiffRanges(2, ["@@ -30 +50,2 @@", "+1", "+2"]);
+  t.deepEqual(diffRanges, [
+    {
+      path: "/checkout/path/test.txt",
+      startLine: 50,
+      endLine: 51,
+    },
+  ]);
+});
+
+test("getDiffRanges: malformed thunk header", async (t) => {
+  const diffRanges = runGetDiffRanges(2, ["@@ 30 +50,2 @@", "+1", "+2"]);
+  t.deepEqual(diffRanges, undefined);
+});
--- a/src/diff-informed-analysis-utils.ts
+++ b/src/diff-informed-analysis-utils.ts
@@ -3,12 +3,25 @@ import * as path from "path";

 import * as actionsUtil from "./actions-util";
 import type { PullRequestBranches } from "./actions-util";
-import { getGitHubVersion } from "./api-client";
+import { getApiClient, getGitHubVersion } from "./api-client";
 import type { CodeQL } from "./codeql";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
+import { getRepositoryNwoFromEnv } from "./repository";
 import { GitHubVariant, satisfiesGHESVersion } from "./util";

+/**
+ * This interface is an abbreviated version of the file diff object returned by
+ * the GitHub API.
+ */
+interface FileDiff {
+  filename: string;
+  changes: number;
+  // A patch may be absent if the file is binary, if the file diff is too large,
+  // or if the file is unchanged.
+  patch?: string | undefined;
+}
+
 /**
 * Check if the action should perform diff-informed analysis.
 */
@@ -93,3 +106,174 @@ export function readDiffRangesJsonFile(
  );
  return JSON.parse(jsonContents) as DiffThunkRange[];
 }
+
+/**
+ * Return the file line ranges that were added or modified in the pull request.
+ *
+ * @param branches The base and head branches of the pull request.
+ * @param logger
+ * @returns An array of tuples, where each tuple contains the absolute path of a
+ * file, the start line and the end line (both 1-based and inclusive) of an
+ * added or modified range in that file. Returns `undefined` if the action was
+ * not triggered by a pull request or if there was an error.
+ */
+export async function getPullRequestEditedDiffRanges(
+  branches: PullRequestBranches,
+  logger: Logger,
+): Promise<DiffThunkRange[] | undefined> {
+  const fileDiffs = await getFileDiffsWithBasehead(branches, logger);
+  if (fileDiffs === undefined) {
+    return undefined;
+  }
+  if (fileDiffs.length >= 300) {
+    // The "compare two commits" API returns a maximum of 300 changed files. If
+    // we see that many changed files, it is possible that there could be more,
+    // with the rest being truncated. In this case, we should not attempt to
+    // compute the diff ranges, as the result would be incomplete.
+    logger.warning(
+      `Cannot retrieve the full diff because there are too many ` +
+        `(${fileDiffs.length}) changed files in the pull request.`,
+    );
+    return undefined;
+  }
+  const results: DiffThunkRange[] = [];
+  for (const filediff of fileDiffs) {
+    const diffRanges = getDiffRanges(filediff, logger);
+    if (diffRanges === undefined) {
+      return undefined;
+    }
+    results.push(...diffRanges);
+  }
+  return results;
+}
+
+async function getFileDiffsWithBasehead(
+  branches: PullRequestBranches,
+  logger: Logger,
+): Promise<FileDiff[] | undefined> {
+  // Check CODE_SCANNING_REPOSITORY first. If it is empty or not set, fall back
+  // to GITHUB_REPOSITORY.
+  const repositoryNwo = getRepositoryNwoFromEnv(
+    "CODE_SCANNING_REPOSITORY",
+    "GITHUB_REPOSITORY",
+  );
+  const basehead = `${branches.base}...${branches.head}`;
+  try {
+    const response = await getApiClient().rest.repos.compareCommitsWithBasehead(
+      {
+        owner: repositoryNwo.owner,
+        repo: repositoryNwo.repo,
+        basehead,
+        per_page: 1,
+      },
+    );
+    logger.debug(
+      `Response from compareCommitsWithBasehead(${basehead}):` +
+        `\n${JSON.stringify(response, null, 2)}`,
+    );
+    return response.data.files;
+  } catch (error: any) {
+    if (error.status) {
+      logger.warning(`Error retrieving diff ${basehead}: ${error.message}`);
+      logger.debug(
+        `Error running compareCommitsWithBasehead(${basehead}):` +
+          `\nRequest: ${JSON.stringify(error.request, null, 2)}` +
+          `\nError Response: ${JSON.stringify(error.response, null, 2)}`,
+      );
+      return undefined;
+    } else {
+      throw error;
+    }
+  }
+}
+
+function getDiffRanges(
+  fileDiff: FileDiff,
+  logger: Logger,
+): DiffThunkRange[] | undefined {
+  // Diff-informed queries expect the file path to be absolute. CodeQL always
+  // uses forward slashes as the path separator, so on Windows we need to
+  // replace any backslashes with forward slashes.
+  const filename = path
+    .join(actionsUtil.getRequiredInput("checkout_path"), fileDiff.filename)
+    .replaceAll(path.sep, "/");
+
+  if (fileDiff.patch === undefined) {
+    if (fileDiff.changes === 0) {
+      // There are situations where a changed file legitimately has no diff.
+      // For example, the file may be a binary file, or that the file may have
+      // been renamed with no changes to its contents. In these cases, the
+      // file would be reported as having 0 changes, and we can return an empty
+      // array to indicate no diff range in this file.
+      return [];
+    }
+    // If a file is reported to have nonzero changes but no patch, that may be
+    // due to the file diff being too large. In this case, we should fall back
+    // to a special diff range that covers the entire file.
+    return [
+      {
+        path: filename,
+        startLine: 0,
+        endLine: 0,
+      },
+    ];
+  }
+
+  // The 1-based file line number of the current line
+  let currentLine = 0;
+  // The 1-based file line number that starts the current range of added lines
+  let additionRangeStartLine: number | undefined = undefined;
+  const diffRanges: DiffThunkRange[] = [];
+
+  const diffLines = fileDiff.patch.split("\n");
+  // Adding a fake context line at the end ensures that the following loop will
+  // always terminate the last range of added lines.
+  diffLines.push(" ");
+
+  for (const diffLine of diffLines) {
+    if (diffLine.startsWith("-")) {
+      // Ignore deletions completely -- we do not even want to consider them when
+      // calculating consecutive ranges of added lines.
+      continue;
+    }
+    if (diffLine.startsWith("+")) {
+      if (additionRangeStartLine === undefined) {
+        additionRangeStartLine = currentLine;
+      }
+      currentLine++;
+      continue;
+    }
+    if (additionRangeStartLine !== undefined) {
+      // Any line that does not start with a "+" or "-" terminates the current
+      // range of added lines.
+      diffRanges.push({
+        path: filename,
+        startLine: additionRangeStartLine,
+        endLine: currentLine - 1,
+      });
+      additionRangeStartLine = undefined;
+    }
+    if (diffLine.startsWith("@@ ")) {
+      // A new hunk header line resets the current line number.
+      const match = diffLine.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
+      if (match === null) {
+        logger.warning(
+          `Cannot parse diff hunk header for ${fileDiff.filename}: ${diffLine}`,
+        );
+        return undefined;
+      }
+      currentLine = parseInt(match[1], 10);
+      continue;
+    }
+    if (diffLine.startsWith(" ")) {
+      // An unchanged context line advances the current line number.
+      currentLine++;
+      continue;
+    }
+  }
+  return diffRanges;
+}
+
+export const exportedForTesting = {
+  getDiffRanges,
+};
--- a/src/environment.ts
+++ b/src/environment.ts
@@ -137,4 +137,10 @@ export enum EnvVar {
   * This setting is more specific than `CODEQL_ACTION_TEST_MODE`, which implies this option.
   */
  SKIP_SARIF_UPLOAD = "CODEQL_ACTION_SKIP_SARIF_UPLOAD",
+
+  /**
+   * Whether to skip workflow validation. Intended for internal use, where we know that
+   * the workflow is valid and validation is not necessary.
+   */
+  SKIP_WORKFLOW_VALIDATION = "CODEQL_ACTION_SKIP_WORKFLOW_VALIDATION",
 }
--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@@ -44,6 +44,7 @@ export interface FeatureEnablement {
 */
 export enum Feature {
  AllowToolcacheInput = "allow_toolcache_input",
+  AnalyzeUseNewUpload = "analyze_use_new_upload",
  CleanupTrapCaches = "cleanup_trap_caches",
  CppDependencyInstallation = "cpp_dependency_installation_enabled",
  DiffInformedQueries = "diff_informed_queries",
@@ -116,6 +117,11 @@ export const featureConfig: Record<
    envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
    minimumVersion: undefined,
  },
+  [Feature.AnalyzeUseNewUpload]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
+    minimumVersion: undefined,
+  },
  [Feature.CleanupTrapCaches]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -647,7 +653,7 @@ class GitHubFeatureFlags {
      }

