Refactor existing telemetry diagnostics to use makeTelemetryDiagnostic

Refactored bundle-download-telemetry and zstd-availability diagnostics
in init-action.ts to use the new makeTelemetryDiagnostic helper function.
Also added guard for empty languages array in logGitVersionTelemetry.

Co-authored-by: henrymercer <14129055+henrymercer@users.noreply.github.com>

.github/pull_request_template.md

@@ -34,7 +34,7 @@ Products:
 
 Environments:
 
-- **Dotcom** - Impacts CodeQL workflows on `github.com`.
+- **Dotcom** - Impacts CodeQL workflows on `github.com` and/or GitHub Enterprise Cloud with Data Residency.
 - **GHES** - Impacts CodeQL workflows on GitHub Enterprise Server.
 - **Testing/None** - This change does not impact any CodeQL workflows in production.
 

.github/workflows/__bundle-zstd.yml

@@ -79,7 +79,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ${{ matrix.os }}-zstd-bundle.sarif
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__config-export.yml

@@ -67,7 +67,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__diagnostics-export.yml

@@ -78,7 +78,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__export-file-baseline-information.yml

@@ -99,7 +99,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__go.yml

@@ -8,9 +8,6 @@ env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
 on:
-  push:
-    paths:
-      - .github/workflows/__go.yml
   workflow_dispatch:
     inputs:
       go-version:

.github/workflows/__job-run-uuid-sarif.yml

@@ -64,7 +64,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
       - name: Upload SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__quality-queries.yml

@@ -83,7 +83,7 @@ jobs:
           post-processed-sarif-path: ${{ runner.temp }}/post-processed
       - name: Upload security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: |
             quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -91,14 +91,14 @@ jobs:
           retention-days: 7
       - name: Upload quality SARIF
         if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: |
             quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
           path: ${{ runner.temp }}/results/javascript.quality.sarif
           retention-days: 7
       - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: |
             post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json

.github/workflows/__rubocop-multi-language.yml

@@ -56,7 +56,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71 # v1.268.0
+        uses: ruby/setup-ruby@ac793fdd38cc468a4dd57246fa9d0e868aba9085 # v1.270.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/codeql.yml

@@ -4,7 +4,6 @@ on:
   push:
     branches: [main, releases/v*]
   pull_request:
-    branches: [main, releases/v*]
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]

.github/workflows/codescanning-config-cli.yml

@@ -70,13 +70,33 @@ jobs:
       with:
         version: ${{ matrix.version }}
 
-    - name: Empty file
+    # On PRs, overlay analysis may change the config that is passed to the CLI.
+    # Therefore, we have two variants of the following test, one for PRs and one for other events.
+    - name: Empty file (non-PR)
+      if: github.event_name != 'pull_request'
       uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: "{}"
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
+    - name: Empty file (PR)
+      if: github.event_name == 'pull_request'
+      uses: ./../action/.github/actions/check-codescanning-config
+      with:
+        expected-config-file-contents: |
+          {
+            "query-filters": [
+              {
+                "exclude": {
+                  "tags": "exclude-from-incremental"
+                }
+              }
+            ]
+          }
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+
     - name: Packs from input
       if: success() || failure()
       uses: ./../action/.github/actions/check-codescanning-config

.github/workflows/debug-artifacts-failure-safe.yml

@@ -83,7 +83,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
       - name: Check expected artifacts exist
         run: |
           LANGUAGES="cpp csharp go java javascript python"

.github/workflows/debug-artifacts-safe.yml

@@ -77,7 +77,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
       - name: Check expected artifacts exist
         run: |
           VERSIONS="stable-v2.20.3 default linked nightly-latest"

.github/workflows/post-release-mergeback.yml

@@ -142,7 +142,7 @@ jobs:
           token: "${{ secrets.GITHUB_TOKEN }}"
 
       - name: Generate token
-        uses: actions/create-github-app-token@v2.2.0
+        uses: actions/create-github-app-token@v2.2.1
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/rollback-release.yml

@@ -137,7 +137,7 @@ jobs:
 
       - name: Generate token
         if: github.event_name == 'workflow_dispatch'
-        uses: actions/create-github-app-token@v2.2.0
+        uses: actions/create-github-app-token@v2.2.1
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/update-release-branch.yml

@@ -93,7 +93,7 @@ jobs:
       pull-requests: write # needed to create pull request
     steps:
     - name: Generate token
-      uses: actions/create-github-app-token@v2.2.0
+      uses: actions/create-github-app-token@v2.2.1
       id: app-token
       with:
         app-id: ${{ vars.AUTOMATION_APP_ID }}

CHANGELOG.md

@@ -6,6 +6,18 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 No user facing changes.
 
+## 4.31.8 - 11 Dec 2025
+
+- Update default CodeQL bundle version to 2.23.8. [#3354](https://github.com/github/codeql-action/pull/3354)
+
+## 4.31.7 - 05 Dec 2025
+
+- Update default CodeQL bundle version to 2.23.7. [#3343](https://github.com/github/codeql-action/pull/3343)
+
+## 4.31.6 - 01 Dec 2025
+
+No user facing changes.
+
 ## 4.31.5 - 24 Nov 2025
 
 - Update default CodeQL bundle version to 2.23.6. [#3321](https://github.com/github/codeql-action/pull/3321)

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.6",
-  "cliVersion": "2.23.6",
-  "priorBundleVersion": "codeql-bundle-v2.23.5",
-  "priorCliVersion": "2.23.5"
+  "bundleVersion": "codeql-bundle-v2.23.8",
+  "cliVersion": "2.23.8",
+  "priorBundleVersion": "codeql-bundle-v2.23.7",
+  "priorCliVersion": "2.23.7"
 }

