Merge pull request #1248 from github/update-v1.1.23-6a38b7d4

Merge releases/v2 into releases/v1
Update checked-in dependencies
2025-12-06 15:58:06 +08:00 · 2022-09-16 10:57:15 +01:00 · 2022-09-15 09:18:20 +00:00 · 2022-09-15 09:07:19 +00:00 · 2022-09-15 09:07:13 +00:00 · 2022-09-15 09:07:13 +00:00
11619 changed files with 1472898 additions and 663404 deletions
--- a/.eslintrc.json
+++ b/.eslintrc.json
@@ -10,23 +10,32 @@
        "plugin:@typescript-eslint/recommended",
        "plugin:@typescript-eslint/recommended-requiring-type-checking",
        "plugin:github/recommended",
-        "plugin:github/typescript"
+        "plugin:github/typescript",
        "plugin:import/typescript"
    ],
    "rules": {
        "filenames/match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
        "i18n-text/no-en": "off",
        "import/extensions": "error",
        "import/no-amd": "error",
        "import/no-commonjs": "error",
        "import/no-dynamic-require": "error",
-        "import/no-extraneous-dependencies": ["error", {"devDependencies": false}],
+        // Disable the rule that checks that devDependencies aren't imported since we use a single
        // linting configuration file for both source and test code.
        "import/no-extraneous-dependencies": ["error", {"devDependencies": true}],
        "import/no-namespace": "off",
        "import/no-unresolved": "error",
        "import/no-webpack-loader-syntax": "error",
        "import/order": ["error", {
            "alphabetize": {"order": "asc"},
            "newlines-between": "always"
        }],
        "no-async-foreach/no-async-foreach": "error",
        "no-console": "off",
        "no-sequences": "error",
-        "one-var": ["error", "never"],
+        "no-shadow": "off",
-        "sort-imports": ["error", { "allowSeparatedGroups": true }]
+        "@typescript-eslint/no-shadow": ["error"],
        "one-var": ["error", "never"]
    },
    "overrides": [{
        // "temporarily downgraded during transition to eslint
@@ -39,20 +48,11 @@
            "@typescript-eslint/no-unsafe-call": "off",
            "@typescript-eslint/no-unsafe-member-access": "off",
            "@typescript-eslint/no-unsafe-return": "off",
            "@typescript-eslint/no-unused-vars": "off",
            "@typescript-eslint/no-var-requires": "off",
            "@typescript-eslint/prefer-regexp-exec": "off",
            "@typescript-eslint/require-await": "off",
            "@typescript-eslint/restrict-template-expressions": "off",
            "eslint-comments/no-use": "off",
            "func-style": "off",
            "github/array-foreach": "off",
            "github/no-then": "off",
            "import/no-extraneous-dependencies": "off",
            "no-shadow": "off",
            "no-sparse-arrays": "off",
            "no-throw-literal": "off",
            "no-useless-escape": "off",
            "sort-imports": "off"
        }
    }]
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,9 @@
 lib/*.js linguist-generated=true
 .github/workflows/__* linguist-generated=true
 # Reduce incidence of needless merge conflicts on CHANGELOG.md
 # The man page at
 # https://mirrors.edge.kernel.org/pub/software/scm/git/docs/gitattributes.html
 # suggests that this might interleave lines arbitrarily, but empirically
 # it keeps added chunks contiguous
 CHANGELOG.md                merge=union
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,5 +1,5 @@
 blank_issues_enabled: true
 contact_links:
  - name: Contact GitHub Support
-    url: https://support.github.com/contact?subject=Code+Scanning+Beta+Support&tags=code-scanning-support
+    url: https://support.github.com/request
-    about: Contact Support about code scanning
+    about: Contact Support 
--- a/.github/check-codescanning-config/action.yml
+++ b/.github/check-codescanning-config/action.yml
@@ -0,0 +1,60 @@
 name: Check Code-Scanning Config
 description: |
    Checks the code scanning configuration file generated by the
    action to ensure it contains the expected contents
 inputs:
  languages:
    required: false
    description: The languages field passed to the init action.
  packs:
    required: false
    description: The packs field passed to the init action.
  queries:
    required: false
    description: The queries field passed to the init action.
  config-file-test:
    required: false
    description: |
      The location of the config file to use. If empty,
      then no config file is used.
  expected-config-file-contents:
    required: true
    description: |
      A JSON string containing the exact contents of the config file.
  tools:
    required: true
    description: |
      The url of codeql to use.
 runs:
  using: composite
  steps:
    - uses: ./../action/init
      with:
        languages: ${{ inputs.languages }}
        config-file: ${{ inputs.config-file-test }}
        queries: ${{ inputs.queries }}
        packs: ${{ inputs.packs }}
        tools: ${{ inputs.tools }}
        db-location: ${{ runner.temp }}/codescanning-config-cli-test
    - name: Install dependencies
      shell: bash
      run: npm install --location=global ts-node js-yaml
    - name: Check config
      working-directory: ${{ github.action_path }}
      shell: bash
      run: ts-node ./index.ts "${{ runner.temp }}/user-config.yaml" '${{ inputs.expected-config-file-contents }}'
    - name: Clean up
      shell: bash
      if: always()
      run: |
        rm -rf ${{ runner.temp }}/codescanning-config-cli-test
        rm -rf ${{ runner.temp }}/user-config.yaml
--- a/.github/check-codescanning-config/index.ts
+++ b/.github/check-codescanning-config/index.ts
@@ -0,0 +1,39 @@
 import * as core from '@actions/core'
 import * as yaml from 'js-yaml'
 import * as fs from 'fs'
 import * as assert from 'assert'
 const actualConfig = loadActualConfig()
 const rawExpectedConfig = process.argv[3].trim()
 if (!rawExpectedConfig) {
  core.info('No expected configuration provided')
 } else {
  core.startGroup('Expected generated user config')
  core.info(yaml.dump(JSON.parse(rawExpectedConfig)))
  core.endGroup()
 }
 const expectedConfig = rawExpectedConfig ? JSON.parse(rawExpectedConfig) : undefined;
 assert.deepStrictEqual(
  actualConfig,
  expectedConfig,
  'Expected configuration does not match actual configuration'
 );
 function loadActualConfig() {
  if (!fs.existsSync(process.argv[2])) {
    core.info('No configuration file found')
    return undefined
  } else {
    const rawActualConfig = fs.readFileSync(process.argv[2], 'utf8')
    core.startGroup('Actual generated user config')
    core.info(rawActualConfig)
    core.endGroup()
    return yaml.load(rawActualConfig)
  }
 }
--- a/.github/check-sarif/action.yml
+++ b/.github/check-sarif/action.yml
@@ -0,0 +1,20 @@
 name: Check SARIF
 description: Checks a SARIF file to see if certain queries were run and others were not run.
 inputs:
  sarif-file:
    required: true
    description: The SARIF file to check
  queries-run:
    required: true
    description: |
      Comma separated list of query ids that should be included in this SARIF file.
  queries-not-run:
    required: true
    description: |
      Comma separated list of query ids that should NOT be included in this SARIF file.
 runs:
  using: node12
  main: index.js
--- a/.github/check-sarif/index.js
+++ b/.github/check-sarif/index.js
@@ -0,0 +1,43 @@
 'use strict'
 const core = require('@actions/core')
 const fs = require('fs')
 const sarif = JSON.parse(fs.readFileSync(core.getInput('sarif-file'), 'utf8'))
 const rules = sarif.runs[0].tool.extensions.flatMap(ext => ext.rules || [])
 const ruleIds = rules.map(rule => rule.id)
 // Check that all the expected queries ran
 const expectedQueriesRun = getQueryIdsInput('queries-run')
 const queriesThatShouldHaveRunButDidNot = expectedQueriesRun.filter(queryId => !ruleIds.includes(queryId))
 if (queriesThatShouldHaveRunButDidNot.length > 0) {
  core.setFailed(`The following queries were expected to run but did not: ${queriesThatShouldHaveRunButDidNot.join(', ')}`)
 }
 // Check that all the unexpected queries did not run
 const expectedQueriesNotRun = getQueryIdsInput('queries-not-run')
 const queriesThatShouldNotHaveRunButDid = expectedQueriesNotRun.filter(queryId => ruleIds.includes(queryId))
 if (queriesThatShouldNotHaveRunButDid.length > 0) {
  core.setFailed(`The following queries were NOT expected to have run but did: ${queriesThatShouldNotHaveRunButDid.join(', ')}`)
 }
 core.startGroup('All queries run')
 rules.forEach(rule => {
  core.info(`${rule.id}: ${(rule.properties && rule.properties.name) || rule.name}`)
 })
 core.endGroup()
 core.startGroup('Full SARIF')
 core.info(JSON.stringify(sarif, null, 2))
 core.endGroup()
 function getQueryIdsInput(name) {
  return core.getInput(name)
    .split(',')
    .map(q => q.trim())
    .filter(q => q.length > 0)
 }
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,20 @@
 version: 2
 updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "thursday" # Gives us a working day to merge this before our typical release
    labels:
      - "Update dependencies"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
  - package-ecosystem: "npm"
    directory: "/runner"
    schedule:
      interval: "weekly"
      day: "thursday" # Gives us a working day to merge this before our typical release
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
--- a/.github/prepare-test/action.yml
+++ b/.github/prepare-test/action.yml
@@ -0,0 +1,38 @@
 name: "Prepare test"
 description: Performs some preparation to run tests
 inputs:
  version:
    required: true
 outputs:
  tools-url:
    value: ${{ steps.get-url.outputs.tools-url }}
 runs:
  using: composite
  steps:
    - name: Move codeql-action
      shell: bash
      run: |
        mkdir ../action
        mv * .github ../action/
        mv ../action/tests/multi-language-repo/{*,.github} .
        mv ../action/.github/workflows .github
    - id: get-url
      name: Determine URL
      shell: bash
      run: |
        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
          export LATEST=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
          echo "::set-output name=tools-url::https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$LATEST/codeql-bundle.tar.gz"
        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
          export VERSION=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
          echo "::set-output name=tools-url::https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$VERSION-manual/codeql-bundle.tar.gz"
        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
          export VERSION=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
          echo "::set-output name=tools-url::https://github.com/github/codeql-action/releases/download/codeql-bundle-$VERSION/codeql-bundle.tar.gz"
        elif [[ ${{ inputs.version }} == "latest" ]]; then
          echo "::set-output name=tools-url::latest"
        elif [[ ${{ inputs.version }} == "cached" ]]; then
          echo "::set-output name=tools-url::"
        else
          echo "::error Unrecognized version specified!"
        fi
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,4 +1,5 @@
 ### Merge / deployment checklist
 - [ ] Confirm this change is backwards compatible with existing workflows.
- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/master/README.md) has been updated if necessary.
+- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) has been updated if necessary.
 - [ ] Confirm the [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) has been updated if necessary.
--- a/.github/query-filter-test/action.yml
+++ b/.github/query-filter-test/action.yml
@@ -0,0 +1,54 @@
 name: Query Filter Test
 description: Runs a test of query filters using the check SARIF action
 inputs:
  sarif-file:
    required: true
    description: The SARIF file to check
  queries-run:
    required: true
    description: |
      Comma separated list of query ids that should be included in this SARIF file.
  queries-not-run:
    required: true
    description: |
      Comma separated list of query ids that should NOT be included in this SARIF file.
  config-file:
    required: true
    description: |
      The location of the codeql configuration file to use.
  tools:
    required: true
    description: |
      The url of codeql to use.
 runs:
  using: composite
  steps:
    - uses: ./../action/init
      with:
        languages: javascript
        config-file: ${{ inputs.config-file }}
        tools: ${{ inputs.tools }}
        db-location: ${{ runner.temp }}/query-filter-test
      env:
        TEST_MODE: "true"
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
        upload-database: false
        upload: false
      env:
        TEST_MODE: "true"
    - name: Check SARIF
      uses: ./../action/.github/check-sarif
      with:
        sarif-file:  ${{ inputs.sarif-file }}
        queries-run: ${{ inputs.queries-run}}
        queries-not-run: ${{ inputs.queries-not-run}}
    - name: Cleanup after test
      shell: bash
      run: rm -rf "$RUNNER_TEMP/results" "$RUNNER_TEMP/query-filter-test"
--- a/.github/update-release-branch.py
+++ b/.github/update-release-branch.py
@@ -1,25 +1,37 @@
 import argparse
 import datetime
 from github import Github
-import random
+import json
-import requests
+import os
 import subprocess
 import sys
-# The branch being merged from.
+EMPTY_CHANGELOG = """# CodeQL Action and CodeQL Runner Changelog
-# This is the one that contains day-to-day development work.
+
-MAIN_BRANCH = 'main'
+## [UNRELEASED]
-# The branch being merged into.
+
-# This is the release branch that users reference.
+No user facing changes.
-LATEST_RELEASE_BRANCH = 'v1'
+
 """
 # Value of the mode flag for a v1 release
 V1_MODE = 'v1-release'
 # Value of the mode flag for a v2 release
 V2_MODE = 'v2-release'
 SOURCE_BRANCH_FOR_MODE = { V1_MODE: 'releases/v2', V2_MODE: 'main' }
 TARGET_BRANCH_FOR_MODE = { V1_MODE: 'releases/v1', V2_MODE: 'releases/v2' }
 # Name of the remote
 ORIGIN = 'origin'
 # Runs git with the given args and returns the stdout.
-# Raises an error if git does not exit successfully.
+# Raises an error if git does not exit successfully (unless passed
-def run_git(*args):
+# allow_non_zero_exit_code=True).
 def run_git(*args, allow_non_zero_exit_code=False):
  cmd = ['git', *args]
  p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-  if (p.returncode != 0):
+  if not allow_non_zero_exit_code and p.returncode != 0:
    raise Exception('Call to ' + ' '.join(cmd) + ' exited with code ' + str(p.returncode) + ' stderr:' + p.stderr.decode('ascii'))
  return p.stdout.decode('ascii')
@@ -27,15 +39,17 @@ def run_git(*args):
 def branch_exists_on_remote(branch_name):
  return run_git('ls-remote', '--heads', ORIGIN, branch_name).strip() != ''
-# Opens a PR from the given branch to the release branch
+# Opens a PR from the given branch to the target branch
-def open_pr(repo, all_commits, short_main_sha, branch_name):
+def open_pr(
  repo, all_commits, source_branch_short_sha, new_branch_name, source_branch, target_branch,
  conductor, is_v2_release, labels, conflicted_files):
  # Sort the commits into the pull requests that introduced them,
  # and any commits that don't have a pull request
  pull_requests = []
  commits_without_pull_requests = []
  for commit in all_commits:
    pr = get_pr_for_commit(repo, commit)
-    
+
    if pr is None:
      commits_without_pull_requests.append(commit)
    elif not any(p for p in pull_requests if p.number == pr.number):
@@ -47,55 +61,68 @@ def open_pr(repo, all_commits, short_main_sha, branch_name):
  # Sort PRs and commits by age
  pull_requests = sorted(pull_requests, key=lambda pr: pr.number)
  commits_without_pull_requests = sorted(commits_without_pull_requests, key=lambda c: c.commit.author.date)
  # Start constructing the body text
  body = 'Merging ' + short_main_sha + ' into ' + LATEST_RELEASE_BRANCH
-  conductor = get_conductor(repo, pull_requests, commits_without_pull_requests)
+  # Start constructing the body text
-  body += '\n\nConductor for this PR is @' + conductor
+  body = []
  body.append('Merging ' + source_branch_short_sha + ' into ' + target_branch)
  body.append('')
  body.append('Conductor for this PR is @' + conductor)
  # List all PRs merged
  if len(pull_requests) > 0:
-    body += '\n\nContains the following pull requests:'
+    body.append('')
    body.append('Contains the following pull requests:')
    for pr in pull_requests:
      merger = get_merger_of_pr(repo, pr)
-      body += '\n- #' + str(pr.number)
+      body.append('- #' + str(pr.number) + ' - ' + pr.title +' (@' + merger + ')')
-      body += ' - ' + pr.title
+
      body += ' (@' + merger + ')'
  # List all commits not part of a PR
  if len(commits_without_pull_requests) > 0:
-    body += '\n\nContains the following commits not from a pull request:'
+    body.append('')
    body.append('Contains the following commits not from a pull request:')
    for commit in commits_without_pull_requests:
-      body += '\n- ' + commit.sha
+      author_description = ' (@' + commit.author.login + ')' if commit.author is not None else ''
-      body += ' - ' + get_truncated_commit_message(commit)
+      body.append('- ' + commit.sha + ' - ' + get_truncated_commit_message(commit) + author_description)
      body += ' (@' + commit.author.login + ')'
-  title = 'Merge ' + MAIN_BRANCH + ' into ' + LATEST_RELEASE_BRANCH
+  body.append('')
  body.append('Please review the following:')
  if len(conflicted_files) > 0:
    body.append(' - [ ] The `package.json` file contains the correct version.')
    body.append(' - [ ] You have added commits to this branch that resolve the merge conflicts ' +
      'in the following files:')
    body.extend([f'    - [ ] `{file}`' for file in conflicted_files])
    body.append(' - [ ] Another maintainer has reviewed the additional commits you added to this ' +
      'branch to resolve the merge conflicts.')
  body.append(' - [ ] The CHANGELOG displays the correct version and date.')
  body.append(' - [ ] The CHANGELOG includes all relevant, user-facing changes since the last release.')
  body.append(' - [ ] There are no unexpected commits being merged into the ' + target_branch + ' branch.')
  body.append(' - [ ] The docs team is aware of any documentation changes that need to be released.')
  if is_v2_release:
    body.append(' - [ ] The mergeback PR is merged back into ' + source_branch + ' after this PR is merged.')
    body.append(' - [ ] The v1 release PR is merged after this PR is merged.')
  title = 'Merge ' + source_branch + ' into ' + target_branch
  # Create the pull request
-  pr = repo.create_pull(title=title, body=body, head=branch_name, base=LATEST_RELEASE_BRANCH)
+  # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
  # a maintainer can take the PR out of draft, thereby triggering the PR checks.
  pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=target_branch, draft=True)
  pr.add_to_labels(*labels)
  print('Created PR #' + str(pr.number))
  # Assign the conductor
  pr.add_to_assignees(conductor)
  print('Assigned PR to ' + conductor)
-# Gets the person who should be in charge of the mergeback PR
+# Gets a list of the SHAs of all commits that have happened on the source branch
-def get_conductor(repo, pull_requests, other_commits):
+# since the last release to the target branch.
-  # If there are any PRs then use whoever merged the last one
+# This will not include any commits that exist on the target branch
-  if len(pull_requests) > 0:
+# that aren't on the source branch.
-    return get_merger_of_pr(repo, pull_requests[-1])
+def get_commit_difference(repo, source_branch, target_branch):
-  
+  # Passing split nothing means that the empty string splits to nothing: compare `''.split() == []`
-  # Otherwise take the author of the latest commit
+  # to `''.split('\n') == ['']`.
-  return other_commits[-1].author.login
+  commits = run_git('log', '--pretty=format:%H', ORIGIN + '/' + target_branch + '..' + ORIGIN + '/' + source_branch).strip().split()
 # Gets a list of the SHAs of all commits that have happened on main
 # since the release branched off.
 # This will not include any commits that exist on the release branch
 # that aren't on main.
 def get_commit_difference(repo):
  commits = run_git('log', '--pretty=format:%H', ORIGIN + '/' + LATEST_RELEASE_BRANCH + '...' + MAIN_BRANCH).strip().split('\n')
  # Convert to full-fledged commit objects
  commits = [repo.get_commit(c) for c in commits]
@@ -105,7 +132,7 @@ def get_commit_difference(repo):
 # Is the given commit the automatic merge commit from when merging a PR
 def is_pr_merge_commit(commit):
-  return commit.committer.login == 'web-flow' and len(commit.parents) > 1
+  return commit.committer is not None and commit.committer.login == 'web-flow' and len(commit.parents) > 1
 # Gets a copy of the commit message that should display nicely
 def get_truncated_commit_message(commit):
@@ -115,16 +142,16 @@ def get_truncated_commit_message(commit):
  else:
    return message
-# Converts a commit into the PR that introduced it to the main branch.
+# Converts a commit into the PR that introduced it to the source branch.
 # Returns the PR object, or None if no PR could be found.
 def get_pr_for_commit(repo, commit):
  prs = commit.get_pulls()
-  
+
  if prs.totalCount > 0:
    # In the case that there are multiple PRs, return the earliest one
    prs = list(prs)
-    sorted(prs, key=lambda pr: int(pr.number))
+    sorted_prs = sorted(prs, key=lambda pr: int(pr.number))
-    return prs[0]
+    return sorted_prs[0]
  else:
    return None
@@ -135,29 +162,88 @@ def get_pr_for_commit(repo, commit):
 def get_merger_of_pr(repo, pr):
  return repo.get_commit(pr.merge_commit_sha).author.login
-def main():
+def get_current_version():
-  if len(sys.argv) != 3:
+  with open('package.json', 'r') as f:
-    raise Exception('Usage: update-release.branch.py <github token> <repository nwo>')
+    return json.load(f)['version']
  github_token = sys.argv[1]
  repository_nwo = sys.argv[2]
-  repo = Github(github_token).get_repo(repository_nwo)
+def get_today_string():
  today = datetime.datetime.today()
  return '{:%d %b %Y}'.format(today)
 def update_changelog(version):
  if (os.path.exists('CHANGELOG.md')):
    content = ''
    with open('CHANGELOG.md', 'r') as f:
      content = f.read()
  else:
    content = EMPTY_CHANGELOG
  newContent = content.replace('[UNRELEASED]', version + ' - ' + get_today_string(), 1)
  with open('CHANGELOG.md', 'w') as f:
    f.write(newContent)
 def main():
  parser = argparse.ArgumentParser('update-release-branch.py')
  parser.add_argument(
    '--github-token',
    type=str,
    required=True,
    help='GitHub token, typically from GitHub Actions.'
  )
  parser.add_argument(
    '--repository-nwo',
    type=str,
    required=True,
    help='The nwo of the repository, for example github/codeql-action.'
  )
  parser.add_argument(
    '--mode',
    type=str,
    required=True,
    choices=[V2_MODE, V1_MODE],
    help=f"Which release to perform. '{V2_MODE}' uses {SOURCE_BRANCH_FOR_MODE[V2_MODE]} as the source " +
      f"branch and {TARGET_BRANCH_FOR_MODE[V2_MODE]} as the target branch. " +
      f"'{V1_MODE}' uses {SOURCE_BRANCH_FOR_MODE[V1_MODE]} as the source branch and " +
      f"{TARGET_BRANCH_FOR_MODE[V1_MODE]} as the target branch."
  )
  parser.add_argument(
    '--conductor',
    type=str,
    required=True,
    help='The GitHub handle of the person who is conducting the release process.'
  )
  args = parser.parse_args()
  source_branch = SOURCE_BRANCH_FOR_MODE[args.mode]
  target_branch = TARGET_BRANCH_FOR_MODE[args.mode]
  repo = Github(args.github_token).get_repo(args.repository_nwo)
  version = get_current_version()
  if args.mode == V1_MODE:
    # Change the version number to a v1 equivalent
    version = get_current_version()
    version = f'1{version[1:]}'
  # Print what we intend to go
-  print('Considering difference between ' + MAIN_BRANCH + ' and ' + LATEST_RELEASE_BRANCH)
+  print('Considering difference between ' + source_branch + ' and ' + target_branch)
-  short_main_sha = run_git('rev-parse', '--short', MAIN_BRANCH).strip()
+  source_branch_short_sha = run_git('rev-parse', '--short', ORIGIN + '/' + source_branch).strip()
-  print('Current head of ' + MAIN_BRANCH + ' is ' + short_main_sha)
+  print('Current head of ' + source_branch + ' is ' + source_branch_short_sha)
  # See if there are any commits to merge in
-  commits = get_commit_difference(repo)
+  commits = get_commit_difference(repo=repo, source_branch=source_branch, target_branch=target_branch)
  if len(commits) == 0:
-    print('No commits to merge from ' + MAIN_BRANCH + ' to ' + LATEST_RELEASE_BRANCH)
+    print('No commits to merge from ' + source_branch + ' to ' + target_branch)
    return
  # The branch name is based off of the name of branch being merged into
  # and the SHA of the branch being merged from. Thus if the branch already
  # exists we can assume we don't need to recreate it.
-  new_branch_name = 'update-' + LATEST_RELEASE_BRANCH + '-' + short_main_sha
+  new_branch_name = 'update-v' + version + '-' + source_branch_short_sha
  print('Branch name is ' + new_branch_name)
  # Check if the branch already exists. If so we can abort as this script
@@ -165,14 +251,93 @@ def main():
  if branch_exists_on_remote(new_branch_name):
    print('Branch ' + new_branch_name + ' already exists. Nothing to do.')
    return
-  
+
  # Create the new branch and push it to the remote
  print('Creating branch ' + new_branch_name)
-  run_git('checkout', '-b', new_branch_name, MAIN_BRANCH)
+
  # The process of creating the v1 release can run into merge conflicts. We commit the unresolved
  # conflicts so a maintainer can easily resolve them (vs erroring and requiring maintainers to
  # reconstruct the release manually)
  conflicted_files = []
  if args.mode == V1_MODE:
    # If we're performing a backport, start from the target branch
    print(f'Creating {new_branch_name} from the {ORIGIN}/{target_branch} branch')
    run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{target_branch}')
    # Revert the commit that we made as part of the last release that updated the version number and
    # changelog to refer to 1.x.x variants. This avoids merge conflicts in the changelog and
    # package.json files when we merge in the v2 branch.
    # This commit will not exist the first time we release the v1 branch from the v2 branch, so we
    # use `git log --grep` to conditionally revert the commit.
    print('Reverting the 1.x.x version number and changelog updates from the last release to avoid conflicts')
    v1_update_commits = run_git('log', '--grep', '^Update version and changelog for v', '--format=%H').split()
    if len(v1_update_commits) > 0:
      print(f'  Reverting {v1_update_commits[0]}')
      # Only revert the newest commit as older ones will already have been reverted in previous
      # releases.
      run_git('revert', v1_update_commits[0], '--no-edit')
      # Also revert the "Update checked-in dependencies" commit created by Actions.
      update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0]
      print(f'  Reverting {update_dependencies_commit}')
      run_git('revert', update_dependencies_commit, '--no-edit')
    else:
      print('  Nothing to revert.')
    print(f'Merging {ORIGIN}/{source_branch} into the release prep branch')
    # Commit any conflicts (see the comment for `conflicted_files`)
    run_git('merge', f'{ORIGIN}/{source_branch}', allow_non_zero_exit_code=True)
    conflicted_files = run_git('diff', '--name-only', '--diff-filter', 'U').splitlines()
    if len(conflicted_files) > 0:
      run_git('add', '.')
      run_git('commit', '--no-edit')
    # Migrate the package version number from a v2 version number to a v1 version number
    print(f'Setting version number to {version}')
    subprocess.check_output(['npm', 'version', version, '--no-git-tag-version'])
    run_git('add', 'package.json', 'package-lock.json')
    # Migrate the changelog notes from v2 version numbers to v1 version numbers
    print('Migrating changelog notes from v2 to v1')
    subprocess.check_output(['sed', '-i', 's/^## 2\./## 1./g', 'CHANGELOG.md'])
    # Remove changelog notes from v2 that don't apply to v1
    subprocess.check_output(['sed', '-i', '/^- \[v2+ only\]/d', 'CHANGELOG.md'])
    # Amend the commit generated by `npm version` to update the CHANGELOG
    run_git('add', 'CHANGELOG.md')
    run_git('commit', '-m', f'Update version and changelog for v{version}')
  else:
    # If we're performing a standard release, there won't be any new commits on the target branch,
    # as these will have already been merged back into the source branch. Therefore we can just
    # start from the source branch.
    run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{source_branch}')
    print('Updating changelog')
    update_changelog(version)
    # Create a commit that updates the CHANGELOG
    run_git('add', 'CHANGELOG.md')
    run_git('commit', '-m', f'Update changelog for v{version}')
  run_git('push', ORIGIN, new_branch_name)
  # Open a PR to update the branch
-  open_pr(repo, commits, short_main_sha, new_branch_name)
+  open_pr(
    repo,
    commits,
    source_branch_short_sha,
    new_branch_name,
    source_branch=source_branch,
    target_branch=target_branch,
    conductor=args.conductor,
    is_v2_release=args.mode == V2_MODE,
    labels=['Update dependencies'] if args.mode == V1_MODE else [],
    conflicted_files=conflicted_files
  )
 if __name__ == '__main__':
  main()
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -0,0 +1,97 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  analyze-ref-input:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20210308
        - os: macos-latest
          version: stable-20210308
        - os: windows-2019
          version: stable-20210308
        - os: ubuntu-latest
          version: stable-20210319
        - os: macos-latest
          version: stable-20210319
        - os: windows-2019
          version: stable-20210319
        - os: ubuntu-latest
          version: stable-20210809
        - os: macos-latest
          version: stable-20210809
        - os: windows-2019
          version: stable-20210809
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: windows-2019
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: windows-2019
          version: latest
        - os: windows-2022
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
        - os: windows-2019
          version: nightly-latest
        - os: windows-2022
          version: nightly-latest
    name: "Analyze: 'ref' and 'sha' from inputs"
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        tools: ${{ steps.prepare-test.outputs.tools-url }}
        languages: cpp,csharp,java,javascript,python
        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
          github.sha }}
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        ref: refs/heads/main
        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
      env:
        TEST_MODE: true
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__autobuild-action.yml
+++ b/.github/workflows/__autobuild-action.yml
@@ -0,0 +1,74 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - autobuild-action
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  autobuild-action:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: windows-2019
          version: latest
        - os: windows-2022
          version: latest
    name: autobuild-action
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        languages: csharp
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - uses: ./../action/autobuild
      env:
      # Explicitly disable the CLR tracer.
        COR_ENABLE_PROFILING: ''
        COR_PROFILER: ''
        COR_PROFILER_PATH_64: ''
        CORECLR_ENABLE_PROFILING: ''
        CORECLR_PROFILER: ''
        CORECLR_PROFILER_PATH_64: ''
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
    - name: Check database
      shell: bash
      run: |
        cd "$RUNNER_TEMP/codeql_databases"
        if [[ ! -d csharp ]]; then
          echo "Did not find a C# database"
          exit 1
        fi
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__extractor-ram-threads.yml
+++ b/.github/workflows/__extractor-ram-threads.yml
@@ -0,0 +1,68 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - Extractor ram and threads options test
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  extractor-ram-threads:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: latest
    name: Extractor ram and threads options test
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        languages: java
        ram: 230
        threads: 1
      env:
        TEST_MODE: true
    - name: Assert Results
      shell: bash
      run: |
        if [ "${CODEQL_RAM}" != "230" ]; then
          echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
          exit 1
        fi
        if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
          echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
          exit 1
        fi
        if [ "${CODEQL_THREADS}" != "1" ]; then
          echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
          exit 1
        fi
        if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
          echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
          exit 1
        fi
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -0,0 +1,96 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: 'PR Check - Go: Custom queries'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  go-custom-queries:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20210308
        - os: macos-latest
          version: stable-20210308
        - os: windows-2019
          version: stable-20210308
        - os: ubuntu-latest
          version: stable-20210319
        - os: macos-latest
          version: stable-20210319
        - os: windows-2019
          version: stable-20210319
        - os: ubuntu-latest
          version: stable-20210809
        - os: macos-latest
          version: stable-20210809
        - os: windows-2019
          version: stable-20210809
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: windows-2019
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: windows-2019
          version: latest
        - os: windows-2022
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
        - os: windows-2019
          version: nightly-latest
        - os: windows-2022
          version: nightly-latest
    name: 'Go: Custom queries'
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        languages: go
        config-file: ./.github/codeql/custom-queries.yml
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__go-custom-tracing-autobuild.yml
+++ b/.github/workflows/__go-custom-tracing-autobuild.yml
@@ -0,0 +1,86 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: 'PR Check - Go: Autobuild custom tracing'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  go-custom-tracing-autobuild:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20210308
        - os: macos-latest
          version: stable-20210308
        - os: ubuntu-latest
          version: stable-20210319
        - os: macos-latest
          version: stable-20210319
        - os: ubuntu-latest
          version: stable-20210809
        - os: macos-latest
          version: stable-20210809
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
    name: 'Go: Autobuild custom tracing'
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        languages: go
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - uses: ./../action/autobuild
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
    - shell: bash
      run: |
        cd "$RUNNER_TEMP/codeql_databases"
        if [[ ! -d go ]]; then
          echo "Did not find a Go database"
          exit 1
        fi
    env:
      CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__go-custom-tracing.yml
+++ b/.github/workflows/__go-custom-tracing.yml
@@ -0,0 +1,96 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: 'PR Check - Go: Custom tracing'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  go-custom-tracing:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20210308
        - os: macos-latest
          version: stable-20210308
        - os: windows-2019
          version: stable-20210308
        - os: ubuntu-latest
          version: stable-20210319
        - os: macos-latest
          version: stable-20210319
        - os: windows-2019
          version: stable-20210319
        - os: ubuntu-latest
          version: stable-20210809
        - os: macos-latest
          version: stable-20210809
        - os: windows-2019
          version: stable-20210809
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: windows-2019
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: windows-2019
          version: latest
        - os: windows-2022
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
        - os: windows-2019
          version: nightly-latest
        - os: windows-2022
          version: nightly-latest
    name: 'Go: Custom tracing'
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        languages: go
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: go build main.go
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
    env:
      CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__go-reconciled-tracing-autobuilder.yml
+++ b/.github/workflows/__go-reconciled-tracing-autobuilder.yml
@@ -0,0 +1,91 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: 'PR Check - Go: Reconciled tracing with autobuilder'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  go-reconciled-tracing-autobuilder:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20210308
        - os: macos-latest
          version: stable-20210308
        - os: ubuntu-latest
          version: stable-20210319
        - os: macos-latest
          version: stable-20210319
        - os: ubuntu-latest
          version: stable-20210809
        - os: macos-latest
          version: stable-20210809
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
    name: 'Go: Reconciled tracing with autobuilder'
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        languages: go
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - uses: ./../action/autobuild
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
    - shell: bash
      run: |
        if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
          echo "Expected the Go autobuilder to be run, but the" \
            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
          exit 1
        fi
        cd "$RUNNER_TEMP/codeql_databases"
        if [[ ! -d go ]]; then
          echo "Did not find a Go database"
          exit 1
        fi
    env:
      CODEQL_ACTION_RECONCILE_GO_EXTRACTION: 'true'
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__go-reconciled-tracing-custom-build-steps.yml
+++ b/.github/workflows/__go-reconciled-tracing-custom-build-steps.yml
@@ -0,0 +1,112 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: 'PR Check - Go: Reconciled tracing with custom build steps'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  go-reconciled-tracing-custom-build-steps:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20210308
        - os: macos-latest
          version: stable-20210308
        - os: windows-2019
          version: stable-20210308
        - os: ubuntu-latest
          version: stable-20210319
        - os: macos-latest
          version: stable-20210319
        - os: windows-2019
          version: stable-20210319
        - os: ubuntu-latest
          version: stable-20210809
        - os: macos-latest
          version: stable-20210809
        - os: windows-2019
          version: stable-20210809
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: windows-2019
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: windows-2019
          version: latest
        - os: windows-2022
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
        - os: windows-2019
          version: nightly-latest
        - os: windows-2022
          version: nightly-latest
    name: 'Go: Reconciled tracing with custom build steps'
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        languages: go
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: go build main.go
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
    - shell: bash
      run: |
        # Once we start running Bash 4.2 in all environments, we can replace the
        # `! -z` flag with the more elegant `-v` which confirms that the variable
        # is actually unset and not potentially set to a blank value.
        if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
          echo "Expected the Go autobuilder not to be run, but the" \
            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
          exit 1
        fi
        cd "$RUNNER_TEMP/codeql_databases"
        if [[ ! -d go ]]; then
          echo "Did not find a Go database"
          exit 1
        fi
    env:
  # Enable reconciled Go tracing beta functionality
      CODEQL_ACTION_RECONCILE_GO_EXTRACTION: 'true'
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__go-reconciled-tracing-legacy-workflow.yml
+++ b/.github/workflows/__go-reconciled-tracing-legacy-workflow.yml
@@ -0,0 +1,86 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: 'PR Check - Go: Reconciled tracing with legacy workflow'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  go-reconciled-tracing-legacy-workflow:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20210308
        - os: macos-latest
          version: stable-20210308
        - os: ubuntu-latest
          version: stable-20210319
        - os: macos-latest
          version: stable-20210319
        - os: ubuntu-latest
          version: stable-20210809
        - os: macos-latest
          version: stable-20210809
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
    name: 'Go: Reconciled tracing with legacy workflow'
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
      with:
        languages: go
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
    - shell: bash
      run: |
        cd "$RUNNER_TEMP/codeql_databases"
        if [[ ! -d go ]]; then
          echo "Did not find a Go database"
          exit 1
        fi
    env:
  # Enable reconciled Go tracing beta functionality
      CODEQL_ACTION_RECONCILE_GO_EXTRACTION: 'true'
      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__init-with-registries.yml
+++ b/.github/workflows/__init-with-registries.yml
@@ -0,0 +1,83 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: 'PR Check - Packaging: Download using registries'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  init-with-registries:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
        - os: windows-2019
          version: nightly-latest
        - os: windows-2022
          version: nightly-latest
    name: 'Packaging: Download using registries'
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - name: Init with registries
      uses: ./../action/init
      with:
        db-location: ${{ runner.temp }}/customDbLocation
        tools: ${{ steps.prepare-test.outputs.tools-url }}
        config-file: ./.github/codeql/codeql-config-registries.yml
        languages: javascript
        registries: |
          - url: "https://ghcr.io/v2/"
            packages: "*/*"
            token: "${{ secrets.GITHUB_TOKEN }}"
      env:
        TEST_MODE: true
    - name: Verify packages installed
      shell: bash
      run: |
        PRIVATE_PACK="$HOME/.codeql/packages/dsp-testing/private-pack"
        CODEQL_PACK1="$HOME/.codeql/packages/dsp-testing/codeql-pack1"
        if [[ -d $PRIVATE_PACK ]]
        then
            echo "$PRIVATE_PACK was installed."