      this.logger.debug(
-        "Loaded the following default values for the feature flags from the Code Scanning API:",
+        "Loaded the following default values for the feature flags from the CodeQL Action API:",
      );
      for (const [feature, value] of Object.entries(remoteFlags).sort(
        ([nameA], [nameB]) => nameA.localeCompare(nameB),
@@ -657,12 +663,13 @@ class GitHubFeatureFlags {
      this.hasAccessedRemoteFeatureFlags = true;
      return remoteFlags;
    } catch (e) {
-      if (util.isHTTPError(e) && e.status === 403) {
+      const httpError = util.asHTTPError(e);
+      if (httpError?.status === 403) {
        this.logger.warning(
-          "This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. " +
+          "This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
            "As a result, it will not be opted into any experimental features. " +
            "This could be because the Action is running on a pull request from a fork. If not, " +
-            `please ensure the Action has the 'security-events: write' permission. Details: ${e.message}`,
+            `please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
        );
        this.hasAccessedRemoteFeatureFlags = false;
        return {};
--- a/src/init-action.ts
+++ b/src/init-action.ts
@@ -86,7 +86,7 @@ import {
  getErrorMessage,
  BuildMode,
 } from "./util";
-import { validateWorkflow } from "./workflow";
+import { checkWorkflow } from "./workflow";

 /**
 * Sends a status report indicating that the `init` Action is starting.
@@ -288,16 +288,9 @@ async function run() {
    toolsSource = initCodeQLResult.toolsSource;
    zstdAvailability = initCodeQLResult.zstdAvailability;

-    core.startGroup("Validating workflow");
-    const validateWorkflowResult = await validateWorkflow(codeql, logger);
-    if (validateWorkflowResult === undefined) {
-      logger.info("Detected no issues with the code scanning workflow.");
-    } else {
-      logger.warning(
-        `Unable to validate code scanning workflow: ${validateWorkflowResult}`,
-      );
-    }
-    core.endGroup();
+    // Check the workflow for problems. If there are any problems, they are reported
+    // to the workflow log. No exceptions are thrown.
+    await checkWorkflow(logger, codeql);

    // Set CODEQL_ENABLE_EXPERIMENTAL_FEATURES for Rust if between 2.19.3 (included) and 2.22.1 (excluded)
    // We need to set this environment variable before initializing the config, otherwise Rust
--- a/src/logging.ts
+++ b/src/logging.ts
@@ -13,7 +13,15 @@ export interface Logger {
 }

 export function getActionsLogger(): Logger {
-  return core;
+  return {
+    debug: core.debug,
+    info: core.info,
+    warning: core.warning,
+    error: core.error,
+    isDebug: core.isDebug,
+    startGroup: core.startGroup,
+    endGroup: core.endGroup,
+  };
 }

 export function getRunnerLogger(debugMode: boolean): Logger {
--- a/src/overlay-database-utils.test.ts
+++ b/src/overlay-database-utils.test.ts
@@ -11,6 +11,8 @@ import * as gitUtils from "./git-utils";
 import { getRunnerLogger } from "./logging";
 import {
  downloadOverlayBaseDatabaseFromCache,
+  getCacheRestoreKeyPrefix,
+  getCacheSaveKey,
  OverlayDatabaseMode,
  writeBaseDatabaseOidsFile,
  writeOverlayChangesFile,
@@ -261,3 +263,48 @@ test(
  },
  false,
 );
+
+test("overlay-base database cache keys remain stable", async (t) => {
+  const logger = getRunnerLogger(true);
+  const config = createTestConfig({ languages: ["python", "javascript"] });
+  const codeQlVersion = "2.23.0";
+  const commitOid = "abc123def456";
+
+  sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
+  sinon.stub(gitUtils, "getCommitOid").resolves(commitOid);
+  sinon.stub(actionsUtil, "getWorkflowRunID").returns(12345);
+  sinon.stub(actionsUtil, "getWorkflowRunAttempt").returns(1);
+
+  const saveKey = await getCacheSaveKey(
+    config,
+    codeQlVersion,
+    "checkout-path",
+    logger,
+  );
+  const expectedSaveKey =
+    "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-abc123def456-12345-1";
+  t.is(
+    saveKey,
+    expectedSaveKey,
+    "Cache save key changed unexpectedly. " +
+      "This may indicate breaking changes in the cache key generation logic.",
+  );
+
+  const restoreKeyPrefix = await getCacheRestoreKeyPrefix(
+    config,
+    codeQlVersion,
+  );
+  const expectedRestoreKeyPrefix =
+    "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-";
+  t.is(
+    restoreKeyPrefix,
+    expectedRestoreKeyPrefix,
+    "Cache restore key prefix changed unexpectedly. " +
+      "This may indicate breaking changes in the cache key generation logic.",
+  );
+
+  t.true(
+    saveKey.startsWith(restoreKeyPrefix),
+    `Expected save key "${saveKey}" to start with restore key prefix "${restoreKeyPrefix}"`,
+  );
+});
--- a/src/overlay-database-utils.ts
+++ b/src/overlay-database-utils.ts
@@ -4,13 +4,19 @@ import * as path from "path";

 import * as actionsCache from "@actions/cache";

-import { getRequiredInput, getTemporaryDirectory } from "./actions-util";
+import {
+  getRequiredInput,
+  getTemporaryDirectory,
+  getWorkflowRunAttempt,
+  getWorkflowRunID,
+} from "./actions-util";
 import { getAutomationID } from "./api-client";
 import { type CodeQL } from "./codeql";
 import { type Config } from "./config-utils";
 import { getCommitOid, getFileOidsUnderPath } from "./git-utils";
 import { Logger, withGroupAsync } from "./logging";
 import {
+  getErrorMessage,
  isInTestMode,
  tryGetFolderBytes,
  waitForResultWithTimeLimit,
@@ -34,15 +40,10 @@ export const CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
 * Actions Cache client library. Instead we place a limit on the uncompressed
 * size of the overlay-base database.
 *
- * Assuming 2.5:1 compression ratio, the 15 GB limit on uncompressed data would
- * translate to a limit of around 6 GB after compression. This is a high limit
- * compared to the default 10GB Actions Cache capacity, but enforcement of Actions
- * Cache quotas is not immediate.
- *
- * TODO: revisit this limit before removing the restriction for overlay analysis
- * to the `github` and `dsp-testing` orgs.
+ * Assuming 2.5:1 compression ratio, the 7.5 GB limit on uncompressed data would
+ * translate to a limit of around 3 GB after compression.
 */
-const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15000;
+const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
 const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES =
  OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1_000_000;

