Don't fail post start-proxy action if killing the proxy process fails

Otherwise logs won't get uploaded as artifact, even in debug mode
Add proxy_binary input to start-proxy Action
2025-12-08 00:38:30 +08:00 · 2025-04-25 16:53:21 +01:00 · 2025-04-25 16:53:09 +01:00 · 2025-04-25 16:50:50 +01:00 · 2025-04-25 14:25:57 +01:00 · 2025-04-25 14:25:40 +01:00
8075 changed files with 682617 additions and 669816 deletions
--- a/.github/actions/check-codescanning-config/action.yml
+++ b/.github/actions/check-codescanning-config/action.yml
@@ -61,11 +61,12 @@ runs:
    - name: Check config
      working-directory: ${{ github.action_path }}
      shell: bash
-      run: ts-node ./index.ts "${{ runner.temp }}/user-config.yaml" '${{ inputs.expected-config-file-contents }}'
-
+      env:
+        EXPECTED_CONFIG_FILE_CONTENTS: '${{ inputs.expected-config-file-contents }}'
+      run: ts-node ./index.ts "$RUNNER_TEMP/user-config.yaml" "$EXPECTED_CONFIG_FILE_CONTENTS"
    - name: Clean up
      shell: bash
      if: always()
      run: |
-        rm -rf ${{ runner.temp }}/codescanning-config-cli-test
-        rm -rf ${{ runner.temp }}/user-config.yaml
+        rm -rf $RUNNER_TEMP/codescanning-config-cli-test
+        rm -rf $RUNNER_TEMP/user-config.yaml
--- a/.github/actions/check-codescanning-config/index.ts
+++ b/.github/actions/check-codescanning-config/index.ts
@@ -8,7 +8,7 @@ const actualConfig = loadActualConfig()

 const rawExpectedConfig = process.argv[3].trim()
 if (!rawExpectedConfig) {
-  core.info('No expected configuration provided')
+  core.setFailed('No expected configuration provided')
 } else {
  core.startGroup('Expected generated user config')
  core.info(yaml.dump(JSON.parse(rawExpectedConfig)))
--- a/.github/actions/prepare-test/action.yml
+++ b/.github/actions/prepare-test/action.yml
@@ -29,24 +29,27 @@ runs:
    - id: get-url
      name: Determine URL
      shell: bash
+      env:
+        VERSION: ${{ inputs.version }}
+        USE_ALL_PLATFORM_BUNDLE: ${{ inputs.use-all-platform-bundle }}
      run: |
        set -e # Fail this Action if `gh release list` fails.

-        if [[ ${{ inputs.version }} == "linked" ]]; then
+        if [[ "$VERSION" == "linked" ]]; then
          echo "tools-url=linked" >> "$GITHUB_OUTPUT"
          exit 0
-        elif [[ ${{ inputs.version }} == "default" ]]; then
+        elif [[ "$VERSION" == "default" ]]; then
          echo "tools-url=" >> "$GITHUB_OUTPUT"
          exit 0
        fi

-        if [[ ${{ inputs.version }} == "nightly-latest" && "$RUNNER_OS" != "Windows" ]]; then
+        if [[ "$VERSION" == "nightly-latest" && "$RUNNER_OS" != "Windows" ]]; then
          extension="tar.zst"
        else
          extension="tar.gz"
        fi

-        if [[ ${{ inputs.use-all-platform-bundle }} == "true" ]]; then
+        if [[ "$USE_ALL_PLATFORM_BUNDLE" == "true" ]]; then
          artifact_name="codeql-bundle.$extension"
        elif [[ "$RUNNER_OS" == "Linux" ]]; then
          artifact_name="codeql-bundle-linux64.$extension"
@@ -59,14 +62,14 @@ runs:
          exit 1
        fi