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "4.31.6",
+  "version": "4.31.9",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "4.31.6",
+      "version": "4.31.9",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^4.0.0",
@@ -28,14 +28,14 @@
         "js-yaml": "^4.1.1",
         "jsonschema": "1.4.1",
         "long": "^5.3.2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.3",
         "semver": "^7.7.3",
         "uuid": "^13.0.0"
       },
       "devDependencies": {
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^2.0.0",
-        "@eslint/eslintrc": "^3.3.1",
+        "@eslint/eslintrc": "^3.3.3",
         "@eslint/js": "^9.39.1",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^16.0.0",
@@ -46,16 +46,16 @@
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^21.0.0",
-        "@typescript-eslint/eslint-plugin": "^8.46.4",
-        "@typescript-eslint/parser": "^8.41.0",
+        "@typescript-eslint/eslint-plugin": "^8.48.1",
+        "@typescript-eslint/parser": "^8.48.0",
         "ava": "^6.4.1",
-        "esbuild": "^0.27.0",
+        "esbuild": "^0.27.1",
         "eslint": "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
         "eslint-plugin-github": "^5.1.8",
         "eslint-plugin-import": "2.29.1",
-        "eslint-plugin-jsdoc": "^61.2.1",
+        "eslint-plugin-jsdoc": "^61.5.0",
         "eslint-plugin-no-async-foreach": "^0.1.1",
         "glob": "^11.1.0",
         "nock": "^14.0.10",
@@ -947,9 +947,9 @@
       }
     },
     "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.0.tgz",
-      "integrity": "sha512-KuZrd2hRjz01y5JK9mEBSD3Vj3mbCvemhT466rSuJYeE/hjuBrHfjjcjMdTm/sz7au+++sdbJZJmuBwQLuw68A==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.1.tgz",
+      "integrity": "sha512-HHB50pdsBX6k47S4u5g/CaLjqS3qwaOVE5ILsq64jyzgMhLuCuZ8rGzM9yhsAjfjkbgUPMzZEPa7DAp7yz6vuA==",
       "cpu": [
         "ppc64"
       ],
@@ -964,9 +964,9 @@
       }
     },
     "node_modules/@esbuild/android-arm": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.0.tgz",
-      "integrity": "sha512-j67aezrPNYWJEOHUNLPj9maeJte7uSMM6gMoxfPC9hOg8N02JuQi/T7ewumf4tNvJadFkvLZMlAq73b9uwdMyQ==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.1.tgz",
+      "integrity": "sha512-kFqa6/UcaTbGm/NncN9kzVOODjhZW8e+FRdSeypWe6j33gzclHtwlANs26JrupOntlcWmB0u8+8HZo8s7thHvg==",
       "cpu": [
         "arm"
       ],
@@ -981,9 +981,9 @@
       }
     },
     "node_modules/@esbuild/android-arm64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.0.tgz",
-      "integrity": "sha512-CC3vt4+1xZrs97/PKDkl0yN7w8edvU2vZvAFGD16n9F0Cvniy5qvzRXjfO1l94efczkkQE6g1x0i73Qf5uthOQ==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.1.tgz",
+      "integrity": "sha512-45fuKmAJpxnQWixOGCrS+ro4Uvb4Re9+UTieUY2f8AEc+t7d4AaZ6eUJ3Hva7dtrxAAWHtlEFsXFMAgNnGU9uQ==",
       "cpu": [
         "arm64"
       ],
@@ -998,9 +998,9 @@
       }
     },
     "node_modules/@esbuild/android-x64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.0.tgz",
-      "integrity": "sha512-wurMkF1nmQajBO1+0CJmcN17U4BP6GqNSROP8t0X/Jiw2ltYGLHpEksp9MpoBqkrFR3kv2/te6Sha26k3+yZ9Q==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.1.tgz",
+      "integrity": "sha512-LBEpOz0BsgMEeHgenf5aqmn/lLNTFXVfoWMUox8CtWWYK9X4jmQzWjoGoNb8lmAYml/tQ/Ysvm8q7szu7BoxRQ==",
       "cpu": [
         "x64"
       ],
@@ -1015,9 +1015,9 @@
       }
     },
     "node_modules/@esbuild/darwin-arm64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.0.tgz",
-      "integrity": "sha512-uJOQKYCcHhg07DL7i8MzjvS2LaP7W7Pn/7uA0B5S1EnqAirJtbyw4yC5jQ5qcFjHK9l6o/MX9QisBg12kNkdHg==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.1.tgz",
+      "integrity": "sha512-veg7fL8eMSCVKL7IW4pxb54QERtedFDfY/ASrumK/SbFsXnRazxY4YykN/THYqFnFwJ0aVjiUrVG2PwcdAEqQQ==",
       "cpu": [
         "arm64"
       ],
@@ -1032,9 +1032,9 @@
       }
     },
     "node_modules/@esbuild/darwin-x64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.0.tgz",
-      "integrity": "sha512-8mG6arH3yB/4ZXiEnXof5MK72dE6zM9cDvUcPtxhUZsDjESl9JipZYW60C3JGreKCEP+p8P/72r69m4AZGJd5g==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.1.tgz",
+      "integrity": "sha512-+3ELd+nTzhfWb07Vol7EZ+5PTbJ/u74nC6iv4/lwIU99Ip5uuY6QoIf0Hn4m2HoV0qcnRivN3KSqc+FyCHjoVQ==",
       "cpu": [
         "x64"
       ],
@@ -1049,9 +1049,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.0.tgz",
-      "integrity": "sha512-9FHtyO988CwNMMOE3YIeci+UV+x5Zy8fI2qHNpsEtSF83YPBmE8UWmfYAQg6Ux7Gsmd4FejZqnEUZCMGaNQHQw==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.1.tgz",
+      "integrity": "sha512-/8Rfgns4XD9XOSXlzUDepG8PX+AVWHliYlUkFI3K3GB6tqbdjYqdhcb4BKRd7C0BhZSoaCxhv8kTcBrcZWP+xg==",
       "cpu": [
         "arm64"
       ],
@@ -1066,9 +1066,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-x64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.0.tgz",
-      "integrity": "sha512-zCMeMXI4HS/tXvJz8vWGexpZj2YVtRAihHLk1imZj4efx1BQzN76YFeKqlDr3bUWI26wHwLWPd3rwh6pe4EV7g==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.1.tgz",
+      "integrity": "sha512-GITpD8dK9C+r+5yRT/UKVT36h/DQLOHdwGVwwoHidlnA168oD3uxA878XloXebK4Ul3gDBBIvEdL7go9gCUFzQ==",
       "cpu": [
         "x64"
       ],
@@ -1083,9 +1083,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.0.tgz",
-      "integrity": "sha512-t76XLQDpxgmq2cNXKTVEB7O7YMb42atj2Re2Haf45HkaUpjM2J0UuJZDuaGbPbamzZ7bawyGFUkodL+zcE+jvQ==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.1.tgz",
+      "integrity": "sha512-ieMID0JRZY/ZeCrsFQ3Y3NlHNCqIhTprJfDgSB3/lv5jJZ8FX3hqPyXWhe+gvS5ARMBJ242PM+VNz/ctNj//eA==",
       "cpu": [
         "arm"
       ],
@@ -1100,9 +1100,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.0.tgz",
-      "integrity": "sha512-AS18v0V+vZiLJyi/4LphvBE+OIX682Pu7ZYNsdUHyUKSoRwdnOsMf6FDekwoAFKej14WAkOef3zAORJgAtXnlQ==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.1.tgz",
+      "integrity": "sha512-W9//kCrh/6in9rWIBdKaMtuTTzNj6jSeG/haWBADqLLa9P8O5YSRDzgD5y9QBok4AYlzS6ARHifAb75V6G670Q==",
       "cpu": [
         "arm64"
       ],
@@ -1117,9 +1117,9 @@
       }
     },
     "node_modules/@esbuild/linux-ia32": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.0.tgz",
-      "integrity": "sha512-Mz1jxqm/kfgKkc/KLHC5qIujMvnnarD9ra1cEcrs7qshTUSksPihGrWHVG5+osAIQ68577Zpww7SGapmzSt4Nw==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.1.tgz",
+      "integrity": "sha512-VIUV4z8GD8rtSVMfAj1aXFahsi/+tcoXXNYmXgzISL+KB381vbSTNdeZHHHIYqFyXcoEhu9n5cT+05tRv13rlw==",
       "cpu": [
         "ia32"
       ],
@@ -1134,9 +1134,9 @@
       }
     },
     "node_modules/@esbuild/linux-loong64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.0.tgz",
-      "integrity": "sha512-QbEREjdJeIreIAbdG2hLU1yXm1uu+LTdzoq1KCo4G4pFOLlvIspBm36QrQOar9LFduavoWX2msNFAAAY9j4BDg==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.1.tgz",
+      "integrity": "sha512-l4rfiiJRN7sTNI//ff65zJ9z8U+k6zcCg0LALU5iEWzY+a1mVZ8iWC1k5EsNKThZ7XCQ6YWtsZ8EWYm7r1UEsg==",
       "cpu": [
         "loong64"
       ],
@@ -1151,9 +1151,9 @@
       }
     },
     "node_modules/@esbuild/linux-mips64el": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.0.tgz",
-      "integrity": "sha512-sJz3zRNe4tO2wxvDpH/HYJilb6+2YJxo/ZNbVdtFiKDufzWq4JmKAiHy9iGoLjAV7r/W32VgaHGkk35cUXlNOg==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.1.tgz",
+      "integrity": "sha512-U0bEuAOLvO/DWFdygTHWY8C067FXz+UbzKgxYhXC0fDieFa0kDIra1FAhsAARRJbvEyso8aAqvPdNxzWuStBnA==",
       "cpu": [
         "mips64el"
       ],
@@ -1168,9 +1168,9 @@
       }
     },
     "node_modules/@esbuild/linux-ppc64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.0.tgz",
-      "integrity": "sha512-z9N10FBD0DCS2dmSABDBb5TLAyF1/ydVb+N4pi88T45efQ/w4ohr/F/QYCkxDPnkhkp6AIpIcQKQ8F0ANoA2JA==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.1.tgz",
+      "integrity": "sha512-NzdQ/Xwu6vPSf/GkdmRNsOfIeSGnh7muundsWItmBsVpMoNPVpM61qNzAVY3pZ1glzzAxLR40UyYM23eaDDbYQ==",
       "cpu": [
         "ppc64"
       ],
@@ -1185,9 +1185,9 @@
       }
     },
     "node_modules/@esbuild/linux-riscv64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.0.tgz",
-      "integrity": "sha512-pQdyAIZ0BWIC5GyvVFn5awDiO14TkT/19FTmFcPdDec94KJ1uZcmFs21Fo8auMXzD4Tt+diXu1LW1gHus9fhFQ==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.1.tgz",
+      "integrity": "sha512-7zlw8p3IApcsN7mFw0O1Z1PyEk6PlKMu18roImfl3iQHTnr/yAfYv6s4hXPidbDoI2Q0pW+5xeoM4eTCC0UdrQ==",
       "cpu": [
         "riscv64"
       ],
@@ -1202,9 +1202,9 @@
       }
     },
     "node_modules/@esbuild/linux-s390x": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.0.tgz",
-      "integrity": "sha512-hPlRWR4eIDDEci953RI1BLZitgi5uqcsjKMxwYfmi4LcwyWo2IcRP+lThVnKjNtk90pLS8nKdroXYOqW+QQH+w==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.1.tgz",
+      "integrity": "sha512-cGj5wli+G+nkVQdZo3+7FDKC25Uh4ZVwOAK6A06Hsvgr8WqBBuOy/1s+PUEd/6Je+vjfm6stX0kmib5b/O2Ykw==",
       "cpu": [
         "s390x"
       ],
@@ -1219,9 +1219,9 @@
       }
     },
     "node_modules/@esbuild/linux-x64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.0.tgz",
-      "integrity": "sha512-1hBWx4OUJE2cab++aVZ7pObD6s+DK4mPGpemtnAORBvb5l/g5xFGk0vc0PjSkrDs0XaXj9yyob3d14XqvnQ4gw==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.1.tgz",
+      "integrity": "sha512-z3H/HYI9MM0HTv3hQZ81f+AKb+yEoCRlUby1F80vbQ5XdzEMyY/9iNlAmhqiBKw4MJXwfgsh7ERGEOhrM1niMA==",
       "cpu": [
         "x64"
       ],
@@ -1236,9 +1236,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.0.tgz",
-      "integrity": "sha512-6m0sfQfxfQfy1qRuecMkJlf1cIzTOgyaeXaiVaaki8/v+WB+U4hc6ik15ZW6TAllRlg/WuQXxWj1jx6C+dfy3w==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.1.tgz",
+      "integrity": "sha512-wzC24DxAvk8Em01YmVXyjl96Mr+ecTPyOuADAvjGg+fyBpGmxmcr2E5ttf7Im8D0sXZihpxzO1isus8MdjMCXQ==",
       "cpu": [
         "arm64"
       ],
@@ -1253,9 +1253,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-x64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.0.tgz",
-      "integrity": "sha512-xbbOdfn06FtcJ9d0ShxxvSn2iUsGd/lgPIO2V3VZIPDbEaIj1/3nBBe1AwuEZKXVXkMmpr6LUAgMkLD/4D2PPA==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.1.tgz",
+      "integrity": "sha512-1YQ8ybGi2yIXswu6eNzJsrYIGFpnlzEWRl6iR5gMgmsrR0FcNoV1m9k9sc3PuP5rUBLshOZylc9nqSgymI+TYg==",
       "cpu": [
         "x64"
       ],
@@ -1270,9 +1270,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.0.tgz",
-      "integrity": "sha512-fWgqR8uNbCQ/GGv0yhzttj6sU/9Z5/Sv/VGU3F5OuXK6J6SlriONKrQ7tNlwBrJZXRYk5jUhuWvF7GYzGguBZQ==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.1.tgz",
+      "integrity": "sha512-5Z+DzLCrq5wmU7RDaMDe2DVXMRm2tTDvX2KU14JJVBN2CT/qov7XVix85QoJqHltpvAOZUAc3ndU56HSMWrv8g==",
       "cpu": [
         "arm64"
       ],
@@ -1287,9 +1287,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-x64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.0.tgz",
-      "integrity": "sha512-aCwlRdSNMNxkGGqQajMUza6uXzR/U0dIl1QmLjPtRbLOx3Gy3otfFu/VjATy4yQzo9yFDGTxYDo1FfAD9oRD2A==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.1.tgz",
+      "integrity": "sha512-Q73ENzIdPF5jap4wqLtsfh8YbYSZ8Q0wnxplOlZUOyZy7B4ZKW8DXGWgTCZmF8VWD7Tciwv5F4NsRf6vYlZtqg==",
       "cpu": [
         "x64"
       ],
@@ -1304,9 +1304,9 @@
       }
     },
     "node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.0.tgz",
-      "integrity": "sha512-nyvsBccxNAsNYz2jVFYwEGuRRomqZ149A39SHWk4hV0jWxKM0hjBPm3AmdxcbHiFLbBSwG6SbpIcUbXjgyECfA==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.1.tgz",
+      "integrity": "sha512-ajbHrGM/XiK+sXM0JzEbJAen+0E+JMQZ2l4RR4VFwvV9JEERx+oxtgkpoKv1SevhjavK2z2ReHk32pjzktWbGg==",
       "cpu": [
         "arm64"
       ],
@@ -1321,9 +1321,9 @@
       }
     },
     "node_modules/@esbuild/sunos-x64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.0.tgz",
-      "integrity": "sha512-Q1KY1iJafM+UX6CFEL+F4HRTgygmEW568YMqDA5UV97AuZSm21b7SXIrRJDwXWPzr8MGr75fUZPV67FdtMHlHA==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.1.tgz",
+      "integrity": "sha512-IPUW+y4VIjuDVn+OMzHc5FV4GubIwPnsz6ubkvN8cuhEqH81NovB53IUlrlBkPMEPxvNnf79MGBoz8rZ2iW8HA==",
       "cpu": [
         "x64"
       ],
@@ -1338,9 +1338,9 @@
       }
     },
     "node_modules/@esbuild/win32-arm64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.0.tgz",
-      "integrity": "sha512-W1eyGNi6d+8kOmZIwi/EDjrL9nxQIQ0MiGqe/AWc6+IaHloxHSGoeRgDRKHFISThLmsewZ5nHFvGFWdBYlgKPg==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.1.tgz",
+      "integrity": "sha512-RIVRWiljWA6CdVu8zkWcRmGP7iRRIIwvhDKem8UMBjPql2TXM5PkDVvvrzMtj1V+WFPB4K7zkIGM7VzRtFkjdg==",
       "cpu": [
         "arm64"
       ],
@@ -1355,9 +1355,9 @@
       }
     },
     "node_modules/@esbuild/win32-ia32": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.0.tgz",
-      "integrity": "sha512-30z1aKL9h22kQhilnYkORFYt+3wp7yZsHWus+wSKAJR8JtdfI76LJ4SBdMsCopTR3z/ORqVu5L1vtnHZWVj4cQ==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.1.tgz",
+      "integrity": "sha512-2BR5M8CPbptC1AK5JbJT1fWrHLvejwZidKx3UMSF0ecHMa+smhi16drIrCEggkgviBwLYd5nwrFLSl5Kho96RQ==",
       "cpu": [
         "ia32"
       ],
@@ -1372,9 +1372,9 @@
       }
     },
     "node_modules/@esbuild/win32-x64": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.0.tgz",
-      "integrity": "sha512-aIitBcjQeyOhMTImhLZmtxfdOcuNRpwlPNmlFKPcHQYPhEssw75Cl1TSXJXpMkzaua9FUetx/4OQKq7eJul5Cg==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.1.tgz",
+      "integrity": "sha512-d5X6RMYv6taIymSk8JBP+nxv8DQAMY6A51GPgusqLdK9wBz5wWIXy1KjTck6HnjE9hqJzJRdk+1p/t5soSbCtw==",
       "cpu": [
         "x64"
       ],
@@ -1449,10 +1449,11 @@
       }
     },
     "node_modules/@eslint/eslintrc": {
-      "version": "3.3.1",
-      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.1.tgz",
-      "integrity": "sha512-gtF186CXhIl1p4pJNGZw8Yc6RlshoePRvE0X91oPGb3vZ8pM3qOS9W9NGPat9LziaBV7XrJWGylNQXkGcnM3IQ==",
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.3.tgz",
+      "integrity": "sha512-Kr+LPIUVKz2qkx1HAMH8q1q6azbqBAsXJUxBl/ODDuVPX45Z9DfwB8tPjTi6nNZ8BuM3nbJxC5zCAg5elnBUTQ==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
         "ajv": "^6.12.4",
         "debug": "^4.3.2",
@@ -1460,7 +1461,7 @@
         "globals": "^14.0.0",
         "ignore": "^5.2.0",
         "import-fresh": "^3.2.1",
-        "js-yaml": "^4.1.0",
+        "js-yaml": "^4.1.1",
         "minimatch": "^3.1.2",
         "strip-json-comments": "^3.1.1"
       },
@@ -1798,6 +1799,7 @@
       "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.2.tgz",
       "integrity": "sha512-/g2d4sW9nUDJOMz3mabVQvOGhVa4e/BN/Um7yca9Bb2XTzPPnfTWHWQg+IsEYO7M3Vx+EXvaM/I2pJWIMun1bg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@octokit/auth-token": "^4.0.0",
         "@octokit/graphql": "^7.1.0",
@@ -2369,17 +2371,17 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.46.4.tgz",
-      "integrity": "sha512-R48VhmTJqplNyDxCyqqVkFSZIx1qX6PzwqgcXn1olLrzxcSBDlOsbtcnQuQhNtnNiJ4Xe5gREI1foajYaYU2Vg==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.48.1.tgz",
+      "integrity": "sha512-X63hI1bxl5ohelzr0LY5coufyl0LJNthld+abwxpCoo6Gq+hSqhKwci7MUWkXo67mzgUK6YFByhmaHmUcuBJmA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/regexpp": "^4.10.0",
-        "@typescript-eslint/scope-manager": "8.46.4",
-        "@typescript-eslint/type-utils": "8.46.4",
-        "@typescript-eslint/utils": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4",
+        "@typescript-eslint/scope-manager": "8.48.1",
+        "@typescript-eslint/type-utils": "8.48.1",
+        "@typescript-eslint/utils": "8.48.1",
+        "@typescript-eslint/visitor-keys": "8.48.1",
         "graphemer": "^1.4.0",
         "ignore": "^7.0.0",
         "natural-compare": "^1.4.0",
@@ -2393,20 +2395,20 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "@typescript-eslint/parser": "^8.46.4",
+        "@typescript-eslint/parser": "^8.48.1",
         "eslint": "^8.57.0 || ^9.0.0",
         "typescript": ">=4.8.4 <6.0.0"
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.46.4.tgz",
-      "integrity": "sha512-tMDbLGXb1wC+McN1M6QeDx7P7c0UWO5z9CXqp7J8E+xGcJuUuevWKxuG8j41FoweS3+L41SkyKKkia16jpX7CA==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.48.1.tgz",
+      "integrity": "sha512-rj4vWQsytQbLxC5Bf4XwZ0/CKd362DkWMUkviT7DCS057SK64D5lH74sSGzhI6PDD2HCEq02xAP9cX68dYyg1w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4"
+        "@typescript-eslint/types": "8.48.1",
+        "@typescript-eslint/visitor-keys": "8.48.1"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2417,9 +2419,9 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/types": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.4.tgz",
-      "integrity": "sha512-USjyxm3gQEePdUwJBFjjGNG18xY9A2grDVGuk7/9AkjIF1L+ZrVnwR5VAU5JXtUnBL/Nwt3H31KlRDaksnM7/w==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.48.1.tgz",
+      "integrity": "sha512-+fZ3LZNeiELGmimrujsDCT4CRIbq5oXdHe7chLiW8qzqyPMnn1puNstCrMNVAqwcl2FdIxkuJ4tOs/RFDBVc/Q==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2431,21 +2433,20 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.4.tgz",
-      "integrity": "sha512-7oV2qEOr1d4NWNmpXLR35LvCfOkTNymY9oyW+lUHkmCno7aOmIf/hMaydnJBUTBMRCOGZh8YjkFOc8dadEoNGA==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.48.1.tgz",
+      "integrity": "sha512-/9wQ4PqaefTK6POVTjJaYS0bynCgzh6ClJHGSBj06XEHjkfylzB+A3qvyaXnErEZSaxhIo4YdyBgq6j4RysxDg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.46.4",
-        "@typescript-eslint/tsconfig-utils": "8.46.4",
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4",
+        "@typescript-eslint/project-service": "8.48.1",
+        "@typescript-eslint/tsconfig-utils": "8.48.1",
+        "@typescript-eslint/types": "8.48.1",
+        "@typescript-eslint/visitor-keys": "8.48.1",
         "debug": "^4.3.4",
-        "fast-glob": "^3.3.2",
-        "is-glob": "^4.0.3",
         "minimatch": "^9.0.4",
         "semver": "^7.6.0",
+        "tinyglobby": "^0.2.15",
         "ts-api-utils": "^2.1.0"
       },
       "engines": {
@@ -2460,16 +2461,16 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/utils": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.46.4.tgz",
-      "integrity": "sha512-AbSv11fklGXV6T28dp2Me04Uw90R2iJ30g2bgLz529Koehrmkbs1r7paFqr1vPCZi7hHwYxYtxfyQMRC8QaVSg==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.48.1.tgz",
+      "integrity": "sha512-fAnhLrDjiVfey5wwFRwrweyRlCmdz5ZxXz2G/4cLn0YDLjTapmN4gcCsTBR1N2rWnZSDeWpYtgLDsJt+FpmcwA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.7.0",
-        "@typescript-eslint/scope-manager": "8.46.4",
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/typescript-estree": "8.46.4"
+        "@typescript-eslint/scope-manager": "8.48.1",
+        "@typescript-eslint/types": "8.48.1",
+        "@typescript-eslint/typescript-estree": "8.48.1"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2484,13 +2485,13 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.46.4.tgz",
-      "integrity": "sha512-/++5CYLQqsO9HFGLI7APrxBJYo+5OCMpViuhV8q5/Qa3o5mMrF//eQHks+PXcsAVaLdn817fMuS7zqoXNNZGaw==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.48.1.tgz",