@@ -271,6 +272,7 @@ export async function uploadOverlayBaseDatabaseToCache(
    config,
    codeQlVersion,
    checkoutPath,
+    logger,
  );
  logger.info(
    `Uploading overlay-base database to Actions cache with key ${cacheSaveKey}`,
@@ -448,17 +450,28 @@ export async function downloadOverlayBaseDatabaseFromCache(
 * The key consists of the restore key prefix (which does not include the
 * commit SHA) and the commit SHA of the current checkout.
 */
-async function getCacheSaveKey(
+export async function getCacheSaveKey(
  config: Config,
  codeQlVersion: string,
  checkoutPath: string,
+  logger: Logger,
 ): Promise<string> {
+  let runId = 1;
+  let attemptId = 1;
+  try {
+    runId = getWorkflowRunID();
+    attemptId = getWorkflowRunAttempt();
+  } catch (e) {
+    logger.warning(
+      `Failed to get workflow run ID or attempt ID. Reason: ${getErrorMessage(e)}`,
+    );
+  }
  const sha = await getCommitOid(checkoutPath);
  const restoreKeyPrefix = await getCacheRestoreKeyPrefix(
    config,
    codeQlVersion,
  );
-  return `${restoreKeyPrefix}${sha}`;
+  return `${restoreKeyPrefix}${sha}-${runId}-${attemptId}`;
 }

 /**
@@ -475,7 +488,7 @@ async function getCacheSaveKey(
 * not include the commit SHA. This allows us to restore the most recent
 * compatible overlay-base database.
 */
-async function getCacheRestoreKeyPrefix(
+export async function getCacheRestoreKeyPrefix(
  config: Config,
  codeQlVersion: string,
 ): Promise<string> {
--- a/src/setup-codeql.ts
+++ b/src/setup-codeql.ts
@@ -168,7 +168,7 @@ export function tryGetTagNameFromUrl(
  // assumes less about the structure of the URL.
  const match = matches[matches.length - 1];

-  if (match === null || match.length !== 2) {
+  if (match?.length !== 2) {
    logger.debug(
      `Could not determine tag name for URL ${url}. Matched ${JSON.stringify(
        match,
--- a/src/start-proxy-action-post.ts
+++ b/src/start-proxy-action-post.ts
@@ -30,7 +30,7 @@ async function runWrapper() {
      logger,
    );

-    if ((config && config.debugMode) || core.isDebug()) {
+    if (config?.debugMode || core.isDebug()) {
      const logFilePath = core.getState("proxy-log-file");
      logger.info(
        "Debug mode is on. Uploading proxy log as Actions debugging artifact...",
--- a/src/status-report.ts
+++ b/src/status-report.ts
@@ -23,7 +23,6 @@ import { getRepositoryNwo } from "./repository";
 import { ToolsSource } from "./setup-codeql";
 import {
  ConfigurationError,
-  isHTTPError,
  getRequiredEnvParam,
  getCachedCodeQlVersion,
  isInTestMode,
@@ -33,6 +32,7 @@ import {
  BuildMode,
  getErrorMessage,
  getTestingEnvironment,
+  asHTTPError,
 } from "./util";

 export enum ActionName {
@@ -387,9 +387,9 @@ export async function createStatusReportBase(
 }

 const OUT_OF_DATE_MSG =
-  "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+  "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
 const INCOMPATIBLE_MSG =
-  "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
+  "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";

 /**
 * Send a status report to the code_scanning/analysis/status endpoint.
@@ -429,8 +429,9 @@ export async function sendStatusReport<S extends StatusReportBase>(
      },
    );
  } catch (e) {
-    if (isHTTPError(e)) {
-      switch (e.status) {
+    const httpError = asHTTPError(e);
+    if (httpError !== undefined) {
+      switch (httpError.status) {
        case 403:
          if (
            getWorkflowEventName() === "push" &&
@@ -438,16 +439,20 @@ export async function sendStatusReport<S extends StatusReportBase>(
          ) {
            core.warning(
              'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
-                "Uploading Code Scanning results requires write access. " +
-                'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
+                "Uploading CodeQL results requires write access. " +
+                'To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
                `See ${DocUrl.SCANNING_ON_PUSH} for more information on how to configure these events.`,
            );
          } else {
-            core.warning(e.message);
+            core.warning(
+              "This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
+                "This could be because the Action is running on a pull request from a fork. If not, " +
+                `please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
+            );
          }
          return;
        case 404:
-          core.warning(e.message);
+          core.warning(httpError.message);
          return;
        case 422:
          // schema incompatibility when reporting status
@@ -465,7 +470,7 @@ export async function sendStatusReport<S extends StatusReportBase>(
    // something else has gone wrong and the request/response will be logged by octokit
    // it's possible this is a transient error and we should continue scanning
    core.warning(
-      `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
+      `An unexpected error occurred when sending a status report: ${getErrorMessage(
        e,
      )}`,
    );
--- a/src/tar.ts
+++ b/src/tar.ts
@@ -9,7 +9,7 @@ import * as semver from "semver";

 import { CommandInvocationError } from "./actions-util";
 import { Logger } from "./logging";
-import { assertNever, cleanUpGlob, isBinaryAccessible } from "./util";
+import { assertNever, cleanUpPath, isBinaryAccessible } from "./util";

 const MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
 const MIN_REQUIRED_GNU_TAR_VERSION = "1.31";
@@ -35,14 +35,14 @@ async function getTarVersion(): Promise<TarVersion> {
  // Return whether this is GNU tar or BSD tar, and the version number
  if (stdout.includes("GNU tar")) {
    const match = stdout.match(/tar \(GNU tar\) ([0-9.]+)/);
-    if (!match || !match[1]) {
+    if (!match?.[1]) {
      throw new Error("Failed to parse output of tar --version.");
    }

    return { type: "gnu", version: match[1] };
  } else if (stdout.includes("bsdtar")) {
    const match = stdout.match(/bsdtar ([0-9.]+)/);
-    if (!match || !match[1]) {
+    if (!match?.[1]) {
      throw new Error("Failed to parse output of tar --version.");
    }

@@ -217,7 +217,7 @@ export async function extractTarZst(
      });
    });
  } catch (e) {
-    await cleanUpGlob(dest, "extraction destination directory", logger);
+    await cleanUpPath(dest, "extraction destination directory", logger);
    throw e;
  }
 }
--- a/src/tools-download.ts
+++ b/src/tools-download.ts
@@ -12,7 +12,7 @@ import * as semver from "semver";

 import { formatDuration, Logger } from "./logging";
 import * as tar from "./tar";
-import { cleanUpGlob, getErrorMessage, getRequiredEnvParam } from "./util";
+import { cleanUpPath, getErrorMessage, getRequiredEnvParam } from "./util";

 /**
 * High watermark to use when streaming the download and extraction of the CodeQL tools.
@@ -130,7 +130,7 @@ export async function downloadAndExtract(

    // If we failed during processing, we want to clean up the destination directory
    // before we try again.
-    await cleanUpGlob(dest, "CodeQL bundle", logger);
+    await cleanUpPath(dest, "CodeQL bundle", logger);
  }

  const toolsDownloadStart = performance.now();
@@ -167,7 +167,7 @@ export async function downloadAndExtract(
      )}).`,
    );
  } finally {
-    await cleanUpGlob(archivedBundlePath, "CodeQL bundle archive", logger);
+    await cleanUpPath(archivedBundlePath, "CodeQL bundle archive", logger);
  }

  return {
--- a/src/tools-features.ts
+++ b/src/tools-features.ts
@@ -3,13 +3,11 @@ import * as semver from "semver";
 import type { VersionInfo } from "./codeql";

 export enum ToolsFeature {
-  AnalysisSummaryV2IsDefault = "analysisSummaryV2Default",
  BuiltinExtractorsSpecifyDefaultQueries = "builtinExtractorsSpecifyDefaultQueries",
  DatabaseInterpretResultsSupportsSarifRunProperty = "databaseInterpretResultsSupportsSarifRunProperty",
  ForceOverwrite = "forceOverwrite",
  IndirectTracingSupportsStaticBinaries = "indirectTracingSupportsStaticBinaries",
  PythonDefaultIsToNotExtractStdlib = "pythonDefaultIsToNotExtractStdlib",
-  SarifMergeRunsFromEqualCategory = "sarifMergeRunsFromEqualCategory",
 }