-        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
+        if [[ "$VERSION" == "nightly-latest" ]]; then
          tag=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
-          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
+        elif [[ "$VERSION" == *"nightly"* ]]; then
+          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
-          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
+        elif [[ "$VERSION" == *"stable"* ]]; then
+          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
          echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
        else
          echo "::error::Unrecognized version specified!"
--- a/.github/actions/release-branches/action.yml
+++ b/.github/actions/release-branches/action.yml
@@ -18,8 +18,11 @@ runs:
  using: "composite"
  steps:
    - id: branches
+      env:
+        MAJOR_VERSION: ${{ inputs.major_version }}
+        LATEST_TAG: ${{ inputs.latest_tag }}
      run: |
        python ${{ github.action_path }}/release-branches.py \
-            --major-version ${{ inputs.major_version }} \
-            --latest-tag ${{ inputs.latest_tag }}
+            --major-version "$MAJOR_VERSION" \
+            --latest-tag "$LATEST_TAG"
      shell: bash
--- a/.github/codeql/codeql-actions-config.yml
+++ b/.github/codeql/codeql-actions-config.yml
@@ -0,0 +1,4 @@
+# Configuration for the CodeQL Actions Queries
+name: "CodeQL Actions Queries config"
+queries:
+  - uses: security-and-quality
--- a/.github/workflows/__all-platform-bundle.yml
+++ b/.github/workflows/__all-platform-bundle.yml
@@ -32,7 +32,7 @@ jobs:
    name: All-platform bundle
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -36,7 +36,7 @@ jobs:
    name: "Analyze: 'ref' and 'sha' from inputs"
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__autobuild-action.yml
+++ b/.github/workflows/__autobuild-action.yml
@@ -36,7 +36,7 @@ jobs:
    name: autobuild-action
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
+++ b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
@@ -38,7 +38,7 @@ jobs:
    name: Autobuild direct tracing (custom working directory)
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__autobuild-direct-tracing.yml
+++ b/.github/workflows/__autobuild-direct-tracing.yml
@@ -38,7 +38,7 @@ jobs:
    name: Autobuild direct tracing
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__build-mode-autobuild.yml
+++ b/.github/workflows/__build-mode-autobuild.yml
@@ -32,7 +32,7 @@ jobs:
    name: Build mode autobuild
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__build-mode-manual.yml
+++ b/.github/workflows/__build-mode-manual.yml
@@ -32,7 +32,7 @@ jobs:
    name: Build mode manual
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__build-mode-none.yml
+++ b/.github/workflows/__build-mode-none.yml
@@ -34,7 +34,7 @@ jobs:
    name: Build mode none
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__build-mode-rollback.yml
+++ b/.github/workflows/__build-mode-rollback.yml
@@ -32,7 +32,7 @@ jobs:
    name: Build mode rollback
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__cleanup-db-cluster-dir.yml
+++ b/.github/workflows/__cleanup-db-cluster-dir.yml
@@ -32,7 +32,7 @@ jobs:
    name: Clean up database cluster directory
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__config-export.yml
+++ b/.github/workflows/__config-export.yml
@@ -42,7 +42,7 @@ jobs:
    name: Config export
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__config-input.yml
+++ b/.github/workflows/__config-input.yml
@@ -32,7 +32,7 @@ jobs:
    name: Config input
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__cpp-deptrace-disabled.yml
+++ b/.github/workflows/__cpp-deptrace-disabled.yml
@@ -36,7 +36,7 @@ jobs:
    name: 'C/C++: disabling autoinstalling dependencies (Linux)'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
+++ b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
@@ -32,7 +32,7 @@ jobs:
    name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__cpp-deptrace-enabled.yml
+++ b/.github/workflows/__cpp-deptrace-enabled.yml
@@ -36,7 +36,7 @@ jobs:
    name: 'C/C++: autoinstalling dependencies (Linux)'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__diagnostics-export.yml
+++ b/.github/workflows/__diagnostics-export.yml
@@ -42,7 +42,7 @@ jobs:
    name: Diagnostic export
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__export-file-baseline-information.yml
+++ b/.github/workflows/__export-file-baseline-information.yml
@@ -36,7 +36,7 @@ jobs:
    name: Export file baseline information
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__extract-direct-to-toolcache.yml
+++ b/.github/workflows/__extract-direct-to-toolcache.yml
@@ -36,7 +36,7 @@ jobs:
    name: Extract directly to toolcache
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__extractor-ram-threads.yml
+++ b/.github/workflows/__extractor-ram-threads.yml
@@ -32,7 +32,7 @@ jobs:
    name: Extractor ram and threads options test
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -34,7 +34,7 @@ jobs:
    name: 'Go: Custom queries'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
@@ -32,7 +32,7 @@ jobs:
    name: 'Go: diagnostic when Go is changed after init step'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
@@ -32,7 +32,7 @@ jobs:
    name: 'Go: diagnostic when `file` is not installed'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__go-indirect-tracing-workaround.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround.yml
@@ -32,7 +32,7 @@ jobs:
    name: 'Go: workaround for indirect tracing'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__go-tracing-autobuilder.yml
+++ b/.github/workflows/__go-tracing-autobuilder.yml
@@ -62,7 +62,7 @@ jobs:
    name: 'Go: tracing with autobuilder step'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -77,7 +77,7 @@ jobs:
          setup-kotlin: 'true'
      - uses: actions/setup-go@v5
        with:
-          go-version: ~1.23.0
+          go-version: ~1.24.0
      # to avoid potentially misleading autobuilder results where we expect it to download
      # dependencies successfully, but they actually come from a warm cache
          cache: false
--- a/.github/workflows/__go-tracing-custom-build-steps.yml
