Merge pull request #3043 from github/mergeback/v3.29.10-to-main-96f518a3

Mergeback v3.29.10 refs/heads/releases/v3 into main
Update checked-in dependencies
2025-12-08 08:48:19 +08:00 · 2025-08-18 13:22:40 +01:00 · 2025-08-18 12:00:29 +00:00 · 2025-08-18 11:46:17 +00:00 · 2025-08-18 12:45:49 +01:00 · 2025-08-18 09:58:01 +00:00
5082 changed files with 656963 additions and 340076 deletions
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -0,0 +1,21 @@
+# CodeQL Action - Copilot Instructions
+
+## Generated code
+
+The CodeQL Action is written in TypeScript and compiled to JavaScript. Both the TypeScript sources and the **generated** JavaScript code are contained in this repository. The TypeScript sources are contained in the `src` directory and the JavaScript code is contained in the `lib` directory. A GitHub Actions workflow checks that the JavaScript code in `lib` is up-to-date. Therefore, you should not review any changes to the contents of the `lib` folder and it is expected that the JavaScript code in `lib` closely mirrors the TypeScript code it is generated from.
+
+GitHub Actions workflows in the `.github/workflows` directory whose filenames start with two underscores (e.g. `__all-platform-bundle.yml`) are automatically generated using the `pr-checks/sync.sh` script from template files in the `pr-checks/checks` directory. Therefore, you do not need to review files in the `.github/workflows` directory that start with two underscores. However, you should review changes to the `pr-checks` directory as well as workflows in the `.github/workflows` directory that do not start with underscores.
+
+## Release process
+
+- A release-PR is a PR which matches all of the following patterns:
+  - PR title starts with the exact prefix: `Merge main into releases/v`
+    - Equivalent regex: `^Merge main into releases\/v`
+  - AND head (source) branch matches the update-branch pattern:
+    - Regex: `^update-v[0-9]+(?:\.[0-9]+)*(?:-[a-f0-9]+)?` (e.g. `update-v3.29.9-cc722e476`)
+  - AND base (target) branch matches a release branch:
+    - Regex: `^releases\/v` (e.g. `releases/v3`)
+
+- Consider all files in release-PRs to have already been reviewed and do not review them, except for the following two files:
+    - `CHANGELOG.md`
+    - `package.json`
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -2,8 +2,6 @@ version: 2
 updates:
  - package-ecosystem: npm
    directory: "/"
-    reviewers:
-      - "github/codeql-production-shield"
    schedule:
      interval: weekly
    labels:
@@ -26,8 +24,6 @@ updates:
          - "*"
  - package-ecosystem: github-actions
    directory: "/"
-    reviewers:
-      - "github/codeql-production-shield"
    schedule:
      interval: weekly
    groups:
@@ -36,8 +32,6 @@ updates:
          - "*"
  - package-ecosystem: github-actions
    directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
-    reviewers:
-      - "github/codeql-production-shield"
    schedule:
      interval: weekly
    groups:
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,5 +1,14 @@
+
+
+### Risk assessment
+
+For internal use only. Please select the risk level of this change:
+
+- **Low risk:** Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.
+- **High risk:** Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.
+
 ### Merge / deployment checklist

