Merge pull request #1288 from github/update-v1.1.27-80757836

Merge releases/v2 into releases/v1

.eslintignore

@@ -0,0 +1,5 @@
+**/webpack.config.js
+lib/**
+runner/dist/**
+src/testdata/**
+tests/**

.eslintrc.json

@@ -0,0 +1,59 @@
+
+{
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+        "project": "./tsconfig.json"
+    },
+    "plugins": ["@typescript-eslint", "filenames", "github", "import", "no-async-foreach"],
+    "extends": [
+        "eslint:recommended",
+        "plugin:@typescript-eslint/recommended",
+        "plugin:@typescript-eslint/recommended-requiring-type-checking",
+        "plugin:github/recommended",
+        "plugin:github/typescript",
+        "plugin:import/typescript"
+    ],
+    "rules": {
+        "filenames/match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
+        "i18n-text/no-en": "off",
+        "import/extensions": "error",
+        "import/no-amd": "error",
+        "import/no-commonjs": "error",
+        "import/no-dynamic-require": "error",
+        // Disable the rule that checks that devDependencies aren't imported since we use a single
+        // linting configuration file for both source and test code.
+        "import/no-extraneous-dependencies": ["error", {"devDependencies": true}],
+        "import/no-namespace": "off",
+        "import/no-unresolved": "error",
+        "import/no-webpack-loader-syntax": "error",
+        "import/order": ["error", {
+            "alphabetize": {"order": "asc"},
+            "newlines-between": "always"
+        }],
+        "no-async-foreach/no-async-foreach": "error",
+        "no-console": "off",
+        "no-sequences": "error",
+        "no-shadow": "off",
+        "@typescript-eslint/no-shadow": ["error"],
+        "one-var": ["error", "never"]
+    },
+    "overrides": [{
+        // "temporarily downgraded during transition to eslint
+        "files": "**",
+        "rules": {
+            "@typescript-eslint/ban-types": "off",
+            "@typescript-eslint/explicit-module-boundary-types": "off",
+            "@typescript-eslint/no-explicit-any": "off",
+            "@typescript-eslint/no-unsafe-assignment": "off",
+            "@typescript-eslint/no-unsafe-call": "off",
+            "@typescript-eslint/no-unsafe-member-access": "off",
+            "@typescript-eslint/no-unsafe-return": "off",
+            "@typescript-eslint/no-var-requires": "off",
+            "@typescript-eslint/prefer-regexp-exec": "off",
+            "@typescript-eslint/require-await": "off",
+            "@typescript-eslint/restrict-template-expressions": "off",
+            "func-style": "off",
+            "sort-imports": "off"
+        }
+    }]
+}

.git-blame-ignore-revs

@@ -1,3 +0,0 @@
-# .git-blame-ignore-revs
-# Added trailing commas to adhere to new eslint rules
-b16296be30e150034524d6dd0b0418fc6b184267

.github/actions/check-codescanning-config/action.yml

@@ -1,72 +0,0 @@
-name: Check Code-Scanning Config
-description: |
-    Checks the code scanning configuration file generated by the
-    action to ensure it contains the expected contents
-inputs:
-  languages:
-    required: false
-    description: The languages field passed to the init action.
-
-  packs:
-    required: false
-    description: The packs field passed to the init action.
-
-  queries:
-    required: false
-    description: The queries field passed to the init action.
-
-  config-file-test:
-    required: false
-    description: |
-      The location of the config file to use. If empty,
-      then no config file is used.
-
-  expected-config-file-contents:
-    required: true
-    description: |
-      A JSON string containing the exact contents of the config file.
-
-  tools:
-    required: true
-    description: |
-      The version of CodeQL passed to the `tools` input of the init action.
-      This can be any of the following:
-
-      - A local path to a tarball containing the CodeQL tools, or
-      - A URL to a GitHub release assets containing the CodeQL tools, or
-      - A special value `linked` which is forcing the use of the CodeQL tools
-        that the action has been bundled with.
-
-      If not specified, the Action will check in several places until it finds
-      the CodeQL tools.
-
-runs:
-  using: composite
-  steps:
-    - uses: ./../action/init
-      with:
-        languages: ${{ inputs.languages }}
-        config-file: ${{ inputs.config-file-test }}
-        queries: ${{ inputs.queries }}
-        packs: ${{ inputs.packs }}
-        tools: ${{ inputs.tools }}
-        db-location: ${{ runner.temp }}/codescanning-config-cli-test
-      env:
-        CODEQL_ACTION_TEST_MODE: 'true'
-
-    - name: Install dependencies
-      shell: bash
-      run: npm install --location=global ts-node js-yaml
-
-    - name: Check config
-      working-directory: ${{ github.action_path }}
-      shell: bash
-      env:
-        EXPECTED_CONFIG_FILE_CONTENTS: '${{ inputs.expected-config-file-contents }}'
-      run: ts-node ./index.ts "$RUNNER_TEMP/user-config.yaml" "$EXPECTED_CONFIG_FILE_CONTENTS"
-    - name: Clean up
-      shell: bash
-      if: always()
-      run: |
-        rm -rf $RUNNER_TEMP/codescanning-config-cli-test
-        rm -rf $RUNNER_TEMP/user-config.yaml

.github/actions/check-codescanning-config/index.ts

@@ -1,39 +0,0 @@
-
-import * as core from '@actions/core'
-import * as yaml from 'js-yaml'
-import * as fs from 'fs'
-import * as assert from 'assert'
-
-const actualConfig = loadActualConfig()
-
-const rawExpectedConfig = process.argv[3].trim()
-if (!rawExpectedConfig) {
-  core.setFailed('No expected configuration provided')
-} else {
-  core.startGroup('Expected generated user config')
-  core.info(yaml.dump(JSON.parse(rawExpectedConfig)))
-  core.endGroup()
-}
-
-const expectedConfig = rawExpectedConfig ? JSON.parse(rawExpectedConfig) : undefined;
-
-assert.deepStrictEqual(
-  actualConfig,
-  expectedConfig,
-  'Expected configuration does not match actual configuration'
-);
-
-
-function loadActualConfig() {
-  if (!fs.existsSync(process.argv[2])) {
-    core.info('No configuration file found')
-    return undefined
-  } else {
-    const rawActualConfig = fs.readFileSync(process.argv[2], 'utf8')
-    core.startGroup('Actual generated user config')
-    core.info(rawActualConfig)
-    core.endGroup()
-
-    return yaml.load(rawActualConfig)
-  }
-}

.github/actions/check-sarif/action.yml

@@ -1,20 +0,0 @@
-name: Check SARIF
-description: Checks a SARIF file to see if certain queries were run and others were not run.
-inputs:
-  sarif-file:
-    required: true
-    description: The SARIF file to check
-
-  queries-run:
-    required: true
-    description: |
-      Comma separated list of query ids that should be included in this SARIF file.
-
-  queries-not-run:
-    required: true
-    description: |
-      Comma separated list of query ids that should NOT be included in this SARIF file.
-
-runs:
-  using: node20
-  main: index.js

.github/actions/prepare-test/action.yml

@@ -1,79 +0,0 @@
-name: "Prepare test"
-description: Performs some preparation to run tests
-inputs:
-  version:
-    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
-    required: true
-  use-all-platform-bundle:
-    description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
-    default: 'false'
-    required: false
-  setup-kotlin:
-    description: "If true, we setup kotlin"
-    default: 'true'
-    required: true
-outputs:
-  tools-url:
-    description: "The value that should be passed as the 'tools' input of the 'init' step."
-    value: ${{ steps.get-url.outputs.tools-url }}
-runs:
-  using: composite
-  steps:
-    - name: Move codeql-action
-      shell: bash
-      run: |
-        mkdir ../action
-        mv * .github ../action/
-        mv ../action/tests/multi-language-repo/{*,.github} .
-        mv ../action/.github/workflows .github
-    - id: get-url
-      name: Determine URL
-      shell: bash
-      run: |
-        set -e # Fail this Action if `gh release list` fails.
-
-        if [[ ${{ inputs.version }} == "linked" ]]; then
-          echo "tools-url=linked" >> "$GITHUB_OUTPUT"
-          exit 0
-        elif [[ ${{ inputs.version }} == "default" ]]; then
-          echo "tools-url=" >> "$GITHUB_OUTPUT"
-          exit 0
-        fi
-
-        if [[ ${{ inputs.version }} == "nightly-latest" && "$RUNNER_OS" != "Windows" ]]; then
-          extension="tar.zst"
-        else
-          extension="tar.gz"
-        fi
-
-        if [[ ${{ inputs.use-all-platform-bundle }} == "true" ]]; then
-          artifact_name="codeql-bundle.$extension"
-        elif [[ "$RUNNER_OS" == "Linux" ]]; then
-          artifact_name="codeql-bundle-linux64.$extension"
-        elif [[ "$RUNNER_OS" == "macOS" ]]; then
-          artifact_name="codeql-bundle-osx64.$extension"
-        elif [[ "$RUNNER_OS" == "Windows" ]]; then
-          artifact_name="codeql-bundle-win64.$extension"
-        else
-          echo "::error::Unrecognized OS $RUNNER_OS"
-          exit 1
-        fi
-
-        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
-          tag=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
-          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
-          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
-          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
-          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
-          echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
-        else
-          echo "::error::Unrecognized version specified!"
-          exit 1
-        fi
-
-    - uses: fwilhe2/setup-kotlin@9c245a6425255f5e98ba1ce6c15d31fce7eca9da
-      if: ${{ inputs.setup-kotlin == 'true' }}
-      with:
-        version: 1.8.21

.github/actions/query-filter-test/action.yml

@@ -1,62 +0,0 @@
-name: Query Filter Test
-description: Runs a test of query filters using the check SARIF action
-inputs:
-  sarif-file:
-    required: true
-    description: The SARIF file to check
-
-  queries-run:
-    required: true
-    description: |
-      Comma separated list of query ids that should be included in this SARIF file.
-
-  queries-not-run:
-    required: true
-    description: |
-      Comma separated list of query ids that should NOT be included in this SARIF file.
-
-  config-file:
-    required: true
-    description: |
-      The location of the codeql configuration file to use.
-
-  tools:
-    required: true
-    description: |
-      The version of CodeQL passed to the `tools` input of the init action.
-      This can be any of the following:
-
-      - A local path to a tarball containing the CodeQL tools, or
-      - A URL to a GitHub release assets containing the CodeQL tools, or
-      - A special value `linked` which is forcing the use of the CodeQL tools
-        that the action has been bundled with.
-
-      If not specified, the Action will check in several places until it finds
-      the CodeQL tools.
-
-runs:
-  using: composite
-  steps:
-    - uses: ./../action/init
-      with:
-        languages: javascript
-        config-file: ${{ inputs.config-file }}
-        tools: ${{ inputs.tools }}
-        db-location: ${{ runner.temp }}/query-filter-test
-      env:
-        CODEQL_ACTION_TEST_MODE: "true"
-    - uses: ./../action/analyze
-      with:
-        output: ${{ runner.temp }}/results
-        upload: never
-      env:
-        CODEQL_ACTION_TEST_MODE: "true"
-    - name: Check SARIF
-      uses: ./../action/.github/actions/check-sarif
-      with:
-        sarif-file:  ${{ inputs.sarif-file }}
-        queries-run: ${{ inputs.queries-run}}
-        queries-not-run: ${{ inputs.queries-not-run}}
-    - name: Cleanup after test
-      shell: bash
-      run: rm -rf "$RUNNER_TEMP/results" "$RUNNER_TEMP/query-filter-test"

.github/actions/release-branches/action.yml

@@ -1,25 +0,0 @@
-name: 'Release branches'
-description: 'Determine branches for release & backport'
-inputs:
-  major_version:
-    description: 'The version as extracted from the package.json file'
-    required: true
-  latest_tag:
-    description: 'The most recent tag published to the repository'
-    required: true
-outputs:
-  backport_source_branch:
-    description: "The release branch for the given tag"
-    value: ${{ steps.branches.outputs.backport_source_branch }}
-  backport_target_branches:
-    description: "JSON encoded list of branches to target with backports"
-    value: ${{ steps.branches.outputs.backport_target_branches }}
-runs:
-  using: "composite"
-  steps:
-    - id: branches
-      run: |
-        python ${{ github.action_path }}/release-branches.py \
-            --major-version ${{ inputs.major_version }} \
-            --latest-tag ${{ inputs.latest_tag }}
-      shell: bash

.github/actions/release-branches/release-branches.py

@@ -1,55 +0,0 @@
-import argparse
-import json
-import os
-import configparser
-
-# Name of the remote
-ORIGIN = 'origin'
-
-script_dir = os.path.dirname(os.path.realpath(__file__))
-grandparent_dir = os.path.dirname(os.path.dirname(script_dir))
-
-config = configparser.ConfigParser()
-with open(os.path.join(grandparent_dir, 'releases.ini')) as stream:
-    config.read_string('[default]\n' + stream.read())
-
-OLDEST_SUPPORTED_MAJOR_VERSION = int(config['default']['OLDEST_SUPPORTED_MAJOR_VERSION'])
-
-def main():
-
-  parser = argparse.ArgumentParser()
-  parser.add_argument("--major-version", required=True, type=str, help="The major version of the release")
-  parser.add_argument("--latest-tag", required=True, type=str, help="The most recent tag published to the repository")
-  args = parser.parse_args()
-
-  major_version = args.major_version
-  latest_tag = args.latest_tag
-
-  print("major_version: " + major_version)
-  print("latest_tag: " + latest_tag)
-
-  # If this is a primary release, we backport to all supported branches,
-  # so we check whether the major_version taken from the package.json
-  # is greater than or equal to the latest tag pulled from the repo.
-  # For example...
-  #     'v1' >= 'v2' is False # we're operating from an older release branch and should not backport
-  #     'v2' >= 'v2' is True  # the normal case where we're updating the current version
-  #     'v3' >= 'v2' is True  # in this case we are making the first release of a new major version
-  consider_backports = ( major_version >= latest_tag.split(".")[0] )
-
-  with open(os.environ["GITHUB_OUTPUT"], "a") as f:
-
-    f.write(f"backport_source_branch=releases/{major_version}\n")
-
-    backport_target_branches = []
-
-    if consider_backports:
-      for i in range(int(major_version.strip("v"))-1, 0, -1):
-        branch_name = f"releases/v{i}"
-        if i >= OLDEST_SUPPORTED_MAJOR_VERSION:
-          backport_target_branches.append(branch_name)
-
-    f.write("backport_target_branches="+json.dumps(backport_target_branches)+"\n")
-
-if __name__ == "__main__":
-  main()

.github/actions/release-initialise/action.yml

@@ -1,33 +0,0 @@
-name: 'Prepare release job'
-description: 'Prepare for updating a release branch'
-
-runs:
-  using: "composite"
-  steps:
-
-    - name: Dump environment
-      run: env
-      shell: bash
-
-    - name: Dump GitHub context
-      env:
-        GITHUB_CONTEXT: '${{ toJson(github) }}'
-      run: echo "$GITHUB_CONTEXT"
-      shell: bash
-
-    - name: Set up Python
-      uses: actions/setup-python@v5
-      with:
-        python-version: 3.12
-
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install PyGithub==2.3.0 requests
-      shell: bash
-
-    - name: Update git config
-      run: |
-        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-        git config --global user.name "github-actions[bot]"
-      shell: bash

.github/actions/setup-swift/action.yml

@@ -1,39 +0,0 @@
-name: "Set up Swift on Linux"
-description: Sets up an appropriate Swift version on Linux.
-inputs:
-  codeql-path:
-    description: Path to the CodeQL CLI executable.
-    required: true
-runs:
-  using: "composite"
-  steps:
-    - name: Get Swift version
-      id: get_swift_version
-      if: runner.os == 'Linux'
-      shell: bash
-      env:
-        CODEQL_PATH: ${{ inputs.codeql-path }}
-      run: |
-        SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
-        if [ $SWIFT_EXTRACTOR_DIR = "null" ]; then
-          VERSION="null"
-        else
-          VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/linux64/extractor" --version | awk '/version/ { print $3 }')"
-          # Specify 5.x.0, otherwise setup Action will default to latest minor version.
-          if [ $VERSION = "5.7" ]; then
-            VERSION="5.7.0"
-          elif [ $VERSION = "5.8" ]; then
-            VERSION="5.8.0"
-          elif [ $VERSION = "5.9" ]; then
-            VERSION="5.9.0"
-          # setup-swift does not yet support v5.9.1 Remove this when it does.
-          elif [ $VERSION = "5.9.1" ]; then
-            VERSION="5.9.0"
-          fi
-        fi
-        echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
-
-    - uses: redsun82/setup-swift@362f49f31da2f5f4f851657046bdd1290d03edc8 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
-      if: runner.os == 'Linux' && steps.get_swift_version.outputs.version != 'null'
-      with:
-        swift-version: "${{ steps.get_swift_version.outputs.version }}"