+++ b/.github/workflows/__go-tracing-custom-build-steps.yml
@@ -62,7 +62,7 @@ jobs:
    name: 'Go: tracing with custom build steps'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -77,7 +77,7 @@ jobs:
          setup-kotlin: 'true'
      - uses: actions/setup-go@v5
        with:
-          go-version: ~1.23.0
+          go-version: ~1.24.0
      # to avoid potentially misleading autobuilder results where we expect it to download
      # dependencies successfully, but they actually come from a warm cache
          cache: false
--- a/.github/workflows/__go-tracing-legacy-workflow.yml
+++ b/.github/workflows/__go-tracing-legacy-workflow.yml
@@ -62,7 +62,7 @@ jobs:
    name: 'Go: tracing with legacy workflow'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -77,7 +77,7 @@ jobs:
          setup-kotlin: 'true'
      - uses: actions/setup-go@v5
        with:
-          go-version: ~1.23.0
+          go-version: ~1.24.0
      # to avoid potentially misleading autobuilder results where we expect it to download
      # dependencies successfully, but they actually come from a warm cache
          cache: false
--- a/.github/workflows/__javascript-source-root.yml
+++ b/.github/workflows/__javascript-source-root.yml
@@ -36,7 +36,7 @@ jobs:
    name: Custom source root
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__job-run-uuid-sarif.yml
+++ b/.github/workflows/__job-run-uuid-sarif.yml
@@ -32,7 +32,7 @@ jobs:
    name: Job run UUID added to SARIF
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__language-aliases.yml
+++ b/.github/workflows/__language-aliases.yml
@@ -32,7 +32,7 @@ jobs:
    name: Language aliases
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -62,7 +62,7 @@ jobs:
    name: Multi-language repository
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -48,7 +48,7 @@ jobs:
    name: 'Packaging: Config and input passed to the CLI'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -48,7 +48,7 @@ jobs:
    name: 'Packaging: Config and input'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -48,7 +48,7 @@ jobs:
    name: 'Packaging: Config file'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -48,7 +48,7 @@ jobs:
    name: 'Packaging: Action input'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -34,7 +34,7 @@ jobs:
    name: Remote config file
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__resolve-environment-action.yml
+++ b/.github/workflows/__resolve-environment-action.yml
@@ -48,7 +48,7 @@ jobs:
    name: Resolve environment
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -32,7 +32,7 @@ jobs:
    name: RuboCop multi-language
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@@ -46,7 +46,7 @@ jobs:
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252 # v1.229.0
        with:
          ruby-version: 2.6
      - name: Install Code Scanning integration
--- a/.github/workflows/__ruby.yml
+++ b/.github/workflows/__ruby.yml
@@ -42,7 +42,7 @@ jobs:
    name: Ruby analysis
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__rust.yml
+++ b/.github/workflows/__rust.yml
@@ -0,0 +1,71 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Rust analysis
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  rust:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Rust analysis
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: rust
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+        env:
+          CODEQL_ACTION_RUST_ANALYSIS: true
+      - uses: ./../action/analyze
+        id: analysis
+        with:
+          upload-database: false
+      - name: Check database
+        shell: bash
+        run: |
+          RUST_DB="${{ fromJson(steps.analysis.outputs.db-locations).rust }}"
+          if [[ ! -d "$RUST_DB" ]]; then
+            echo "Did not create a database for Rust."
+            exit 1
+          fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -42,7 +42,7 @@ jobs:
    name: Split workflow
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__start-proxy.yml
+++ b/.github/workflows/__start-proxy.yml
@@ -36,7 +36,7 @@ jobs:
    name: Start proxy
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__submit-sarif-failure.yml
+++ b/.github/workflows/__submit-sarif-failure.yml
@@ -36,7 +36,8 @@ jobs:
    name: Submit SARIF after failure
    permissions:
      contents: read
-      security-events: write
+      security-events: write # needed to upload the SARIF file
+
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__swift-autobuild.yml
+++ b/.github/workflows/__swift-autobuild.yml
@@ -32,7 +32,7 @@ jobs:
    name: Swift analysis using autobuild
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__swift-custom-build.yml
+++ b/.github/workflows/__swift-custom-build.yml
@@ -36,7 +36,7 @@ jobs:
    name: Swift analysis using a custom build command
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__test-autobuild-working-dir.yml
+++ b/.github/workflows/__test-autobuild-working-dir.yml
@@ -32,7 +32,7 @@ jobs:
    name: Autobuild working directory
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__test-local-codeql.yml
+++ b/.github/workflows/__test-local-codeql.yml
@@ -32,7 +32,7 @@ jobs:
    name: Local CodeQL bundle
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__test-proxy.yml
+++ b/.github/workflows/__test-proxy.yml
@@ -34,7 +34,7 @@ jobs:
    name: Proxy test
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -34,7 +34,7 @@ jobs:
    name: Test unsetting environment variables
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -36,7 +36,7 @@ jobs:
    name: "Upload-sarif: 'ref' and 'sha' from inputs"
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -36,7 +36,7 @@ jobs:
    name: Use a custom `checkout_path`
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__zstd-bundle-streaming.yml
+++ b/.github/workflows/__zstd-bundle-streaming.yml
@@ -34,7 +34,7 @@ jobs:
    name: Zstandard bundle (streaming)
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__zstd-bundle.yml
+++ b/.github/workflows/__zstd-bundle.yml
@@ -36,7 +36,7 @@ jobs:
    name: Zstandard bundle
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/check-expected-release-files.yml
+++ b/.github/workflows/check-expected-release-files.yml
@@ -13,6 +13,9 @@ jobs:
  check-expected-release-files:
    runs-on: ubuntu-latest