+      "integrity": "sha512-BmxxndzEWhE4TIEEMBs8lP3MBWN3jFPs/p6gPm/wkv02o41hI6cq9AuSmGAaTTHPtA1FTi2jBre4A9rm5ZmX+Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
+        "@typescript-eslint/types": "8.48.1",
         "eslint-visitor-keys": "^4.2.1"
       },
       "engines": {
@@ -2563,16 +2564,17 @@
       }
     },
     "node_modules/@typescript-eslint/parser": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.46.4.tgz",
-      "integrity": "sha512-tK3GPFWbirvNgsNKto+UmB/cRtn6TZfyw0D6IKrW55n6Vbs7KJoZtI//kpTKzE/DUmmnAFD8/Ca46s7Obs92/w==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.48.1.tgz",
+      "integrity": "sha512-PC0PDZfJg8sP7cmKe6L3QIL8GZwU5aRvUFedqSIpw3B+QjRSUZeeITC2M5XKeMXEzL6wccN196iy3JLwKNvDVA==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
-        "@typescript-eslint/scope-manager": "8.46.4",
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/typescript-estree": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4",
+        "@typescript-eslint/scope-manager": "8.48.1",
+        "@typescript-eslint/types": "8.48.1",
+        "@typescript-eslint/typescript-estree": "8.48.1",
+        "@typescript-eslint/visitor-keys": "8.48.1",
         "debug": "^4.3.4"
       },
       "engines": {
@@ -2588,14 +2590,14 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.46.4.tgz",
-      "integrity": "sha512-tMDbLGXb1wC+McN1M6QeDx7P7c0UWO5z9CXqp7J8E+xGcJuUuevWKxuG8j41FoweS3+L41SkyKKkia16jpX7CA==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.48.1.tgz",
+      "integrity": "sha512-rj4vWQsytQbLxC5Bf4XwZ0/CKd362DkWMUkviT7DCS057SK64D5lH74sSGzhI6PDD2HCEq02xAP9cX68dYyg1w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4"
+        "@typescript-eslint/types": "8.48.1",
+        "@typescript-eslint/visitor-keys": "8.48.1"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2606,9 +2608,9 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/types": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.4.tgz",
-      "integrity": "sha512-USjyxm3gQEePdUwJBFjjGNG18xY9A2grDVGuk7/9AkjIF1L+ZrVnwR5VAU5JXtUnBL/Nwt3H31KlRDaksnM7/w==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.48.1.tgz",
+      "integrity": "sha512-+fZ3LZNeiELGmimrujsDCT4CRIbq5oXdHe7chLiW8qzqyPMnn1puNstCrMNVAqwcl2FdIxkuJ4tOs/RFDBVc/Q==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2620,21 +2622,20 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.4.tgz",
-      "integrity": "sha512-7oV2qEOr1d4NWNmpXLR35LvCfOkTNymY9oyW+lUHkmCno7aOmIf/hMaydnJBUTBMRCOGZh8YjkFOc8dadEoNGA==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.48.1.tgz",
+      "integrity": "sha512-/9wQ4PqaefTK6POVTjJaYS0bynCgzh6ClJHGSBj06XEHjkfylzB+A3qvyaXnErEZSaxhIo4YdyBgq6j4RysxDg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.46.4",
-        "@typescript-eslint/tsconfig-utils": "8.46.4",
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4",
+        "@typescript-eslint/project-service": "8.48.1",
+        "@typescript-eslint/tsconfig-utils": "8.48.1",
+        "@typescript-eslint/types": "8.48.1",
+        "@typescript-eslint/visitor-keys": "8.48.1",
         "debug": "^4.3.4",
-        "fast-glob": "^3.3.2",
-        "is-glob": "^4.0.3",
         "minimatch": "^9.0.4",
         "semver": "^7.6.0",
+        "tinyglobby": "^0.2.15",
         "ts-api-utils": "^2.1.0"
       },
       "engines": {
@@ -2649,13 +2650,13 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.46.4.tgz",
-      "integrity": "sha512-/++5CYLQqsO9HFGLI7APrxBJYo+5OCMpViuhV8q5/Qa3o5mMrF//eQHks+PXcsAVaLdn817fMuS7zqoXNNZGaw==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.48.1.tgz",
+      "integrity": "sha512-BmxxndzEWhE4TIEEMBs8lP3MBWN3jFPs/p6gPm/wkv02o41hI6cq9AuSmGAaTTHPtA1FTi2jBre4A9rm5ZmX+Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
+        "@typescript-eslint/types": "8.48.1",
         "eslint-visitor-keys": "^4.2.1"
       },
       "engines": {
@@ -2719,14 +2720,14 @@
       }
     },
     "node_modules/@typescript-eslint/project-service": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.46.4.tgz",
-      "integrity": "sha512-nPiRSKuvtTN+no/2N1kt2tUh/HoFzeEgOm9fQ6XQk4/ApGqjx0zFIIaLJ6wooR1HIoozvj2j6vTi/1fgAz7UYQ==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.48.1.tgz",
+      "integrity": "sha512-HQWSicah4s9z2/HifRPQ6b6R7G+SBx64JlFQpgSSHWPKdvCZX57XCbszg/bapbRsOEv42q5tayTYcEFpACcX1w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.46.4",
-        "@typescript-eslint/types": "^8.46.4",
+        "@typescript-eslint/tsconfig-utils": "^8.48.1",
+        "@typescript-eslint/types": "^8.48.1",
         "debug": "^4.3.4"
       },
       "engines": {
@@ -2741,9 +2742,9 @@
       }
     },
     "node_modules/@typescript-eslint/project-service/node_modules/@typescript-eslint/types": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.4.tgz",
-      "integrity": "sha512-USjyxm3gQEePdUwJBFjjGNG18xY9A2grDVGuk7/9AkjIF1L+ZrVnwR5VAU5JXtUnBL/Nwt3H31KlRDaksnM7/w==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.48.1.tgz",
+      "integrity": "sha512-+fZ3LZNeiELGmimrujsDCT4CRIbq5oXdHe7chLiW8qzqyPMnn1puNstCrMNVAqwcl2FdIxkuJ4tOs/RFDBVc/Q==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2773,9 +2774,9 @@
       }
     },
     "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.46.4.tgz",
-      "integrity": "sha512-+/XqaZPIAk6Cjg7NWgSGe27X4zMGqrFqZ8atJsX3CWxH/jACqWnrWI68h7nHQld0y+k9eTTjb9r+KU4twLoo9A==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.48.1.tgz",
+      "integrity": "sha512-k0Jhs4CpEffIBm6wPaCXBAD7jxBtrHjrSgtfCjUvPp9AZ78lXKdTR8fxyZO5y4vWNlOvYXRtngSZNSn+H53Jkw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2790,15 +2791,15 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.46.4.tgz",
-      "integrity": "sha512-V4QC8h3fdT5Wro6vANk6eojqfbv5bpwHuMsBcJUJkqs2z5XnYhJzyz9Y02eUmF9u3PgXEUiOt4w4KHR3P+z0PQ==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.48.1.tgz",
+      "integrity": "sha512-1jEop81a3LrJQLTf/1VfPQdhIY4PlGDBc/i67EVWObrtvcziysbLN3oReexHOM6N3jyXgCrkBsZpqwH0hiDOQg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/typescript-estree": "8.46.4",
-        "@typescript-eslint/utils": "8.46.4",
+        "@typescript-eslint/types": "8.48.1",
+        "@typescript-eslint/typescript-estree": "8.48.1",
+        "@typescript-eslint/utils": "8.48.1",
         "debug": "^4.3.4",
         "ts-api-utils": "^2.1.0"
       },
@@ -2815,14 +2816,14 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.46.4.tgz",
-      "integrity": "sha512-tMDbLGXb1wC+McN1M6QeDx7P7c0UWO5z9CXqp7J8E+xGcJuUuevWKxuG8j41FoweS3+L41SkyKKkia16jpX7CA==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.48.1.tgz",
+      "integrity": "sha512-rj4vWQsytQbLxC5Bf4XwZ0/CKd362DkWMUkviT7DCS057SK64D5lH74sSGzhI6PDD2HCEq02xAP9cX68dYyg1w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4"
+        "@typescript-eslint/types": "8.48.1",
+        "@typescript-eslint/visitor-keys": "8.48.1"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2833,9 +2834,9 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/types": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.4.tgz",
-      "integrity": "sha512-USjyxm3gQEePdUwJBFjjGNG18xY9A2grDVGuk7/9AkjIF1L+ZrVnwR5VAU5JXtUnBL/Nwt3H31KlRDaksnM7/w==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.48.1.tgz",
+      "integrity": "sha512-+fZ3LZNeiELGmimrujsDCT4CRIbq5oXdHe7chLiW8qzqyPMnn1puNstCrMNVAqwcl2FdIxkuJ4tOs/RFDBVc/Q==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2847,21 +2848,20 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.4.tgz",
-      "integrity": "sha512-7oV2qEOr1d4NWNmpXLR35LvCfOkTNymY9oyW+lUHkmCno7aOmIf/hMaydnJBUTBMRCOGZh8YjkFOc8dadEoNGA==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.48.1.tgz",
+      "integrity": "sha512-/9wQ4PqaefTK6POVTjJaYS0bynCgzh6ClJHGSBj06XEHjkfylzB+A3qvyaXnErEZSaxhIo4YdyBgq6j4RysxDg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.46.4",
-        "@typescript-eslint/tsconfig-utils": "8.46.4",
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/visitor-keys": "8.46.4",
+        "@typescript-eslint/project-service": "8.48.1",
+        "@typescript-eslint/tsconfig-utils": "8.48.1",
+        "@typescript-eslint/types": "8.48.1",
+        "@typescript-eslint/visitor-keys": "8.48.1",
         "debug": "^4.3.4",
-        "fast-glob": "^3.3.2",
-        "is-glob": "^4.0.3",
         "minimatch": "^9.0.4",
         "semver": "^7.6.0",
+        "tinyglobby": "^0.2.15",
         "ts-api-utils": "^2.1.0"
       },
       "engines": {
@@ -2876,16 +2876,16 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/utils": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.46.4.tgz",
-      "integrity": "sha512-AbSv11fklGXV6T28dp2Me04Uw90R2iJ30g2bgLz529Koehrmkbs1r7paFqr1vPCZi7hHwYxYtxfyQMRC8QaVSg==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.48.1.tgz",
+      "integrity": "sha512-fAnhLrDjiVfey5wwFRwrweyRlCmdz5ZxXz2G/4cLn0YDLjTapmN4gcCsTBR1N2rWnZSDeWpYtgLDsJt+FpmcwA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.7.0",
-        "@typescript-eslint/scope-manager": "8.46.4",
-        "@typescript-eslint/types": "8.46.4",
-        "@typescript-eslint/typescript-estree": "8.46.4"
+        "@typescript-eslint/scope-manager": "8.48.1",
+        "@typescript-eslint/types": "8.48.1",
+        "@typescript-eslint/typescript-estree": "8.48.1"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2900,13 +2900,13 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.46.4",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.46.4.tgz",
-      "integrity": "sha512-/++5CYLQqsO9HFGLI7APrxBJYo+5OCMpViuhV8q5/Qa3o5mMrF//eQHks+PXcsAVaLdn817fMuS7zqoXNNZGaw==",
+      "version": "8.48.1",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.48.1.tgz",
+      "integrity": "sha512-BmxxndzEWhE4TIEEMBs8lP3MBWN3jFPs/p6gPm/wkv02o41hI6cq9AuSmGAaTTHPtA1FTi2jBre4A9rm5ZmX+Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.4",
+        "@typescript-eslint/types": "8.48.1",
         "eslint-visitor-keys": "^4.2.1"
       },
       "engines": {
@@ -3164,6 +3164,7 @@
       "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
       "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
       "dev": true,
+      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -3739,6 +3740,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "caniuse-lite": "^1.0.30001669",
         "electron-to-chromium": "^1.5.41",
@@ -4528,9 +4530,9 @@
       }
     },
     "node_modules/esbuild": {
-      "version": "0.27.0",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.0.tgz",
-      "integrity": "sha512-jd0f4NHbD6cALCyGElNpGAOtWxSq46l9X/sWB0Nzd5er4Kz2YTm+Vl0qKFT9KUJvD8+fiO8AvoHhFvEatfVixA==",
+      "version": "0.27.1",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.1.tgz",
+      "integrity": "sha512-yY35KZckJJuVVPXpvjgxiCuVEJT67F6zDeVTv4rizyPrfGBUpZQsvmxnN+C371c2esD/hNMjj4tpBhuueLN7aA==",
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
@@ -4541,32 +4543,32 @@
         "node": ">=18"
       },
       "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.27.0",
-        "@esbuild/android-arm": "0.27.0",
-        "@esbuild/android-arm64": "0.27.0",
-        "@esbuild/android-x64": "0.27.0",
-        "@esbuild/darwin-arm64": "0.27.0",
-        "@esbuild/darwin-x64": "0.27.0",
-        "@esbuild/freebsd-arm64": "0.27.0",
-        "@esbuild/freebsd-x64": "0.27.0",
-        "@esbuild/linux-arm": "0.27.0",
-        "@esbuild/linux-arm64": "0.27.0",
-        "@esbuild/linux-ia32": "0.27.0",
-        "@esbuild/linux-loong64": "0.27.0",
-        "@esbuild/linux-mips64el": "0.27.0",
-        "@esbuild/linux-ppc64": "0.27.0",
-        "@esbuild/linux-riscv64": "0.27.0",
-        "@esbuild/linux-s390x": "0.27.0",
-        "@esbuild/linux-x64": "0.27.0",
-        "@esbuild/netbsd-arm64": "0.27.0",
-        "@esbuild/netbsd-x64": "0.27.0",
-        "@esbuild/openbsd-arm64": "0.27.0",
-        "@esbuild/openbsd-x64": "0.27.0",
-        "@esbuild/openharmony-arm64": "0.27.0",
-        "@esbuild/sunos-x64": "0.27.0",
-        "@esbuild/win32-arm64": "0.27.0",
-        "@esbuild/win32-ia32": "0.27.0",
-        "@esbuild/win32-x64": "0.27.0"
+        "@esbuild/aix-ppc64": "0.27.1",
+        "@esbuild/android-arm": "0.27.1",
+        "@esbuild/android-arm64": "0.27.1",
+        "@esbuild/android-x64": "0.27.1",
+        "@esbuild/darwin-arm64": "0.27.1",
+        "@esbuild/darwin-x64": "0.27.1",
+        "@esbuild/freebsd-arm64": "0.27.1",
+        "@esbuild/freebsd-x64": "0.27.1",
+        "@esbuild/linux-arm": "0.27.1",
+        "@esbuild/linux-arm64": "0.27.1",
+        "@esbuild/linux-ia32": "0.27.1",
+        "@esbuild/linux-loong64": "0.27.1",
+        "@esbuild/linux-mips64el": "0.27.1",
+        "@esbuild/linux-ppc64": "0.27.1",
+        "@esbuild/linux-riscv64": "0.27.1",
+        "@esbuild/linux-s390x": "0.27.1",
+        "@esbuild/linux-x64": "0.27.1",
+        "@esbuild/netbsd-arm64": "0.27.1",
+        "@esbuild/netbsd-x64": "0.27.1",
+        "@esbuild/openbsd-arm64": "0.27.1",
+        "@esbuild/openbsd-x64": "0.27.1",
+        "@esbuild/openharmony-arm64": "0.27.1",
+        "@esbuild/sunos-x64": "0.27.1",
+        "@esbuild/win32-arm64": "0.27.1",
+        "@esbuild/win32-ia32": "0.27.1",
+        "@esbuild/win32-x64": "0.27.1"
       }
     },
     "node_modules/escalade": {
@@ -4592,6 +4594,7 @@
       "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.57.1.tgz",
       "integrity": "sha512-ypowyDxpVSYpkXr9WPv2PAZCtNip1Mv5KTW0SCurXv/9iOpcrH9PaqUElksqEB6pChqHGDRCFTyrZlGhnLNGiA==",
       "dev": true,
+      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.2.0",
         "@eslint-community/regexpp": "^4.6.1",
@@ -4646,6 +4649,7 @@
       "version": "8.3.0",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "eslint-config-prettier": "bin/cli.js"
       },
@@ -4917,6 +4921,7 @@
       "resolved": "https://registry.npmjs.org/eslint-plugin-import/-/eslint-plugin-import-2.29.1.tgz",
       "integrity": "sha512-BbPC0cuExzhiMo4Ff1BTVwHpjjv28C5R+btTOGaCRC7UEz801up0JadwkeSk5Ued6TG34uaczuVuH6qyy5YUxw==",
       "dev": true,
+      "peer": true,
       "dependencies": {
         "array-includes": "^3.1.7",
         "array.prototype.findlastindex": "^1.2.3",
@@ -4952,9 +4957,9 @@
       }
     },
     "node_modules/eslint-plugin-jsdoc": {
-      "version": "61.2.1",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-jsdoc/-/eslint-plugin-jsdoc-61.2.1.tgz",
-      "integrity": "sha512-Htacti3dbkNm4rlp/Bk9lqhv+gi6US9jyN22yaJ42G6wbteiTbNLChQwi25jr/BN+NOzDWhZHvCDdrhX0F8dXQ==",
+      "version": "61.5.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-jsdoc/-/eslint-plugin-jsdoc-61.5.0.tgz",
+      "integrity": "sha512-PR81eOGq4S7diVnV9xzFSBE4CDENRQGP0Lckkek8AdHtbj+6Bm0cItwlFnxsLFriJHspiE3mpu8U20eODyToIg==",
       "dev": true,
       "license": "BSD-3-Clause",
       "dependencies": {
@@ -6972,9 +6977,10 @@
       }
     },
     "node_modules/node-forge": {
-      "version": "1.3.1",
-      "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz",
-      "integrity": "sha512-dPEtOeMvF9VMcYV/1Wb8CPoVAXtp6MKMlcbAt4ddqmGqUJ6fQZFXkNZNkNlfevtNkGtaSoXf/vNNNSvgrdXwtA==",
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.3.tgz",
+      "integrity": "sha512-rLvcdSyRCyouf6jcOIPe/BgwG/d7hKjzMKOas33/pHEr6gbq18IK9zV7DiPvzsz0oBJPme6qr6H6kGZuI9/DZg==",
+      "license": "(BSD-3-Clause OR GPL-2.0)",
       "engines": {
         "node": ">= 6.13.0"
       }
@@ -7351,6 +7357,7 @@
       "integrity": "sha512-G+YdqtITVZmOJje6QkXQWzl3fSfMxFwm1tjTyo9exhkmWSqC4Yhd1+lug++IlR2mvRVAxEDDWYkQdeSztajqgg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "prettier": "bin/prettier.cjs"
       },
@@ -8304,14 +8311,14 @@
       }
     },
     "node_modules/tinyglobby": {
-      "version": "0.2.12",
-      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.12.tgz",
-      "integrity": "sha512-qkf4trmKSIiMTs/E63cxH+ojC2unam7rJ0WrauAzpT3ECNTxGRMlaXxVbfxMUC/w0LaYk6jQ4y/nGR9uBO3tww==",
+      "version": "0.2.15",
+      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz",
+      "integrity": "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "fdir": "^6.4.3",
-        "picomatch": "^4.0.2"
+        "fdir": "^6.5.0",
+        "picomatch": "^4.0.3"
       },
       "engines": {
         "node": ">=12.0.0"
@@ -8321,11 +8328,14 @@
       }
     },
     "node_modules/tinyglobby/node_modules/fdir": {
-      "version": "6.4.3",
-      "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.4.3.tgz",
-      "integrity": "sha512-PMXmW2y1hDDfTSRc9gaXIuCCRpuoz3Kaz8cUelp3smouvfT632ozg2vrT6lJsHKKOF59YLbOGfAWGUcKEfRMQw==",
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
+      "integrity": "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==",
       "dev": true,
       "license": "MIT",
+      "engines": {
+        "node": ">=12.0.0"
+      },
       "peerDependencies": {
         "picomatch": "^3 || ^4"
       },
@@ -8336,11 +8346,12 @@
       }
     },
     "node_modules/tinyglobby/node_modules/picomatch": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz",
-      "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==",
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
+      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -8549,6 +8560,7 @@
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "dev": true,
       "license": "Apache-2.0",
+      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -8622,6 +8634,7 @@
       "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.17.0.tgz",
       "integrity": "sha512-Drp39TXuUlD49F7ilHHCG7TTg8IkA+hxCuULdmzWYICxGXvDXmDmWEjJYZQYgf6l/TFfYNE167m7isnc3xlIEg==",
       "dev": true,
+      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.17.0",
         "@typescript-eslint/types": "8.17.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.31.6",
+  "version": "4.31.9",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -43,14 +43,14 @@
     "js-yaml": "^4.1.1",
     "jsonschema": "1.4.1",
     "long": "^5.3.2",
-    "node-forge": "^1.3.1",
+    "node-forge": "^1.3.3",
     "semver": "^7.7.3",
     "uuid": "^13.0.0"
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",
     "@eslint/compat": "^2.0.0",
-    "@eslint/eslintrc": "^3.3.1",
+    "@eslint/eslintrc": "^3.3.3",
     "@eslint/js": "^9.39.1",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@octokit/types": "^16.0.0",
@@ -61,16 +61,16 @@
     "@types/node-forge": "^1.3.14",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^21.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.46.4",
-    "@typescript-eslint/parser": "^8.41.0",
+    "@typescript-eslint/eslint-plugin": "^8.48.1",
+    "@typescript-eslint/parser": "^8.48.0",
     "ava": "^6.4.1",
-    "esbuild": "^0.27.0",
+    "esbuild": "^0.27.1",
     "eslint": "^8.57.1",
     "eslint-import-resolver-typescript": "^3.8.7",
     "eslint-plugin-filenames": "^1.3.2",
     "eslint-plugin-github": "^5.1.8",
     "eslint-plugin-import": "2.29.1",
-    "eslint-plugin-jsdoc": "^61.2.1",
+    "eslint-plugin-jsdoc": "^61.5.0",
     "eslint-plugin-no-async-foreach": "^0.1.1",
     "glob": "^11.1.0",
     "nock": "^14.0.10",