.github/actions/update-bundle/action.yml

@@ -1,14 +0,0 @@
-name: Update default CodeQL bundle
-description: Updates 'src/defaults.json' to point to a new CodeQL bundle release.
-
-runs:
-  using: composite
-  steps:
-    - name: Install ts-node
-      shell: bash
-      run: npm install -g ts-node
-
-    - name: Run update script
-      working-directory: ${{ github.action_path }}
-      shell: bash
-      run: ts-node ./index.ts

.github/actions/update-bundle/index.ts

@@ -1,67 +0,0 @@
-import * as fs from 'fs';
-import * as github from '@actions/github';
-
-interface BundleInfo {
-  bundleVersion: string;
-  cliVersion: string;
-}
-
-interface Defaults {
-  bundleVersion: string;
-  cliVersion: string;
-  priorBundleVersion: string;
-  priorCliVersion: string;
-}
-
-function getCodeQLCliVersionForRelease(release): string {
-  // We do not currently tag CodeQL bundles based on the CLI version they contain.
-  // Instead, we use a marker file `cli-version-<version>.txt` to record the CLI version.
-  // This marker file is uploaded as a release asset for all new CodeQL bundles.
-  const cliVersionsFromMarkerFiles = release.assets
-    .map((asset) => asset.name.match(/cli-version-(.*)\.txt/)?.[1])
-    .filter((v) => v)
-    .map((v) => v as string);
-  if (cliVersionsFromMarkerFiles.length > 1) {
-    throw new Error(
-      `Release ${release.tag_name} has multiple CLI version marker files.`
-    );
-  } else if (cliVersionsFromMarkerFiles.length === 0) {
-    throw new Error(
-      `Failed to find the CodeQL CLI version for release ${release.tag_name}.`
-    );
-  }
-  return cliVersionsFromMarkerFiles[0];
-}
-
-async function getBundleInfoFromRelease(release): Promise<BundleInfo> {
-  return {
-    bundleVersion: release.tag_name,
-    cliVersion: getCodeQLCliVersionForRelease(release)
-  };
-}
-
-async function getNewDefaults(currentDefaults: Defaults): Promise<Defaults> {
-  const release = github.context.payload.release;
-  console.log('Updating default bundle as a result of the following release: ' +
-    `${JSON.stringify(release)}.`)
-
-  const bundleInfo = await getBundleInfoFromRelease(release);
-  return {
-    bundleVersion: bundleInfo.bundleVersion,
-    cliVersion: bundleInfo.cliVersion,
-    priorBundleVersion: currentDefaults.bundleVersion,
-    priorCliVersion: currentDefaults.cliVersion
-  };
-}
-
-async function main() {
-  const previousDefaults: Defaults = JSON.parse(fs.readFileSync('../../../src/defaults.json', 'utf8'));
-  const newDefaults = await getNewDefaults(previousDefaults);
-  // Update the source file in the repository. Calling workflows should subsequently rebuild
-  // the Action to update `lib/defaults.json`.
-  fs.writeFileSync('../../../src/defaults.json', JSON.stringify(newDefaults, null, 2) + "\n");
-}
-
-// Ideally, we'd await main() here, but that doesn't work well with `ts-node`.
-// So instead we rely on the fact that Node won't exit until the event loop is empty.
-main();

.github/check-codescanning-config/action.yml

@@ -0,0 +1,60 @@
+name: Check Code-Scanning Config
+description: |
+    Checks the code scanning configuration file generated by the
+    action to ensure it contains the expected contents
+inputs:
+  languages:
+    required: false
+    description: The languages field passed to the init action.
+
+  packs:
+    required: false
+    description: The packs field passed to the init action.
+
+  queries:
+    required: false
+    description: The queries field passed to the init action.
+
+  config-file-test:
+    required: false
+    description: |
+      The location of the config file to use. If empty,
+      then no config file is used.
+
+  expected-config-file-contents:
+    required: true
+    description: |
+      A JSON string containing the exact contents of the config file.
+
+  tools:
+    required: true
+    description: |
+      The url of codeql to use.
+
+runs:
+  using: composite
+  steps:
+    - uses: ./../action/init
+      with:
+        languages: ${{ inputs.languages }}
+        config-file: ${{ inputs.config-file-test }}
+        queries: ${{ inputs.queries }}
+        packs: ${{ inputs.packs }}
+        tools: ${{ inputs.tools }}
+        db-location: ${{ runner.temp }}/codescanning-config-cli-test
+
+    - name: Install dependencies
+      shell: bash
+      run: npm install --location=global ts-node js-yaml
+
+    - name: Check config
+      working-directory: ${{ github.action_path }}
+      shell: bash
+      run: ts-node ./index.ts "${{ runner.temp }}/user-config.yaml" '${{ inputs.expected-config-file-contents }}'
+
+    - name: Clean up
+      shell: bash
+      if: always()
+      run: |
+        rm -rf ${{ runner.temp }}/codescanning-config-cli-test
+        rm -rf ${{ runner.temp }}/user-config.yaml

.github/check-codescanning-config/index.ts

@@ -0,0 +1,39 @@
+
+import * as core from '@actions/core'
+import * as yaml from 'js-yaml'
+import * as fs from 'fs'
+import * as assert from 'assert'
+
+const actualConfig = loadActualConfig()
+
+const rawExpectedConfig = process.argv[3].trim()
+if (!rawExpectedConfig) {
+  core.info('No expected configuration provided')
+} else {
+  core.startGroup('Expected generated user config')
+  core.info(yaml.dump(JSON.parse(rawExpectedConfig)))
+  core.endGroup()
+}
+
+const expectedConfig = rawExpectedConfig ? JSON.parse(rawExpectedConfig) : undefined;
+
+assert.deepStrictEqual(
+  actualConfig,
+  expectedConfig,
+  'Expected configuration does not match actual configuration'
+);
+
+
+function loadActualConfig() {
+  if (!fs.existsSync(process.argv[2])) {
+    core.info('No configuration file found')
+    return undefined
+  } else {
+    const rawActualConfig = fs.readFileSync(process.argv[2], 'utf8')
+    core.startGroup('Actual generated user config')
+    core.info(rawActualConfig)
+    core.endGroup()
+
+    return yaml.load(rawActualConfig)
+  }
+}

.github/check-sarif/action.yml

@@ -0,0 +1,20 @@
+name: Check SARIF
+description: Checks a SARIF file to see if certain queries were run and others were not run.
+inputs:
+  sarif-file:
+    required: true
+    description: The SARIF file to check
+
+  queries-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should be included in this SARIF file.
+
+  queries-not-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should NOT be included in this SARIF file.
+
+runs:
+  using: node12
+  main: index.js

.github/codeql/codeql-actions-config.yml

@@ -1,4 +0,0 @@
-# Configuration for the CodeQL Actions Queries
-name: "CodeQL Actions Queries config"
-queries:
-  - uses: security-and-quality

.github/codeql/codeql-config.yml

@@ -7,7 +7,6 @@ queries:
   # we include both even though one is a superset of the
   # other, because we're testing the parsing logic and
   # that the suites exist in the codeql bundle.
-  - uses: security-experimental
   - uses: security-extended
   - uses: security-and-quality
 paths-ignore:

.github/dependabot.yml

@@ -1,46 +1,20 @@
 version: 2
 updates:
-  - package-ecosystem: npm
+  - package-ecosystem: "npm"
     directory: "/"
-    reviewers:
-      - "github/codeql-production-shield"
     schedule:
-      interval: weekly
+      interval: "weekly"
+      day: "thursday" # Gives us a working day to merge this before our typical release
     labels:
-      - Update dependencies
-    # Ignore incompatible dependency updates
+      - "Update dependencies"
     ignore:
-      # There is a type incompatibility issue between v0.0.9 and our other dependencies.
-      - dependency-name: "@octokit/plugin-retry"
-        versions: ["~6.0.0"]
-      # v7 requires ESM
-      - dependency-name: "del"
-        versions: ["^7.0.0"]
-      # This is broken due to the way configuration files have changed. 
-      # This might be fixed when we move to eslint v9.
-      - dependency-name: "eslint-plugin-import"
-        versions: [">=2.30.0"]
-    groups:
-      npm:
-        patterns:
-          - "*"
-  - package-ecosystem: github-actions
-    directory: "/"
-    reviewers:
-      - "github/codeql-production-shield"
+      - dependency-name: "*"
+        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
+  - package-ecosystem: "npm"
+    directory: "/runner"
     schedule:
-      interval: weekly
-    groups:
-      actions:
-        patterns:
-          - "*"
-  - package-ecosystem: github-actions
-    directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
-    reviewers:
-      - "github/codeql-production-shield"
-    schedule:
-      interval: weekly
-    groups:
-      actions-setup-swift:
-        patterns:
-          - "*"
+      interval: "weekly"
+      day: "thursday" # Gives us a working day to merge this before our typical release
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-minor", "version-update:semver-patch"]

.github/prepare-test/action.yml

@@ -0,0 +1,38 @@
+name: "Prepare test"
+description: Performs some preparation to run tests
+inputs:
+  version:
+    required: true
+outputs:
+  tools-url:
+    value: ${{ steps.get-url.outputs.tools-url }}
+runs:
+  using: composite
+  steps:
+    - name: Move codeql-action
+      shell: bash
+      run: |
+        mkdir ../action
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
+        mv ../action/.github/workflows .github
+    - id: get-url
+      name: Determine URL
+      shell: bash
+      run: |
+        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
+          export LATEST=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
+          echo "::set-output name=tools-url::https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$LATEST/codeql-bundle.tar.gz"
+        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
+          export VERSION=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
+          echo "::set-output name=tools-url::https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$VERSION-manual/codeql-bundle.tar.gz"
+        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
+          export VERSION=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
+          echo "::set-output name=tools-url::https://github.com/github/codeql-action/releases/download/codeql-bundle-$VERSION/codeql-bundle.tar.gz"
+        elif [[ ${{ inputs.version }} == "latest" ]]; then
+          echo "::set-output name=tools-url::latest"
+        elif [[ ${{ inputs.version }} == "cached" ]]; then
+          echo "::set-output name=tools-url::"
+        else
+          echo "::error Unrecognized version specified!"
+        fi

.github/query-filter-test/action.yml

@@ -0,0 +1,54 @@
+name: Query Filter Test
+description: Runs a test of query filters using the check SARIF action
+inputs:
+  sarif-file:
+    required: true
+    description: The SARIF file to check
+
+  queries-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should be included in this SARIF file.
+
+  queries-not-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should NOT be included in this SARIF file.
+
+  config-file:
+    required: true
+    description: |
+      The location of the codeql configuration file to use.
+
+  tools:
+    required: true
+    description: |
+      The url of codeql to use.
+
+runs:
+  using: composite
+  steps:
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        config-file: ${{ inputs.config-file }}
+        tools: ${{ inputs.tools }}
+        db-location: ${{ runner.temp }}/query-filter-test
+      env:
+        TEST_MODE: "true"
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: false
+      env:
+        TEST_MODE: "true"
+    - name: Check SARIF
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file:  ${{ inputs.sarif-file }}
+        queries-run: ${{ inputs.queries-run}}
+        queries-not-run: ${{ inputs.queries-not-run}}
+    - name: Cleanup after test
+      shell: bash
+      run: rm -rf "$RUNNER_TEMP/results" "$RUNNER_TEMP/query-filter-test"

.github/releases.ini

@@ -1 +0,0 @@
-OLDEST_SUPPORTED_MAJOR_VERSION=3

.github/update-release-branch.py

@@ -1,13 +1,11 @@
 import argparse
 import datetime
-import fileinput
-import re
 from github import Github
 import json
 import os
 import subprocess
 
-EMPTY_CHANGELOG = """# CodeQL Action Changelog
+EMPTY_CHANGELOG = """# CodeQL Action and CodeQL Runner Changelog
 
 ## [UNRELEASED]
 
@@ -15,9 +13,14 @@ No user facing changes.
 
 """
 
-# NB: This exact commit message is used to find commits for reverting during backports.
-# Changing it requires a transition period where both old and new versions are supported.
-BACKPORT_COMMIT_MESSAGE = 'Update version and changelog for v'
+# Value of the mode flag for a v1 release
+V1_MODE = 'v1-release'
+
+# Value of the mode flag for a v2 release
+V2_MODE = 'v2-release'
+
+SOURCE_BRANCH_FOR_MODE = { V1_MODE: 'releases/v2', V2_MODE: 'main' }
+TARGET_BRANCH_FOR_MODE = { V1_MODE: 'releases/v1', V2_MODE: 'releases/v2' }
 
 # Name of the remote
 ORIGIN = 'origin'
@@ -29,7 +32,7 @@ def run_git(*args, allow_non_zero_exit_code=False):
   cmd = ['git', *args]
   p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
   if not allow_non_zero_exit_code and p.returncode != 0:
-    raise Exception(f'Call to {" ".join(cmd)} exited with code {p.returncode} stderr: {p.stderr.decode("ascii")}.')
+    raise Exception('Call to ' + ' '.join(cmd) + ' exited with code ' + str(p.returncode) + ' stderr:' + p.stderr.decode('ascii'))
   return p.stdout.decode('ascii')
 
 # Returns true if the given branch exists on the origin remote
@@ -39,21 +42,21 @@ def branch_exists_on_remote(branch_name):
 # Opens a PR from the given branch to the target branch
 def open_pr(
   repo, all_commits, source_branch_short_sha, new_branch_name, source_branch, target_branch,
-  conductor, is_primary_release, conflicted_files):
+  conductor, is_v2_release, labels, conflicted_files):
   # Sort the commits into the pull requests that introduced them,
   # and any commits that don't have a pull request
   pull_requests = []
   commits_without_pull_requests = []
   for commit in all_commits:
-    pr = get_pr_for_commit(commit)
+    pr = get_pr_for_commit(repo, commit)
 
     if pr is None:
       commits_without_pull_requests.append(commit)
     elif not any(p for p in pull_requests if p.number == pr.number):
       pull_requests.append(pr)
 
-  print(f'Found {len(pull_requests)} pull requests.')
-  print(f'Found {len(commits_without_pull_requests)} commits not in a pull request.')
+  print('Found ' + str(len(pull_requests)) + ' pull requests')
+  print('Found ' + str(len(commits_without_pull_requests)) + ' commits not in a pull request')
 
   # Sort PRs and commits by age
   pull_requests = sorted(pull_requests, key=lambda pr: pr.number)
@@ -61,7 +64,7 @@ def open_pr(
 
   # Start constructing the body text
   body = []
-  body.append(f'Merging {source_branch_short_sha} into `{target_branch}`.')
+  body.append('Merging ' + source_branch_short_sha + ' into ' + target_branch)
 
   body.append('')
   body.append(f'Conductor for this PR is @{conductor}.')
@@ -93,33 +96,32 @@ def open_pr(
       'branch to resolve the merge conflicts.')
   body.append(' - [ ] Ensure the CHANGELOG displays the correct version and date.')
   body.append(' - [ ] Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.')
-  body.append(f' - [ ] Check that there are not any unexpected commits being merged into the `{target_branch}` branch.')
+  body.append(' - [ ] Check that there are not any unexpected commits being merged into the ' + target_branch + ' branch.')
   body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.')
 
-  if not is_primary_release:
+  if not is_v2_release:
     body.append(' - [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.')
     body.append(' - [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.')
+    body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
 
-  body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
-  body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')
+  body.append(' - [ ] Approve and merge this PR.')
 
-  if is_primary_release:
+  if is_v2_release:
     body.append(' - [ ] Merge the mergeback PR that will automatically be created once this PR is merged.')
-    body.append(' - [ ] Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.')
+    body.append(' - [ ] Merge the v1 release PR that will automatically be created once this PR is merged.')
 