        else
            echo "::error $PRIVATE_PACK pack was not installed."
            exit 1
        fi
        if [[ -d $CODEQL_PACK1 ]]
        then
            echo "$CODEQL_PACK1 was installed."
        else
            echo "::error $CODEQL_PACK1 pack was not installed."
            exit 1
        fi
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__javascript-source-root.yml
+++ b/.github/workflows/__javascript-source-root.yml
@@ -0,0 +1,70 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - Custom source root
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  javascript-source-root:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: latest
        - os: ubuntu-latest
          version: cached
        - os: ubuntu-latest
          version: nightly-latest
    name: Custom source root
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - name: Move codeql-action
      shell: bash
      run: |
        mkdir ../new-source-root
        mv * ../new-source-root
    - uses: ./../action/init
      with:
        languages: javascript
        source-root: ../new-source-root
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - uses: ./../action/analyze
      with:
        skip-queries: true
        upload: false
    - name: Assert database exists
      shell: bash
      run: |
        cd "$RUNNER_TEMP/codeql_databases"
        if [[ ! -d javascript ]]; then
          echo "Did not find a JavaScript database"
          exit 1
        fi
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__ml-powered-queries.yml
+++ b/.github/workflows/__ml-powered-queries.yml
@@ -0,0 +1,140 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - ML-powered queries
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  ml-powered-queries:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20220120
        - os: macos-latest
          version: stable-20220120
        - os: windows-latest
          version: stable-20220120
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: windows-latest
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: windows-latest
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
        - os: windows-latest
          version: nightly-latest
    name: ML-powered queries
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        languages: javascript
        queries: security-extended
        source-root: ./../action/tests/ml-powered-queries-repo
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
        upload-database: false
      env:
        TEST_MODE: true
    - name: Upload SARIF
      uses: actions/upload-artifact@v3
      with:
        name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
        path: ${{ runner.temp }}/results/javascript.sarif
        retention-days: 7
    - name: Check sarif
      uses: ./../action/.github/check-sarif
      if: matrix.os != 'windows-latest' || matrix.version == 'latest' || matrix.version
        == 'nightly-latest'
      with:
        sarif-file: ${{ runner.temp }}/results/javascript.sarif
        queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
        queries-not-run: foo,bar
    - name: Check results
    # Running ML-powered queries on Windows requires CodeQL CLI 2.9.0+. We don't run these checks
    # against Windows and `cached` while CodeQL CLI 2.9.0 makes its way into `cached` to avoid the
    # test starting to fail when the cached CodeQL Bundle gets updated. Once the CodeQL Bundle
    # containing CodeQL CLI 2.9.0 has been fully released, we can drop this line and start running
    # these checks on Windows and `cached`.
      if: matrix.os != 'windows-latest' || matrix.version != 'cached'
      env:
      # Running on Windows requires CodeQL CLI 2.9.0+, which has so far only made it to 'latest'.
        SHOULD_RUN_ML_POWERED_QUERIES: ${{ matrix.os != 'windows-latest' || matrix.version
          == 'latest' || matrix.version == 'nightly-latest' }}
      shell: bash
      run: |
        echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
        cd "$RUNNER_TEMP/results"
        # We should run at least the ML-powered queries in `expected_rules`.
        expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
        for rule in ${expected_rules}; do
          found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
            flatten | .[].id] | any(. == $rule)' javascript.sarif)
          echo "Did find rule '${rule}': ${found_rule}"
          if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
            echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
            exit 1
          elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
            echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
            exit 1
          fi
        done
        # We should have at least one alert from an ML-powered query.
        num_alerts=$(jq '[.runs[0].results[] |
          select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
          javascript.sarif)
        echo "Found ${num_alerts} alerts from ML-powered queries.";
        if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
          echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
          exit 1
        elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
          echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
          exit 1
        fi
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -0,0 +1,109 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - Multi-language repository
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  multi-language-autodetect:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20210308
        - os: macos-latest
          version: stable-20210308
        - os: ubuntu-latest
          version: stable-20210319
        - os: macos-latest
          version: stable-20210319
        - os: ubuntu-latest
          version: stable-20210809
        - os: macos-latest
          version: stable-20210809
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
    name: Multi-language repository
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        db-location: ${{ runner.temp }}/customDbLocation
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      id: analysis
      env:
        TEST_MODE: true
    - shell: bash
      run: |
        CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
        if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
          echo "Did not create a database for CPP, or created it in the wrong location."
          exit 1
        fi
        CSHARP_DB=${{ fromJson(steps.analysis.outputs.db-locations).csharp }}
        if [[ ! -d $CSHARP_DB ]] || [[ ! $CSHARP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
          echo "Did not create a database for C Sharp, or created it in the wrong location."
          exit 1
        fi
        GO_DB=${{ fromJson(steps.analysis.outputs.db-locations).go }}
        if [[ ! -d $GO_DB ]] || [[ ! $GO_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
          echo "Did not create a database for Go, or created it in the wrong location."
          exit 1
        fi
        JAVA_DB=${{ fromJson(steps.analysis.outputs.db-locations).java }}
        if [[ ! -d $JAVA_DB ]] || [[ ! $JAVA_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
          echo "Did not create a database for Java, or created it in the wrong location."
          exit 1
        fi
        JAVASCRIPT_DB=${{ fromJson(steps.analysis.outputs.db-locations).javascript }}
        if [[ ! -d $JAVASCRIPT_DB ]] || [[ ! $JAVASCRIPT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
          echo "Did not create a database for Javascript, or created it in the wrong location."
          exit 1
        fi
        PYTHON_DB=${{ fromJson(steps.analysis.outputs.db-locations).python }}
        if [[ ! -d $PYTHON_DB ]] || [[ ! $PYTHON_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
          echo "Did not create a database for Python, or created it in the wrong location."
          exit 1
        fi
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -0,0 +1,102 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: 'PR Check - Packaging: Config and input passed to the CLI'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  packaging-codescanning-config-inputs-js:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: windows-2019
          version: latest
        - os: windows-2022
          version: latest
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: windows-2019
          version: cached
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
        - os: windows-2019
          version: nightly-latest
        - os: windows-2022
          version: nightly-latest
    name: 'Packaging: Config and input passed to the CLI'
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        config-file: .github/codeql/codeql-config-packaging3.yml
        packs: +dsp-testing/codeql-pack1@1.0.0
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
      env:
        TEST_MODE: true
    - name: Check results
      uses: ./../action/.github/check-sarif
      with:
        sarif-file: ${{ runner.temp }}/results/javascript.sarif
        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
        queries-not-run: foo,bar
    - name: Assert Results
      shell: bash
      run: |
        cd "$RUNNER_TEMP/results"
        # We should have 4 hits from these rules
        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
        echo "Found matching rules '$RULES'"
        if [ "$RULES" != "$EXPECTED_RULES" ]; then
          echo "Did not match expected rules '$EXPECTED_RULES'."
          exit 1
        fi
    env:
      CODEQL_PASS_CONFIG_TO_CLI: true
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -0,0 +1,100 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: 'PR Check - Packaging: Config and input'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  packaging-config-inputs-js:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: windows-2019
          version: latest
        - os: windows-2022
          version: latest
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: windows-2019
          version: cached
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
        - os: windows-2019
          version: nightly-latest
        - os: windows-2022
          version: nightly-latest
    name: 'Packaging: Config and input'
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        config-file: .github/codeql/codeql-config-packaging3.yml
        packs: +dsp-testing/codeql-pack1@1.0.0
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
      env:
        TEST_MODE: true
    - name: Check results
      uses: ./../action/.github/check-sarif
      with:
        sarif-file: ${{ runner.temp }}/results/javascript.sarif
        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
        queries-not-run: foo,bar
    - name: Assert Results
      shell: bash
      run: |
        cd "$RUNNER_TEMP/results"
        # We should have 4 hits from these rules
        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
        echo "Found matching rules '$RULES'"
        if [ "$RULES" != "$EXPECTED_RULES" ]; then
          echo "Did not match expected rules '$EXPECTED_RULES'."
          exit 1
        fi
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -0,0 +1,99 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: 'PR Check - Packaging: Config file'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  packaging-config-js:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: windows-2019
          version: latest
        - os: windows-2022
          version: latest
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: windows-2019
          version: cached
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
        - os: windows-2019
          version: nightly-latest
        - os: windows-2022
          version: nightly-latest
    name: 'Packaging: Config file'
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        config-file: .github/codeql/codeql-config-packaging.yml
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
      env:
        TEST_MODE: true
    - name: Check results
      uses: ./../action/.github/check-sarif
      with:
        sarif-file: ${{ runner.temp }}/results/javascript.sarif
        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
        queries-not-run: foo,bar
    - name: Assert Results
      shell: bash
      run: |
        cd "$RUNNER_TEMP/results"
        # We should have 4 hits from these rules
        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
        echo "Found matching rules '$RULES'"
        if [ "$RULES" != "$EXPECTED_RULES" ]; then
          echo "Did not match expected rules '$EXPECTED_RULES'."
          exit 1
        fi
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -0,0 +1,100 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: 'PR Check - Packaging: Action input'
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  packaging-inputs-js:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: windows-2019
          version: latest
        - os: windows-2022
          version: latest
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: windows-2019
          version: cached
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
        - os: windows-2019
          version: nightly-latest
        - os: windows-2022
          version: nightly-latest
    name: 'Packaging: Action input'
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        config-file: .github/codeql/codeql-config-packaging2.yml
        languages: javascript
        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
      env:
        TEST_MODE: true
    - name: Check results
      uses: ./../action/.github/check-sarif
      with:
        sarif-file: ${{ runner.temp }}/results/javascript.sarif
        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
        queries-not-run: foo,bar
    - name: Assert Results
      shell: bash
      run: |
        cd "$RUNNER_TEMP/results"
        # We should have 4 hits from these rules
        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
        echo "Found matching rules '$RULES'"
        if [ "$RULES" != "$EXPECTED_RULES" ]; then
          echo "Did not match expected rules '$EXPECTED_RULES'."
          exit 1
        fi
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -0,0 +1,94 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - Remote config file
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  remote-config:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20210308
        - os: macos-latest
          version: stable-20210308
        - os: windows-2019
          version: stable-20210308
        - os: ubuntu-latest
          version: stable-20210319
        - os: macos-latest
          version: stable-20210319
        - os: windows-2019
          version: stable-20210319
        - os: ubuntu-latest
          version: stable-20210809
        - os: macos-latest
          version: stable-20210809
        - os: windows-2019
          version: stable-20210809
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: windows-2019
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: windows-2019
          version: latest
        - os: windows-2022
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
        - os: windows-2019
          version: nightly-latest
        - os: windows-2022
          version: nightly-latest
    name: Remote config file
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        tools: ${{ steps.prepare-test.outputs.tools-url }}
        languages: cpp,csharp,java,javascript,python
        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
          github.sha }}
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -0,0 +1,74 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - RuboCop multi-language
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  rubocop-multi-language:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20210308
        - os: ubuntu-latest
          version: stable-20210319
        - os: ubuntu-latest
          version: stable-20210809
        - os: ubuntu-latest
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
    name: RuboCop multi-language
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - name: Set up Ruby
      uses: ruby/setup-ruby@v1
      with:
        ruby-version: 2.6
    - name: Install Code Scanning integration
      shell: bash
      run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
    - name: Install dependencies
      shell: bash
      run: bundle install
    - name: RuboCop run
      shell: bash
      run: |
        bash -c "
          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
          [[ $? -ne 2 ]]
        "
    - uses: ./../action/upload-sarif
      with:
        sarif_file: rubocop.sarif
      env:
        TEST_MODE: true
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -0,0 +1,97 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - Split workflow
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  split-workflow:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
    name: Split workflow
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        config-file: .github/codeql/codeql-config-packaging3.yml
        packs: +dsp-testing/codeql-pack1@1.0.0
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        skip-queries: true
        output: ${{ runner.temp }}/results
      env:
        TEST_MODE: true
    - name: Assert No Results
      shell: bash
      run: |
        if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
          echo "Expected results directory to be empty after skipping query execution!"
          exit 1
        fi
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
        upload-database: false
      env:
        TEST_MODE: true
    - name: Assert Results
      shell: bash
      run: |
        cd "$RUNNER_TEMP/results"
        # We should have 4 hits from these rules
        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
        echo "Found matching rules '$RULES'"
        if [ "$RULES" != "$EXPECTED_RULES" ]; then
          echo "Did not match expected rules '$EXPECTED_RULES'."
          exit 1
        fi
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__test-autobuild-working-dir.yml
+++ b/.github/workflows/__test-autobuild-working-dir.yml
@@ -0,0 +1,69 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - Autobuild working directory
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  test-autobuild-working-dir:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: latest
    name: Autobuild working directory
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - name: Test setup
      shell: bash
      run: |
        # Make sure that Gradle build succeeds in autobuild-dir ...
        cp -a ../action/tests/java-repo autobuild-dir
        # ... and fails if attempted in the current directory
        echo > build.gradle
    - uses: ./../action/init
      with:
        languages: java
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - uses: ./../action/autobuild
      with:
        working-directory: autobuild-dir
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
    - name: Check database
      shell: bash
      run: |
        cd "$RUNNER_TEMP/codeql_databases"
        if [[ ! -d java ]]; then
          echo "Did not find a Java database"
          exit 1
        fi
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__test-local-codeql.yml
+++ b/.github/workflows/__test-local-codeql.yml
@@ -0,0 +1,59 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - Local CodeQL bundle
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  test-local-codeql:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: nightly-latest
    name: Local CodeQL bundle
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - name: Fetch a CodeQL bundle
      shell: bash
      env:
        CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
      run: |
        wget "$CODEQL_URL"
    - uses: ./../action/init
      with:
        tools: ./codeql-bundle.tar.gz
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__test-proxy.yml
+++ b/.github/workflows/__test-proxy.yml
@@ -0,0 +1,60 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - Proxy test
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  test-proxy:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: latest
    name: Proxy test
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
    env:
      https_proxy: http://squid-proxy:3128
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
    container:
      image: ubuntu:18.04
      options: --dns 127.0.0.1
    services:
      squid-proxy:
        image: datadog/squid:latest
        ports:
        - 3128:3128
--- a/.github/workflows/__test-ruby.yml
+++ b/.github/workflows/__test-ruby.yml
@@ -0,0 +1,71 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - Ruby analysis
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  test-ruby:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
    name: Ruby analysis
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        languages: ruby
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - uses: ./../action/analyze
      id: analysis
      env:
        TEST_MODE: true
    - name: Check database
      shell: bash
      run: |
        RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
        if [[ ! -d "$RUBY_DB" ]]; then
          echo "Did not create a database for Ruby."
          exit 1
        fi
    env:
      CODEQL_ENABLE_EXPERIMENTAL_FEATURES: 'true'
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -0,0 +1,97 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - Test unsetting environment variables
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  unset-environment:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20210308
        - os: ubuntu-latest
          version: stable-20210319
        - os: ubuntu-latest
          version: stable-20210809
        - os: ubuntu-latest
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
    name: Test unsetting environment variables
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        db-location: ${{ runner.temp }}/customDbLocation
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
    - uses: ./../action/analyze
      id: analysis
      env:
        TEST_MODE: true
    - shell: bash
      run: |
        CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
        if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
          echo "Did not create a database for CPP, or created it in the wrong location."
          exit 1
        fi
        CSHARP_DB=${{ fromJson(steps.analysis.outputs.db-locations).csharp }}
        if [[ ! -d $CSHARP_DB ]] || [[ ! $CSHARP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
          echo "Did not create a database for C Sharp, or created it in the wrong location."
          exit 1
        fi
        GO_DB=${{ fromJson(steps.analysis.outputs.db-locations).go }}
        if [[ ! -d $GO_DB ]] || [[ ! $GO_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
          echo "Did not create a database for Go, or created it in the wrong location."
          exit 1
        fi
        JAVA_DB=${{ fromJson(steps.analysis.outputs.db-locations).java }}
        if [[ ! -d $JAVA_DB ]] || [[ ! $JAVA_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
          echo "Did not create a database for Java, or created it in the wrong location."
          exit 1
        fi
        JAVASCRIPT_DB=${{ fromJson(steps.analysis.outputs.db-locations).javascript }}
        if [[ ! -d $JAVASCRIPT_DB ]] || [[ ! $JAVASCRIPT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
          echo "Did not create a database for Javascript, or created it in the wrong location."
          exit 1
        fi
        PYTHON_DB=${{ fromJson(steps.analysis.outputs.db-locations).python }}
        if [[ ! -d $PYTHON_DB ]] || [[ ! $PYTHON_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
          echo "Did not create a database for Python, or created it in the wrong location."
          exit 1
        fi
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -0,0 +1,104 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  upload-ref-sha-input:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20210308
        - os: macos-latest
          version: stable-20210308
        - os: windows-2019
          version: stable-20210308
        - os: ubuntu-latest
          version: stable-20210319
        - os: macos-latest
          version: stable-20210319
        - os: windows-2019
          version: stable-20210319
        - os: ubuntu-latest
          version: stable-20210809
        - os: macos-latest
          version: stable-20210809
        - os: windows-2019
          version: stable-20210809
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: windows-2019
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: windows-2019
          version: latest
        - os: windows-2022
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
        - os: windows-2019
          version: nightly-latest
        - os: windows-2022
          version: nightly-latest
    name: "Upload-sarif: 'ref' and 'sha' from inputs"
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: ./../action/init
      with:
        tools: ${{ steps.prepare-test.outputs.tools-url }}
        languages: cpp,csharp,java,javascript,python
        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
          github.sha }}
      env:
        TEST_MODE: true
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      with:
        ref: refs/heads/main
        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
        upload: false
      env:
        TEST_MODE: true
    - uses: ./../action/upload-sarif
      with:
        ref: refs/heads/main
        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
      env:
        TEST_MODE: true
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -0,0 +1,148 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
 # to regenerate this file.
 name: PR Check - Use a custom `checkout_path`
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  with-checkout-path:
    strategy:
      matrix:
        include:
        - os: ubuntu-latest
          version: stable-20210308
        - os: macos-latest
          version: stable-20210308
        - os: windows-2019
          version: stable-20210308
        - os: ubuntu-latest
          version: stable-20210319
        - os: macos-latest
          version: stable-20210319
        - os: windows-2019
          version: stable-20210319
        - os: ubuntu-latest
          version: stable-20210809
        - os: macos-latest
          version: stable-20210809
        - os: windows-2019
          version: stable-20210809
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: windows-2019
          version: cached
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: windows-2019
          version: latest
        - os: windows-2022
          version: latest
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
        - os: windows-2019
          version: nightly-latest
        - os: windows-2022
          version: nightly-latest
    name: Use a custom `checkout_path`
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - uses: actions/checkout@v3
      with:
        ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
        path: x/y/z/some-path
    - uses: ./../action/init
      with:
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      # it's enough to test one compiled language and one interpreted language
        languages: csharp,javascript
        source-path: x/y/z/some-path/tests/multi-language-repo
        debug: true
      env:
        TEST_MODE: true
    - name: Build code (non-windows)
      shell: bash
      if: ${{ runner.os != 'Windows' }}
      run: |
        $CODEQL_RUNNER x/y/z/some-path/tests/multi-language-repo/build.sh
    - name: Build code (windows)
      shell: bash
      if: ${{ runner.os == 'Windows' }}
      run: |
        x/y/z/some-path/tests/multi-language-repo/build.sh
    - uses: ./../action/analyze
      with:
        checkout_path: x/y/z/some-path/tests/multi-language-repo
        ref: v1.1.0
        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
        upload: false
      env:
        TEST_MODE: true
    - uses: ./../action/upload-sarif
      with:
        ref: v1.1.0
        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
        checkout_path: x/y/z/some-path/tests/multi-language-repo
      env:
        TEST_MODE: true
    - name: Verify SARIF after upload
      shell: bash
      run: |
        EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
        EXPECTED_REF="v1.1.0"
        EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
        ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
        ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
        ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
        if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
          echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
          echo "$RUNNER_TEMP/payload.json"
          exit 1
        fi
        if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
          echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
          echo "$RUNNER_TEMP/payload.json"
          exit 1
        fi
        if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
          echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
          echo "$RUNNER_TEMP/payload.json"
          exit 1
        fi
    env:
      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/check-expected-release-files.yml
+++ b/.github/workflows/check-expected-release-files.yml
@@ -0,0 +1,25 @@
 name: Check Expected Release Files
 on:
  pull_request:
    paths:
      - .github/workflows/check-expected-release-files.yml
      - src/defaults.json
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
 jobs:
  check-expected-release-files:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout CodeQL Action
        uses: actions/checkout@v3
      - name: Check Expected Release Files
        run: |
          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
          set -x
          for expected_file in "codeql-bundle.tar.gz" "codeql-bundle-linux64.tar.gz" "codeql-bundle-osx64.tar.gz" "codeql-bundle-win64.tar.gz"; do
            curl --location --fail --head --request GET "https://github.com/github/codeql-action/releases/download/$bundle_version/$expected_file" > /dev/null
          done
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -2,30 +2,87 @@ name: "CodeQL action"
 on:
  push:
-    branches: [main, v1]
+    branches: [main, releases/v1, releases/v2]
  pull_request:
    branches: [main, releases/v1, releases/v2]
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
 jobs:
  # Identify the CodeQL tool versions to use in the analysis job.
  check-codeql-versions:
    runs-on: ubuntu-latest
    outputs:
      versions: ${{ steps.compare.outputs.versions }}
    permissions:
      security-events: write
    steps:
    - uses: actions/checkout@v3
    - name: Init with default CodeQL bundle from the VM image
      id: init-default
      uses: ./init
      with:
        languages: javascript
    - name: Remove empty database
      # allows us to run init a second time
      run: |
        rm -rf "$RUNNER_TEMP/codeql_databases"
    - name: Init with latest CodeQL bundle
      id: init-latest
      uses: ./init
      with:
        tools: latest
        languages: javascript
    - name: Compare default and latest CodeQL bundle versions
      id: compare
      env:
        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
      run: |
        CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
        # If we're running on a pull request, run with both bundles, even if `tools: latest` would
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
        # required status check.
        #
        # If we're running on push, then we can skip running with `tools: latest` when it would be
        # the same as running with `tools: null`.
        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
          VERSIONS_JSON='[null]'
        else
          VERSIONS_JSON='[null, "latest"]'
        fi
        # Output a JSON-encoded list with the distinct versions to test against.
        echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
        echo "::set-output name=versions::${VERSIONS_JSON}"
  build:
    needs: [check-codeql-versions]
    strategy:
      matrix:
        os: [ubuntu-latest,windows-latest,macos-latest]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}
    permissions:
      security-events: write
    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
      with:
        # Must fetch at least the immediate parents so that if this is
        # a pull request then we can checkout the head of the pull request.
        fetch-depth: 2
    # If this run was triggered by a pull request event then checkout
    # the head of the pull request instead of the merge commit.
    - run: git checkout HEAD^2
      if: ${{ github.event_name == 'pull_request' }}
    - uses: ./init
      id: init
      with:
        languages: javascript
        config-file: ./.github/codeql/codeql-config.yml
        tools: ${{ matrix.tools }}
    # confirm steps.init.outputs.codeql-path points to the codeql binary
    - name: Print CodeQL Version
      run: ${{steps.init.outputs.codeql-path}} version --format=json
    - uses: ./analyze
--- a/.github/workflows/codescanning-config-cli.yml
+++ b/.github/workflows/codescanning-config-cli.yml
@@ -0,0 +1,220 @@
 # Tests that the generated code scanning config file contains the expected contents
 name: Code-Scanning config CLI tests
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  CODEQL_PASS_CONFIG_TO_CLI: true
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  code-scanning-config-tests:
    continue-on-error: true
    strategy:
      fail-fast: true
      matrix:
        include:
        - os: ubuntu-latest
          version: latest
        - os: macos-latest
          version: latest
        - os: ubuntu-latest
          version: cached
        - os: macos-latest
          version: cached
        - os: ubuntu-latest
          version: nightly-latest
        - os: macos-latest
          version: nightly-latest
    # Code-Scanning config not created because environment variable is not set
    name: Code Scanning Configuration tests
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
    - name: Empty file
      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: "{}"
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Packs from input
      if: success() || failure()
      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
          }
        languages: javascript
        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Packs from input with +
      if: success() || failure()
      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
          }
        languages: javascript
        packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Queries from input
      if: success() || failure()
      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
            "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }]
          }
        languages: javascript
        queries: ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Queries from input with +
      if: success() || failure()
      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
            "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }]
          }
        languages: javascript
        queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Queries and packs from input with +
      if: success() || failure()
      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
            "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }],
            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
          }
        languages: javascript
        queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
        packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Queries and packs from config
      if: success() || failure()
      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
            "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }],
            "packs": {
              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
            }
          }
        languages: javascript
        config-file-test: .github/codeql/queries-and-packs-config.yml
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Queries and packs from config overriden by input
      if: success() || failure()
      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
            "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }],
            "packs": ["codeql/javascript-queries"]
          }
        languages: javascript
        queries: ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
        packs: codeql/javascript-queries
        config-file-test: .github/codeql/queries-and-packs-config.yml
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Queries and packs from config merging with input
      if: success() || failure()
      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
            "queries": [
              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" },
              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }
            ],
            "packs": {
              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2", "codeql/javascript-queries" ]
            }
          }
        languages: javascript
        queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
        packs: + codeql/javascript-queries
        config-file-test: .github/codeql/queries-and-packs-config.yml
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Multi-language packs from config
      if: success() || failure()
      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
            "packs": {
              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ],
              "ruby": ["codeql/ruby-queries"]
            },
            "queries": [
              { "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }
            ]
          }
        languages: javascript,ruby
        config-file-test: .github/codeql/multi-language-packs-config.yml
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Other config properties
      if: success() || failure()
      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: |
          {
            "name": "Config using all properties",
            "packs": ["codeql/javascript-queries" ],
            "disable-default-queries": true,
            "paths-ignore": ["xxx"],
            "paths": ["yyy"]
          }
        languages: javascript
        packs: + codeql/javascript-queries
        config-file-test: .github/codeql/other-config-properties.yml
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Config not generated when env var is not set
      if: success() || failure()
      env:
        CODEQL_PASS_CONFIG_TO_CLI: false
      uses: ./../action/.github/check-codescanning-config
      with:
        expected-config-file-contents: ""
        languages: javascript
        packs: + codeql/javascript-queries
        config-file-test: .github/codeql/other-config-properties.yml
        tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/debug-artifacts-failure.yml
+++ b/.github/workflows/debug-artifacts-failure.yml
@@ -0,0 +1,90 @@
 # Checks logs, SARIF, and database bundle debug artifacts exist
 # when the analyze step fails.
 name: PR Check - Debug artifacts after failure
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  upload-artifacts:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest]
    name: Upload debug artifacts after failure in analyze
    continue-on-error: true
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
      - name: Dump GitHub event
        run: cat "${GITHUB_EVENT_PATH}"
      - name: Check out repository
        uses: actions/checkout@v3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/prepare-test
        with:
          version: latest
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          debug: true
          debug-artifact-name: my-debug-artifacts
          debug-database-name: my-db
        env:
          TEST_MODE: true
      - name: Build code
        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis  
        with:
          expect-error: true
          ram: 1
        env:
          TEST_MODE: true
  download-and-check-artifacts:
    name: Download and check debug artifacts after failure in analyze
    needs: upload-artifacts
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@v3
      - name: Check expected artifacts exist
        shell: bash
        run: |
          OPERATING_SYSTEMS="ubuntu-latest macos-latest"
          LANGUAGES="cpp csharp go java javascript python"
          for os in $OPERATING_SYSTEMS; do
            pushd "./my-debug-artifacts-$os"
            echo "Artifacts from run on $os:"
            for language in $LANGUAGES; do
              echo "- Checking $language"
              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
                echo "Missing a partial database bundle for $language"
                exit 1
              fi
              if [[ ! -d "log" ]] ; then
                echo "Missing database initialization logs"
                exit 1
              fi
              if [[ ! -d "$language/log" ]] ; then
                echo "Missing logs for $language"
                exit 1
              fi
            done
            popd
          done
        env:
          INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/debug-artifacts.yml
+++ b/.github/workflows/debug-artifacts.yml
@@ -0,0 +1,87 @@
 # Checks logs, SARIF, and database bundle debug artifacts exist.
 name: PR Check - Debug artifact upload
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  upload-artifacts:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest]
        version: [stable-20210308, stable-20210319, stable-20210809, cached, latest, nightly-latest]
    name: Upload debug artifacts
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out repository
        uses: actions/checkout@v3
      - name: Prepare test
        id: prepare-test
        uses: ./.github/prepare-test
        with:
          version: ${{ matrix.version }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          debug: true
          debug-artifact-name: my-debug-artifacts
          debug-database-name: my-db
        env:
          TEST_MODE: true
      - name: Build code
        shell: bash
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis  
        env:
          TEST_MODE: true
  download-and-check-artifacts:
    name: Download and check debug artifacts
    needs: upload-artifacts
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@v3
      - name: Check expected artifacts exist
        shell: bash
        run: |
          OPERATING_SYSTEMS="ubuntu-latest macos-latest"
          VERSIONS="stable-20210308 stable-20210319 stable-20210809 cached latest nightly-latest"
          LANGUAGES="cpp csharp go java javascript python"
          for os in $OPERATING_SYSTEMS; do
            for version in $VERSIONS; do
              pushd "./my-debug-artifacts-$os-$version"
              echo "Artifacts from version $version on $os:"
              for language in $LANGUAGES; do
                echo "- Checking $language"
                if [[ ! -f "$language.sarif" ]] ; then
                  echo "Missing a SARIF file for $language"
                  exit 1
                fi
                if [[ ! -f "my-db-$language.zip" ]] ; then
                  echo "Missing a database bundle for $language"
                  exit 1
                fi
                if [[ ! -d "$language/log" ]] ; then
                  echo "Missing logs for $language"
                  exit 1
                fi
              done
              popd
            done
          done
        env:
          INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/expected-queries-runs.yml
+++ b/.github/workflows/expected-queries-runs.yml
@@ -0,0 +1,49 @@
 name: Check queries that ran
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  expected-queries:
    name: Expected Queries Tests
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: latest
    - uses: ./../action/init
      with:
        languages: javascript
        tools: ${{ steps.prepare-test.outputs.tools-url }}
      env:
        TEST_MODE: true
    - uses: ./../action/analyze
      with:
        output: ${{ runner.temp }}/results
        upload-database: false
        upload: false
      env:
        TEST_MODE: true
    - name: Check Sarif
      uses: ./../action/.github/check-sarif
      with:
        sarif-file: ${{ runner.temp }}/results/javascript.sarif
        queries-run: js/incomplete-hostname-regexp,js/path-injection
        queries-not-run: foo,bar
--- a/.github/workflows/integration-testing.yml
+++ b/.github/workflows/integration-testing.yml
@@ -1,449 +0,0 @@
 name: "Integration Testing"
 on:
  push:
    branches: [main, v1]
  pull_request:
 jobs:
  multi-language-repo_test-autodetect-languages:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Move codeql-action
      shell: bash
      run: |
        mkdir ../action
        mv * .github ../action/
        mv ../action/tests/multi-language-repo/{*,.github} .
    - uses: ./../action/init
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
    - run: |
        cd "$RUNNER_TEMP/codeql_databases"
        # List all directories as there will be precisely one directory per database
        # but there may be other files in this directory such as query suites.
        if [ "$(ls -d */ | wc -l)" != 6 ] || \
           [[ ! -d cpp ]] || \
           [[ ! -d csharp ]] || \
           [[ ! -d go ]] || \
           [[ ! -d java ]] || \
           [[ ! -d javascript ]] || \
           [[ ! -d python ]]; then
          echo "Did not find expected number of databases. Database dir contains: $(ls)"
          exit 1
        fi
  multi-language-repo_test-custom-queries-and-remote-config:
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    steps:
    - uses: actions/checkout@v2
    - name: Move codeql-action
      shell: bash
      run: |
        mkdir ../action
        mv * .github ../action/
        mv ../action/tests/multi-language-repo/{*,.github} .
    - uses: ./../action/init
      with:
        languages: cpp,csharp,java,javascript,python
        config-file: github/codeql-action/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
  # Currently is not possible to analyze Go in conjunction with other languages in macos
  multi-language-repo_test-go-custom-queries:
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    steps:
    - uses: actions/setup-go@v2
      if: ${{ matrix.os ==  'macos-latest' }}
      with:
        go-version: '^1.13.1'
    - uses: actions/checkout@v2
    - name: Move codeql-action
      shell: bash
      run: |
        mkdir ../action
        mv * .github ../action/
        mv ../action/tests/multi-language-repo/{*,.github} .
    - uses: ./../action/init
      with:
        languages: go
        config-file: ./.github/codeql/custom-queries.yml
    - name: Build code
      shell: bash
      run: ./build.sh
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
  multi-language-repo_rubocop:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Move codeql-action
      shell: bash
      run: |
        mkdir ../action
        mv * .github ../action/
        mv ../action/tests/multi-language-repo/{*,.github} .
    - name: Set up Ruby
      uses: ruby/setup-ruby@v1
      with:
        ruby-version: 2.6
    - name: Install Code Scanning integration
      run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
    - name: Install dependencies
      run: bundle install
    - name: Rubocop run
      run: |
        bash -c "
          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
          [[ $? -ne 2 ]]
        "
    - uses: ./../action/upload-sarif
      with:
        sarif_file: rubocop.sarif
      env:
        TEST_MODE: true
  test-proxy:
    runs-on: ubuntu-latest
    container:
      image: ubuntu:18.04
      options: --dns 127.0.0.1
    services:
      squid-proxy:
        image: datadog/squid:latest
        ports:
          - 3128:3128
    env:
      https_proxy: http://squid-proxy:3128
    steps:
    - uses: actions/checkout@v2
    - name: Move codeql-action
      shell: bash
      run: |
        mkdir ../action
        mv * .github ../action/
        mv ../action/tests/multi-language-repo/{*,.github} .
    - uses: ./../action/init
      with:
        languages: javascript
    - uses: ./../action/analyze
      env:
        TEST_MODE: true
  runner-analyze-javascript-ubuntu:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Build runner
      run: |
        cd runner
        npm install
        npm run build-runner
    - name: Run init
      run: |
        # Pass --config-file here, but not for other jobs in this workflow.
        # This means we're testing the config file parsing in the runner
        # but not slowing down all jobs unnecessarily as it doesn't add much
        # testing the parsing on different operating systems and languages.
        runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages javascript --config-file ./.github/codeql/codeql-config.yml --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
    - name: Run analyze
      run: |
        runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
      env:
        TEST_MODE: true
  runner-analyze-javascript-windows:
    runs-on: windows-latest
    steps:
    - uses: actions/checkout@v2
    - name: Build runner
      run: |
        cd runner
        npm install
        npm run build-runner
    - name: Run init
      run: |
        runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages javascript --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
    - name: Run analyze
      run: |
        runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
      env:
        TEST_MODE: true
  runner-analyze-javascript-macos:
    runs-on: macos-latest
    steps:
    - uses: actions/checkout@v2
    - name: Build runner
      run: |
        cd runner
        npm install
        npm run build-runner
    - name: Run init
      run: |
        runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages javascript --config-file ./.github/codeql/codeql-config.yml --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
    - name: Run analyze
      run: |
        runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
      env:
        TEST_MODE: true
  runner-analyze-csharp-ubuntu:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Move codeql-action
      shell: bash
      run: |
        mkdir ../action
        mv * .github ../action/
        mv ../action/tests/multi-language-repo/{*,.github} .
    - name: Build runner
      run: |
        cd ../action/runner
        npm install
        npm run build-runner
    - name: Run init
      run: |
        ../action/runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
    - name: Build code
      run: |
        . ./codeql-runner/codeql-env.sh
        dotnet build
    - name: Run analyze
      run: |
        ../action/runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
      env:
        TEST_MODE: true
  runner-analyze-csharp-windows:
    runs-on: windows-latest
    steps:
    - uses: actions/checkout@v2
    - name: Move codeql-action
      shell: bash
      run: |
        mkdir ../action
        mv * .github ../action/
        mv ../action/tests/multi-language-repo/{*,.github} .