pr-checks/checks/bundle-zstd.yml

@@ -27,7 +27,7 @@ steps:
       output: ${{ runner.temp }}/results
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
     with:
       name: ${{ matrix.os }}-zstd-bundle.sarif
       path: ${{ runner.temp }}/results/javascript.sarif

pr-checks/checks/config-export.yml

@@ -12,7 +12,7 @@ steps:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
     with:
       name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/diagnostics-export.yml

@@ -25,7 +25,7 @@ steps:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
     with:
       name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/export-file-baseline-information.yml

@@ -18,7 +18,7 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
     with:
       name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/job-run-uuid-sarif.yml

@@ -11,7 +11,7 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
   - name: Upload SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
     with:
       name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/quality-queries.yml

@@ -39,7 +39,7 @@ steps:
       post-processed-sarif-path: "${{ runner.temp }}/post-processed"
   - name: Upload security SARIF
     if: contains(matrix.analysis-kinds, 'code-scanning')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
     with:
       name: |
         quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -47,14 +47,14 @@ steps:
       retention-days: 7
   - name: Upload quality SARIF
     if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
     with:
       name: |
         quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
       path: "${{ runner.temp }}/results/javascript.quality.sarif"
       retention-days: 7
   - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@v6
     with:
       name: |
         post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json

pr-checks/checks/rubocop-multi-language.yml

@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
   - name: Set up Ruby
-    uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71 # v1.268.0
+    uses: ruby/setup-ruby@ac793fdd38cc468a4dd57246fa9d0e868aba9085 # v1.270.0
     with:
       ruby-version: 2.6
   - name: Install Code Scanning integration

pr-checks/sync.py

@@ -356,11 +356,6 @@ for collection_name in collections:
                 'GO111MODULE': 'auto'
             },
             'on': {
-                'push': {
-                    'paths': [
-                        f'.github/workflows/__{collection_name}.yml'
-                    ]
-                },
                 'workflow_dispatch': {
                     'inputs': combinedInputs
                 },

src/analyze-action-env.test.ts

@@ -74,11 +74,20 @@ test("analyze action with RAM & threads from environment variables", async (t) =
     // wait for the action promise to complete before starting verification.
     await analyzeAction.runPromise;
 
-    t.assert(runFinalizeStub.calledOnce);
-    t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
-    t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=4992");
-    t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
-    t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=4992");
+    t.assert(
+      runFinalizeStub.calledOnceWith(
+        sinon.match.any,
+        sinon.match.any,
+        "--threads=-1",
+        "--ram=4992",
+      ),
+    );
+    t.assert(
+      runQueriesStub.calledOnceWith(
+        sinon.match.any,
+        "--ram=4992",
+        "--threads=-1",
+      ),
+    );
   });
 });

src/analyze-action-input.test.ts

@@ -72,11 +72,20 @@ test("analyze action with RAM & threads from action inputs", async (t) => {
     // wait for the action promise to complete before starting verification.
     await analyzeAction.runPromise;
 
-    t.assert(runFinalizeStub.calledOnce);
-    t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
-    t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=3012");
-    t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
-    t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=3012");
+    t.assert(
+      runFinalizeStub.calledOnceWith(
+        sinon.match.any,
+        sinon.match.any,
+        "--threads=-1",
+        "--ram=3012",
+      ),
+    );
+    t.assert(
+      runQueriesStub.calledOnceWith(
+        sinon.match.any,
+        "--ram=3012",
+        "--threads=-1",
+      ),
+    );
   });
 });

src/analyze-action-post.ts

@@ -12,7 +12,10 @@ import { getGitHubVersion } from "./api-client";
 import { getCodeQL } from "./codeql";
 import { getConfig } from "./config-utils";
 import * as debugArtifacts from "./debug-artifacts";
-import { getJavaTempDependencyDir } from "./dependency-caching";
+import {
+  getCsharpTempDependencyDir,
+  getJavaTempDependencyDir,
+} from "./dependency-caching";
 import { EnvVar } from "./environment";
 import { getActionsLogger } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";
@@ -42,17 +45,22 @@ async function runWrapper() {
       }
     }
 
-    // If we analysed Java in build-mode: none, we may have downloaded dependencies
+    // If we analysed Java or C# in build-mode: none, we may have downloaded dependencies
     // to the temp directory. Clean these up so they don't persist unnecessarily
     // long on self-hosted runners.
-    const javaTempDependencyDir = getJavaTempDependencyDir();
-    if (fs.existsSync(javaTempDependencyDir)) {
-      try {
-        fs.rmSync(javaTempDependencyDir, { recursive: true });
-      } catch (error) {
-        logger.info(
-          `Failed to remove temporary Java dependencies directory: ${getErrorMessage(error)}`,
-        );
+    const tempDependencyDirs = [
+      getJavaTempDependencyDir(),
+      getCsharpTempDependencyDir(),
+    ];
+    for (const tempDependencyDir of tempDependencyDirs) {
+      if (fs.existsSync(tempDependencyDir)) {
+        try {
+          fs.rmSync(tempDependencyDir, { recursive: true });
+        } catch (error) {
+          logger.info(
+            `Failed to remove temporary dependencies directory: ${getErrorMessage(error)}`,
+          );
+        }
       }
     }
   } catch (error) {

src/analyze-action.ts

@@ -19,12 +19,7 @@ import { getApiDetails, getGitHubVersion } from "./api-client";
 import { runAutobuild } from "./autobuild";
 import { getTotalCacheSize, shouldStoreCache } from "./caching-utils";
 import { getCodeQL } from "./codeql";
-import {
-  Config,
-  getConfig,
-  isCodeQualityEnabled,
-  isCodeScanningEnabled,
-} from "./config-utils";
+import { Config, getConfig } from "./config-utils";
 import { cleanupAndUploadDatabases } from "./database-upload";
 import {
   DependencyCacheUploadStatusReport,
@@ -32,7 +27,7 @@ import {
 } from "./dependency-caching";
 import { getDiffInformedAnalysisBranches } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
-import { Feature, Features } from "./feature-flags";
+import { Features } from "./feature-flags";
 import { KnownLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
 import { cleanupAndUploadOverlayBaseDatabaseToCache } from "./overlay-database-utils";
@@ -315,6 +310,7 @@ async function run() {
     await runAutobuildIfLegacyGoWorkflow(config, logger);
 
     dbCreationTimings = await runFinalize(
+      features,
       outputDir,
       threads,
       memory,
@@ -357,46 +353,15 @@ async function run() {
       const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
       const category = actionsUtil.getOptionalInput("category");
 
-      if (await features.getValue(Feature.AnalyzeUseNewUpload)) {
-        uploadResults = await postProcessAndUploadSarif(
-          logger,
-          features,
-          uploadKind,
-          checkoutPath,
-          outputDir,
-          category,
-          actionsUtil.getOptionalInput("post-processed-sarif-path"),
-        );
-      } else if (uploadKind === "always") {
-        uploadResults = {};
-
-        if (isCodeScanningEnabled(config)) {
-          uploadResults[analyses.AnalysisKind.CodeScanning] =
-            await uploadLib.uploadFiles(
-              outputDir,
-              checkoutPath,
-              category,
-              features,
-              logger,
-              analyses.CodeScanning,
-            );
-        }
-
-        if (isCodeQualityEnabled(config)) {
-          uploadResults[analyses.AnalysisKind.CodeQuality] =
-            await uploadLib.uploadFiles(
-              outputDir,
-              checkoutPath,
-              category,
-              features,
-              logger,
-              analyses.CodeQuality,
-            );
-        }
-      } else {
-        uploadResults = {};
-        logger.info("Not uploading results");
-      }
+      uploadResults = await postProcessAndUploadSarif(
+        logger,
+        features,
+        uploadKind,
+        checkoutPath,
+        outputDir,
+        category,
+        actionsUtil.getOptionalInput("post-processed-sarif-path"),
+      );
 
       // Set the SARIF id outputs only if we have results for them, to avoid
       // having keys with empty values in the action output.

src/analyze.ts

@@ -10,7 +10,10 @@ import * as analyses from "./analyses";
 import { setupCppAutobuild } from "./autobuild";
 import { type CodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
-import { getJavaTempDependencyDir } from "./dependency-caching";
+import {
+  getCsharpTempDependencyDir,
+  getJavaTempDependencyDir,
+} from "./dependency-caching";
 import { addDiagnostic, makeDiagnostic } from "./diagnostics";
 import {
   DiffThunkRange,
@@ -98,6 +101,7 @@ async function setupPythonExtractor(logger: Logger) {
 
 export async function runExtraction(
   codeql: CodeQL,
+  features: FeatureEnablement,
   config: configUtils.Config,
   logger: Logger,
 ) {
@@ -122,7 +126,7 @@ export async function runExtraction(
           await setupCppAutobuild(codeql, logger);
         }
 
-        // The Java `build-mode: none` extractor places dependencies (.jar files) in the
+        // The Java and C# `build-mode: none` extractors place dependencies in the
         // database scratch directory by default. For dependency caching purposes, we want
         // a stable path that caches can be restored into and that we can cache at the
         // end of the workflow (i.e. that does not get removed when the scratch directory is).
@@ -133,6 +137,15 @@ export async function runExtraction(
           process.env["CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_DEPENDENCY_DIR"] =
             getJavaTempDependencyDir();
         }
+        if (
+          language === KnownLanguage.csharp &&
+          config.buildMode === BuildMode.None &&
+          (await features.getValue(Feature.CsharpCacheBuildModeNone))
+        ) {
+          process.env[
+            "CODEQL_EXTRACTOR_CSHARP_OPTION_BUILDLESS_DEPENDENCY_DIR"
+          ] = getCsharpTempDependencyDir();
+        }
 
         await codeql.extractUsingBuildMode(config, language);
       } else {
@@ -177,13 +190,14 @@ export function dbIsFinalized(
 
 async function finalizeDatabaseCreation(
   codeql: CodeQL,
+  features: FeatureEnablement,
   config: configUtils.Config,
   threadsFlag: string,
   memoryFlag: string,
   logger: Logger,
 ): Promise<DatabaseCreationTimings> {
   const extractionStart = performance.now();
-  await runExtraction(codeql, config, logger);
+  await runExtraction(codeql, features, config, logger);
   const extractionTime = performance.now() - extractionStart;
 
   const trapImportStart = performance.now();
@@ -597,6 +611,7 @@ export async function runQueries(
 }
 
 export async function runFinalize(
+  features: FeatureEnablement,
   outputDir: string,
   threadsFlag: string,
   memoryFlag: string,
@@ -615,6 +630,7 @@ export async function runFinalize(
 
   const timings = await finalizeDatabaseCreation(
     codeql,
+    features,
     config,
     threadsFlag,
     memoryFlag,

src/api-client.test.ts

@@ -95,14 +95,14 @@ test("getGitHubVersion for different domain", async (t) => {
   t.deepEqual({ type: util.GitHubVariant.DOTCOM }, v3);
 });
 