 /**
--- a/src/trap-caching.ts
+++ b/src/trap-caching.ts
@@ -13,8 +13,8 @@ import * as gitUtils from "./git-utils";
 import { Language } from "./languages";
 import { Logger } from "./logging";
 import {
+  asHTTPError,
  getErrorMessage,
-  isHTTPError,
  tryGetFolderBytes,
  waitForResultWithTimeLimit,
 } from "./util";
@@ -236,7 +236,7 @@ export async function cleanupTrapCaches(
    }
    return { trap_cache_cleanup_size_bytes: totalBytesCleanedUp };
  } catch (e) {
-    if (isHTTPError(e) && e.status === 403) {
+    if (asHTTPError(e)?.status === 403) {
      logger.warning(
        "Could not cleanup TRAP caches as the token did not have the required permissions. " +
          'To clean up TRAP caches, ensure the token has the "actions:write" permission. ' +
--- a/src/upload-lib.ts
+++ b/src/upload-lib.ts
@@ -21,7 +21,6 @@ import * as gitUtils from "./git-utils";
 import { initCodeQL } from "./init";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
-import { ToolsFeature } from "./tools-features";
 import * as util from "./util";
 import {
  ConfigurationError,
@@ -269,32 +268,6 @@ async function combineSarifFilesUsingCLI(
    codeQL = initCodeQLResult.codeql;
  }

-  if (
-    !(await codeQL.supportsFeature(
-      ToolsFeature.SarifMergeRunsFromEqualCategory,
-    ))
-  ) {
-    await throwIfCombineSarifFilesDisabled(sarifObjects, gitHubVersion);
-
-    logger.warning(
-      "The CodeQL CLI does not support merging SARIF files. Merging files in the action.",
-    );
-
-    if (
-      await shouldShowCombineSarifFilesDeprecationWarning(
-        sarifObjects,
-        gitHubVersion,
-      )
-    ) {
-      logger.warning(
-        `Uploading multiple CodeQL runs with the same category is deprecated ${deprecationWarningMessage} for CodeQL CLI 2.16.6 and earlier. Please update your CodeQL CLI version or update your workflow to set a distinct category for each CodeQL run. ${deprecationMoreInformationMessage}`,
-      );
-      core.exportVariable("CODEQL_MERGE_SARIF_DEPRECATION_WARNING", "true");
-    }
-
-    return combineSarifFiles(sarifFiles, logger);
-  }
-
  const baseTempDir = path.resolve(tempDir, "combined-sarif");
  fs.mkdirSync(baseTempDir, { recursive: true });
  const outputDirectory = fs.mkdtempSync(path.resolve(baseTempDir, "output-"));
@@ -386,16 +359,17 @@ export async function uploadPayload(
    logger.info("Successfully uploaded results");
    return response.data.id as string;
  } catch (e) {
-    if (util.isHTTPError(e)) {
-      switch (e.status) {
+    const httpError = util.asHTTPError(e);
+    if (httpError !== undefined) {
+      switch (httpError.status) {
        case 403:
-          core.warning(e.message || GENERIC_403_MSG);
+          core.warning(httpError.message || GENERIC_403_MSG);
          break;
        case 404:
-          core.warning(e.message || GENERIC_404_MSG);
+          core.warning(httpError.message || GENERIC_404_MSG);
          break;
        default:
-          core.warning(e.message);
+          core.warning(httpError.message);
          break;
      }
    }
@@ -687,51 +661,39 @@ export function buildPayload(
  return payloadObj;
 }

-/**
- * Uploads a single SARIF file or a directory of SARIF files depending on what `inputSarifPath` refers
- * to.
- */
-export async function uploadFiles(
-  inputSarifPath: string,
-  checkoutPath: string,
-  category: string | undefined,
-  features: FeatureEnablement,
-  logger: Logger,
-  uploadTarget: analyses.AnalysisConfig,
-): Promise<UploadResult> {
-  const sarifPaths = getSarifFilePaths(
-    inputSarifPath,
-    uploadTarget.sarifPredicate,
-  );
-
-  return uploadSpecifiedFiles(
-    sarifPaths,
-    checkoutPath,
-    category,
-    features,
-    logger,
-    uploadTarget,
-  );
+export interface PostProcessingResults {
+  sarif: util.SarifFile;
+  analysisKey: string;
+  environment: string;
 }

 /**
- * Uploads the given array of SARIF files.
+ * Performs post-processing of the SARIF files given by `sarifPaths`.
+ *
+ * @param logger The logger to use.
+ * @param features Information about enabled features.
+ * @param checkoutPath The path where the repo was checked out at.
+ * @param sarifPaths The paths of the SARIF files to post-process.
+ * @param category The analysis category.
+ * @param analysis The analysis configuration.
+ *
+ * @returns Returns the results of post-processing the SARIF files,
+ *          including the resulting SARIF file.
 */
-export async function uploadSpecifiedFiles(
-  sarifPaths: string[],
-  checkoutPath: string,
-  category: string | undefined,
-  features: FeatureEnablement,
+export async function postProcessSarifFiles(
  logger: Logger,
-  uploadTarget: analyses.AnalysisConfig,
-): Promise<UploadResult> {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+  features: FeatureEnablement,
+  checkoutPath: string,
+  sarifPaths: string[],
+  category: string | undefined,
+  analysis: analyses.AnalysisConfig,
+): Promise<PostProcessingResults> {
+  logger.info(`Post-processing sarif files: ${JSON.stringify(sarifPaths)}`);

  const gitHubVersion = await getGitHubVersion();

  let sarif: SarifFile;
-  category = uploadTarget.fixCategory(logger, category);
+  category = analysis.fixCategory(logger, category);

  if (sarifPaths.length > 1) {
    // Validate that the files we were asked to upload are all valid SARIF files
@@ -767,6 +729,113 @@ export async function uploadSpecifiedFiles(
    environment,
  );

+  return { sarif, analysisKey, environment };
+}
+
+/**
+ * Writes the post-processed SARIF file to disk, if needed based on `pathInput` or the `SARIF_DUMP_DIR`.
+ *
+ * @param logger The logger to use.
+ * @param pathInput The input provided for `post-processed-sarif-path`.
+ * @param uploadTarget The upload target.
+ * @param processingResults The results of post-processing SARIF files.
+ */
+export async function writePostProcessedFiles(
+  logger: Logger,
+  pathInput: string | undefined,
+  uploadTarget: analyses.AnalysisConfig,
+  postProcessingResults: PostProcessingResults,
+) {
+  // If there's an explicit input, use that. Otherwise, use the value from the environment variable.
+  const outputPath = pathInput || util.getOptionalEnvVar(EnvVar.SARIF_DUMP_DIR);
+
+  // If we have a non-empty output path, write the SARIF file to it.
+  if (outputPath !== undefined) {
+    dumpSarifFile(
+      JSON.stringify(postProcessingResults.sarif),
+      outputPath,
+      logger,
+      uploadTarget,
+    );
+  } else {
+    logger.debug(`Not writing post-processed SARIF files.`);
+  }
+}
+
+/**
+ * Uploads a single SARIF file or a directory of SARIF files depending on what `inputSarifPath` refers
+ * to.
+ */
+export async function uploadFiles(
+  inputSarifPath: string,
+  checkoutPath: string,
+  category: string | undefined,
+  features: FeatureEnablement,
+  logger: Logger,
+  uploadTarget: analyses.AnalysisConfig,
+): Promise<UploadResult> {
+  const sarifPaths = getSarifFilePaths(
+    inputSarifPath,
+    uploadTarget.sarifPredicate,
+  );
+
+  return uploadSpecifiedFiles(
+    sarifPaths,
+    checkoutPath,
+    category,
+    features,
+    logger,
+    uploadTarget,
+  );
+}
+
+/**
+ * Uploads the given array of SARIF files.
+ */
+async function uploadSpecifiedFiles(
+  sarifPaths: string[],
+  checkoutPath: string,
+  category: string | undefined,
+  features: FeatureEnablement,
+  logger: Logger,
+  uploadTarget: analyses.AnalysisConfig,
+): Promise<UploadResult> {
+  const processingResults: PostProcessingResults = await postProcessSarifFiles(
+    logger,
+    features,
+    checkoutPath,
+    sarifPaths,
+    category,
+    uploadTarget,
+  );
+
+  return uploadPostProcessedFiles(
+    logger,
+    checkoutPath,
+    uploadTarget,
+    processingResults,
+  );
+}
+
+/**
+ * Uploads the results of post-processing SARIF files to the specified upload target.
+ *
+ * @param logger The logger to use.
+ * @param checkoutPath The path at which the repository was checked out.
+ * @param uploadTarget The analysis configuration.
+ * @param postProcessingResults The results of post-processing SARIF files.
+ *
+ * @returns The results of uploading the `postProcessingResults` to `uploadTarget`.
+ */
+export async function uploadPostProcessedFiles(
+  logger: Logger,
+  checkoutPath: string,
+  uploadTarget: analyses.AnalysisConfig,
+  postProcessingResults: PostProcessingResults,
+): Promise<UploadResult> {
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+
+  const sarif = postProcessingResults.sarif;
  const toolNames = util.getToolNames(sarif);