- [ ] Confirm this change is backwards compatible with existing workflows.
- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) has been updated if necessary.
- [ ] Confirm the [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) has been updated if necessary.
+- Confirm this change is backwards compatible with existing workflows.
+- Consider adding a [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) entry for this change.
+- Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) and docs have been updated if necessary.
--- a/.github/workflows/__all-platform-bundle.yml
+++ b/.github/workflows/__all-platform-bundle.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - All-platform bundle
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  all-platform-bundle:
    strategy:
@@ -37,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -45,6 +58,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'true'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - id: init
        uses: ./../action/init
        with:
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  analyze-ref-input:
    strategy:
@@ -41,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -49,6 +62,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/__autobuild-action.yml
+++ b/.github/workflows/__autobuild-action.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - autobuild-action
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  autobuild-action:
    strategy:
@@ -41,7 +44,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
+++ b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Autobuild direct tracing (custom working directory)
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      java-version:
+        type: string
+        description: The version of Java to install
+        required: false
+        default: '17'
+  workflow_call:
+    inputs:
+      java-version:
+        type: string
+        description: The version of Java to install
+        required: false
+        default: '17'
 jobs:
  autobuild-direct-tracing-with-working-dir:
    strategy:
@@ -43,7 +56,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -51,6 +64,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
      - name: Test setup
        shell: bash
        run: |
--- a/.github/workflows/__autobuild-direct-tracing.yml
+++ b/.github/workflows/__autobuild-direct-tracing.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Autobuild direct tracing
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      java-version:
+        type: string
+        description: The version of Java to install
+        required: false
+        default: '17'
+  workflow_call:
+    inputs:
+      java-version:
+        type: string
+        description: The version of Java to install
+        required: false
+        default: '17'
 jobs:
  autobuild-direct-tracing:
    strategy:
@@ -43,7 +56,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -51,6 +64,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
      - name: Set up Java test repo configuration
        shell: bash
        run: |
--- a/.github/workflows/__build-mode-autobuild.yml
+++ b/.github/workflows/__build-mode-autobuild.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Build mode autobuild
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  build-mode-autobuild:
    strategy:
@@ -37,7 +40,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__build-mode-manual.yml
+++ b/.github/workflows/__build-mode-manual.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Build mode manual
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  build-mode-manual:
    strategy:
@@ -37,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -45,6 +58,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        id: init
        with:
--- a/.github/workflows/__build-mode-none.yml
+++ b/.github/workflows/__build-mode-none.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Build mode none
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  build-mode-none:
    strategy:
@@ -39,7 +42,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__build-mode-rollback.yml
+++ b/.github/workflows/__build-mode-rollback.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Build mode rollback
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  build-mode-rollback:
    strategy:
@@ -37,7 +40,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__bundle-toolcache.yml
+++ b/.github/workflows/__bundle-toolcache.yml
@@ -0,0 +1,98 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: 'PR Check - Bundle: Caching checks'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+jobs:
+  bundle-toolcache:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+    name: 'Bundle: Caching checks'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v5
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Remove CodeQL from toolcache
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
+            fs.rmdirSync(codeqlPath, { recursive: true });
+      - name: Install @actions/tool-cache
+        run: npm install @actions/tool-cache
+      - name: Check toolcache does not contain CodeQL
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const toolcache = require('@actions/tool-cache');
+            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+            if (allCodeqlVersions.length !== 0) {
+              throw new Error(`CodeQL should not be found in the toolcache, but found ${allCodeqlVersions}`);
+            }
+            console.log('No versions of CodeQL found in the toolcache');
+      - id: init
+        uses: ./../action/init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Check CodeQL is installed within the toolcache
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const toolcache = require('@actions/tool-cache');
+            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
+            console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
+            if (allCodeqlVersions.length === 0) {
+              throw new Error('CodeQL not found in toolcache');
+            }
+            if (allCodeqlVersions.length > 1) {
+              throw new Error('Multiple CodeQL versions found in toolcache');
+            }
+    env:
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__bundle-zstd.yml
+++ b/.github/workflows/__bundle-zstd.yml
@@ -0,0 +1,115 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: 'PR Check - Bundle: Zstandard checks'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+jobs:
+  bundle-zstd:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+    name: 'Bundle: Zstandard checks'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v5
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Remove CodeQL from toolcache
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
+            if (codeqlPath !== undefined) {
+              fs.rmdirSync(codeqlPath, { recursive: true });
+            }
+      - id: init
+        uses: ./../action/init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.os }}-zstd-bundle.sarif
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check diagnostic with expected tools URL appears in SARIF
+        uses: actions/github-script@v7
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+        with:
+          script: |
+            const fs = require('fs');
+
+            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+            const run = sarif.runs[0];
+
+            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
+              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
+            );
+            if (downloadTelemetryNotifications.length !== 1) {
+              core.setFailed(
+                'Expected exactly one reporting descriptor in the ' +
+                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
+                  `${JSON.stringify(toolExecutionNotifications)}.`
+              );
+            }
+
+            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
+            console.log(`Found tools URL: ${toolsUrl}`);
+
+            const expectedExtension = process.env['RUNNER_OS'] === 'Windows' ? '.tar.gz' : '.tar.zst';
+
+            if (!toolsUrl.endsWith(expectedExtension)) {
+              core.setFailed(
+                `Expected the tools URL to be a ${expectedExtension} file, but found ${toolsUrl}.`
+              );
+            }
+    env:
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__cleanup-db-cluster-dir.yml
+++ b/.github/workflows/__cleanup-db-cluster-dir.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Clean up database cluster directory
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  cleanup-db-cluster-dir:
    strategy:
@@ -37,7 +40,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__config-export.yml
+++ b/.github/workflows/__config-export.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Config export
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  config-export:
    strategy:
@@ -47,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__config-input.yml
+++ b/.github/workflows/__config-input.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Config input
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  config-input:
    strategy:
@@ -37,7 +40,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__cpp-deptrace-disabled.yml
+++ b/.github/workflows/__cpp-deptrace-disabled.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - C/C++: disabling autoinstalling dependencies (Linux)'
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  cpp-deptrace-disabled:
    strategy:
@@ -41,7 +44,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
+++ b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - C/C++: autoinstalling dependencies is skipped (macOS)'
@@ -20,13 +20,18 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  cpp-deptrace-enabled-on-macos:
    strategy:
      fail-fast: false
      matrix:
        include:
+          - os: macos-latest
+            version: linked
          - os: macos-latest
            version: nightly-latest
    name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
@@ -37,7 +42,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__cpp-deptrace-enabled.yml
+++ b/.github/workflows/__cpp-deptrace-enabled.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - C/C++: autoinstalling dependencies (Linux)'
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  cpp-deptrace-enabled:
    strategy:
@@ -41,7 +44,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__diagnostics-export.yml
+++ b/.github/workflows/__diagnostics-export.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Diagnostic export
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  diagnostics-export:
    strategy:
@@ -47,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__export-file-baseline-information.yml
+++ b/.github/workflows/__export-file-baseline-information.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Export file baseline information
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  export-file-baseline-information:
    strategy:
@@ -41,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -49,6 +62,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        id: init
        with:
--- a/.github/workflows/__extract-direct-to-toolcache.yml
+++ b/.github/workflows/__extract-direct-to-toolcache.yml
@@ -1,96 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Extract directly to toolcache
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  extract-direct-to-toolcache:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: Extract directly to toolcache
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            fs.rmdirSync(codeqlPath, { recursive: true });
-      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache
-      - name: Check toolcache does not contain CodeQL
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            if (allCodeqlVersions.length !== 0) {
-              throw new Error(`CodeQL should not be found in the toolcache, but found ${allCodeqlVersions}`);
-            }
-            console.log('No versions of CodeQL found in the toolcache');
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
-            if (allCodeqlVersions.length === 0) {
-              throw new Error('CodeQL not found in toolcache');
-            }
-            if (allCodeqlVersions.length > 1) {
-              throw new Error('Multiple CodeQL versions found in toolcache');
-            }
-    env:
-      CODEQL_ACTION_EXTRACT_TOOLCACHE: true
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__extractor-ram-threads.yml
+++ b/.github/workflows/__extractor-ram-threads.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Extractor ram and threads options test
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  extractor-ram-threads:
    strategy:
@@ -37,7 +40,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: Custom queries'
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  go-custom-queries:
    strategy:
@@ -39,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -47,9 +60,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
+      - name: Install Go
+        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
--- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: diagnostic when Go is changed after init step'
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  go-indirect-tracing-workaround-diagnostic:
    strategy:
@@ -37,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -45,10 +58,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
+      - name: Install Go
+        uses: actions/setup-go@v5
        with:
-      # We need a Go version that ships with statically linked binaries on Linux
-          go-version: '>=1.21.0'
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
--- a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: diagnostic when `file` is not installed'
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  go-indirect-tracing-workaround-no-file-program:
    strategy:
@@ -37,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -45,10 +58,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
+      - name: Install Go
+        uses: actions/setup-go@v5
        with:
-      # We need a Go version that ships with statically linked binaries on Linux
-          go-version: '>=1.21.0'
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Remove `file` program
        run: |
          echo $(which file)
--- a/.github/workflows/__go-indirect-tracing-workaround.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: workaround for indirect tracing'
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  go-indirect-tracing-workaround:
    strategy:
@@ -37,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -45,10 +58,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
+      - name: Install Go
+        uses: actions/setup-go@v5
        with:
-      # We need a Go version that ships with statically linked binaries on Linux
-          go-version: '>=1.21.0'
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          languages: go
--- a/.github/workflows/__go-tracing-autobuilder.yml
+++ b/.github/workflows/__go-tracing-autobuilder.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: tracing with autobuilder step'
@@ -20,21 +20,26 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  go-tracing-autobuilder:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
          - os: ubuntu-latest
            version: stable-v2.17.6
          - os: macos-latest
@@ -47,6 +52,14 @@ jobs:
            version: stable-v2.19.4
          - os: macos-latest
            version: stable-v2.19.4
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -67,7 +80,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -75,11 +88,10 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
+      - name: Install Go
+        uses: actions/setup-go@v5
        with:
-          go-version: ~1.24.0
-      # to avoid potentially misleading autobuilder results where we expect it to download
-      # dependencies successfully, but they actually come from a warm cache
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - uses: ./../action/init
        with:
--- a/.github/workflows/__go-tracing-custom-build-steps.yml
+++ b/.github/workflows/__go-tracing-custom-build-steps.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: tracing with custom build steps'
@@ -20,21 +20,26 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  go-tracing-custom-build-steps:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
          - os: ubuntu-latest
            version: stable-v2.17.6
          - os: macos-latest
@@ -47,6 +52,14 @@ jobs:
            version: stable-v2.19.4
          - os: macos-latest
            version: stable-v2.19.4
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -67,7 +80,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -75,11 +88,10 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
+      - name: Install Go