    - name: Build runner
      run: |
        cd ../action/runner
        npm install
        npm run build-runner
    - name: Run init
      run: |
        ../action/runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages csharp --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
    - name: Build code
      shell: powershell
      run: |
        cat ./codeql-runner/codeql-env.sh | Invoke-Expression
        dotnet build
    - name: Run analyze
      run: |
        ../action/runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
      env:
        TEST_MODE: true
  runner-analyze-csharp-macos:
    runs-on: macos-latest
    steps:
    - uses: actions/checkout@v2
    - name: Move codeql-action
      shell: bash
      run: |
        mkdir ../action
        mv * .github ../action/
        mv ../action/tests/multi-language-repo/{*,.github} .
    - name: Build runner
      run: |
        cd ../action/runner
        npm install
        npm run build-runner
    - name: Run init
      run: |
        ../action/runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
    - name: Build code
      shell: bash
      run: |
        . ./codeql-runner/codeql-env.sh
        dotnet build
    - name: Run analyze
      run: |
        ../action/runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
      env:
        TEST_MODE: true
  runner-analyze-csharp-autobuild-ubuntu:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Move codeql-action
      shell: bash
      run: |
        mkdir ../action
        mv * .github ../action/
        mv ../action/tests/multi-language-repo/{*,.github} .
    - name: Build runner
      run: |
        cd ../action/runner
        npm install
        npm run build-runner
    - name: Run init
      run: |
        ../action/runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
    - name: Build code
      run: |
        ../action/runner/dist/codeql-runner-linux autobuild
    - name: Run analyze
      run: |
        ../action/runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
      env:
        TEST_MODE: true
  runner-analyze-csharp-autobuild-windows:
    runs-on: windows-latest
    steps:
    - uses: actions/checkout@v2
    - name: Move codeql-action
      shell: bash
      run: |
        mkdir ../action
        mv * .github ../action/
        mv ../action/tests/multi-language-repo/{*,.github} .
    - name: Build runner
      run: |
        cd ../action/runner
        npm install
        npm run build-runner
    - name: Run init
      run: |
        ../action/runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages csharp --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
    - name: Build code
      shell: powershell
      run: |
        ../action/runner/dist/codeql-runner-win.exe autobuild
    - name: Run analyze
      run: |
        ../action/runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
      env:
        TEST_MODE: true
  runner-analyze-csharp-autobuild-macos:
    runs-on: macos-latest
    steps:
    - uses: actions/checkout@v2
    - name: Move codeql-action
      shell: bash
      run: |
        mkdir ../action
        mv * .github ../action/
        mv ../action/tests/multi-language-repo/{*,.github} .
    - name: Build runner
      run: |
        cd ../action/runner
        npm install
        npm run build-runner
    - name: Run init
      run: |
        ../action/runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
    - name: Build code
      shell: bash
      run: |
        ../action/runner/dist/codeql-runner-macos autobuild
    - name: Run analyze
      run: |
        ../action/runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
      env:
        TEST_MODE: true
  runner-upload-sarif:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Build runner
      run: |
        cd runner
        npm install
        npm run build-runner
    - name: Upload with runner
      run: |
        # Deliberately don't use TEST_MODE here. This is specifically testing
        # the compatibility with the API.
        runner/dist/codeql-runner-linux upload --sarif-file src/testdata/empty-sarif.sarif --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -0,0 +1,137 @@
 # This workflow runs after a release of the action. For v2 releases, it merges any changes from the
 # release back into the main branch. Typically, this is just a single commit that updates the
 # changelog. For v2 and v1 releases, it then (a) tags the merge commit on the release branch that
 # represents the new release with an `vx.y.z` tag and (b) updates the `vx` tag to refer to this
 # commit.
 name: Tag release and merge back
 on:
  workflow_dispatch:
    inputs:
      baseBranch:
        description: 'The base branch to merge into'
        default: main
        required: false
  push:
    branches:
      - releases/v1
      - releases/v2
 jobs:
  merge-back:
    runs-on: ubuntu-latest
    if: github.repository == 'github/codeql-action'
    env:
      BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
      HEAD_BRANCH: "${{ github.head_ref || github.ref }}"
    steps:
      - name: Dump environment
        run: env
      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "${GITHUB_CONTEXT}"
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
      - name: Update git config
        run: |
          git config --global user.email "github-actions@github.com"
          git config --global user.name "github-actions[bot]"
      - name: Get version and new branch
        id: getVersion
        run: |
          VERSION="v$(jq '.version' -r 'package.json')"
          echo "::set-output name=version::${VERSION}"
          short_sha="${GITHUB_SHA:0:8}"
          NEW_BRANCH="mergeback/${VERSION}-to-${BASE_BRANCH}-${short_sha}"
          echo "::set-output name=newBranch::${NEW_BRANCH}"
      - name: Dump branches
        env:
          NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
        run: |
          echo "BASE_BRANCH ${BASE_BRANCH}"
          echo "HEAD_BRANCH ${HEAD_BRANCH}"
          echo "NEW_BRANCH ${NEW_BRANCH}"
      - name: Create mergeback branch
        env:
          NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
        run: |
          git checkout -b "${NEW_BRANCH}"
      - name: Check for tag
        id: check
        env:
          VERSION: "${{ steps.getVersion.outputs.version }}"
        run: |
          set +e # don't fail on an errored command
          git ls-remote --tags origin | grep "${VERSION}"
          exists="$?"
          if [ "${exists}" -eq 0 ]; then
            echo "Tag ${VERSION} exists. Not going to re-release."
            echo "::set-output name=exists::true"
          else
            echo "Tag ${VERSION} does not exist yet."
          fi
      # we didn't tag the release during the update-release-branch workflow because the
      # commit that actually makes it to the release branch is a merge commit,
      # and not yet known during the first workflow. We tag now because we know the correct commit.
      - name: Tag release
        if: steps.check.outputs.exists != 'true'
        env:
          VERSION: ${{ steps.getVersion.outputs.version }}
        run: |
          # Unshallow the repo in order to allow pushes
          git fetch --unshallow
          # Create the `vx.y.z` tag
          git tag --annotate "${VERSION}" --message "${VERSION}"
          # Update the `vx` tag
          major_version_tag=$(cut -d '.' -f1 <<< "${VERSION}")
          # Use `--force` to overwrite the major version tag
          git tag --annotate "${major_version_tag}" --message "${major_version_tag}" --force
          # Push the tags, using:
          # - `--atomic` to make sure we either update both tags or neither (an intermediate state,
          #   e.g. where we update the v2.x.y tag on the remote but not the v2 tag, could result in
          #   unwanted Dependabot updates, e.g. from v2 to v2.x.y)
          # - `--force` since we're overwriting the `vx` tag
          git push origin --atomic --force refs/tags/"${VERSION}" refs/tags/"${major_version_tag}"
      - name: Create mergeback branch
        if: steps.check.outputs.exists != 'true' && contains(github.ref, 'releases/v2')
        env:
          VERSION: "${{ steps.getVersion.outputs.version }}"
          NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: |
          set -exu
          pr_title="Mergeback ${VERSION} ${HEAD_BRANCH} into ${BASE_BRANCH}"
          pr_body="Updates version and changelog."
          # Update the version number ready for the next release
          npm version patch --no-git-tag-version
          # Update the changelog
          perl -i -pe 's/^/## \[UNRELEASED\]\n\nNo user facing changes.\n\n/ if($.==3)' CHANGELOG.md
          git add .
          git commit -m "Update changelog and version after ${VERSION}"
          git push origin "${NEW_BRANCH}"
          # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft
          # so that a maintainer can take the PR out of draft, thereby triggering the PR checks.
          gh pr create \
            --head "${NEW_BRANCH}" \
            --base "${BASE_BRANCH}" \
            --title "${pr_title}" \
            --label "Update dependencies" \
            --body "${pr_body}" \
            --draft
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -1,78 +1,121 @@
-name: "PR checks"
+name: PR Checks
 on:
  push:
-    branches: [main, v1]
+    branches: [main, releases/v1, releases/v2]
  pull_request:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
  workflow_dispatch:
 jobs:
  lint-js:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Run Lint
      run: npm run-script lint
  check-js:
    name: Check JS
    runs-on: ubuntu-latest
    timeout-minutes: 45
    strategy:
      fail-fast: true
      matrix:
        node-types-version: [12.12, current]
    steps:
-    - uses: actions/checkout@v2
+      - name: Checkout
-    - name: Check generated JavaScript
+        uses: actions/checkout@v3
-      run: |
+
-        # Sanity check that repo is clean to start with
+      - name: Lint
-        if [ ! -z "$(git status --porcelain)" ]; then
+        run: npm run-script lint
-          # If we get a fail here then this workflow needs attention...
+
-          >&2 echo "Failed: Repo should be clean before testing!"
+      - name: Update version of @types/node
-          exit 1
+        if: matrix.node-types-version != 'current'
-        fi
+        env:
-        # Wipe the lib directory incase there are extra unnecessary files in there
+          NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
-        rm -rf lib
+        run: |
-        # Generate the JavaScript files
+          # Export `NODE_TYPES_VERSION` so it's available to jq
-        npm run-script build
+          export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
-        # Check that repo is still clean
+          contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
-        if [ ! -z "$(git status --porcelain)" ]; then
+          echo "${contents}" > package.json
-          # If we get a fail here then the PR needs attention
+          # Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
-          >&2 echo "Failed: JavaScript files are not up to date. Run 'npm run-script build' to update"
+          # However we're not checking in the updated lockfile here, so it's fine to run
-          git status
+          # `npm install` on Linux.
-          exit 1
+          npm install
-        fi
+
-        echo "Success: JavaScript files are up to date"
+          if [ ! -z "$(git status --porcelain)" ]; then
            git config --global user.email "github-actions@github.com"
            git config --global user.name "github-actions[bot]"
            # The period in `git add --all .` ensures that we stage deleted files too.
            git add --all .
            git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
          fi
      - name: Check generated JS
        run: .github/workflows/script/check-js.sh
  check-node-modules:
-    runs-on: ubuntu-latest
+    name: Check modules up to date
    runs-on: macos-latest
    timeout-minutes: 45
    steps:
-    - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
-    - name: Check node modules up to date
+      - name: Check node modules up to date
-      run: |
+        run: .github/workflows/script/check-node-modules.sh
-        # Sanity check that repo is clean to start with
+
-        if [ ! -z "$(git status --porcelain)" ]; then
+  check-file-contents:
-          # If we get a fail here then this workflow needs attention...
+    name: Check file contents
-          >&2 echo "Failed: Repo should be clean before testing!"
+    runs-on: ubuntu-latest
-          exit 1
+    timeout-minutes: 45
-        fi
+
-        # Reinstall modules and then clean to remove absolute paths
+    steps:
-        # Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
+      - name: Checkout
-        npm ci
+        uses: actions/checkout@v3
-        npm run removeNPMAbsolutePaths
+
-        # Check that repo is still clean
+      # Checks for any conflict markers created by git. This check is primarily intended to validate that
-        if [ ! -z "$(git status --porcelain)" ]; then
+      # any merge conflicts in the v2 -> v1 backport PR are fixed before the PR is merged.
-          # If we get a fail here then the PR needs attention
+      - name: Check for merge conflicts
-          >&2 echo "Failed: node_modules are not up to date. Run 'npm ci' and 'npm run removeNPMAbsolutePaths' to update"
+        run: |
-          git status
+          # Use `|| true` since grep returns exit code 1 if there are no matches, and we don't want
-          exit 1
+          # this to fail the workflow.
-        fi
+          FILES_WITH_CONFLICTS=$(grep --extended-regexp --ignore-case --line-number --recursive \
-        echo "Success: node_modules are up to date"
+            '^(<<<<<<<|>>>>>>>)' . || true)
          if [[ "${FILES_WITH_CONFLICTS}" ]]; then
            echo "Fail: Found merge conflict markers in the following files:"
            echo ""
            echo "${FILES_WITH_CONFLICTS}"
            exit 1
          else
            echo "Success: Found no merge conflict markers."
          fi
      - name: Set up Python
        uses: actions/setup-python@v3
        with:
          python-version: 3.8
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install ruamel.yaml
      # Ensure the generated PR check workflows are up to date.
      - name: Verify PR checks up to date
        run: .github/workflows/script/verify-pr-checks.sh
  npm-test:
    name: Unit Test
    needs: [check-js, check-node-modules]
    strategy:
      matrix:
-        os: [ubuntu-latest,macos-latest]
+        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45
    steps:
-    - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
-    - name: npm run-script test
+      - name: npm test
-      run: npm run-script test
+        run: |
          # Run any commands referenced in package.json using Bash, otherwise
          # we won't be able to find them on Windows.
          npm config set script-shell bash
          npm test
--- a/.github/workflows/python-deps.yml
+++ b/.github/workflows/python-deps.yml
@@ -0,0 +1,186 @@
 name: Test Python Package Installation on Linux and Mac
 on:
  push:
    branches: [main, releases/v1, releases/v2]
  pull_request:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
    paths:
      # Changes to this workflow.
      - '.github/workflows/python-deps.yml'
      # Changes to the Python package installation scripts and their tests.
      - 'python-setup/**'
      # Changes to the default CodeQL bundle version.
      - '**/defaults.json'
  schedule:
    # Weekly on Monday.
    - cron: '0 0 * * 1'
  workflow_dispatch:
 jobs:
  test-setup-python-scripts:
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    strategy:
        fail-fast: false
        matrix:
          os: [ubuntu-latest, macos-latest]
          python_deps_type: [pipenv, poetry, requirements, setup_py]
          python_version: [2, 3]
          exclude:
            # Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
            - python_version: 2
              python_deps_type: poetry
            # Python2 and pipenv are not supported since pipenv v2021.11.5
            - python_version: 2
              python_deps_type: pipenv
    env:
      PYTHON_DEPS_TYPE: ${{ matrix.python_deps_type }}
      PYTHON_VERSION: ${{ matrix.python_version }}
    steps:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
    - uses: actions/checkout@v3
    - name: Initialize CodeQL
      uses: ./init
      id: init
      with:
        tools: latest
        languages: python
        setup-python-dependencies: false
    - name: Test Auto Package Installation
      run: |
        set -x
        $GITHUB_WORKSPACE/python-setup/install_tools.sh
        cd $GITHUB_WORKSPACE/python-setup/tests/${PYTHON_DEPS_TYPE}/requests-${PYTHON_VERSION}
        case ${{ matrix.os }} in
            ubuntu-latest*)     basePath="/opt";;
            macos-latest*)    basePath="/Users/runner";;
        esac
        echo ${basePath}
        $GITHUB_WORKSPACE/python-setup/auto_install_packages.py "$(dirname ${{steps.init.outputs.codeql-path}})"
    - name: Setup for extractor
      run: |
        echo $CODEQL_PYTHON
        # only run if $CODEQL_PYTHON is set
        if [ ! -z $CODEQL_PYTHON ]; then
            $GITHUB_WORKSPACE/python-setup/tests/from_python_exe.py $CODEQL_PYTHON;
        fi
    - name: Verify packages installed
      run: |
        $GITHUB_WORKSPACE/python-setup/tests/check_requests_2_26_0.sh ${PYTHON_VERSION}
  # This one shouldn't fail, but also won't install packages
  test-setup-python-scripts-non-standard-location:
    runs-on: ${{ matrix.os }}
    strategy:
        fail-fast: false
        matrix:
          os: [ubuntu-latest, macos-latest]
    steps:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
    - uses: actions/checkout@v3
    - name: Initialize CodeQL
      uses: ./init
      id: init
      with:
        tools: latest
        languages: python
        setup-python-dependencies: false
    - name: Test Auto Package Installation
      run: |
        set -x
        $GITHUB_WORKSPACE/python-setup/install_tools.sh
        cd $GITHUB_WORKSPACE/python-setup/tests/requirements/non-standard-location
        case ${{ matrix.os }} in
            ubuntu-latest*)     basePath="/opt";;
            macos-latest*)    basePath="/Users/runner";;
        esac
        echo ${basePath}
        $GITHUB_WORKSPACE/python-setup/auto_install_packages.py "$(dirname ${{steps.init.outputs.codeql-path}})"
    - name: Setup for extractor
      run: |
        echo $CODEQL_PYTHON
        # only run if $CODEQL_PYTHON is set
        if [ ! -z $CODEQL_PYTHON ]; then
            $GITHUB_WORKSPACE/python-setup/tests/from_python_exe.py $CODEQL_PYTHON;
        fi
    - name: Verify packages installed
      run: |
        test -z $LGTM_INDEX_IMPORT_PATH
  test-setup-python-scripts-windows:
    runs-on: windows-latest
    strategy:
        fail-fast: false
        matrix:
          python_deps_type: [pipenv, poetry, requirements, setup_py]
          python_version: [2, 3]
          exclude:
            # Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
            - python_version: 2
              python_deps_type: poetry
            # Python2 and pipenv are not supported since pipenv v2021.11.5
            - python_version: 2
              python_deps_type: pipenv
    env:
      PYTHON_DEPS_TYPE: ${{ matrix.python_deps_type }}
      PYTHON_VERSION: ${{ matrix.python_version }}
    steps:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
    - uses: actions/checkout@v3
    - uses: actions/setup-python@v3
      with:
        python-version: ${{ matrix.python_version }}
    - name: Initialize CodeQL
      uses: ./init
      with:
        tools: latest
        languages: python
        setup-python-dependencies: false
      env:
        TEST_MODE: true
    - name: Test Auto Package Installation
      run: |
        $cmd = $Env:GITHUB_WORKSPACE + "\\python-setup\\install_tools.ps1"
        powershell -File $cmd
        cd $Env:GITHUB_WORKSPACE\\python-setup/tests/$Env:PYTHON_DEPS_TYPE/requests-$Env:PYTHON_VERSION
        $DefaultsPath = Join-Path (Join-Path $Env:GITHUB_WORKSPACE "src") "defaults.json"
        $CodeQLBundleName = (Get-Content -Raw -Path $DefaultsPath | ConvertFrom-Json).bundleVersion
        $CodeQLVersion = "0.0.0-" + $CodeQLBundleName.split("-")[-1]
        py -3 $Env:GITHUB_WORKSPACE\\python-setup\\auto_install_packages.py C:\\hostedtoolcache\\windows\\CodeQL\\$CodeQLVersion\\x64\\codeql
    - name: Setup for extractor
      run: |
        echo $Env:CODEQL_PYTHON
        py -3 $Env:GITHUB_WORKSPACE\\python-setup\\tests\\from_python_exe.py $Env:CODEQL_PYTHON
    - name: Verify packages installed
      run: |
        $cmd = $Env:GITHUB_WORKSPACE + "\\python-setup\\tests\\check_requests_2_26_0.ps1"
        powershell -File $cmd $Env:PYTHON_VERSION
--- a/.github/workflows/query-filters.yml
+++ b/.github/workflows/query-filters.yml
@@ -0,0 +1,56 @@
 name: Query filters tests
 on:
  push:
    branches:
    - main
    - releases/v1
    - releases/v2
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  workflow_dispatch: {}
 jobs:
  query-filters:
    name: Query Filters Tests
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
    - name: Check out repository
      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: latest
    - name: Check SARIF for default queries with Single include, Single exclude
      uses: ./../action/.github/query-filter-test
      with:
        sarif-file:  ${{ runner.temp }}/results/javascript.sarif
        queries-run: js/zipslip
        queries-not-run: js/path-injection
        config-file: ./.github/codeql/codeql-config-query-filters1.yml
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Check SARIF for query packs with Single include, Single exclude
      uses: ./../action/.github/query-filter-test
      with:
        sarif-file:  ${{ runner.temp }}/results/javascript.sarif
        queries-run: js/zipslip,javascript/example/empty-or-one-block
        queries-not-run: js/path-injection
        config-file: ./.github/codeql/codeql-config-query-filters2.yml
        tools: ${{ steps.prepare-test.outputs.tools-url }}
    - name: Check SARIF for query packs and local queries with Single include, Single exclude
      uses: ./../action/.github/query-filter-test
      with:
        sarif-file:  ${{ runner.temp }}/results/javascript.sarif
        queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs
        queries-not-run: js/path-injection,complex-python-querypack/show-ifs,complex-python-querypack/foo/bar/show-ifs
        config-file: ./.github/codeql/codeql-config-query-filters3.yml
        tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/runner-checks.yml
+++ b/.github/workflows/runner-checks.yml
@@ -0,0 +1,412 @@
 name: CodeQL Runner Checks
 on:
  push:
    branches: [main, releases/v1, releases/v2]
  pull_request:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
  workflow_dispatch:
 jobs:
  runner-analyze-javascript-ubuntu:
    name: Runner ubuntu JS analyze
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build runner
        run: |
          cd runner
          npm install
          npm run build-runner
      - name: Run init
        run: |
          # Pass --config-file here, but not for other jobs in this workflow.
          # This means we're testing the config file parsing in the runner
          # but not slowing down all jobs unnecessarily as it doesn't add much
          # testing the parsing on different operating systems and languages.
          runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages javascript --config-file ./.github/codeql/codeql-config.yml --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
      - name: Run analyze
        run: |
          runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
  runner-analyze-javascript-windows:
    name: Runner windows JS analyze
    timeout-minutes: 45
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build runner
        run: |
          cd runner
          npm install
          npm run build-runner
      - name: Run init
        run: |
          runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages javascript --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
      - name: Run analyze
        run: |
          runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
  runner-analyze-javascript-macos:
    name: Runner macos JS analyze
    timeout-minutes: 45
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build runner
        run: |
          cd runner
          npm install
          npm run build-runner
      - name: Run init
        run: |
          runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages javascript --config-file ./.github/codeql/codeql-config.yml --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
      - name: Run analyze
        run: |
          runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
  runner-analyze-csharp-ubuntu:
    name: Runner ubuntu C# analyze
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Move codeql-action
        shell: bash
        run: |
          mkdir ../action
          mv * .github ../action/
          mv ../action/tests/multi-language-repo/{*,.github} .
          mv ../action/.github/workflows .github
      - name: Build runner
        run: |
          cd ../action/runner
          npm install
          npm run build-runner
      - name: Run init
        run: |
          ../action/runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
      - name: Build code
        run: |
          . ./codeql-runner/codeql-env.sh
          $CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false
      - name: Run analyze
        run: |
          ../action/runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
  runner-analyze-csharp-windows:
    name: Runner windows C# analyze
    # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
    # `windows-latest`.
    timeout-minutes: 45
    runs-on: windows-2019
    steps:
      - uses: actions/checkout@v3
      - name: Move codeql-action
        shell: bash
        run: |
          mkdir ../action
          mv * .github ../action/
          mv ../action/tests/multi-language-repo/{*,.github} .
          mv ../action/.github/workflows .github
      - name: Build runner
        run: |
          cd ../action/runner
          npm install
          npm run build-runner
      - name: Run init
        run: |
          ../action/runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages csharp --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
      - name: Build code
        shell: powershell
        run: |
          cat ./codeql-runner/codeql-env.sh | Invoke-Expression
          & $Env:CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false
      - name: Upload tracer logs
        uses: actions/upload-artifact@v3
        with:
          name: tracer-logs
          path: ./codeql-runner/compound-build-tracer.log
      - name: Run analyze
        run: |
          ../action/runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
  runner-analyze-csharp-macos:
    name: Runner macos C# analyze
    timeout-minutes: 45
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v3
      - name: Move codeql-action
        shell: bash
        run: |
          mkdir ../action
          mv * .github ../action/
          mv ../action/tests/multi-language-repo/{*,.github} .
          mv ../action/.github/workflows .github
      - name: Build runner
        run: |
          cd ../action/runner
          npm install
          npm run build-runner
      - name: Run init
        run: |
          ../action/runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
      - name: Build code
        shell: bash
        run: |
          . ./codeql-runner/codeql-env.sh
          $CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false
      - name: Run analyze
        run: |
          ../action/runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
  runner-analyze-csharp-autobuild-ubuntu:
    name: Runner ubuntu autobuild C# analyze
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Move codeql-action
        shell: bash
        run: |
          mkdir ../action
          mv * .github ../action/
          mv ../action/tests/multi-language-repo/{*,.github} .
          mv ../action/.github/workflows .github
      - name: Build runner
        run: |
          cd ../action/runner
          npm install
          npm run build-runner
      - name: Run init
        run: |
          ../action/runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
      - name: Build code
        run: |
          ../action/runner/dist/codeql-runner-linux autobuild
      - name: Run analyze
        run: |
          ../action/runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
  runner-analyze-csharp-autobuild-windows:
    timeout-minutes: 45
    name: Runner windows autobuild C# analyze
    # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
    # `windows-latest`.
    runs-on: windows-2019
    steps:
      - uses: actions/checkout@v3
      - name: Move codeql-action
        shell: bash
        run: |
          mkdir ../action
          mv * .github ../action/
          mv ../action/tests/multi-language-repo/{*,.github} .
          mv ../action/.github/workflows .github
      - name: Build runner
        run: |
          cd ../action/runner
          npm install
          npm run build-runner
      - name: Run init
        run: |
          ../action/runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages csharp --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
      - name: Build code
        shell: powershell
        run: |
          ../action/runner/dist/codeql-runner-win.exe autobuild
      - name: Run analyze
        run: |
          ../action/runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
  runner-analyze-csharp-autobuild-macos:
    name: Runner macos autobuild C# analyze
    runs-on: macos-latest
    timeout-minutes: 45
    steps:
      - uses: actions/checkout@v3
      - name: Move codeql-action
        shell: bash
        run: |
          mkdir ../action
          mv * .github ../action/
          mv ../action/tests/multi-language-repo/{*,.github} .
          mv ../action/.github/workflows .github
      - name: Build runner
        run: |
          cd ../action/runner
          npm install
          npm run build-runner
      - name: Run init
        run: |
          ../action/runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
      - name: Build code
        shell: bash
        run: |
          . codeql-runner/codeql-env.sh
          CODEQL_RUNNER="$(cat codeql-runner/codeql-env.json | jq -r '.CODEQL_RUNNER')"
          echo "$CODEQL_RUNNER"
          $CODEQL_RUNNER ../action/runner/dist/codeql-runner-macos autobuild
      - name: Run analyze
        run: |
          ../action/runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
  runner-upload-sarif:
    name: Runner upload sarif
    runs-on: ubuntu-latest
    timeout-minutes: 45
    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}
    steps:
      - uses: actions/checkout@v3
      - name: Build runner
        run: |
          cd runner
          npm install
          npm run build-runner
      - name: Upload with runner
        run: |
          # Deliberately don't use TEST_MODE here. This is specifically testing
          # the compatibility with the API.
          runner/dist/codeql-runner-linux upload --sarif-file src/testdata/empty-sarif.sarif --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
  runner-extractor-ram-threads-options:
    name: Runner ubuntu extractor RAM and threads options
    runs-on: ubuntu-latest
    timeout-minutes: 45
    steps:
      - uses: actions/checkout@v3
      - name: Build runner
        run: |
          cd runner
          npm install
          npm run build-runner
      - name: Run init
        run: |
          runner/dist/codeql-runner-linux init --ram=230 --threads=1 --repository $GITHUB_REPOSITORY --languages java --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
        env:
          TEST_MODE: true
      - name: Assert Results
        shell: bash
        run: |
          . ./codeql-runner/codeql-env.sh
          if [ "${CODEQL_RAM}" != "230" ]; then
            echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
            exit 1
          fi
          if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
            echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
            exit 1
          fi
          if [ "${CODEQL_THREADS}" != "1" ]; then
            echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
            exit 1
          fi
          if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
            echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
            exit 1
          fi
--- a/.github/workflows/script/check-js.sh
+++ b/.github/workflows/script/check-js.sh
@@ -0,0 +1,21 @@
 #!/bin/bash
 set -eu
 # Sanity check that repo is clean to start with
 if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then this workflow needs attention...
    >&2 echo "Failed: Repo should be clean before testing!"
    exit 1
 fi
 # Wipe the lib directory incase there are extra unnecessary files in there
 rm -rf lib
 # Generate the JavaScript files
 npm run-script build
 # Check that repo is still clean
 if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then the PR needs attention
    >&2 echo "Failed: JavaScript files are not up to date. Run 'rm -rf lib && npm run-script build' to update"
    git status
    exit 1
 fi
 echo "Success: JavaScript files are up to date"
--- a/.github/workflows/script/check-node-modules.sh
+++ b/.github/workflows/script/check-node-modules.sh
@@ -0,0 +1,22 @@
 #!/bin/bash
 set -eu
 # Sanity check that repo is clean to start with
 if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then this workflow needs attention...
    >&2 echo "Failed: Repo should be clean before testing!"
    exit 1
 fi
 sudo npm install --force -g npm@latest
 # Reinstall modules and then clean to remove absolute paths
 # Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
 npm ci
 npm run removeNPMAbsolutePaths
 # Check that repo is still clean
 if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then the PR needs attention
    >&2 echo "Failed: node_modules are not up to date. Run 'npm ci && npm run removeNPMAbsolutePaths' on a macOS machine to update. Note it is important this command is run on macOS and not any other operating system as there is one dependency (fsevents) that is needed for macOS and may not be installed if the command is run on a Windows or Linux machine."
    git status
    exit 1
 fi
 echo "Success: node_modules are up to date"
--- a/.github/workflows/script/update-required-checks.sh
+++ b/.github/workflows/script/update-required-checks.sh
@@ -0,0 +1,37 @@
 #!/usr/bin/env bash
 # Update the required checks based on the current branch.
 # Typically, this will be main.
 if ! gh auth status 2>/dev/null; then
  gh auth status
  echo "Failed: Not authorized. This script requires admin access to github/codeql-action through the gh CLI."
  exit 1
 fi
 if [ "$#" -eq 1 ]; then
  # If we were passed an argument, use that as the SHA
  GITHUB_SHA="$0"
 elif [ "$#" -gt 1 ]; then
  echo "Usage: $0 [SHA]"
  echo "Update the required checks based on the SHA, or main."
  exit 1
 elif [ -z "$GITHUB_SHA" ]; then
  # If we don't have a SHA, use main
  GITHUB_SHA="$(git rev-parse main)"
 fi
 echo "Getting checks for $GITHUB_SHA"
 # Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
 CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") or contains("update") | not)] | unique | sort')"
 echo "$CHECKS" | jq
 echo "{\"contexts\": ${CHECKS}}" > checks.json
 for BRANCH in main releases/v2 releases/v1; do
  echo "Updating $BRANCH"
  gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
 done
 rm checks.json
--- a/.github/workflows/script/verify-pr-checks.sh
+++ b/.github/workflows/script/verify-pr-checks.sh
@@ -0,0 +1,25 @@
 #!/bin/bash
 set -eu
 # Sanity check that repo is clean to start with
 if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then this workflow needs attention...
    >&2 echo "Failed: Repo should be clean before testing!"
    exit 1
 fi
 # Wipe the generated PR checks in case there are extra unnecessary files in there
 rm -rf .github/workflows/__*
 # Generate the PR checks
 cd pr-checks && python3 sync.py
 # Check that repo is still clean
 if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then the PR needs attention
    git diff
    git status
    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && python3 sync.py' to update"
    exit 1
 fi
 echo "Success: PR checks are up to date"
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -0,0 +1,40 @@
 name: Update dependencies
 on:
  pull_request_target:
    types: [opened, synchronize, reopened, ready_for_review, labeled]
 jobs:
  update:
    name: Update dependencies
    timeout-minutes: 45
    runs-on: macos-latest
    if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
    steps:
    - name: Checkout repository
      uses: actions/checkout@v3
    - name: Remove PR label
      env:
        REPOSITORY: '${{ github.repository }}'
        PR_NUMBER: '${{ github.event.pull_request.number }}'
        GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
      run: |
        gh api "repos/$REPOSITORY/issues/$PR_NUMBER/labels/Update%20dependencies" -X DELETE
    - name: Push updated dependencies
      env:
        BRANCH: '${{ github.head_ref }}'
      run: |
        git fetch origin "$BRANCH" --depth=1
        git checkout "origin/$BRANCH"
        sudo npm install --force -g npm@latest
        npm install
        npm ci
        npm run removeNPMAbsolutePaths
        if [ ! -z "$(git status --porcelain)" ]; then
          git config --global user.email "github-actions@github.com"
          git config --global user.name "github-actions[bot]"
          git add node_modules
          git commit -am "Update checked-in dependencies"
          git push origin "HEAD:$BRANCH"
        fi
--- a/.github/workflows/update-release-branch.yml
+++ b/.github/workflows/update-release-branch.yml
@@ -1,32 +1,62 @@
 name: Update release branch
 on:
-  schedule:
+  # You can trigger this workflow via workflow dispatch to start a release.