-test("getGitHubVersion for GHE_DOTCOM", async (t) => {
+test("getGitHubVersion for GHEC-DR", async (t) => {
   mockGetMetaVersionHeader("ghe.com");
   const gheDotcom = await api.getGitHubVersionFromApi(api.getApiClient(), {
     auth: "",
     url: "https://foo.ghe.com",
     apiURL: undefined,
   });
-  t.deepEqual({ type: util.GitHubVariant.GHE_DOTCOM }, gheDotcom);
+  t.deepEqual({ type: util.GitHubVariant.GHEC_DR }, gheDotcom);
 });
 
 test("wrapApiConfigurationError correctly wraps specific configuration errors", (t) => {

src/api-client.ts

@@ -125,7 +125,7 @@ export async function getGitHubVersionFromApi(
   }
 
   if (response.headers[GITHUB_ENTERPRISE_VERSION_HEADER] === "ghe.com") {
-    return { type: GitHubVariant.GHE_DOTCOM };
+    return { type: GitHubVariant.GHEC_DR };
   }
 
   const version = response.headers[GITHUB_ENTERPRISE_VERSION_HEADER] as string;

src/api-compatibility.json

@@ -1 +1 @@
-{"maximumVersion": "3.19", "minimumVersion": "3.14"}
+{"maximumVersion": "3.20", "minimumVersion": "3.14"}

src/codeql.ts

@@ -206,6 +206,7 @@ export interface CodeQL {
    * Run 'codeql resolve queries --format=startingpacks'.
    */
   resolveQueriesStartingPacks(queries: string[]): Promise<string[]>;
+  resolveDatabase(databasePath: string): Promise<ResolveDatabaseOutput>;
   /**
    * Run 'codeql github merge-results'.
    */
@@ -230,6 +231,10 @@ export interface VersionInfo {
   overlayVersion?: number;
 }
 
+export interface ResolveDatabaseOutput {
+  overlayBaseSpecifier?: string;
+}
+
 export interface ResolveLanguagesOutput {
   [language: string]: [string];
 }
@@ -493,6 +498,7 @@ export function createStubCodeQL(partialCodeql: Partial<CodeQL>): CodeQL {
       partialCodeql,
       "resolveQueriesStartingPacks",
     ),
+    resolveDatabase: resolveFunction(partialCodeql, "resolveDatabase"),
     mergeResults: resolveFunction(partialCodeql, "mergeResults"),
   };
 }
@@ -1003,6 +1009,26 @@ async function getCodeQLForCmd(
         );
       }
     },
+    async resolveDatabase(
+      databasePath: string,
+    ): Promise<ResolveDatabaseOutput> {
+      const codeqlArgs = [
+        "resolve",
+        "database",
+        databasePath,
+        "--format=json",
+        ...getExtraOptionsFromEnv(["resolve", "database"]),
+      ];
+      const output = await runCli(cmd, codeqlArgs, { noStreamStdout: true });
+
+      try {
+        return JSON.parse(output) as ResolveDatabaseOutput;
+      } catch (e) {
+        throw new Error(
+          `Unexpected output from codeql resolve database --format=json: ${e}`,
+        );
+      }
+    },
     async mergeResults(
       sarifFiles: string[],
       outputFile: string,

src/config-utils.test.ts

@@ -4,6 +4,7 @@ import * as path from "path";
 import * as github from "@actions/github";
 import test, { ExecutionContext } from "ava";
 import * as yaml from "js-yaml";
+import * as semver from "semver";
 import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
@@ -59,6 +60,7 @@ function createTestInitConfigInputs(
       dbLocation: undefined,
       configInput: undefined,
       buildModeInput: undefined,
+      ramInput: undefined,
       trapCachingEnabled: false,
       dependencyCachingEnabled: CachingKind.None,
       debugMode: false,
@@ -977,8 +979,10 @@ interface OverlayDatabaseModeTestSetup {
   languages: Language[];
   codeqlVersion: string;
   gitRoot: string | undefined;
+  gitVersion: string | undefined;
   codeScanningConfig: configUtils.UserConfig;
   diskUsage: DiskUsage | undefined;
+  memoryFlagValue: number;
 }
 
 const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
@@ -990,11 +994,13 @@ const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
   languages: [KnownLanguage.javascript],
   codeqlVersion: CODEQL_OVERLAY_MINIMUM_VERSION,
   gitRoot: "/some/git/root",
+  gitVersion: "2.40.0", // Default to a version that supports overlay analysis
   codeScanningConfig: {},
   diskUsage: {
     numAvailableBytes: 50_000_000_000,
     numTotalBytes: 100_000_000_000,
   },
+  memoryFlagValue: 6920,
 };
 
 const getOverlayDatabaseModeMacro = test.macro({
@@ -1037,6 +1043,8 @@ const getOverlayDatabaseModeMacro = test.macro({
           .stub(actionsUtil, "isAnalyzingPullRequest")
           .returns(setup.isPullRequest);
 
+        sinon.stub(util, "getCodeQLMemoryLimit").returns(setup.memoryFlagValue);
+
         // Set up CodeQL mock
         const codeql = mockCodeQLVersion(setup.codeqlVersion);
 
@@ -1052,6 +1060,19 @@ const getOverlayDatabaseModeMacro = test.macro({
           sinon.stub(gitUtils, "getGitRoot").resolves(setup.gitRoot);
         }
 
+        // Mock git version detection - stub gitVersionAtLeast directly
+        // since internal calls to getGitVersion won't be stubbed
+        if (setup.gitVersion !== undefined) {
+          sinon
+            .stub(gitUtils, "gitVersionAtLeast")
+            .callsFake(async (requiredVersion: string) => {
+              return semver.gte(setup.gitVersion!, requiredVersion);
+            });
+        } else {
+          // When git version is undefined, gitVersionAtLeast should return false
+          sinon.stub(gitUtils, "gitVersionAtLeast").resolves(false);
+        }
+
         // Mock default branch detection
         sinon
           .stub(gitUtils, "isAnalyzingDefaultBranch")
@@ -1063,6 +1084,7 @@ const getOverlayDatabaseModeMacro = test.macro({
           setup.languages,
           tempDir, // sourceRoot
           setup.buildMode,
+          undefined,
           setup.codeScanningConfig,
           logger,
         );
@@ -1225,6 +1247,65 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "Overlay-base database on default branch if runner disk space is too low and skip resource checks flag is enabled",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+      Feature.OverlayAnalysisSkipResourceChecks,
+    ],
+    isDefaultBranch: true,
+    diskUsage: {
+      numAvailableBytes: 1_000_000_000,
+      numTotalBytes: 100_000_000_000,
+    },
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.OverlayBase,
+    useOverlayDatabaseCaching: true,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "No overlay-base database on default branch if memory flag is too low",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    isDefaultBranch: true,
+    memoryFlagValue: 3072,
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "Overlay-base database on default branch if memory flag is too low and skip resource checks flag is enabled",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+      Feature.OverlayAnalysisSkipResourceChecks,
+    ],
+    isDefaultBranch: true,
+    memoryFlagValue: 3072,
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.OverlayBase,
+    useOverlayDatabaseCaching: true,
+  },
+);
+
 test(
   getOverlayDatabaseModeMacro,
   "No overlay-base database on default branch when code-scanning feature enabled with disable-default-queries",
@@ -1416,6 +1497,28 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "Overlay analysis on PR if runner disk space is too low and skip resource checks flag is enabled",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+      Feature.OverlayAnalysisSkipResourceChecks,
+    ],
+    isPullRequest: true,
+    diskUsage: {
+      numAvailableBytes: 1_000_000_000,
+      numTotalBytes: 100_000_000_000,
+    },
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
+    useOverlayDatabaseCaching: true,
+  },
+);
+
 test(
   getOverlayDatabaseModeMacro,
   "No overlay analysis on PR if we can't determine runner disk space",
@@ -1434,6 +1537,43 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "No overlay analysis on PR if memory flag is too low",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+    ],
+    isPullRequest: true,
+    memoryFlagValue: 3072,
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "Overlay analysis on PR if memory flag is too low and skip resource checks flag is enabled",
+  {
+    languages: [KnownLanguage.javascript],
+    features: [
+      Feature.OverlayAnalysis,
+      Feature.OverlayAnalysisCodeScanningJavascript,
+      Feature.OverlayAnalysisSkipResourceChecks,
+    ],
+    isPullRequest: true,
+    memoryFlagValue: 3072,
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.Overlay,
+    useOverlayDatabaseCaching: true,
+  },
+);
+
 test(
   getOverlayDatabaseModeMacro,
   "No overlay analysis on PR when code-scanning feature enabled with disable-default-queries",
@@ -1649,6 +1789,32 @@ test(
   },
 );
 
+test(
+  getOverlayDatabaseModeMacro,
+  "Fallback due to old git version",
+  {
+    overlayDatabaseEnvVar: "overlay",
+    gitVersion: "2.30.0", // Version below required 2.38.0
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+  },
+);
+
+test(
+  getOverlayDatabaseModeMacro,
+  "Fallback when git version cannot be determined",
+  {
+    overlayDatabaseEnvVar: "overlay",
+    gitVersion: undefined,
+  },
+  {
+    overlayDatabaseMode: OverlayDatabaseMode.None,
+    useOverlayDatabaseCaching: false,
+  },
+);
+
 // Exercise language-specific overlay analysis features code paths
 for (const language in KnownLanguage) {
   test(

src/config-utils.ts

@@ -26,7 +26,12 @@ import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-util
 import * as errorMessages from "./error-messages";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import { RepositoryProperties } from "./feature-flags/properties";
-import { getGitRoot, isAnalyzingDefaultBranch } from "./git-utils";
+import {
+  getGitRoot,
+  GIT_MINIMUM_VERSION_FOR_OVERLAY,
+  gitVersionAtLeast,
+  isAnalyzingDefaultBranch,
+} from "./git-utils";
 import { KnownLanguage, Language } from "./languages";
 import { Logger } from "./logging";
 import {
@@ -44,6 +49,7 @@ import {
   cloneObject,
   isDefined,
   checkDiskUsage,
+  getCodeQLMemoryLimit,
 } from "./util";
 
 export * from "./config/db-config";
@@ -59,6 +65,14 @@ const OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 20000;
 const OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES =
   OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1_000_000;
 
+/**
+ * The minimum memory (in MB) that must be available for CodeQL to perform overlay
+ * analysis. If CodeQL will be given less memory than this threshold, then the
+ * action will not perform overlay analysis unless overlay analysis has been
+ * explicitly enabled via environment variable.
+ */
+const OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
+
 export type RegistryConfigWithCredentials = RegistryConfigNoCredentials & {
   // Token to use when downloading packs from this registry.
   token: string;
@@ -393,6 +407,7 @@ export interface InitConfigInputs {
   dbLocation: string | undefined;
   configInput: string | undefined;
   buildModeInput: string | undefined;
+  ramInput: string | undefined;
   trapCachingEnabled: boolean;
   dependencyCachingEnabled: string | undefined;
   debugMode: boolean;
@@ -634,6 +649,42 @@ async function isOverlayAnalysisFeatureEnabled(
   return true;
 }
 
+/**
+ * Checks if the runner supports overlay analysis based on available disk space
+ * and the maximum memory CodeQL will be allowed to use.
+ */
+async function runnerSupportsOverlayAnalysis(
+  ramInput: string | undefined,
+  logger: Logger,
+): Promise<boolean> {
+  const diskUsage = await checkDiskUsage(logger);
+  if (
+    diskUsage === undefined ||
+    diskUsage.numAvailableBytes < OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES
+  ) {
+    const diskSpaceMb =
+      diskUsage === undefined
+        ? 0
+        : Math.round(diskUsage.numAvailableBytes / 1_000_000);
+    logger.info(
+      `Setting overlay database mode to ${OverlayDatabaseMode.None} ` +
+        `due to insufficient disk space (${diskSpaceMb} MB).`,
+    );
+    return false;
+  }
+
+  const memoryFlagValue = getCodeQLMemoryLimit(ramInput, logger);
+  if (memoryFlagValue < OVERLAY_MINIMUM_MEMORY_MB) {
+    logger.info(
+      `Setting overlay database mode to ${OverlayDatabaseMode.None} ` +
+        `due to insufficient memory for CodeQL analysis (${memoryFlagValue} MB).`,
+    );
+    return false;
+  }
+
+  return true;
+}
+
 /**
  * Calculate and validate the overlay database mode and caching to use.
  *
@@ -661,6 +712,7 @@ export async function getOverlayDatabaseMode(
   languages: Language[],
   sourceRoot: string,
   buildMode: BuildMode | undefined,
+  ramInput: string | undefined,
   codeScanningConfig: UserConfig,
   logger: Logger,
 ): Promise<{
@@ -691,37 +743,29 @@ export async function getOverlayDatabaseMode(
       codeScanningConfig,
     )
   ) {
-    const diskUsage = await checkDiskUsage(logger);
+    const performResourceChecks = !(await features.getValue(
+      Feature.OverlayAnalysisSkipResourceChecks,
+      codeql,
+    ));
     if (
-      diskUsage === undefined ||
-      diskUsage.numAvailableBytes < OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES
+      performResourceChecks &&
+      !(await runnerSupportsOverlayAnalysis(ramInput, logger))
     ) {
-      const diskSpaceMb =
-        diskUsage === undefined
-          ? 0
-          : Math.round(diskUsage.numAvailableBytes / 1_000_000);
       overlayDatabaseMode = OverlayDatabaseMode.None;
-      useOverlayDatabaseCaching = false;
+    } else if (isAnalyzingPullRequest()) {
+      overlayDatabaseMode = OverlayDatabaseMode.Overlay;
+      useOverlayDatabaseCaching = true;
       logger.info(
         `Setting overlay database mode to ${overlayDatabaseMode} ` +
-          `due to insufficient disk space (${diskSpaceMb} MB).`,
+          "with caching because we are analyzing a pull request.",
+      );
+    } else if (await isAnalyzingDefaultBranch()) {
+      overlayDatabaseMode = OverlayDatabaseMode.OverlayBase;
+      useOverlayDatabaseCaching = true;
+      logger.info(
+        `Setting overlay database mode to ${overlayDatabaseMode} ` +
+          "with caching because we are analyzing the default branch.",
       );
-    } else {
-      if (isAnalyzingPullRequest()) {
-        overlayDatabaseMode = OverlayDatabaseMode.Overlay;
-        useOverlayDatabaseCaching = true;
-        logger.info(
-          `Setting overlay database mode to ${overlayDatabaseMode} ` +
-            "with caching because we are analyzing a pull request.",
-        );
-      } else if (await isAnalyzingDefaultBranch()) {
-        overlayDatabaseMode = OverlayDatabaseMode.OverlayBase;
-        useOverlayDatabaseCaching = true;
-        logger.info(
-          `Setting overlay database mode to ${overlayDatabaseMode} ` +
-            "with caching because we are analyzing the default branch.",
-        );
-      }
     }
   }
 