-  title = f'Merge {source_branch} into {target_branch}'
-  labels = ['Update dependencies'] if not is_primary_release else []
+  title = 'Merge ' + source_branch + ' into ' + target_branch
 
   # Create the pull request
   # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
   # a maintainer can take the PR out of draft, thereby triggering the PR checks.
   pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=target_branch, draft=True)
   pr.add_to_labels(*labels)
-  print(f'Created PR #{str(pr.number)}')
+  print('Created PR #' + str(pr.number))
 
   # Assign the conductor
   pr.add_to_assignees(conductor)
-  print(f'Assigned PR to {conductor}')
+  print('Assigned PR to ' + conductor)
 
 # Gets a list of the SHAs of all commits that have happened on the source branch
 # since the last release to the target branch.
@@ -128,7 +130,7 @@ def open_pr(
 def get_commit_difference(repo, source_branch, target_branch):
   # Passing split nothing means that the empty string splits to nothing: compare `''.split() == []`
   # to `''.split('\n') == ['']`.
-  commits = run_git('log', '--pretty=format:%H', f'{ORIGIN}/{target_branch}..{ORIGIN}/{source_branch}').strip().split()
+  commits = run_git('log', '--pretty=format:%H', ORIGIN + '/' + target_branch + '..' + ORIGIN + '/' + source_branch).strip().split()
 
   # Convert to full-fledged commit objects
   commits = [repo.get_commit(c) for c in commits]
@@ -144,13 +146,13 @@ def is_pr_merge_commit(commit):
 def get_truncated_commit_message(commit):
   message = commit.commit.message.split('\n')[0]
   if len(message) > 60:
-    return f'{message[:57]}...'
+    return message[:57] + '...'
   else:
     return message
 
 # Converts a commit into the PR that introduced it to the source branch.
 # Returns the PR object, or None if no PR could be found.
-def get_pr_for_commit(commit):
+def get_pr_for_commit(repo, commit):
   prs = commit.get_pulls()
 
   if prs.totalCount > 0:
@@ -172,78 +174,10 @@ def get_current_version():
   with open('package.json', 'r') as f:
     return json.load(f)['version']
 
-# `npm version` doesn't always work because of merge conflicts, so we
-# replace the version in package.json textually.
-def replace_version_package_json(prev_version, new_version):
-  prev_line_is_codeql = False
-  for line in fileinput.input('package.json', inplace = True, encoding='utf-8'):
-    if prev_line_is_codeql and f'\"version\": \"{prev_version}\"' in line:
-      print(line.replace(prev_version, new_version), end='')
-    else:
-      prev_line_is_codeql = False
-      print(line, end='') 
-    if '\"name\": \"codeql\",' in line:
-        prev_line_is_codeql = True 
-
 def get_today_string():
   today = datetime.datetime.today()
   return '{:%d %b %Y}'.format(today)
 
-def process_changelog_for_backports(source_branch_major_version, target_branch_major_version):
-
-  # changelog entries can use the following format to indicate
-  # that they only apply to newer versions
-  some_versions_only_regex = re.compile(r'\[v(\d+)\+ only\]')
-
-  output = ''
-
-  with open('CHANGELOG.md', 'r') as f:
-
-    # until we find the first section, just duplicate all lines
-    found_first_section = False
-    while not found_first_section:
-      line = f.readline()
-      if not line:
-        raise Exception('Could not find any change sections in CHANGELOG.md') # EOF
-
-      if line.startswith('## '):
-        line = line.replace(f'## {source_branch_major_version}', f'## {target_branch_major_version}')
-        found_first_section = True
-
-      output += line
-
-    # found_content tracks whether we hit two headings in a row
-    found_content = False
-    output += '\n'
-    while True:
-      line = f.readline()
-      if not line:
-        break # EOF
-      line = line.rstrip('\n')
-
-      # filter out changenote entries that apply only to newer versions
-      match = some_versions_only_regex.search(line)
-      if match:
-        if int(target_branch_major_version) < int(match.group(1)):
-          continue
-
-      if line.startswith('## '):
-        line = line.replace(f'## {source_branch_major_version}', f'## {target_branch_major_version}')
-        if found_content == False:
-          # we have found two headings in a row, so we need to add the placeholder message.
-          output += 'No user facing changes.\n'
-        found_content = False
-        output += f'\n{line}\n\n'
-      else:
-        if line.strip() != '':
-          found_content = True
-          # we use the original line here, rather than the stripped version
-          # so that we preserve indentation
-          output += line + '\n'
-
-    with open('CHANGELOG.md', 'w') as f:
-      f.write(output)
-
 def update_changelog(version):
   if (os.path.exists('CHANGELOG.md')):
     content = ''
@@ -252,7 +186,7 @@ def update_changelog(version):
   else:
     content = EMPTY_CHANGELOG
 
-  newContent = content.replace('[UNRELEASED]', f'{version} - {get_today_string()}', 1)
+  newContent = content.replace('[UNRELEASED]', version + ' - ' + get_today_string(), 1)
 
   with open('CHANGELOG.md', 'w') as f:
     f.write(newContent)
@@ -274,22 +208,14 @@ def main():
     help='The nwo of the repository, for example github/codeql-action.'
   )
   parser.add_argument(
-    '--source-branch',
+    '--mode',
     type=str,
     required=True,
-    help='Source branch for release branch update.'
-  )
-  parser.add_argument(
-    '--target-branch',
-    type=str,
-    required=True,
-    help='Target branch for release branch update.'
-  )
-  parser.add_argument(
-    '--is-primary-release',
-    action='store_true',
-    default=False,
-    help='Whether this update is the primary release for the current major version.'
+    choices=[V2_MODE, V1_MODE],
+    help=f"Which release to perform. '{V2_MODE}' uses {SOURCE_BRANCH_FOR_MODE[V2_MODE]} as the source " +
+      f"branch and {TARGET_BRANCH_FOR_MODE[V2_MODE]} as the target branch. " +
+      f"'{V1_MODE}' uses {SOURCE_BRANCH_FOR_MODE[V1_MODE]} as the source branch and " +
+      f"{TARGET_BRANCH_FOR_MODE[V1_MODE]} as the target branch."
   )
   parser.add_argument(
     '--conductor',
@@ -300,76 +226,66 @@ def main():
 
   args = parser.parse_args()
 
-  source_branch = args.source_branch
-  target_branch = args.target_branch
-  is_primary_release = args.is_primary_release
+  source_branch = SOURCE_BRANCH_FOR_MODE[args.mode]
+  target_branch = TARGET_BRANCH_FOR_MODE[args.mode]
 
   repo = Github(args.github_token).get_repo(args.repository_nwo)
+  version = get_current_version()
 
-  # the target branch will be of the form releases/vN, where N is the major version number
-  target_branch_major_version = target_branch.strip('releases/v')
-
-  # split version into major, minor, patch
-  _, v_minor, v_patch = get_current_version().split('.')
-
-  version = f"{target_branch_major_version}.{v_minor}.{v_patch}"
+  if args.mode == V1_MODE:
+    # Change the version number to a v1 equivalent
+    version = get_current_version()
+    version = f'1{version[1:]}'
 
   # Print what we intend to go
-  print(f'Considering difference between {source_branch} and {target_branch}...')
-  source_branch_short_sha = run_git('rev-parse', '--short', f'{ORIGIN}/{source_branch}').strip()
-  print(f'Current head of {source_branch} is {source_branch_short_sha}.')
+  print('Considering difference between ' + source_branch + ' and ' + target_branch)
+  source_branch_short_sha = run_git('rev-parse', '--short', ORIGIN + '/' + source_branch).strip()
+  print('Current head of ' + source_branch + ' is ' + source_branch_short_sha)
 
   # See if there are any commits to merge in
   commits = get_commit_difference(repo=repo, source_branch=source_branch, target_branch=target_branch)
   if len(commits) == 0:
-    print(f'No commits to merge from {source_branch} to {target_branch}.')
+    print('No commits to merge from ' + source_branch + ' to ' + target_branch)
     return
 
-  # define distinct prefix in order to support specific pr checks on backports
-  branch_prefix = 'update' if is_primary_release else 'backport'
-
   # The branch name is based off of the name of branch being merged into
   # and the SHA of the branch being merged from. Thus if the branch already
   # exists we can assume we don't need to recreate it.
-  new_branch_name = f'{branch_prefix}-v{version}-{source_branch_short_sha}'
-  print(f'Branch name is {new_branch_name}.')
+  new_branch_name = 'update-v' + version + '-' + source_branch_short_sha
+  print('Branch name is ' + new_branch_name)
 
   # Check if the branch already exists. If so we can abort as this script
   # has already run on this combination of branches.
   if branch_exists_on_remote(new_branch_name):
-    print(f'Branch {new_branch_name} already exists. Nothing to do.')
+    print('Branch ' + new_branch_name + ' already exists. Nothing to do.')
     return
 
   # Create the new branch and push it to the remote
-  print(f'Creating branch {new_branch_name}.')
+  print('Creating branch ' + new_branch_name)
 
-  # The process of creating the v{Older} release can run into merge conflicts. We commit the unresolved
+  # The process of creating the v1 release can run into merge conflicts. We commit the unresolved
   # conflicts so a maintainer can easily resolve them (vs erroring and requiring maintainers to
   # reconstruct the release manually)
   conflicted_files = []
 
-  if not is_primary_release:
-
-    # the source branch will be of the form releases/vN, where N is the major version number
-    source_branch_major_version = source_branch.strip('releases/v')
-
+  if args.mode == V1_MODE:
     # If we're performing a backport, start from the target branch
     print(f'Creating {new_branch_name} from the {ORIGIN}/{target_branch} branch')
     run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{target_branch}')
 
     # Revert the commit that we made as part of the last release that updated the version number and
-    # changelog to refer to {older}.x.x variants. This avoids merge conflicts in the changelog and
-    # package.json files when we merge in the v{latest} branch.
-    # This commit will not exist the first time we release the v{N-1} branch from the v{N} branch, so we
+    # changelog to refer to 1.x.x variants. This avoids merge conflicts in the changelog and
+    # package.json files when we merge in the v2 branch.
+    # This commit will not exist the first time we release the v1 branch from the v2 branch, so we
     # use `git log --grep` to conditionally revert the commit.
-    print('Reverting the version number and changelog updates from the last release to avoid conflicts')
-    vOlder_update_commits = run_git('log', '--grep', f'^{BACKPORT_COMMIT_MESSAGE}', '--format=%H').split()
+    print('Reverting the 1.x.x version number and changelog updates from the last release to avoid conflicts')
+    v1_update_commits = run_git('log', '--grep', '^Update version and changelog for v', '--format=%H').split()
 
-    if len(vOlder_update_commits) > 0:
-      print(f'  Reverting {vOlder_update_commits[0]}')
+    if len(v1_update_commits) > 0:
+      print(f'  Reverting {v1_update_commits[0]}')
       # Only revert the newest commit as older ones will already have been reverted in previous
       # releases.
-      run_git('revert', vOlder_update_commits[0], '--no-edit')
+      run_git('revert', v1_update_commits[0], '--no-edit')
 
       # Also revert the "Update checked-in dependencies" commit created by Actions.
       update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0]
@@ -387,18 +303,21 @@ def main():
       run_git('add', '.')
       run_git('commit', '--no-edit')
 
-    # Migrate the package version number from a vLatest version number to a vOlder version number
-    print(f'Setting version number to {version} in package.json')
-    replace_version_package_json(get_current_version(), version) # We rely on the `Update dependencies` workflow to update package-lock.json
-    run_git('add', 'package.json')
+    # Migrate the package version number from a v2 version number to a v1 version number
+    print(f'Setting version number to {version}')
+    subprocess.check_output(['npm', 'version', version, '--no-git-tag-version'])
+    run_git('add', 'package.json', 'package-lock.json')
 
-    # Migrate the changelog notes from vLatest version numbers to vOlder version numbers
-    print(f'Migrating changelog notes from v{source_branch_major_version} to v{target_branch_major_version}')
-    process_changelog_for_backports(source_branch_major_version, target_branch_major_version)
+    # Migrate the changelog notes from v2 version numbers to v1 version numbers
+    print('Migrating changelog notes from v2 to v1')
+    subprocess.check_output(['sed', '-i', 's/^## 2\./## 1./g', 'CHANGELOG.md'])
+
+    # Remove changelog notes from v2 that don't apply to v1
+    subprocess.check_output(['sed', '-i', '/^- \[v2+ only\]/d', 'CHANGELOG.md'])
 
     # Amend the commit generated by `npm version` to update the CHANGELOG
     run_git('add', 'CHANGELOG.md')
-    run_git('commit', '-m', f'{BACKPORT_COMMIT_MESSAGE}{version}')
+    run_git('commit', '-m', f'Update version and changelog for v{version}')
   else:
     # If we're performing a standard release, there won't be any new commits on the target branch,
     # as these will have already been merged back into the source branch. Therefore we can just
@@ -423,7 +342,8 @@ def main():
     source_branch=source_branch,
     target_branch=target_branch,
     conductor=args.conductor,
-    is_primary_release=is_primary_release,
+    is_v2_release=args.mode == V2_MODE,
+    labels=['Update dependencies'] if args.mode == V1_MODE else [],
     conflicted_files=conflicted_files
   )
 

.github/workflows/__all-platform-bundle.yml

@@ -1,59 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - All-platform bundle
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  all-platform-bundle:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: All-platform bundle
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'true'
-          setup-kotlin: 'true'
-      - id: init
-        uses: ./../action/init
-        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__analyze-ref-input.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
@@ -10,57 +10,88 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   analyze-ref-input:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: macos-latest
+          version: stable-20210308
+        - os: windows-2019
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: macos-latest
+          version: stable-20210319
+        - os: windows-2019
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: macos-latest
+          version: stable-20210809
+        - os: windows-2019
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-2019
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
     name: "Analyze: 'ref' and 'sha' from inputs"
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        languages: cpp,csharp,java,javascript,python
+        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+          github.sha }}
+      env:
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        ref: refs/heads/main
+        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+      env:
+        TEST_MODE: true
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__autobuild-action.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: PR Check - autobuild-action
@@ -10,66 +10,65 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   autobuild-action:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
     name: autobuild-action
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: csharp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        env:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: csharp
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - uses: ./../action/autobuild
+      env:
       # Explicitly disable the CLR tracer.
-          COR_ENABLE_PROFILING: ''
-          COR_PROFILER: ''
-          COR_PROFILER_PATH_64: ''
-          CORECLR_ENABLE_PROFILING: ''
-          CORECLR_PROFILER: ''
-          CORECLR_PROFILER_PATH_64: ''
-      - uses: ./../action/analyze
-      - name: Check database
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d csharp ]]; then
-            echo "Did not find a C# database"
-            exit 1
-          fi
+        COR_ENABLE_PROFILING: ''
+        COR_PROFILER: ''
+        COR_PROFILER_PATH_64: ''
+        CORECLR_ENABLE_PROFILING: ''
+        CORECLR_PROFILER: ''
+        CORECLR_PROFILER_PATH_64: ''
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
+    - name: Check database
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d csharp ]]; then
+          echo "Did not find a C# database"
+          exit 1
+        fi
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -1,80 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Autobuild direct tracing (custom working directory)
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  autobuild-direct-tracing-with-working-dir:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Autobuild direct tracing (custom working directory)
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        shell: bash
-        run: |
-          # Make sure that Gradle build succeeds in autobuild-dir ...
-          cp -a ../action/tests/java-repo autobuild-dir
-          # ... and fails if attempted in the current directory
-          echo > build.gradle
-      - uses: ./../action/init
-        with:
-          build-mode: autobuild
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Check that indirect tracing is disabled
-        shell: bash
-        run: |
-          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
-            echo "Expected indirect tracing to be disabled, but the" \
-              "CODEQL_RUNNER environment variable is set."
-            exit 1
-          fi
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__autobuild-direct-tracing.yml

@@ -1,81 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Autobuild direct tracing
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  autobuild-direct-tracing:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Autobuild direct tracing
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Set up Java test repo configuration
-        shell: bash
-        run: |
-          mv * .github ../action/tests/multi-language-repo/
-          mv ../action/tests/multi-language-repo/.github/workflows .github
-          mv ../action/tests/java-repo/* .
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: autobuild
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Check that indirect tracing is disabled
-        shell: bash
-        run: |
-          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
-            echo "Expected indirect tracing to be disabled, but the" \
-              "CODEQL_RUNNER environment variable is set."
-            exit 1
-          fi
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__build-mode-autobuild.yml

@@ -1,73 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Build mode autobuild
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  build-mode-autobuild:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode autobuild
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Set up Java test repo configuration
-        run: |
-          mv * .github ../action/tests/multi-language-repo/
-          mv ../action/tests/multi-language-repo/.github/workflows .github
-          mv ../action/tests/java-repo/* .
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: autobuild
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate database build mode
-        run: |
-          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
-          build_mode=$(yq eval '.buildMode' "$metadata_path")
-          if [[ "$build_mode" != "autobuild" ]]; then
-            echo "Expected build mode to be 'autobuild' but was $build_mode"
-            exit 1
-          fi
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__build-mode-manual.yml

@@ -1,71 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Build mode manual
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  build-mode-manual:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode manual
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: manual
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate database build mode
-        run: |
-          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
-          build_mode=$(yq eval '.buildMode' "$metadata_path")
-          if [[ "$build_mode" != "manual" ]]; then
-            echo "Expected build mode to be 'manual' but was $build_mode"
-            exit 1
-          fi
-
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__build-mode-none.yml

@@ -1,73 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Build mode none
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  build-mode-none:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode none
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate database build mode
-        run: |
-          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
-          build_mode=$(yq eval '.buildMode' "$metadata_path")
-          if [[ "$build_mode" != "none" ]]; then
-            echo "Expected build mode to be 'none' but was $build_mode"
-            exit 1
-          fi
-
-  # The latest nightly supports omitting the autobuild Action when the build mode is specified.
-      - uses: ./../action/autobuild
-        if: matrix.version != 'nightly-latest'
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__build-mode-rollback.yml