+    permissions:
+      contents: read
+
    steps:
      - name: Checkout CodeQL Action
        uses: actions/checkout@v4
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -24,7 +24,7 @@ jobs:
      versions: ${{ steps.compare.outputs.versions }}

    permissions:
-      security-events: write
+      contents: read

    steps:
    - uses: actions/checkout@v4
@@ -70,16 +70,17 @@ jobs:
        echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
        echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT

-  build:
+  analyze-javascript:
    needs: [check-codeql-versions]
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-20.04,ubuntu-22.04,windows-2019,windows-2022,macos-13,macos-14]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2019,windows-2022,macos-13,macos-14]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

    permissions:
+      contents: read
      security-events: write

    steps:
@@ -99,3 +100,27 @@ jobs:
      uses: ./analyze
      with:
        category: "/language:javascript"
+
+
+  analyze-actions:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: Initialize CodeQL
+      uses: ./init
+      with:
+        languages: actions
+        config-file: ./.github/codeql/codeql-actions-config.yml
+    - name: Perform CodeQL Analysis
+      uses: ./analyze
+      with:
+        category: "/language:actions"
--- a/.github/workflows/codescanning-config-cli.yml
+++ b/.github/workflows/codescanning-config-cli.yml
@@ -23,6 +23,11 @@ jobs:
  code-scanning-config-tests:
    continue-on-error: true