  logger.debug(`Validating that each SARIF run has a unique category`);
@@ -774,11 +843,6 @@ export async function uploadSpecifiedFiles(
  logger.debug(`Serializing SARIF for upload`);
  const sarifPayload = JSON.stringify(sarif);

-  const dumpDir = process.env[EnvVar.SARIF_DUMP_DIR];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-  }
-
  logger.debug(`Compressing serialized SARIF`);
  const zippedSarif = zlib.gzipSync(sarifPayload).toString("base64");
  const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -786,13 +850,13 @@ export async function uploadSpecifiedFiles(
  const payload = buildPayload(
    await gitUtils.getCommitOid(checkoutPath),
    await gitUtils.getRef(),
-    analysisKey,
+    postProcessingResults.analysisKey,
    util.getRequiredEnvParam("GITHUB_WORKFLOW"),
    zippedSarif,
    actionsUtil.getWorkflowRunID(),
    actionsUtil.getWorkflowRunAttempt(),
    checkoutURI,
-    environment,
+    postProcessingResults.environment,
    toolNames,
    await gitUtils.determineBaseBranchHeadCommitOid(),
  );
@@ -838,14 +902,14 @@ function dumpSarifFile(
    fs.mkdirSync(outputDir, { recursive: true });
  } else if (!fs.lstatSync(outputDir).isDirectory()) {
    throw new ConfigurationError(
-      `The path specified by the ${EnvVar.SARIF_DUMP_DIR} environment variable exists and is not a directory: ${outputDir}`,
+      `The path that processed SARIF files should be written to exists, but is not a directory: ${outputDir}`,
    );
  }
  const outputFile = path.resolve(
    outputDir,
    `upload${uploadTarget.sarifExtension}`,
  );
-  logger.info(`Dumping processed SARIF file to ${outputFile}`);
+  logger.info(`Writing processed SARIF file to ${outputFile}`);
  fs.writeFileSync(outputFile, sarifPayload);
 }

--- a/src/upload-sarif-action.ts
+++ b/src/upload-sarif-action.ts
@@ -16,7 +16,7 @@ import {
  isThirdPartyAnalysis,
 } from "./status-report";
 import * as upload_lib from "./upload-lib";
-import { uploadSarif } from "./upload-sarif";
+import { postProcessAndUploadSarif } from "./upload-sarif";
 import {
  ConfigurationError,
  checkActionVersion,
@@ -90,9 +90,10 @@ async function run() {
    const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
    const category = actionsUtil.getOptionalInput("category");

-    const uploadResults = await uploadSarif(
+    const uploadResults = await postProcessAndUploadSarif(
      logger,
      features,
+      "always",
      checkoutPath,
      sarifPath,
      category,
--- a/src/upload-sarif.test.ts
+++ b/src/upload-sarif.test.ts
@@ -9,7 +9,7 @@ import { getRunnerLogger } from "./logging";
 import { createFeatures, setupTests } from "./testing-utils";
 import { UploadResult } from "./upload-lib";
 import * as uploadLib from "./upload-lib";
-import { uploadSarif } from "./upload-sarif";
+import { postProcessAndUploadSarif } from "./upload-sarif";
 import * as util from "./util";

 setupTests(test);
@@ -19,7 +19,27 @@ interface UploadSarifExpectedResult {
  expectedFiles?: string[];
 }

-const uploadSarifMacro = test.macro({
+function mockPostProcessSarifFiles() {
+  const postProcessSarifFiles = sinon.stub(uploadLib, "postProcessSarifFiles");
+
+  for (const analysisKind of Object.values(AnalysisKind)) {
+    const analysisConfig = getAnalysisConfig(analysisKind);
+    postProcessSarifFiles
+      .withArgs(
+        sinon.match.any,
+        sinon.match.any,
+        sinon.match.any,
+        sinon.match.any,
+        sinon.match.any,
+        analysisConfig,
+      )
+      .resolves({ sarif: { runs: [] }, analysisKey: "", environment: "" });
+  }
+
+  return postProcessSarifFiles;
+}
+
+const postProcessAndUploadSarifMacro = test.macro({
  exec: async (
    t: ExecutionContext<unknown>,
    sarifFiles: string[],
@@ -33,21 +53,16 @@ const uploadSarifMacro = test.macro({

      const toFullPath = (filename: string) => path.join(tempDir, filename);

-      const uploadSpecifiedFiles = sinon.stub(
+      const postProcessSarifFiles = mockPostProcessSarifFiles();
+      const uploadPostProcessedFiles = sinon.stub(
        uploadLib,
-        "uploadSpecifiedFiles",
+        "uploadPostProcessedFiles",
      );

      for (const analysisKind of Object.values(AnalysisKind)) {
-        uploadSpecifiedFiles
-          .withArgs(
-            sinon.match.any,
-            sinon.match.any,
-            sinon.match.any,
-            features,
-            logger,
-            getAnalysisConfig(analysisKind),
-          )
+        const analysisConfig = getAnalysisConfig(analysisKind);
+        uploadPostProcessedFiles
+          .withArgs(logger, sinon.match.any, analysisConfig, sinon.match.any)
          .resolves(expectedResult[analysisKind as AnalysisKind]?.uploadResult);
      }

@@ -56,53 +71,57 @@ const uploadSarifMacro = test.macro({
        fs.writeFileSync(sarifFile, "");
      }