-    - cron: 0 9 * * 1
+  # This will open a PR to update the v2 release branch.
  repository_dispatch:
    # Example of how to trigger this:
    # curl -H "Authorization: Bearer <token>" -X POST https://api.github.com/repos/github/codeql-action/dispatches -d '{"event_type":"update-release-branch"}'
    # Replace <token> with a personal access token from this page: https://github.com/settings/tokens
    types: [update-release-branch]
  workflow_dispatch:
  # When the v2 release is complete, this workflow will open a PR to update the v1 release branch.
  push:
    branches:
      - releases/v2
 jobs:
  update:
    timeout-minutes: 45
    runs-on: ubuntu-latest
    if: github.repository == 'github/codeql-action'
    steps:
-    - uses: actions/checkout@v2
+    - name: Dump environment
      run: env
    - name: Dump GitHub context
      env:
        GITHUB_CONTEXT: '${{ toJson(github) }}'
      run: echo "$GITHUB_CONTEXT"
    - uses: actions/checkout@v3
      with:
        # Need full history so we calculate diffs
        fetch-depth: 0
    - name: Set up Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v3
      with:
-        python-version: 3.5
+        python-version: 3.8
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
-        pip install PyGithub==1.51 requests
+        pip install PyGithub==1.55 requests
-    - name: Update release branch
+    - name: Update git config
-      run: python .github/update-release-branch.py ${{ secrets.GITHUB_TOKEN }} ${{ github.repository }}
+      run: |
        git config --global user.email "github-actions@github.com"
        git config --global user.name "github-actions[bot]"
    - name: Update v2 release branch
      if: github.event_name == 'workflow_dispatch'
      run: |
        python .github/update-release-branch.py \
          --github-token ${{ secrets.GITHUB_TOKEN }} \
          --repository-nwo ${{ github.repository }} \
          --mode v2-release \
          --conductor ${GITHUB_ACTOR}
    - name: Update v1 release branch
      if: github.event_name == 'push'
      run: |
        python .github/update-release-branch.py \
          --github-token ${{ secrets.GITHUB_TOKEN }} \
          --repository-nwo ${{ github.repository }} \
          --mode v1-release \
          --conductor ${GITHUB_ACTOR}
--- a/.github/workflows/update-supported-enterprise-server-versions.yml
+++ b/.github/workflows/update-supported-enterprise-server-versions.yml
@@ -0,0 +1,47 @@
 name: Update Supported Enterprise Server Versions
 on:
  schedule:
    - cron: "0 0 * * *"
 jobs:
  update-supported-enterprise-server-versions:
    name: Update Supported Enterprise Server Versions
    timeout-minutes: 45
    runs-on: ubuntu-latest
    if: ${{ github.repository == 'github/codeql-action' }}
    steps:
      - name: Setup Python
        uses: actions/setup-python@v3
        with:
          python-version: "3.7"
      - name: Checkout CodeQL Action
        uses: actions/checkout@v3
      - name: Checkout Enterprise Releases
        uses: actions/checkout@v3
        with:
          repository: github/enterprise-releases
          ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}
          path: ${{ github.workspace }}/enterprise-releases/
      - name: Update Supported Enterprise Server Versions
        run: |
          cd ./.github/workflows/update-supported-enterprise-server-versions/
          python3 -m pip install pipenv
          pipenv install
          pipenv run ./update.py
          rm --recursive "$ENTERPRISE_RELEASES_PATH"
          npm run build
        env:
          ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
      - name: Commit Changes
        uses: peter-evans/create-pull-request@c7f493a8000b8aeb17a1332e326ba76b57cb83eb # v3.4.1
        with:
          commit-message: Update supported GitHub Enterprise Server versions.
          title: Update supported GitHub Enterprise Server versions.
          body: ""
          author: GitHub <noreply@github.com>
          branch: update-supported-enterprise-server-versions
          draft: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/update-supported-enterprise-server-versions/Pipfile
+++ b/.github/workflows/update-supported-enterprise-server-versions/Pipfile
@@ -0,0 +1,9 @@
 [[source]]
 name = "pypi"
 url = "https://pypi.org/simple"
 verify_ssl = true
 [dev-packages]
 [packages]
 semver = "*"
--- a/.github/workflows/update-supported-enterprise-server-versions/Pipfile.lock
+++ b/.github/workflows/update-supported-enterprise-server-versions/Pipfile.lock
@@ -0,0 +1,27 @@
 {
    "_meta": {
        "hash": {
            "sha256": "e3ba923dcb4888e05de5448c18a732bf40197e80fabfa051a61c01b22c504879"
        },
        "pipfile-spec": 6,
        "requires": {},
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "semver": {
            "hashes": [
                "sha256:ced8b23dceb22134307c1b8abfa523da14198793d9787ac838e70e29e77458d4",
                "sha256:fa0fe2722ee1c3f57eac478820c3a5ae2f624af8264cbdf9000c980ff7f75e3f"
            ],
            "index": "pypi",
            "version": "==2.13.0"
        }
    },
    "develop": {}
 }
--- a/.github/workflows/update-supported-enterprise-server-versions/update.py
+++ b/.github/workflows/update-supported-enterprise-server-versions/update.py
@@ -0,0 +1,43 @@
 #!/usr/bin/env python3
 import datetime
 import json
 import os
 import pathlib
 import semver
 _API_COMPATIBILITY_PATH = pathlib.Path(__file__).absolute().parents[3] / "src" / "api-compatibility.json"
 _ENTERPRISE_RELEASES_PATH = pathlib.Path(os.environ["ENTERPRISE_RELEASES_PATH"])
 _RELEASE_FILE_PATH = _ENTERPRISE_RELEASES_PATH / "releases.json"
 _FIRST_SUPPORTED_RELEASE = semver.VersionInfo.parse("2.22.0") # Versions older than this did not include Code Scanning.
 def main():
 	api_compatibility_data = json.loads(_API_COMPATIBILITY_PATH.read_text())
 	releases = json.loads(_RELEASE_FILE_PATH.read_text())
 	oldest_supported_release = None
 	newest_supported_release = semver.VersionInfo.parse(api_compatibility_data["maximumVersion"] + ".0")
 	for release_version_string, release_data in releases.items():
 		release_version = semver.VersionInfo.parse(release_version_string + ".0")
 		if release_version < _FIRST_SUPPORTED_RELEASE:
 			continue
 		if release_version > newest_supported_release:
 			feature_freeze_date = datetime.date.fromisoformat(release_data["feature_freeze"])
 			if feature_freeze_date < datetime.date.today() + datetime.timedelta(weeks=2):
 				newest_supported_release = release_version
 		if oldest_supported_release is None or release_version < oldest_supported_release:
 			end_of_life_date = datetime.date.fromisoformat(release_data["end"])
 			if end_of_life_date > datetime.date.today():
 				oldest_supported_release = release_version
 	api_compatibility_data = {
 		"minimumVersion": f"{oldest_supported_release.major}.{oldest_supported_release.minor}",
 		"maximumVersion": f"{newest_supported_release.major}.{newest_supported_release.minor}",
 	}
 	_API_COMPATIBILITY_PATH.write_text(json.dumps(api_compatibility_data, sort_keys=True) + "\n")
 if __name__ == "__main__":
 	main()
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 /runner/dist/
 /runner/node_modules/
 # Ignore for example failing-tests.json from AVA
 node_modules/.cache
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -0,0 +1,15 @@
 {
 	"version": "2.0.0",
 	"tasks": [
 		{
 			"type": "typescript",
 			"tsconfig": "tsconfig.json",
 			"option": "watch",
 			"problemMatcher": [
 				"$tsc-watch"
 			],
 			"group": "build",
 			"label": "tsc: watch - tsconfig.json"
 		}
 	]
 }
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,269 @@
 # CodeQL Action Changelog
 ## 1.1.23 - 14 Sep 2022
 - Allow CodeQL packs to be downloaded from GitHub Enterprise Server instances, using the new `registries` input for the `init` action.  [#1221](https://github.com/github/codeql-action/pull/1221)
 - Update default CodeQL bundle version to 2.10.5. [#1240](https://github.com/github/codeql-action/pull/1240)
 ## 1.1.22 - 01 Sep 2022
 - Downloading CodeQL packs has been moved to the `init` step. Previously, CodeQL packs were downloaded during the `analyze` step. [#1218](https://github.com/github/codeql-action/pull/1218)
 - Update default CodeQL bundle version to 2.10.4. [#1224](https://github.com/github/codeql-action/pull/1224)
 - The newly released [Poetry 1.2](https://python-poetry.org/blog/announcing-poetry-1.2.0) is not yet supported. In the most common case where the CodeQL Action is automatically installing Python dependencies, it will continue to install and use Poetry 1.1 on its own. However, in certain cases such as with self-hosted runners, you may need to ensure Poetry 1.1 is installed yourself.
 ## 1.1.21 - 25 Aug 2022
 - Improve error messages when the code scanning configuration file includes an invalid `queries` block or an invalid `query-filters` block. [#1208](https://github.com/github/codeql-action/pull/1208)
 - Fix a bug where Go build tracing could fail on Windows. [#1209](https://github.com/github/codeql-action/pull/1209)
 ## 1.1.20 - 22 Aug 2022
 No user facing changes.
 ## 1.1.19 - 17 Aug 2022
 - Add the ability to filter queries from a code scanning run by using the `query-filters` option in the code scanning configuration file. [#1098](https://github.com/github/codeql-action/pull/1098)
 - In debug mode, debug artifacts are now uploaded even if a step in the Actions workflow fails. [#1159](https://github.com/github/codeql-action/pull/1159)
 - Update default CodeQL bundle version to 2.10.3. [#1178](https://github.com/github/codeql-action/pull/1178)
 - The combination of python2 and Pipenv is no longer supported. [#1181](https://github.com/github/codeql-action/pull/1181)
 ## 1.1.18 - 03 Aug 2022
 - Update default CodeQL bundle version to 2.10.2.  [#1156](https://github.com/github/codeql-action/pull/1156)
 ## 1.1.17 - 28 Jul 2022
 - Update default CodeQL bundle version to 2.10.1.  [#1143](https://github.com/github/codeql-action/pull/1143)
 ## 1.1.16 - 13 Jul 2022
 - You can now quickly debug a job that uses the CodeQL Action by re-running the job from the GitHub UI and selecting the "Enable debug logging" option. [#1132](https://github.com/github/codeql-action/pull/1132)
 - You can now see diagnostic messages produced by the analysis in the logs of the `analyze` Action by enabling debug mode. To enable debug mode, pass `debug: true` to the `init` Action, or [enable step debug logging](https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging#enabling-step-debug-logging). This feature is available for CodeQL CLI version 2.10.0 and later. [#1133](https://github.com/github/codeql-action/pull/1133)
 ## 1.1.15 - 28 Jun 2022
 - CodeQL query packs listed in the `packs` configuration field will be skipped if their target language is not being analyzed in the current Actions job. Previously, this would throw an error. [#1116](https://github.com/github/codeql-action/pull/1116)
 - The combination of python2 and poetry is no longer supported. See <https://github.com/actions/setup-python/issues/374> for more details. [#1124](https://github.com/github/codeql-action/pull/1124)
 - Update default CodeQL bundle version to 2.10.0. [#1123](https://github.com/github/codeql-action/pull/1123)
 ## 1.1.14 - 22 Jun 2022
 No user facing changes.
 ## 1.1.13 - 21 Jun 2022
 - Update default CodeQL bundle version to 2.9.4. [#1100](https://github.com/github/codeql-action/pull/1100)
 ## 1.1.12 - 01 Jun 2022
 - Update default CodeQL bundle version to 2.9.3. [#1084](https://github.com/github/codeql-action/pull/1084)
 ## 1.1.11 - 17 May 2022
 - Update default CodeQL bundle version to 2.9.2. [#1074](https://github.com/github/codeql-action/pull/1074)
 ## 1.1.10 - 10 May 2022
 - Update default CodeQL bundle version to 2.9.1. [#1056](https://github.com/github/codeql-action/pull/1056)
 - When `wait-for-processing` is enabled, the workflow will now fail if there were any errors that occurred during processing of the analysis results.
 ## 1.1.9 - 27 Apr 2022
 - Add `working-directory` input to the `autobuild` action. [#1024](https://github.com/github/codeql-action/pull/1024)
 - The `analyze` and `upload-sarif` actions will now wait up to 2 minutes for processing to complete after they have uploaded the results so they can report any processing errors that occurred. This behavior can be disabled by setting the `wait-for-processing` action input to `"false"`. [#1007](https://github.com/github/codeql-action/pull/1007)
 - Update default CodeQL bundle version to 2.9.0.
 - Fix a bug where [status reporting fails on Windows](https://github.com/github/codeql-action/issues/1041). [#1042](https://github.com/github/codeql-action/pull/1042)
 ## 1.1.8 - 08 Apr 2022
 - Update default CodeQL bundle version to 2.8.5. [#1014](https://github.com/github/codeql-action/pull/1014)
 - Fix error where the init action would fail due to a GitHub API request that was taking too long to complete [#1025](https://github.com/github/codeql-action/pull/1025)
 ## 1.1.7 - 05 Apr 2022
 - A bug where additional queries specified in the workflow file would sometimes not be respected has been fixed. [#1018](https://github.com/github/codeql-action/pull/1018)
 ## 1.1.6 - 30 Mar 2022
 - Update default CodeQL bundle version to 2.8.4. [#990](https://github.com/github/codeql-action/pull/990)
 - Fix a bug where an invalid `commit_oid` was being sent to code scanning when a custom checkout path was being used. [#956](https://github.com/github/codeql-action/pull/956)
 ## 1.1.5 - 15 Mar 2022
 - Update default CodeQL bundle version to 2.8.3.
 - The CodeQL runner is now deprecated and no longer being released. For more information, see [CodeQL runner deprecation](https://github.blog/changelog/2021-09-21-codeql-runner-deprecation/).
 - Fix two bugs that cause action failures with GHES 3.3 or earlier. [#978](https://github.com/github/codeql-action/pull/978)
  - Fix `not a permitted key` invalid requests with GHES 3.1 or earlier
  - Fix `RUNNER_ARCH environment variable must be set` errors with GHES 3.3 or earlier
 ## 1.1.4 - 07 Mar 2022
 - Update default CodeQL bundle version to 2.8.2. [#950](https://github.com/github/codeql-action/pull/950)
 - Fix a bug where old results can be uploaded if the languages in a repository change when using a non-ephemeral self-hosted runner. [#955](https://github.com/github/codeql-action/pull/955)
 ## 1.1.3 - 23 Feb 2022
 - Fix a bug where the CLR traces can continue tracing even after tracing should be stopped. [#938](https://github.com/github/codeql-action/pull/938)
 ## 1.1.2 - 17 Feb 2022
 - Due to potential issues for GHES 3.1–3.3 customers who are using recent versions of the CodeQL Action via GHES Connect, the CodeQL Action now uses Node.js v12 rather than Node.js v16. [#937](https://github.com/github/codeql-action/pull/937)
 ## 1.1.1 - 17 Feb 2022
 - The CodeQL CLI versions up to and including version 2.4.4 are not compatible with the CodeQL Action 1.1.1 and later. The Action will emit an error if it detects that it is being used by an incompatible version of the CLI. [#931](https://github.com/github/codeql-action/pull/931)
 - Update default CodeQL bundle version to 2.8.1. [#925](https://github.com/github/codeql-action/pull/925)
 ## 1.1.0 - 11 Feb 2022
 - The CodeQL Action now uses Node.js v16. [#909](https://github.com/github/codeql-action/pull/909)
 - Beware that the CodeQL build tracer in this release (and in all earlier releases) is incompatible with Windows 11 and Windows Server 2022. This incompatibility affects database extraction for compiled languages: cpp, csharp, go, and java. As a result, analyzing these languages with the `windows-latest` or `windows-2022` Actions virtual environments is currently unsupported. If you use any of these languages, please use the `windows-2019` Actions virtual environment or otherwise avoid these specific Windows versions until a new release fixes this incompatibility.
 ## 1.0.32 - 07 Feb 2022
 - Add `sarif-id` as an output for the `upload-sarif` and `analyze` actions. [#889](https://github.com/github/codeql-action/pull/889)
 - Add `ref` and `sha` inputs to the `analyze` action, which override the defaults provided by the GitHub Action context. [#889](https://github.com/github/codeql-action/pull/889)
 - Update default CodeQL bundle version to 2.8.0. [#911](https://github.com/github/codeql-action/pull/911)
 ## 1.0.31 - 31 Jan 2022
 - Remove `experimental` message when using custom CodeQL packages. [#888](https://github.com/github/codeql-action/pull/888)
 - Add a better warning message stating that experimental features will be disabled if the workflow has been triggered by a pull request from a fork or the `security-events: write` permission is not present. [#882](https://github.com/github/codeql-action/pull/882)
 ## 1.0.30 - 24 Jan 2022
 - Display a better error message when encountering a workflow that runs the `codeql-action/init` action multiple times. [#876](https://github.com/github/codeql-action/pull/876)
 - Update default CodeQL bundle version to 2.7.6. [#877](https://github.com/github/codeql-action/pull/877)
 ## 1.0.29 - 21 Jan 2022
 - The feature to wait for SARIF processing to complete after upload has been disabled by default due to a bug in its interaction with pull requests from forks.
 ## 1.0.28 - 18 Jan 2022
 - Update default CodeQL bundle version to 2.7.5. [#866](https://github.com/github/codeql-action/pull/866)
 - Fix a bug where SARIF files were failing upload due to an invalid test for unique categories. [#872](https://github.com/github/codeql-action/pull/872)
 ## 1.0.27 - 11 Jan 2022
 - The `analyze` and `upload-sarif` actions will now wait up to 2 minutes for processing to complete after they have uploaded the results so they can report any processing errors that occurred. This behavior can be disabled by setting the `wait-for-processing` action input to `"false"`. [#855](https://github.com/github/codeql-action/pull/855)
 ## 1.0.26 - 10 Dec 2021
 - Update default CodeQL bundle version to 2.7.3. [#842](https://github.com/github/codeql-action/pull/842)
 ## 1.0.25 - 06 Dec 2021
 No user facing changes.
 ## 1.0.24 - 23 Nov 2021
 - Update default CodeQL bundle version to 2.7.2. [#827](https://github.com/github/codeql-action/pull/827)
 ## 1.0.23 - 16 Nov 2021
 - The `upload-sarif` action now allows multiple uploads in a single job, as long as they have different categories. [#801](https://github.com/github/codeql-action/pull/801)
 - Update default CodeQL bundle version to 2.7.1. [#816](https://github.com/github/codeql-action/pull/816)
 ## 1.0.22 - 04 Nov 2021
 - The `init` step of the Action now supports `ram` and `threads` inputs to limit resource use of CodeQL extractors. These inputs also serve as defaults to the subsequent `analyze` step, which finalizes the database and executes queries. [#738](https://github.com/github/codeql-action/pull/738)
 - When used with CodeQL 2.7.1 or above, the Action now includes custom query help in the analysis results uploaded to GitHub code scanning, if available. To add help text for a custom query, create a Markdown file next to the `.ql` file containing the query, using the same base name but the file extension `.md`. [#804](https://github.com/github/codeql-action/pull/804)
 ## 1.0.21 - 28 Oct 2021
 - Update default CodeQL bundle version to 2.7.0. [#795](https://github.com/github/codeql-action/pull/795)
 ## 1.0.20 - 25 Oct 2021
 No user facing changes.
 ## 1.0.19 - 18 Oct 2021
 No user facing changes.
 ## 1.0.18 - 08 Oct 2021
 - Fixed a bug where some builds were no longer being traced correctly. [#766](https://github.com/github/codeql-action/pull/766)
 ## 1.0.17 - 07 Oct 2021
 - Update default CodeQL bundle version to 2.6.3. [#761](https://github.com/github/codeql-action/pull/761)
 ## 1.0.16 - 05 Oct 2021
 No user facing changes.
 ## 1.0.15 - 22 Sep 2021
 - Update default CodeQL bundle version to 2.6.2. [#746](https://github.com/github/codeql-action/pull/746)
 ## 1.0.14 - 09 Sep 2021
 - Update default CodeQL bundle version to 2.6.1. [#733](https://github.com/github/codeql-action/pull/733)
 ## 1.0.13 - 06 Sep 2021
 - Update default CodeQL bundle version to 2.6.0. [#712](https://github.com/github/codeql-action/pull/712)
 - Update baseline lines of code counter for python. All multi-line strings are counted as code. [#714](https://github.com/github/codeql-action/pull/714)
 - Remove old baseline LoC injection [#715](https://github.com/github/codeql-action/pull/715)
 ## 1.0.12 - 16 Aug 2021
 - Update README to include a sample permissions block. [#689](https://github.com/github/codeql-action/pull/689)
 ## 1.0.11 - 09 Aug 2021
 - Update default CodeQL bundle version to 2.5.9. [#687](https://github.com/github/codeql-action/pull/687)
 ## 1.0.10 - 03 Aug 2021
 - Fix an issue where a summary of diagnostics information from CodeQL was not output to the logs of the `analyze` step of the Action. [#672](https://github.com/github/codeql-action/pull/672)
 ## 1.0.9 - 02 Aug 2021
 No user facing changes.
 ## 1.0.8 - 26 Jul 2021
 - Update default CodeQL bundle version to 2.5.8. [#631](https://github.com/github/codeql-action/pull/631)
 ## 1.0.7 - 21 Jul 2021
 No user facing changes.
 ## 1.0.6 - 19 Jul 2021
 - The `init` step of the Action now supports a `source-root` input as a path to the root source-code directory. By default, the path is relative to `$GITHUB_WORKSPACE`. [#607](https://github.com/github/codeql-action/pull/607)
 - The `init` step will now try to install a few Python tools needed by this Action when running on a self-hosted runner. [#616](https://github.com/github/codeql-action/pull/616)
 ## 1.0.5 - 12 Jul 2021
 - The `analyze` step of the Action now supports a `skip-queries` option to merely build the CodeQL database without analyzing. This functionality is not present in the runner. Additionally, the step will no longer fail if it encounters a finalized database, and will instead continue with query execution. [#602](https://github.com/github/codeql-action/pull/602)
 - Update the warning message when the baseline lines of code count is unavailable. [#608](https://github.com/github/codeql-action/pull/608)
 ## 1.0.4 - 28 Jun 2021
 - Fix `RUNNER_TEMP environment variable must be set` when using runner. [#594](https://github.com/github/codeql-action/pull/594)
 - Fix couting of lines of code for C# projects. [#586](https://github.com/github/codeql-action/pull/586)
 ## 1.0.3 - 23 Jun 2021
 No user facing changes.
 ## 1.0.2 - 17 Jun 2021
 - Fix out of memory in hash computation. [#550](https://github.com/github/codeql-action/pull/550)
 - Clean up logging during analyze results. [#557](https://github.com/github/codeql-action/pull/557)
 - Add `--finalize-dataset` to `database finalize` call, freeing up some disk space after database creation. [#558](https://github.com/github/codeql-action/pull/558)
 ## 1.0.1 - 07 Jun 2021
 - Pass the `--sarif-group-rules-by-pack` argument to CodeQL CLI invocations that generate SARIF. This means the SARIF rule object for each query will now be found underneath its corresponding query pack in `runs[].tool.extensions`. [#546](https://github.com/github/codeql-action/pull/546)
 - Output the location of CodeQL databases created in the analyze step. [#543](https://github.com/github/codeql-action/pull/543)
 ## 1.0.0 - 31 May 2021
 - Add this changelog file. [#507](https://github.com/github/codeql-action/pull/507)
 - Improve grouping of analysis logs. Add a new log group containing a summary of metrics and diagnostics, if they were produced by CodeQL builtin queries. [#515](https://github.com/github/codeql-action/pull/515)
 - Add metrics and diagnostics summaries from custom query suites to the analysis summary log group. [#532](https://github.com/github/codeql-action/pull/532)
--- a/3
+++ b/3
@@ -0,0 +1,3 @@
 **/* @github/codeql-action-reviewers
 /python-setup/ @github/codeql-python @github/codeql-action-reviewers
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -12,7 +12,7 @@ Please note that this project is released with a [Contributor Code of Conduct][c
 ## Development and Testing
-Before you start, ensure that you have a recent version of node installed. You can see which version of node is used by the action in `init/action.yml`.
+Before you start, ensure that you have a recent version of node (14 or higher) installed, along with a recent version of npm (7 or higher). You can see which version of node is used by the action in `init/action.yml`.
 ### Common tasks
@@ -22,29 +22,18 @@ Before you start, ensure that you have a recent version of node installed. You c
 This project also includes configuration to run tests from VSCode (with support for breakpoints) - open the test file you wish to run and choose "Debug AVA test file" from the Run menu in the Run panel.
 You may want to run `tsc --watch` from the command line or inside of vscode in order to ensure build artifacts are up to date as you are working.
 ### Checking in compiled artifacts and `node_modules`
 Because CodeQL Action users consume the code directly from this repository, and there can be no build step during an GitHub Actions run, this repository contains all compiled artifacts and node modules. There is a PR check that will fail if any of the compiled artifacts are not up to date. Compiled artifacts are stored in the `lib/` directory. For all day-to-day development purposes, this folder can be ignored.
 Only run `npm install` if you are explicitly changing the set of dependencies in `package.json`. The `node_modules` directory should be up to date when you check out, but if for some reason, there is an inconsistency use `npm ci && npm run removeNPMAbsolutePaths` to ensure the directory is in a state consistent with the `package-lock.json`. Note that due to a macOS-specific dependency, this command should be run on a macOS machine. There is a PR check to ensure the consistency of the `node_modules` directory.
 ### Running the action
 To see the effect of your changes and to test them, push your changes in a branch and then look at the [Actions output](https://github.com/github/codeql-action/actions) for that branch.  You can also exercise the code locally by running the automated tests.
 ### Running the action locally
 It is possible to run this action locally via [act](https://github.com/nektos/act) via the following steps:
 1. Create a GitHub [Personal Access Token](https://github.com/settings/tokens) (PAT).
 1. Install [act](https://github.com/nektos/act) v0.2.10 or greater.
 1. Add a `.env` file in the root of the project you are running:
  ```bash
  CODEQL_LOCAL_RUN=true
  # Optional, for better logging
  GITHUB_JOB=<ANY_JOB_NAME>
  ```
 1. Run `act -j codeql -s GITHUB_TOKEN=<PAT>`
 Running locally will generate the CodeQL database and run all the queries, but it will avoid uploading and reporting results to GitHub. Note that this must be done on a repository that _consumes_ this action, not this repository. The use case is to debug failures of this action on specific repositories.
 ### Integration tests
 As well as the unit tests (see _Common tasks_ above), there are integration tests, defined in `.github/workflows/integration-testing.yml`.  These are run by a CI check.  Depending on the change you’re making, you may want to add a test to this file or extend an existing one.
@@ -69,6 +58,34 @@ Here are a few things you can do that will increase the likelihood of your pull
 - Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
 - Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
 ## Releasing (write access required)
 1. The first step of releasing a new version of the `codeql-action` is running the "Update release branch" workflow.
    This workflow goes through the pull requests that have been merged to `main` since the last release, creates a changelog, then opens a pull request to merge the changes since the last release into the `releases/v2` release branch.
    You can start a release by triggering this workflow via [workflow dispatch](https://github.com/github/codeql-action/actions/workflows/update-release-branch.yml).
 1. The workflow run will open a pull request titled "Merge main into releases/v2". Mark the pull request as [ready for review](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review) to trigger the PR checks.
 1. Review the checklist items in the pull request description.
    Once you've checked off all but the last two of these, approve the PR and automerge it.
 1. When the "Merge main into releases/v2" pull request is merged into the `releases/v2` branch, the "Tag release and merge back" workflow will create a mergeback PR.
    This mergeback incorporates the changelog updates into `main`, tags the release using the merge commit of the "Merge main into releases/v2" pull request, and bumps the patch version of the CodeQL Action.
    Approve the mergeback PR and automerge it.
 1. When the "Merge main into releases/v2" pull request is merged into the `releases/v2` branch, the "Update release branch" workflow will create a "Merge releases/v2 into releases/v1" pull request to merge the changes since the last release into the `releases/v1` release branch.
    This ensures we keep both the `releases/v1` and `releases/v2` release branches up to date and fully supported.
    Review the checklist items in the pull request description.
    Once you've checked off all the items, approve the PR and automerge it.
 1. Once the mergeback has been merged to `main` and the "Merge releases/v2 into releases/v1" PR has been merged to `releases/v1`, the release is complete.
 ## Keeping the PR checks up to date (admin access required)
 Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred jobs that need to pass in order for a PR to turn green. You can regenerate the checks automatically by running the [update-required-checks.sh](.github/workflows/script/update-required-checks.sh) script:
 1. By default, this script retrieves the checks from the latest SHA on `main`, so make sure that your `main` branch is up to date.
 2. Run the script. If there's a reason to, you can pass in a different SHA as a CLI argument.
 3. After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v1`, and `v2` have been updated.
 ## Resources
 - [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
--- a/README.md
+++ b/README.md
@@ -1,6 +1,8 @@
 # CodeQL Action
-This action runs GitHub's industry-leading static analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/github/codeql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
+This action runs GitHub's industry-leading semantic code analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/github/codeql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
 For a list of recent changes, see the CodeQL Action's [changelog](CHANGELOG.md).
 ## License
@@ -20,33 +22,41 @@ name: "Code Scanning - Action"
 on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
-    - cron: '0 0 * * 0'
+    #        ┌───────────── minute (0 - 59)
    #        │  ┌───────────── hour (0 - 23)
    #        │  │ ┌───────────── day of the month (1 - 31)
    #        │  │ │ ┌───────────── month (1 - 12 or JAN-DEC)
    #        │  │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
    #        │  │ │ │ │
    #        │  │ │ │ │
    #        │  │ │ │ │
    #        *  * * * *
    - cron: '30 1 * * 0'
 jobs:
  CodeQL-Build:
    # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
    runs-on: ubuntu-latest
    permissions:
      # required for all workflows
      security-events: write
      # only required for workflows in private repositories
      actions: read
      contents: read
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          # Must fetch at least the immediate parents so that if this is
          # a pull request then we can checkout the head of the pull request.
          # Only include this option if you are running this workflow on pull requests.
          fetch-depth: 2
      # If this run was triggered by a pull request event then checkout
      # the head of the pull request instead of the merge commit.
      # Only include this step if you are running this workflow on pull requests.
      - run: git checkout HEAD^2
        if: ${{ github.event_name == 'pull_request' }}
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
        # Override language selection by uncommenting this and choosing your languages
        # with:
        #   languages: go, javascript, csharp, python, cpp, java
@@ -54,38 +64,38 @@ jobs:
      # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below).
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@v2
      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 https://git.io/JvXDl
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
      # ✏️ If the Autobuild fails above, remove it and uncomment the following
      #    three lines and modify them (or add more) to build your code if your
      #    project uses a compiled language
      #- run: |
-      #   make bootstrap
+      #     make bootstrap
-      #   make release
+      #     make release
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2
 ```
 If you prefer to integrate this within an existing CI workflow, it should end up looking something like this:
 ```yaml
 - name: Initialize CodeQL
-  uses: github/codeql-action/init@v1
+  uses: github/codeql-action/init@v2
  with:
    languages: go, javascript
 # Here is where you build your code
 - run: |
-  make bootstrap
+    make bootstrap
-  make release
+    make release
 - name: Perform CodeQL Analysis
-  uses: github/codeql-action/analyze@v1
+  uses: github/codeql-action/analyze@v2
 ```
 ### Configuration file
@@ -93,17 +103,26 @@ If you prefer to integrate this within an existing CI workflow, it should end up
 Use the `config-file` parameter of the `init` action to enable the configuration file. The value of `config-file` is the path to the configuration file you want to use. This example loads the configuration file `./.github/codeql/codeql-config.yml`.
 ```yaml
- uses: github/codeql-action/init@v1
+- uses: github/codeql-action/init@v2
  with:
    config-file: ./.github/codeql/codeql-config.yml
 ```
-The configuration file must be located within the local repository. For information on how to write a configuration file, see "[Using a custom configuration file](https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#using-a-custom-configuration-file)."
+The configuration file can be located in a different repository. This is useful if you want to share the same configuration across multiple repositories. If the configuration file is in a private repository you can also specify an `external-repository-token` option. This should be a personal access token that has read access to any repositories containing referenced config files and queries.
 ```yaml
 - uses: github/codeql-action/init@v2
  with:
    config-file: owner/repo/codeql-config.yml@branch
    external-repository-token: ${{ secrets.EXTERNAL_REPOSITORY_TOKEN }}
 ```
 For information on how to write a configuration file, see "[Using a custom configuration file](https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#using-a-custom-configuration-file)."
 If you only want to customise the queries used, you can specify them in your workflow instead of creating a config file, using the `queries` property of the `init` action:
 ```yaml
- uses: github/codeql-action/init@v1
+- uses: github/codeql-action/init@v2
  with:
    queries: <local-or-remote-query>,<another-query>
 ```
@@ -111,7 +130,7 @@ If you only want to customise the queries used, you can specify them in your wor
 By default, this will override any queries specified in a config file. If you wish to use both sets of queries, prefix the list of queries in the workflow with `+`:
 ```yaml
- uses: github/codeql-action/init@v1
+- uses: github/codeql-action/init@v2
  with:
    queries: +<local-or-remote-query>,<another-query>
 ```
@@ -119,3 +138,4 @@ By default, this will override any queries specified in a config file. If you wi
 ## Troubleshooting
 Read about [troubleshooting code scanning](https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning).
--- a/analyze/action.yml
+++ b/analyze/action.yml
@@ -1,6 +1,6 @@
-name: 'CodeQL: Finish'
+name: "CodeQL: Finish"
-description: 'Finalize CodeQL database'
+description: "Finalize CodeQL database"
-author: 'GitHub'
+author: "GitHub"
 inputs:
  check_name:
    description: The name of the check run to add text to.
@@ -8,29 +8,74 @@ inputs:
  output:
    description: The path of the directory in which to save the SARIF results
    required: false
-    default: '../results'
+    default: "../results"
  upload:
-    description: Upload the SARIF file
+    description: Upload the SARIF file to Code Scanning
    required: false
    default: "true"
  cleanup-level:
    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --mode flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
    required: false
    default: "brutal"
  ram:
-    description: Override the amount of memory in MB to be used by CodeQL. By default, almost all the memory of the machine is used.
+    description: >-
      The amount of memory in MB that can be used by CodeQL for database finalization and query execution.
      By default, this action will use the same amount of memory as previously set in the "init" action.
      If the "init" action also does not have an explicit "ram" input, this action will use most of the
      memory available in the system (which for GitHub-hosted runners is 6GB for Linux, 5.5GB for Windows,
      and 13GB for macOS).
    required: false
  add-snippets:
    description: Specify whether or not to add code snippets to the output sarif file.
    required: false
    default: "false"
  skip-queries:
    description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
    required: false
    default: "false"
  threads:
-    description: The number of threads to be used by CodeQL.
+    description: >-
      The number of threads that can be used by CodeQL for database finalization and query execution.
      By default, this action will use the same number of threads as previously set in the "init" action.
      If the "init" action also does not have an explicit "threads" input, this action will use all the
      hardware threads available in the system (which for GitHub-hosted runners is 2 for Linux and Windows
      and 3 for macOS).
    required: false
  checkout_path:
-    description: "The path at which the analyzed repository was checked out. Used to relativeize any absolute paths in the uploaded SARIF file."
+    description: "The path at which the analyzed repository was checked out. Used to relativize any absolute paths in the uploaded SARIF file."
    required: false
    default: ${{ github.workspace }}
  ref:
    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is not available in pull requests from forks."
    required: false
  sha:
    description: "The sha of the HEAD of the ref where results will be uploaded. If not provided, the Action will use the GITHUB_SHA environment variable. If provided, the ref input must be provided as well. This input is not available in pull requests from forks."
    required: false
  category:
    description: String used by Code Scanning for matching the analyses
    required: false
  upload-database:
    description: Whether to upload the resulting CodeQL database
    required: false
    default: "true"
  wait-for-processing:
    description: If true, the Action will wait for the uploaded SARIF to be processed before completing.
    required: true
    default: "true"
  token:
    default: ${{ github.token }}
  matrix:
    default: ${{ toJson(matrix) }}
  expect-error:
    description: "[Internal] It is an error to use this input outside of integration testing of the codeql-action."
    required: false
    default: "false"
 outputs:
  db-locations:
    description: A map from language to absolute path for each database created by CodeQL.
  sarif-id:
    description: The ID of the uploaded SARIF file.
 runs:
-  using: 'node12'
+  using: "node12"
-  main: '../lib/analyze-action.js'
+  main: "../lib/analyze-action.js"
  post: "../lib/analyze-action-post.js"
--- a/autobuild/action.yml
+++ b/autobuild/action.yml
@@ -6,6 +6,12 @@ inputs:
    default: ${{ github.token }}
  matrix:
    default: ${{ toJson(matrix) }}
  working-directory:
    description: >-
      Run the autobuilder using this path (relative to $GITHUB_WORKSPACE) as
      working directory. If this input is not set, the autobuilder runs with
      $GITHUB_WORKSPACE as its working directory.
    required: false
 runs:
  using: 'node12'
-  main: '../lib/autobuild-action.js'
+  main: '../lib/autobuild-action.js'
--- a/init/action.yml
+++ b/init/action.yml
@@ -1,5 +1,5 @@
 name: 'CodeQL: Init'
-description: 'Setup the CodeQL tracer'
+description: 'Set up CodeQL'
 author: 'GitHub'
 inputs:
  tools:
@@ -10,15 +10,101 @@ inputs:
    description: The languages to be analysed
    required: false
  token:
    description: GitHub token to use for authenticating with this instance of GitHub. To download custom packs from multiple registries, use the registries input.
    default: ${{ github.token }}
    required: false
  registries:
    description: |
      Use this input only when you need to download CodeQL packages from another instance of GitHub. If you only need to download packages from this GitHub instance, use the token input instead.
      A YAML string that defines the list of GitHub container registries to use for downloading packs. The string is in the following form (the | is required on the first line):
      registries: |
          - url: https://containers.GHEHOSTNAME1/v2/
            packages:
              - my-company/*
              - my-company2/*
            token: \$\{{ secrets.GHEHOSTNAME1_TOKEN }}
          - url: https://ghcr.io/v2/
            packages: */*
            token: \$\{{ secrets.GHCR_TOKEN }}
      The `url` property contains the URL to the container registry you want to connect to.
      The `packages` property contains a single glob string or a list of glob strings, specifying which packages should be retrieved from this particular container registry. Order is important. Earlier entries will match before later entries.
      The `token` property contains a connection token for this registry.    required: false
  matrix:
    default: ${{ toJson(matrix) }}
    required: false
  config-file:
    description: Path of the config file to use
    required: false
  db-location:
    description: Path where CodeQL databases should be created. If not specified, a temporary directory will be used.
    required: false
  queries:
    description: Comma-separated list of additional queries to run. By default, this overrides the same setting in a configuration file; prefix with "+" to use both sets of queries.
    required: false
  packs:
    description: >-
      [Experimental] Comma-separated list of packs to run. Reference a pack in the format `scope/name[@version]`. If `version` is not
      specified, then the latest version of the pack is used. By default, this overrides the same setting in a
      configuration file; prefix with "+" to use both sets of packs.
      This input is only available in single-language analyses. To use packs in multi-language
      analyses, you must specify packs in the codeql-config.yml file.
    required: false
  external-repository-token:
    description: A token for fetching external config files and queries if they reside in a private repository in the same GitHub instance that is running this action.
    required: false
  setup-python-dependencies:
    description: Try to auto-install your python dependencies
    required: true
    default: 'true'
  source-root:
    description: Path of the root source code directory, relative to $GITHUB_WORKSPACE.
    required: false
  ram:
    description: >-
      The amount of memory in MB that can be used by CodeQL extractors.
      By default, CodeQL extractors will use most of the memory available in the system
      (which for GitHub-hosted runners is 6GB for Linux, 5.5GB for Windows, and 13GB for macOS).
      This input also sets the amount of memory that can later be used by the "analyze" action.
    required: false
  threads:
    description: >-
      The number of threads that can be used by CodeQL extractors.
      By default, CodeQL extractors will use all the hardware threads available in the system
      (which for GitHub-hosted runners is 2 for Linux and Windows and 3 for macOS).
      This input also sets the number of threads that can later be used by the "analyze" action.
    required: false
  debug:
    description: >-
      Enable debugging mode.
      This will result in more output being produced which may be useful when debugging certain issues.
      Debugging mode is enabled automatically when step debug logging is turned on.
    required: false
    default: 'false'
  debug-artifact-name:
    description: >-
      The name of the artifact to store debugging information in.
      This is only used when debug mode is enabled.
    required: false
  debug-database-name:
    description: >-
      The name of the database uploaded to the debugging artifact.