@@ -772,6 +816,14 @@ export async function getOverlayDatabaseMode(
     );
     return nonOverlayAnalysis;
   }
+  if (!(await gitVersionAtLeast(GIT_MINIMUM_VERSION_FOR_OVERLAY, logger))) {
+    logger.warning(
+      `Cannot build an ${overlayDatabaseMode} database because ` +
+        `the installed Git version is older than ${GIT_MINIMUM_VERSION_FOR_OVERLAY}. ` +
+        "Falling back to creating a normal full database instead.",
+    );
+    return nonOverlayAnalysis;
+  }
 
   return {
     overlayDatabaseMode,
@@ -875,6 +927,7 @@ export async function initConfig(
       config.languages,
       inputs.sourceRoot,
       config.buildMode,
+      inputs.ramInput,
       config.computedConfig,
       logger,
     );

src/database-upload.ts

@@ -41,7 +41,7 @@ export async function cleanupAndUploadDatabases(
   // Do nothing when not running against github.com
   if (
     config.gitHubVersion.type !== util.GitHubVariant.DOTCOM &&
-    config.gitHubVersion.type !== util.GitHubVariant.GHE_DOTCOM
+    config.gitHubVersion.type !== util.GitHubVariant.GHEC_DR
   ) {
     logger.debug("Not running against github.com or GHEC-DR. Skipping upload.");
     return;

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.6",
-  "cliVersion": "2.23.6",
-  "priorBundleVersion": "codeql-bundle-v2.23.5",
-  "priorCliVersion": "2.23.5"
+  "bundleVersion": "codeql-bundle-v2.23.8",
+  "cliVersion": "2.23.8",
+  "priorBundleVersion": "codeql-bundle-v2.23.7",
+  "priorCliVersion": "2.23.7"
 }

src/dependency-caching.test.ts

@@ -21,6 +21,8 @@ import {
   downloadDependencyCaches,
   CacheHitKind,
   cacheKey,
+  getCsharpDependencyDirs,
+  getCsharpTempDependencyDir,
   uploadDependencyCaches,
   CacheStoreResult,
 } from "./dependency-caching";
@@ -42,6 +44,28 @@ function makeAbsolutePatterns(tmpDir: string, patterns: string[]): string[] {
   return patterns.map((pattern) => path.join(tmpDir, pattern));
 }
 
+test("getCsharpDependencyDirs - does not include BMN dir if FF is enabled", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    process.env["RUNNER_TEMP"] = tmpDir;
+    const codeql = createStubCodeQL({});
+    const features = createFeatures([]);
+
+    const results = await getCsharpDependencyDirs(codeql, features);
+    t.false(results.includes(getCsharpTempDependencyDir()));
+  });
+});
+
+test("getCsharpDependencyDirs - includes BMN dir if FF is enabled", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    process.env["RUNNER_TEMP"] = tmpDir;
+    const codeql = createStubCodeQL({});
+    const features = createFeatures([Feature.CsharpCacheBuildModeNone]);
+
+    const results = await getCsharpDependencyDirs(codeql, features);
+    t.assert(results.includes(getCsharpTempDependencyDir()));
+  });
+});
+
 test("makePatternCheck - returns undefined if no patterns match", async (t) => {
   await withTmpDir(async (tmpDir) => {
     fs.writeFileSync(path.join(tmpDir, "test.java"), "");
@@ -130,7 +154,7 @@ test("checkHashPatterns - logs when no patterns match", async (t) => {
   const features = createFeatures([]);
   const messages: LoggedMessage[] = [];
   const config: CacheConfig = {
-    getDependencyPaths: () => [],
+    getDependencyPaths: async () => [],
     getHashPatterns: async () => undefined,
   };
 
@@ -159,7 +183,7 @@ test("checkHashPatterns - returns patterns when patterns match", async (t) => {
     fs.writeFileSync(path.join(tmpDir, "test.java"), "");
 
     const config: CacheConfig = {
-      getDependencyPaths: () => [],
+      getDependencyPaths: async () => [],
       getHashPatterns: async () => makePatternCheck(patterns),
     };
 
@@ -625,3 +649,28 @@ test("getFeaturePrefix - non-C# - returns '' if CsharpNewCacheKey is enabled", a
     t.deepEqual(result, "", `Expected no feature prefix for ${knownLanguage}`);
   }
 });
+
+test("getFeaturePrefix - C# - returns prefix if CsharpCacheBuildModeNone is enabled", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([Feature.CsharpCacheBuildModeNone]);
+
+  const result = await getFeaturePrefix(codeql, features, KnownLanguage.csharp);
+  t.notDeepEqual(result, "");
+  t.assert(result.endsWith("-"));
+  // Check the length of the prefix, which should correspond to `cacheKeyHashLength` + 1 for the trailing `-`.
+  t.is(result.length, cacheKeyHashLength + 1);
+});
+
+test("getFeaturePrefix - non-C# - returns '' if CsharpCacheBuildModeNone is enabled", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([Feature.CsharpCacheBuildModeNone]);
+
+  for (const knownLanguage of Object.values(KnownLanguage)) {
+    // Skip C# since we expect a result for it, which is tested in the previous test.
+    if (knownLanguage === KnownLanguage.csharp) {
+      continue;
+    }
+    const result = await getFeaturePrefix(codeql, features, knownLanguage);
+    t.deepEqual(result, "", `Expected no feature prefix for ${knownLanguage}`);
+  }
+});

src/dependency-caching.ts

@@ -20,7 +20,10 @@ import { getErrorMessage, getRequiredEnvParam } from "./util";
  */
 export interface CacheConfig {
   /** Gets the paths of directories on the runner that should be included in the cache. */
-  getDependencyPaths: () => string[];
+  getDependencyPaths: (
+    codeql: CodeQL,
+    features: FeatureEnablement,
+  ) => Promise<string[]>;
   /**
    * Gets an array of glob patterns for the paths of files whose contents affect which dependencies are used
    * by a project. This function also checks whether there are any matching files and returns
@@ -55,7 +58,7 @@ export function getJavaTempDependencyDir(): string {
  * @returns The paths of directories on the runner that should be included in a dependency cache
  * for a Java analysis.
  */
-function getJavaDependencyDirs(): string[] {
+export async function getJavaDependencyDirs(): Promise<string[]> {
   return [
     // Maven
     join(os.homedir(), ".m2", "repository"),
@@ -66,6 +69,38 @@ function getJavaDependencyDirs(): string[] {
   ];
 }
 
+/**
+ * Returns a path to a directory intended to be used to store dependencies
+ * for the C# `build-mode: none` extractor.
+ * @returns The path to the directory that should be used by the `build-mode: none` extractor.
+ */
+export function getCsharpTempDependencyDir(): string {
+  return join(getTemporaryDirectory(), "codeql_csharp", "repository");
+}
+
+/**
+ * Returns an array of paths of directories on the runner that should be included in a dependency cache
+ * for a C# analysis.
+ *
+ * @returns The paths of directories on the runner that should be included in a dependency cache
+ * for a C# analysis.
+ */
+export async function getCsharpDependencyDirs(
+  codeql: CodeQL,
+  features: FeatureEnablement,
+): Promise<string[]> {
+  const dirs = [
+    // Nuget
+    join(os.homedir(), ".nuget", "packages"),
+  ];
+
+  if (await features.getValue(Feature.CsharpCacheBuildModeNone, codeql)) {
+    dirs.push(getCsharpTempDependencyDir());
+  }
+
+  return dirs;
+}
+
 /**
  * Checks that there are files which match `patterns`. If there are matching files for any of the patterns,
  * this function returns all `patterns`. Otherwise, `undefined` is returned.
@@ -158,11 +193,11 @@ const defaultCacheConfigs: { [language: string]: CacheConfig } = {
       ]),
   },
   csharp: {
-    getDependencyPaths: () => [join(os.homedir(), ".nuget", "packages")],
+    getDependencyPaths: getCsharpDependencyDirs,
     getHashPatterns: getCsharpHashPatterns,
   },
   go: {
-    getDependencyPaths: () => [join(os.homedir(), "go", "pkg", "mod")],
+    getDependencyPaths: async () => [join(os.homedir(), "go", "pkg", "mod")],
     getHashPatterns: async () => internal.makePatternCheck(["**/go.sum"]),
   },
 };
@@ -289,7 +324,7 @@ export async function downloadDependencyCaches(
 
     const start = performance.now();
     const hitKey = await actionsCache.restoreCache(
-      cacheConfig.getDependencyPaths(),
+      await cacheConfig.getDependencyPaths(codeql, features),
       primaryKey,
       restoreKeys,
     );
@@ -408,7 +443,7 @@ export async function uploadDependencyCaches(
     //   with the dependency caches. For this, we could use the Cache API to check whether other workflows
     //   are using the quota and how full it is.
     const size = await getTotalCacheSize(
-      cacheConfig.getDependencyPaths(),
+      await cacheConfig.getDependencyPaths(codeql, features),
       logger,
       true,
     );
@@ -428,7 +463,10 @@ export async function uploadDependencyCaches(
 
     try {
       const start = performance.now();
-      await actionsCache.saveCache(cacheConfig.getDependencyPaths(), key);
+      await actionsCache.saveCache(
+        await cacheConfig.getDependencyPaths(codeql, features),
+        key,
+      );
       const upload_duration_ms = Math.round(performance.now() - start);
 
       status.push({
@@ -516,6 +554,7 @@ export async function getFeaturePrefix(
     }
   } else if (language === KnownLanguage.csharp) {
     await addFeatureIfEnabled(Feature.CsharpNewCacheKey);
+    await addFeatureIfEnabled(Feature.CsharpCacheBuildModeNone);
   }
 
   // If any features that affect the cache are enabled, return a feature prefix by

src/diagnostics.ts

@@ -185,3 +185,28 @@ export function flushDiagnostics(config: Config) {
   // Reset the unwritten diagnostics array.
   unwrittenDiagnostics = [];
 }
+
+/**
+ * Creates a telemetry-only diagnostic message. This is a convenience function
+ * for creating diagnostics that should only be sent to telemetry and not
+ * displayed on the status page or CLI summary table.
+ *
+ * @param id An identifier under which it makes sense to group this diagnostic message.
+ * @param name Display name for the ID.
+ * @param attributes Structured metadata about the diagnostic message.
+ * @returns Returns the new telemetry diagnostic message.
+ */
+export function makeTelemetryDiagnostic(
+  id: string,
+  name: string,
+  attributes: { [key: string]: any },
+): DiagnosticMessage {
+  return makeDiagnostic(id, name, {
+    attributes,
+    visibility: {
+      cliSummaryTable: false,
+      statusPage: false,
+      telemetry: true,
+    },
+  });
+}

src/feature-flags.test.ts

@@ -62,13 +62,13 @@ test(`All features are disabled if running against GHES`, async (t) => {
   });
 });
 
-test(`Feature flags are requested in Proxima`, async (t) => {
+test(`Feature flags are requested in GHEC-DR`, async (t) => {
   await withTmpDir(async (tmpDir) => {
     const loggedMessages = [];
     const features = setUpFeatureFlagTests(
       tmpDir,
       getRecordingLogger(loggedMessages),
-      { type: GitHubVariant.GHE_DOTCOM },
+      { type: GitHubVariant.GHEC_DR },
     );
 
     mockFeatureFlagApiEndpoint(200, initializeFeatures(true));
@@ -436,97 +436,79 @@ test(`selects CLI from defaults.json on GHES`, async (t) => {
   });
 });
 
-test("selects CLI v2.20.1 on Dotcom when feature flags enable v2.20.0 and v2.20.1", async (t) => {
-  await withTmpDir(async (tmpDir) => {
-    const features = setUpFeatureFlagTests(tmpDir);
-    const expectedFeatureEnablement = initializeFeatures(true);
-    expectedFeatureEnablement["default_codeql_version_2_20_0_enabled"] = true;
-    expectedFeatureEnablement["default_codeql_version_2_20_1_enabled"] = true;
-    expectedFeatureEnablement["default_codeql_version_2_20_2_enabled"] = false;
-    expectedFeatureEnablement["default_codeql_version_2_20_3_enabled"] = false;
-    expectedFeatureEnablement["default_codeql_version_2_20_4_enabled"] = false;
-    expectedFeatureEnablement["default_codeql_version_2_20_5_enabled"] = false;
-    mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);
+for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) {
+  test(`selects CLI v2.20.1 on ${variant} when feature flags enable v2.20.0 and v2.20.1`, async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      const features = setUpFeatureFlagTests(tmpDir);
+      const expectedFeatureEnablement = initializeFeatures(true);
+      expectedFeatureEnablement["default_codeql_version_2_20_0_enabled"] = true;
+      expectedFeatureEnablement["default_codeql_version_2_20_1_enabled"] = true;
+      expectedFeatureEnablement["default_codeql_version_2_20_2_enabled"] =
+        false;
+      expectedFeatureEnablement["default_codeql_version_2_20_3_enabled"] =
+        false;
+      expectedFeatureEnablement["default_codeql_version_2_20_4_enabled"] =
+        false;
+      expectedFeatureEnablement["default_codeql_version_2_20_5_enabled"] =
+        false;
+      mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);
 
-    const defaultCliVersion = await features.getDefaultCliVersion(
-      GitHubVariant.DOTCOM,
-    );
-    t.deepEqual(defaultCliVersion, {
-      cliVersion: "2.20.1",
-      tagName: "codeql-bundle-v2.20.1",
-      toolsFeatureFlagsValid: true,
+      const defaultCliVersion = await features.getDefaultCliVersion(variant);
+      t.deepEqual(defaultCliVersion, {
+        cliVersion: "2.20.1",
+        tagName: "codeql-bundle-v2.20.1",
+        toolsFeatureFlagsValid: true,
+      });
     });
   });
-});
 
-test("includes tag name", async (t) => {
-  await withTmpDir(async (tmpDir) => {
-    const features = setUpFeatureFlagTests(tmpDir);
-    const expectedFeatureEnablement = initializeFeatures(true);
-    expectedFeatureEnablement["default_codeql_version_2_20_0_enabled"] = true;
-    mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);
+  test(`selects CLI from defaults.json on ${variant} when no default version feature flags are enabled`, async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      const features = setUpFeatureFlagTests(tmpDir);
+      const expectedFeatureEnablement = initializeFeatures(true);
+      mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);
 
-    const defaultCliVersion = await features.getDefaultCliVersion(
-      GitHubVariant.DOTCOM,
-    );
-    t.deepEqual(defaultCliVersion, {
-      cliVersion: "2.20.0",
-      tagName: "codeql-bundle-v2.20.0",
-      toolsFeatureFlagsValid: true,
+      const defaultCliVersion = await features.getDefaultCliVersion(variant);
+      t.deepEqual(defaultCliVersion, {
+        cliVersion: defaults.cliVersion,
+        tagName: defaults.bundleVersion,
+        toolsFeatureFlagsValid: false,
+      });
     });
   });
-});
 