+        uses: actions/setup-go@v5
        with:
-          go-version: ~1.24.0
-      # to avoid potentially misleading autobuilder results where we expect it to download
-      # dependencies successfully, but they actually come from a warm cache
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - uses: ./../action/init
        with:
--- a/.github/workflows/__go-tracing-legacy-workflow.yml
+++ b/.github/workflows/__go-tracing-legacy-workflow.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Go: tracing with legacy workflow'
@@ -20,21 +20,26 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  go-tracing-legacy-workflow:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
          - os: ubuntu-latest
            version: stable-v2.17.6
          - os: macos-latest
@@ -47,6 +52,14 @@ jobs:
            version: stable-v2.19.4
          - os: macos-latest
            version: stable-v2.19.4
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: macos-latest
+            version: stable-v2.21.4
          - os: ubuntu-latest
            version: default
          - os: macos-latest
@@ -67,7 +80,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -75,11 +88,10 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
+      - name: Install Go
+        uses: actions/setup-go@v5
        with:
-          go-version: ~1.24.0
-      # to avoid potentially misleading autobuilder results where we expect it to download
-      # dependencies successfully, but they actually come from a warm cache
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
      - uses: ./../action/init
        with:
--- a/.github/workflows/__go.yml
+++ b/.github/workflows/__go.yml
@@ -0,0 +1,77 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: Manual Check - go
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    paths:
+      - .github/workflows/__go.yml
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+jobs:
+  go-custom-queries:
+    name: 'Go: Custom queries'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-custom-queries.yml
+    with:
+      go-version: ${{ inputs.go-version }}
+  go-indirect-tracing-workaround-diagnostic:
+    name: 'Go: diagnostic when Go is changed after init step'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
+    with:
+      go-version: ${{ inputs.go-version }}
+  go-indirect-tracing-workaround-no-file-program:
+    name: 'Go: diagnostic when `file` is not installed'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
+    with:
+      go-version: ${{ inputs.go-version }}
+  go-indirect-tracing-workaround:
+    name: 'Go: workaround for indirect tracing'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-indirect-tracing-workaround.yml
+    with:
+      go-version: ${{ inputs.go-version }}
+  go-tracing-autobuilder:
+    name: 'Go: tracing with autobuilder step'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-tracing-autobuilder.yml
+    with:
+      go-version: ${{ inputs.go-version }}
+  go-tracing-custom-build-steps:
+    name: 'Go: tracing with custom build steps'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-tracing-custom-build-steps.yml
+    with:
+      go-version: ${{ inputs.go-version }}
+  go-tracing-legacy-workflow:
+    name: 'Go: tracing with legacy workflow'
+    permissions:
+      contents: read
+      security-events: read
+    uses: ./.github/workflows/__go-tracing-legacy-workflow.yml
+    with:
+      go-version: ${{ inputs.go-version }}
--- a/.github/workflows/__init-with-registries.yml
+++ b/.github/workflows/__init-with-registries.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Download using registries'
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  init-with-registries:
    strategy:
@@ -54,7 +57,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__javascript-source-root.yml
+++ b/.github/workflows/__javascript-source-root.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Custom source root
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  javascript-source-root:
    strategy:
@@ -41,7 +44,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__job-run-uuid-sarif.yml
+++ b/.github/workflows/__job-run-uuid-sarif.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Job run UUID added to SARIF
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  job-run-uuid-sarif:
    strategy:
@@ -37,7 +40,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__language-aliases.yml
+++ b/.github/workflows/__language-aliases.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Language aliases
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  language-aliases:
    strategy:
@@ -37,7 +40,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Multi-language repository
@@ -20,21 +20,26 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  multi-language-autodetect:
    strategy:
      fail-fast: false
      matrix:
        include:
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.16.6
          - os: macos-latest
            version: stable-v2.17.6
          - os: ubuntu-latest
@@ -47,6 +52,14 @@ jobs:
            version: stable-v2.19.4
          - os: ubuntu-latest
            version: stable-v2.19.4
+          - os: macos-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: macos-latest
+            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.21.4
          - os: macos-latest
            version: default
          - os: ubuntu-latest
@@ -67,7 +80,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -75,10 +88,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
+      - name: Install Go
+        uses: actions/setup-go@v5
        with:
-          go-version: '>=1.21.0'
-
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        id: init
        with:
--- a/.github/workflows/__overlay-init-fallback.yml
+++ b/.github/workflows/__overlay-init-fallback.yml
@@ -0,0 +1,72 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Overlay database init fallback
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+jobs:
+  overlay-init-fallback:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Overlay database init fallback
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v5
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: actions # Any language without overlay support will do
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+        env:
+          CODEQL_OVERLAY_DATABASE_MODE: overlay-base
+      - uses: ./../action/analyze
+        id: analysis
+        with:
+          upload-database: false
+      - name: Check database
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/codeql_databases/actions"
+          if ! grep -q 'overlayBaseDatabase: false' codeql-database.yml ; then
+            echo "This test needs to be updated to use a non-overlay language."
+            exit 1
+          fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Config and input passed to the CLI'
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
@@ -53,7 +66,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -61,6 +74,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Config and input'
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  packaging-config-inputs-js:
    strategy:
@@ -53,7 +66,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -61,6 +74,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Config file'
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  packaging-config-js:
    strategy:
@@ -53,7 +66,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -61,6 +74,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging.yml
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: 'PR Check - Packaging: Action input'
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  packaging-inputs-js:
    strategy:
@@ -53,7 +66,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -61,6 +74,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging2.yml
--- a/.github/workflows/__quality-queries.yml
+++ b/.github/workflows/__quality-queries.yml
@@ -0,0 +1,120 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - Quality queries input
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+jobs:
+  quality-queries:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
+    name: Quality queries input
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v5
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: javascript
+          quality-queries: code-quality
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Upload security SARIF
+        uses: actions/upload-artifact@v4
+        with:
+          name: quality-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Upload quality SARIF
+        uses: actions/upload-artifact@v4
+        with:
+          name: quality-queries-${{ matrix.os }}-${{ matrix.version }}.quality.sarif.json
+          path: ${{ runner.temp }}/results/javascript.quality.sarif
+          retention-days: 7
+      - name: Check quality query does not appear in security SARIF
+        uses: actions/github-script@v7
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+          EXPECT_PRESENT: 'false'
+        with:
+          script: ${{ env.CHECK_SCRIPT }}
+      - name: Check quality query appears in quality SARIF
+        uses: actions/github-script@v7
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif
+          EXPECT_PRESENT: 'true'
+        with:
+          script: ${{ env.CHECK_SCRIPT }}
+    env:
+      CHECK_SCRIPT: |
+        const fs = require('fs');
+
+        const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+        const expectPresent = JSON.parse(process.env['EXPECT_PRESENT']);
+        const run = sarif.runs[0];
+        const extensions = run.tool.extensions;
+
+        if (extensions === undefined) {
+          core.setFailed('`extensions` property not found in the SARIF run property bag.');
+        }
+
+        // ID of a query we want to check the presence for
+        const targetId = 'js/regex/always-matches';
+        const found = extensions.find(extension => extension.rules && extension.rules.find(rule => rule.id === targetId));
+
+        if (found && expectPresent) {
+          console.log(`Found rule with id '${targetId}'.`);
+        } else if (!found && !expectPresent) {
+          console.log(`Rule with id '${targetId}' was not found.`);
+        } else {
+          core.setFailed(`${ found ? "Found" : "Didn't find" } rule ${targetId}`);
+        }
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Remote config file
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  remote-config:
    strategy:
@@ -39,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -47,6 +60,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/__resolve-environment-action.yml
+++ b/.github/workflows/__resolve-environment-action.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Resolve environment
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  resolve-environment-action:
    strategy:
@@ -53,7 +56,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - RuboCop multi-language
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  rubocop-multi-language:
    strategy:
@@ -37,7 +40,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -46,7 +49,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1.229.0
+        uses: ruby/setup-ruby@2a7b30092b0caf9c046252510f9273b4875f3db9 # v1.254.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
--- a/.github/workflows/__ruby.yml
+++ b/.github/workflows/__ruby.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Ruby analysis
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  ruby:
    strategy:
@@ -47,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__rust.yml
+++ b/.github/workflows/__rust.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Rust analysis
@@ -20,13 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  rust:
    strategy:
      fail-fast: false
      matrix:
        include:
+          - os: ubuntu-latest
+            version: stable-v2.19.3
+          - os: ubuntu-latest
+            version: stable-v2.22.1
          - os: ubuntu-latest
            version: linked
          - os: ubuntu-latest
@@ -41,7 +48,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -53,8 +60,6 @@ jobs:
        with:
          languages: rust
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-        env:
-          CODEQL_ACTION_RUST_ANALYSIS: true
      - uses: ./../action/analyze
        id: analysis
        with:
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Split workflow
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  split-workflow:
    strategy:
@@ -47,7 +60,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -55,6 +68,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
--- a/.github/workflows/__start-proxy.yml
+++ b/.github/workflows/__start-proxy.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Start proxy
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  start-proxy:
    strategy:
@@ -41,7 +44,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__submit-sarif-failure.yml
+++ b/.github/workflows/__submit-sarif-failure.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Submit SARIF after failure
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  submit-sarif-failure:
    strategy:
@@ -42,7 +45,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -50,7 +53,7 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: ./init
        with:
          languages: javascript
--- a/.github/workflows/__swift-autobuild.yml
+++ b/.github/workflows/__swift-autobuild.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Swift analysis using autobuild
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  swift-autobuild:
    strategy:
@@ -37,7 +40,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__swift-custom-build.yml
+++ b/.github/workflows/__swift-custom-build.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Swift analysis using a custom build command
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  swift-custom-build:
    strategy:
@@ -41,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -49,6 +62,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        id: init
        with:
--- a/.github/workflows/__test-autobuild-working-dir.yml
+++ b/.github/workflows/__test-autobuild-working-dir.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Autobuild working directory
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  test-autobuild-working-dir:
    strategy:
@@ -37,7 +40,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__test-local-codeql.yml
+++ b/.github/workflows/__test-local-codeql.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Local CodeQL bundle
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  test-local-codeql:
    strategy:
@@ -37,7 +50,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -45,6 +58,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Fetch a CodeQL bundle
        shell: bash
        env:
--- a/.github/workflows/__test-proxy.yml
+++ b/.github/workflows/__test-proxy.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Proxy test
@@ -20,7 +20,10 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
 jobs:
  test-proxy:
    strategy:
@@ -51,7 +54,7 @@ jobs:
          apt install -y gh
        env: {}
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Test unsetting environment variables
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  unset-environment:
    strategy:
@@ -39,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -47,6 +60,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        id: init
        with:
@@ -54,9 +72,6 @@ jobs:
      # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
      - name: Build code
        shell: bash
        run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
--- a/.github/workflows/__upload-quality-sarif.yml
+++ b/.github/workflows/__upload-quality-sarif.yml
@@ -0,0 +1,91 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: 'PR Check - Upload-sarif: code quality endpoint'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+jobs:
+  upload-quality-sarif:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
+    name: 'Upload-sarif: code quality endpoint'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v5
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          languages: cpp,csharp,java,javascript,python
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
+          quality-queries: code-quality
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+  # Generate some SARIF we can upload with the upload-sarif step
+      - uses: ./../action/analyze
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          upload: never
+      - uses: ./../action/upload-sarif
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+    env:
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  upload-ref-sha-input:
    strategy:
@@ -41,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -49,6 +62,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pr-checks/sync.sh
 # to regenerate this file.