-      const actual = await uploadSarif(logger, features, "", testPath);
+      const actual = await postProcessAndUploadSarif(
+        logger,
+        features,
+        "always",
+        "",
+        testPath,
+      );

      for (const analysisKind of Object.values(AnalysisKind)) {
        const analysisKindResult = expectedResult[analysisKind];
        if (analysisKindResult) {
          // We are expecting a result for this analysis kind, check that we have it.
          t.deepEqual(actual[analysisKind], analysisKindResult.uploadResult);
-          // Additionally, check that the mocked `uploadSpecifiedFiles` was called with only the file paths
+          // Additionally, check that the mocked `postProcessSarifFiles` was called with only the file paths
          // that we expected it to be called with.
          t.assert(
-            uploadSpecifiedFiles.calledWith(
+            postProcessSarifFiles.calledWith(
+              logger,
+              features,
+              sinon.match.any,
              analysisKindResult.expectedFiles?.map(toFullPath) ??
                fullSarifPaths,
              sinon.match.any,
-              sinon.match.any,
-              features,
-              logger,
              getAnalysisConfig(analysisKind),
            ),
          );
        } else {
          // Otherwise, we are not expecting a result for this analysis kind. However, note that `undefined`
-          // is also returned by our mocked `uploadSpecifiedFiles` when there is no expected result for this
+          // is also returned by our mocked `uploadProcessedFiles` when there is no expected result for this
          // analysis kind.
          t.is(actual[analysisKind], undefined);
-          // Therefore, we also check that the mocked `uploadSpecifiedFiles` was not called for this analysis kind.
+          // Therefore, we also check that the mocked `uploadProcessedFiles` was not called for this analysis kind.
          t.assert(
-            !uploadSpecifiedFiles.calledWith(
-              sinon.match.any,
-              sinon.match.any,
-              sinon.match.any,
-              features,
+            !uploadPostProcessedFiles.calledWith(
              logger,
+              sinon.match.any,
              getAnalysisConfig(analysisKind),
+              sinon.match.any,
            ),
-            `uploadSpecifiedFiles was called for ${analysisKind}, but should not have been.`,
+            `uploadProcessedFiles was called for ${analysisKind}, but should not have been.`,
          );
        }
      }
    });
  },
-  title: (providedTitle = "") => `uploadSarif - ${providedTitle}`,
+  title: (providedTitle = "") => `processAndUploadSarif - ${providedTitle}`,
 });

 test(
  "SARIF file",
-  uploadSarifMacro,
+  postProcessAndUploadSarifMacro,
  ["test.sarif"],
  (tempDir) => path.join(tempDir, "test.sarif"),
  {
@@ -117,7 +136,7 @@ test(

 test(
  "JSON file",
-  uploadSarifMacro,
+  postProcessAndUploadSarifMacro,
  ["test.json"],
  (tempDir) => path.join(tempDir, "test.json"),
  {
@@ -132,7 +151,7 @@ test(

 test(
  "Code Scanning files",
-  uploadSarifMacro,
+  postProcessAndUploadSarifMacro,
  ["test.json", "test.sarif"],
  undefined,
  {
@@ -148,7 +167,7 @@ test(

 test(
  "Code Quality file",
-  uploadSarifMacro,
+  postProcessAndUploadSarifMacro,
  ["test.quality.sarif"],
  (tempDir) => path.join(tempDir, "test.quality.sarif"),
  {
@@ -163,7 +182,7 @@ test(

 test(
  "Mixed files",
-  uploadSarifMacro,
+  postProcessAndUploadSarifMacro,
  ["test.sarif", "test.quality.sarif"],
  undefined,
  {
@@ -183,3 +202,65 @@ test(
    },
  },
 );
+
+test("postProcessAndUploadSarif doesn't upload if upload is disabled", async (t) => {
+  await util.withTmpDir(async (tempDir) => {
+    const logger = getRunnerLogger(true);
+    const features = createFeatures([]);
+
+    const toFullPath = (filename: string) => path.join(tempDir, filename);
+
+    const postProcessSarifFiles = mockPostProcessSarifFiles();
+    const uploadPostProcessedFiles = sinon.stub(
+      uploadLib,
+      "uploadPostProcessedFiles",
+    );
+
+    fs.writeFileSync(toFullPath("test.sarif"), "");
+    fs.writeFileSync(toFullPath("test.quality.sarif"), "");
+
+    const actual = await postProcessAndUploadSarif(
+      logger,
+      features,
+      "never",
+      "",
+      tempDir,
+    );
+
+    t.truthy(actual);
+    t.assert(postProcessSarifFiles.calledTwice);
+    t.assert(uploadPostProcessedFiles.notCalled);
+  });
+});
+
+test("postProcessAndUploadSarif writes post-processed SARIF files if output directory is provided", async (t) => {
+  await util.withTmpDir(async (tempDir) => {
+    const logger = getRunnerLogger(true);
+    const features = createFeatures([]);
+
+    const toFullPath = (filename: string) => path.join(tempDir, filename);
+
+    const postProcessSarifFiles = mockPostProcessSarifFiles();
+
+    fs.writeFileSync(toFullPath("test.sarif"), "");
+    fs.writeFileSync(toFullPath("test.quality.sarif"), "");
+
+    const postProcessedOutPath = path.join(tempDir, "post-processed");
+    const actual = await postProcessAndUploadSarif(
+      logger,
+      features,
+      "never",
+      "",
+      tempDir,
+      "",
+      postProcessedOutPath,
+    );
+
+    t.truthy(actual);
+    t.assert(postProcessSarifFiles.calledTwice);
+    t.assert(fs.existsSync(path.join(postProcessedOutPath, "upload.sarif")));
+    t.assert(
+      fs.existsSync(path.join(postProcessedOutPath, "upload.quality.sarif")),
+    );
+  });
+});
--- a/src/upload-sarif.ts
+++ b/src/upload-sarif.ts
@@ -1,3 +1,4 @@
+import { UploadKind } from "./actions-util";
 import * as analyses from "./analyses";
 import { FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
@@ -10,22 +11,26 @@ export type UploadSarifResults = Partial<
 >;

 /**
- * Finds SARIF files in `sarifPath` and uploads them to the appropriate services.
+ * Finds SARIF files in `sarifPath`, post-processes them, and uploads them to the appropriate services.
 *
 * @param logger The logger to use.
 * @param features Information about enabled features.
+ * @param uploadKind The kind of upload that is requested.
 * @param checkoutPath The path where the repository was checked out at.
 * @param sarifPath The path to the file or directory to upload.
 * @param category The analysis category.
+ * @param postProcessedOutputPath The path to a directory to which the post-processed SARIF files should be written to.
 *
 * @returns A partial mapping from analysis kinds to the upload results.
 */
-export async function uploadSarif(
+export async function postProcessAndUploadSarif(
  logger: Logger,
  features: FeatureEnablement,
+  uploadKind: UploadKind,
  checkoutPath: string,
  sarifPath: string,
  category?: string,
+  postProcessedOutputPath?: string,
 ): Promise<UploadSarifResults> {
  const sarifGroups = await upload_lib.getGroupedSarifFilePaths(
    logger,
@@ -37,14 +42,33 @@ export async function uploadSarif(
    sarifGroups,
  )) {
    const analysisConfig = analyses.getAnalysisConfig(analysisKind);
-    uploadResults[analysisKind] = await upload_lib.uploadSpecifiedFiles(
-      sarifFiles,
-      checkoutPath,
-      category,
-      features,
+    const postProcessingResults = await upload_lib.postProcessSarifFiles(
      logger,
+      features,
+      checkoutPath,
+      sarifFiles,
+      category,
      analysisConfig,
    );
+
+    // Write the post-processed SARIF files to disk. This will only write them if needed based on user inputs
+    // or environment variables.
+    await upload_lib.writePostProcessedFiles(
+      logger,
+      postProcessedOutputPath,
+      analysisConfig,
+      postProcessingResults,
+    );
+
+    // Only perform the actual upload of the post-processed files if `uploadKind` is `always`.
+    if (uploadKind === "always") {
+      uploadResults[analysisKind] = await upload_lib.uploadPostProcessedFiles(
+        logger,
+        checkoutPath,
+        analysisConfig,
+        postProcessingResults,
+      );
+    }
  }

  return uploadResults;
--- a/src/util.test.ts
+++ b/src/util.test.ts
@@ -101,16 +101,6 @@ test("getMemoryFlag() throws if the ram input is < 0 or NaN", async (t) => {
  }
 });