@@ -1,74 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Build mode rollback
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  build-mode-rollback:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Build mode rollback
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Set up Java test repo configuration
-        run: |
-          mv * .github ../action/tests/multi-language-repo/
-          mv ../action/tests/multi-language-repo/.github/workflows .github
-          mv ../action/tests/java-repo/* .
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate database build mode
-        run: |
-          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
-          build_mode=$(yq eval '.buildMode' "$metadata_path")
-          if [[ "$build_mode" != "autobuild" ]]; then
-            echo "Expected build mode to be 'autobuild' but was $build_mode"
-            exit 1
-          fi
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -1,69 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Clean up database cluster directory
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  cleanup-db-cluster-dir:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Clean up database cluster directory
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Add a file to the database cluster directory
-        run: |
-          mkdir -p "${{ runner.temp }}/customDbLocation/javascript"
-          touch "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt"
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: none
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Validate file cleaned up
-        run: |
-          if [[ -f "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt" ]]; then
-            echo "File was not cleaned up"
-            exit 1
-          fi
-          echo "File was cleaned up"
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__config-export.yml

@@ -1,100 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Config export
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  config-export:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Config export
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          queries: security-extended
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check config properties appear in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-            const configSummary = run.properties.codeqlConfigSummary;
-
-            if (configSummary === undefined) {
-              core.setFailed('`codeqlConfigSummary` property not found in the SARIF run property bag.');
-            }
-            if (configSummary.disableDefaultQueries !== false) {
-              core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' +
-                `${JSON.stringify(configSummary.disableDefaultQueries)}.`);
-            }
-            const expectedQueries = [{ type: 'builtinSuite', uses: 'security-extended' }];
-            // Use JSON.stringify to deep-equal the arrays.
-            if (JSON.stringify(configSummary.queries) !== JSON.stringify(expectedQueries)) {
-              core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` +
-                `${JSON.stringify(configSummary.queries)}.`);
-            }
-            core.info('Finished config export tests.');
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__config-input.yml

@@ -1,77 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Config input
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  config-input:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Config input
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Copy queries into workspace
-        run: |
-          cp -a ../action/queries .
-
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: javascript
-          build-mode: none
-          config: |
-            disable-default-queries: true
-            queries:
-              - name: Run custom query
-                uses: ./queries/default-setup-environment-variables.ql
-            paths-ignore:
-              - tests
-              - lib
-
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-
-      - name: Check SARIF
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run: javascript/codeql-action/default-setup-env-vars
-          queries-not-run: javascript/codeql-action/default-setup-context-properties
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cpp-deptrace-disabled.yml

@@ -1,73 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - C/C++: disabling autoinstalling dependencies (Linux)'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  cpp-deptrace-disabled:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'C/C++: disabling autoinstalling dependencies (Linux)'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        shell: bash
-        run: |
-          cp -a ../action/tests/cpp-autobuild autobuild-dir
-      - uses: ./../action/init
-        with:
-          languages: cpp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-        env:
-          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
-      - shell: bash
-        run: |
-          if ls /usr/bin/errno; then
-            echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
-            exit 1
-          fi
-    env:
-      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cpp-deptrace-enabled-on-macos.yml

@@ -1,71 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - C/C++: autoinstalling dependencies is skipped (macOS)'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  cpp-deptrace-enabled-on-macos:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: nightly-latest
-    name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        shell: bash
-        run: |
-          cp -a ../action/tests/cpp-autobuild autobuild-dir
-      - uses: ./../action/init
-        with:
-          languages: cpp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-        env:
-          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - shell: bash
-        run: |
-          if ! ls /usr/bin/errno; then
-            echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
-          else
-            echo "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES should not have had any effect on macOS"
-            exit 1
-          fi
-    env:
-      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cpp-deptrace-enabled.yml

@@ -1,73 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - C/C++: autoinstalling dependencies (Linux)'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  cpp-deptrace-enabled:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: 'C/C++: autoinstalling dependencies (Linux)'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        shell: bash
-        run: |
-          cp -a ../action/tests/cpp-autobuild autobuild-dir
-      - uses: ./../action/init
-        with:
-          languages: cpp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-        env:
-          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
-      - shell: bash
-        run: |
-          if ! ls /usr/bin/errno; then
-            echo "Did not autoinstall errno"
-            exit 1
-          fi
-    env:
-      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__diagnostics-export.yml

@@ -1,137 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Diagnostic export
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  diagnostics-export:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Diagnostic export
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Add test diagnostics
-        shell: bash
-        env:
-          CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
-        run: |
-          "$CODEQL_PATH" database add-diagnostic \
-            "$RUNNER_TEMP/codeql_databases/javascript" \
-            --file-path /path/to/file \
-            --plaintext-message "Plaintext message" \
-            --source-id "lang/diagnostics/example" \
-            --source-name "Diagnostic name" \
-            --ready-for-status-page
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostics appear in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            function checkStatusPageNotification(n) {
-              const expectedMessage = 'Plaintext message';
-              if (n.message.text !== expectedMessage) {
-                core.setFailed(`Expected the status page diagnostic to have the message '${expectedMessage}', but found '${n.message.text}'.`);
-              }
-              if (n.locations.length !== 1) {
-                core.setFailed(`Expected the status page diagnostic to have exactly 1 location, but found ${n.locations.length}.`);
-              }
-            }
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const statusPageNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'lang/diagnostics/example' && n.properties?.visibility?.statusPage
-            );
-            if (statusPageNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${statusPageNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-            checkStatusPageNotification(statusPageNotifications[0]);
-
-            const notifications = run.tool.driver.notifications;
-            const diagnosticNotification = notifications.filter(n =>
-              n.id === 'lang/diagnostics/example' && n.name === 'lang/diagnostics/example' &&
-                n.fullDescription.text === 'Diagnostic name'
-            );
-            if (diagnosticNotification.length !== 1) {
-              core.setFailed(
-                'Expected exactly one notification for this diagnostic in the ' +
-                  `'runs[].tool.driver.notifications[]' SARIF property, but found ` +
-                  `${diagnosticNotification.length}. All notifications: ` +
-                  `${JSON.stringify(notifications)}.`
-              );
-            }
-
-            core.info('Finished diagnostic export test');
-    env:
-      CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__export-file-baseline-information.yml

@@ -1,95 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Export file baseline information
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  export-file-baseline-information:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Export file baseline information
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/.github/actions/setup-swift
-        if: runner.os == 'macOS'
-        with:
-          codeql-path: ${{ steps.init.outputs.codeql-path }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          expected_baseline_languages="c csharp go java kotlin javascript python ruby"
-          if [[ $RUNNER_OS == "macOS" ]]; then
-            expected_baseline_languages+=" swift"
-          fi
-
-          for lang in ${expected_baseline_languages}; do
-            rule_name="cli/expected-extracted-files/${lang}"
-            found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
-              select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
-            if [[ "${found_notification}" != "true" ]]; then
-              echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
-              exit 1
-            else
-              echo "Found notification '${rule_name}'."
-            fi
-          done
-    env:
-      CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__extract-direct-to-toolcache.yml

@@ -1,96 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Extract directly to toolcache
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  extract-direct-to-toolcache:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: Extract directly to toolcache
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            fs.rmdirSync(codeqlPath, { recursive: true });
-      - name: Install @actions/tool-cache
-        run: npm install @actions/tool-cache
-      - name: Check toolcache does not contain CodeQL
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            if (allCodeqlVersions.length !== 0) {
-              throw new Error(`CodeQL should not be found in the toolcache, but found ${allCodeqlVersions}`);
-            }
-            console.log('No versions of CodeQL found in the toolcache');
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Check CodeQL is installed within the toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const toolcache = require('@actions/tool-cache');
-            const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
-            console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
-            if (allCodeqlVersions.length === 0) {
-              throw new Error('CodeQL not found in toolcache');
-            }
-            if (allCodeqlVersions.length > 1) {
-              throw new Error('Multiple CodeQL versions found in toolcache');
-            }
-    env:
-      CODEQL_ACTION_EXTRACT_TOOLCACHE: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__extractor-ram-threads.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: PR Check - Extractor ram and threads options test
@@ -10,64 +10,59 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   extractor-ram-threads:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
+        - os: ubuntu-latest
+          version: latest
     name: Extractor ram and threads options test
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: java
-          ram: 230
-          threads: 1
-      - name: Assert Results
-        shell: bash
-        run: |
-          if [ "${CODEQL_RAM}" != "230" ]; then
-            echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
-            exit 1
-          fi
-          if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
-            echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
-            exit 1
-          fi
-          if [ "${CODEQL_THREADS}" != "1" ]; then
-            echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
-            exit 1
-          fi
-          if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
-            echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: java
+        ram: 230
+        threads: 1
+      env:
+        TEST_MODE: true
+    - name: Assert Results
+      shell: bash
+      run: |
+        if [ "${CODEQL_RAM}" != "230" ]; then
+          echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
+          exit 1
+        fi
+        if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
+          echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
+          exit 1
+        fi
+        if [ "${CODEQL_THREADS}" != "1" ]; then
+          echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
+          exit 1
+        fi
+        if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
+          echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
+          exit 1
+        fi
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__go-custom-queries.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: 'PR Check - Go: Custom queries'
@@ -10,55 +10,88 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   go-custom-queries:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: macos-latest
+          version: stable-20210308
+        - os: windows-2019
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: macos-latest
+          version: stable-20210319
+        - os: windows-2019
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: macos-latest
+          version: stable-20210809
+        - os: windows-2019
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-2019
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
     name: 'Go: Custom queries'
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-      - uses: ./../action/init
-        with:
-          languages: go
-          config-file: ./.github/codeql/custom-queries.yml
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        config-file: ./.github/codeql/custom-queries.yml
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__go-custom-tracing-autobuild.yml

@@ -0,0 +1,86 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: 'PR Check - Go: Autobuild custom tracing'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  go-custom-tracing-autobuild:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: macos-latest
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: macos-latest
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: macos-latest
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+    name: 'Go: Autobuild custom tracing'
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - uses: ./../action/autobuild
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
+    - shell: bash
+      run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
+    env:
+      CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
+      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__go-custom-tracing.yml

@@ -0,0 +1,96 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: 'PR Check - Go: Custom tracing'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  go-custom-tracing:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: macos-latest
+          version: stable-20210308
+        - os: windows-2019
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: macos-latest
+          version: stable-20210319
+        - os: windows-2019
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: macos-latest
+          version: stable-20210809
+        - os: windows-2019
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-2019
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
+    name: 'Go: Custom tracing'
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: go build main.go
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
+    env:
+      CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -1,91 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - Go: diagnostic when Go is changed after init step'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  go-indirect-tracing-workaround-diagnostic:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: 'Go: diagnostic when Go is changed after init step'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-      # We need a Go version that ships with statically linked binaries on Linux
-          go-version: '>=1.21.0'
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-  # Deliberately change Go after the `init` step
-      - uses: actions/setup-go@v5
-        with:
-          go-version: '1.20'
-      - name: Build code
-        shell: bash
-        run: go build main.go
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const statusPageNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'go/workflow/go-installed-after-codeql-init' && n.properties?.visibility?.statusPage
-            );
-            if (statusPageNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${statusPageNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml

@@ -1,92 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - Go: diagnostic when `file` is not installed'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  go-indirect-tracing-workaround-no-file-program:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: 'Go: diagnostic when `file` is not installed'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-      # We need a Go version that ships with statically linked binaries on Linux
-          go-version: '>=1.21.0'
-      - name: Remove `file` program
-        run: |
-          echo $(which file)
-          sudo rm -rf $(which file)
-          echo $(which file)
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: go build main.go
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Check diagnostic appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const statusPageNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'go/workflow/file-program-unavailable' && n.properties?.visibility?.statusPage
-            );
-            if (statusPageNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${statusPageNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -1,87 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - Go: workaround for indirect tracing'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  go-indirect-tracing-workaround:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-    name: 'Go: workaround for indirect tracing'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-      # We need a Go version that ships with statically linked binaries on Linux
-          go-version: '>=1.21.0'
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: go build main.go
-      - uses: ./../action/analyze
-      - shell: bash
-        run: |
-          if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
-            echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
-              "CODEQL_ACTION_GO_BINARY environment variable is not set."
-            exit 1
-          fi
-          if [[ ! -f "${CODEQL_ACTION_GO_BINARY}" ]]; then
-            echo "CODEQL_ACTION_GO_BINARY is set, but the corresponding script does not exist."
-            exit 1
-          fi
-
-
-          # Once we start running Bash 4.2 in all environments, we can replace the
-          # `! -z` flag with the more elegant `-v` which confirms that the variable
-          # is actually unset and not potentially set to a blank value.
-          if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
-            echo "Expected the Go autobuilder not to be run, but the" \
-              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
-            exit 1
-          fi
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d go ]]; then
-            echo "Did not find a Go database"
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-reconciled-tracing-autobuilder.yml

@@ -0,0 +1,91 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: 'PR Check - Go: Reconciled tracing with autobuilder'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  go-reconciled-tracing-autobuilder:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: macos-latest
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: macos-latest
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: macos-latest
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+    name: 'Go: Reconciled tracing with autobuilder'
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - uses: ./../action/autobuild
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
+    - shell: bash
+      run: |
+        if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
+          echo "Expected the Go autobuilder to be run, but the" \
+            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
+          exit 1
+        fi
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
+    env:
+      CODEQL_ACTION_RECONCILE_GO_EXTRACTION: 'true'
+      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__go-reconciled-tracing-custom-build-steps.yml

@@ -0,0 +1,112 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: 'PR Check - Go: Reconciled tracing with custom build steps'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  go-reconciled-tracing-custom-build-steps:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: macos-latest
+          version: stable-20210308
+        - os: windows-2019
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: macos-latest
+          version: stable-20210319
+        - os: windows-2019
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: macos-latest
+          version: stable-20210809
+        - os: windows-2019
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-2019
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
+    name: 'Go: Reconciled tracing with custom build steps'
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: go build main.go
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
+    - shell: bash
+      run: |
+        # Once we start running Bash 4.2 in all environments, we can replace the
+        # `! -z` flag with the more elegant `-v` which confirms that the variable
+        # is actually unset and not potentially set to a blank value.
+        if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
+          echo "Expected the Go autobuilder not to be run, but the" \
+            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
+          exit 1
+        fi
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
+    env:
+  # Enable reconciled Go tracing beta functionality
+      CODEQL_ACTION_RECONCILE_GO_EXTRACTION: 'true'
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__go-reconciled-tracing-legacy-workflow.yml

@@ -0,0 +1,86 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: 'PR Check - Go: Reconciled tracing with legacy workflow'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  go-reconciled-tracing-legacy-workflow:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: macos-latest
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: macos-latest
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: macos-latest
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+    name: 'Go: Reconciled tracing with legacy workflow'
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: actions/setup-go@v3
+      with:
+        go-version: ^1.13.1
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
+    - shell: bash
+      run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
+    env:
+  # Enable reconciled Go tracing beta functionality
+      CODEQL_ACTION_RECONCILE_GO_EXTRACTION: 'true'
+      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__go-tracing-autobuilder.yml

@@ -1,104 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - Go: tracing with autobuilder step'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  go-tracing-autobuilder:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-    name: 'Go: tracing with autobuilder step'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ~1.24.0
-      # to avoid potentially misleading autobuilder results where we expect it to download
-      # dependencies successfully, but they actually come from a warm cache
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-      - uses: ./../action/analyze
-      - shell: bash
-        run: |
-          if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
-            echo "Expected the Go autobuilder to be run, but the" \
-              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
-            exit 1
-          fi
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d go ]]; then
-            echo "Did not find a Go database"
-            exit 1
-          fi
-    env:
-      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -1,108 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - Go: tracing with custom build steps'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  go-tracing-custom-build-steps:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-    name: 'Go: tracing with custom build steps'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ~1.24.0
-      # to avoid potentially misleading autobuilder results where we expect it to download
-      # dependencies successfully, but they actually come from a warm cache
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: go build main.go
-      - uses: ./../action/analyze
-      - shell: bash
-        run: |
-          # Once we start running Bash 4.2 in all environments, we can replace the
-          # `! -z` flag with the more elegant `-v` which confirms that the variable
-          # is actually unset and not potentially set to a blank value.
-          if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
-            echo "Expected the Go autobuilder not to be run, but the" \
-              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
-            exit 1
-          fi
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d go ]]; then
-            echo "Did not find a Go database"
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -1,98 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: 'PR Check - Go: tracing with legacy workflow'
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  go-tracing-legacy-workflow:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-    name: 'Go: tracing with legacy workflow'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ~1.24.0
-      # to avoid potentially misleading autobuilder results where we expect it to download
-      # dependencies successfully, but they actually come from a warm cache
-          cache: false
-      - uses: ./../action/init
-        with:
-          languages: go
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-      - shell: bash
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d go ]]; then
-            echo "Did not find a Go database"
-            exit 1
-          fi
-    env:
-      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__init-with-registries.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Download using registries'
@@ -10,120 +10,74 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   init-with-registries:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
     name: 'Packaging: Download using registries'
-    permissions:
-      contents: read
-      packages: read
-
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Init with registries
-        uses: ./../action/init
-        with:
-          db-location: ${{ runner.temp }}/customDbLocation
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          config-file: ./.github/codeql/codeql-config-registries.yml
-          languages: javascript
-          registries: |
-            - url: "https://ghcr.io/v2/"
-              packages: "*/*"
-              token: "${{ secrets.GITHUB_TOKEN }}"
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Init with registries
+      uses: ./../action/init
+      with:
+        db-location: ${{ runner.temp }}/customDbLocation
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        config-file: ./.github/codeql/codeql-config-registries.yml
+        languages: javascript
+        registries: |
+          - url: "https://ghcr.io/v2/"
+            packages: "*/*"
+            token: "${{ secrets.GITHUB_TOKEN }}"
 