 name: PR Check - Use a custom `checkout_path`
@@ -20,7 +20,20 @@ on:
      - ready_for_review
  schedule:
    - cron: '0 5 * * *'
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
+  workflow_call:
+    inputs:
+      go-version:
+        type: string
+        description: The version of Go to install
+        required: false
+        default: '>=1.21.0'
 jobs:
  with-checkout-path:
    strategy:
@@ -41,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -49,6 +62,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ inputs.go-version || '>=1.21.0' }}
+          cache: false
      - name: Delete original checkout
        shell: bash
        run: |
@@ -58,7 +76,7 @@ jobs:
          rm -rf ./* .github .git
  # Check out the actions repo again, but at a different location.
  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
          path: x/y/z/some-path
--- a/.github/workflows/__zstd-bundle-streaming.yml
+++ b/.github/workflows/__zstd-bundle-streaming.yml
@@ -1,110 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Zstandard bundle (streaming)
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  zstd-bundle-streaming:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-    name: Zstandard bundle (streaming)
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            if (codeqlPath !== undefined) {
-              fs.rmdirSync(codeqlPath, { recursive: true });
-            }
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os }}-zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            if (!toolsUrl.endsWith('.tar.zst')) {
-              core.setFailed(
-                `Expected the tools URL to be a .tar.zst file, but found ${toolsUrl}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_ZSTD_BUNDLE: true
-      CODEQL_ACTION_ZSTD_BUNDLE_STREAMING_EXTRACTION: true
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__zstd-bundle.yml
+++ b/.github/workflows/__zstd-bundle.yml
@@ -1,113 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Zstandard bundle
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  zstd-bundle:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: Zstandard bundle
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            if (codeqlPath !== undefined) {
-              fs.rmdirSync(codeqlPath, { recursive: true });
-            }
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os }}-zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            const expectedExtension = process.env['RUNNER_OS'] === 'Windows' ? '.tar.gz' : '.tar.zst';
-
-            if (!toolsUrl.endsWith(expectedExtension)) {
-              core.setFailed(
-                `Expected the tools URL to be a ${expectedExtension} file, but found ${toolsUrl}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_ZSTD_BUNDLE: true
-      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/check-expected-release-files.yml
+++ b/.github/workflows/check-expected-release-files.yml
@@ -18,7 +18,7 @@ jobs:

    steps:
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Check Expected Release Files
        run: |
          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,7 +27,7 @@ jobs:
      contents: read

    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
    - name: Init with default CodeQL bundle from the VM image
      id: init-default
      uses: ./init
@@ -75,7 +75,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-22.04,ubuntu-24.04,windows-2019,windows-2022,macos-13,macos-14]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