      This is only used when debug mode is enabled.
    required: false
  trap-caching:
    description: >-
      Explicitly enable or disable TRAP caching rather than respecting the feature flag for it.
    required: false
 outputs:
  codeql-path:
    description: The path of the CodeQL binary used for analysis
 runs:
  using: 'node12'
  main: '../lib/init-action.js'
  post: '../lib/init-action-post.js'
--- a/lib/actions-util.js
+++ b/lib/actions-util.js
@@ -1,17 +1,41 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    result["default"] = mod;
+    __setModuleDefault(result, mod);
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.workflowEventName = exports.sendStatusReport = exports.createStatusReportBase = exports.getActionsStatus = exports.getRef = exports.computeAutomationID = exports.getAutomationID = exports.getAnalysisKey = exports.getWorkflowRunID = exports.getWorkflow = exports.formatWorkflowCause = exports.formatWorkflowErrors = exports.validateWorkflow = exports.getWorkflowErrors = exports.WorkflowErrors = exports.patternIsSuperset = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
-const toolrunnner = __importStar(require("@actions/exec/lib/toolrunner"));
+const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const safeWhich = __importStar(require("@chrisgavin/safe-which"));
 const yaml = __importStar(require("js-yaml"));
 const api = __importStar(require("./api-client"));
 const sharedEnv = __importStar(require("./shared-environment"));
 const util_1 = require("./util");
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
 /**
 * The utils in this module are meant to be run inside of the action only.
 * Code paths from the runner should not enter this module.
 */
 /**
 * Wrapper around core.getInput for inputs that always have a value.
 * Also see getOptionalInput.
@@ -30,40 +54,22 @@ exports.getRequiredInput = getRequiredInput;
 * This allows us to get stronger type checking of required/optional inputs
 * and make behaviour more consistent between actions and the runner.
 */
-function getOptionalInput(name) {
+const getOptionalInput = function (name) {
    const value = core.getInput(name);
    return value.length > 0 ? value : undefined;
-}
+};
 exports.getOptionalInput = getOptionalInput;
-/**
+function getTemporaryDirectory() {
- * Get an environment parameter, but throw an error if it is not set.
+    const value = process.env["CODEQL_ACTION_TEMP"];
- */
+    return value !== undefined && value !== ""
-function getRequiredEnvParam(paramName) {
+        ? value
-    const value = process.env[paramName];
+        : (0, util_1.getRequiredEnvParam)("RUNNER_TEMP");
    if (value === undefined || value.length === 0) {
        throw new Error(`${paramName} environment variable must be set`);
    }
    core.debug(`${paramName}=${value}`);
    return value;
 }
-exports.getRequiredEnvParam = getRequiredEnvParam;
+exports.getTemporaryDirectory = getTemporaryDirectory;
 /**
 * Ensures all required environment variables are set in the context of a local run.
 */
 function prepareLocalRunEnvironment() {
    if (!util_1.isLocalRun()) {
        return;
    }
    core.debug("Action is running locally.");
    if (!process.env.GITHUB_JOB) {
        core.exportVariable("GITHUB_JOB", "UNKNOWN-JOB");
    }
 }
 exports.prepareLocalRunEnvironment = prepareLocalRunEnvironment;
 /**
 * Gets the SHA of the commit that is currently checked out.
 */
-async function getCommitOid() {
+const getCommitOid = async function (checkoutPath, ref = "HEAD") {
    // Try to use git to get the current commit SHA. If that fails then
    // log but otherwise silently fall back to using the SHA from the environment.
    // The only time these two values will differ is during analysis of a PR when
@@ -73,7 +79,7 @@ async function getCommitOid() {
    // reported on the merge commit.
    try {
        let commitOid = "";
-        await new toolrunnner.ToolRunner("git", ["rev-parse", "HEAD"], {
+        await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), ["rev-parse", ref], {
            silent: true,
            listeners: {
                stdout: (data) => {
@@ -83,25 +89,268 @@ async function getCommitOid() {
                    process.stderr.write(data);
                },
            },
            cwd: checkoutPath,
        }).exec();
        return commitOid.trim();
    }
    catch (e) {
-        core.info(`Failed to call git to get current commit. Continuing with data from environment: ${e}`);
+        core.info(`Failed to call git to get current commit. Continuing with data from environment or input: ${e}`);
-        return getRequiredEnvParam("GITHUB_SHA");
+        core.info(e.stack || "NO STACK");
        return (0, exports.getOptionalInput)("sha") || (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
    }
-}
+};
 exports.getCommitOid = getCommitOid;
 /**
 * If the action was triggered by a pull request, determine the commit sha of the merge base.
 * Returns undefined if run by other triggers or the merge base cannot be determined.
 */
 const determineMergeBaseCommitOid = async function () {
    if (workflowEventName() !== "pull_request") {
        return undefined;
    }
    const mergeSha = (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
    const checkoutPath = (0, exports.getOptionalInput)("checkout_path");
    try {
        let commitOid = "";
        let baseOid = "";
        let headOid = "";
        await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), ["show", "-s", "--format=raw", mergeSha], {
            silent: true,
            listeners: {
                stdline: (data) => {
                    if (data.startsWith("commit ") && commitOid === "") {
                        commitOid = data.substring(7);
                    }
                    else if (data.startsWith("parent ")) {
                        if (baseOid === "") {
                            baseOid = data.substring(7);
                        }
                        else if (headOid === "") {
                            headOid = data.substring(7);
                        }
                    }
                },
                stderr: (data) => {
                    process.stderr.write(data);
                },
            },
            cwd: checkoutPath,
        }).exec();
        // Let's confirm our assumptions: We had a merge commit and the parsed parent data looks correct
        if (commitOid === mergeSha &&
            headOid.length === 40 &&
            baseOid.length === 40) {
            return baseOid;
        }
        return undefined;
    }
    catch (e) {
        core.info(`Failed to call git to determine merge base. Continuing with data from environment: ${e}`);
        core.info(e.stack || "NO STACK");
        return undefined;
    }
 };
 exports.determineMergeBaseCommitOid = determineMergeBaseCommitOid;
 function isObject(o) {
    return o !== null && typeof o === "object";
 }
 const GLOB_PATTERN = new RegExp("(\\*\\*?)");
 function escapeRegExp(string) {
    return string.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // $& means the whole matched string
 }
 function patternToRegExp(value) {
    return new RegExp(`^${value
        .toString()
        .split(GLOB_PATTERN)
        .reduce(function (arr, cur) {
        if (cur === "**") {
            arr.push(".*?");
        }
        else if (cur === "*") {
            arr.push("[^/]*?");
        }
        else if (cur) {
            arr.push(escapeRegExp(cur));
        }
        return arr;
    }, [])
        .join("")}$`);
 }
 // this function should return true if patternA is a superset of patternB
 // e.g: * is a superset of main-* but main-* is not a superset of *.
 function patternIsSuperset(patternA, patternB) {
    return patternToRegExp(patternA).test(patternB);
 }
 exports.patternIsSuperset = patternIsSuperset;
 function branchesToArray(branches) {
    if (typeof branches === "string") {
        return [branches];
    }
    if (Array.isArray(branches)) {
        if (branches.length === 0) {
            return "**";
        }
        return branches;
    }
    return "**";
 }
 function toCodedErrors(errors) {
    return Object.entries(errors).reduce((acc, [key, value]) => {
        acc[key] = { message: value, code: key };
        return acc;
    }, {});
 }
 // code to send back via status report
 // message to add as a warning annotation to the run
 exports.WorkflowErrors = toCodedErrors({
    MismatchedBranches: `Please make sure that every branch in on.pull_request is also in on.push so that Code Scanning can compare pull requests against the state of the base branch.`,
    MissingPushHook: `Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch.`,
    PathsSpecified: `Using on.push.paths can prevent Code Scanning annotating new alerts in your pull requests.`,
    PathsIgnoreSpecified: `Using on.push.paths-ignore can prevent Code Scanning annotating new alerts in your pull requests.`,
    CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
 });
 function getWorkflowErrors(doc) {
    var _a, _b, _c, _d, _e;
    const errors = [];
    const jobName = process.env.GITHUB_JOB;
    if (jobName) {
        const job = (_a = doc === null || doc === void 0 ? void 0 : doc.jobs) === null || _a === void 0 ? void 0 : _a[jobName];
        const steps = job === null || job === void 0 ? void 0 : job.steps;
        if (Array.isArray(steps)) {
            for (const step of steps) {
                // this was advice that we used to give in the README
                // we actually want to run the analysis on the merge commit
                // to produce results that are more inline with expectations
                // (i.e: this is what will happen if you merge this PR)
                // and avoid some race conditions
                if ((step === null || step === void 0 ? void 0 : step.run) === "git checkout HEAD^2") {
                    errors.push(exports.WorkflowErrors.CheckoutWrongHead);
                    break;
                }
            }
        }
    }
    let missingPush = false;
    if (doc.on === undefined) {
        // this is not a valid config
    }
    else if (typeof doc.on === "string") {
        if (doc.on === "pull_request") {
            missingPush = true;
        }
    }
    else if (Array.isArray(doc.on)) {
        const hasPush = doc.on.includes("push");
        const hasPullRequest = doc.on.includes("pull_request");
        if (hasPullRequest && !hasPush) {
            missingPush = true;
        }
    }
    else if (isObject(doc.on)) {
        const hasPush = Object.prototype.hasOwnProperty.call(doc.on, "push");
        const hasPullRequest = Object.prototype.hasOwnProperty.call(doc.on, "pull_request");
        if (!hasPush && hasPullRequest) {
            missingPush = true;
        }
        if (hasPush && hasPullRequest) {
            const paths = (_b = doc.on.push) === null || _b === void 0 ? void 0 : _b.paths;
            // if you specify paths or paths-ignore you can end up with commits that have no baseline
            // if they didn't change any files
            // currently we cannot go back through the history and find the most recent baseline
            if (Array.isArray(paths) && paths.length > 0) {
                errors.push(exports.WorkflowErrors.PathsSpecified);
            }
            const pathsIgnore = (_c = doc.on.push) === null || _c === void 0 ? void 0 : _c["paths-ignore"];
            if (Array.isArray(pathsIgnore) && pathsIgnore.length > 0) {
                errors.push(exports.WorkflowErrors.PathsIgnoreSpecified);
            }
        }
        // if doc.on.pull_request is null that means 'all branches'
        // if doc.on.pull_request is undefined that means 'off'
        // we only want to check for mismatched branches if pull_request is on.
        if (doc.on.pull_request !== undefined) {
            const push = branchesToArray((_d = doc.on.push) === null || _d === void 0 ? void 0 : _d.branches);
            if (push !== "**") {
                const pull_request = branchesToArray((_e = doc.on.pull_request) === null || _e === void 0 ? void 0 : _e.branches);
                if (pull_request !== "**") {
                    const difference = pull_request.filter((value) => !push.some((o) => patternIsSuperset(o, value)));
                    if (difference.length > 0) {
                        // there are branches in pull_request that may not have a baseline
                        // because we are not building them on push
                        errors.push(exports.WorkflowErrors.MismatchedBranches);
                    }
                }
                else if (push.length > 0) {
                    // push is set up to run on a subset of branches
                    // and you could open a PR against a branch with no baseline
                    errors.push(exports.WorkflowErrors.MismatchedBranches);
                }
            }
        }
    }
    if (missingPush) {
        errors.push(exports.WorkflowErrors.MissingPushHook);
    }
    return errors;
 }
 exports.getWorkflowErrors = getWorkflowErrors;
 async function validateWorkflow() {
    let workflow;
    try {
        workflow = await getWorkflow();
    }
    catch (e) {
        return `error: getWorkflow() failed: ${String(e)}`;
    }
    let workflowErrors;
    try {
        workflowErrors = getWorkflowErrors(workflow);
    }
    catch (e) {
        return `error: getWorkflowErrors() failed: ${String(e)}`;
    }
    if (workflowErrors.length > 0) {
        let message;
        try {
            message = formatWorkflowErrors(workflowErrors);
        }
        catch (e) {
            return `error: formatWorkflowErrors() failed: ${String(e)}`;
        }
        core.warning(message);
    }
    return formatWorkflowCause(workflowErrors);
 }
 exports.validateWorkflow = validateWorkflow;
 function formatWorkflowErrors(errors) {
    const issuesWere = errors.length === 1 ? "issue was" : "issues were";
    const errorsList = errors.map((e) => e.message).join(" ");
    return `${errors.length} ${issuesWere} detected with this workflow: ${errorsList}`;
 }
 exports.formatWorkflowErrors = formatWorkflowErrors;
 function formatWorkflowCause(errors) {
    if (errors.length === 0) {
        return undefined;
    }
    return errors.map((e) => e.code).join(",");
 }
 exports.formatWorkflowCause = formatWorkflowCause;
 async function getWorkflow() {
    const relativePath = await getWorkflowPath();
    const absolutePath = path.join((0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), relativePath);
    return yaml.load(fs.readFileSync(absolutePath, "utf-8"));
 }
 exports.getWorkflow = getWorkflow;
 /**
 * Get the path of the currently executing workflow.
 */
 async function getWorkflowPath() {
-    const repo_nwo = getRequiredEnvParam("GITHUB_REPOSITORY").split("/");
+    const repo_nwo = (0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY").split("/");
    const owner = repo_nwo[0];
    const repo = repo_nwo[1];
-    const run_id = Number(getRequiredEnvParam("GITHUB_RUN_ID"));
+    const run_id = Number((0, util_1.getRequiredEnvParam)("GITHUB_RUN_ID"));
    const apiClient = api.getActionsApiClient();
-    const runsResponse = await apiClient.request("GET /repos/:owner/:repo/actions/runs/:run_id", {
+    const runsResponse = await apiClient.request("GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true", {
        owner,
        repo,
        run_id,
@@ -114,7 +363,7 @@ async function getWorkflowPath() {
 * Get the workflow run ID.
 */
 function getWorkflowRunID() {
-    const workflowRunID = parseInt(getRequiredEnvParam("GITHUB_RUN_ID"), 10);
+    const workflowRunID = parseInt((0, util_1.getRequiredEnvParam)("GITHUB_RUN_ID"), 10);
    if (Number.isNaN(workflowRunID)) {
        throw new Error("GITHUB_RUN_ID must define a non NaN workflow run ID");
    }
@@ -122,7 +371,7 @@ function getWorkflowRunID() {
 }
 exports.getWorkflowRunID = getWorkflowRunID;
 /**
- * Get the analysis key paramter for the current job.
+ * Get the analysis key parameter for the current job.
 *
 * This will combine the workflow path and current job name.
 * Computing this the first time requires making requests to
@@ -135,32 +384,96 @@ async function getAnalysisKey() {
        return analysisKey;
    }
    const workflowPath = await getWorkflowPath();
-    const jobName = getRequiredEnvParam("GITHUB_JOB");
+    const jobName = (0, util_1.getRequiredEnvParam)("GITHUB_JOB");
    analysisKey = `${workflowPath}:${jobName}`;
    core.exportVariable(analysisKeyEnvVar, analysisKey);
    return analysisKey;
 }
 exports.getAnalysisKey = getAnalysisKey;
 async function getAutomationID() {
    const analysis_key = await getAnalysisKey();
    const environment = getRequiredInput("matrix");
    return computeAutomationID(analysis_key, environment);
 }
 exports.getAutomationID = getAutomationID;
 function computeAutomationID(analysis_key, environment) {
    let automationID = `${analysis_key}/`;
    // the id has to be deterministic so we sort the fields
    if (environment !== undefined && environment !== "null") {
        const environmentObject = JSON.parse(environment);
        for (const entry of Object.entries(environmentObject).sort()) {
            if (typeof entry[1] === "string") {
                automationID += `${entry[0]}:${entry[1]}/`;
            }
            else {
                // In code scanning we just handle the string values,
                // the rest get converted to the empty string
                automationID += `${entry[0]}:/`;
            }
        }
    }
    return automationID;
 }
 exports.computeAutomationID = computeAutomationID;
 /**
 * Get the ref currently being analyzed.
 */
-function getRef() {
+async function getRef() {
    // Will be in the form "refs/heads/master" on a push event
    // or in the form "refs/pull/N/merge" on a pull_request event
-    const ref = getRequiredEnvParam("GITHUB_REF");
+    const refInput = (0, exports.getOptionalInput)("ref");
-    // For pull request refs we want to convert from the 'merge' ref
+    const shaInput = (0, exports.getOptionalInput)("sha");
-    // to the 'head' ref, as that is what we want to analyse.
+    const checkoutPath = (0, exports.getOptionalInput)("checkout_path") ||
-    // There should have been some code earlier in the workflow to do
+        (0, exports.getOptionalInput)("source-root") ||
-    // the checkout, but we have no way of verifying that here.
+        (0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE");
    const hasRefInput = !!refInput;
    const hasShaInput = !!shaInput;
    // If one of 'ref' or 'sha' are provided, both are required
    if ((hasRefInput || hasShaInput) && !(hasRefInput && hasShaInput)) {
        throw new Error("Both 'ref' and 'sha' are required if one of them is provided.");
    }
    const ref = refInput || (0, util_1.getRequiredEnvParam)("GITHUB_REF");
    const sha = shaInput || (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
    // If the ref is a user-provided input, we have to skip logic
    // and assume that it is really where they want to upload the results.
    if (refInput) {
        return refInput;
    }
    // For pull request refs we want to detect whether the workflow
    // has run `git checkout HEAD^2` to analyze the 'head' ref rather
    // than the 'merge' ref. If so, we want to convert the ref that
    // we report back.
    const pull_ref_regex = /refs\/pull\/(\d+)\/merge/;
-    if (pull_ref_regex.test(ref)) {
+    if (!pull_ref_regex.test(ref)) {
-        return ref.replace(pull_ref_regex, "refs/pull/$1/head");
+        return ref;
    }
    const head = await (0, exports.getCommitOid)(checkoutPath, "HEAD");
    // in actions/checkout@v2+ we can check if git rev-parse HEAD == GITHUB_SHA
    // in actions/checkout@v1 this may not be true as it checks out the repository
    // using GITHUB_REF. There is a subtle race condition where
    // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check
    // git git-parse GITHUB_REF == git rev-parse HEAD instead.
    const hasChangedRef = sha !== head &&
        (await (0, exports.getCommitOid)(checkoutPath, ref.replace(/^refs\/pull\//, "refs/remotes/pull/"))) !== head;
    if (hasChangedRef) {
        const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
        core.debug(`No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`);
        return newRef;
    }
    else {
        return ref;
    }
 }
 exports.getRef = getRef;
 function getActionsStatus(error, otherFailureCause) {
    if (error || otherFailureCause) {
        return error instanceof util_1.UserError ? "user-error" : "failure";
    }
    else {
        return "success";
    }
 }
 exports.getActionsStatus = getActionsStatus;
 /**
 * Compose a StatusReport.
 *
@@ -171,8 +484,8 @@ exports.getRef = getRef;
 * @param exception Exception (only supply if status is 'failure')
 */
 async function createStatusReportBase(actionName, status, actionStartedAt, cause, exception) {
-    const commitOid = process.env["GITHUB_SHA"] || "";
+    const commitOid = (0, exports.getOptionalInput)("sha") || process.env["GITHUB_SHA"] || "";
-    const ref = getRef();
+    const ref = await getRef();
    const workflowRunIDStr = process.env["GITHUB_RUN_ID"];
    let workflowRunID = -1;
    if (workflowRunIDStr) {
@@ -186,6 +499,9 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
        workflowStartedAt = actionStartedAt.toISOString();
        core.exportVariable(sharedEnv.CODEQL_WORKFLOW_STARTED_AT, workflowStartedAt);
    }
    const runnerOs = (0, util_1.getRequiredEnvParam)("RUNNER_OS");
    const codeQlCliVersion = (0, util_1.getCachedCodeQlVersion)();
    const actionRef = process.env["GITHUB_ACTION_REF"];
    const statusReport = {
        workflow_run_id: workflowRunID,
        workflow_name: workflowName,
@@ -194,10 +510,13 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
        commit_oid: commitOid,
        ref,
        action_name: actionName,
        action_ref: actionRef,
        action_oid: "unknown",
        started_at: workflowStartedAt,
        action_started_at: actionStartedAt.toISOString(),
        status,
        runner_os: runnerOs,
        action_version: pkg.version,
    };
    // Add optional parameters
    if (cause) {
@@ -206,16 +525,34 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
    if (exception) {
        statusReport.exception = exception;
    }
-    if (status === "success" || status === "failure" || status === "aborted") {
+    if (status === "success" ||
        status === "failure" ||
        status === "aborted" ||
        status === "user-error") {
        statusReport.completed_at = new Date().toISOString();
    }
    const matrix = getRequiredInput("matrix");
    if (matrix) {
        statusReport.matrix_vars = matrix;
    }
    if ("RUNNER_ARCH" in process.env) {
        // RUNNER_ARCH is available only in GHES 3.4 and later
        // Values other than X86, X64, ARM, or ARM64 are discarded server side
        statusReport.runner_arch = process.env["RUNNER_ARCH"];
    }
    if (runnerOs === "Windows" || runnerOs === "macOS") {
        statusReport.runner_os_release = os.release();
    }
    if (codeQlCliVersion !== undefined) {
        statusReport.codeql_version = codeQlCliVersion;
    }
    return statusReport;
 }
 exports.createStatusReportBase = createStatusReportBase;
 const GENERIC_403_MSG = "The repo on which this action is running is not opted-in to CodeQL code scanning.";
 const GENERIC_404_MSG = "Not authorized to use the CodeQL code scanning feature on this repo.";
 const OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
 const INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
 /**
 * Send a status report to the code_scanning/analysis/status endpoint.
 *
@@ -225,42 +562,160 @@ exports.createStatusReportBase = createStatusReportBase;
 *
 * Returns whether sending the status report was successful of not.
 */
-async function sendStatusReport(statusReport, ignoreFailures) {
+async function sendStatusReport(statusReport) {
-    if (getRequiredEnvParam("GITHUB_SERVER_URL") !== util_1.GITHUB_DOTCOM_URL) {
+    const gitHubVersion = await api.getGitHubVersionActionsOnly();
-        core.debug("Not sending status report to GitHub Enterprise");
+    if ((0, util_1.isGitHubGhesVersionBelow)(gitHubVersion, "3.2.0")) {
-        return true;
+        // GHES 3.1 and earlier versions reject unexpected properties, which means
-    }
+        // that they will reject status reports with newly added properties.
-    if (util_1.isLocalRun()) {
+        // Inhibiting status reporting for GHES < 3.2 avoids such failures.
        core.debug("Not sending status report because this is a local run");
        return true;
    }
    const statusReportJSON = JSON.stringify(statusReport);
    core.debug(`Sending status report: ${statusReportJSON}`);
-    const nwo = getRequiredEnvParam("GITHUB_REPOSITORY");
+    // If in test mode we don't want to upload the results
    if ((0, util_1.isInTestMode)()) {
        core.debug("In test mode. Status reports are not uploaded.");
        return true;
    }
    const nwo = (0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY");
    const [owner, repo] = nwo.split("/");
    const client = api.getActionsApiClient();
-    const statusResponse = await client.request("PUT /repos/:owner/:repo/code-scanning/analysis/status", {
+    try {
-        owner,
+        await client.request("PUT /repos/:owner/:repo/code-scanning/analysis/status", {
-        repo,
+            owner,
-        data: statusReportJSON,
+            repo,
-    });
+            data: statusReportJSON,
-    if (!ignoreFailures) {
+        });
-        // If the status report request fails with a 403 or a 404, then this is a deliberate
+        return true;
-        // message from the endpoint that the SARIF upload can be expected to fail too,
+    }
-        // so the action should fail to avoid wasting actions minutes.
+    catch (e) {
-        //
+        console.log(e);
-        // Other failure responses (or lack thereof) could be transitory and should not
+        if ((0, util_1.isHTTPError)(e)) {
-        // cause the action to fail.
+            switch (e.status) {
-        if (statusResponse.status === 403) {
+                case 403:
-            core.setFailed("The repo on which this action is running is not opted-in to CodeQL code scanning.");
+                    if (workflowIsTriggeredByPushEvent() && isDependabotActor()) {
-            return false;
+                        core.setFailed('Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
-        }
+                            "Uploading Code Scanning results requires write access. " +
-        if (statusResponse.status === 404) {
+                            'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
-            core.setFailed("Not authorized to used the CodeQL code scanning feature on this repo.");
+                            "See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events.");
-            return false;
+                    }
-        }
+                    else {
                        core.setFailed(e.message || GENERIC_403_MSG);
                    }
                    return false;
                case 404:
                    core.setFailed(GENERIC_404_MSG);
                    return false;
                case 422:
                    // schema incompatibility when reporting status
                    // this means that this action version is no longer compatible with the API
                    // we still want to continue as it is likely the analysis endpoint will work
                    if ((0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL") !== util_1.GITHUB_DOTCOM_URL) {
                        core.debug(INCOMPATIBLE_MSG);
                    }
                    else {
                        core.debug(OUT_OF_DATE_MSG);
                    }
                    return true;
            }
        }
        // something else has gone wrong and the request/response will be logged by octokit
        // it's possible this is a transient error and we should continue scanning
        core.error("An unexpected error occurred when sending code scanning status report.");
        return true;
    }
    return true;
 }
 exports.sendStatusReport = sendStatusReport;
 function workflowEventName() {
    // If the original event is dynamic CODESCANNING_EVENT_NAME will contain the right info (push/pull_request)
    if (process.env["GITHUB_EVENT_NAME"] === "dynamic") {
        const value = process.env["CODESCANNING_EVENT_NAME"];
        if (value === undefined || value.length === 0) {
            return process.env["GITHUB_EVENT_NAME"];
        }
        return value;
    }
    return process.env["GITHUB_EVENT_NAME"];
 }
 exports.workflowEventName = workflowEventName;
 // Was the workflow run triggered by a `push` event, for example as opposed to a `pull_request` event.
 function workflowIsTriggeredByPushEvent() {
    return workflowEventName() === "push";
 }
 // Is dependabot the actor that triggered the current workflow run.
 function isDependabotActor() {
    return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
 }
 // Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
 // as opposed to running a remote action (i.e. when another repo references us)
 function isRunningLocalAction() {
    const relativeScriptPath = getRelativeScriptPath();
    return (relativeScriptPath.startsWith("..") || path.isAbsolute(relativeScriptPath));
 }
 exports.isRunningLocalAction = isRunningLocalAction;
 // Get the location where the action is running from.
 // This can be used to get the actions name or tell if we're running a local action.
 function getRelativeScriptPath() {
    const runnerTemp = (0, util_1.getRequiredEnvParam)("RUNNER_TEMP");
    const actionsDirectory = path.join(path.dirname(runnerTemp), "_actions");
    return path.relative(actionsDirectory, __filename);
 }
 exports.getRelativeScriptPath = getRelativeScriptPath;
 // Reads the contents of GITHUB_EVENT_PATH as a JSON object
 function getWorkflowEvent() {
    const eventJsonFile = (0, util_1.getRequiredEnvParam)("GITHUB_EVENT_PATH");
    try {
        return JSON.parse(fs.readFileSync(eventJsonFile, "utf-8"));
    }
    catch (e) {
        throw new Error(`Unable to read workflow event JSON from ${eventJsonFile}: ${e}`);
    }
 }
 function removeRefsHeadsPrefix(ref) {
    return ref.startsWith("refs/heads/") ? ref.slice("refs/heads/".length) : ref;
 }
 // Is the version of the repository we are currently analyzing from the default branch,
 // or alternatively from another branch or a pull request.
 async function isAnalyzingDefaultBranch() {
    var _a;
    // Get the current ref and trim and refs/heads/ prefix
    let currentRef = await getRef();
    currentRef = removeRefsHeadsPrefix(currentRef);
    const event = getWorkflowEvent();
    let defaultBranch = (_a = event === null || event === void 0 ? void 0 : event.repository) === null || _a === void 0 ? void 0 : _a.default_branch;
    if (process.env.GITHUB_EVENT_NAME === "schedule") {
        defaultBranch = removeRefsHeadsPrefix((0, util_1.getRequiredEnvParam)("GITHUB_REF"));
    }
    return currentRef === defaultBranch;
 }
 exports.isAnalyzingDefaultBranch = isAnalyzingDefaultBranch;
 async function printDebugLogs(config) {
    for (const language of config.languages) {
        const databaseDirectory = (0, util_1.getCodeQLDatabasePath)(config, language);
        const logsDirectory = path.join(databaseDirectory, "log");
        if (!(0, util_1.doesDirectoryExist)(logsDirectory)) {
            core.info(`Directory ${logsDirectory} does not exist.`);
            continue; // Skip this language database.