+    permissions:
+      contents: read
+      packages: read
+      security-events: read
+
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/debug-artifacts-failure-safe.yml
+++ b/.github/workflows/debug-artifacts-failure-safe.yml
@@ -0,0 +1,102 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist
+# when the analyze step fails.
+name: PR Check - Debug artifacts after failure
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v*
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+        - stable-v2.20.3
+        - default
+        - linked
+        - nightly-latest
+    name: Upload debug artifacts after failure in analyze
+    continue-on-error: true
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    permissions:
+      contents: read
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dump GitHub event
+        run: cat "${GITHUB_EVENT_PATH}"
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ^1.13.1
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis
+        env:
+          # Forces a failure in this step.
+          CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
+        with:
+          expect-error: true
+  download-and-check-artifacts:
+    name: Download and check debug artifacts after failure in analyze
+    needs: upload-artifacts
+    timeout-minutes: 45
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          LANGUAGES="cpp csharp go java javascript python"
+          for version in $VERSIONS; do
+            echo "Artifacts from version $version:"
+            pushd "./my-debug-artifacts-${version//./}"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
+                echo "Missing a partial database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "log" ]] ; then
+                echo "Missing database initialization logs"
+                exit 1
+              fi
+              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
+            done
+            popd
+          done
+        env:
+          GO111MODULE: auto
--- a/.github/workflows/debug-artifacts-failure.yml
+++ b/.github/workflows/debug-artifacts-failure.yml
@@ -1,87 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist
-# when the analyze step fails.
-name: PR Check - Debug artifacts after failure
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    name: Upload debug artifacts after failure in analyze
-    continue-on-error: true
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Dump GitHub event
-        run: cat "${GITHUB_EVENT_PATH}"
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: linked
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-        env:
-          # Forces a failure in this step.
-          CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
-        with:
-          expect-error: true
-  download-and-check-artifacts:
-    name: Download and check debug artifacts after failure in analyze
-    needs: upload-artifacts
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          LANGUAGES="cpp csharp go java javascript python"
-          cd "./my-debug-artifacts"
-          echo "Artifacts from run:"
-          for language in $LANGUAGES; do
-            echo "- Checking $language"
-            if [[ ! -f "my-db-$language-partial.zip" ]] ; then
-              echo "Missing a partial database bundle for $language"
-              exit 1
-            fi
-            if [[ ! -d "log" ]] ; then
-              echo "Missing database initialization logs"
-              exit 1
-            fi
-            if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
-              echo "Missing logs for $language"
-              exit 1
-            fi
-          done
-        env:
-          GO111MODULE: auto
--- a/.github/workflows/debug-artifacts-safe.yml
+++ b/.github/workflows/debug-artifacts-safe.yml
@@ -0,0 +1,97 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist.
+name: PR Check - Debug artifact upload
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+on:
+  push:
+    branches:
+    - main
+    - releases/v*
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+        - stable-v2.20.3
+        - default
+        - linked
+        - nightly-latest
+    name: Upload debug artifacts
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ^1.13.1
+      - uses: ./../action/init
+        id: init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
+          languages: cpp,csharp,go,java,javascript,python,ruby
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis
+  download-and-check-artifacts:
+    name: Download and check debug artifacts
+    needs: upload-artifacts
+    timeout-minutes: 45
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          VERSIONS="stable-v2.20.3 default linked nightly-latest"
+          LANGUAGES="cpp csharp go java javascript python"
+          for version in $VERSIONS; do
+            pushd "./my-debug-artifacts-${version//./}"
+            echo "Artifacts from version $version:"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "$language.sarif" ]] ; then
+                echo "Missing a SARIF file for $language"
+                exit 1
+              fi
+              if [[ ! -f "my-db-$language.zip" ]] ; then
+                echo "Missing a database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
+            done
+            popd
+          done
+        env:
+          GO111MODULE: auto
--- a/.github/workflows/debug-artifacts.yml
+++ b/.github/workflows/debug-artifacts.yml
@@ -1,97 +0,0 @@
-# Checks logs, SARIF, and database bundle debug artifacts exist.
-name: PR Check - Debug artifact upload
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-on:
-  push:
-    branches:
-    - main
-    - releases/v*
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch: {}
-jobs:
-  upload-artifacts:
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-        - stable-v2.15.5
-        - stable-v2.16.6
-        - stable-v2.17.6
-        - stable-v2.18.4
-        - stable-v2.19.4
-        - default
-        - linked
-        - nightly-latest
-    name: Upload debug artifacts
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ^1.13.1
-      - uses: ./../action/init
-        id: init
-        with:
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-          debug: true
-          debug-artifact-name: my-debug-artifacts
-          debug-database-name: my-db
-          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
-          languages: cpp,csharp,go,java,javascript,python,ruby
-      - name: Build code
-        shell: bash
-        run: ./build.sh
-      - uses: ./../action/analyze
-        id: analysis
-  download-and-check-artifacts:
-    name: Download and check debug artifacts
-    needs: upload-artifacts
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-      - name: Check expected artifacts exist
-        shell: bash
-        run: |
-          VERSIONS="stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 stable-v2.18.4 stable-v2.19.4 default linked nightly-latest"
-          LANGUAGES="cpp csharp go java javascript python"
-          for version in $VERSIONS; do
-            pushd "./my-debug-artifacts-${version//./}"
-            echo "Artifacts from version $version:"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "$language.sarif" ]] ; then
-                echo "Missing a SARIF file for $language"
-                exit 1
-              fi
-              if [[ ! -f "my-db-$language.zip" ]] ; then
-                echo "Missing a database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
-          done
-        env:
-          GO111MODULE: auto
--- a/.github/workflows/expected-queries-runs.yml
+++ b/.github/workflows/expected-queries-runs.yml
@@ -24,7 +24,7 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    steps:
    - name: Check out repository
      uses: actions/checkout@v4
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -27,6 +27,10 @@ jobs:
      BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
      HEAD_BRANCH: "${{ github.head_ref || github.ref }}"