-      - name: Verify packages installed
-        shell: bash
-        run: |
-          PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
-          CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
+      env:
+        TEST_MODE: true
+    - name: Verify packages installed
+      shell: bash
+      run: |
+        PRIVATE_PACK="$HOME/.codeql/packages/dsp-testing/private-pack"
+        CODEQL_PACK1="$HOME/.codeql/packages/dsp-testing/codeql-pack1"
 
-          if [[ -d $PRIVATE_PACK ]]
-          then
-              echo "$PRIVATE_PACK was installed."
-          else
-              echo "::error $PRIVATE_PACK pack was not installed."
-              exit 1
-          fi
+        if [[ -d $PRIVATE_PACK ]]
+        then
+            echo "$PRIVATE_PACK was installed."
+        else
+            echo "::error $PRIVATE_PACK pack was not installed."
+            exit 1
+        fi
 
-          if [[ -d $CODEQL_PACK1 ]]
-          then
-              echo "$CODEQL_PACK1 was installed."
-          else
-              echo "::error $CODEQL_PACK1 pack was not installed."
-              exit 1
-          fi
-
-      - name: Verify qlconfig.yml file was created
-        shell: bash
-        run: |
-          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
-          echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
-          if [[ -f $QLCONFIG_PATH ]]
-          then
-              echo "qlconfig.yml file was created."
-          else
-              echo "::error qlconfig.yml file was not created."
-              exit 1
-          fi
-
-      - name: Verify contents of qlconfig.yml
-    # yq is not available on windows
-        if: runner.os != 'Windows'
-        shell: bash
-        run: |
-          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
-          cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
-          if [[ $? -eq 0 ]]
-          then
-              echo "Registry was added to qlconfig.yml file."
-          else
-              echo "::error Registry was not added to qlconfig.yml file."
-              echo "Contents of qlconfig.yml file:"
-              cat $QLCONFIG_PATH
-              exit 1
-          fi
+        if [[ -d $CODEQL_PACK1 ]]
+        then
+            echo "$CODEQL_PACK1 was installed."
+        else
+            echo "::error $CODEQL_PACK1 pack was not installed."
+            exit 1
+        fi
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__javascript-source-root.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: PR Check - Custom source root
@@ -10,65 +10,61 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   javascript-source-root:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
     name: Custom source root
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Move codeql-action
-        shell: bash
-        run: |
-          mkdir ../new-source-root
-          mv * ../new-source-root
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          source-root: ../new-source-root
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          skip-queries: true
-      - name: Assert database exists
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d javascript ]]; then
-            echo "Did not find a JavaScript database"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Move codeql-action
+      shell: bash
+      run: |
+        mkdir ../new-source-root
+        mv * ../new-source-root
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        source-root: ../new-source-root
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - uses: ./../action/analyze
+      with:
+        skip-queries: true
+        upload: false
+    - name: Assert database exists
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d javascript ]]; then
+          echo "Did not find a JavaScript database"
+          exit 1
+        fi
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__job-run-uuid-sarif.yml

@@ -1,74 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Job run UUID added to SARIF
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  job-run-uuid-sarif:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Job run UUID added to SARIF
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
-          if [[ "$actual" != "$JOB_RUN_UUID" ]]; then
-            echo "Expected SARIF output to contain job run UUID '$JOB_RUN_UUID', but found '$actual'."
-            exit 1
-          else
-            echo "Found job run UUID '$actual'."
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__language-aliases.yml

@@ -1,64 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Language aliases
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  language-aliases:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-    name: Language aliases
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: C#,java-kotlin,swift,typescript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Check languages
-        run: |
-          expected_languages="csharp,java,swift,javascript"
-          actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
-
-          if [ "$expected_languages" != "$actual_languages" ]; then
-            echo "Resolved languages did not match expected list. " \
-              "Expected languages: $expected_languages. Actual languages: $actual_languages."
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__ml-powered-queries.yml

@@ -0,0 +1,140 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - ML-powered queries
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  ml-powered-queries:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: windows-latest
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
+    name: ML-powered queries
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        queries: security-extended
+        source-root: ./../action/tests/ml-powered-queries-repo
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+      env:
+        TEST_MODE: true
+
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v3
+      with:
+        name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+        path: ${{ runner.temp }}/results/javascript.sarif
+        retention-days: 7
+
+    - name: Check sarif
+      uses: ./../action/.github/check-sarif
+      if: matrix.os != 'windows-latest' || matrix.version == 'latest' || matrix.version
+        == 'nightly-latest'
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
+        queries-not-run: foo,bar
+
+    - name: Check results
+    # Running ML-powered queries on Windows requires CodeQL CLI 2.9.0+. We don't run these checks
+    # against Windows and `cached` while CodeQL CLI 2.9.0 makes its way into `cached` to avoid the
+    # test starting to fail when the cached CodeQL Bundle gets updated. Once the CodeQL Bundle
+    # containing CodeQL CLI 2.9.0 has been fully released, we can drop this line and start running
+    # these checks on Windows and `cached`.
+      if: matrix.os != 'windows-latest' || matrix.version != 'cached'
+      env:
+      # Running on Windows requires CodeQL CLI 2.9.0+, which has so far only made it to 'latest'.
+        SHOULD_RUN_ML_POWERED_QUERIES: ${{ matrix.os != 'windows-latest' || matrix.version
+          == 'latest' || matrix.version == 'nightly-latest' }}
+      shell: bash
+      run: |
+        echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
+
+        cd "$RUNNER_TEMP/results"
+        # We should run at least the ML-powered queries in `expected_rules`.
+        expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
+
+        for rule in ${expected_rules}; do
+          found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
+            flatten | .[].id] | any(. == $rule)' javascript.sarif)
+          echo "Did find rule '${rule}': ${found_rule}"
+          if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
+            echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
+            exit 1
+          elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
+            echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
+            exit 1
+          fi
+        done
+
+        # We should have at least one alert from an ML-powered query.
+        num_alerts=$(jq '[.runs[0].results[] |
+          select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
+          javascript.sarif)
+        echo "Found ${num_alerts} alerts from ML-powered queries.";
+        if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
+          echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
+          exit 1
+        elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
+          echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
+          exit 1
+        fi
+    env:
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__multi-language-autodetect.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: PR Check - Multi-language repository
@@ -10,144 +10,100 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   multi-language-autodetect:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.18.4
-          - os: ubuntu-latest
-            version: stable-v2.18.4
-          - os: macos-latest
-            version: stable-v2.19.4
-          - os: ubuntu-latest
-            version: stable-v2.19.4
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: nightly-latest
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: macos-latest
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: macos-latest
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: macos-latest
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
     name: Multi-language repository
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-
-      - uses: ./../action/init
-        id: init
-        with:
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
-            || '' }}
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - uses: ./../action/.github/actions/setup-swift
-        if: runner.os == 'macOS'
-        with:
-          codeql-path: ${{ steps.init.outputs.codeql-path }}
-
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-
-      - name: Check language autodetect for all languages excluding Swift
-        shell: bash
-        run: |
-          CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
-          if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for CPP, or created it in the wrong location."
-            exit 1
-          fi
-          CSHARP_DB=${{ fromJson(steps.analysis.outputs.db-locations).csharp }}
-          if [[ ! -d $CSHARP_DB ]] || [[ ! $CSHARP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for C Sharp, or created it in the wrong location."
-            exit 1
-          fi
-          GO_DB=${{ fromJson(steps.analysis.outputs.db-locations).go }}
-          if [[ ! -d $GO_DB ]] || [[ ! $GO_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Go, or created it in the wrong location."
-            exit 1
-          fi
-          JAVA_DB=${{ fromJson(steps.analysis.outputs.db-locations).java }}
-          if [[ ! -d $JAVA_DB ]] || [[ ! $JAVA_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Java, or created it in the wrong location."
-            exit 1
-          fi
-          JAVASCRIPT_DB=${{ fromJson(steps.analysis.outputs.db-locations).javascript }}
-          if [[ ! -d $JAVASCRIPT_DB ]] || [[ ! $JAVASCRIPT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Javascript, or created it in the wrong location."
-            exit 1
-          fi
-          PYTHON_DB=${{ fromJson(steps.analysis.outputs.db-locations).python }}
-          if [[ ! -d $PYTHON_DB ]] || [[ ! $PYTHON_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Python, or created it in the wrong location."
-            exit 1
-          fi
-          RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
-          if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Ruby, or created it in the wrong location."
-            exit 1
-          fi
-
-      - name: Check language autodetect for Swift on macOS
-        if: runner.os == 'macOS'
-        shell: bash
-        run: |
-          SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
-          if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-            echo "Did not create a database for Swift, or created it in the wrong location."
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        db-location: ${{ runner.temp }}/customDbLocation
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      id: analysis
+      env:
+        TEST_MODE: true
+    - shell: bash
+      run: |
+        CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
+        if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for CPP, or created it in the wrong location."
+          exit 1
+        fi
+        CSHARP_DB=${{ fromJson(steps.analysis.outputs.db-locations).csharp }}
+        if [[ ! -d $CSHARP_DB ]] || [[ ! $CSHARP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for C Sharp, or created it in the wrong location."
+          exit 1
+        fi
+        GO_DB=${{ fromJson(steps.analysis.outputs.db-locations).go }}
+        if [[ ! -d $GO_DB ]] || [[ ! $GO_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Go, or created it in the wrong location."
+          exit 1
+        fi
+        JAVA_DB=${{ fromJson(steps.analysis.outputs.db-locations).java }}
+        if [[ ! -d $JAVA_DB ]] || [[ ! $JAVA_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Java, or created it in the wrong location."
+          exit 1
+        fi
+        JAVASCRIPT_DB=${{ fromJson(steps.analysis.outputs.db-locations).javascript }}
+        if [[ ! -d $JAVASCRIPT_DB ]] || [[ ! $JAVASCRIPT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Javascript, or created it in the wrong location."
+          exit 1
+        fi
+        PYTHON_DB=${{ fromJson(steps.analysis.outputs.db-locations).python }}
+        if [[ ! -d $PYTHON_DB ]] || [[ ! $PYTHON_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+          echo "Did not create a database for Python, or created it in the wrong location."
+          exit 1
+        fi
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Config and input passed to the CLI'
@@ -10,92 +10,93 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   packaging-codescanning-config-inputs-js:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-2019
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
     name: 'Packaging: Config and input passed to the CLI'
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
-          packs: +codeql-testing/codeql-pack1@1.0.0
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging3.yml
+        packs: +dsp-testing/codeql-pack1@1.0.0
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+      env:
+        TEST_MODE: true
 
-      - name: Check results
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-          queries-not-run: foo,bar
+    - name: Check results
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+        queries-not-run: foo,bar
 
-      - name: Assert Results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      CODEQL_PASS_CONFIG_TO_CLI: true
+
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__packaging-config-inputs-js.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Config and input'
@@ -10,92 +10,91 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   packaging-config-inputs-js:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-2019
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
     name: 'Packaging: Config and input'
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
-          packs: +codeql-testing/codeql-pack1@1.0.0
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging3.yml
+        packs: +dsp-testing/codeql-pack1@1.0.0
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+      env:
+        TEST_MODE: true
 
-      - name: Check results
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-          queries-not-run: foo,bar
+    - name: Check results
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+        queries-not-run: foo,bar
 
-      - name: Assert Results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__packaging-config-js.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Config file'
@@ -10,91 +10,90 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   packaging-config-js:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-2019
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
     name: 'Packaging: Config file'
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging.yml
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging.yml
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+      env:
+        TEST_MODE: true
 
-      - name: Check results
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-          queries-not-run: foo,bar
+    - name: Check results
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+        queries-not-run: foo,bar
 
-      - name: Assert Results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__packaging-inputs-js.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Action input'
@@ -10,91 +10,91 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   packaging-inputs-js:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-2019
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
     name: 'Packaging: Action input'
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging2.yml
-          languages: javascript
-          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging2.yml
+        languages: javascript
+        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+      env:
+        TEST_MODE: true
 
-      - name: Check results
-        uses: ./../action/.github/actions/check-sarif
-        with:
-          sarif-file: ${{ runner.temp }}/results/javascript.sarif
-          queries-run:
-            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-          queries-not-run: foo,bar
+    - name: Check results
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+        queries-not-run: foo,bar
 
-      - name: Assert Results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__remote-config.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: PR Check - Remote config file
@@ -10,52 +10,85 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   remote-config:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: macos-latest
+          version: stable-20210308
+        - os: windows-2019
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: macos-latest
+          version: stable-20210319
+        - os: windows-2019
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: macos-latest
+          version: stable-20210809
+        - os: windows-2019
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-2019
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
     name: Remote config file
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        languages: cpp,csharp,java,javascript,python
+        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+          github.sha }}
+      env:
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__resolve-environment-action.yml

@@ -1,90 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Resolve environment
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  resolve-environment-action:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Resolve environment
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: go,javascript-typescript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Resolve environment for Go
-        uses: ./../action/resolve-environment
-        id: resolve-environment-go
-        with:
-          language: go
-
-      - name: Fail if Go configuration missing
-        if: (!fromJSON(steps.resolve-environment-go.outputs.environment).configuration.go)
-        run: exit 1
-
-      - name: Resolve environment for JavaScript/TypeScript
-        uses: ./../action/resolve-environment
-        id: resolve-environment-js
-        with:
-          language: javascript-typescript
-
-      - name: Fail if JavaScript/TypeScript configuration present
-        if:
-          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
-        run: exit 1
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__rubocop-multi-language.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: PR Check - RuboCop multi-language
@@ -10,60 +10,65 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   rubocop-multi-language:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: default
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
     name: RuboCop multi-language
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Set up Ruby
-        uses: ruby/setup-ruby@32110d4e311bd8996b2a82bf2a43b714ccc91777 # v1.221.0
-        with:
-          ruby-version: 2.6
-      - name: Install Code Scanning integration
-        shell: bash
-        run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
-      - name: Install dependencies
-        shell: bash
-        run: bundle install
-      - name: RuboCop run
-        shell: bash
-        run: |
-          bash -c "
-            bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
-            [[ $? -ne 2 ]]
-          "
-      - uses: ./../action/upload-sarif
-        with:
-          sarif_file: rubocop.sarif
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+    - name: Install Code Scanning integration
+      shell: bash
+      run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
+    - name: Install dependencies
+      shell: bash
+      run: bundle install
+    - name: RuboCop run
+      shell: bash
+      run: |
+        bash -c "
+          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+          [[ $? -ne 2 ]]
+        "
+    - uses: ./../action/upload-sarif
+      with:
+        sarif_file: rubocop.sarif
+      env:
+        TEST_MODE: true
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__ruby.yml

@@ -1,75 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Ruby analysis
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  ruby:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-    name: Ruby analysis
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: ruby
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        shell: bash
-        run: |
-          RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
-          if [[ ! -d "$RUBY_DB" ]]; then
-            echo "Did not create a database for Ruby."
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__rust.yml

@@ -1,71 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Rust analysis
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  rust:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Rust analysis
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: rust
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-        env:
-          CODEQL_ACTION_RUST_ANALYSIS: true
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        shell: bash
-        run: |
-          RUST_DB="${{ fromJson(steps.analysis.outputs.db-locations).rust }}"
-          if [[ ! -d "$RUST_DB" ]]; then
-            echo "Did not create a database for Rust."
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__split-workflow.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: PR Check - Split workflow
@@ -10,90 +10,88 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   split-workflow:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
     name: Split workflow
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          config-file: .github/codeql/codeql-config-packaging3.yml
-          packs: +codeql-testing/codeql-pack1@1.0.0
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        with:
-          skip-queries: true
-          output: ${{ runner.temp }}/results
-          upload-database: false
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        config-file: .github/codeql/codeql-config-packaging3.yml
+        packs: +dsp-testing/codeql-pack1@1.0.0
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        skip-queries: true
+        output: ${{ runner.temp }}/results
+      env:
+        TEST_MODE: true
 
-      - name: Assert No Results
-        shell: bash
-        run: |
-          if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
-            echo "Expected results directory to be empty after skipping query execution!"
-            exit 1
-          fi
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Assert Results
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/results"
-          # We should have 4 hits from these rules
-          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+    - name: Assert No Results
+      shell: bash
+      run: |
+        if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
+          echo "Expected results directory to be empty after skipping query execution!"
+          exit 1
+        fi
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+      env:
+        TEST_MODE: true
+    - name: Assert Results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should have 4 hits from these rules
+        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-          echo "Found matching rules '$RULES'"
-          if [ "$RULES" != "$EXPECTED_RULES" ]; then
-            echo "Did not match expected rules '$EXPECTED_RULES'."
-            exit 1
-          fi
+        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+        echo "Found matching rules '$RULES'"
+        if [ "$RULES" != "$EXPECTED_RULES" ]; then
+          echo "Did not match expected rules '$EXPECTED_RULES'."
+          exit 1
+        fi
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__start-proxy.yml