@@ -85,7 +85,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
    - name: Initialize CodeQL
      uses: ./init
      id: init
@@ -114,7 +114,7 @@ jobs:

    steps:
    - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
    - name: Initialize CodeQL
      uses: ./init
      with:
--- a/.github/workflows/codescanning-config-cli.yml
+++ b/.github/workflows/codescanning-config-cli.yml
@@ -3,6 +3,9 @@
 name: Code-Scanning config CLI tests
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  # Diff informed queries add an additional query filter which is not yet
+  # taken into account by these tests.
+  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false

 on:
  push:
@@ -51,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
--- a/.github/workflows/debug-artifacts-failure-safe.yml
+++ b/.github/workflows/debug-artifacts-failure-safe.yml
@@ -39,7 +39,7 @@ jobs:
      - name: Dump GitHub event
        run: cat "${GITHUB_EVENT_PATH}"
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -73,7 +73,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
        shell: bash
        run: |
--- a/.github/workflows/debug-artifacts-safe.yml
+++ b/.github/workflows/debug-artifacts-safe.yml
@@ -35,7 +35,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
@@ -67,7 +67,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
      - name: Check expected artifacts exist
        shell: bash
        run: |
--- a/.github/workflows/expected-queries-runs.yml
+++ b/.github/workflows/expected-queries-runs.yml
@@ -27,7 +27,7 @@ jobs:
      security-events: read
    steps:
    - name: Check out repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -40,7 +40,7 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "${GITHUB_CONTEXT}"

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0  # ensure we have all tags and can push commits
      - uses: actions/setup-node@v4
@@ -168,7 +168,7 @@ jobs:
            --draft

      - name: Generate token
-        uses: actions/create-github-app-token@v2.0.2
+        uses: actions/create-github-app-token@v2.1.1
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -22,7 +22,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Lint
        id: lint
@@ -46,7 +46,7 @@ jobs:
    timeout-minutes: 45

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - name: Check node modules up to date
        run: .github/workflows/script/check-node-modules.sh

@@ -60,19 +60,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: 3.11

-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          # When updating this, update the autogenerated code header in `sync.py` too.
-          pip install ruamel.yaml==0.17.31
-
      # Ensure the generated PR check workflows are up to date.
      - name: Verify PR checks up to date
        run: .github/workflows/script/verify-pr-checks.sh
@@ -91,7 +85,7 @@ jobs:
    timeout-minutes: 45

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - name: npm test
        run: |
          # Run any commands referenced in package.json using Bash, otherwise
@@ -111,7 +105,7 @@ jobs:
      contents: read

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - id: head-version
        name: Verify all Actions use the same Node version
        run: |
@@ -126,7 +120,7 @@ jobs:
      - id: checkout-base
        name: 'Backport: Check out base ref'
        if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          ref: ${{ env.BASE_REF }}

--- a/.github/workflows/publish-immutable-action.yml
+++ b/.github/workflows/publish-immutable-action.yml
@@ -28,7 +28,7 @@ jobs:
          fi
      - name: Checking out
        if: steps.check.outputs.is-action-release == 'true'
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Publish
        if: steps.check.outputs.is-action-release == 'true'
        id: publish
--- a/.github/workflows/python312-windows.yml
+++ b/.github/workflows/python312-windows.yml
@@ -26,7 +26,7 @@ jobs:
      with:
        python-version: 3.12

-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5

    - name: Prepare test
      uses: ./.github/actions/prepare-test
--- a/.github/workflows/query-filters.yml
+++ b/.github/workflows/query-filters.yml
@@ -24,7 +24,7 @@ jobs:
      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
    steps:
    - name: Check out repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
--- a/.github/workflows/rebuild.yml
+++ b/.github/workflows/rebuild.yml
@@ -9,18 +9,20 @@ jobs:
  rebuild:
    name: Rebuild Action
    runs-on: ubuntu-latest
-    if: github.event.label.name == 'Rebuild'
+    if: github.event.label.name == 'Rebuild' || github.event_name == 'workflow_dispatch'

    permissions:
      contents: write # needed to push rebuilt commit
      pull-requests: write # needed to comment on the PR
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
-          ref: ${{ github.event.pull_request.head.ref }}
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref || github.event.ref }}

      - name: Remove label
+        if: github.event_name == 'pull_request'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -28,21 +30,35 @@ jobs:
          gh pr edit --repo github/codeql-action "$PR_NUMBER" \
            --remove-label "Rebuild"

+      - name: Configure git
+        run: |
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
+
      - name: Merge in changes from base branch
+        id: merge
        env:
-          BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
+          BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'main' }}
        run: |
          git fetch origin "$BASE_BRANCH"

          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected"
+          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected, continuing."
+          MERGE_RESULT=$?

-          # Check for merge conflicts outside of `lib`. Disable git diff's trailing whitespace check
-          # since `node_modules/@types/semver/README.md` fails it.
-          if git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/'; then
-            echo "Merge conflicts detected outside of lib/ directory. Please resolve them manually."
-            git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/' || true
-            exit 1
+          if [ "$MERGE_RESULT" -ne 0 ]; then
+            echo "merge-in-progress=true" >> $GITHUB_OUTPUT
+
+            # Check for merge conflicts outside of `lib`. Disable git diff's trailing whitespace check
+            # since `node_modules/@types/semver/README.md` fails it.
+            if git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/'; then
+              echo "Merge conflicts were detected outside of the lib directory. Please resolve them manually."
+              git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/' || true
+              exit 1
+            fi
+
+            echo "No merge conflicts found outside the lib directory. We should be able to resolve all of" \
+              "these by rebuilding the Action."
          fi

      - name: Compile TypeScript
@@ -63,20 +79,49 @@ jobs:
          pip install ruamel.yaml==0.17.31
          python3 sync.py

-      - name: Check for changes and push
+      - name: "Merge in progress: Finish merge and push"
+        if: steps.merge.outputs.merge-in-progress == 'true'
+        run: |
+          echo "Finishing merge and pushing changes."
+          git add --all
+          git commit --no-edit
+          git push
+
+      - name: "No merge in progress: Check for changes and push"
+        if: steps.merge.outputs.merge-in-progress != 'true'
+        id: push
+        run: |
+          if [ ! -z "$(git status --porcelain)" ]; then
+            echo "Changes detected, committing and pushing."
+            git add --all
+            # If the merge originally had conflicts, finish the merge.
+            # Otherwise, just commit the changes.
+            if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
+              echo "In progress merge detected, finishing it up."
+              git merge --continue
+            else
+              echo "No in-progress merge detected, committing changes."
+              git commit -m "Rebuild"
+            fi
+            echo "Pushing changes"
+            git push
+            echo "changes=true" >> $GITHUB_OUTPUT
+          else
+            echo "No changes detected, nothing to commit."
+          fi
+
+      - name: Notify about rebuild
+        if: >-
+          github.event_name == 'pull_request' &&
+            (
+              steps.merge.outputs.merge-in-progress == 'true' ||
+              steps.push.outputs.changes == 'true'
+            )
        env:
-          BRANCH: ${{ github.event.pull_request.head.ref }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
-          if [ ! -z "$(git status --porcelain)" ]; then
-            git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-            git config --global user.name "github-actions[bot]"
-            git add --all
-            git commit -m "Rebuild"
-            git push origin "HEAD:$BRANCH"
-            echo "Pushed a commit to rebuild the Action." \
-              "Please mark the PR as ready for review to trigger PR checks." |
-              gh pr comment --body-file - --repo github/codeql-action "$PR_NUMBER"
-            gh pr ready --undo --repo github/codeql-action "$PR_NUMBER"
-          fi
+          echo "Pushed a commit to rebuild the Action." \
+            "Please mark the PR as ready for review to trigger PR checks." |
+            gh pr comment --body-file - --repo github/codeql-action "$PR_NUMBER"
+          gh pr ready --undo --repo github/codeql-action "$PR_NUMBER"
--- a/.github/workflows/script/verify-pr-checks.sh
+++ b/.github/workflows/script/verify-pr-checks.sh
@@ -12,7 +12,7 @@ fi
 rm -rf .github/workflows/__*

 # Generate the PR checks
-cd pr-checks && python3 sync.py
+pr-checks/sync.sh

 # Check that repo is still clean
 if [ ! -z "$(git status --porcelain)" ]; then
--- a/.github/workflows/test-codeql-bundle-all.yml
+++ b/.github/workflows/test-codeql-bundle-all.yml
@@ -32,7 +32,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
    - name: Prepare test
      id: prepare-test
      uses: ./.github/actions/prepare-test
--- a/.github/workflows/update-bundle.yml
+++ b/.github/workflows/update-bundle.yml
@@ -29,7 +29,7 @@ jobs:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "$GITHUB_CONTEXT"

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5

      - name: Update git config
        run: |
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -14,7 +14,7 @@ jobs:
      pull-requests: write # needed to comment on the PR
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5