+    permissions:
+      contents: write # needed to create tags and push commits
+      pull-requests: write
+
    steps:
      - name: Dump environment
        run: env
@@ -164,7 +168,7 @@ jobs:
            --draft

      - name: Generate token
-        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755
+        uses: actions/create-github-app-token@v2.0.2
        id: app-token
        with:
          app-id: ${{ vars.AUTOMATION_APP_ID }}
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -15,7 +15,7 @@ jobs:
    timeout-minutes: 45
    permissions:
      contents: read
-      security-events: write
+      security-events: write # needed to upload ESLint results

    strategy:
      fail-fast: false
@@ -40,6 +40,8 @@ jobs:
  check-node-modules:
    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
    name: Check modules up to date
+    permissions:
+      contents: read
    runs-on: macos-latest
    timeout-minutes: 45

@@ -51,6 +53,8 @@ jobs:
  check-file-contents:
    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
    name: Check file contents
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    timeout-minutes: 45

@@ -81,6 +85,8 @@ jobs:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
+    permissions:
+      contents: read
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45

@@ -101,6 +107,9 @@ jobs:
    env:
      BASE_REF: ${{ github.base_ref }}

+    permissions:
+      contents: read
+
    steps:
      - uses: actions/checkout@v4
      - id: head-version
--- a/.github/workflows/python312-windows.yml
+++ b/.github/workflows/python312-windows.yml
@@ -17,6 +17,8 @@ jobs:
    env:
      CODEQL_ACTION_TEST_MODE: true
    timeout-minutes: 45
+    permissions:
+      contents: read
    runs-on: windows-latest

    steps:
--- a/.github/workflows/query-filters.yml
+++ b/.github/workflows/query-filters.yml
@@ -20,6 +20,8 @@ jobs:
    name: Query Filters Tests
    timeout-minutes: 45
    runs-on: ubuntu-latest
+    permissions:
+      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
    steps:
    - name: Check out repository
      uses: actions/checkout@v4
--- a/.github/workflows/rebuild.yml
+++ b/.github/workflows/rebuild.yml
@@ -11,6 +11,9 @@ jobs:
    runs-on: ubuntu-latest
    if: github.event.label.name == 'Rebuild'