@@ -1,75 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Start proxy
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  start-proxy:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: Start proxy
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          languages: csharp
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Setup proxy for registries
-        id: proxy
-        uses: ./../action/start-proxy
-        with:
-          registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json"
-            }]'
-
-      - name: Print proxy outputs
-        run: |
-          echo "${{ steps.proxy.outputs.proxy_host }}"
-          echo "${{ steps.proxy.outputs.proxy_port }}"
-          echo "${{ steps.proxy.outputs.proxy_urls }}"
-
-      - name: Fail if proxy outputs are not set
-        if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port)
-          || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
-        run: exit 1
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__submit-sarif-failure.yml

@@ -1,81 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Submit SARIF after failure
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  submit-sarif-failure:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: default
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Submit SARIF after failure
-    permissions:
-      contents: read
-      security-events: write # needed to upload the SARIF file
-
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: actions/checkout@v4
-      - uses: ./init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - name: Fail
-    # We want this job to pass if the Action correctly uploads the SARIF file for
-    # the failed run.
-    # Setting this step to continue on error means that it is marked as completing
-    # successfully, so will not fail the job.
-        continue-on-error: true
-        run: exit 1
-      - uses: ./analyze
-    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
-    # above, we manually disable it with an `if` condition.
-        if: false
-        with:
-          category: /test-codeql-version:${{ matrix.version }}
-    env:
-  # Internal-only environment variable used to indicate that the post-init Action
-  # should expect to upload a SARIF file for the failed run.
-      CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
-  # Make sure the uploading SARIF files feature is enabled.
-      CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
-  # Upload the failed SARIF file as an integration test of the API endpoint.
-      CODEQL_ACTION_TEST_MODE: false
-  # Mark telemetry for this workflow so it can be treated separately.
-      CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
-

.github/workflows/__swift-autobuild.yml

@@ -1,75 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Swift analysis using autobuild
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  swift-autobuild:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: nightly-latest
-    name: Swift analysis using autobuild
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: swift
-          build-mode: autobuild
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/.github/actions/setup-swift
-        with:
-          codeql-path: ${{steps.init.outputs.codeql-path}}
-      - name: Check working directory
-        shell: bash
-        run: pwd
-      - uses: ./../action/autobuild
-        timeout-minutes: 30
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        shell: bash
-        run: |
-          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
-          if [[ ! -d "$SWIFT_DB" ]]; then
-            echo "Did not create a database for Swift."
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__swift-custom-build.yml

@@ -1,80 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Swift analysis using a custom build command
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  swift-custom-build:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: macos-latest
-            version: default
-          - os: macos-latest
-            version: nightly-latest
-    name: Swift analysis using a custom build command
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          languages: swift
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/.github/actions/setup-swift
-        with:
-          codeql-path: ${{steps.init.outputs.codeql-path}}
-      - name: Check working directory
-        shell: bash
-        run: pwd
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - name: Check database
-        shell: bash
-        run: |
-          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
-          if [[ ! -d "$SWIFT_DB" ]]; then
-            echo "Did not create a database for Swift."
-            exit 1
-          fi
-    env:
-      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__test-autobuild-working-dir.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: PR Check - Autobuild working directory
@@ -10,63 +10,60 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   test-autobuild-working-dir:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
+        - os: ubuntu-latest
+          version: latest
     name: Autobuild working directory
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Test setup
-        shell: bash
-        run: |
-          # Make sure that Gradle build succeeds in autobuild-dir ...
-          cp -a ../action/tests/java-repo autobuild-dir
-          # ... and fails if attempted in the current directory
-          echo > build.gradle
-      - uses: ./../action/init
-        with:
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/autobuild
-        with:
-          working-directory: autobuild-dir
-      - uses: ./../action/analyze
-      - name: Check database
-        shell: bash
-        run: |
-          cd "$RUNNER_TEMP/codeql_databases"
-          if [[ ! -d java ]]; then
-            echo "Did not find a Java database"
-            exit 1
-          fi
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Test setup
+      shell: bash
+      run: |
+        # Make sure that Gradle build succeeds in autobuild-dir ...
+        cp -a ../action/tests/java-repo autobuild-dir
+        # ... and fails if attempted in the current directory
+        echo > build.gradle
+    - uses: ./../action/init
+      with:
+        languages: java
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - uses: ./../action/autobuild
+      with:
+        working-directory: autobuild-dir
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
+    - name: Check database
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d java ]]; then
+          echo "Did not find a Java database"
+          exit 1
+        fi
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__test-local-codeql.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: PR Check - Local CodeQL bundle
@@ -10,56 +10,50 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   test-local-codeql:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: nightly-latest
     name: Local CodeQL bundle
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Fetch a CodeQL bundle
-        shell: bash
-        env:
-          CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
-        run: |
-          wget "$CODEQL_URL"
-      - id: init
-        uses: ./../action/init
-        with:
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ./codeql-bundle-linux64.tar.zst
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - name: Fetch a CodeQL bundle
+      shell: bash
+      env:
+        CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
+      run: |
+        wget "$CODEQL_URL"
+    - uses: ./../action/init
+      with:
+        tools: ./codeql-bundle.tar.gz
+      env:
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__test-proxy.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: PR Check - Proxy test
@@ -10,67 +10,51 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   test-proxy:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
+        - os: ubuntu-latest
+          version: latest
     name: Proxy test
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-  # These steps are required to initialise the `gh` cli in a container that doesn't
-  # come pre-installed with it. The reason for that is that this is later
-  # needed by the `prepare-test` workflow to find the latest release of CodeQL.
-      - name: Set up GitHub CLI
-        run: |
-          apt update
-          apt install -y curl libreadline8 gnupg2 software-properties-common zstd
-          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-key add /usr/share/keyrings/githubcli-archive-keyring.gpg
-          apt-add-repository https://cli.github.com/packages
-          apt install -y gh
-        env: {}
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'false'
-      - uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
     env:
       https_proxy: http://squid-proxy:3128
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
     container:
-      image: ubuntu:22.04
+      image: ubuntu:18.04
+      options: --dns 127.0.0.1
     services:
       squid-proxy:
-        image: ubuntu/squid:latest
+        image: datadog/squid:latest
         ports:
-          - 3128:3128
+        - 3128:3128

.github/workflows/__test-ruby.yml

@@ -0,0 +1,71 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Ruby analysis
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  test-ruby:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+    name: Ruby analysis
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: ruby
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
+    - uses: ./../action/analyze
+      id: analysis
+      env:
+        TEST_MODE: true
+    - name: Check database
+      shell: bash
+      run: |
+        RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
+        if [[ ! -d "$RUBY_DB" ]]; then
+          echo "Did not create a database for Ruby."
+          exit 1
+        fi
+    env:
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES: 'true'
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__unset-environment.yml

@@ -1,106 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Test unsetting environment variables
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  unset-environment:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-    name: Test unsetting environment variables
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        id: init
-        with:
-          db-location: ${{ runner.temp }}/customDbLocation
-      # Swift is not supported on Ubuntu so we manually exclude it from the list here
-          languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: '>=1.21.0'
-      - name: Build code
-        shell: bash
-        run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-        with:
-          upload-database: false
-      - shell: bash
-        run: |
-          CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
-          if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
-            echo "::error::Did not create a database for CPP, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/cpp' but actual was '${CPP_DB}'"
-            exit 1
-          fi
-          CSHARP_DB="${{ fromJson(steps.analysis.outputs.db-locations).csharp }}"
-          if [[ ! -d "$CSHARP_DB" ]] || [[ ! "$CSHARP_DB" == "${RUNNER_TEMP}/customDbLocation/csharp" ]]; then
-            echo "::error::Did not create a database for C Sharp, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/csharp' but actual was '${CSHARP_DB}'"
-            exit 1
-          fi
-          GO_DB="${{ fromJson(steps.analysis.outputs.db-locations).go }}"
-          if [[ ! -d "$GO_DB" ]] || [[ ! "$GO_DB" == "${RUNNER_TEMP}/customDbLocation/go" ]]; then
-            echo "::error::Did not create a database for Go, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/go' but actual was '${GO_DB}'"
-            exit 1
-          fi
-          JAVA_DB="${{ fromJson(steps.analysis.outputs.db-locations).java }}"
-          if [[ ! -d "$JAVA_DB" ]] || [[ ! "$JAVA_DB" == "${RUNNER_TEMP}/customDbLocation/java" ]]; then
-            echo "::error::Did not create a database for Java, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/java' but actual was '${JAVA_DB}'"
-            exit 1
-          fi
-          JAVASCRIPT_DB="${{ fromJson(steps.analysis.outputs.db-locations).javascript }}"
-          if [[ ! -d "$JAVASCRIPT_DB" ]] || [[ ! "$JAVASCRIPT_DB" == "${RUNNER_TEMP}/customDbLocation/javascript" ]]; then
-            echo "::error::Did not create a database for Javascript, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/javascript' but actual was '${JAVASCRIPT_DB}'"
-            exit 1
-          fi
-          PYTHON_DB="${{ fromJson(steps.analysis.outputs.db-locations).python }}"
-          if [[ ! -d "$PYTHON_DB" ]] || [[ ! "$PYTHON_DB" == "${RUNNER_TEMP}/customDbLocation/python" ]]; then
-            echo "::error::Did not create a database for Python, or created it in the wrong location." \
-              "Expected location was '${RUNNER_TEMP}/customDbLocation/python' but actual was '${PYTHON_DB}'"
-            exit 1
-          fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__upload-ref-sha-input.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
@@ -10,63 +10,95 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   upload-ref-sha-input:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: macos-latest
+          version: stable-20210308
+        - os: windows-2019
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: macos-latest
+          version: stable-20210319
+        - os: windows-2019
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: macos-latest
+          version: stable-20210809
+        - os: windows-2019
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-2019
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
     name: "Upload-sarif: 'ref' and 'sha' from inputs"
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          languages: cpp,csharp,java,javascript,python
-          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-            github.sha }}
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-  # Generate some SARIF we can upload with the upload-sarif step
-      - uses: ./../action/analyze
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-          upload: never
-      - uses: ./../action/upload-sarif
-        with:
-          ref: refs/heads/main
-          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        languages: cpp,csharp,java,javascript,python
+        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+          github.sha }}
+      env:
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        ref: refs/heads/main
+        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+        upload: false
+      env:
+        TEST_MODE: true
+    - uses: ./../action/upload-sarif
+      with:
+        ref: refs/heads/main
+        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+      env:
+        TEST_MODE: true
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__with-checkout-path.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+#     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 
 name: PR Check - Use a custom `checkout_path`
@@ -10,105 +10,139 @@ env:
 on:
   push:
     branches:
-      - main
-      - releases/v*
+    - main
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
   workflow_dispatch: {}
 jobs:
   with-checkout-path:
     strategy:
-      fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: macos-latest
+          version: stable-20210308
+        - os: windows-2019
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: macos-latest
+          version: stable-20210319
+        - os: windows-2019
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: macos-latest
+          version: stable-20210809
+        - os: windows-2019
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-2019
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
     name: Use a custom `checkout_path`
-    permissions:
-      contents: read
-      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Delete original checkout
-        shell: bash
-        run: |
-          # delete the original checkout so we don't accidentally use it.
-          # Actions does not support deleting the current working directory, so we
-          # delete the contents of the directory instead.
-          rm -rf ./* .github .git
-  # Check out the actions repo again, but at a different location.
-  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-      - uses: actions/checkout@v4
-        with:
-          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
-          path: x/y/z/some-path
-
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: actions/checkout@v3
+      with:
+        ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        path: x/y/z/some-path
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
       # it's enough to test one compiled language and one interpreted language
-          languages: csharp,javascript
-          source-root: x/y/z/some-path/tests/multi-language-repo
+        languages: csharp,javascript
+        source-path: x/y/z/some-path/tests/multi-language-repo
+        debug: true
+      env:
+        TEST_MODE: true
+    - name: Build code (non-windows)
+      shell: bash
+      if: ${{ runner.os != 'Windows' }}
+      run: |
+        $CODEQL_RUNNER x/y/z/some-path/tests/multi-language-repo/build.sh
+    - name: Build code (windows)
+      shell: bash
+      if: ${{ runner.os == 'Windows' }}
+      run: |
+        x/y/z/some-path/tests/multi-language-repo/build.sh
+    - uses: ./../action/analyze
+      with:
+        checkout_path: x/y/z/some-path/tests/multi-language-repo
+        ref: v1.1.0
+        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        upload: false
+      env:
+        TEST_MODE: true
 
-      - name: Build code
-        shell: bash
-        working-directory: x/y/z/some-path/tests/multi-language-repo
-        run: |
-          ./build.sh
+    - uses: ./../action/upload-sarif
+      with:
+        ref: v1.1.0
+        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        checkout_path: x/y/z/some-path/tests/multi-language-repo
+      env:
+        TEST_MODE: true
 
-      - uses: ./../action/analyze
-        with:
-          checkout_path: x/y/z/some-path/tests/multi-language-repo
-          ref: v1.1.0
-          sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+    - name: Verify SARIF after upload
+      shell: bash
+      run: |
+        EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
+        EXPECTED_REF="v1.1.0"
+        EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
 
-      - name: Verify SARIF after upload
-        shell: bash
-        run: |
-          EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
-          EXPECTED_REF="v1.1.0"
-          EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
+        ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
+        ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
+        ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
 
-          ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
-          ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
-          ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+        if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
+          echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi
 
-          if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
-            echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
-            echo "$RUNNER_TEMP/payload.json"
-            exit 1
-          fi
+        if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
+          echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi
 
-          if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
-            echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
-            echo "$RUNNER_TEMP/payload.json"
-            exit 1
-          fi
-
-          if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
-            echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
-            echo "$RUNNER_TEMP/payload.json"
-            exit 1
-          fi
+        if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
+          echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi
     env:
-      CODEQL_ACTION_TEST_MODE: true
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__zstd-bundle-streaming.yml

@@ -1,110 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Zstandard bundle (streaming)
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  zstd-bundle-streaming:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-    name: Zstandard bundle (streaming)
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            if (codeqlPath !== undefined) {
-              fs.rmdirSync(codeqlPath, { recursive: true });
-            }
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os }}-zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            if (!toolsUrl.endsWith('.tar.zst')) {
-              core.setFailed(
-                `Expected the tools URL to be a .tar.zst file, but found ${toolsUrl}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_ZSTD_BUNDLE: true
-      CODEQL_ACTION_ZSTD_BUNDLE_STREAMING_EXTRACTION: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__zstd-bundle.yml

@@ -1,113 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - Zstandard bundle
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  zstd-bundle:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: macos-latest
-            version: linked
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-    name: Zstandard bundle
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Remove CodeQL from toolcache
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const fs = require('fs');
-            const path = require('path');
-            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
-            if (codeqlPath !== undefined) {
-              fs.rmdirSync(codeqlPath, { recursive: true });
-            }
-      - id: init
-        uses: ./../action/init
-        with:
-          languages: javascript
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-      - uses: ./../action/analyze
-        with:
-          output: ${{ runner.temp }}/results
-          upload-database: false
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os }}-zstd-bundle.sarif
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Check diagnostic with expected tools URL appears in SARIF
-        uses: actions/github-script@v7
-        env:
-          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
-        with:
-          script: |
-            const fs = require('fs');
-
-            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
-            const run = sarif.runs[0];
-
-            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
-            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
-              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
-            );
-            if (downloadTelemetryNotifications.length !== 1) {
-              core.setFailed(
-                'Expected exactly one reporting descriptor in the ' +
-                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
-                  `${JSON.stringify(toolExecutionNotifications)}.`
-              );
-            }
-
-            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
-            console.log(`Found tools URL: ${toolsUrl}`);
-
-            const expectedExtension = process.env['RUNNER_OS'] === 'Windows' ? '.tar.gz' : '.tar.zst';
-
-            if (!toolsUrl.endsWith(expectedExtension)) {
-              core.setFailed(
-                `Expected the tools URL to be a ${expectedExtension} file, but found ${toolsUrl}.`
-              );
-            }
-    env:
-      CODEQL_ACTION_ZSTD_BUNDLE: true
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/check-expected-release-files.yml

@@ -13,12 +13,9 @@ jobs:
   check-expected-release-files:
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout CodeQL Action
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
       - name: Check Expected Release Files
         run: |
           bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"