    - name: Remove PR label
      env:
--- a/.github/workflows/update-proxy-release.yml
+++ b/.github/workflows/update-proxy-release.yml
@@ -0,0 +1,101 @@
+name: Update dependency proxy release assets
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "The tag of CodeQL Bundle release that contains the proxy binaries as release assets"
+        type: string
+        required: true
+
+jobs:
+  update:
+    name: Update code and create PR
+    timeout-minutes: 15
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to push the updated files
+      pull-requests: write # needed to create the PR
+    env:
+      RELEASE_TAG: ${{ inputs.tag }}
+    steps:
+      - name: Check release tag format
+        id: checks
+        shell: bash
+        run: |
+          if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format."
+            exit 1
+          fi
+
+          echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT
+
+      - name: Check that the release exists
+        shell: bash
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        run: |
+          (gh release view --repo "$GITHUB_REPOSITORY" --json "assets" "$RELEASE_TAG" && echo "Release found.") || exit 1
+
+      - name: Install Node
+        uses: actions/setup-node@v4
+
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0  # ensure we have all tags and can push commits
+          ref: main
+
+      - name: Update git config
+        shell: bash
+        run: |
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
+
+      - name: Update release tag and version
+        shell: bash
+        run: |
+          NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
+          sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts
+          sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts
+
+      - name: Compile TypeScript and commit changes
+        shell: bash
+        env:
+          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
+        run: |
+          set -exu
+          git checkout -b "$TARGET_BRANCH"
+
+          npm run build
+          git add ./src/start-proxy-action.ts
+          git add ./lib
+          git commit -m "Update release used by \`start-proxy\` action"
+
+      - name: Push changes and open PR
+        shell: bash
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
+          PR_FLAG: ${{ (github.event_name == 'workflow_dispatch' && '--draft') || '--dry-run' }}
+        run: |
+          set -exu
+          pr_title="Update release used by \`start-proxy\` to \`$RELEASE_TAG\`"
+          pr_body=$(cat << EOF
+            This PR updates the \`start-proxy\` action to use the private registry proxy binaries that
+            are attached as release assets to the \`$RELEASE_TAG\` release.
+
+
+            Please do the following before merging:
+
+            - [ ] Verify that the changes to the code are correct.
+            - [ ] Mark the PR as ready for review to trigger the CI.
+          EOF
+          )
+
+          git push origin "$TARGET_BRANCH"
+          gh pr create \
+            --head "$TARGET_BRANCH" \
+            --base "main" \
+            --title "${pr_title}" \
+            --body "${pr_body}" \
+            $PR_FLAG
--- a/.github/workflows/update-release-branch.yml
+++ b/.github/workflows/update-release-branch.yml
@@ -25,7 +25,7 @@ jobs:
    permissions:
      contents: read
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
    - uses: ./.github/actions/release-initialise
@@ -69,7 +69,7 @@ jobs:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull request
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
    - uses: ./.github/actions/release-initialise
@@ -124,14 +124,14 @@ jobs:
      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@v2.0.2
+      uses: actions/create-github-app-token@v2.1.1
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

    - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
        token: ${{ steps.app-token.outputs.token }}
--- a/.github/workflows/update-supported-enterprise-server-versions.yml
+++ b/.github/workflows/update-supported-enterprise-server-versions.yml
@@ -21,9 +21,9 @@ jobs:
        with:
          python-version: "3.13"
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Checkout Enterprise Releases
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          repository: github/enterprise-releases
          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,79 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 No user facing changes.

+## 3.29.10 - 18 Aug 2025
+
+No user facing changes.
+
+## 3.29.9 - 12 Aug 2025
+
+No user facing changes.
+
+## 3.29.8 - 08 Aug 2025
+
+- Fix an issue where the Action would autodetect unsupported languages such as HTML. [#3015](https://github.com/github/codeql-action/pull/3015)
+
+## 3.29.7 - 07 Aug 2025
+
+This release rolls back 3.29.6 to address issues with language autodetection. It is identical to 3.29.5.
+
+## 3.29.6 - 07 Aug 2025
+
+- The `cleanup-level` input to the `analyze` Action is now deprecated. The CodeQL Action has written a limited amount of intermediate results to the database since version 2.2.5, and now automatically manages cleanup. [#2999](https://github.com/github/codeql-action/pull/2999)
+- Update default CodeQL bundle version to 2.22.3. [#3000](https://github.com/github/codeql-action/pull/3000)
+
+## 3.29.5 - 29 Jul 2025
+
+- Update default CodeQL bundle version to 2.22.2. [#2986](https://github.com/github/codeql-action/pull/2986)
+
+## 3.29.4 - 23 Jul 2025
+
+No user facing changes.
+
+## 3.29.3 - 21 Jul 2025
+
+No user facing changes.
+
+## 3.29.2 - 30 Jun 2025
+
+- Experimental: When the `quality-queries` input for the `init` action is provided with an argument, separate `.quality.sarif` files are produced and uploaded for each language with the results of the specified queries. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#2935](https://github.com/github/codeql-action/pull/2935)
+
+## 3.29.1 - 27 Jun 2025
+
+- Fix bug in PR analysis where user-provided `include` query filter fails to exclude non-included queries. [#2938](https://github.com/github/codeql-action/pull/2938)
+- Update default CodeQL bundle version to 2.22.1. [#2950](https://github.com/github/codeql-action/pull/2950)
+
+## 3.29.0 - 11 Jun 2025
+
+- Update default CodeQL bundle version to 2.22.0. [#2925](https://github.com/github/codeql-action/pull/2925)
+- Bump minimum CodeQL bundle version to 2.16.6. [#2912](https://github.com/github/codeql-action/pull/2912)
+
+## 3.28.21 - 28 July 2025
+
+No user facing changes.
+
+## 3.28.20 - 21 July 2025
+
+- Remove support for combining SARIF files from a single upload for GHES 3.18, see [the changelog post](https://github.blog/changelog/2024-05-06-code-scanning-will-stop-combining-runs-from-a-single-upload/). [#2959](https://github.com/github/codeql-action/pull/2959)
+
+## 3.28.19 - 03 Jun 2025
+
+- The CodeQL Action no longer includes its own copy of the extractor for the `actions` language, which is currently in public preview.
+  The `actions` extractor has been included in the CodeQL CLI since v2.20.6. If your workflow has enabled the `actions` language _and_ you have pinned
+  your `tools:` property to a specific version of the CodeQL CLI earlier than v2.20.6, you will need to update to at least CodeQL v2.20.6 or disable
+  `actions` analysis.
+- Update default CodeQL bundle version to 2.21.4. [#2910](https://github.com/github/codeql-action/pull/2910)
+
+## 3.28.18 - 16 May 2025
+
+- Update default CodeQL bundle version to 2.21.3. [#2893](https://github.com/github/codeql-action/pull/2893)
+- Skip validating SARIF produced by CodeQL for improved performance. [#2894](https://github.com/github/codeql-action/pull/2894)
+- The number of threads and amount of RAM used by CodeQL can now be set via the `CODEQL_THREADS` and `CODEQL_RAM` runner environment variables. If set, these environment variables override the `threads` and `ram` inputs respectively. [#2891](https://github.com/github/codeql-action/pull/2891)
+
+## 3.28.17 - 02 May 2025
+
+- Update default CodeQL bundle version to 2.21.2. [#2872](https://github.com/github/codeql-action/pull/2872)
+
 ## 3.28.16 - 23 Apr 2025

 - Update default CodeQL bundle version to 2.21.1. [#2863](https://github.com/github/codeql-action/pull/2863)
--- a/README.md
+++ b/README.md
@@ -55,7 +55,7 @@ For compiled languages:

 - `manual` build mode will typically produce the most precise results, but it is more difficult to set up and will cause the analysis to take slightly more time to run.
 - `autobuild` build mode is simpler to set up, but will only work for projects with generic build steps that can be guessed by the heuristics of the autobuild scripts. If `autobuild` fails, then you must switch to `manual` or `none`. If `autobuild` succeeds, then the results and run time will be the same as `manual` mode.
- `none` build mode is also simpler to set up and is slightly faster to run, but there is a possibility that some alerts will be missed. This may happen if your repository does any code generation during compilation or if there are any dependencies downloaded from registries that the workflow does not have access to. `none` is not yet supported by C/C++, Swift, Go, or Kotlin.
+- `none` build mode is also simpler to set up and is slightly faster to run, but there is a possibility that some alerts will be missed. This may happen if your repository does any code generation during compilation or if there are any dependencies downloaded from registries that the workflow does not have access to. `none` is not yet supported by Swift, Go, or Kotlin. It is in public preview for C/C++.


 ## Supported versions of the CodeQL Action
@@ -70,10 +70,11 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n

 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
-| `v3.26.6`  | `2.18.4` | Enterprise Server 3.15 | |
-| `v3.25.11` | `2.17.6` | Enterprise Server 3.14 | |
-| `v3.24.11` | `2.16.6` | Enterprise Server 3.13 | |
-| `v3.22.12` | `2.15.5` | Enterprise Server 3.12 | |
+| `v3.28.21`  | `2.21.3` | Enterprise Server 3.18 | |
+| `v3.28.12`  | `2.20.7` | Enterprise Server 3.17 | |
+| `v3.28.6`  | `2.20.3` | Enterprise Server 3.16 | |
+| `v3.28.6`  | `2.20.3` | Enterprise Server 3.15 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |

 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).