        }
        const walkLogFiles = (dir) => {
            const entries = fs.readdirSync(dir, { withFileTypes: true });
            if (entries.length === 0) {
                core.info(`No debug logs found at directory ${logsDirectory}.`);
            }
            for (const entry of entries) {
                if (entry.isFile()) {
                    const absolutePath = path.resolve(dir, entry.name);
                    core.startGroup(`CodeQL Debug Logs - ${language} - ${entry.name} from file at path ${absolutePath}`);
                    process.stdout.write(fs.readFileSync(absolutePath));
                    core.endGroup();
                }
                else if (entry.isDirectory()) {
                    walkLogFiles(path.resolve(dir, entry.name));
                }
            }
        };
        walkLogFiles(logsDirectory);
    }
 }
 exports.printDebugLogs = printDebugLogs;
 //# sourceMappingURL=actions-util.js.map
--- a/lib/actions-util.js.map
+++ b/lib/actions-util.js.map
--- a/lib/actions-util.test.js
+++ b/lib/actions-util.test.js
@@ -1,31 +1,525 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
    __setModuleDefault(result, mod);
    return result;
 };
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const ava_1 = __importDefault(require("ava"));
-const actions_util_1 = require("./actions-util");
+const yaml = __importStar(require("js-yaml"));
 const sinon = __importStar(require("sinon"));
 const actionsutil = __importStar(require("./actions-util"));
 const testing_utils_1 = require("./testing-utils");
-testing_utils_1.setupTests(ava_1.default);
+const util_1 = require("./util");
-ava_1.default("getRef() throws on the empty string", (t) => {
+function errorCodes(actual, expected) {
    return [actual.map(({ code }) => code), expected.map(({ code }) => code)];
 }
 (0, testing_utils_1.setupTests)(ava_1.default);
 (0, ava_1.default)("getRef() throws on the empty string", async (t) => {
    process.env["GITHUB_REF"] = "";
-    t.throws(actions_util_1.getRef);
+    await t.throwsAsync(actionsutil.getRef);
 });
-ava_1.default("prepareEnvironment() when a local run", (t) => {
+(0, ava_1.default)("getRef() returns merge PR ref if GITHUB_SHA still checked out", async (t) => {
-    const origLocalRun = process.env.CODEQL_LOCAL_RUN;
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
-    process.env.CODEQL_LOCAL_RUN = "false";
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-    process.env.GITHUB_JOB = "YYY";
+        const expectedRef = "refs/pull/1/merge";
-    actions_util_1.prepareLocalRunEnvironment();
+        const currentSha = "a".repeat(40);
-    // unchanged
+        process.env["GITHUB_REF"] = expectedRef;
-    t.deepEqual(process.env.GITHUB_JOB, "YYY");
+        process.env["GITHUB_SHA"] = currentSha;
-    process.env.CODEQL_LOCAL_RUN = "true";
+        const callback = sinon.stub(actionsutil, "getCommitOid");
-    actions_util_1.prepareLocalRunEnvironment();
+        callback.withArgs("HEAD").resolves(currentSha);
-    // unchanged
+        const actualRef = await actionsutil.getRef();
-    t.deepEqual(process.env.GITHUB_JOB, "YYY");
+        t.deepEqual(actualRef, expectedRef);
-    process.env.GITHUB_JOB = "";
+        callback.restore();
-    actions_util_1.prepareLocalRunEnvironment();
+    });
-    // updated
+});
-    t.deepEqual(process.env.GITHUB_JOB, "UNKNOWN-JOB");
+(0, ava_1.default)("getRef() returns merge PR ref if GITHUB_REF still checked out but sha has changed (actions checkout@v1)", async (t) => {
-    process.env.CODEQL_LOCAL_RUN = origLocalRun;
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        const expectedRef = "refs/pull/1/merge";
        process.env["GITHUB_REF"] = expectedRef;
        process.env["GITHUB_SHA"] = "b".repeat(40);
        const sha = "a".repeat(40);
        const callback = sinon.stub(actionsutil, "getCommitOid");
        callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
        callback.withArgs("HEAD").resolves(sha);
        const actualRef = await actionsutil.getRef();
        t.deepEqual(actualRef, expectedRef);
        callback.restore();
    });
 });
 (0, ava_1.default)("getRef() returns head PR ref if GITHUB_REF no longer checked out", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        process.env["GITHUB_REF"] = "refs/pull/1/merge";
        process.env["GITHUB_SHA"] = "a".repeat(40);
        const callback = sinon.stub(actionsutil, "getCommitOid");
        callback.withArgs(tmpDir, "refs/pull/1/merge").resolves("a".repeat(40));
        callback.withArgs(tmpDir, "HEAD").resolves("b".repeat(40));
        const actualRef = await actionsutil.getRef();
        t.deepEqual(actualRef, "refs/pull/1/head");
        callback.restore();
    });
 });
 (0, ava_1.default)("getRef() returns ref provided as an input and ignores current HEAD", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
        getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
        getAdditionalInputStub.withArgs("sha").resolves("b".repeat(40));
        // These values are be ignored
        process.env["GITHUB_REF"] = "refs/pull/1/merge";
        process.env["GITHUB_SHA"] = "a".repeat(40);
        const callback = sinon.stub(actionsutil, "getCommitOid");
        callback.withArgs("refs/pull/1/merge").resolves("b".repeat(40));
        callback.withArgs("HEAD").resolves("b".repeat(40));
        const actualRef = await actionsutil.getRef();
        t.deepEqual(actualRef, "refs/pull/2/merge");
        callback.restore();
        getAdditionalInputStub.restore();
    });
 });
 (0, ava_1.default)("getRef() throws an error if only `ref` is provided as an input", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
        getAdditionalInputStub.withArgs("ref").resolves("refs/pull/1/merge");
        await t.throwsAsync(async () => {
            await actionsutil.getRef();
        }, {
            instanceOf: Error,
            message: "Both 'ref' and 'sha' are required if one of them is provided.",
        });
        getAdditionalInputStub.restore();
    });
 });
 (0, ava_1.default)("getRef() throws an error if only `sha` is provided as an input", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        process.env["GITHUB_WORKSPACE"] = "/tmp";
        const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
        getAdditionalInputStub.withArgs("sha").resolves("a".repeat(40));
        await t.throwsAsync(async () => {
            await actionsutil.getRef();
        }, {
            instanceOf: Error,
            message: "Both 'ref' and 'sha' are required if one of them is provided.",
        });
        getAdditionalInputStub.restore();
    });
 });
 (0, ava_1.default)("computeAutomationID()", async (t) => {
    let actualAutomationID = actionsutil.computeAutomationID(".github/workflows/codeql-analysis.yml:analyze", '{"language": "javascript", "os": "linux"}');
    t.deepEqual(actualAutomationID, ".github/workflows/codeql-analysis.yml:analyze/language:javascript/os:linux/");
    // check the environment sorting
    actualAutomationID = actionsutil.computeAutomationID(".github/workflows/codeql-analysis.yml:analyze", '{"os": "linux", "language": "javascript"}');
    t.deepEqual(actualAutomationID, ".github/workflows/codeql-analysis.yml:analyze/language:javascript/os:linux/");
    // check that an empty environment produces the right results
    actualAutomationID = actionsutil.computeAutomationID(".github/workflows/codeql-analysis.yml:analyze", "{}");
    t.deepEqual(actualAutomationID, ".github/workflows/codeql-analysis.yml:analyze/");
    // check non string environment values
    actualAutomationID = actionsutil.computeAutomationID(".github/workflows/codeql-analysis.yml:analyze", '{"number": 1, "object": {"language": "javascript"}}');
    t.deepEqual(actualAutomationID, ".github/workflows/codeql-analysis.yml:analyze/number:/object:/");
    // check undefined environment
    actualAutomationID = actionsutil.computeAutomationID(".github/workflows/codeql-analysis.yml:analyze", undefined);
    t.deepEqual(actualAutomationID, ".github/workflows/codeql-analysis.yml:analyze/");
 });
 (0, ava_1.default)("getWorkflowErrors() when on is empty", (t) => {
    const errors = actionsutil.getWorkflowErrors({ on: {} });
    t.deepEqual(...errorCodes(errors, []));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.push is an array missing pull_request", (t) => {
    const errors = actionsutil.getWorkflowErrors({ on: ["push"] });
    t.deepEqual(...errorCodes(errors, []));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.push is an array missing push", (t) => {
    const errors = actionsutil.getWorkflowErrors({ on: ["pull_request"] });
    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MissingPushHook]));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.push is valid", (t) => {
    const errors = actionsutil.getWorkflowErrors({
        on: ["push", "pull_request"],
    });
    t.deepEqual(...errorCodes(errors, []));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.push is a valid superset", (t) => {
    const errors = actionsutil.getWorkflowErrors({
        on: ["push", "pull_request", "schedule"],
    });
    t.deepEqual(...errorCodes(errors, []));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.push should not have a path", (t) => {
    const errors = actionsutil.getWorkflowErrors({
        on: {
            push: { branches: ["main"], paths: ["test/*"] },
            pull_request: { branches: ["main"] },
        },
    });
    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.PathsSpecified]));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.push is a correct object", (t) => {
    const errors = actionsutil.getWorkflowErrors({
        on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } },
    });
    t.deepEqual(...errorCodes(errors, []));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.pull_requests is a string", (t) => {
    const errors = actionsutil.getWorkflowErrors({
        on: { push: { branches: ["main"] }, pull_request: { branches: "*" } },
    });
    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.pull_requests is a string and correct", (t) => {
    const errors = actionsutil.getWorkflowErrors({
        on: { push: { branches: "*" }, pull_request: { branches: "*" } },
    });
    t.deepEqual(...errorCodes(errors, []));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.push is correct with empty objects", (t) => {
    const errors = actionsutil.getWorkflowErrors(yaml.load(`
 on:
  push:
  pull_request:
 `));
    t.deepEqual(...errorCodes(errors, []));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.push is mismatched", (t) => {
    const errors = actionsutil.getWorkflowErrors({
        on: {
            push: { branches: ["main"] },
            pull_request: { branches: ["feature"] },
        },
    });
    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.push is not mismatched", (t) => {
    const errors = actionsutil.getWorkflowErrors({
        on: {
            push: { branches: ["main", "feature"] },
            pull_request: { branches: ["main"] },
        },
    });
    t.deepEqual(...errorCodes(errors, []));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.push is mismatched for pull_request", (t) => {
    const errors = actionsutil.getWorkflowErrors({
        on: {
            push: { branches: ["main"] },
            pull_request: { branches: ["main", "feature"] },
        },
    });
    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
 });
 (0, ava_1.default)("getWorkflowErrors() for a range of malformed workflows", (t) => {
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
        on: {
            push: 1,
            pull_request: 1,
        },
    }), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
        on: 1,
    }), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
        on: 1,
        jobs: 1,
    }), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
        on: 1,
        jobs: [1],
    }), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
        on: 1,
        jobs: { 1: 1 },
    }), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
        on: 1,
        jobs: { test: 1 },
    }), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
        on: 1,
        jobs: { test: [1] },
    }), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
        on: 1,
        jobs: { test: { steps: 1 } },
    }), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
        on: 1,
        jobs: { test: { steps: [{ notrun: "git checkout HEAD^2" }] } },
    }), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
        on: 1,
        jobs: { test: [undefined] },
    }), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(1), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors({
        on: {
            push: {
                branches: 1,
            },
            pull_request: {
                branches: 1,
            },
        },
    }), []));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.pull_request for every branch but push specifies branches", (t) => {
    const errors = actionsutil.getWorkflowErrors(yaml.load(`
 name: "CodeQL"
 on:
  push:
    branches: ["main"]
  pull_request:
 `));
    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.pull_request for wildcard branches", (t) => {
    const errors = actionsutil.getWorkflowErrors({
        on: {
            push: { branches: ["feature/*"] },
            pull_request: { branches: "feature/moose" },
        },
    });
    t.deepEqual(...errorCodes(errors, []));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.pull_request for mismatched wildcard branches", (t) => {
    const errors = actionsutil.getWorkflowErrors({
        on: {
            push: { branches: ["feature/moose"] },
            pull_request: { branches: "feature/*" },
        },
    });
    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.MismatchedBranches]));
 });
 (0, ava_1.default)("getWorkflowErrors() when HEAD^2 is checked out", (t) => {
    process.env.GITHUB_JOB = "test";
    const errors = actionsutil.getWorkflowErrors({
        on: ["push", "pull_request"],
        jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
    });
    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.CheckoutWrongHead]));
 });
 (0, ava_1.default)("formatWorkflowErrors() when there is one error", (t) => {
    const message = actionsutil.formatWorkflowErrors([
        actionsutil.WorkflowErrors.CheckoutWrongHead,
    ]);
    t.true(message.startsWith("1 issue was detected with this workflow:"));
 });
 (0, ava_1.default)("formatWorkflowErrors() when there are multiple errors", (t) => {
    const message = actionsutil.formatWorkflowErrors([
        actionsutil.WorkflowErrors.CheckoutWrongHead,
        actionsutil.WorkflowErrors.PathsSpecified,
    ]);
    t.true(message.startsWith("2 issues were detected with this workflow:"));
 });
 (0, ava_1.default)("formatWorkflowCause() with no errors", (t) => {
    const message = actionsutil.formatWorkflowCause([]);
    t.deepEqual(message, undefined);
 });
 (0, ava_1.default)("formatWorkflowCause()", (t) => {
    const message = actionsutil.formatWorkflowCause([
        actionsutil.WorkflowErrors.CheckoutWrongHead,
        actionsutil.WorkflowErrors.PathsSpecified,
    ]);
    t.deepEqual(message, "CheckoutWrongHead,PathsSpecified");
    t.deepEqual(actionsutil.formatWorkflowCause([]), undefined);
 });
 (0, ava_1.default)("patternIsSuperset()", (t) => {
    t.false(actionsutil.patternIsSuperset("main-*", "main"));
    t.true(actionsutil.patternIsSuperset("*", "*"));
    t.true(actionsutil.patternIsSuperset("*", "main-*"));
    t.false(actionsutil.patternIsSuperset("main-*", "*"));
    t.false(actionsutil.patternIsSuperset("main-*", "main"));
    t.true(actionsutil.patternIsSuperset("main", "main"));
    t.false(actionsutil.patternIsSuperset("*", "feature/*"));
    t.true(actionsutil.patternIsSuperset("**", "feature/*"));
    t.false(actionsutil.patternIsSuperset("feature-*", "**"));
    t.false(actionsutil.patternIsSuperset("a/**/c", "a/**/d"));
    t.false(actionsutil.patternIsSuperset("a/**/c", "a/**"));
    t.true(actionsutil.patternIsSuperset("a/**", "a/**/c"));
    t.true(actionsutil.patternIsSuperset("a/**/c", "a/main-**/c"));
    t.false(actionsutil.patternIsSuperset("a/**/b/**/c", "a/**/d/**/c"));
    t.true(actionsutil.patternIsSuperset("a/**/b/**/c", "a/**/b/c/**/c"));
    t.true(actionsutil.patternIsSuperset("a/**/b/**/c", "a/**/b/d/**/c"));
    t.false(actionsutil.patternIsSuperset("a/**/c/d/**/c", "a/**/b/**/c"));
    t.false(actionsutil.patternIsSuperset("a/main-**/c", "a/**/c"));
    t.true(actionsutil.patternIsSuperset("/robin/*/release/*", "/robin/moose/release/goose"));
    t.false(actionsutil.patternIsSuperset("/robin/moose/release/goose", "/robin/*/release/*"));
 });
 (0, ava_1.default)("getWorkflowErrors() when branches contain dots", (t) => {
    const errors = actionsutil.getWorkflowErrors(yaml.load(`
  on:
    push:
      branches: [4.1, master]
    pull_request:
      # The branches below must be a subset of the branches above
      branches: [4.1, master]
 `));
    t.deepEqual(...errorCodes(errors, []));
 });
 (0, ava_1.default)("getWorkflowErrors() when on.push has a trailing comma", (t) => {
    const errors = actionsutil.getWorkflowErrors(yaml.load(`
 name: "CodeQL"
 on:
  push:
    branches: [master, ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [master]
 `));
    t.deepEqual(...errorCodes(errors, []));
 });
 (0, ava_1.default)("getWorkflowErrors() should only report the current job's CheckoutWrongHead", (t) => {
    process.env.GITHUB_JOB = "test";
    const errors = actionsutil.getWorkflowErrors(yaml.load(`
 name: "CodeQL"
 on:
  push:
    branches: [master]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [master]
 jobs:
  test:
    steps:
      - run: "git checkout HEAD^2"
  test2:
    steps:
      - run: "git checkout HEAD^2"
  test3:
    steps: []
 `));
    t.deepEqual(...errorCodes(errors, [actionsutil.WorkflowErrors.CheckoutWrongHead]));
 });
 (0, ava_1.default)("getWorkflowErrors() should not report a different job's CheckoutWrongHead", (t) => {
    process.env.GITHUB_JOB = "test3";
    const errors = actionsutil.getWorkflowErrors(yaml.load(`
 name: "CodeQL"
 on:
  push:
    branches: [master]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [master]
 jobs:
  test:
    steps:
      - run: "git checkout HEAD^2"
  test2:
    steps:
      - run: "git checkout HEAD^2"
  test3:
    steps: []
 `));
    t.deepEqual(...errorCodes(errors, []));
 });
 (0, ava_1.default)("getWorkflowErrors() when on is missing", (t) => {
    const errors = actionsutil.getWorkflowErrors(yaml.load(`
 name: "CodeQL"
 `));
    t.deepEqual(...errorCodes(errors, []));
 });
 (0, ava_1.default)("getWorkflowErrors() with a different on setup", (t) => {
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
 name: "CodeQL"
 on: "workflow_dispatch"
 `)), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
 name: "CodeQL"
 on: [workflow_dispatch]
 `)), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
 name: "CodeQL"
 on:
  workflow_dispatch: {}
 `)), []));
 });
 (0, ava_1.default)("getWorkflowErrors() should not report an error if PRs are totally unconfigured", (t) => {
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
 name: "CodeQL"
 on:
  push:
    branches: [master]
 `)), []));
    t.deepEqual(...errorCodes(actionsutil.getWorkflowErrors(yaml.load(`
 name: "CodeQL"
 on: ["push"]
 `)), []));
 });
 (0, ava_1.default)("initializeEnvironment", (t) => {
    (0, util_1.initializeEnvironment)(util_1.Mode.actions, "1.2.3");
    t.deepEqual((0, util_1.getMode)(), util_1.Mode.actions);
    t.deepEqual(process.env.CODEQL_ACTION_VERSION, "1.2.3");
    (0, util_1.initializeEnvironment)(util_1.Mode.runner, "4.5.6");
    t.deepEqual((0, util_1.getMode)(), util_1.Mode.runner);
    t.deepEqual(process.env.CODEQL_ACTION_VERSION, "4.5.6");
 });
 (0, ava_1.default)("isAnalyzingDefaultBranch()", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        const envFile = path.join(tmpDir, "event.json");
        fs.writeFileSync(envFile, JSON.stringify({
            repository: {
                default_branch: "main",
            },
        }));
        process.env["GITHUB_EVENT_PATH"] = envFile;
        process.env["GITHUB_REF"] = "main";
        process.env["GITHUB_SHA"] = "1234";
        t.deepEqual(await actionsutil.isAnalyzingDefaultBranch(), true);
        process.env["GITHUB_REF"] = "refs/heads/main";
        t.deepEqual(await actionsutil.isAnalyzingDefaultBranch(), true);
        process.env["GITHUB_REF"] = "feature";
        t.deepEqual(await actionsutil.isAnalyzingDefaultBranch(), false);
        fs.writeFileSync(envFile, JSON.stringify({
            schedule: "0 0 * * *",
        }));
        process.env["GITHUB_EVENT_NAME"] = "schedule";
        process.env["GITHUB_REF"] = "refs/heads/main";
        t.deepEqual(await actionsutil.isAnalyzingDefaultBranch(), true);
        const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
        getAdditionalInputStub
            .withArgs("ref")
            .resolves("refs/heads/something-else");
        getAdditionalInputStub
            .withArgs("sha")
            .resolves("0000000000000000000000000000000000000000");
        process.env["GITHUB_EVENT_NAME"] = "schedule";
        process.env["GITHUB_REF"] = "refs/heads/main";
        t.deepEqual(await actionsutil.isAnalyzingDefaultBranch(), false);
        getAdditionalInputStub.restore();
    });
 });
 (0, ava_1.default)("workflowEventName()", async (t) => {
    process.env["GITHUB_EVENT_NAME"] = "push";
    t.deepEqual(actionsutil.workflowEventName(), "push");
    process.env["GITHUB_EVENT_NAME"] = "dynamic";
    t.deepEqual(actionsutil.workflowEventName(), "dynamic");
    process.env["CODESCANNING_EVENT_NAME"] = "push";
    t.deepEqual(actionsutil.workflowEventName(), "push");
 });
 //# sourceMappingURL=actions-util.test.js.map
--- a/lib/actions-util.test.js.map
+++ b/lib/actions-util.test.js.map
--- a/lib/analysis-paths.js
+++ b/lib/analysis-paths.js
@@ -1,10 +1,31 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
    __setModuleDefault(result, mod);
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.includeAndExcludeAnalysisPaths = exports.printPathFiltersWarning = exports.legalWindowsPathCharactersRegex = void 0;
 const path = __importStar(require("path"));
 function isInterpretedLanguage(language) {
-    return language === "javascript" || language === "python";
+    return (language === "javascript" || language === "python" || language === "ruby");
 }
 // Matches a string containing only characters that are legal to include in paths on windows.
-exports.legalWindowsPathCharactersRegex = /^[^<>:"\|?]*$/;
+exports.legalWindowsPathCharactersRegex = /^[^<>:"|?]*$/;
 // Builds an environment variable suitable for LGTM_INDEX_INCLUDE or LGTM_INDEX_EXCLUDE
 function buildIncludeExcludeEnvVar(paths) {
    // Ignore anything containing a *
@@ -16,11 +37,11 @@ function buildIncludeExcludeEnvVar(paths) {
    return paths.join("\n");
 }
 function printPathFiltersWarning(config, logger) {
-    // Index include/exclude/filters only work in javascript and python.
+    // Index include/exclude/filters only work in javascript/python/ruby.
    // If any other languages are detected/configured then show a warning.
    if ((config.paths.length !== 0 || config.pathsIgnore.length !== 0) &&
        !config.languages.every(isInterpretedLanguage)) {
-        logger.warning('The "paths"/"paths-ignore" fields of the config only have effect for Javascript and Python');
+        logger.warning('The "paths"/"paths-ignore" fields of the config only have effect for JavaScript, Python, and Ruby');
    }
 }
 exports.printPathFiltersWarning = printPathFiltersWarning;
@@ -35,8 +56,15 @@ function includeAndExcludeAnalysisPaths(config) {
    if (config.paths.length !== 0) {
        process.env["LGTM_INDEX_INCLUDE"] = buildIncludeExcludeEnvVar(config.paths);
    }
-    if (config.pathsIgnore.length !== 0) {
+    // If the temporary or tools directory is in the working directory ignore that too.
-        process.env["LGTM_INDEX_EXCLUDE"] = buildIncludeExcludeEnvVar(config.pathsIgnore);
+    const tempRelativeToWorking = path.relative(process.cwd(), config.tempDir);
    let pathsIgnore = config.pathsIgnore;
    if (!tempRelativeToWorking.startsWith("..") &&
        !path.isAbsolute(tempRelativeToWorking)) {
        pathsIgnore = pathsIgnore.concat(tempRelativeToWorking);
    }
    if (pathsIgnore.length !== 0) {
        process.env["LGTM_INDEX_EXCLUDE"] = buildIncludeExcludeEnvVar(pathsIgnore);
    }
    // The 'LGTM_INDEX_FILTERS' environment variable controls which files are
    // extracted or ignored. It does not control which directories are traversed.
--- a/lib/analysis-paths.js.map
+++ b/lib/analysis-paths.js.map
@@ -1 +1 @@
-{"version":3,"file":"analysis-paths.js","sourceRoot":"","sources":["../src/analysis-paths.ts"],"names":[],"mappings":";;AAGA,SAAS,qBAAqB,CAAC,QAAQ;IACrC,OAAO,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,QAAQ,CAAC;AAC5D,CAAC;AAED,6FAA6F;AAChF,QAAA,+BAA+B,GAAG,eAAe,CAAC;AAE/D,uFAAuF;AACvF,SAAS,yBAAyB,CAAC,KAAe;IAChD,iCAAiC;IACjC,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEnD,uDAAuD;IACvD,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;QAChC,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,uCAA+B,CAAC,CAAC,CAAC;KACvE;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAgB,uBAAuB,CACrC,MAA0B,EAC1B,MAAc;IAEd,oEAAoE;IACpE,sEAAsE;IACtE,IACE,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,CAAC;QAC9D,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAC9C;QACA,MAAM,CAAC,OAAO,CACZ,4FAA4F,CAC7F,CAAC;KACH;AACH,CAAC;AAdD,0DAcC;AAED,SAAgB,8BAA8B,CAAC,MAA0B;IACvE,0EAA0E;IAC1E,+DAA+D;IAC/D,sEAAsE;IACtE,qDAAqD;IACrD,gFAAgF;IAChF,sEAAsE;IACtE,sDAAsD;IACtD,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE;QAC7B,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,yBAAyB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KAC7E;IACD,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE;QACnC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,yBAAyB,CAC3D,MAAM,CAAC,WAAW,CACnB,CAAC;KACH;IAED,yEAAyE;IACzE,6EAA6E;IAC7E,wDAAwD;IACxD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IACzD,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE;QACxB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KACxD;AACH,CAAC;AA1BD,wEA0BC"}
+{"version":3,"file":"analysis-paths.js","sourceRoot":"","sources":["../src/analysis-paths.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAK7B,SAAS,qBAAqB,CAAC,QAAQ;IACrC,OAAO,CACL,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,MAAM,CAC1E,CAAC;AACJ,CAAC;AAED,6FAA6F;AAChF,QAAA,+BAA+B,GAAG,cAAc,CAAC;AAE9D,uFAAuF;AACvF,SAAS,yBAAyB,CAAC,KAAe;IAChD,iCAAiC;IACjC,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEnD,uDAAuD;IACvD,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;QAChC,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,uCAA+B,CAAC,CAAC,CAAC;KACvE;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAgB,uBAAuB,CACrC,MAA0B,EAC1B,MAAc;IAEd,qEAAqE;IACrE,sEAAsE;IACtE,IACE,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,CAAC;QAC9D,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAC9C;QACA,MAAM,CAAC,OAAO,CACZ,mGAAmG,CACpG,CAAC;KACH;AACH,CAAC;AAdD,0DAcC;AAED,SAAgB,8BAA8B,CAAC,MAA0B;IACvE,0EAA0E;IAC1E,+DAA+D;IAC/D,sEAAsE;IACtE,qDAAqD;IACrD,gFAAgF;IAChF,sEAAsE;IACtE,sDAAsD;IACtD,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE;QAC7B,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,yBAAyB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KAC7E;IACD,mFAAmF;IACnF,MAAM,qBAAqB,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IAC3E,IAAI,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;IACrC,IACE,CAAC,qBAAqB,CAAC,UAAU,CAAC,IAAI,CAAC;QACvC,CAAC,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,EACvC;QACA,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;KACzD;IACD,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE;QAC5B,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,yBAAyB,CAAC,WAAW,CAAC,CAAC;KAC5E;IAED,yEAAyE;IACzE,6EAA6E;IAC7E,wDAAwD;IACxD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IACzD,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE;QACxB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KACxD;AACH,CAAC;AAjCD,wEAiCC"}
--- a/lib/analysis-paths.test.js
+++ b/lib/analysis-paths.test.js
@@ -1,21 +1,34 @@
 "use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
+    if (k2 === undefined) k2 = k;
-};
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    result["default"] = mod;
+    __setModuleDefault(result, mod);
    return result;
 };
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const path = __importStar(require("path"));
 const ava_1 = __importDefault(require("ava"));
 const analysisPaths = __importStar(require("./analysis-paths"));
 const testing_utils_1 = require("./testing-utils");
 const util = __importStar(require("./util"));
-testing_utils_1.setupTests(ava_1.default);
+(0, testing_utils_1.setupTests)(ava_1.default);
-ava_1.default("emptyPaths", async (t) => {
+(0, ava_1.default)("emptyPaths", async (t) => {
    return await util.withTmpDir(async (tmpDir) => {
        const config = {
            languages: [],
@@ -24,8 +37,20 @@ ava_1.default("emptyPaths", async (t) => {
            paths: [],
            originalUserInput: {},
            tempDir: tmpDir,
            toolCacheDir: tmpDir,
            codeQLCmd: "",
            gitHubVersion: { type: util.GitHubVariant.DOTCOM },
            dbLocation: path.resolve(tmpDir, "codeql_databases"),
            packs: {},
            debugMode: false,
            debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
            debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
            augmentationProperties: {
                injectedMlQueries: false,
                packsInputCombines: false,
                queriesInputCombines: false,
            },
            trapCaches: {},
            trapCacheDownloadTime: 0,
        };
        analysisPaths.includeAndExcludeAnalysisPaths(config);
        t.is(process.env["LGTM_INDEX_INCLUDE"], undefined);
@@ -33,7 +58,7 @@ ava_1.default("emptyPaths", async (t) => {
        t.is(process.env["LGTM_INDEX_FILTERS"], undefined);
    });
 });
-ava_1.default("nonEmptyPaths", async (t) => {
+(0, ava_1.default)("nonEmptyPaths", async (t) => {
    return await util.withTmpDir(async (tmpDir) => {
        const config = {
            languages: [],
@@ -42,8 +67,20 @@ ava_1.default("nonEmptyPaths", async (t) => {
            pathsIgnore: ["path4", "path5", "path6/**"],
            originalUserInput: {},
            tempDir: tmpDir,
            toolCacheDir: tmpDir,
            codeQLCmd: "",
            gitHubVersion: { type: util.GitHubVariant.DOTCOM },
            dbLocation: path.resolve(tmpDir, "codeql_databases"),
            packs: {},
            debugMode: false,
            debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
            debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
            augmentationProperties: {
                injectedMlQueries: false,
                packsInputCombines: false,
                queriesInputCombines: false,
            },
            trapCaches: {},
            trapCacheDownloadTime: 0,
        };
        analysisPaths.includeAndExcludeAnalysisPaths(config);
        t.is(process.env["LGTM_INDEX_INCLUDE"], "path1\npath2");
@@ -51,4 +88,33 @@ ava_1.default("nonEmptyPaths", async (t) => {
        t.is(process.env["LGTM_INDEX_FILTERS"], "include:path1\ninclude:path2\ninclude:**/path3\nexclude:path4\nexclude:path5\nexclude:path6/**");
    });
 });
 (0, ava_1.default)("exclude temp dir", async (t) => {
    const tempDir = path.join(process.cwd(), "codeql-runner-temp");
    const config = {
        languages: [],
        queries: {},
        pathsIgnore: [],
        paths: [],
        originalUserInput: {},
        tempDir,
        codeQLCmd: "",
        gitHubVersion: { type: util.GitHubVariant.DOTCOM },
        dbLocation: path.resolve(tempDir, "codeql_databases"),
        packs: {},
        debugMode: false,
        debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
        debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
        augmentationProperties: {
            injectedMlQueries: false,
            packsInputCombines: false,
            queriesInputCombines: false,
        },
        trapCaches: {},
        trapCacheDownloadTime: 0,
    };
    analysisPaths.includeAndExcludeAnalysisPaths(config);
    t.is(process.env["LGTM_INDEX_INCLUDE"], undefined);
    t.is(process.env["LGTM_INDEX_EXCLUDE"], "codeql-runner-temp");
    t.is(process.env["LGTM_INDEX_FILTERS"], undefined);
 });
 //# sourceMappingURL=analysis-paths.test.js.map
--- a/lib/analysis-paths.test.js.map
+++ b/lib/analysis-paths.test.js.map
@@ -1 +1 @@
-{"version":3,"file":"analysis-paths.test.js","sourceRoot":"","sources":["../src/analysis-paths.test.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,8CAAuB;AAEvB,gEAAkD;AAClD,mDAA6C;AAC7C,6CAA+B;AAE/B,0BAAU,CAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,YAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC7B,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,WAAW,EAAE,EAAE;YACf,KAAK,EAAE,EAAE;YACT,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,YAAY,EAAE,MAAM;YACpB,SAAS,EAAE,EAAE;SACd,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,eAAe,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAChC,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,KAAK,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YACrC,WAAW,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YAC3C,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,YAAY,EAAE,MAAM;YACpB,SAAS,EAAE,EAAE;SACd,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CACF,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EACjC,gGAAgG,CACjG,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"analysis-paths.test.js","sourceRoot":"","sources":["../src/analysis-paths.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AAEvB,gEAAkD;AAClD,mDAA6C;AAC7C,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,YAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC7B,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,WAAW,EAAE,EAAE;YACf,KAAK,EAAE,EAAE;YACT,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,kBAAkB,CAAC;YACpD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,sBAAsB,EAAE;gBACtB,iBAAiB,EAAE,KAAK;gBACxB,kBAAkB,EAAE,KAAK;gBACzB,oBAAoB,EAAE,KAAK;aAC5B;YACD,UAAU,EAAE,EAAE;YACd,qBAAqB,EAAE,CAAC;SACzB,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,eAAe,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAChC,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,KAAK,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YACrC,WAAW,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YAC3C,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,kBAAkB,CAAC;YACpD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,sBAAsB,EAAE;gBACtB,iBAAiB,EAAE,KAAK;gBACxB,kBAAkB,EAAE,KAAK;gBACzB,oBAAoB,EAAE,KAAK;aAC5B;YACD,UAAU,EAAE,EAAE;YACd,qBAAqB,EAAE,CAAC;SACzB,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CACF,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EACjC,gGAAgG,CACjG,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,kBAAkB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,oBAAoB,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG;QACb,SAAS,EAAE,EAAE;QACb,OAAO,EAAE,EAAE;QACX,WAAW,EAAE,EAAE;QACf,KAAK,EAAE,EAAE;QACT,iBAAiB,EAAE,EAAE;QACrB,OAAO;QACP,SAAS,EAAE,EAAE;QACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;QACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,kBAAkB,CAAC;QACrD,KAAK,EAAE,EAAE;QACT,SAAS,EAAE,KAAK;QAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;QACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;QACnD,sBAAsB,EAAE;YACtB,iBAAiB,EAAE,KAAK;YACxB,kBAAkB,EAAE,KAAK;YACzB,oBAAoB,EAAE,KAAK;SAC5B;QACD,UAAU,EAAE,EAAE;QACd,qBAAqB,EAAE,CAAC;KACzB,CAAC;IACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;IACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,oBAAoB,CAAC,CAAC;IAC9D,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;AACrD,CAAC,CAAC,CAAC"}
--- a/lib/analyze-action-env.test.js
+++ b/lib/analyze-action-env.test.js
@@ -0,0 +1,84 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
    __setModuleDefault(result, mod);
    return result;
 };
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const ava_1 = __importDefault(require("ava"));
 const sinon = __importStar(require("sinon"));
 const actionsUtil = __importStar(require("./actions-util"));
 const analyze = __importStar(require("./analyze"));
 const configUtils = __importStar(require("./config-utils"));
 const testing_utils_1 = require("./testing-utils");
 const util = __importStar(require("./util"));
 (0, testing_utils_1.setupTests)(ava_1.default);
 // This test needs to be in its own file so that ava would run it in its own
 // nodejs process. The code being tested is in analyze-action.ts, which runs
 // immediately on load. So the file needs to be loaded during part of the test,
 // and that can happen only once per nodejs process. If multiple such tests are
 // in the same test file, ava would run them in the same nodejs process, and all
 // but the first test would fail.
 (0, ava_1.default)("analyze action with RAM & threads from environment variables", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
        process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
        process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
        process.env["GITHUB_API_URL"] = "https://api.github.com";
        sinon
            .stub(actionsUtil, "createStatusReportBase")
            .resolves({});
        sinon.stub(actionsUtil, "sendStatusReport").resolves(true);
        const gitHubVersion = {
            type: util.GitHubVariant.DOTCOM,
        };
        sinon.stub(configUtils, "getConfig").resolves({
            gitHubVersion,
            languages: [],
            packs: [],
        });
        const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
        requiredInputStub.withArgs("token").returns("fake-token");
        requiredInputStub.withArgs("upload-database").returns("false");
        const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
        optionalInputStub.withArgs("cleanup-level").returns("none");
        optionalInputStub.withArgs("expect-error").returns("false");
        sinon.stub(util, "getGitHubVersion").resolves(gitHubVersion);
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, {});
        // When there are no action inputs for RAM and threads, the action uses
        // environment variables (passed down from the init action) to set RAM and
        // threads usage.
        process.env["CODEQL_THREADS"] = "-1";
        process.env["CODEQL_RAM"] = "4992";
        const runFinalizeStub = sinon.stub(analyze, "runFinalize");
        const runQueriesStub = sinon.stub(analyze, "runQueries");
        const analyzeAction = require("./analyze-action");
        // When analyze-action.ts loads, it runs an async function from the top
        // level but does not wait for it to finish. To ensure that calls to
        // runFinalize and runQueries are correctly captured by spies, we explicitly
        // wait for the action promise to complete before starting verification.
        await analyzeAction.runPromise;
        t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
        t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=4992");
        t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
        t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=4992");
    });
 });
 //# sourceMappingURL=analyze-action-env.test.js.map
--- a/lib/analyze-action-env.test.js.map
+++ b/lib/analyze-action-env.test.js.map
@@ -0,0 +1 @@
 {"version":3,"file":"analyze-action-env.test.js","sourceRoot":"","sources":["../src/analyze-action-env.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,4DAA8C;AAC9C,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,8DAA8D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC/E,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC;aAC3C,QAAQ,CAAC,EAAkC,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;SACuB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,uEAAuE;QACvE,0EAA0E;QAC1E,iBAAiB;QACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
--- a/lib/analyze-action-input.test.js
+++ b/lib/analyze-action-input.test.js
@@ -0,0 +1,84 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
    __setModuleDefault(result, mod);
    return result;
 };
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const ava_1 = __importDefault(require("ava"));
 const sinon = __importStar(require("sinon"));
 const actionsUtil = __importStar(require("./actions-util"));
 const analyze = __importStar(require("./analyze"));
 const configUtils = __importStar(require("./config-utils"));
 const testing_utils_1 = require("./testing-utils");
 const util = __importStar(require("./util"));
 (0, testing_utils_1.setupTests)(ava_1.default);
 // This test needs to be in its own file so that ava would run it in its own
 // nodejs process. The code being tested is in analyze-action.ts, which runs
 // immediately on load. So the file needs to be loaded during part of the test,
 // and that can happen only once per nodejs process. If multiple such tests are
 // in the same test file, ava would run them in the same nodejs process, and all
 // but the first test would fail.
 (0, ava_1.default)("analyze action with RAM & threads from action inputs", async (t) => {
    await util.withTmpDir(async (tmpDir) => {
        process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
        process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
        process.env["GITHUB_API_URL"] = "https://api.github.com";
        sinon
            .stub(actionsUtil, "createStatusReportBase")
            .resolves({});
        sinon.stub(actionsUtil, "sendStatusReport").resolves(true);
        const gitHubVersion = {
            type: util.GitHubVariant.DOTCOM,
        };
        sinon.stub(configUtils, "getConfig").resolves({
            gitHubVersion,
            languages: [],
            packs: [],
        });
        const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
        requiredInputStub.withArgs("token").returns("fake-token");
        requiredInputStub.withArgs("upload-database").returns("false");
        const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
        optionalInputStub.withArgs("cleanup-level").returns("none");
        optionalInputStub.withArgs("expect-error").returns("false");
        sinon.stub(util, "getGitHubVersion").resolves(gitHubVersion);
        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, {});
        process.env["CODEQL_THREADS"] = "1";
        process.env["CODEQL_RAM"] = "4992";
        // Action inputs have precedence over environment variables.
        optionalInputStub.withArgs("threads").returns("-1");
        optionalInputStub.withArgs("ram").returns("3012");
        const runFinalizeStub = sinon.stub(analyze, "runFinalize");
        const runQueriesStub = sinon.stub(analyze, "runQueries");
        const analyzeAction = require("./analyze-action");
        // When analyze-action.ts loads, it runs an async function from the top
        // level but does not wait for it to finish. To ensure that calls to
        // runFinalize and runQueries are correctly captured by spies, we explicitly
        // wait for the action promise to complete before starting verification.
        await analyzeAction.runPromise;
        t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
        t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=3012");
        t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
        t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=3012");
    });
 });
 //# sourceMappingURL=analyze-action-input.test.js.map
--- a/lib/analyze-action-input.test.js.map
+++ b/lib/analyze-action-input.test.js.map
@@ -0,0 +1 @@
 {"version":3,"file":"analyze-action-input.test.js","sourceRoot":"","sources":["../src/analyze-action-input.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,4DAA8C;AAC9C,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,sDAAsD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvE,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC;aAC3C,QAAQ,CAAC,EAAkC,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;SACuB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,GAAG,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,4DAA4D;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpD,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElD,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
--- a/lib/analyze-action-post-helper.js
+++ b/lib/analyze-action-post-helper.js
@@ -0,0 +1,41 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
    __setModuleDefault(result, mod);
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.run = void 0;
 const core = __importStar(require("@actions/core"));
 const actionsUtil = __importStar(require("./actions-util"));
 const config_utils_1 = require("./config-utils");
 const logging_1 = require("./logging");
 async function run(uploadSarifDebugArtifact) {
    const logger = (0, logging_1.getActionsLogger)();
    const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
    if (config === undefined) {
        throw new Error("Config file could not be found at expected location. Did the 'init' action fail to start?");
    }
    // Upload Actions SARIF artifacts for debugging
    if (config === null || config === void 0 ? void 0 : config.debugMode) {
        core.info("Debug mode is on. Uploading available SARIF files as Actions debugging artifact...");
        const outputDir = actionsUtil.getRequiredInput("output");
        await uploadSarifDebugArtifact(config, outputDir);
    }
 }
 exports.run = run;
 //# sourceMappingURL=analyze-action-post-helper.js.map
--- a/lib/analyze-action-post-helper.js.map
+++ b/lib/analyze-action-post-helper.js.map
@@ -0,0 +1 @@
 {"version":3,"file":"analyze-action-post-helper.js","sourceRoot":"","sources":["../src/analyze-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,iDAA2C;AAC3C,uCAA6C;AAEtC,KAAK,UAAU,GAAG,CAAC,wBAAkC;IAC1D,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAElC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;KACH;IAED,+CAA+C;IAC/C,IAAI,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE;QACrB,IAAI,CAAC,IAAI,CACP,oFAAoF,CACrF,CAAC;QACF,MAAM,SAAS,GAAG,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QACzD,MAAM,wBAAwB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;KACnD;AACH,CAAC;AAlBD,kBAkBC"}
--- a/lib/analyze-action-post-helper.test.js
+++ b/lib/analyze-action-post-helper.test.js
@@ -0,0 +1,69 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
    __setModuleDefault(result, mod);
    return result;
 };
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const ava_1 = __importDefault(require("ava"));
 const sinon = __importStar(require("sinon"));
 const actionsUtil = __importStar(require("./actions-util"));
 const analyzeActionPostHelper = __importStar(require("./analyze-action-post-helper"));
 const configUtils = __importStar(require("./config-utils"));
 const testing_utils_1 = require("./testing-utils");
 const util = __importStar(require("./util"));
 (0, testing_utils_1.setupTests)(ava_1.default);
 (0, ava_1.default)("post: analyze action with debug mode off", async (t) => {
    return await util.withTmpDir(async (tmpDir) => {
        process.env["RUNNER_TEMP"] = tmpDir;
        const gitHubVersion = {
            type: util.GitHubVariant.DOTCOM,
        };
        sinon.stub(configUtils, "getConfig").resolves({
            debugMode: false,
            gitHubVersion,
            languages: [],
            packs: [],
        });
        const uploadSarifSpy = sinon.spy();
        await analyzeActionPostHelper.run(uploadSarifSpy);
        t.assert(uploadSarifSpy.notCalled);
    });
 });
 (0, ava_1.default)("post: analyze action with debug mode on", async (t) => {
    return await util.withTmpDir(async (tmpDir) => {
        process.env["RUNNER_TEMP"] = tmpDir;
        const gitHubVersion = {
            type: util.GitHubVariant.DOTCOM,
        };
        sinon.stub(configUtils, "getConfig").resolves({
            debugMode: true,
            gitHubVersion,
            languages: [],
            packs: [],
        });
        const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
        requiredInputStub.withArgs("output").returns("fake-output-dir");
        const uploadSarifSpy = sinon.spy();
        await analyzeActionPostHelper.run(uploadSarifSpy);
        t.assert(uploadSarifSpy.called);
    });
 });
 //# sourceMappingURL=analyze-action-post-helper.test.js.map
--- a/lib/analyze-action-post-helper.test.js.map
+++ b/lib/analyze-action-post-helper.test.js.map
@@ -0,0 +1 @@
 {"version":3,"file":"analyze-action-post-helper.test.js","sourceRoot":"","sources":["../src/analyze-action-post-helper.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,sFAAwE;AACxE,4DAA8C;AAC9C,mDAA6C;AAC7C,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,0CAA0C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC3D,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC;QAEpC,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,SAAS,EAAE,KAAK;YAChB,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;SACuB,CAAC,CAAC;QAEpC,MAAM,cAAc,GAAG,KAAK,CAAC,GAAG,EAAE,CAAC;QAEnC,MAAM,uBAAuB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAElD,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1D,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC;QAEpC,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,SAAS,EAAE,IAAI;YACf,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;SACuB,CAAC,CAAC;QAEpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAEhE,MAAM,cAAc,GAAG,KAAK,CAAC,GAAG,EAAE,CAAC;QAEnC,MAAM,uBAAuB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAElD,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -0,0 +1,40 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
    __setModuleDefault(result, mod);
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 /**
 * This file is the entry point for the `post:` hook of `analyze-action.yml`.