-test(`selects CLI from defaults.json on Dotcom when no default version feature flags are enabled`, async (t) => {
-  await withTmpDir(async (tmpDir) => {
-    const features = setUpFeatureFlagTests(tmpDir);
-    const expectedFeatureEnablement = initializeFeatures(true);
-    mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);
+  test(`ignores invalid version numbers in default version feature flags on ${variant}`, async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      const loggedMessages = [];
+      const features = setUpFeatureFlagTests(
+        tmpDir,
+        getRecordingLogger(loggedMessages),
+      );
+      const expectedFeatureEnablement = initializeFeatures(true);
+      expectedFeatureEnablement["default_codeql_version_2_20_0_enabled"] = true;
+      expectedFeatureEnablement["default_codeql_version_2_20_1_enabled"] = true;
+      expectedFeatureEnablement["default_codeql_version_2_20_invalid_enabled"] =
+        true;
+      mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);
 
-    const defaultCliVersion = await features.getDefaultCliVersion(
-      GitHubVariant.DOTCOM,
-    );
-    t.deepEqual(defaultCliVersion, {
-      cliVersion: defaults.cliVersion,
-      tagName: defaults.bundleVersion,
-      toolsFeatureFlagsValid: false,
+      const defaultCliVersion = await features.getDefaultCliVersion(variant);
+      t.deepEqual(defaultCliVersion, {
+        cliVersion: "2.20.1",
+        tagName: "codeql-bundle-v2.20.1",
+        toolsFeatureFlagsValid: true,
+      });
+
+      t.assert(
+        loggedMessages.find(
+          (v: LoggedMessage) =>
+            v.type === "warning" &&
+            v.message ===
+              "Ignoring feature flag default_codeql_version_2_20_invalid_enabled as it does not specify a valid CodeQL version.",
+        ) !== undefined,
+      );
     });
   });
-});
-
-test("ignores invalid version numbers in default version feature flags", async (t) => {
-  await withTmpDir(async (tmpDir) => {
-    const loggedMessages = [];
-    const features = setUpFeatureFlagTests(
-      tmpDir,
-      getRecordingLogger(loggedMessages),
-    );
-    const expectedFeatureEnablement = initializeFeatures(true);
-    expectedFeatureEnablement["default_codeql_version_2_20_0_enabled"] = true;
-    expectedFeatureEnablement["default_codeql_version_2_20_1_enabled"] = true;
-    expectedFeatureEnablement["default_codeql_version_2_20_invalid_enabled"] =
-      true;
-    mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement);
-
-    const defaultCliVersion = await features.getDefaultCliVersion(
-      GitHubVariant.DOTCOM,
-    );
-    t.deepEqual(defaultCliVersion, {
-      cliVersion: "2.20.1",
-      tagName: "codeql-bundle-v2.20.1",
-      toolsFeatureFlagsValid: true,
-    });
-
-    t.assert(
-      loggedMessages.find(
-        (v: LoggedMessage) =>
-          v.type === "warning" &&
-          v.message ===
-            "Ignoring feature flag default_codeql_version_2_20_invalid_enabled as it does not specify a valid CodeQL version.",
-      ) !== undefined,
-    );
-  });
-});
+}
 
 test("legacy feature flags should end with _enabled", async (t) => {
   for (const [feature, config] of Object.entries(featureConfig)) {

src/feature-flags.ts

@@ -44,9 +44,9 @@ export interface FeatureEnablement {
  */
 export enum Feature {
   AllowToolcacheInput = "allow_toolcache_input",
-  AnalyzeUseNewUpload = "analyze_use_new_upload",
   CleanupTrapCaches = "cleanup_trap_caches",
   CppDependencyInstallation = "cpp_dependency_installation_enabled",
+  CsharpCacheBuildModeNone = "csharp_cache_bmn",
   CsharpNewCacheKey = "csharp_new_cache_key",
   DiffInformedQueries = "diff_informed_queries",
   DisableCsharpBuildless = "disable_csharp_buildless",
@@ -74,6 +74,7 @@ export enum Feature {
   OverlayAnalysisPython = "overlay_analysis_python",
   OverlayAnalysisRuby = "overlay_analysis_ruby",
   OverlayAnalysisRust = "overlay_analysis_rust",
+  OverlayAnalysisSkipResourceChecks = "overlay_analysis_skip_resource_checks",
   OverlayAnalysisSwift = "overlay_analysis_swift",
   PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
   QaTelemetryEnabled = "qa_telemetry_enabled",
@@ -118,11 +119,6 @@ export const featureConfig: Record<
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
     minimumVersion: undefined,
   },
-  [Feature.AnalyzeUseNewUpload]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
-    minimumVersion: undefined,
-  },
   [Feature.CleanupTrapCaches]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -134,6 +130,11 @@ export const featureConfig: Record<
     legacyApi: true,
     minimumVersion: "2.15.0",
   },
+  [Feature.CsharpCacheBuildModeNone]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN",
+    minimumVersion: undefined,
+  },
   [Feature.CsharpNewCacheKey]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
@@ -272,6 +273,11 @@ export const featureConfig: Record<
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
     minimumVersion: undefined,
   },
+  [Feature.OverlayAnalysisSkipResourceChecks]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
+    minimumVersion: undefined,
+  },
   [Feature.OverlayAnalysisSwift]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
@@ -486,8 +492,8 @@ class GitHubFeatureFlags {
   async getDefaultCliVersion(
     variant: util.GitHubVariant,
   ): Promise<CodeQLDefaultVersionInfo> {
-    if (variant === util.GitHubVariant.DOTCOM) {
-      return await this.getDefaultDotcomCliVersion();
+    if (supportsFeatureFlags(variant)) {
+      return await this.getDefaultCliVersionFromFlags();
     }
     return {
       cliVersion: defaults.cliVersion,
@@ -495,7 +501,7 @@ class GitHubFeatureFlags {
     };
   }
 
-  async getDefaultDotcomCliVersion(): Promise<CodeQLDefaultVersionInfo> {
+  async getDefaultCliVersionFromFlags(): Promise<CodeQLDefaultVersionInfo> {
     const response = await this.getAllFeatures();
 
     const enabledFeatureFlagCliVersions = Object.entries(response)
@@ -621,10 +627,7 @@ class GitHubFeatureFlags {
 
   private async loadApiResponse(): Promise<GitHubFeatureFlagsApiResponse> {
     // Do nothing when not running against github.com
-    if (
-      this.gitHubVersion.type !== util.GitHubVariant.DOTCOM &&
-      this.gitHubVersion.type !== util.GitHubVariant.GHE_DOTCOM
-    ) {
+    if (!supportsFeatureFlags(this.gitHubVersion.type)) {
       this.logger.debug(
         "Not running against github.com. Disabling all toggleable features.",
       );
@@ -690,3 +693,10 @@ class GitHubFeatureFlags {
     }
   }
 }
+
+function supportsFeatureFlags(githubVariant: util.GitHubVariant): boolean {
+  return (
+    githubVariant === util.GitHubVariant.DOTCOM ||
+    githubVariant === util.GitHubVariant.GHEC_DR
+  );
+}

src/git-utils.test.ts

@@ -7,7 +7,12 @@ import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
 import * as gitUtils from "./git-utils";
-import { setupActionsVars, setupTests } from "./testing-utils";
+import {
+  getRecordingLogger,
+  LoggedMessage,
+  setupActionsVars,
+  setupTests,
+} from "./testing-utils";
 import { withTmpDir } from "./util";
 
 setupTests(test);
@@ -392,3 +397,190 @@ test("getFileOidsUnderPath throws on unexpected output format", async (t) => {
     runGitCommandStub.restore();
   }
 });
+
+test("getGitVersionOrThrow returns version for valid git output", async (t) => {
+  const runGitCommandStub = sinon
+    .stub(gitUtils as any, "runGitCommand")
+    .resolves("git version 2.40.0\n");
+
+  try {
+    const version = await gitUtils.getGitVersionOrThrow();
+    t.is(version, "2.40.0");
+  } finally {
+    runGitCommandStub.restore();
+  }
+});
+
+test("getGitVersionOrThrow throws for invalid git output", async (t) => {
+  const runGitCommandStub = sinon
+    .stub(gitUtils as any, "runGitCommand")
+    .resolves("invalid output");
+
+  try {
+    await t.throwsAsync(
+      async () => {
+        await gitUtils.getGitVersionOrThrow();
+      },
+      {
+        instanceOf: Error,
+        message: "Could not parse Git version from output: invalid output",
+      },
+    );
+  } finally {
+    runGitCommandStub.restore();
+  }
+});
+
+test("getGitVersionOrThrow handles Windows-style git output", async (t) => {
+  const runGitCommandStub = sinon
+    .stub(gitUtils as any, "runGitCommand")
+    .resolves("git version 2.40.0.windows.1\n");
+
+  try {
+    const version = await gitUtils.getGitVersionOrThrow();
+    // Should extract just the major.minor.patch portion
+    t.is(version, "2.40.0");
+  } finally {
+    runGitCommandStub.restore();
+  }
+});
+
+test("getGitVersionOrThrow throws when git command fails", async (t) => {
+  const runGitCommandStub = sinon
+    .stub(gitUtils as any, "runGitCommand")
+    .rejects(new Error("git not found"));
+
+  try {
+    await t.throwsAsync(
+      async () => {
+        await gitUtils.getGitVersionOrThrow();
+      },
+      {
+        instanceOf: Error,
+        message: "git not found",
+      },
+    );
+  } finally {
+    runGitCommandStub.restore();
+  }
+});
+
+test("getGitVersion returns version and caches it", async (t) => {
+  gitUtils.resetCachedGitVersion();
+  const runGitCommandStub = sinon
+    .stub(gitUtils as any, "runGitCommand")
+    .resolves("git version 2.40.0\n");
+
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+
+  try {
+    // First call should fetch and cache
+    const version1 = await gitUtils.getGitVersion(logger);
+    t.is(version1, "2.40.0");
+    t.is(runGitCommandStub.callCount, 1);
+
+    // Second call should use cache
+    const version2 = await gitUtils.getGitVersion(logger);
+    t.is(version2, "2.40.0");
+    t.is(runGitCommandStub.callCount, 1); // Should still be 1
+  } finally {
+    runGitCommandStub.restore();
+    gitUtils.resetCachedGitVersion();
+  }
+});
+
+test("getGitVersion returns undefined when version cannot be determined", async (t) => {
+  gitUtils.resetCachedGitVersion();
+  const runGitCommandStub = sinon
+    .stub(gitUtils as any, "runGitCommand")
+    .rejects(new Error("git not found"));
+
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+
+  try {
+    const version = await gitUtils.getGitVersion(logger);
+    t.is(version, undefined);
+    t.true(
+      messages.some(
+        (m) =>
+          m.type === "debug" &&
+          typeof m.message === "string" &&
+          m.message.includes("Could not determine Git version"),
+      ),
+    );
+  } finally {
+    runGitCommandStub.restore();
+    gitUtils.resetCachedGitVersion();
+  }
+});
+
+test("gitVersionAtLeast returns true for version meeting requirement", async (t) => {
+  gitUtils.resetCachedGitVersion();
+  const runGitCommandStub = sinon
+    .stub(gitUtils as any, "runGitCommand")
+    .resolves("git version 2.40.0\n");
+
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+
+  try {
+    const result = await gitUtils.gitVersionAtLeast("2.38.0", logger);
+    t.true(result);
+    t.true(
+      messages.some(
+        (m) =>
+          m.type === "debug" &&
+          m.message === "Installed Git version is 2.40.0.",
+      ),
+    );
+  } finally {
+    runGitCommandStub.restore();
+    gitUtils.resetCachedGitVersion();
+  }
+});
+
+test("gitVersionAtLeast returns false for version not meeting requirement", async (t) => {
+  gitUtils.resetCachedGitVersion();
+  const runGitCommandStub = sinon
+    .stub(gitUtils as any, "runGitCommand")
+    .resolves("git version 2.30.0\n");
+
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+
+  try {
+    const result = await gitUtils.gitVersionAtLeast("2.38.0", logger);
+    t.false(result);
+  } finally {
+    runGitCommandStub.restore();
+    gitUtils.resetCachedGitVersion();
+  }
+});
+
+test("gitVersionAtLeast returns false when version cannot be determined", async (t) => {
+  gitUtils.resetCachedGitVersion();
+  const runGitCommandStub = sinon
+    .stub(gitUtils as any, "runGitCommand")
+    .rejects(new Error("git not found"));
+
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+
+  try {
+    const result = await gitUtils.gitVersionAtLeast("2.38.0", logger);
+    t.false(result);
+    t.true(
+      messages.some(
+        (m) =>
+          m.type === "debug" &&
+          typeof m.message === "string" &&
+          m.message.includes("Could not determine Git version"),
+      ),
+    );
+  } finally {
+    runGitCommandStub.restore();
+    gitUtils.resetCachedGitVersion();
+  }
+});

src/git-utils.ts

@@ -1,13 +1,127 @@
 import * as core from "@actions/core";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as io from "@actions/io";
+import * as semver from "semver";
 
 import {
   getOptionalInput,
   getWorkflowEvent,
   getWorkflowEventName,
 } from "./actions-util";
-import { ConfigurationError, getRequiredEnvParam } from "./util";
+import type { Config } from "./config-utils";
+import { addDiagnostic, makeTelemetryDiagnostic } from "./diagnostics";
+import { Logger } from "./logging";
+import {
+  ConfigurationError,
+  getErrorMessage,
+  getRequiredEnvParam,
+} from "./util";
+
+/**
+ * Minimum Git version required for overlay analysis. The `git ls-files --format`
+ * option, which is used by `getFileOidsUnderPath`, was introduced in Git 2.38.0.
+ */
+export const GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.38.0";
+
+/** Cached git version to avoid recomputing it multiple times. */
+let cachedGitVersion: string | undefined;
+
+/**
+ * Resets the cached git version. This is intended for use in tests only.
+ */
+export function resetCachedGitVersion(): void {
+  cachedGitVersion = undefined;
+}
+
+/**
+ * Gets the version of Git installed on the system and throws an error if
+ * the version cannot be determined.
+ *
+ * @returns The Git version string (e.g., "2.40.0").
+ * @throws {Error} if the version could not be determined.
+ */
+export async function getGitVersionOrThrow(): Promise<string> {
+  const stdout = await runGitCommand(
+    undefined,
+    ["--version"],
+    "Failed to get git version.",
+  );
+  // Git version output can vary: "git version 2.40.0" or "git version 2.40.0.windows.1"
+  // We capture just the major.minor.patch portion to ensure semver compatibility.
+  const match = stdout.match(/git version (\d+\.\d+\.\d+)/);
+  if (match?.[1]) {
+    return match[1];
+  }
+  throw new Error(`Could not parse Git version from output: ${stdout.trim()}`);
+}
+
+/**
+ * Gets the cached Git version, or fetches and caches it if not yet cached.
+ *
+ * @param logger A logger to use for logging errors.
+ * @returns The cached Git version, or undefined if the version could not be determined.
+ */
+export async function getGitVersion(
+  logger: Logger,
+): Promise<string | undefined> {
+  if (cachedGitVersion !== undefined) {
+    return cachedGitVersion;
+  }
+  try {
+    cachedGitVersion = await getGitVersionOrThrow();
+    return cachedGitVersion;
+  } catch (e) {
+    logger.debug(`Could not determine Git version: ${getErrorMessage(e)}`);
+    return undefined;
+  }
+}
+
+/**
+ * Logs the Git version as a telemetry diagnostic. Should be called once during
+ * initialization after the config is available.
+ *
+ * @param config The configuration that tells us where to store the diagnostic.
+ * @param logger A logger to use for logging errors.
+ */
+export async function logGitVersionTelemetry(
+  config: Config,
+  logger: Logger,
+): Promise<void> {
+  const version = await getGitVersion(logger);
+  if (version !== undefined && config.languages.length > 0) {
+    addDiagnostic(
+      config,
+      // Arbitrarily choose the first language. We could also choose all languages, but that
+      // increases the risk of misinterpreting the data.
+      config.languages[0],
+      makeTelemetryDiagnostic(
+        "codeql-action/git-version-telemetry",
+        "Git version telemetry",
+        { gitVersion: version },
+      ),
+    );
+  }
+}
+
+/**
+ * Checks if the installed Git version is at least the given required version.
+ *
+ * @param requiredVersion The minimum required Git version.
+ * @param logger A logger to use for logging.
+ * @returns `true` if the installed Git version is at least the required version,
+ *          `false` otherwise.
+ */
+export async function gitVersionAtLeast(
+  requiredVersion: string,
+  logger: Logger,
+): Promise<boolean> {
+  const version = await getGitVersion(logger);
+  if (version === undefined) {
+    return false;
+  }
+  logger.debug(`Installed Git version is ${version}.`);
+  return semver.gte(version, requiredVersion);
+}
 