--- a/actions-extractor/codeql-extractor.yml
+++ b/actions-extractor/codeql-extractor.yml
@@ -1,44 +0,0 @@
-name: "actions"
-aliases: []
-display_name: "GitHub Actions"
-version: 0.0.1
-column_kind: "utf16"
-unicode_newlines: true
-build_modes:
-  - none
-file_coverage_languages: []
-github_api_languages: []
-scc_languages: []
-file_types:
-  - name: workflow
-    display_name: GitHub Actions workflow files
-    extensions:
-      - .yml
-      - .yaml
-forwarded_extractor_name: javascript
-options:
-  trap:
-    title: TRAP options
-    description: Options about how the extractor handles TRAP files
-    type: object
-    visibility: 3
-    properties:
-      cache:
-        title: TRAP cache options
-        description: Options about how the extractor handles its TRAP cache
-        type: object
-        properties:
-          dir:
-            title: TRAP cache directory
-            description: The directory of the TRAP cache to use
-            type: string
-          bound:
-            title: TRAP cache bound
-            description: A soft limit (in MB) on the size of the TRAP cache
-            type: string
-            pattern: "[0-9]+"
-          write:
-            title: TRAP cache writeable
-            description: Whether to write to the TRAP cache as well as reading it
-            type: string
-            pattern: "(true|TRUE|false|FALSE)"
--- a/actions-extractor/tools/autobuild-impl.ps1
+++ b/actions-extractor/tools/autobuild-impl.ps1
@@ -1,40 +0,0 @@
-if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
-    Write-Output 'Path filters set. Passing them through to the JavaScript extractor.' 
-} else {
-    Write-Output 'No path filters set. Using the default filters.'
-    $DefaultPathFilters = @(
-        'exclude:**/*',
-        'include:.github/workflows/**/*.yml',
-        'include:.github/workflows/**/*.yaml',
-        'include:**/action.yml',
-        'include:**/action.yaml'
-    )
-
-    $env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
-}
-
-# Find the JavaScript extractor directory via `codeql resolve extractor`.
-$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
-if ($LASTEXITCODE -ne 0) {
-    throw 'Failed to resolve JavaScript extractor.'
-}
-
-Write-Output "Found JavaScript extractor at '${env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
-
-# Run the JavaScript autobuilder.
-$JavaScriptAutoBuild = Join-Path $env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT 'tools\autobuild.cmd'
-Write-Output "Running JavaScript autobuilder at '${JavaScriptAutoBuild}'."
-
-# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_LOG_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
-
-&$JavaScriptAutoBuild
-if ($LASTEXITCODE -ne 0) {
-    throw "JavaScript autobuilder failed."
-}
--- a/actions-extractor/tools/autobuild.cmd
+++ b/actions-extractor/tools/autobuild.cmd
@@ -1,3 +0,0 @@
-@echo off
-rem All of the work is done in the PowerShell script
-powershell.exe %~dp0autobuild-impl.ps1
--- a/actions-extractor/tools/autobuild.sh
+++ b/actions-extractor/tools/autobuild.sh
@@ -1,39 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-DEFAULT_PATH_FILTERS=$(cat << END
-exclude:**/*
-include:.github/workflows/**/*.yml
-include:.github/workflows/**/*.yaml
-include:**/action.yml
-include:**/action.yaml
-END
-)
-
-if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
-    echo "Path filters set. Passing them through to the JavaScript extractor."
-else
-    echo "No path filters set. Using the default filters."
-    LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
-    export LGTM_INDEX_FILTERS
-fi
-
-# Find the JavaScript extractor directory via `codeql resolve extractor`.
-CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
-export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
-
-echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
-
-# Run the JavaScript autobuilder
-JAVASCRIPT_AUTO_BUILD="${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}/tools/autobuild.sh"
-echo "Running JavaScript autobuilder at '${JAVASCRIPT_AUTO_BUILD}'."
-
-# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
-env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR="${CODEQL_EXTRACTOR_ACTIONS_LOG_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR="${CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
-    ${JAVASCRIPT_AUTO_BUILD}
--- a/analyze/action.yml
+++ b/analyze/action.yml
@@ -19,9 +19,10 @@ inputs:
    # If changing this, make sure to update workflow.ts accordingly.
    default: "always"
  cleanup-level:
-    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --cache-cleanup flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
+    description: >-
+      DEPRECATED. This option is ignored since, for performance reasons, the CodeQL Action automatically
+      manages cleanup of intermediate results.
    required: false
-    default: "brutal"
  ram:
    description: >-
      The amount of memory in MB that can be used by CodeQL for database finalization and query execution.
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -138,6 +138,7 @@ export default [
    rules: {
      "@typescript-eslint/no-explicit-any": "off",
      "@typescript-eslint/no-unsafe-assignment": "off",
+      "@typescript-eslint/no-unsafe-enum-comparison": "off",
      "@typescript-eslint/no-unsafe-member-access": "off",
      "@typescript-eslint/no-var-requires": "off",
      "@typescript-eslint/prefer-regexp-exec": "off",
--- a/init/action.yml
+++ b/init/action.yml
@@ -83,6 +83,9 @@ inputs:
  queries:
    description: Comma-separated list of additional queries to run. By default, this overrides the same setting in a configuration file; prefix with "+" to use both sets of queries.
    required: false
+  quality-queries:
+    description: '[Internal] Comma-separated list of code quality queries to run.'
+    required: false
  packs:
    description: >-
      Comma-separated list of packs to run. Reference a pack in the format `scope/name[@version]`. If `version` is not
--- a/lib/actions-util.js
+++ b/lib/actions-util.js
@@ -49,10 +49,14 @@ exports.isDefaultSetup = isDefaultSetup;
 exports.prettyPrintInvocation = prettyPrintInvocation;
 exports.ensureEndsInPeriod = ensureEndsInPeriod;
 exports.runTool = runTool;
+exports.getPullRequestBranches = getPullRequestBranches;
+exports.isAnalyzingPullRequest = isAnalyzingPullRequest;
+exports.fixCodeQualityCategory = fixCodeQualityCategory;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
+const github = __importStar(require("@actions/github"));
 const io = __importStar(require("@actions/io"));
 const util_1 = require("./util");
 // eslint-disable-next-line import/no-commonjs, @typescript-eslint/no-require-imports
@@ -261,7 +265,7 @@ function prettyPrintInvocation(cmd, args) {
 * An error from a tool invocation, with associated exit code, stderr, etc.
 */
 class CommandInvocationError extends Error {
-    constructor(cmd, args, exitCode, stderr, stdout) {
+    constructor(cmd, args, exitCode, stderr, stdout = "") {
        const prettyCommand = prettyPrintInvocation(cmd, args);
        const lastLine = ensureEndsInPeriod(stderr.trim().split("\n").pop()?.trim() || "n/a");
        super(`Failed to run "${prettyCommand}". ` +
@@ -352,4 +356,75 @@ const restoreInputs = function () {
    }
 };
 exports.restoreInputs = restoreInputs;
+/**
+ * Returns the base and head branches of the pull request being analyzed.
+ *
+ * @returns the base and head branches of the pull request, or undefined if
+ * we are not analyzing a pull request.
+ */
+function getPullRequestBranches() {
+    const pullRequest = github.context.payload.pull_request;
+    if (pullRequest) {
+        return {
+            base: pullRequest.base.ref,
+            // We use the head label instead of the head ref here, because the head
+            // ref lacks owner information and by itself does not uniquely identify
+            // the head branch (which may be in a forked repository).
+            head: pullRequest.head.label,
+        };
+    }
+    // PR analysis under Default Setup does not have the pull_request context,
+    // but it should set CODE_SCANNING_REF and CODE_SCANNING_BASE_BRANCH.
+    const codeScanningRef = process.env.CODE_SCANNING_REF;
+    const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH;
+    if (codeScanningRef && codeScanningBaseBranch) {
+        return {
+            base: codeScanningBaseBranch,
+            // PR analysis under Default Setup analyzes the PR head commit instead of
+            // the merge commit, so we can use the provided ref directly.
+            head: codeScanningRef,
+        };
+    }
+    return undefined;
+}
+/**
+ * Returns whether we are analyzing a pull request.
+ */
+function isAnalyzingPullRequest() {
+    return getPullRequestBranches() !== undefined;
+}
+/**
+ * A workaround for code quality to map category names from old default setup workflows
+ * to ones that the code quality service expects.
+ */
+const qualityCategoryMapping = {
+    "c#": "csharp",
+    cpp: "c-cpp",
+    c: "c-cpp",
+    "c++": "c-cpp",
+    java: "java-kotlin",
+    javascript: "javascript-typescript",
+    typescript: "javascript-typescript",
+    kotlin: "java-kotlin",
+};
+/** Adjusts the category string for a Code Quality SARIF file if an "old"
+ * category identifier is used by Default Setup.
+ */
+function fixCodeQualityCategory(logger, category) {
+    // The `category` should always be set by Default Setup. We perform this check
+    // to avoid potential issues if Code Quality supports Advanced Setup in the future
+    // and before this workaround is removed.
+    if (category !== undefined &&
+        isDefaultSetup() &&
+        category.startsWith("/language:")) {
+        const language = category.substring("/language:".length);
+        const mappedLanguage = qualityCategoryMapping[language];
+        if (mappedLanguage) {
+            const newCategory = `/language:${mappedLanguage}`;
+            logger.info(`Adjusted category for Code Quality from '${category}' to '${newCategory}'.`);
+            return newCategory;
+        }
+    }
+    return category;
+}
 //# sourceMappingURL=actions-util.js.map
--- a/lib/actions-util.js.map
+++ b/lib/actions-util.js.map
--- a/lib/actions-util.test.js
+++ b/lib/actions-util.test.js
@@ -1,14 +1,79 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+const github = __importStar(require("@actions/github"));
 const ava_1 = __importDefault(require("ava"));
+const actions_util_1 = require("./actions-util");
 const api_client_1 = require("./api-client");
 const environment_1 = require("./environment");
+const logging_1 = require("./logging");
 const testing_utils_1 = require("./testing-utils");
 const util_1 = require("./util");
 (0, testing_utils_1.setupTests)(ava_1.default);
+function withMockedContext(mockPayload, testFn) {
+    const originalPayload = github.context.payload;
+    github.context.payload = mockPayload;
+    try {
+        return testFn();
+    }
+    finally {
+        github.context.payload = originalPayload;
+    }
+}
+function withMockedEnv(envVars, testFn) {
+    const originalEnv = { ...process.env };
+    // Apply environment changes
+    for (const [key, value] of Object.entries(envVars)) {
+        if (value === undefined) {
+            delete process.env[key];
+        }
+        else {
+            process.env[key] = value;
+        }
+    }
+    try {
+        return testFn();
+    }
+    finally {
+        // Restore original environment
+        process.env = originalEnv;
+    }
+}
 (0, ava_1.default)("computeAutomationID()", async (t) => {
    let actualAutomationID = (0, api_client_1.computeAutomationID)(".github/workflows/codeql-analysis.yml:analyze", '{"language": "javascript", "os": "linux"}');
    t.deepEqual(actualAutomationID, ".github/workflows/codeql-analysis.yml:analyze/language:javascript/os:linux/");
@@ -25,8 +90,103 @@ const util_1 = require("./util");
    actualAutomationID = (0, api_client_1.computeAutomationID)(".github/workflows/codeql-analysis.yml:analyze", undefined);
    t.deepEqual(actualAutomationID, ".github/workflows/codeql-analysis.yml:analyze/");
 });
+(0, ava_1.default)("getPullRequestBranches() with pull request context", (t) => {
+    withMockedContext({
+        pull_request: {
+            number: 123,
+            base: { ref: "main" },
+            head: { label: "user:feature-branch" },
+        },
+    }, () => {
+        t.deepEqual((0, actions_util_1.getPullRequestBranches)(), {
+            base: "main",
+            head: "user:feature-branch",
+        });
+        t.is((0, actions_util_1.isAnalyzingPullRequest)(), true);
+    });
+});
+(0, ava_1.default)("getPullRequestBranches() returns undefined with push context", (t) => {
+    withMockedContext({
+        push: {
+            ref: "refs/heads/main",
+        },
+    }, () => {
+        t.is((0, actions_util_1.getPullRequestBranches)(), undefined);
+        t.is((0, actions_util_1.isAnalyzingPullRequest)(), false);
+    });
+});
+(0, ava_1.default)("getPullRequestBranches() with Default Setup environment variables", (t) => {
+    withMockedContext({}, () => {
+        withMockedEnv({
+            CODE_SCANNING_REF: "refs/heads/feature-branch",
+            CODE_SCANNING_BASE_BRANCH: "main",
+        }, () => {
+            t.deepEqual((0, actions_util_1.getPullRequestBranches)(), {
+                base: "main",
+                head: "refs/heads/feature-branch",
+            });
+            t.is((0, actions_util_1.isAnalyzingPullRequest)(), true);
+        });
+    });
+});
+(0, ava_1.default)("getPullRequestBranches() returns undefined when only CODE_SCANNING_REF is set", (t) => {
+    withMockedContext({}, () => {
+        withMockedEnv({
+            CODE_SCANNING_REF: "refs/heads/feature-branch",
+            CODE_SCANNING_BASE_BRANCH: undefined,
+        }, () => {
+            t.is((0, actions_util_1.getPullRequestBranches)(), undefined);
+            t.is((0, actions_util_1.isAnalyzingPullRequest)(), false);
+        });
+    });
+});
+(0, ava_1.default)("getPullRequestBranches() returns undefined when only CODE_SCANNING_BASE_BRANCH is set", (t) => {
+    withMockedContext({}, () => {
+        withMockedEnv({
+            CODE_SCANNING_REF: undefined,
+            CODE_SCANNING_BASE_BRANCH: "main",
+        }, () => {
+            t.is((0, actions_util_1.getPullRequestBranches)(), undefined);
+            t.is((0, actions_util_1.isAnalyzingPullRequest)(), false);
+        });
+    });
+});
+(0, ava_1.default)("getPullRequestBranches() returns undefined when no PR context", (t) => {
+    withMockedContext({}, () => {
+        withMockedEnv({
+            CODE_SCANNING_REF: undefined,
+            CODE_SCANNING_BASE_BRANCH: undefined,
+        }, () => {
+            t.is((0, actions_util_1.getPullRequestBranches)(), undefined);
+            t.is((0, actions_util_1.isAnalyzingPullRequest)(), false);
+        });
+    });
+});
 (0, ava_1.default)("initializeEnvironment", (t) => {
    (0, util_1.initializeEnvironment)("1.2.3");
    t.deepEqual(process.env[environment_1.EnvVar.VERSION], "1.2.3");
 });
+(0, ava_1.default)("fixCodeQualityCategory", (t) => {
+    withMockedEnv({
+        GITHUB_EVENT_NAME: "dynamic",
+    }, () => {
+        const logger = (0, logging_1.getRunnerLogger)(true);
+        // Categories that should get adjusted.
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:c#"), "/language:csharp");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:cpp"), "/language:c-cpp");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:c"), "/language:c-cpp");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:java"), "/language:java-kotlin");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:javascript"), "/language:javascript-typescript");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:typescript"), "/language:javascript-typescript");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:kotlin"), "/language:java-kotlin");