 * It will run after the all steps in this job, in reverse order in relation to
 * other `post:` hooks.
 */
 const core = __importStar(require("@actions/core"));
 const analyzeActionPostHelper = __importStar(require("./analyze-action-post-helper"));
 const debugArtifacts = __importStar(require("./debug-artifacts"));
 async function runWrapper() {
    try {
        await analyzeActionPostHelper.run(debugArtifacts.uploadSarifDebugArtifact);
    }
    catch (error) {
        core.setFailed(`analyze post-action step failed: ${error}`);
        console.log(error);
    }
 }
 void runWrapper();
 //# sourceMappingURL=analyze-action-post.js.map
--- a/lib/analyze-action-post.js.map
+++ b/lib/analyze-action-post.js.map
@@ -0,0 +1 @@
 {"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,sFAAwE;AACxE,kEAAoD;AAEpD,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,uBAAuB,CAAC,GAAG,CAAC,cAAc,CAAC,wBAAwB,CAAC,CAAC;KAC5E;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,oCAAoC,KAAK,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -1,56 +1,243 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    result["default"] = mod;
+    __setModuleDefault(result, mod);
    return result;
 };
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runPromise = exports.sendStatusReport = void 0;
 const fs = __importStar(require("fs"));
 const path_1 = __importDefault(require("path"));
 // We need to import `performance` on Node 12
 const perf_hooks_1 = require("perf_hooks");
 const core = __importStar(require("@actions/core"));
 const actionsUtil = __importStar(require("./actions-util"));
 const analyze_1 = require("./analyze");
 const api_client_1 = require("./api-client");
 const autobuild_1 = require("./autobuild");
 const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const database_upload_1 = require("./database-upload");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
 const repository_1 = require("./repository");
 const trap_caching_1 = require("./trap-caching");
 const upload_lib = __importStar(require("./upload-lib"));
 const util = __importStar(require("./util"));
-async function sendStatusReport(startedAt, stats, error) {
+// eslint-disable-next-line import/no-commonjs
-    var _a, _b, _c;
+const pkg = require("../package.json");
-    const status = ((_a = stats) === null || _a === void 0 ? void 0 : _a.analyze_failure_language) !== undefined || error !== undefined
+async function sendStatusReport(startedAt, config, stats, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger) {
-        ? "failure"
+    const status = actionsUtil.getActionsStatus(error, stats === null || stats === void 0 ? void 0 : stats.analyze_failure_language);
-        : "success";
+    const statusReportBase = await actionsUtil.createStatusReportBase("finish", status, startedAt, error === null || error === void 0 ? void 0 : error.message, error === null || error === void 0 ? void 0 : error.stack);
    const statusReportBase = await actionsUtil.createStatusReportBase("finish", status, startedAt, (_b = error) === null || _b === void 0 ? void 0 : _b.message, (_c = error) === null || _c === void 0 ? void 0 : _c.stack);
    const statusReport = {
        ...statusReportBase,
        ...(config
            ? {
                ml_powered_javascript_queries: util.getMlPoweredJsQueriesStatus(config),
            }
            : {}),
        ...(stats || {}),
        ...(dbCreationTimings || {}),
    };
-    await actionsUtil.sendStatusReport(statusReport);
+    if (config && didUploadTrapCaches) {
        const trapCacheUploadStatusReport = {
            ...statusReport,
            trap_cache_upload_duration_ms: Math.round(trapCacheUploadTime || 0),
            trap_cache_upload_size_bytes: Math.round(await (0, trap_caching_1.getTotalCacheSize)(config.trapCaches, logger)),
        };
        await actionsUtil.sendStatusReport(trapCacheUploadStatusReport);
    }
    else {
        await actionsUtil.sendStatusReport(statusReport);
    }
 }
 exports.sendStatusReport = sendStatusReport;
 // `expect-error` should only be set to a non-false value by the CodeQL Action PR checks.
 function hasBadExpectErrorInput() {
    return (actionsUtil.getOptionalInput("expect-error") !== "false" &&
        !util.isInTestMode());
 }
 /**
 * Returns whether any TRAP files exist under the `db-go` folder,
 * indicating whether Go extraction has extracted at least one file.
 */
 function doesGoExtractionOutputExist(config) {
    const golangDbDirectory = util.getCodeQLDatabasePath(config, languages_1.Language.go);
    const trapDirectory = path_1.default.join(golangDbDirectory, "trap", languages_1.Language.go);
    return (fs.existsSync(trapDirectory) &&
        fs
            .readdirSync(trapDirectory)
            .some((fileName) => [
            ".trap",
            ".trap.gz",
            ".trap.br",
            ".trap.tar.gz",
            ".trap.tar.br",
            ".trap.tar",
        ].some((ext) => fileName.endsWith(ext))));
 }
 /**
 * When Go extraction reconciliation is enabled, either via the feature flag
 * or an environment variable, we will attempt to autobuild Go to preserve
 * compatibility for users who have set up Go using a legacy scanning style
 * CodeQL workflow, i.e. one without an autobuild step or manual build
 * steps.
 *
 * - We detect whether an autobuild step is present by checking the
 * `CODEQL_ACTION_DID_AUTOBUILD_GOLANG` environment variable, which is set
 * when the autobuilder is invoked.
 * - We approximate whether manual build steps are present by looking at
 * whether any extraction output already exists for Go.
 */
 async function runAutobuildIfLegacyGoWorkflow(config, featureFlags, logger) {
    if (!config.languages.includes(languages_1.Language.go)) {
        return;
    }
    if (!(await util.isGoExtractionReconciliationEnabled(featureFlags))) {
        logger.debug("Won't run Go autobuild since Go extraction reconciliation is not enabled.");
        return;
    }
    if (process.env["CODEQL_ACTION_DID_AUTOBUILD_GOLANG"] === "true") {
        // This log line is info level while Go extraction reconciliation is in beta.
        // We will make it debug level once Go extraction reconciliation is GA.
        logger.info("Won't run Go autobuild since it has already been run.");
        return;
    }
    // This captures whether a user has added manual build steps for Go
    if (doesGoExtractionOutputExist(config)) {
        // This log line is info level while Go extraction reconciliation is in beta.
        // We will make it debug level once Go extraction reconciliation is GA.
        logger.info("Won't run Go autobuild since at least one file of Go code has already been extracted.");
        return;
    }
    await (0, autobuild_1.runAutobuild)(languages_1.Language.go, config, logger);
 }
 async function run() {
    const startedAt = new Date();
-    let stats = undefined;
+    let uploadResult = undefined;
    let runStats = undefined;
    let config = undefined;
    let trapCacheUploadTime = undefined;
    let dbCreationTimings = undefined;
    let didUploadTrapCaches = false;
    util.initializeEnvironment(util.Mode.actions, pkg.version);
    await util.checkActionVersion(pkg.version);
    const logger = (0, logging_1.getActionsLogger)();
    try {
-        actionsUtil.prepareLocalRunEnvironment();
+        if (!(await actionsUtil.sendStatusReport(await actionsUtil.createStatusReportBase("finish", "starting", startedAt)))) {
        if (!(await actionsUtil.sendStatusReport(await actionsUtil.createStatusReportBase("finish", "starting", startedAt), true))) {
            return;
        }
-        const logger = logging_1.getActionsLogger();
+        config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
        const config = await config_utils_1.getConfig(actionsUtil.getRequiredEnvParam("RUNNER_TEMP"), logger);
        if (config === undefined) {
            throw new Error("Config file could not be found at expected location. Has the 'init' action been called?");
        }
-        stats = await analyze_1.runAnalyze(repository_1.parseRepositoryNwo(actionsUtil.getRequiredEnvParam("GITHUB_REPOSITORY")), await actionsUtil.getCommitOid(), actionsUtil.getRef(), await actionsUtil.getAnalysisKey(), actionsUtil.getRequiredEnvParam("GITHUB_WORKFLOW"), actionsUtil.getWorkflowRunID(), actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getRequiredInput("matrix"), actionsUtil.getRequiredInput("token"), actionsUtil.getRequiredEnvParam("GITHUB_SERVER_URL"), actionsUtil.getRequiredInput("upload") === "true", "actions", actionsUtil.getRequiredInput("output"), util.getMemoryFlag(actionsUtil.getOptionalInput("ram")), util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), util.getThreadsFlag(actionsUtil.getOptionalInput("threads"), logger), config, logger);
+        if (hasBadExpectErrorInput()) {
            throw new Error("`expect-error` input parameter is for internal use only. It should only be set by codeql-action or a fork.");
        }
        await util.enrichEnvironment(util.Mode.actions, await (0, codeql_1.getCodeQL)(config.codeQLCmd));
        const apiDetails = (0, api_client_1.getApiDetails)();
        const outputDir = actionsUtil.getRequiredInput("output");
        const threads = util.getThreadsFlag(actionsUtil.getOptionalInput("threads") || process.env["CODEQL_THREADS"], logger);
        const memory = util.getMemoryFlag(actionsUtil.getOptionalInput("ram") || process.env["CODEQL_RAM"]);
        const repositoryNwo = (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY"));
        const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
        const featureFlags = new feature_flags_1.GitHubFeatureFlags(gitHubVersion, apiDetails, repositoryNwo, logger);
        await runAutobuildIfLegacyGoWorkflow(config, featureFlags, logger);
        dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, config, logger, featureFlags);
        if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
            runStats = await (0, analyze_1.runQueries)(outputDir, memory, util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), threads, actionsUtil.getOptionalInput("category"), config, logger);
        }
        if (actionsUtil.getOptionalInput("cleanup-level") !== "none") {
            await (0, analyze_1.runCleanup)(config, actionsUtil.getOptionalInput("cleanup-level") || "brutal", logger);
        }
        const dbLocations = {};
        for (const language of config.languages) {
            dbLocations[language] = util.getCodeQLDatabasePath(config, language);
        }
        core.setOutput("db-locations", dbLocations);
        if (runStats && actionsUtil.getRequiredInput("upload") === "true") {
            uploadResult = await upload_lib.uploadFromActions(outputDir, config.gitHubVersion, apiDetails, logger);
            core.setOutput("sarif-id", uploadResult.sarifID);
        }
        else {
            logger.info("Not uploading results");
        }
        // Possibly upload the database bundles for remote queries
        await (0, database_upload_1.uploadDatabases)(repositoryNwo, config, apiDetails, logger);
        // Possibly upload the TRAP caches for later re-use
        const trapCacheUploadStartTime = perf_hooks_1.performance.now();
        const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
        didUploadTrapCaches = await (0, trap_caching_1.uploadTrapCaches)(codeql, config, logger);
        trapCacheUploadTime = perf_hooks_1.performance.now() - trapCacheUploadStartTime;
        // We don't upload results in test mode, so don't wait for processing
        if (util.isInTestMode()) {
            core.debug("In test mode. Waiting for processing is disabled.");
        }
        else if (uploadResult !== undefined &&
            actionsUtil.getRequiredInput("wait-for-processing") === "true") {
            await upload_lib.waitForProcessing((0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), uploadResult.sarifID, apiDetails, (0, logging_1.getActionsLogger)());
        }
        // If we did not throw an error yet here, but we expect one, throw it.
        if (actionsUtil.getOptionalInput("expect-error") === "true") {
            core.setFailed(`expect-error input was set to true but no error was thrown.`);
        }
    }
-    catch (error) {
+    catch (origError) {
-        core.setFailed(error.message);
+        const error = origError instanceof Error ? origError : new Error(String(origError));
        if (actionsUtil.getOptionalInput("expect-error") !== "true" ||
            hasBadExpectErrorInput()) {
            core.setFailed(error.message);
        }
        console.log(error);
-        await sendStatusReport(startedAt, stats, error);
+        if (error instanceof analyze_1.CodeQLAnalysisError) {
            const stats = { ...error.queriesStatusReport };
            await sendStatusReport(startedAt, config, stats, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger);
        }
        else {
            await sendStatusReport(startedAt, config, undefined, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger);
        }
        return;
    }
-    await sendStatusReport(startedAt, stats);
+    if (runStats && uploadResult) {
        await sendStatusReport(startedAt, config, {
            ...runStats,
            ...uploadResult.statusReport,
        }, undefined, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger);
    }
    else if (runStats) {
        await sendStatusReport(startedAt, config, { ...runStats }, undefined, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger);
    }
    else {
        await sendStatusReport(startedAt, config, undefined, undefined, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger);
    }
 }
-run().catch((e) => {
+exports.runPromise = run();
-    core.setFailed(`analyze action failed: ${e}`);
+async function runWrapper() {
-    console.log(e);
+    try {
-});
+        await exports.runPromise;
    }
    catch (error) {
        core.setFailed(`analyze action failed: ${error}`);
        console.log(error);
    }
 }
 void runWrapper();
 //# sourceMappingURL=analyze-action.js.map
--- a/lib/analyze-action.js.map
+++ b/lib/analyze-action.js.map
--- a/lib/analyze.js
+++ b/lib/analyze.js
@@ -1,100 +1,377 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    result["default"] = mod;
+    __setModuleDefault(result, mod);
    return result;
 };
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.validateQueryFilters = exports.runCleanup = exports.runFinalize = exports.createQuerySuiteContents = exports.convertPackToQuerySuiteEntry = exports.runQueries = exports.dbIsFinalized = exports.createdDBForScannedLanguages = exports.CodeQLAnalysisError = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const perf_hooks_1 = require("perf_hooks"); // We need to import `performance` on Node 12
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const del_1 = __importDefault(require("del"));
 const yaml = __importStar(require("js-yaml"));
 const analysisPaths = __importStar(require("./analysis-paths"));
 const codeql_1 = require("./codeql");
 const configUtils = __importStar(require("./config-utils"));
 const count_loc_1 = require("./count-loc");
 const languages_1 = require("./languages");
 const sharedEnv = __importStar(require("./shared-environment"));
-const upload_lib = __importStar(require("./upload-lib"));
+const tracer_config_1 = require("./tracer-config");
 const util = __importStar(require("./util"));
-async function createdDBForScannedLanguages(config, logger) {
+class CodeQLAnalysisError extends Error {
    constructor(queriesStatusReport, message) {
        super(message);
        this.name = "CodeQLAnalysisError";
        this.queriesStatusReport = queriesStatusReport;
    }
 }
 exports.CodeQLAnalysisError = CodeQLAnalysisError;
 async function setupPythonExtractor(logger) {
    const codeqlPython = process.env["CODEQL_PYTHON"];
    if (codeqlPython === undefined || codeqlPython.length === 0) {
        // If CODEQL_PYTHON is not set, no dependencies were installed, so we don't need to do anything
        return;
    }
    let output = "";
    const options = {
        listeners: {
            stdout: (data) => {
                output += data.toString();
            },
        },
    };
    await new toolrunner.ToolRunner(codeqlPython, [
        "-c",
        "import os; import pip; print(os.path.dirname(os.path.dirname(pip.__file__)))",
    ], options).exec();
    logger.info(`Setting LGTM_INDEX_IMPORT_PATH=${output}`);
    process.env["LGTM_INDEX_IMPORT_PATH"] = output;
    output = "";
    await new toolrunner.ToolRunner(codeqlPython, ["-c", "import sys; print(sys.version_info[0])"], options).exec();
    logger.info(`Setting LGTM_PYTHON_SETUP_VERSION=${output}`);
    process.env["LGTM_PYTHON_SETUP_VERSION"] = output;
 }
 async function createdDBForScannedLanguages(codeql, config, logger, featureFlags) {
    // Insert the LGTM_INDEX_X env vars at this point so they are set when
    // we extract any scanned languages.
    analysisPaths.includeAndExcludeAnalysisPaths(config);
    const codeql = codeql_1.getCodeQL(config.codeQLCmd);
    for (const language of config.languages) {
-        if (languages_1.isScannedLanguage(language)) {
+        if ((0, languages_1.isScannedLanguage)(language, await util.isGoExtractionReconciliationEnabled(featureFlags), logger) &&
            !dbIsFinalized(config, language, logger)) {
            logger.startGroup(`Extracting ${language}`);
-            await codeql.extractScannedLanguage(util.getCodeQLDatabasePath(config.tempDir, language), language);
+            if (language === languages_1.Language.python) {
                await setupPythonExtractor(logger);
            }
            await codeql.extractScannedLanguage(config, language);
            logger.endGroup();
        }
    }
 }
-async function finalizeDatabaseCreation(config, logger) {
+exports.createdDBForScannedLanguages = createdDBForScannedLanguages;
-    await createdDBForScannedLanguages(config, logger);
+function dbIsFinalized(config, language, logger) {
-    const codeql = codeql_1.getCodeQL(config.codeQLCmd);
+    const dbPath = util.getCodeQLDatabasePath(config, language);
-    for (const language of config.languages) {
+    try {
-        logger.startGroup(`Finalizing ${language}`);
+        const dbInfo = yaml.load(fs.readFileSync(path.resolve(dbPath, "codeql-database.yml"), "utf8"));
-        await codeql.finalizeDatabase(util.getCodeQLDatabasePath(config.tempDir, language));
+        return !("inProgress" in dbInfo);
-        logger.endGroup();
+    }
    catch (e) {
        logger.warning(`Could not check whether database for ${language} was finalized. Assuming it is not.`);
        return false;
    }
 }
-// Runs queries and creates sarif files in the given folder
+exports.dbIsFinalized = dbIsFinalized;
-async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, config, logger) {
+async function finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger, featureFlags) {
-    const statusReport = {};
+    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
    const extractionStart = perf_hooks_1.performance.now();
    await createdDBForScannedLanguages(codeql, config, logger, featureFlags);
    const extractionTime = perf_hooks_1.performance.now() - extractionStart;
    const trapImportStart = perf_hooks_1.performance.now();
    for (const language of config.languages) {
        if (dbIsFinalized(config, language, logger)) {
            logger.info(`There is already a finalized database for ${language} at the location where the CodeQL Action places databases, so we did not create one.`);
        }
        else {
            logger.startGroup(`Finalizing ${language}`);
            await codeql.finalizeDatabase(util.getCodeQLDatabasePath(config, language), threadsFlag, memoryFlag);
            logger.endGroup();
        }
    }
    const trapImportTime = perf_hooks_1.performance.now() - trapImportStart;
    return {
        scanned_language_extraction_duration_ms: Math.round(extractionTime),
        trap_import_duration_ms: Math.round(trapImportTime),
    };
 }
 // Runs queries and creates sarif files in the given folder
 async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, automationDetailsId, config, logger) {
    const statusReport = {};
    let locPromise = Promise.resolve({});
    const cliCanCountBaseline = await cliCanCountLoC();
    const countLocDebugMode = process.env["INTERNAL_CODEQL_ACTION_DEBUG_LOC"] || config.debugMode;
    if (!cliCanCountBaseline || countLocDebugMode) {
        // count the number of lines in the background
        locPromise = (0, count_loc_1.countLoc)(path.resolve(), 
        // config.paths specifies external directories. the current
        // directory is included in the analysis by default. Replicate
        // that here.
        config.paths, config.pathsIgnore, config.languages, logger);
    }
    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
    for (const language of config.languages) {
        logger.startGroup(`Analyzing ${language}`);
        const queries = config.queries[language];
-        if (queries.builtin.length === 0 && queries.custom.length === 0) {
+        const queryFilters = validateQueryFilters(config.originalUserInput["query-filters"]);
        const packsWithVersion = config.packs[language] || [];
        const hasBuiltinQueries = (queries === null || queries === void 0 ? void 0 : queries.builtin.length) > 0;
        const hasCustomQueries = (queries === null || queries === void 0 ? void 0 : queries.custom.length) > 0;
        const hasPackWithCustomQueries = packsWithVersion.length > 0;
        if (!hasBuiltinQueries && !hasCustomQueries && !hasPackWithCustomQueries) {
            throw new Error(`Unable to analyse ${language} as no queries were selected for this language`);
        }
        try {
-            for (const type of ["builtin", "custom"]) {
+            if (await util.useCodeScanningConfigInCli(codeql)) {
-                if (queries[type].length > 0) {
+                // If we are using the codescanning config in the CLI,
-                    const startTime = new Date().getTime();
+                // much of the work needed to generate the query suites
-                    const databasePath = util.getCodeQLDatabasePath(config.tempDir, language);
+                // is done in the CLI. We just need to make a single
-                    // Pass the queries to codeql using a file instead of using the command
+                // call to run all the queries for each language and
-                    // line to avoid command line length restrictions, particularly on windows.
+                // another to interpret the results.
-                    const querySuitePath = `${databasePath}-queries-${type}.qls`;
+                logger.startGroup(`Running queries for ${language}`);
-                    const querySuiteContents = queries[type]
+                const startTimeBuiltIn = new Date().getTime();
-                        .map((q) => `- query: ${q}`)
+                await runQueryGroup(language, "all", undefined, undefined);
-                        .join("\n");
+                // TODO should not be using `builtin` here. We should be using `all` instead.
-                    fs.writeFileSync(querySuitePath, querySuiteContents);
+                // The status report does not support `all` yet.
-                    logger.debug(`Query suite file for ${language}...\n${querySuiteContents}`);
+                statusReport[`analyze_builtin_queries_${language}_duration_ms`] =
-                    const sarifFile = path.join(sarifFolder, `${language}-${type}.sarif`);
+                    new Date().getTime() - startTimeBuiltIn;
-                    const codeql = codeql_1.getCodeQL(config.codeQLCmd);
+                logger.startGroup(`Interpreting results for ${language}`);
-                    await codeql.databaseAnalyze(databasePath, sarifFile, querySuitePath, memoryFlag, addSnippetsFlag, threadsFlag);
+                const startTimeInterpretResults = new Date().getTime();
-                    logger.debug(`SARIF results for database ${language} created at "${sarifFile}"`);
+                const sarifFile = path.join(sarifFolder, `${language}.sarif`);
-                    logger.endGroup();
+                const analysisSummary = await runInterpretResults(language, undefined, sarifFile, config.debugMode);
-                    // Record the performance
+                statusReport[`interpret_results_${language}_duration_ms`] =
-                    const endTime = new Date().getTime();
+                    new Date().getTime() - startTimeInterpretResults;
-                    statusReport[`analyze_${type}_queries_${language}_duration_ms`] =
+                logger.endGroup();
-                        endTime - startTime;
+                logger.info(analysisSummary);
            }
            else {
                logger.startGroup(`Running queries for ${language}`);
                const querySuitePaths = [];
                if (queries["builtin"].length > 0) {
                    const startTimeBuiltIn = new Date().getTime();
                    querySuitePaths.push((await runQueryGroup(language, "builtin", createQuerySuiteContents(queries["builtin"], queryFilters), undefined)));
                    statusReport[`analyze_builtin_queries_${language}_duration_ms`] =
                        new Date().getTime() - startTimeBuiltIn;
                }
                const startTimeCustom = new Date().getTime();
                let ranCustom = false;
                for (let i = 0; i < queries["custom"].length; ++i) {
                    if (queries["custom"][i].queries.length > 0) {
                        querySuitePaths.push((await runQueryGroup(language, `custom-${i}`, createQuerySuiteContents(queries["custom"][i].queries, queryFilters), queries["custom"][i].searchPath)));
                        ranCustom = true;
                    }
                }
                if (packsWithVersion.length > 0) {
                    querySuitePaths.push(await runQueryPacks(language, "packs", packsWithVersion, queryFilters));
                    ranCustom = true;
                }
                if (ranCustom) {
                    statusReport[`analyze_custom_queries_${language}_duration_ms`] =
                        new Date().getTime() - startTimeCustom;
                }
                logger.endGroup();
                logger.startGroup(`Interpreting results for ${language}`);
                const startTimeInterpretResults = new Date().getTime();
                const sarifFile = path.join(sarifFolder, `${language}.sarif`);
                const analysisSummary = await runInterpretResults(language, querySuitePaths, sarifFile, config.debugMode);
                if (!cliCanCountBaseline) {
                    await injectLinesOfCode(sarifFile, language, locPromise);
                }
                statusReport[`interpret_results_${language}_duration_ms`] =
                    new Date().getTime() - startTimeInterpretResults;
                logger.endGroup();
                logger.info(analysisSummary);
            }
            if (!cliCanCountBaseline || countLocDebugMode) {
                printLinesOfCodeSummary(logger, language, await locPromise);
            }
            if (cliCanCountBaseline) {
                logger.info(await runPrintLinesOfCode(language));
            }
        }
        catch (e) {
-            logger.error(`Error running analysis for ${language}: ${e}`);
+            logger.info(String(e));
-            logger.info(e);
+            if (e instanceof Error) {
                logger.info(e.stack);
            }
            statusReport.analyze_failure_language = language;
-            return statusReport;
+            throw new CodeQLAnalysisError(statusReport, `Error running analysis for ${language}: ${e}`);
        }
    }
    return statusReport;
    async function runInterpretResults(language, queries, sarifFile, enableDebugLogging) {
        const databasePath = util.getCodeQLDatabasePath(config, language);
        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", automationDetailsId);
    }
    async function cliCanCountLoC() {
        return await util.codeQlVersionAbove(await (0, codeql_1.getCodeQL)(config.codeQLCmd), codeql_1.CODEQL_VERSION_COUNTS_LINES);
    }
    async function runPrintLinesOfCode(language) {
        const databasePath = util.getCodeQLDatabasePath(config, language);
        return await codeql.databasePrintBaseline(databasePath);
    }
    async function runQueryGroup(language, type, querySuiteContents, searchPath) {
        const databasePath = util.getCodeQLDatabasePath(config, language);
        // Pass the queries to codeql using a file instead of using the command
        // line to avoid command line length restrictions, particularly on windows.
        const querySuitePath = querySuiteContents
            ? `${databasePath}-queries-${type}.qls`
            : undefined;
        if (querySuiteContents && querySuitePath) {
            fs.writeFileSync(querySuitePath, querySuiteContents);
            logger.debug(`Query suite file for ${language}-${type}...\n${querySuiteContents}`);
        }
        await codeql.databaseRunQueries(databasePath, searchPath, querySuitePath, memoryFlag, threadsFlag);
        logger.debug(`BQRS results produced for ${language} (queries: ${type})"`);
        return querySuitePath;
    }
    async function runQueryPacks(language, type, packs, queryFilters) {
        const databasePath = util.getCodeQLDatabasePath(config, language);
        for (const pack of packs) {
            logger.debug(`Running query pack for ${language}-${type}: ${pack}`);
        }
        // combine the list of packs into a query suite in order to run them all simultaneously.
        const querySuite = packs.map(convertPackToQuerySuiteEntry).concat(queryFilters);
        const querySuitePath = `${databasePath}-queries-${type}.qls`;
        fs.writeFileSync(querySuitePath, yaml.dump(querySuite));
        logger.debug(`BQRS results produced for ${language} (queries: ${type})"`);
        await codeql.databaseRunQueries(databasePath, undefined, querySuitePath, memoryFlag, threadsFlag);
        return querySuitePath;
    }
 }
 exports.runQueries = runQueries;
-async function runAnalyze(repositoryNwo, commitOid, ref, analysisKey, analysisName, workflowRunID, checkoutPath, environment, githubAuth, githubUrl, doUpload, mode, outputDir, memoryFlag, addSnippetsFlag, threadsFlag, config, logger) {
+function convertPackToQuerySuiteEntry(packStr) {
-    // Delete the tracer config env var to avoid tracing ourselves
+    var _a, _b, _c, _d;
-    delete process.env[sharedEnv.ODASA_TRACER_CONFIGURATION];
+    const pack = configUtils.parsePacksSpecification(packStr);
-    fs.mkdirSync(outputDir, { recursive: true });
+    return {
-    logger.info("Finalizing database creation");
+        qlpack: !pack.path ? pack.name : undefined,
-    await finalizeDatabaseCreation(config, logger);
+        from: pack.path ? pack.name : undefined,
-    logger.info("Analyzing database");
+        version: pack.version,
-    const queriesStats = await runQueries(outputDir, memoryFlag, addSnippetsFlag, threadsFlag, config, logger);
+        query: ((_a = pack.path) === null || _a === void 0 ? void 0 : _a.endsWith(".ql")) ? pack.path : undefined,
-    if (!doUpload) {
+        queries: !((_b = pack.path) === null || _b === void 0 ? void 0 : _b.endsWith(".ql")) && !((_c = pack.path) === null || _c === void 0 ? void 0 : _c.endsWith(".qls"))
-        logger.info("Not uploading results");
+            ? pack.path
-        return { ...queriesStats };
+            : undefined,
-    }
+        apply: ((_d = pack.path) === null || _d === void 0 ? void 0 : _d.endsWith(".qls")) ? pack.path : undefined,
-    const uploadStats = await upload_lib.upload(outputDir, repositoryNwo, commitOid, ref, analysisKey, analysisName, workflowRunID, checkoutPath, environment, githubAuth, githubUrl, mode, logger);
+    };
    return { ...queriesStats, ...uploadStats };
 }
-exports.runAnalyze = runAnalyze;
+exports.convertPackToQuerySuiteEntry = convertPackToQuerySuiteEntry;
 function createQuerySuiteContents(queries, queryFilters) {
    return yaml.dump(queries.map((q) => ({ query: q })).concat(queryFilters));
 }
 exports.createQuerySuiteContents = createQuerySuiteContents;
 async function runFinalize(outputDir, threadsFlag, memoryFlag, config, logger, featureFlags) {
    try {
        await (0, del_1.default)(outputDir, { force: true });
    }
    catch (error) {
        if ((error === null || error === void 0 ? void 0 : error.code) !== "ENOENT") {
            throw error;
        }
    }
    await fs.promises.mkdir(outputDir, { recursive: true });
    const timings = await finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger, featureFlags);
    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
    // WARNING: This does not _really_ end tracing, as the tracer will restore its
    // critical environment variables and it'll still be active for all processes
    // launched from this build step.
    // However, it will stop tracing for all steps past the codeql-action/analyze
    // step.
    if (await util.codeQlVersionAbove(codeql, codeql_1.CODEQL_VERSION_NEW_TRACING)) {
        // Delete variables as specified by the end-tracing script
        await (0, tracer_config_1.endTracingForCluster)(config, await util.isGoExtractionReconciliationEnabled(featureFlags), logger);
    }
    else {
        // Delete the tracer config env var to avoid tracing ourselves
        delete process.env[sharedEnv.ODASA_TRACER_CONFIGURATION];
    }
    return timings;
 }
 exports.runFinalize = runFinalize;
 async function runCleanup(config, cleanupLevel, logger) {
    logger.startGroup("Cleaning up databases");
    for (const language of config.languages) {
        const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
        const databasePath = util.getCodeQLDatabasePath(config, language);
        await codeql.databaseCleanup(databasePath, cleanupLevel);
    }
    logger.endGroup();
 }
 exports.runCleanup = runCleanup;
 async function injectLinesOfCode(sarifFile, language, locPromise) {
    var _a;
    const lineCounts = await locPromise;
    if (language in lineCounts) {
        const sarif = JSON.parse(fs.readFileSync(sarifFile, "utf8"));
        if (Array.isArray(sarif.runs)) {
            for (const run of sarif.runs) {
                run.properties = run.properties || {};
                run.properties.metricResults = run.properties.metricResults || [];
                for (const metric of run.properties.metricResults) {
                    // Baseline is inserted when matching rule has tag lines-of-code
                    if (metric.rule && metric.rule.toolComponent) {
                        const matchingRule = run.tool.extensions[metric.rule.toolComponent.index].rules[metric.rule.index];
                        if ((_a = matchingRule.properties.tags) === null || _a === void 0 ? void 0 : _a.includes("lines-of-code")) {
                            metric.baseline = lineCounts[language];
                        }
                    }
                }
            }
        }
        fs.writeFileSync(sarifFile, JSON.stringify(sarif));
    }
 }
 function printLinesOfCodeSummary(logger, language, lineCounts) {
    if (language in lineCounts) {
        logger.info(`Counted a baseline of ${lineCounts[language]} lines of code for ${language}.`);
    }
 }
 // exported for testing
 function validateQueryFilters(queryFilters) {
    if (!queryFilters) {
        return [];
    }
    if (!Array.isArray(queryFilters)) {
        throw new Error(`Query filters must be an array of "include" or "exclude" entries. Found ${typeof queryFilters}`);
    }
    const errors = [];
    for (const qf of queryFilters) {
        const keys = Object.keys(qf);
        if (keys.length !== 1) {
            errors.push(`Query filter must have exactly one key: ${JSON.stringify(qf)}`);
        }
        if (!["exclude", "include"].includes(keys[0])) {
            errors.push(`Only "include" or "exclude" filters are allowed:\n${JSON.stringify(qf)}`);
        }
    }
    if (errors.length) {
        throw new Error(`Invalid query filter.\n${errors.join("\n")}`);
    }
    return queryFilters;
 }
 exports.validateQueryFilters = validateQueryFilters;
 //# sourceMappingURL=analyze.js.map
--- a/lib/analyze.js.map
+++ b/lib/analyze.js.map
--- a/lib/analyze.test.js
+++ b/lib/analyze.test.js
@@ -1,35 +1,105 @@
 "use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
+    if (k2 === undefined) k2 = k;
-};
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    result["default"] = mod;
+    __setModuleDefault(result, mod);
    return result;
 };
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const ava_1 = __importDefault(require("ava"));
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const ava_1 = __importDefault(require("ava"));
 const yaml = __importStar(require("js-yaml"));
 const sinon = __importStar(require("sinon"));
 const analyze_1 = require("./analyze");
 const codeql_1 = require("./codeql");
 const count = __importStar(require("./count-loc"));
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
 const testing_utils_1 = require("./testing-utils");
 const util = __importStar(require("./util"));
-testing_utils_1.setupTests(ava_1.default);
+(0, testing_utils_1.setupTests)(ava_1.default);
 // Checks that the duration fields are populated for the correct language
-// and correct case of builtin or custom.
+// and correct case of builtin or custom. Also checks the correct search
-ava_1.default("status report fields", async (t) => {
+// paths are set in the database analyze invocation.