 export const runGitCommand = async function (
   workingDirectory: string | undefined,

src/init-action.ts

@@ -33,10 +33,12 @@ import {
   flushDiagnostics,
   logUnwrittenDiagnostics,
   makeDiagnostic,
+  makeTelemetryDiagnostic,
 } from "./diagnostics";
 import { EnvVar } from "./environment";
 import { Feature, Features } from "./feature-flags";
 import { loadPropertiesFromApi } from "./feature-flags/properties";
+import { logGitVersionTelemetry } from "./git-utils";
 import {
   checkInstallPython311,
   checkPacksForOverlayCompatibility,
@@ -75,7 +77,7 @@ import {
   codeQlVersionAtLeast,
   DEFAULT_DEBUG_ARTIFACT_NAME,
   DEFAULT_DEBUG_DATABASE_NAME,
-  getMemoryFlagValue,
+  getCodeQLMemoryLimit,
   getRequiredEnvParam,
   getThreadsFlagValue,
   initializeEnvironment,
@@ -324,6 +326,7 @@ async function run() {
       queriesInput: getOptionalInput("queries"),
       packsInput: getOptionalInput("packs"),
       buildModeInput: getOptionalInput("build-mode"),
+      ramInput: getOptionalInput("ram"),
       configFile,
       dbLocation: getOptionalInput("db-location"),
       configInput: getOptionalInput("config"),
@@ -417,21 +420,17 @@ async function run() {
         // Arbitrarily choose the first language. We could also choose all languages, but that
         // increases the risk of misinterpreting the data.
         config.languages[0],
-        makeDiagnostic(
+        makeTelemetryDiagnostic(
           "codeql-action/bundle-download-telemetry",
           "CodeQL bundle download telemetry",
-          {
-            attributes: toolsDownloadStatusReport,
-            visibility: {
-              cliSummaryTable: false,
-              statusPage: false,
-              telemetry: true,
-            },
-          },
+          toolsDownloadStatusReport,
         ),
       );
     }
 
+    // Log Git version telemetry
+    await logGitVersionTelemetry(config, logger);
+
     // Forward Go flags
     const goFlags = process.env["GOFLAGS"];
     if (goFlags) {
@@ -537,7 +536,7 @@ async function run() {
     core.exportVariable(
       "CODEQL_RAM",
       process.env["CODEQL_RAM"] ||
-        getMemoryFlagValue(getOptionalInput("ram"), logger).toString(),
+        getCodeQLMemoryLimit(getOptionalInput("ram"), logger).toString(),
     );
     core.exportVariable(
       "CODEQL_THREADS",
@@ -784,17 +783,10 @@ async function recordZstdAvailability(
     // Arbitrarily choose the first language. We could also choose all languages, but that
     // increases the risk of misinterpreting the data.
     config.languages[0],
-    makeDiagnostic(
+    makeTelemetryDiagnostic(
       "codeql-action/zstd-availability",
       "Zstandard availability",
-      {
-        attributes: zstdAvailability,
-        visibility: {
-          cliSummaryTable: false,
-          statusPage: false,
-          telemetry: true,
-        },
-      },
+      zstdAvailability,
     ),
   );
 }

src/overlay-database-utils.test.ts

@@ -7,7 +7,9 @@ import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
 import * as apiClient from "./api-client";
+import { ResolveDatabaseOutput } from "./codeql";
 import * as gitUtils from "./git-utils";
+import { KnownLanguage } from "./languages";
 import { getRunnerLogger } from "./logging";
 import {
   downloadOverlayBaseDatabaseFromCache,
@@ -95,6 +97,7 @@ interface DownloadOverlayBaseDatabaseTestCase {
   hasBaseDatabaseOidsFile: boolean;
   tryGetFolderBytesSucceeds: boolean;
   codeQLVersion: string;
+  resolveDatabaseOutput: ResolveDatabaseOutput | Error;
 }
 
 const defaultDownloadTestCase: DownloadOverlayBaseDatabaseTestCase = {
@@ -105,6 +108,7 @@ const defaultDownloadTestCase: DownloadOverlayBaseDatabaseTestCase = {
   hasBaseDatabaseOidsFile: true,
   tryGetFolderBytesSucceeds: true,
   codeQLVersion: "2.20.5",
+  resolveDatabaseOutput: { overlayBaseSpecifier: "20250626:XXX" },
 };
 
 const testDownloadOverlayBaseDatabaseFromCache = test.macro({
@@ -119,9 +123,11 @@ const testDownloadOverlayBaseDatabaseFromCache = test.macro({
       await fs.promises.mkdir(dbLocation, { recursive: true });
 
       const logger = getRunnerLogger(true);
-      const config = createTestConfig({ dbLocation });
-
       const testCase = { ...defaultDownloadTestCase, ...partialTestCase };
+      const config = createTestConfig({
+        dbLocation,
+        languages: [KnownLanguage.java],
+      });
 
       config.overlayDatabaseMode = testCase.overlayDatabaseMode;
       config.useOverlayDatabaseCaching = testCase.useOverlayDatabaseCaching;
@@ -163,9 +169,23 @@ const testDownloadOverlayBaseDatabaseFromCache = test.macro({
         .resolves(testCase.tryGetFolderBytesSucceeds ? 1024 * 1024 : undefined);
       stubs.push(tryGetFolderBytesStub);
 
+      const codeql = mockCodeQLVersion(testCase.codeQLVersion);
+
+      if (testCase.resolveDatabaseOutput instanceof Error) {
+        const resolveDatabaseStub = sinon
+          .stub(codeql, "resolveDatabase")
+          .rejects(testCase.resolveDatabaseOutput);
+        stubs.push(resolveDatabaseStub);
+      } else {
+        const resolveDatabaseStub = sinon
+          .stub(codeql, "resolveDatabase")
+          .resolves(testCase.resolveDatabaseOutput);
+        stubs.push(resolveDatabaseStub);
+      }
+
       try {
         const result = await downloadOverlayBaseDatabaseFromCache(
-          mockCodeQLVersion(testCase.codeQLVersion),
+          codeql,
           config,
           logger,
         );
@@ -255,6 +275,24 @@ test(
   false,
 );
 
+test(
+  testDownloadOverlayBaseDatabaseFromCache,
+  "returns undefined when downloaded database doesn't have an overlayBaseSpecifier",
+  {
+    resolveDatabaseOutput: {},
+  },
+  false,
+);
+
+test(
+  testDownloadOverlayBaseDatabaseFromCache,
+  "returns undefined when resolving database metadata fails",
+  {
+    resolveDatabaseOutput: new Error("Failed to resolve database metadata"),
+  },
+  false,
+);
+
 test(
   testDownloadOverlayBaseDatabaseFromCache,
   "returns undefined when filesystem error occurs",

src/overlay-database-utils.ts

@@ -17,6 +17,7 @@ import { getCommitOid, getFileOidsUnderPath } from "./git-utils";
 import { Logger, withGroupAsync } from "./logging";
 import {
   CleanupLevel,
+  getCodeQLDatabasePath,
   getErrorMessage,
   isInTestMode,
   tryGetFolderBytes,
@@ -176,11 +177,12 @@ const MAX_CACHE_OPERATION_MS = 600_000;
  * @param warningPrefix Prefix for the check failure warning message
  * @returns True if the verification succeeded, false otherwise
  */
-function checkOverlayBaseDatabase(
+async function checkOverlayBaseDatabase(
+  codeql: CodeQL,
   config: Config,
   logger: Logger,
   warningPrefix: string,
-): boolean {
+): Promise<boolean> {
   // An overlay-base database should contain the base database OIDs file.
   const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config);
   if (!fs.existsSync(baseDatabaseOidsFilePath)) {
@@ -189,6 +191,29 @@ function checkOverlayBaseDatabase(
     );
     return false;
   }
+
+  for (const language of config.languages) {
+    const dbPath = getCodeQLDatabasePath(config, language);
+    try {
+      const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath);
+      if (
+        resolveDatabaseOutput === undefined ||
+        !("overlayBaseSpecifier" in resolveDatabaseOutput)
+      ) {
+        logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`);
+        return false;
+      } else {
+        logger.debug(
+          `Overlay base specifier for ${language} overlay-base database found: ` +
+            `${resolveDatabaseOutput.overlayBaseSpecifier}`,
+        );
+      }
+    } catch (e) {
+      logger.warning(`${warningPrefix}: failed to resolve database: ${e}`);
+      return false;
+    }
+  }
+
   return true;
 }
 
@@ -232,7 +257,8 @@ export async function cleanupAndUploadOverlayBaseDatabaseToCache(
     return false;
   }
 
-  const databaseIsValid = checkOverlayBaseDatabase(
+  const databaseIsValid = await checkOverlayBaseDatabase(
+    codeql,
     config,
     logger,
     "Abort uploading overlay-base database to cache",
@@ -415,7 +441,8 @@ export async function downloadOverlayBaseDatabaseFromCache(
     return undefined;
   }
 
-  const databaseIsValid = checkOverlayBaseDatabase(
+  const databaseIsValid = await checkOverlayBaseDatabase(
+    codeql,
     config,
     logger,
     "Downloaded overlay-base database is invalid",

src/setup-codeql.ts

@@ -511,7 +511,7 @@ export async function getCodeQLSource(
   // different version to save download time if the version hasn't been
   // specified explicitly (in which case we always honor it).
   if (
-    variant !== util.GitHubVariant.DOTCOM &&
+    variant === util.GitHubVariant.GHES &&
     !forceShippedTools &&
     !toolsInput
   ) {

src/util.test.ts

@@ -433,8 +433,8 @@ function formatGitHubVersion(version: util.GitHubVersion): string {
   switch (version.type) {
     case util.GitHubVariant.DOTCOM:
       return "dotcom";
-    case util.GitHubVariant.GHE_DOTCOM:
-      return "GHE dotcom";
+    case util.GitHubVariant.GHEC_DR:
+      return "GHEC-DR";
     case util.GitHubVariant.GHES:
       return `GHES ${version.version}`;
     default:
@@ -445,12 +445,12 @@ function formatGitHubVersion(version: util.GitHubVersion): string {
 const CHECK_ACTION_VERSION_TESTS: Array<[string, util.GitHubVersion, boolean]> =
   [
     ["2.2.1", { type: util.GitHubVariant.DOTCOM }, true],
-    ["2.2.1", { type: util.GitHubVariant.GHE_DOTCOM }, true],
+    ["2.2.1", { type: util.GitHubVariant.GHEC_DR }, true],
     ["2.2.1", { type: util.GitHubVariant.GHES, version: "3.10" }, false],
     ["2.2.1", { type: util.GitHubVariant.GHES, version: "3.11" }, false],
     ["2.2.1", { type: util.GitHubVariant.GHES, version: "3.12" }, false],
     ["3.2.1", { type: util.GitHubVariant.DOTCOM }, true],
-    ["3.2.1", { type: util.GitHubVariant.GHE_DOTCOM }, true],
+    ["3.2.1", { type: util.GitHubVariant.GHEC_DR }, true],
     ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.10" }, false],
     ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.11" }, false],
     ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.12" }, false],
@@ -458,7 +458,7 @@ const CHECK_ACTION_VERSION_TESTS: Array<[string, util.GitHubVersion, boolean]> =
     ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.20" }, true],
     ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.21" }, true],
     ["4.2.1", { type: util.GitHubVariant.DOTCOM }, false],
-    ["4.2.1", { type: util.GitHubVariant.GHE_DOTCOM }, false],
+    ["4.2.1", { type: util.GitHubVariant.GHEC_DR }, false],
     ["4.2.1", { type: util.GitHubVariant.GHES, version: "3.19" }, false],
     ["4.2.1", { type: util.GitHubVariant.GHES, version: "3.20" }, false],
     ["4.2.1", { type: util.GitHubVariant.GHES, version: "3.21" }, false],

src/util.ts

@@ -309,13 +309,13 @@ function getCgroupMemoryLimitBytes(
 }
 
 /**
- * Get the value of the codeql `--ram` flag as configured by the `ram` input.
- * If no value was specified, the total available memory will be used minus a
+ * Get the maximum amount of memory CodeQL is allowed to use. If no limit has been
+ * configured by the user, then the total available memory will be used minus a
  * threshold reserved for the OS.
  *
- * @returns {number} the amount of RAM to use, in megabytes
+ * @returns {number} the amount of RAM CodeQL is allowed to use, in megabytes
  */
-export function getMemoryFlagValue(
+export function getCodeQLMemoryLimit(
   userInput: string | undefined,
   logger: Logger,
 ): number {
@@ -337,7 +337,7 @@ export function getMemoryFlag(
   userInput: string | undefined,
   logger: Logger,
 ): string {
-  const megabytes = getMemoryFlagValue(userInput, logger);
+  const megabytes = getCodeQLMemoryLimit(userInput, logger);
   return `--ram=${megabytes}`;
 }
 
@@ -556,13 +556,17 @@ const CODEQL_ACTION_WARNED_ABOUT_VERSION_ENV_VAR =
 let hasBeenWarnedAboutVersion = false;
 
 export enum GitHubVariant {
-  DOTCOM,
-  GHES,
-  GHE_DOTCOM,
+  /** [GitHub.com](https://github.com) */
+  DOTCOM = "GitHub.com",
+  /** [GitHub Enterprise Server](https://docs.github.com/en/enterprise-server@latest/admin/overview/about-github-enterprise-server) */
+  GHES = "GitHub Enterprise Server",
+  /** [GitHub Enterprise Cloud with data residency](https://docs.github.com/en/enterprise-cloud@latest/admin/data-residency/about-github-enterprise-cloud-with-data-residency) */
+  GHEC_DR = "GitHub Enterprise Cloud with data residency",
 }
+
 export type GitHubVersion =
   | { type: GitHubVariant.DOTCOM }
-  | { type: GitHubVariant.GHE_DOTCOM }
+  | { type: GitHubVariant.GHEC_DR }
   | { type: GitHubVariant.GHES; version: string };
 
 export function checkGitHubVersionInRange(
@@ -1105,7 +1109,7 @@ export function checkActionVersion(
     // and should update to CodeQL Action v4.
     if (
       githubVersion.type === GitHubVariant.DOTCOM ||
-      githubVersion.type === GitHubVariant.GHE_DOTCOM ||
+      githubVersion.type === GitHubVariant.GHEC_DR ||
       (githubVersion.type === GitHubVariant.GHES &&
         semver.satisfies(
           semver.coerce(githubVersion.version) ?? "0.0.0",