-test("getAddSnippetsFlag() should return the correct flag", (t) => {
-  t.deepEqual(util.getAddSnippetsFlag(true), "--sarif-add-snippets");
-  t.deepEqual(util.getAddSnippetsFlag("true"), "--sarif-add-snippets");
-
-  t.deepEqual(util.getAddSnippetsFlag(false), "--no-sarif-add-snippets");
-  t.deepEqual(util.getAddSnippetsFlag(undefined), "--no-sarif-add-snippets");
-  t.deepEqual(util.getAddSnippetsFlag("false"), "--no-sarif-add-snippets");
-  t.deepEqual(util.getAddSnippetsFlag("foo bar"), "--no-sarif-add-snippets");
-});
-
 test("getThreadsFlag() should return the correct --threads flag", (t) => {
  const numCpus = os.cpus().length;

@@ -252,6 +242,35 @@ test("allowed API versions", async (t) => {
  );
 });

+test("getRequiredEnvParam - gets environment variables", (t) => {
+  process.env.SOME_UNIT_TEST_VAR = "foo";
+  const result = util.getRequiredEnvParam("SOME_UNIT_TEST_VAR");
+  t.is(result, "foo");
+});
+
+test("getRequiredEnvParam - throws if an environment variable isn't set", (t) => {
+  t.throws(() => util.getRequiredEnvParam("SOME_UNIT_TEST_VAR"));
+});
+
+test("getOptionalEnvVar - gets environment variables", (t) => {
+  process.env.SOME_UNIT_TEST_VAR = "foo";
+  const result = util.getOptionalEnvVar("SOME_UNIT_TEST_VAR");
+  t.is(result, "foo");
+});
+
+test("getOptionalEnvVar - gets undefined for empty environment variables", (t) => {
+  process.env.SOME_UNIT_TEST_VAR = "";
+  const result = util.getOptionalEnvVar("SOME_UNIT_TEST_VAR");
+  t.is(result, undefined);
+});
+
+test("getOptionalEnvVar - doesn't throw for undefined environment variables", (t) => {
+  t.notThrows(() => {
+    const result = util.getOptionalEnvVar("SOME_UNIT_TEST_VAR");
+    t.is(result, undefined);
+  });
+});
+
 test("doesDirectoryExist", async (t) => {
  // Returns false if no file/dir of this name exists
  t.false(util.doesDirectoryExist("non-existent-file.txt"));
@@ -505,3 +524,12 @@ test("getCgroupCpuCountFromCpus returns undefined if the CPU file exists but is
    );
  });
 });
+
+test("checkDiskUsage succeeds and produces positive numbers", async (t) => {
+  process.env["GITHUB_WORKSPACE"] = os.tmpdir();
+  const diskUsage = await util.checkDiskUsage(getRunnerLogger(true));
+  if (t.truthy(diskUsage)) {
+    t.true(diskUsage.numAvailableBytes > 0);
+    t.true(diskUsage.numTotalBytes > 0);
+  }
+});
--- a/src/util.ts
+++ b/src/util.ts
@@ -1,12 +1,11 @@
 import * as fs from "fs";
+import * as fsPromises from "fs/promises";
 import * as os from "os";
 import * as path from "path";

 import * as core from "@actions/core";
 import * as exec from "@actions/exec/lib/exec";
 import * as io from "@actions/io";
-import checkDiskSpace from "check-disk-space";
-import * as del from "del";
 import getFolderSize from "get-folder-size";
 import * as yaml from "js-yaml";
 import * as semver from "semver";
@@ -167,7 +166,7 @@ export async function withTmpDir<T>(
 ): Promise<T> {
  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "codeql-action-"));
  const result = await body(tmpDir);
-  await del.deleteAsync(tmpDir, { force: true });
+  await fs.promises.rm(tmpDir, { force: true, recursive: true });
  return result;
 }

@@ -343,21 +342,6 @@ export function getMemoryFlag(
  return `--ram=${megabytes}`;
 }

-/**
- * Get the codeql flag to specify whether to add code snippets to the sarif file.
- *
- * @returns string
- */
-export function getAddSnippetsFlag(
-  userInput: string | boolean | undefined,
-): string {
-  if (typeof userInput === "string") {
-    // have to process specifically because any non-empty string is truthy
-    userInput = userInput.toLowerCase() === "true";
-  }
-  return userInput ? "--sarif-add-snippets" : "--no-sarif-add-snippets";
-}
-
 /**
 * Get the value of the codeql `--threads` flag specified for the `threads`
 * input. If no value was specified, all available threads will be used.
@@ -673,6 +657,17 @@ export function getRequiredEnvParam(paramName: string): string {
  return value;
 }

+/**
+ * Get an environment variable, but return `undefined` if it is not set or empty.
+ */
+export function getOptionalEnvVar(paramName: string): string | undefined {
+  const value = process.env[paramName];
+  if (value?.trim().length === 0) {
+    return undefined;
+  }
+  return value;
+}
+
 export class HTTPError extends Error {
  public status: number;

@@ -692,8 +687,22 @@ export class ConfigurationError extends Error {
  }
 }

-export function isHTTPError(arg: any): arg is HTTPError {
-  return arg?.status !== undefined && Number.isInteger(arg.status);
+export function asHTTPError(arg: any): HTTPError | undefined {
+  if (
+    typeof arg !== "object" ||
+    arg === null ||
+    typeof arg.message !== "string"
+  ) {
+    return undefined;
+  }
+  if (Number.isInteger(arg.status)) {
+    return new HTTPError(arg.message as string, arg.status as number);
+  }
+  // See https://github.com/actions/toolkit/blob/acb230b99a46ed33a3f04a758cd68b47b9a82908/packages/tool-cache/src/tool-cache.ts#L19
+  if (Number.isInteger(arg.httpStatusCode)) {
+    return new HTTPError(arg.message as string, arg.httpStatusCode as number);
+  }
+  return undefined;
 }

 let cachedCodeQlVersion: undefined | VersionInfo = undefined;
@@ -731,7 +740,7 @@ export async function bundleDb(
  // from somewhere else or someone trying to make the action upload a
  // non-database file.
  if (fs.existsSync(databaseBundlePath)) {
-    await del.deleteAsync(databaseBundlePath, { force: true });
+    await fs.promises.rm(databaseBundlePath, { force: true });
  }
  await codeql.databaseBundle(databasePath, databaseBundlePath, dbName);
  return databaseBundlePath;
@@ -1074,24 +1083,17 @@ export async function checkDiskUsage(
  logger: Logger,
 ): Promise<DiskUsage | undefined> {
  try {
-    // We avoid running the `df` binary under the hood for macOS ARM runners with SIP disabled.
-    if (
-      process.platform === "darwin" &&
-      (process.arch === "arm" || process.arch === "arm64") &&
-      !(await checkSipEnablement(logger))
-    ) {
-      return undefined;
-    }
-
-    const diskUsage = await checkDiskSpace(
+    const diskUsage = await fsPromises.statfs(
      getRequiredEnvParam("GITHUB_WORKSPACE"),
    );
-    const mbInBytes = 1024 * 1024;
-    const gbInBytes = 1024 * 1024 * 1024;
-    if (diskUsage.free < 2 * gbInBytes) {
+
+    const blockSizeInBytes = diskUsage.bsize;
+    const numBlocksPerMb = (1024 * 1024) / blockSizeInBytes;
+    const numBlocksPerGb = (1024 * 1024 * 1024) / blockSizeInBytes;
+    if (diskUsage.bavail < 2 * numBlocksPerGb) {
      const message =
        "The Actions runner is running low on disk space " +
-        `(${(diskUsage.free / mbInBytes).toPrecision(4)} MB available).`;
+        `(${(diskUsage.bavail / numBlocksPerMb).toPrecision(4)} MB available).`;
      if (process.env[EnvVar.HAS_WARNED_ABOUT_DISK_SPACE] !== "true") {
        logger.warning(message);
      } else {
@@ -1100,8 +1102,8 @@ export async function checkDiskUsage(
      core.exportVariable(EnvVar.HAS_WARNED_ABOUT_DISK_SPACE, "true");
    }
    return {
-      numAvailableBytes: diskUsage.free,
-      numTotalBytes: diskUsage.size,
+      numAvailableBytes: diskUsage.bavail * blockSizeInBytes,
+      numTotalBytes: diskUsage.blocks * blockSizeInBytes,
    };
  } catch (error) {
    logger.warning(
@@ -1238,19 +1240,13 @@ export async function checkSipEnablement(
  }
 }