+        // Categories that should not get adjusted.
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:csharp"), "/language:csharp");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:go"), "/language:go");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "/language:actions"), "/language:actions");
+        // Other cases.
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, undefined), undefined);
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "random string"), "random string");
+        t.is((0, actions_util_1.fixCodeQualityCategory)(logger, "kotlin"), "kotlin");
+    });
+});
 //# sourceMappingURL=actions-util.test.js.map
--- a/lib/actions-util.test.js.map
+++ b/lib/actions-util.test.js.map
--- a/lib/analyze-action-env.test.js
+++ b/lib/analyze-action-env.test.js
@@ -68,6 +68,7 @@ const util = __importStar(require("./util"));
        };
        sinon.stub(configUtils, "getConfig").resolves({
            gitHubVersion,
+            augmentationProperties: {},
            languages: [],
            packs: [],
            trapCaches: {},
@@ -75,8 +76,8 @@ const util = __importStar(require("./util"));
        const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
        requiredInputStub.withArgs("token").returns("fake-token");
        requiredInputStub.withArgs("upload-database").returns("false");
+        requiredInputStub.withArgs("output").returns("out");
        const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
-        optionalInputStub.withArgs("cleanup-level").returns("none");
        optionalInputStub.withArgs("expect-error").returns("false");
        sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
@@ -95,8 +96,10 @@ const util = __importStar(require("./util"));
        // runFinalize and runQueries are correctly captured by spies, we explicitly
        // wait for the action promise to complete before starting verification.
        await analyzeAction.runPromise;
+        t.assert(runFinalizeStub.calledOnce);
        t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
        t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=4992");
+        t.assert(runQueriesStub.calledOnce);
        t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
        t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=4992");
    });
--- a/lib/analyze-action-env.test.js.map
+++ b/lib/analyze-action-env.test.js.map
@@ -1 +1 @@
-{"version":3,"file":"analyze-action-env.test.js","sourceRoot":"","sources":["../src/analyze-action-env.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,kDAAoC;AACpC,4DAA8C;AAC9C,sDAAwC;AACxC,8DAAgD;AAChD,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,8DAA8D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC/E,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,YAAY,EAAE,wBAAwB,CAAC;aAC5C,QAAQ,CAAC,EAAmC,CAAC,CAAC;QACjD,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,0BAA0B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAEhE,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC5D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,uEAAuE;QACvE,0EAA0E;QAC1E,iBAAiB;QACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,iEAAiE;QACjE,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"analyze-action-env.test.js","sourceRoot":"","sources":["../src/analyze-action-env.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,kDAAoC;AACpC,4DAA8C;AAC9C,sDAAwC;AACxC,8DAAgD;AAChD,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,8DAA8D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC/E,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,YAAY,EAAE,wBAAwB,CAAC;aAC5C,QAAQ,CAAC,EAAmC,CAAC,CAAC;QACjD,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,0BAA0B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAEhE,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,sBAAsB,EAAE,EAAE;YAC1B,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACpD,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC5D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,uEAAuE;QACvE,0EAA0E;QAC1E,iBAAiB;QACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,iEAAiE;QACjE,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;QACrC,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
--- a/lib/analyze-action-input.test.js
+++ b/lib/analyze-action-input.test.js
@@ -67,6 +67,7 @@ const util = __importStar(require("./util"));
        };
        sinon.stub(configUtils, "getConfig").resolves({
            gitHubVersion,
+            augmentationProperties: {},
            languages: [],
            packs: [],
            trapCaches: {},
@@ -74,8 +75,8 @@ const util = __importStar(require("./util"));
        const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
        requiredInputStub.withArgs("token").returns("fake-token");
        requiredInputStub.withArgs("upload-database").returns("false");
+        requiredInputStub.withArgs("output").returns("out");
        const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
-        optionalInputStub.withArgs("cleanup-level").returns("none");
        optionalInputStub.withArgs("expect-error").returns("false");
        sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion);
        sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
@@ -95,8 +96,10 @@ const util = __importStar(require("./util"));
        // runFinalize and runQueries are correctly captured by spies, we explicitly
        // wait for the action promise to complete before starting verification.
        await analyzeAction.runPromise;
+        t.assert(runFinalizeStub.calledOnce);
        t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
        t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=3012");
+        t.assert(runQueriesStub.calledOnce);
        t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
        t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=3012");
    });
--- a/lib/analyze-action-input.test.js.map
+++ b/lib/analyze-action-input.test.js.map
@@ -1 +1 @@
-{"version":3,"file":"analyze-action-input.test.js","sourceRoot":"","sources":["../src/analyze-action-input.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,kDAAoC;AACpC,4DAA8C;AAC9C,sDAAwC;AACxC,8DAAgD;AAChD,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,sDAAsD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvE,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,YAAY,EAAE,wBAAwB,CAAC;aAC5C,QAAQ,CAAC,EAAmC,CAAC,CAAC;QACjD,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,0BAA0B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAChE,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,GAAG,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,4DAA4D;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpD,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElD,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,iEAAiE;QACjE,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"analyze-action-input.test.js","sourceRoot":"","sources":["../src/analyze-action-input.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,kDAAoC;AACpC,4DAA8C;AAC9C,sDAAwC;AACxC,8DAAgD;AAChD,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,sDAAsD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvE,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,YAAY,EAAE,wBAAwB,CAAC;aAC5C,QAAQ,CAAC,EAAmC,CAAC,CAAC;QACjD,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,sBAAsB,EAAE,EAAE;YAC1B,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;YACT,UAAU,EAAE,EAAE;SACkB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACpD,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,0BAA0B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAChE,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,GAAG,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,4DAA4D;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpD,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElD,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,iEAAiE;QACjE,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;QACrC,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -55,6 +55,7 @@ const environment_1 = require("./environment");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
+const overlay_database_utils_1 = require("./overlay-database-utils");
 const repository_1 = require("./repository");
 const statusReport = __importStar(require("./status-report"));
 const status_report_1 = require("./status-report");
@@ -94,8 +95,8 @@ function hasBadExpectErrorInput() {
 * indicating whether Go extraction has extracted at least one file.
 */
 function doesGoExtractionOutputExist(config) {
-    const golangDbDirectory = util.getCodeQLDatabasePath(config, languages_1.Language.go);
-    const trapDirectory = path_1.default.join(golangDbDirectory, "trap", languages_1.Language.go);
+    const golangDbDirectory = util.getCodeQLDatabasePath(config, languages_1.KnownLanguage.go);
+    const trapDirectory = path_1.default.join(golangDbDirectory, "trap", languages_1.KnownLanguage.go);
    return (fs.existsSync(trapDirectory) &&
        fs
            .readdirSync(trapDirectory)
@@ -122,7 +123,7 @@ function doesGoExtractionOutputExist(config) {
 * whether any extraction output already exists for Go.
 */
 async function runAutobuildIfLegacyGoWorkflow(config, logger) {
-    if (!config.languages.includes(languages_1.Language.go)) {
+    if (!config.languages.includes(languages_1.KnownLanguage.go)) {
        return;
    }
    if (config.buildMode) {
@@ -133,7 +134,7 @@ async function runAutobuildIfLegacyGoWorkflow(config, logger) {
        logger.debug("Won't run Go autobuild since it has already been run.");
        return;
    }
-    if ((0, analyze_1.dbIsFinalized)(config, languages_1.Language.go, logger)) {
+    if ((0, analyze_1.dbIsFinalized)(config, languages_1.KnownLanguage.go, logger)) {
        logger.debug("Won't run Go autobuild since there is already a finalized database for Go.");
        return;
    }
@@ -148,7 +149,7 @@ async function runAutobuildIfLegacyGoWorkflow(config, logger) {
        return;
    }
    logger.debug("Running Go autobuild because extraction output (TRAP files) for Go code has not been found.");
-    await (0, autobuild_1.runAutobuild)(config, languages_1.Language.go, logger);
+    await (0, autobuild_1.runAutobuild)(config, languages_1.KnownLanguage.go, logger);
 }
 async function run() {
    const startedAt = new Date();
@@ -160,14 +161,6 @@ async function run() {
    let dbCreationTimings = undefined;
    let didUploadTrapCaches = false;
    util.initializeEnvironment(actionsUtil.getActionVersion());
-    // Unset the CODEQL_PROXY_* environment variables, as they are not needed
-    // and can cause issues with the CodeQL CLI
-    // Check for CODEQL_PROXY_HOST: and if it is empty but set, unset it
-    if (process.env.CODEQL_PROXY_HOST === "") {
-        delete process.env.CODEQL_PROXY_HOST;
-        delete process.env.CODEQL_PROXY_PORT;
-        delete process.env.CODEQL_PROXY_CA_CERTIFICATE;
-    }
    // Make inputs accessible in the `post` step, details at
    // https://github.com/github/codeql-action/issues/2553
    actionsUtil.persistInputs();
@@ -185,6 +178,18 @@ async function run() {
        if (hasBadExpectErrorInput()) {
            throw new util.ConfigurationError("`expect-error` input parameter is for internal use only. It should only be set by codeql-action or a fork.");
        }
+        // Unset the CODEQL_PROXY_* environment variables when using older CodeQL
+        // CLIs, as they are not needed and can cause issues.
+        if (process.env.CODEQL_PROXY_HOST === "" &&
+            !(await util.codeQlVersionAtLeast(codeql, "2.20.7"))) {
+            delete process.env.CODEQL_PROXY_HOST;
+            delete process.env.CODEQL_PROXY_PORT;
+            delete process.env.CODEQL_PROXY_CA_CERTIFICATE;
+        }
+        if (actionsUtil.getOptionalInput("cleanup-level")) {
+            logger.info("The 'cleanup-level' input is ignored since the CodeQL Action now automatically " +
+                "manages database cleanup. This input can safely be removed from your workflow.");
+        }
        const apiDetails = (0, api_client_1.getApiDetails)();
        const outputDir = actionsUtil.getRequiredInput("output");
        core.exportVariable(environment_1.EnvVar.SARIF_RESULTS_OUTPUT_DIR, outputDir);
@@ -201,12 +206,8 @@ async function run() {
        await (0, analyze_1.warnIfGoInstalledAfterInit)(config, logger);
        await runAutobuildIfLegacyGoWorkflow(config, logger);
        dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, codeql, config, logger);
-        const cleanupLevel = actionsUtil.getOptionalInput("cleanup-level") || "brutal";
        if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
-            runStats = await (0, analyze_1.runQueries)(outputDir, memory, util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), threads, cleanupLevel, diffRangePackDir, actionsUtil.getOptionalInput("category"), config, logger, features);
-        }
-        if (cleanupLevel !== "none") {
-            await (0, analyze_1.runCleanup)(config, cleanupLevel, logger);
+            runStats = await (0, analyze_1.runQueries)(outputDir, memory, util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), threads, diffRangePackDir, actionsUtil.getOptionalInput("category"), codeql, config, logger, features);
        }
        const dbLocations = {};
        for (const language of config.languages) {
@@ -216,14 +217,22 @@ async function run() {
        core.setOutput("sarif-output", path_1.default.resolve(outputDir));
        const uploadInput = actionsUtil.getOptionalInput("upload");
        if (runStats && actionsUtil.getUploadValue(uploadInput) === "always") {
-            uploadResult = await uploadLib.uploadFiles(outputDir, actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getOptionalInput("category"), features, logger);
+            uploadResult = await uploadLib.uploadFiles(outputDir, actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getOptionalInput("category"), features, logger, uploadLib.CodeScanningTarget);
            core.setOutput("sarif-id", uploadResult.sarifID);
+            if (config.augmentationProperties.qualityQueriesInput !== undefined) {
+                const qualityUploadResult = await uploadLib.uploadFiles(outputDir, actionsUtil.getRequiredInput("checkout_path"), actionsUtil.fixCodeQualityCategory(logger, actionsUtil.getOptionalInput("category")), features, logger, uploadLib.CodeQualityTarget);
+                core.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
+            }
        }
        else {
            logger.info("Not uploading results");
        }
-        // Possibly upload the database bundles for remote queries
-        await (0, database_upload_1.uploadDatabases)(repositoryNwo, config, apiDetails, logger);
+        // Possibly upload the overlay-base database to actions cache.
+        // If databases are to be uploaded, they will first be cleaned up at the overlay level.
+        await (0, overlay_database_utils_1.uploadOverlayBaseDatabaseToCache)(codeql, config, logger);
+        // Possibly upload the database bundles for remote queries.
+        // If databases are to be uploaded, they will first be cleaned up at the clear level.
+        await (0, database_upload_1.uploadDatabases)(repositoryNwo, codeql, config, apiDetails, logger);
        // Possibly upload the TRAP caches for later re-use
        const trapCacheUploadStartTime = perf_hooks_1.performance.now();
        didUploadTrapCaches = await (0, trap_caching_1.uploadTrapCaches)(codeql, config, logger);
--- a/lib/analyze-action.js.map
+++ b/lib/analyze-action.js.map
--- a/Show More
+++ b/Show More