.github/workflows/codeql.yml

@@ -2,19 +2,12 @@ name: "CodeQL action"
 
 on:
   push:
-    branches: [main, releases/v*]
+    branches: [main, releases/v1, releases/v2]
   pull_request:
-    branches: [main, releases/v*]
+    branches: [main, releases/v1, releases/v2]
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
-  schedule:
-    # Weekly on Sunday.
-    - cron: '30 1 * * 0'
-  workflow_dispatch:
-
-env:
-  CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
 
 jobs:
   # Identify the CodeQL tool versions to use in the analysis job.
@@ -24,10 +17,10 @@ jobs:
       versions: ${{ steps.compare.outputs.versions }}
 
     permissions:
-      contents: read
+      security-events: write
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
     - name: Init with default CodeQL bundle from the VM image
       id: init-default
       uses: ./init
@@ -41,7 +34,7 @@ jobs:
       id: init-latest
       uses: ./init
       with:
-        tools: linked
+        tools: latest
         languages: javascript
     - name: Compare default and latest CodeQL bundle versions
       id: compare
@@ -54,40 +47,36 @@ jobs:
         echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
         echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
 
-        # If we're running on a pull request, run with both bundles, even if `tools: linked` would
+        # If we're running on a pull request, run with both bundles, even if `tools: latest` would
         # be the same as `tools: null`. This allows us to make the job for each of the bundles a
         # required status check.
         #
-        # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
+        # If we're running on push, then we can skip running with `tools: latest` when it would be
         # the same as running with `tools: null`.
         if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
           VERSIONS_JSON='[null]'
         else
-          VERSIONS_JSON='[null, "linked"]'
+          VERSIONS_JSON='[null, "latest"]'
         fi
 
         # Output a JSON-encoded list with the distinct versions to test against.
         echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
-        echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT
+        echo "::set-output name=versions::${VERSIONS_JSON}"
 
-  analyze-javascript:
+  build:
     needs: [check-codeql-versions]
     strategy:
-      fail-fast: false
       matrix:
-        os: [ubuntu-20.04,ubuntu-22.04,windows-2019,windows-2022,macos-13,macos-14]
+        os: [ubuntu-latest,windows-latest,macos-latest]
         tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 
     permissions:
-      contents: read
       security-events: write
 
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - name: Initialize CodeQL
-      uses: ./init
+    - uses: actions/checkout@v3
+    - uses: ./init
       id: init
       with:
         languages: javascript
@@ -96,31 +85,4 @@ jobs:
     # confirm steps.init.outputs.codeql-path points to the codeql binary
     - name: Print CodeQL Version
       run: ${{steps.init.outputs.codeql-path}} version --format=json
-    - name: Perform CodeQL Analysis
-      uses: ./analyze
-      with:
-        category: "/language:javascript"
-
-
-  analyze-actions:
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-
-    permissions:
-      contents: read
-      security-events: write
-
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - name: Initialize CodeQL
-      uses: ./init
-      with:
-        languages: actions
-        config-file: ./.github/codeql/codeql-actions-config.yml
-    - name: Perform CodeQL Analysis
-      uses: ./analyze
-      with:
-        category: "/language:actions"
+    - uses: ./analyze

.github/workflows/codescanning-config-cli.yml

@@ -3,43 +3,38 @@
 name: Code-Scanning config CLI tests
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  CODEQL_PASS_CONFIG_TO_CLI: true
 
 on:
   push:
     branches:
     - main
-    - releases/v*
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
     - opened
     - synchronize
     - reopened
     - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
   workflow_dispatch: {}
 
 jobs:
   code-scanning-config-tests:
     continue-on-error: true
 
-    permissions:
-      contents: read
-      packages: read
-      security-events: read
-
     strategy:
-      fail-fast: false
+      fail-fast: true
       matrix:
         include:
         - os: ubuntu-latest
-          version: linked
+          version: latest
         - os: macos-latest
-          version: linked
+          version: latest
         - os: ubuntu-latest
-          version: default
+          version: cached
         - os: macos-latest
-          version: default
+          version: cached
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
@@ -51,15 +46,15 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/actions/prepare-test
+      uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
 
     - name: Empty file
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
       with:
         expected-config-file-contents: "{}"
         languages: javascript
@@ -67,31 +62,31 @@ jobs:
 
     - name: Packs from input
       if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
-            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
+            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
           }
         languages: javascript
-        packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
+        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Packs from input with +
       if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
-            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
+            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
           }
         languages: javascript
-        packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
+        packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Queries from input
       if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -103,7 +98,7 @@ jobs:
 
     - name: Queries from input with +
       if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -115,27 +110,27 @@ jobs:
 
     - name: Queries and packs from input with +
       if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
             "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }],
-            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
+            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
           }
         languages: javascript
         queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
-        packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
+        packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Queries and packs from config
       if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
             "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }],
             "packs": {
-              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
+              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
             }
           }
         languages: javascript
@@ -144,7 +139,7 @@ jobs:
 
     - name: Queries and packs from config overriden by input
       if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -159,7 +154,7 @@ jobs:
 
     - name: Queries and packs from config merging with input
       if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -168,7 +163,7 @@ jobs:
               { "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }
             ],
             "packs": {
-              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2", "codeql/javascript-queries" ]
+              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2", "codeql/javascript-queries" ]
             }
           }
         languages: javascript
@@ -179,12 +174,12 @@ jobs:
 
     - name: Multi-language packs from config
       if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
             "packs": {
-              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ],
+              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ],
               "ruby": ["codeql/ruby-queries"]
             },
             "queries": [
@@ -197,7 +192,7 @@ jobs:
 
     - name: Other config properties
       if: success() || failure()
-      uses: ./../action/.github/actions/check-codescanning-config
+      uses: ./../action/.github/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -211,3 +206,15 @@ jobs:
         packs: + codeql/javascript-queries
         config-file-test: .github/codeql/other-config-properties.yml
         tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+    - name: Config not generated when env var is not set
+      if: success() || failure()
+      env:
+        CODEQL_PASS_CONFIG_TO_CLI: false
+      uses: ./../action/.github/check-codescanning-config
+      with:
+        expected-config-file-contents: ""
+        languages: javascript
+        packs: + codeql/javascript-queries
+        config-file-test: .github/codeql/other-config-properties.yml
+        tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/debug-artifacts-failure-safe.yml

@@ -1,102 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist
-# when the analyze step fails.
-name: PR Check - Debug artifacts after failure
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.20.3
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts after failure in analyze
-    continue-on-error: true
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    permissions:
-      contents: read
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Dump GitHub event
-        run: cat "${GITHUB_EVENT_PATH}"
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-        env:
-          # Forces a failure in this step.
-          CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
-        with:
-          expect-error: true
-  download-and-check-artifacts:
-    name: Download and check debug artifacts after failure in analyze
-    needs: upload-artifacts
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            echo "Artifacts from version $version:"
-            pushd "./my-debug-artifacts-${version//./}"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
-                echo "Missing a partial database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "log" ]] ; then
-                echo "Missing database initialization logs"
-                exit 1
-              fi
-              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto

.github/workflows/debug-artifacts-failure.yml

@@ -0,0 +1,90 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist
+# when the analyze step fails.
+name: PR Check - Debug artifacts after failure
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    name: Upload debug artifacts after failure in analyze
+    continue-on-error: true
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Dump GitHub event
+        run: cat "${GITHUB_EVENT_PATH}"
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/prepare-test
+        with:
+          version: latest
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+        env:
+          TEST_MODE: true
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis  
+        with:
+          expect-error: true
+          ram: 1
+        env:
+          TEST_MODE: true
+  download-and-check-artifacts:
+    name: Download and check debug artifacts after failure in analyze
+    needs: upload-artifacts
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v3
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          OPERATING_SYSTEMS="ubuntu-latest macos-latest"
+          LANGUAGES="cpp csharp go java javascript python"
+          for os in $OPERATING_SYSTEMS; do
+            pushd "./my-debug-artifacts-$os"
+            echo "Artifacts from run on $os:"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
+                echo "Missing a partial database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "log" ]] ; then
+                echo "Missing database initialization logs"
+                exit 1
+              fi
+              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
+            done
+            popd
+          done
+        env:
+          INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/debug-artifacts-safe.yml

@@ -1,97 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist.
-name: PR Check - Debug artifact upload
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.20.3
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        id: init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
-          languages: cpp,csharp,go,java,javascript,python,ruby
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-  download-and-check-artifacts:
-    name: Download and check debug artifacts
-    needs: upload-artifacts
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          VERSIONS="stable-v2.20.3 default linked nightly-latest"
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            pushd "./my-debug-artifacts-${version//./}"
-            echo "Artifacts from version $version:"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "$language.sarif" ]] ; then
-                echo "Missing a SARIF file for $language"
-                exit 1
-              fi
-              if [[ ! -f "my-db-$language.zip" ]] ; then
-                echo "Missing a database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto

.github/workflows/debug-artifacts.yml

@@ -0,0 +1,87 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist.
+name: PR Check - Debug artifact upload
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        version: [stable-20210308, stable-20210319, stable-20210809, cached, latest, nightly-latest]
+    name: Upload debug artifacts
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/prepare-test
+        with:
+          version: ${{ matrix.version }}
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+        env:
+          TEST_MODE: true
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis  
+        env:
+          TEST_MODE: true
+  download-and-check-artifacts:
+    name: Download and check debug artifacts
+    needs: upload-artifacts
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v3
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          OPERATING_SYSTEMS="ubuntu-latest macos-latest"
+          VERSIONS="stable-20210308 stable-20210319 stable-20210809 cached latest nightly-latest"
+          LANGUAGES="cpp csharp go java javascript python"
+          for os in $OPERATING_SYSTEMS; do
+            for version in $VERSIONS; do
+              pushd "./my-debug-artifacts-$os-$version"
+              echo "Artifacts from version $version on $os:"
+              for language in $LANGUAGES; do
+                echo "- Checking $language"
+                if [[ ! -f "$language.sarif" ]] ; then
+                  echo "Missing a SARIF file for $language"
+                  exit 1
+                fi
+                if [[ ! -f "my-db-$language.zip" ]] ; then
+                  echo "Missing a database bundle for $language"
+                  exit 1
+                fi
+                if [[ ! -d "$language/log" ]] ; then
+                  echo "Missing logs for $language"
+                  exit 1
+                fi
+              done
+              popd
+            done
+          done
+        env:
+          INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/expected-queries-runs.yml

@@ -4,45 +4,45 @@ on:
   push:
     branches:
     - main
-    - releases/v*
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
     - opened
     - synchronize
     - reopened
     - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
   workflow_dispatch: {}
 
 jobs:
   expected-queries:
     name: Expected Queries Tests
-    env:
-      CODEQL_ACTION_TEST_MODE: true
     timeout-minutes: 45
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      security-events: read
     steps:
     - name: Check out repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/actions/prepare-test
+      uses: ./.github/prepare-test
       with:
-        version: linked
+        version: latest
     - uses: ./../action/init
       with:
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        TEST_MODE: true
     - uses: ./../action/analyze
       with:
         output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: false
+      env:
+        TEST_MODE: true
 
     - name: Check Sarif
-      uses: ./../action/.github/actions/check-sarif
+      uses: ./../action/.github/check-sarif
       with:
         sarif-file: ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/incomplete-hostname-regexp,js/path-injection

.github/workflows/post-release-mergeback.yml

@@ -1,9 +1,8 @@
-# This workflow runs after a merge to any release branch of the action. It:
-# 1. Tags the merge commit on the release branch that represents the new release with an `vN.x.y`
-#    tag
-# 2. Updates the `vN` tag to refer to this merge commit.
-# 3. Iff vN == vLatest, merges any changes from the release back into the main branch.
-#    Typically, this is two commits – one to update the version number and one to update dependencies.
+# This workflow runs after a release of the action. For v2 releases, it merges any changes from the
+# release back into the main branch. Typically, this is just a single commit that updates the
+# changelog. For v2 and v1 releases, it then (a) tags the merge commit on the release branch that
+# represents the new release with an `vx.y.z` tag and (b) updates the `vx` tag to refer to this
+# commit.
 name: Tag release and merge back
 
 on:
@@ -16,21 +15,17 @@ on:
 
   push:
     branches:
-      - releases/v*
+      - releases/v1
+      - releases/v2
 
 jobs:
   merge-back:
     runs-on: ubuntu-latest
-    environment: Automation
     if: github.repository == 'github/codeql-action'
     env:
       BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
       HEAD_BRANCH: "${{ github.head_ref || github.ref }}"
 
-    permissions:
-      contents: write # needed to create tags and push commits
-      pull-requests: write
-
     steps:
       - name: Dump environment
         run: env
@@ -40,26 +35,23 @@ jobs:
           GITHUB_CONTEXT: '${{ toJson(github) }}'
         run: echo "${GITHUB_CONTEXT}"
 
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
 
       - name: Update git config
         run: |
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --global user.email "github-actions@github.com"
           git config --global user.name "github-actions[bot]"
 
       - name: Get version and new branch
         id: getVersion
         run: |
           VERSION="v$(jq '.version' -r 'package.json')"
-          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "::set-output name=version::${VERSION}"
           short_sha="${GITHUB_SHA:0:8}"
           NEW_BRANCH="mergeback/${VERSION}-to-${BASE_BRANCH}-${short_sha}"
-          echo "newBranch=${NEW_BRANCH}" >> $GITHUB_OUTPUT
-          LATEST_RELEASE_BRANCH=$(git branch -r | grep -E "origin/releases/v[0-9]+$" | sed 's/origin\///g' | sort -V | tail -1 | xargs)
-          echo "latest_release_branch=${LATEST_RELEASE_BRANCH}" >> $GITHUB_OUTPUT
+          echo "::set-output name=newBranch::${NEW_BRANCH}"
+
 
       - name: Dump branches
         env:
@@ -68,8 +60,6 @@ jobs:
           echo "BASE_BRANCH ${BASE_BRANCH}"
           echo "HEAD_BRANCH ${HEAD_BRANCH}"
           echo "NEW_BRANCH ${NEW_BRANCH}"
-          echo "LATEST_RELEASE_BRANCH ${LATEST_RELEASE_BRANCH}"
-          echo "GITHUB_REF ${GITHUB_REF}"
 
       - name: Create mergeback branch
         env:
@@ -87,7 +77,7 @@ jobs:
           exists="$?"
           if [ "${exists}" -eq 0 ]; then
             echo "Tag ${VERSION} exists. Not going to re-release."
-            echo "exists=true" >> $GITHUB_OUTPUT
+            echo "::set-output name=exists::true"
           else
             echo "Tag ${VERSION} does not exist yet."
           fi
@@ -100,6 +90,8 @@ jobs:
         env:
           VERSION: ${{ steps.getVersion.outputs.version }}
         run: |
+          # Unshallow the repo in order to allow pushes
+          git fetch --unshallow
           # Create the `vx.y.z` tag
           git tag --annotate "${VERSION}" --message "${VERSION}"
           # Update the `vx` tag
@@ -108,24 +100,13 @@ jobs:
           git tag --annotate "${major_version_tag}" --message "${major_version_tag}" --force
           # Push the tags, using:
           # - `--atomic` to make sure we either update both tags or neither (an intermediate state,
-          #   e.g. where we update the vN.x.y tag on the remote but not the vN tag, could result in
-          #   unwanted Dependabot updates, e.g. from vN to vN.x.y)
-          # - `--force` since we're overwriting the `vN` tag
+          #   e.g. where we update the v2.x.y tag on the remote but not the v2 tag, could result in
+          #   unwanted Dependabot updates, e.g. from v2 to v2.x.y)
+          # - `--force` since we're overwriting the `vx` tag
           git push origin --atomic --force refs/tags/"${VERSION}" refs/tags/"${major_version_tag}"
 
-      - name: Prepare partial Changelog
-        env:
-          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ steps.getVersion.outputs.version }}"
-        run: |
-          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG
-
-          echo "::group::Partial CHANGELOG"
-          cat $PARTIAL_CHANGELOG
-          echo "::endgroup::"
-
       - name: Create mergeback branch
-        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
+        if: steps.check.outputs.exists != 'true' && contains(github.ref, 'releases/v2')
         env:
           VERSION: "${{ steps.getVersion.outputs.version }}"
           NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
@@ -141,16 +122,15 @@ jobs:
             - [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.
             - [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.
             - [ ] Mark the PR as ready for review to trigger the full set of PR checks.
-            - [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
-                  selected rather than "Squash and merge" or "Rebase and merge".
+            - [ ] Approve and merge the PR.
           EOF
           )
 
           # Update the version number ready for the next release
           npm version patch --no-git-tag-version
 
-          # Update the changelog, adding a new version heading directly above the most recent existing one
-          awk '!f && /##/{print "'"## [UNRELEASED]\n\nNo user facing changes.\n"'"; f=1}1' CHANGELOG.md > temp && mv temp CHANGELOG.md
+          # Update the changelog
+          perl -i -pe 's/^/## \[UNRELEASED\]\n\nNo user facing changes.\n\n/ if($.==3)' CHANGELOG.md
           git add .
           git commit -m "Update changelog and version after ${VERSION}"
 