-export async function cleanUpGlob(glob: string, name: string, logger: Logger) {
+export async function cleanUpPath(file: string, name: string, logger: Logger) {
  logger.debug(`Cleaning up ${name}.`);
  try {
-    const deletedPaths = await del.deleteAsync(glob, { force: true });
-    if (deletedPaths.length === 0) {
-      logger.warning(
-        `Failed to clean up ${name}: no files found matching ${glob}.`,
-      );
-    } else if (deletedPaths.length === 1) {
-      logger.debug(`Cleaned up ${name}.`);
-    } else {
-      logger.debug(`Cleaned up ${name} (${deletedPaths.length} files).`);
-    }
+    await fs.promises.rm(file, {
+      force: true,
+      recursive: true,
+    });
  } catch (e) {
    logger.warning(`Failed to clean up ${name}: ${e}.`);
  }
--- a/src/workflow.test.ts
+++ b/src/workflow.test.ts
@@ -2,9 +2,17 @@ import test, { ExecutionContext } from "ava";
 import * as yaml from "js-yaml";
 import * as sinon from "sinon";

-import { getCodeQLForTesting } from "./codeql";
-import { setupTests } from "./testing-utils";
+import * as actionsUtil from "./actions-util";
+import { createStubCodeQL, getCodeQLForTesting } from "./codeql";
+import { EnvVar } from "./environment";
 import {
+  checkExpectedLogMessages,
+  getRecordingLogger,
+  LoggedMessage,
+  setupTests,
+} from "./testing-utils";
+import {
+  checkWorkflow,
  CodedError,
  formatWorkflowCause,
  formatWorkflowErrors,
@@ -13,6 +21,7 @@ import {
  Workflow,
  WorkflowErrors,
 } from "./workflow";
+import * as workflow from "./workflow";

 function errorCodes(
  actual: CodedError[],
@@ -870,3 +879,78 @@ test("getCategoryInputOrThrow throws error for workflow with multiple calls to a
    },
  );
 });
+
+test("checkWorkflow - validates workflow if `SKIP_WORKFLOW_VALIDATION` is not set", async (t) => {
+  const messages: LoggedMessage[] = [];
+  const codeql = createStubCodeQL({});
+
+  sinon.stub(actionsUtil, "isDynamicWorkflow").returns(false);
+  const validateWorkflow = sinon.stub(workflow.internal, "validateWorkflow");
+  validateWorkflow.resolves(undefined);
+
+  await checkWorkflow(getRecordingLogger(messages), codeql);
+
+  t.assert(
+    validateWorkflow.calledOnce,
+    "`checkWorkflow` unexpectedly did not call `validateWorkflow`",
+  );
+  checkExpectedLogMessages(t, messages, [
+    "Detected no issues with the code scanning workflow.",
+  ]);
+});
+
+test("checkWorkflow - logs problems with workflow validation", async (t) => {
+  const messages: LoggedMessage[] = [];
+  const codeql = createStubCodeQL({});
+
+  sinon.stub(actionsUtil, "isDynamicWorkflow").returns(false);
+  const validateWorkflow = sinon.stub(workflow.internal, "validateWorkflow");
+  validateWorkflow.resolves("problem");
+
+  await checkWorkflow(getRecordingLogger(messages), codeql);
+
+  t.assert(
+    validateWorkflow.calledOnce,
+    "`checkWorkflow` unexpectedly did not call `validateWorkflow`",
+  );
+  checkExpectedLogMessages(t, messages, [
+    "Unable to validate code scanning workflow: problem",
+  ]);
+});
+
+test("checkWorkflow - skips validation if `SKIP_WORKFLOW_VALIDATION` is `true`", async (t) => {
+  process.env[EnvVar.SKIP_WORKFLOW_VALIDATION] = "true";
+
+  const messages: LoggedMessage[] = [];
+  const codeql = createStubCodeQL({});
+
+  sinon.stub(actionsUtil, "isDynamicWorkflow").returns(false);
+  const validateWorkflow = sinon.stub(workflow.internal, "validateWorkflow");
+
+  await checkWorkflow(getRecordingLogger(messages), codeql);
+
+  t.assert(
+    validateWorkflow.notCalled,
+    "`checkWorkflow` called `validateWorkflow` unexpectedly",
+  );
+  t.is(messages.length, 0);
+});
+
+test("checkWorkflow - skips validation for `dynamic` workflows", async (t) => {
+  const messages: LoggedMessage[] = [];
+  const codeql = createStubCodeQL({});
+
+  const isDynamicWorkflow = sinon
+    .stub(actionsUtil, "isDynamicWorkflow")
+    .returns(true);
+  const validateWorkflow = sinon.stub(workflow.internal, "validateWorkflow");
+
+  await checkWorkflow(getRecordingLogger(messages), codeql);
+
+  t.assert(isDynamicWorkflow.calledOnce);
+  t.assert(
+    validateWorkflow.notCalled,
+    "`checkWorkflow` called `validateWorkflow` unexpectedly",
+  );
+  t.is(messages.length, 0);
+});
--- a/src/workflow.ts
+++ b/src/workflow.ts
@@ -5,8 +5,10 @@ import zlib from "zlib";
 import * as core from "@actions/core";
 import * as yaml from "js-yaml";

+import { isDynamicWorkflow } from "./actions-util";
 import * as api from "./api-client";
 import { CodeQL } from "./codeql";
+import { EnvVar } from "./environment";
 import { Logger } from "./logging";
 import {
  getRequiredEnvParam,
@@ -216,7 +218,7 @@ function hasWorkflowTrigger(triggerName: string, doc: Workflow): boolean {
  return Object.prototype.hasOwnProperty.call(doc.on, triggerName);
 }

-export async function validateWorkflow(
+async function validateWorkflow(
  codeql: CodeQL,
  logger: Logger,
 ): Promise<undefined | string> {
@@ -371,7 +373,7 @@ function getInputOrThrow(
      input = input.replace(`\${{matrix.${key}}}`, value);
    }
  }
-  if (input !== undefined && input.includes("${{")) {
+  if (input?.includes("${{")) {
    throw new Error(
      `Could not get ${inputName} input to ${actionName} since it contained an unrecognized dynamic value.`,
    );
@@ -462,3 +464,36 @@ export function getCheckoutPathInputOrThrow(
    ) || getRequiredEnvParam("GITHUB_WORKSPACE") // if unspecified, checkout_path defaults to ${{ github.workspace }}
  );
 }
+
+/**
+ * A wrapper around `validateWorkflow` which reports the outcome.
+ *
+ * @param logger The logger to use.
+ * @param codeql The CodeQL instance.
+ */
+export async function checkWorkflow(logger: Logger, codeql: CodeQL) {
+  // Check the workflow for problems, unless `SKIP_WORKFLOW_VALIDATION` is `true`
+  // or the workflow trigger is `dynamic`.
+  if (
+    !isDynamicWorkflow() &&
+    process.env[EnvVar.SKIP_WORKFLOW_VALIDATION] !== "true"
+  ) {
+    core.startGroup("Validating workflow");
+    const validateWorkflowResult = await internal.validateWorkflow(
+      codeql,
+      logger,
+    );
+    if (validateWorkflowResult === undefined) {
+      logger.info("Detected no issues with the code scanning workflow.");
+    } else {
+      logger.debug(
+        `Unable to validate code scanning workflow: ${validateWorkflowResult}`,
+      );
+    }
+    core.endGroup();
+  }
+}
+
+export const internal = {
+  validateWorkflow,
+};