 (0, ava_1.default)("status report fields and search path setting", async (t) => {
    const mockLinesOfCode = Object.values(languages_1.Language).reduce((obj, lang, i) => {
        // use a different line count for each language
        obj[lang] = i + 1;
        return obj;
    }, {});
    sinon.stub(count, "countLoc").resolves(mockLinesOfCode);
    let searchPathsUsed = [];
    return await util.withTmpDir(async (tmpDir) => {
-        codeql_1.setCodeQL({
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
            databaseAnalyze: async () => undefined,
        });
        const memoryFlag = "";
        const addSnippetsFlag = "";
        const threadsFlag = "";
        const packs = {
            [languages_1.Language.cpp]: ["a/b@1.0.0"],
            [languages_1.Language.java]: ["c/d@2.0.0"],
        };
        for (const language of Object.values(languages_1.Language)) {
            (0, codeql_1.setCodeQL)({
                packDownload: async () => ({ packs: [] }),
                databaseRunQueries: async (_db, searchPath) => {
                    searchPathsUsed.push(searchPath);
                },
                databaseInterpretResults: async (_db, _queriesRun, sarifFile) => {
                    fs.writeFileSync(sarifFile, JSON.stringify({
                        runs: [
                            // references a rule with the lines-of-code tag, so baseline should be injected
                            {
                                tool: {
                                    extensions: [
                                        {
                                            rules: [
                                                {
                                                    properties: {
                                                        tags: ["lines-of-code"],
                                                    },
                                                },
                                            ],
                                        },
                                    ],
                                },
                                properties: {
                                    metricResults: [
                                        {
                                            rule: {
                                                index: 0,
                                                toolComponent: {
                                                    index: 0,
                                                },
                                            },
                                            value: 123,
                                        },
                                    ],
                                },
                            },
                            {},
                        ],
                    }));
                    return "";
                },
            });
            searchPathsUsed = [];
            const config = {
                languages: [language],
                queries: {},
@@ -37,27 +107,249 @@ ava_1.default("status report fields", async (t) => {
                paths: [],
                originalUserInput: {},
                tempDir: tmpDir,
                toolCacheDir: tmpDir,
                codeQLCmd: "",
                gitHubVersion: {
                    type: util.GitHubVariant.DOTCOM,
                },
                dbLocation: path.resolve(tmpDir, "codeql_databases"),
                packs,
                debugMode: false,
                debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
                debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
                augmentationProperties: {
                    injectedMlQueries: false,
                    packsInputCombines: false,
                    queriesInputCombines: false,
                },
                trapCaches: {},
                trapCacheDownloadTime: 0,
            };
-            fs.mkdirSync(util.getCodeQLDatabasePath(config.tempDir, language), {
+            fs.mkdirSync(util.getCodeQLDatabasePath(config, language), {
                recursive: true,
            });
            config.queries[language] = {
                builtin: ["foo.ql"],
                custom: [],
            };
-            const builtinStatusReport = await analyze_1.runQueries(tmpDir, memoryFlag, addSnippetsFlag, threadsFlag, config, logging_1.getRunnerLogger(true));
+            const builtinStatusReport = await (0, analyze_1.runQueries)(tmpDir, memoryFlag, addSnippetsFlag, threadsFlag, undefined, config, (0, logging_1.getRunnerLogger)(true));
-            t.deepEqual(Object.keys(builtinStatusReport).length, 1);
+            const hasPacks = language in packs;
-            t.true(`analyze_builtin_queries_${language}_duration_ms` in builtinStatusReport);
+            const statusReportKeys = Object.keys(builtinStatusReport).sort();
            if (hasPacks) {
                t.deepEqual(statusReportKeys.length, 3, statusReportKeys.toString());
                t.deepEqual(statusReportKeys[0], `analyze_builtin_queries_${language}_duration_ms`);
                t.deepEqual(statusReportKeys[1], `analyze_custom_queries_${language}_duration_ms`);
                t.deepEqual(statusReportKeys[2], `interpret_results_${language}_duration_ms`);
            }
            else {
                t.deepEqual(statusReportKeys[0], `analyze_builtin_queries_${language}_duration_ms`);
                t.deepEqual(statusReportKeys[1], `interpret_results_${language}_duration_ms`);
            }
            config.queries[language] = {
                builtin: [],
-                custom: ["foo.ql"],
+                custom: [
                    {
                        queries: ["foo.ql"],
                        searchPath: "/1",
                    },
                    {
                        queries: ["bar.ql"],
                        searchPath: "/2",
                    },
                ],
            };
-            const customStatusReport = await analyze_1.runQueries(tmpDir, memoryFlag, addSnippetsFlag, threadsFlag, config, logging_1.getRunnerLogger(true));
+            const customStatusReport = await (0, analyze_1.runQueries)(tmpDir, memoryFlag, addSnippetsFlag, threadsFlag, undefined, config, (0, logging_1.getRunnerLogger)(true));
-            t.deepEqual(Object.keys(customStatusReport).length, 1);
+            t.deepEqual(Object.keys(customStatusReport).length, 2);
            t.true(`analyze_custom_queries_${language}_duration_ms` in customStatusReport);
            const expectedSearchPathsUsed = hasPacks
                ? [undefined, undefined, "/1", "/2", undefined]
                : [undefined, "/1", "/2"];
            t.deepEqual(searchPathsUsed, expectedSearchPathsUsed);
            t.true(`interpret_results_${language}_duration_ms` in customStatusReport);
        }
        verifyLineCounts(tmpDir);
        verifyQuerySuites(tmpDir);
    });
    function verifyLineCounts(tmpDir) {
        // eslint-disable-next-line github/array-foreach
        Object.keys(languages_1.Language).forEach((lang, i) => {
            verifyLineCountForFile(path.join(tmpDir, `${lang}.sarif`), i + 1);
        });
    }
    function verifyLineCountForFile(filePath, lineCount) {
        const sarif = JSON.parse(fs.readFileSync(filePath, "utf8"));
        t.deepEqual(sarif.runs[0].properties.metricResults, [
            {
                rule: {
                    index: 0,
                    toolComponent: {
                        index: 0,
                    },
                },
                value: 123,
                baseline: lineCount,
            },
        ]);
        // when the rule doesn't exist, it should not be added
        t.deepEqual(sarif.runs[1].properties.metricResults, []);
    }
    function verifyQuerySuites(tmpDir) {
        const qlsContent = [
            {
                query: "foo.ql",
            },
        ];
        const qlsContent2 = [
            {
                query: "bar.ql",
            },
        ];
        for (const lang of Object.values(languages_1.Language)) {
            t.deepEqual(readContents(`${lang}-queries-builtin.qls`), qlsContent);
            t.deepEqual(readContents(`${lang}-queries-custom-0.qls`), qlsContent);
            t.deepEqual(readContents(`${lang}-queries-custom-1.qls`), qlsContent2);
        }
        function readContents(name) {
            const x = fs.readFileSync(path.join(tmpDir, "codeql_databases", name), "utf8");
            console.log(x);
            return yaml.load(fs.readFileSync(path.join(tmpDir, "codeql_databases", name), "utf8"));
        }
    }
 });
 (0, ava_1.default)("validateQueryFilters", (t) => {
    t.notThrows(() => (0, analyze_1.validateQueryFilters)([]));
    t.notThrows(() => (0, analyze_1.validateQueryFilters)(undefined));
    t.notThrows(() => {
        return (0, analyze_1.validateQueryFilters)([
            {
                exclude: {
                    "problem.severity": "recommendation",
                },
            },
            {
                exclude: {
                    "tags contain": ["foo", "bar"],
                },
            },
            {
                include: {
                    "problem.severity": "something-to-think-about",
                },
            },
            {
                include: {
                    "tags contain": ["baz", "bop"],
                },
            },
        ]);
    });
    t.throws(() => {
        return (0, analyze_1.validateQueryFilters)([
            {
                exclude: {
                    "tags contain": ["foo", "bar"],
                },
                include: {
                    "tags contain": ["baz", "bop"],
                },
            },
        ]);
    }, { message: /Query filter must have exactly one key/ });
    t.throws(() => {
        return (0, analyze_1.validateQueryFilters)([{ xxx: "foo" }]);
    }, { message: /Only "include" or "exclude" filters are allowed/ });
    t.throws(() => {
        return (0, analyze_1.validateQueryFilters)({ exclude: "foo" });
    }, {
        message: /Query filters must be an array of "include" or "exclude" entries/,
    });
 });
 const convertPackToQuerySuiteEntryMacro = ava_1.default.macro({
    exec: (t, packSpec, suiteEntry) => t.deepEqual((0, analyze_1.convertPackToQuerySuiteEntry)(packSpec), suiteEntry),
    title: (_providedTitle, packSpec) => `Query Suite Entry: ${packSpec}`,
 });
 (0, ava_1.default)(convertPackToQuerySuiteEntryMacro, "a/b", {
    qlpack: "a/b",
    from: undefined,
    version: undefined,
    query: undefined,
    queries: undefined,
    apply: undefined,
 });
 (0, ava_1.default)(convertPackToQuerySuiteEntryMacro, "a/b@~1.2.3", {
    qlpack: "a/b",
    from: undefined,
    version: "~1.2.3",
    query: undefined,
    queries: undefined,
    apply: undefined,
 });
 (0, ava_1.default)(convertPackToQuerySuiteEntryMacro, "a/b:my/path", {
    qlpack: undefined,
    from: "a/b",
    version: undefined,
    query: undefined,
    queries: "my/path",
    apply: undefined,
 });
 (0, ava_1.default)(convertPackToQuerySuiteEntryMacro, "a/b@~1.2.3:my/path", {
    qlpack: undefined,
    from: "a/b",
    version: "~1.2.3",
    query: undefined,
    queries: "my/path",
    apply: undefined,
 });
 (0, ava_1.default)(convertPackToQuerySuiteEntryMacro, "a/b:my/path/query.ql", {
    qlpack: undefined,
    from: "a/b",
    version: undefined,
    query: "my/path/query.ql",
    queries: undefined,
    apply: undefined,
 });
 (0, ava_1.default)(convertPackToQuerySuiteEntryMacro, "a/b@~1.2.3:my/path/query.ql", {
    qlpack: undefined,
    from: "a/b",
    version: "~1.2.3",
    query: "my/path/query.ql",
    queries: undefined,
    apply: undefined,
 });
 (0, ava_1.default)(convertPackToQuerySuiteEntryMacro, "a/b:my/path/suite.qls", {
    qlpack: undefined,
    from: "a/b",
    version: undefined,
    query: undefined,
    queries: undefined,
    apply: "my/path/suite.qls",
 });
 (0, ava_1.default)(convertPackToQuerySuiteEntryMacro, "a/b@~1.2.3:my/path/suite.qls", {
    qlpack: undefined,
    from: "a/b",
    version: "~1.2.3",
    query: undefined,
    queries: undefined,
    apply: "my/path/suite.qls",
 });
 (0, ava_1.default)("convertPackToQuerySuiteEntry Failure", (t) => {
    t.throws(() => (0, analyze_1.convertPackToQuerySuiteEntry)("this-is-not-a-pack"));
 });
 (0, ava_1.default)("createQuerySuiteContents", (t) => {
    const yamlResult = (0, analyze_1.createQuerySuiteContents)(["query1.ql", "query2.ql"], [
        {
            exclude: { "problem.severity": "recommendation" },
        },
        {
            include: { "problem.severity": "recommendation" },
        },
    ]);
    const expected = `- query: query1.ql
 - query: query2.ql
 - exclude:
    problem.severity: recommendation
 - include:
    problem.severity: recommendation
 `;
    t.deepEqual(yamlResult, expected);
 });
 //# sourceMappingURL=analyze.test.js.map
--- a/lib/analyze.test.js.map
+++ b/lib/analyze.test.js.map
--- a/lib/api-client.js
+++ b/lib/api-client.js
@@ -1,34 +1,57 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    result["default"] = mod;
+    __setModuleDefault(result, mod);
    return result;
 };
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-const github = __importStar(require("@actions/github"));
+exports.getGitHubVersionActionsOnly = exports.getActionsApiClient = exports.getApiDetails = exports.getApiClient = exports.DisallowedAPIVersionReason = void 0;
 const console_log_level_1 = __importDefault(require("console-log-level"));
 const path = __importStar(require("path"));
 const githubUtils = __importStar(require("@actions/github/lib/utils"));
 const retry = __importStar(require("@octokit/plugin-retry"));
 const console_log_level_1 = __importDefault(require("console-log-level"));
 const actions_util_1 = require("./actions-util");
 const util = __importStar(require("./util"));
 const util_1 = require("./util");
-exports.getApiClient = function (githubAuth, githubUrl, allowLocalRun = false) {
+// eslint-disable-next-line import/no-commonjs
-    if (util_1.isLocalRun() && !allowLocalRun) {
+const pkg = require("../package.json");
-        throw new Error("Invalid API call in local run");
+var DisallowedAPIVersionReason;
-    }
+(function (DisallowedAPIVersionReason) {
-    return new github.GitHub({
+    DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_OLD"] = 0] = "ACTION_TOO_OLD";
-        auth: githubAuth,
+    DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_NEW"] = 1] = "ACTION_TOO_NEW";
-        baseUrl: getApiUrl(githubUrl),
+})(DisallowedAPIVersionReason = exports.DisallowedAPIVersionReason || (exports.DisallowedAPIVersionReason = {}));
-        userAgent: "CodeQL Action",
+const getApiClient = function (apiDetails, { allowExternal = false } = {}) {
-        log: console_log_level_1.default({ level: "debug" }),
+    const auth = (allowExternal && apiDetails.externalRepoAuth) || apiDetails.auth;
-    });
+    const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
    const apiURL = apiDetails.apiURL || deriveApiUrl(apiDetails.url);
    return new retryingOctokit(githubUtils.getOctokitOptions(auth, {
        baseUrl: apiURL,
        userAgent: `CodeQL-${(0, util_1.getMode)()}/${pkg.version}`,
        log: (0, console_log_level_1.default)({ level: "debug" }),
    }));
 };
-function getApiUrl(githubUrl) {
+exports.getApiClient = getApiClient;
 // Once the runner is deleted, this can also be removed since the GitHub API URL is always available in an environment variable on Actions.
 function deriveApiUrl(githubUrl) {
    const url = new URL(githubUrl);
-    // If we detect this is trying to be to github.com
+    // If we detect this is trying to connect to github.com
    // then return with a fixed canonical URL.
    if (url.hostname === "github.com" || url.hostname === "api.github.com") {
        return "https://api.github.com";
@@ -37,11 +60,38 @@ function getApiUrl(githubUrl) {
    url.pathname = path.join(url.pathname, "api", "v3");
    return url.toString();
 }
 function getApiDetails() {
    return {
        auth: (0, actions_util_1.getRequiredInput)("token"),
        url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
        apiURL: (0, util_1.getRequiredEnvParam)("GITHUB_API_URL"),
    };
 }
 exports.getApiDetails = getApiDetails;
 // Temporary function to aid in the transition to running on and off of github actions.
-// Once all code has been coverted this function should be removed or made canonical
+// Once all code has been converted this function should be removed or made canonical
 // and called only from the action entrypoints.
-function getActionsApiClient(allowLocalRun = false) {
+function getActionsApiClient() {
-    return exports.getApiClient(actions_util_1.getRequiredInput("token"), actions_util_1.getRequiredEnvParam("GITHUB_SERVER_URL"), allowLocalRun);
+    return (0, exports.getApiClient)(getApiDetails());
 }
 exports.getActionsApiClient = getActionsApiClient;
 let cachedGitHubVersion = undefined;
 /**
 * Report the GitHub server version. This is a wrapper around
 * util.getGitHubVersion() that automatically supplies GitHub API details using
 * GitHub Action inputs. If you need to get the GitHub server version from the
 * Runner, please call util.getGitHubVersion() instead.
 *
 * @returns GitHub version
 */
 async function getGitHubVersionActionsOnly() {
    if (!util.isActions()) {
        throw new Error("getGitHubVersionActionsOnly() works only in an action");
    }
    if (cachedGitHubVersion === undefined) {
        cachedGitHubVersion = await util.getGitHubVersion(getApiDetails());
    }
    return cachedGitHubVersion;
 }
 exports.getGitHubVersionActionsOnly = getGitHubVersionActionsOnly;
 //# sourceMappingURL=api-client.js.map
--- a/lib/api-client.js.map
+++ b/lib/api-client.js.map
@@ -1 +1 @@
-{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,wDAA0C;AAC1C,0EAAgD;AAChD,2CAA6B;AAE7B,iDAAuE;AACvE,iCAAoC;AAEvB,QAAA,YAAY,GAAG,UAC1B,UAAkB,EAClB,SAAiB,EACjB,aAAa,GAAG,KAAK;IAErB,IAAI,iBAAU,EAAE,IAAI,CAAC,aAAa,EAAE;QAClC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;KAClD;IACD,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC;QACvB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,SAAS,CAAC,SAAS,CAAC;QAC7B,SAAS,EAAE,eAAe;QAC1B,GAAG,EAAE,2BAAe,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CAAC;AACL,CAAC,CAAC;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,kDAAkD;IAClD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,uFAAuF;AACvF,oFAAoF;AACpF,+CAA+C;AAC/C,SAAgB,mBAAmB,CAAC,aAAa,GAAG,KAAK;IACvD,OAAO,oBAAY,CACjB,+BAAgB,CAAC,OAAO,CAAC,EACzB,kCAAmB,CAAC,mBAAmB,CAAC,EACxC,aAAa,CACd,CAAC;AACJ,CAAC;AAND,kDAMC"}
+{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAkD;AAClD,6CAA+B;AAC/B,iCAAqE;AAErE,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAiBM,MAAM,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACjE,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,MAAM;QACf,SAAS,EAAE,UAAU,IAAA,cAAO,GAAE,IAAI,GAAG,CAAC,OAAO,EAAE;QAC/C,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAfW,QAAA,YAAY,gBAevB;AAEF,2IAA2I;AAC3I,SAAS,YAAY,CAAC,SAAiB;IACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,SAAgB,aAAa;IAC3B,OAAO;QACL,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;QAC7C,MAAM,EAAE,IAAA,0BAAmB,EAAC,gBAAgB,CAAC;KAC9C,CAAC;AACJ,CAAC;AAND,sCAMC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB;IACjC,OAAO,IAAA,oBAAY,EAAC,aAAa,EAAE,CAAC,CAAC;AACvC,CAAC;AAFD,kDAEC;AAED,IAAI,mBAAmB,GAA8B,SAAS,CAAC;AAE/D;;;;;;;GAOG;AACI,KAAK,UAAU,2BAA2B;IAC/C,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE;QACrB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;KAC1E;IACD,IAAI,mBAAmB,KAAK,SAAS,EAAE;QACrC,mBAAmB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,CAAC,CAAC;KACpE;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AARD,kEAQC"}
--- a/lib/api-client.test.js
+++ b/lib/api-client.test.js
@@ -0,0 +1,102 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
    __setModuleDefault(result, mod);
    return result;
 };
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const githubUtils = __importStar(require("@actions/github/lib/utils"));
 const ava_1 = __importDefault(require("ava"));
 const sinon = __importStar(require("sinon"));
 const api_client_1 = require("./api-client");
 const testing_utils_1 = require("./testing-utils");
 const util_1 = require("./util");
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
 (0, testing_utils_1.setupTests)(ava_1.default);
 let pluginStub;
 let githubStub;
 ava_1.default.beforeEach(() => {
    pluginStub = sinon.stub(githubUtils.GitHub, "plugin");
    githubStub = sinon.stub();
    pluginStub.returns(githubStub);
    (0, util_1.initializeEnvironment)(util_1.Mode.actions, pkg.version);
 });
 (0, ava_1.default)("Get the client API", async (t) => {
    doTest(t, {
        auth: "xyz",
        externalRepoAuth: "abc",
        url: "http://hucairz",
    }, undefined, {
        auth: "token xyz",
        baseUrl: "http://hucairz/api/v3",
        userAgent: `CodeQL-Action/${pkg.version}`,
    });
 });
 (0, ava_1.default)("Get the client API external", async (t) => {
    doTest(t, {
        auth: "xyz",
        externalRepoAuth: "abc",
        url: "http://hucairz",
    }, { allowExternal: true }, {
        auth: "token abc",
        baseUrl: "http://hucairz/api/v3",
        userAgent: `CodeQL-Action/${pkg.version}`,
    });
 });
 (0, ava_1.default)("Get the client API external not present", async (t) => {
    doTest(t, {
        auth: "xyz",
        url: "http://hucairz",
    }, { allowExternal: true }, {
        auth: "token xyz",
        baseUrl: "http://hucairz/api/v3",
        userAgent: `CodeQL-Action/${pkg.version}`,
    });
 });
 (0, ava_1.default)("Get the client API with github url", async (t) => {
    doTest(t, {
        auth: "xyz",
        url: "https://github.com/some/invalid/url",
    }, undefined, {
        auth: "token xyz",
        baseUrl: "https://api.github.com",
        userAgent: `CodeQL-Action/${pkg.version}`,
    });
 });
 (0, ava_1.default)("Get the API with an API URL directly", async (t) => {
    doTest(t, {
        auth: "xyz",
        url: "http://github.localhost",
        apiURL: "http://api.github.localhost",
    }, undefined, {
        auth: "token xyz",
        baseUrl: "http://api.github.localhost",
        userAgent: `CodeQL-Action/${pkg.version}`,
    });
 });
 function doTest(t, clientArgs, clientOptions, expected) {
    (0, api_client_1.getApiClient)(clientArgs, clientOptions);
    const firstCallArgs = githubStub.args[0];
    // log is a function, so we don't need to test for equality of it
    delete firstCallArgs[0].log;
    t.deepEqual(firstCallArgs, [expected]);
 }
 //# sourceMappingURL=api-client.test.js.map
--- a/lib/api-client.test.js.map
+++ b/lib/api-client.test.js.map
@@ -0,0 +1 @@
 {"version":3,"file":"api-client.test.js","sourceRoot":"","sources":["../src/api-client.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,uEAAyD;AACzD,8CAA6C;AAC7C,6CAA+B;AAE/B,6CAA4C;AAC5C,mDAA6C;AAC7C,iCAAqD;AAErD,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAI,UAA2B,CAAC;AAChC,IAAI,UAA2B,CAAC;AAEhC,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACtD,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC1B,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC/B,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;AACnD,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oBAAoB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrC,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,6BAA6B,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC9C,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1D,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oCAAoC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrD,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,qCAAqC;KAC3C,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sCAAsC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvD,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,yBAAyB;QAC9B,MAAM,EAAE,6BAA6B;KACtC,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,6BAA6B;QACtC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,SAAS,MAAM,CACb,CAA4B,EAC5B,UAAe,EACf,aAAkB,EAClB,QAAa;IAEb,IAAA,yBAAY,EAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAExC,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACzC,iEAAiE;IACjE,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC5B,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;AACzC,CAAC"}
--- a/lib/api-compatibility.json
+++ b/lib/api-compatibility.json
@@ -0,0 +1 @@
 { "maximumVersion": "3.7", "minimumVersion": "3.2" }
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -1,58 +1,92 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    result["default"] = mod;
+    __setModuleDefault(result, mod);
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
-const actionsUtil = __importStar(require("./actions-util"));
+const actions_util_1 = require("./actions-util");
 const api_client_1 = require("./api-client");
 const autobuild_1 = require("./autobuild");
-const config_utils = __importStar(require("./config-utils"));
+const configUtils = __importStar(require("./config-utils"));
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
 const repository_1 = require("./repository");
 const util_1 = require("./util");
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
 async function sendCompletedStatusReport(startedAt, allLanguages, failingLanguage, cause) {
-    var _a, _b;
+    (0, util_1.initializeEnvironment)(util_1.Mode.actions, pkg.version);
-    const status = failingLanguage !== undefined || cause !== undefined
+    const status = (0, actions_util_1.getActionsStatus)(cause, failingLanguage);
-        ? "failure"
+    const statusReportBase = await (0, actions_util_1.createStatusReportBase)("autobuild", status, startedAt, cause === null || cause === void 0 ? void 0 : cause.message, cause === null || cause === void 0 ? void 0 : cause.stack);
        : "success";
    const statusReportBase = await actionsUtil.createStatusReportBase("autobuild", status, startedAt, (_a = cause) === null || _a === void 0 ? void 0 : _a.message, (_b = cause) === null || _b === void 0 ? void 0 : _b.stack);
    const statusReport = {
        ...statusReportBase,
        autobuild_languages: allLanguages.join(","),
        autobuild_failure: failingLanguage,
    };
-    await actionsUtil.sendStatusReport(statusReport);
+    await (0, actions_util_1.sendStatusReport)(statusReport);
 }
 async function run() {
    const logger = logging_1.getActionsLogger();
    const startedAt = new Date();
    const logger = (0, logging_1.getActionsLogger)();
    await (0, util_1.checkActionVersion)(pkg.version);
    let language = undefined;
    try {
-        actionsUtil.prepareLocalRunEnvironment();
+        if (!(await (0, actions_util_1.sendStatusReport)(await (0, actions_util_1.createStatusReportBase)("autobuild", "starting", startedAt)))) {
        if (!(await actionsUtil.sendStatusReport(await actionsUtil.createStatusReportBase("autobuild", "starting", startedAt), true))) {
            return;
        }
-        const config = await config_utils.getConfig(actionsUtil.getRequiredEnvParam("RUNNER_TEMP"), logger);
+        const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
        (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger, util_1.Mode.actions);
        const featureFlags = new feature_flags_1.GitHubFeatureFlags(gitHubVersion, (0, api_client_1.getApiDetails)(), (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY")), logger);
        const config = await configUtils.getConfig((0, actions_util_1.getTemporaryDirectory)(), logger);
        if (config === undefined) {
            throw new Error("Config file could not be found at expected location. Has the 'init' action been called?");
        }
-        language = autobuild_1.determineAutobuildLanguage(config, logger);
+        language = await (0, autobuild_1.determineAutobuildLanguage)(config, featureFlags, logger);
        if (language !== undefined) {
-            await autobuild_1.runAutobuild(language, config, logger);
+            const workingDirectory = (0, actions_util_1.getOptionalInput)("working-directory");
            if (workingDirectory) {
                logger.info(`Changing autobuilder working directory to ${workingDirectory}`);
                process.chdir(workingDirectory);
            }
            await (0, autobuild_1.runAutobuild)(language, config, logger);
            if (language === languages_1.Language.go) {
                core.exportVariable("CODEQL_ACTION_DID_AUTOBUILD_GOLANG", "true");
            }
        }
    }
    catch (error) {
-        core.setFailed(`We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps.  ${error.message}`);
+        core.setFailed(`We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps.  ${error instanceof Error ? error.message : String(error)}`);
        console.log(error);
-        await sendCompletedStatusReport(startedAt, language ? [language] : [], language, error);
+        await sendCompletedStatusReport(startedAt, language ? [language] : [], language, error instanceof Error ? error : new Error(String(error)));
        return;
    }
    await sendCompletedStatusReport(startedAt, language ? [language] : []);
 }
-run().catch((e) => {
+async function runWrapper() {
-    core.setFailed(`autobuild action failed.  ${e}`);
+    try {
-    console.log(e);
+        await run();
-});
+    }
    catch (error) {
        core.setFailed(`autobuild action failed. ${error}`);
        console.log(error);
    }
 }
 void runWrapper();
 //# sourceMappingURL=autobuild-action.js.map
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,3 @@`
							`*/ @github/codeql-action-reviewers`

							`/python-setup/ @github/codeql-python @github/codeql-action-reviewers`
		`@@ -1 +1 @@`
			{"version":3,"file":"analysis-paths.js","sourceRoot":"","sources":["../src/analysis-paths.ts"],"names":[],"mappings":";;AAGA,SAAS,qBAAqB,CAAC,QAAQ;IACrC,OAAO,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,QAAQ,CAAC;AAC5D,CAAC;AAED,6FAA6F;AAChF,QAAA,+BAA+B,GAAG,eAAe,CAAC;AAE/D,uFAAuF;AACvF,SAAS,yBAAyB,CAAC,KAAe;IAChD,iCAAiC;IACjC,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEnD,uDAAuD;IACvD,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;QAChC,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,uCAA+B,CAAC,CAAC,CAAC;KACvE;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAgB,uBAAuB,CACrC,MAA0B,EAC1B,MAAc;IAEd,oEAAoE;IACpE,sEAAsE;IACtE,IACE,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,CAAC;QAC9D,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAC9C;QACA,MAAM,CAAC,OAAO,CACZ,4FAA4F,CAC7F,CAAC;KACH;AACH,CAAC;AAdD,0DAcC;AAED,SAAgB,8BAA8B,CAAC,MAA0B;IACvE,0EAA0E;IAC1E,+DAA+D;IAC/D,sEAAsE;IACtE,qDAAqD;IACrD,gFAAgF;IAChF,sEAAsE;IACtE,sDAAsD;IACtD,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE;QAC7B,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,yBAAyB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KAC7E;IACD,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE;QACnC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,yBAAyB,CAC3D,MAAM,CAAC,WAAW,CACnB,CAAC;KACH;IAED,yEAAyE;IACzE,6EAA6E;IAC7E,wDAAwD;IACxD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IACzD,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE;QACxB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KACxD;AACH,CAAC;AA1BD,wEA0BC"}				{"version":3,"file":"analysis-paths.js","sourceRoot":"","sources":["../src/analysis-paths.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAK7B,SAAS,qBAAqB,CAAC,QAAQ;IACrC,OAAO,CACL,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,MAAM,CAC1E,CAAC;AACJ,CAAC;AAED,6FAA6F;AAChF,QAAA,+BAA+B,GAAG,cAAc,CAAC;AAE9D,uFAAuF;AACvF,SAAS,yBAAyB,CAAC,KAAe;IAChD,iCAAiC;IACjC,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEnD,uDAAuD;IACvD,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;QAChC,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,uCAA+B,CAAC,CAAC,CAAC;KACvE;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAgB,uBAAuB,CACrC,MAA0B,EAC1B,MAAc;IAEd,qEAAqE;IACrE,sEAAsE;IACtE,IACE,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,CAAC;QAC9D,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAC9C;QACA,MAAM,CAAC,OAAO,CACZ,mGAAmG,CACpG,CAAC;KACH;AACH,CAAC;AAdD,0DAcC;AAED,SAAgB,8BAA8B,CAAC,MAA0B;IACvE,0EAA0E;IAC1E,+DAA+D;IAC/D,sEAAsE;IACtE,qDAAqD;IACrD,gFAAgF;IAChF,sEAAsE;IACtE,sDAAsD;IACtD,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE;QAC7B,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,yBAAyB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KAC7E;IACD,mFAAmF;IACnF,MAAM,qBAAqB,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IAC3E,IAAI,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;IACrC,IACE,CAAC,qBAAqB,CAAC,UAAU,CAAC,IAAI,CAAC;QACvC,CAAC,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,EACvC;QACA,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;KACzD;IACD,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE;QAC5B,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,yBAAyB,CAAC,WAAW,CAAC,CAAC;KAC5E;IAED,yEAAyE;IACzE,6EAA6E;IAC7E,wDAAwD;IACxD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IACzD,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE;QACxB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KACxD;AACH,CAAC;AAjCD,wEAiCC"}
		`@@ -1 +1 @@`
			{"version":3,"file":"analysis-paths.test.js","sourceRoot":"","sources":["../src/analysis-paths.test.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,8CAAuB;AAEvB,gEAAkD;AAClD,mDAA6C;AAC7C,6CAA+B;AAE/B,0BAAU,CAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,YAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC7B,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,WAAW,EAAE,EAAE;YACf,KAAK,EAAE,EAAE;YACT,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,YAAY,EAAE,MAAM;YACpB,SAAS,EAAE,EAAE;SACd,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,eAAe,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAChC,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,KAAK,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YACrC,WAAW,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YAC3C,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,YAAY,EAAE,MAAM;YACpB,SAAS,EAAE,EAAE;SACd,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CACF,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EACjC,gGAAgG,CACjG,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}				{"version":3,"file":"analysis-paths.test.js","sourceRoot":"","sources":["../src/analysis-paths.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AAEvB,gEAAkD;AAClD,mDAA6C;AAC7C,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,YAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC7B,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,WAAW,EAAE,EAAE;YACf,KAAK,EAAE,EAAE;YACT,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,kBAAkB,CAAC;YACpD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,sBAAsB,EAAE;gBACtB,iBAAiB,EAAE,KAAK;gBACxB,kBAAkB,EAAE,KAAK;gBACzB,oBAAoB,EAAE,KAAK;aAC5B;YACD,UAAU,EAAE,EAAE;YACd,qBAAqB,EAAE,CAAC;SACzB,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,eAAe,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAChC,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,KAAK,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YACrC,WAAW,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YAC3C,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,kBAAkB,CAAC;YACpD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,sBAAsB,EAAE;gBACtB,iBAAiB,EAAE,KAAK;gBACxB,kBAAkB,EAAE,KAAK;gBACzB,oBAAoB,EAAE,KAAK;aAC5B;YACD,UAAU,EAAE,EAAE;YACd,qBAAqB,EAAE,CAAC;SACzB,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CACF,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EACjC,gGAAgG,CACjG,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,kBAAkB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,oBAAoB,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG;QACb,SAAS,EAAE,EAAE;QACb,OAAO,EAAE,EAAE;QACX,WAAW,EAAE,EAAE;QACf,KAAK,EAAE,EAAE;QACT,iBAAiB,EAAE,EAAE;QACrB,OAAO;QACP,SAAS,EAAE,EAAE;QACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;QACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,kBAAkB,CAAC;QACrD,KAAK,EAAE,EAAE;QACT,SAAS,EAAE,KAAK;QAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;QACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;QACnD,sBAAsB,EAAE;YACtB,iBAAiB,EAAE,KAAK;YACxB,kBAAkB,EAAE,KAAK;YACzB,oBAAoB,EAAE,KAAK;SAC5B;QACD,UAAU,EAAE,EAAE;QACd,qBAAqB,EAAE,CAAC;KACzB,CAAC;IACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;IACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,oBAAoB,CAAC,CAAC;IAC9D,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;AACrD,CAAC,CAAC,CAAC"}
		`@@ -0,0 +1 @@`
							{"version":3,"file":"analyze-action-env.test.js","sourceRoot":"","sources":["../src/analyze-action-env.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,4DAA8C;AAC9C,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,8DAA8D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC/E,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC;aAC3C,QAAQ,CAAC,EAAkC,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;SACuB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,uEAAuE;QACvE,0EAA0E;QAC1E,iBAAiB;QACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
		`@@ -0,0 +1 @@`
							{"version":3,"file":"analyze-action-input.test.js","sourceRoot":"","sources":["../src/analyze-action-input.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,mDAAqC;AACrC,4DAA8C;AAC9C,mDAIyB;AACzB,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,4EAA4E;AAC5E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,iCAAiC;AAEjC,IAAA,aAAI,EAAC,sDAAsD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvE,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,sCAAsC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,wBAAwB,CAAC;QACzD,KAAK;aACF,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC;aAC3C,QAAQ,CAAC,EAAkC,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;SACuB,CAAC,CAAC;QACpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/D,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,GAAG,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC;QAEnC,4DAA4D;QAC5D,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpD,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElD,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAElD,uEAAuE;QACvE,oEAAoE;QACpE,4EAA4E;QAC5E,wEAAwE;QACxE,MAAM,aAAa,CAAC,UAAU,CAAC;QAE/B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;QAC9D,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
		`@@ -0,0 +1 @@`
							{"version":3,"file":"analyze-action-post-helper.js","sourceRoot":"","sources":["../src/analyze-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,iDAA2C;AAC3C,uCAA6C;AAEtC,KAAK,UAAU,GAAG,CAAC,wBAAkC;IAC1D,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAElC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;KACH;IAED,+CAA+C;IAC/C,IAAI,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE;QACrB,IAAI,CAAC,IAAI,CACP,oFAAoF,CACrF,CAAC;QACF,MAAM,SAAS,GAAG,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QACzD,MAAM,wBAAwB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;KACnD;AACH,CAAC;AAlBD,kBAkBC"}
		`@@ -0,0 +1 @@`
							`{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,sFAAwE;AACxE,kEAAoD;AAEpD,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,uBAAuB,CAAC,GAAG,CAAC,cAAc,CAAC,wBAAwB,CAAC,CAAC;KAC5E;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,oCAAoC,KAAK,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}`
		`@@ -1 +1 @@`
			{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,wDAA0C;AAC1C,0EAAgD;AAChD,2CAA6B;AAE7B,iDAAuE;AACvE,iCAAoC;AAEvB,QAAA,YAAY,GAAG,UAC1B,UAAkB,EAClB,SAAiB,EACjB,aAAa,GAAG,KAAK;IAErB,IAAI,iBAAU,EAAE,IAAI,CAAC,aAAa,EAAE;QAClC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;KAClD;IACD,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC;QACvB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,SAAS,CAAC,SAAS,CAAC;QAC7B,SAAS,EAAE,eAAe;QAC1B,GAAG,EAAE,2BAAe,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CAAC;AACL,CAAC,CAAC;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,kDAAkD;IAClD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,uFAAuF;AACvF,oFAAoF;AACpF,+CAA+C;AAC/C,SAAgB,mBAAmB,CAAC,aAAa,GAAG,KAAK;IACvD,OAAO,oBAAY,CACjB,+BAAgB,CAAC,OAAO,CAAC,EACzB,kCAAmB,CAAC,mBAAmB,CAAC,EACxC,aAAa,CACd,CAAC;AACJ,CAAC;AAND,kDAMC"}				{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAkD;AAClD,6CAA+B;AAC/B,iCAAqE;AAErE,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAiBM,MAAM,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACjE,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,MAAM;QACf,SAAS,EAAE,UAAU,IAAA,cAAO,GAAE,IAAI,GAAG,CAAC,OAAO,EAAE;QAC/C,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAfW,QAAA,YAAY,gBAevB;AAEF,2IAA2I;AAC3I,SAAS,YAAY,CAAC,SAAiB;IACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,SAAgB,aAAa;IAC3B,OAAO;QACL,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;QAC7C,MAAM,EAAE,IAAA,0BAAmB,EAAC,gBAAgB,CAAC;KAC9C,CAAC;AACJ,CAAC;AAND,sCAMC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB;IACjC,OAAO,IAAA,oBAAY,EAAC,aAAa,EAAE,CAAC,CAAC;AACvC,CAAC;AAFD,kDAEC;AAED,IAAI,mBAAmB,GAA8B,SAAS,CAAC;AAE/D;;;;;;;GAOG;AACI,KAAK,UAAU,2BAA2B;IAC/C,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE;QACrB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;KAC1E;IACD,IAAI,mBAAmB,KAAK,SAAS,EAAE;QACrC,mBAAmB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,CAAC,CAAC;KACpE;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AARD,kEAQC"}
		`@@ -0,0 +1 @@`
							{"version":3,"file":"api-client.test.js","sourceRoot":"","sources":["../src/api-client.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,uEAAyD;AACzD,8CAA6C;AAC7C,6CAA+B;AAE/B,6CAA4C;AAC5C,mDAA6C;AAC7C,iCAAqD;AAErD,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAI,UAA2B,CAAC;AAChC,IAAI,UAA2B,CAAC;AAEhC,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACtD,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC1B,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC/B,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;AACnD,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oBAAoB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrC,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,6BAA6B,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC9C,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1D,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oCAAoC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrD,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,qCAAqC;KAC3C,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sCAAsC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvD,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,yBAAyB;QAC9B,MAAM,EAAE,6BAA6B;KACtC,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,6BAA6B;QACtC,SAAS,EAAE,iBAAiB,GAAG,CAAC,OAAO,EAAE;KAC1C,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,SAAS,MAAM,CACb,CAA4B,EAC5B,UAAe,EACf,aAAkB,EAClB,QAAa;IAEb,IAAA,yBAAY,EAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAExC,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACzC,iEAAiE;IACjE,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC5B,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;AACzC,CAAC"}
		`@@ -0,0 +1 @@`
							`{ "maximumVersion": "3.7", "minimumVersion": "3.2" }`