@@ -166,23 +146,3 @@ jobs:
             --body "${pr_body}" \
             --assignee "${GITHUB_ACTOR}" \
             --draft
-
-      - name: Generate token
-        uses: actions/create-github-app-token@v1.11.6
-        id: app-token
-        with:
-          app-id: ${{ vars.AUTOMATION_APP_ID }}
-          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
-
-      - name: Create the GitHub release
-        env:
-          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ steps.getVersion.outputs.version }}"
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: |
-          # Do not mark this release as latest. The most recent CLI release must be marked as latest.
-          gh release create \
-            "$VERSION" \
-            --latest=false \
-            --title "$VERSION" \
-            --notes-file "$PARTIAL_CHANGELOG"

.github/workflows/pr-checks.yml

@@ -2,6 +2,7 @@ name: PR Checks
 
 on:
   push:
+    branches: [main, releases/v1, releases/v2]
   pull_request:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
@@ -13,132 +14,108 @@ jobs:
     name: Check JS
     runs-on: ubuntu-latest
     timeout-minutes: 45
-    permissions:
-      contents: read
-      security-events: write # needed to upload ESLint results
 
     strategy:
-      fail-fast: false
+      fail-fast: true
+      matrix:
+        node-types-version: [12.12, current]
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
 
       - name: Lint
-        id: lint
-        run: npm run-script lint-ci
+        run: npm run-script lint
 
-      - name: Upload sarif
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: eslint.sarif
-          category: eslint
+      - name: Update version of @types/node
+        if: matrix.node-types-version != 'current'
+        env:
+          NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
+        run: |
+          # Export `NODE_TYPES_VERSION` so it's available to jq
+          export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
+          contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
+          echo "${contents}" > package.json
+          # Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
+          # However we're not checking in the updated lockfile here, so it's fine to run
+          # `npm install` on Linux.
+          npm install
+
+          if [ ! -z "$(git status --porcelain)" ]; then
+            git config --global user.email "github-actions@github.com"
+            git config --global user.name "github-actions[bot]"
+            # The period in `git add --all .` ensures that we stage deleted files too.
+            git add --all .
+            git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
+          fi
 
       - name: Check generated JS
         run: .github/workflows/script/check-js.sh
 
   check-node-modules:
-    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
     name: Check modules up to date
-    permissions:
-      contents: read
     runs-on: macos-latest
     timeout-minutes: 45
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Check node modules up to date
         run: .github/workflows/script/check-node-modules.sh
 
   check-file-contents:
-    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
     name: Check file contents
-    permissions:
-      contents: read
     runs-on: ubuntu-latest
     timeout-minutes: 45
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
+
+      # Checks for any conflict markers created by git. This check is primarily intended to validate that
+      # any merge conflicts in the v2 -> v1 backport PR are fixed before the PR is merged.
+      - name: Check for merge conflicts
+        run: |
+          # Use `|| true` since grep returns exit code 1 if there are no matches, and we don't want
+          # this to fail the workflow.
+          FILES_WITH_CONFLICTS=$(grep --extended-regexp --ignore-case --line-number --recursive \
+            '^(<<<<<<<|>>>>>>>)' . || true)
+          if [[ "${FILES_WITH_CONFLICTS}" ]]; then
+            echo "Fail: Found merge conflict markers in the following files:"
+            echo ""
+            echo "${FILES_WITH_CONFLICTS}"
+            exit 1
+          else
+            echo "Success: Found no merge conflict markers."
+          fi
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v3
         with:
-          python-version: 3.11
+          python-version: 3.8
 
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          # When updating this, update the autogenerated code header in `sync.py` too.
-          pip install ruamel.yaml==0.17.31
+          pip install ruamel.yaml
 
       # Ensure the generated PR check workflows are up to date.
       - name: Verify PR checks up to date
         run: .github/workflows/script/verify-pr-checks.sh
 
   npm-test:
-    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
     name: Unit Test
     needs: [check-js, check-node-modules]
     strategy:
-      fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-    permissions:
-      contents: read
     runs-on: ${{ matrix.os }}
     timeout-minutes: 45
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: npm test
         run: |
           # Run any commands referenced in package.json using Bash, otherwise
           # we won't be able to find them on Windows.
           npm config set script-shell bash
           npm test
-
-  check-node-version:
-    if: github.event.pull_request
-    name: Check Action Node versions
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-    env:
-      BASE_REF: ${{ github.base_ref }}
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v4
-      - id: head-version
-        name: Verify all Actions use the same Node version
-        run: |
-          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
-          echo "NODE_VERSION: ${NODE_VERSION}"
-          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
-            echo "::error::More than one node version used in 'action.yml' files."
-            exit 1
-          fi
-          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
-
-      - id: checkout-base
-        name: 'Backport: Check out base ref'
-        if: ${{ startsWith(github.head_ref, 'backport-') }}
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ env.BASE_REF }}
-
-      - name: 'Backport: Verify Node versions unchanged'
-        if: steps.checkout-base.outcome == 'success'
-        env:
-          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
-        run: |
-          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
-          echo "HEAD_VERSION: ${HEAD_VERSION}"
-          echo "BASE_VERSION: ${BASE_VERSION}"
-          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
-            echo "::error::Cannot change the Node version of an Action in a backport PR."
-            exit 1
-          fi

.github/workflows/publish-immutable-action.yml

@@ -1,35 +0,0 @@
-name: 'Publish Immutable Action Version'
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-
-    steps:
-      - name: Check release name
-        id: check
-        env:
-          RELEASE_NAME: ${{ github.event.release.name }}
-        run: |
-          echo "Release name: ${{ github.event.release.name }}"
-          if [[ $RELEASE_NAME == v* ]]; then
-            echo "This is a CodeQL Action release. Create an Immutable Action"
-            echo "is-action-release=true" >> $GITHUB_OUTPUT
-          else
-            echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
-            echo "is-action-release=false" >> $GITHUB_OUTPUT
-          fi
-      - name: Checking out
-        if: steps.check.outputs.is-action-release == 'true'
-        uses: actions/checkout@v4
-      - name: Publish
-        if: steps.check.outputs.is-action-release == 'true'
-        id: publish
-        uses: actions/publish-immutable-action@v0.0.4

.github/workflows/python-deps.yml

@@ -0,0 +1,191 @@
+name: Test Python Package Installation on Linux and Mac
+
+on:
+  push:
+    branches: [main, releases/v1, releases/v2]
+  pull_request:
+    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
+    # by other workflows.
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths:
+      # Changes to this workflow.
+      - '.github/workflows/python-deps.yml'
+      # Changes to the Python package installation scripts and their tests.
+      - 'python-setup/**'
+      # Changes to the default CodeQL bundle version.
+      - '**/defaults.json'
+  schedule:
+    # Weekly on Monday.
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+
+jobs:
+  test-setup-python-scripts:
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    strategy:
+        fail-fast: false
+        matrix:
+          os: [ubuntu-latest, ubuntu-22.04, macos-latest]
+          python_deps_type: [pipenv, poetry, requirements, setup_py]
+          python_version: [2, 3]
+          exclude:
+            # Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
+            - python_version: 2
+              python_deps_type: poetry
+            # Python2 and pipenv are not supported since pipenv v2021.11.5
+            - python_version: 2
+              python_deps_type: pipenv
+            # Python2 is not available on ubuntu-22.04 by default -- see https://github.com/github/codeql-action/pull/1257
+            - python_version: 2
+              os: ubuntu-22.04
+
+
+    env:
+      PYTHON_DEPS_TYPE: ${{ matrix.python_deps_type }}
+      PYTHON_VERSION: ${{ matrix.python_version }}
+
+    steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+    - uses: actions/checkout@v3
+
+    - name: Initialize CodeQL
+      uses: ./init
+      id: init
+      with:
+        tools: latest
+        languages: python
+        setup-python-dependencies: false
+
+    - name: Test Auto Package Installation
+      run: |
+        set -x
+        $GITHUB_WORKSPACE/python-setup/install_tools.sh
+
+        cd $GITHUB_WORKSPACE/python-setup/tests/${PYTHON_DEPS_TYPE}/requests-${PYTHON_VERSION}
+
+        case ${{ matrix.os }} in
+            ubuntu-latest*)     basePath="/opt";;
+            ubuntu-22.04*)     basePath="/opt";;
+            macos-latest*)    basePath="/Users/runner";;
+        esac
+        echo ${basePath}
+
+        $GITHUB_WORKSPACE/python-setup/auto_install_packages.py "$(dirname ${{steps.init.outputs.codeql-path}})"
+    - name: Setup for extractor
+      run: |
+        echo $CODEQL_PYTHON
+        # only run if $CODEQL_PYTHON is set
+        if [ ! -z $CODEQL_PYTHON ]; then
+            $GITHUB_WORKSPACE/python-setup/tests/from_python_exe.py $CODEQL_PYTHON;
+        fi
+
+    - name: Verify packages installed
+      run: |
+        $GITHUB_WORKSPACE/python-setup/tests/check_requests_2_26_0.sh ${PYTHON_VERSION}
+
+  # This one shouldn't fail, but also won't install packages
+  test-setup-python-scripts-non-standard-location:
+    runs-on: ${{ matrix.os }}
+    strategy:
+        fail-fast: false
+        matrix:
+          os: [ubuntu-latest, ubuntu-22.04, macos-latest]
+
+    steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+    - uses: actions/checkout@v3
+
+    - name: Initialize CodeQL
+      uses: ./init
+      id: init
+      with:
+        tools: latest
+        languages: python
+        setup-python-dependencies: false
+
+    - name: Test Auto Package Installation
+      run: |
+        set -x
+        $GITHUB_WORKSPACE/python-setup/install_tools.sh
+
+        cd $GITHUB_WORKSPACE/python-setup/tests/requirements/non-standard-location
+
+        case ${{ matrix.os }} in
+            ubuntu-latest*)     basePath="/opt";;
+            ubuntu-22.04*)     basePath="/opt";;
+            macos-latest*)    basePath="/Users/runner";;
+        esac
+        echo ${basePath}
+
+        $GITHUB_WORKSPACE/python-setup/auto_install_packages.py "$(dirname ${{steps.init.outputs.codeql-path}})"
+
+    - name: Setup for extractor
+      run: |
+        echo $CODEQL_PYTHON
+        # only run if $CODEQL_PYTHON is set
+        if [ ! -z $CODEQL_PYTHON ]; then
+            $GITHUB_WORKSPACE/python-setup/tests/from_python_exe.py $CODEQL_PYTHON;
+        fi
+
+    - name: Verify packages installed
+      run: |
+        test -z $LGTM_INDEX_IMPORT_PATH
+
+  test-setup-python-scripts-windows:
+    runs-on: windows-latest
+    strategy:
+        fail-fast: false
+        matrix:
+          python_deps_type: [pipenv, poetry, requirements, setup_py]
+          python_version: [2, 3]
+          exclude:
+            # Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
+            - python_version: 2
+              python_deps_type: poetry
+            # Python2 and pipenv are not supported since pipenv v2021.11.5
+            - python_version: 2
+              python_deps_type: pipenv
+
+    env:
+      PYTHON_DEPS_TYPE: ${{ matrix.python_deps_type }}
+      PYTHON_VERSION: ${{ matrix.python_version }}
+
+    steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+    - uses: actions/checkout@v3
+
+    - uses: actions/setup-python@v3
+      with:
+        python-version: ${{ matrix.python_version }}
+
+    - name: Initialize CodeQL
+      uses: ./init
+      with:
+        tools: latest
+        languages: python
+        setup-python-dependencies: false
+      env:
+        TEST_MODE: true
+
+    - name: Test Auto Package Installation
+      run: |
+        $cmd = $Env:GITHUB_WORKSPACE + "\\python-setup\\install_tools.ps1"
+        powershell -File $cmd
+
+        cd $Env:GITHUB_WORKSPACE\\python-setup/tests/$Env:PYTHON_DEPS_TYPE/requests-$Env:PYTHON_VERSION
+        $DefaultsPath = Join-Path (Join-Path $Env:GITHUB_WORKSPACE "src") "defaults.json"
+        $CodeQLBundleName = (Get-Content -Raw -Path $DefaultsPath | ConvertFrom-Json).bundleVersion
+        $CodeQLVersion = "0.0.0-" + $CodeQLBundleName.split("-")[-1]
+        py -3 $Env:GITHUB_WORKSPACE\\python-setup\\auto_install_packages.py C:\\hostedtoolcache\\windows\\CodeQL\\$CodeQLVersion\\x64\\codeql
+
+    - name: Setup for extractor
+      run: |
+        echo $Env:CODEQL_PYTHON
+
+        py -3 $Env:GITHUB_WORKSPACE\\python-setup\\tests\\from_python_exe.py $Env:CODEQL_PYTHON
+
+    - name: Verify packages installed
+      run: |
+        $cmd = $Env:GITHUB_WORKSPACE + "\\python-setup\\tests\\check_requests_2_26_0.ps1"
+        powershell -File $cmd $Env:PYTHON_VERSION

.github/workflows/python312-windows.yml

@@ -1,43 +0,0 @@
-name: Test that the workaround for python 3.12 on windows works
-
-on:
-  push:
-    branches: [main, releases/v*]
-  pull_request:
-    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
-    # by other workflows.
-    types: [opened, synchronize, reopened, ready_for_review]
-  schedule:
-    # Weekly on Monday.
-    - cron: '0 0 * * 1'
-  workflow_dispatch:
-
-jobs:
-  test-setup-python-scripts:
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    permissions:
-      contents: read
-    runs-on: windows-latest
-
-    steps:
-    - uses: actions/setup-python@v5
-      with:
-        python-version: 3.12
-
-    - uses: actions/checkout@v4
-
-    - name: Prepare test
-      uses: ./.github/actions/prepare-test
-      with:
-        version: default
-
-    - name: Initialize CodeQL
-      uses: ./../action/init
-      with:
-        tools: linked
-        languages: python
-
-    - name: Analyze
-      uses: ./../action/analyze

.github/workflows/query-filters.yml

@@ -4,15 +4,14 @@ on:
   push:
     branches:
     - main
-    - releases/v*
+    - releases/v1
+    - releases/v2
   pull_request:
     types:
     - opened
     - synchronize
     - reopened
     - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
   workflow_dispatch: {}
 
 jobs:
@@ -20,19 +19,17 @@ jobs:
     name: Query Filters Tests
     timeout-minutes: 45
     runs-on: ubuntu-latest
-    permissions:
-      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
     steps:
     - name: Check out repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/actions/prepare-test
+      uses: ./.github/prepare-test
       with:
-        version: linked
+        version: latest
 
     - name: Check SARIF for default queries with Single include, Single exclude
-      uses: ./../action/.github/actions/query-filter-test
+      uses: ./../action/.github/query-filter-test
       with:
         sarif-file:  ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/zipslip
@@ -41,7 +38,7 @@ jobs:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Check SARIF for query packs with Single include, Single exclude
-      uses: ./../action/.github/actions/query-filter-test
+      uses: ./../action/.github/query-filter-test
       with:
         sarif-file:  ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/zipslip,javascript/example/empty-or-one-block
@@ -50,7 +47,7 @@ jobs:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Check SARIF for query packs and local queries with Single include, Single exclude
-      uses: ./../action/.github/actions/query-filter-test
+      uses: ./../action/.github/query-filter-test
       with:
         sarif-file:  ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs

.github/workflows/rebuild.yml

@@ -1,82 +0,0 @@
-name: Rebuild Action
-
-on:
-  pull_request:
-    types: [labeled]
-  workflow_dispatch:
-
-jobs:
-  rebuild:
-    name: Rebuild Action
-    runs-on: ubuntu-latest
-    if: github.event.label.name == 'Rebuild'
-
-    permissions:
-      contents: write # needed to push rebuilt commit
-      pull-requests: write # needed to comment on the PR
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.ref }}
-
-      - name: Remove label
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          gh pr edit --repo github/codeql-action "$PR_NUMBER" \
-            --remove-label "Rebuild"
-
-      - name: Merge in changes from base branch
-        env:
-          BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
-        run: |
-          git fetch origin "$BASE_BRANCH"
-
-          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
-          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected"
-
-          # Check for merge conflicts outside of `lib`. Disable git diff's trailing whitespace check
-          # since `node_modules/@types/semver/README.md` fails it.
-          if git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/'; then
-            echo "Merge conflicts detected outside of lib/ directory. Please resolve them manually."
-            git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/' || true
-            exit 1
-          fi
-
-      - name: Compile TypeScript
-        run: |
-          npm install
-          npm run lint -- --fix
-          npm run build
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.11
-
-      - name: Generate workflows
-        run: |
-          cd pr-checks
-          python -m pip install --upgrade pip
-          pip install ruamel.yaml==0.17.31
-          python3 sync.py
-
-      - name: Check for changes and push
-        env:
-          BRANCH: ${{ github.event.pull_request.head.ref }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          if [ ! -z "$(git status --porcelain)" ]; then
-            git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-            git config --global user.name "github-actions[bot]"
-            git add --all
-            git commit -m "Rebuild"
-            git push origin "HEAD:$BRANCH"
-            echo "Pushed a commit to rebuild the Action." \
-              "Please mark the PR as ready for review to trigger PR checks." |
-              gh pr comment --body-file - --repo github/codeql-action "$PR_NUMBER"
-            gh pr ready --undo --repo github/codeql-action "$PR_NUMBER"
-          fi