+    permissions:
+      contents: write # needed to push rebuilt commit
+      pull-requests: write # needed to comment on the PR
    steps:
      - name: Checkout
        uses: actions/checkout@v4
--- a/.github/workflows/test-codeql-bundle-all.yml
+++ b/.github/workflows/test-codeql-bundle-all.yml
@@ -27,7 +27,7 @@ jobs:
    name: 'CodeQL Bundle All'
    permissions:
      contents: read
-      security-events: write
+      security-events: read
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/update-bundle.yml
+++ b/.github/workflows/update-bundle.yml
@@ -17,6 +17,9 @@ jobs:
  update-bundle:
    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
    runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to push commits
+      pull-requests: write # needed to create pull requests
    steps:
      - name: Dump environment
        run: env
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -9,6 +9,9 @@ jobs:
    timeout-minutes: 45
    runs-on: macos-latest
    if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
+    permissions:
+      contents: write # needed to push the updated dependencies
+      pull-requests: write # needed to comment on the PR
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
--- a/.github/workflows/update-release-branch.yml
+++ b/.github/workflows/update-release-branch.yml
@@ -22,6 +22,8 @@ jobs:
      latest_tag: ${{ steps.versions.outputs.latest_tag }}
      backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
      backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
+    permissions:
+      contents: read
    steps:
    - uses: actions/checkout@v4
      with:
@@ -63,6 +65,9 @@ jobs:
      REPOSITORY: "${{ github.repository }}"
      MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
      LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
+    permissions:
+      contents: write # needed to push commits
+      pull-requests: write # needed to create pull request
    steps:
    - uses: actions/checkout@v4
      with:
@@ -114,9 +119,12 @@ jobs:
    env:
      SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
      TARGET_BRANCH: ${{ matrix.target_branch }}
+    permissions:
+      contents: write # needed to push commits
+      pull-requests: write # needed to create pull request
    steps:
    - name: Generate token
-      uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755
+      uses: actions/create-github-app-token@v2.0.2
      id: app-token
      with:
        app-id: ${{ vars.AUTOMATION_APP_ID }}
--- a/.github/workflows/update-supported-enterprise-server-versions.yml
+++ b/.github/workflows/update-supported-enterprise-server-versions.yml
@@ -10,20 +10,23 @@ jobs:
    name: Update Supported Enterprise Server Versions
    timeout-minutes: 45
    runs-on: ubuntu-latest
-    if: ${{ github.repository == 'github/codeql-action' }}
+    if: github.repository == 'github/codeql-action'
+    permissions:
+      contents: write # needed to push commits
+      pull-requests: write # needed to create pull request

    steps:
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
-          python-version: "3.7"
+          python-version: "3.13"
      - name: Checkout CodeQL Action
        uses: actions/checkout@v4
      - name: Checkout Enterprise Releases
        uses: actions/checkout@v4
        with:
          repository: github/enterprise-releases
-          ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}
+          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
          path: ${{ github.workspace }}/enterprise-releases/
      - name: Update Supported Enterprise Server Versions
        run: |
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,20 +1,20 @@
 repos:
  - repo: local
    hooks:
+      - id: lint-ts
+        name: Lint typescript code
+        files: \.ts$
+        language: system
+        entry: npm run lint -- --fix
      - id: compile-ts
        name: Compile typescript
        files: \.[tj]s$
        language: system
        entry: npm run build
        pass_filenames: false
-      - id: lint-ts
-        name: Lint typescript code
-        files: \.ts$
-        language: system
-        entry: npm run lint -- --fix
      - id: pr-checks-sync
        name: Synchronize PR check workflows
        files: ^.github/workflows/__.*\.yml$|^pr-checks
        language: system
-        entry: python3 pr-checks/sync.py
+        entry: pr-checks/sync.sh
        pass_filenames: false
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,66 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 No user facing changes.

+## 3.28.16 - 23 Apr 2025
+
+- Update default CodeQL bundle version to 2.21.1. [#2863](https://github.com/github/codeql-action/pull/2863)
+
+## 3.28.15 - 07 Apr 2025
+
+- Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. [#2842](https://github.com/github/codeql-action/pull/2842)
+
+## 3.28.14 - 07 Apr 2025
+
+- Update default CodeQL bundle version to 2.21.0. [#2838](https://github.com/github/codeql-action/pull/2838)
+
+## 3.28.13 - 24 Mar 2025
+
+No user facing changes.
+
+## 3.28.12 - 19 Mar 2025
+
+- Dependency caching should now cache more dependencies for Java `build-mode: none` extractions. This should speed up workflows and avoid inconsistent alerts in some cases.
+- Update default CodeQL bundle version to 2.20.7. [#2810](https://github.com/github/codeql-action/pull/2810)
+
+## 3.28.11 - 07 Mar 2025
+
+- Update default CodeQL bundle version to 2.20.6. [#2793](https://github.com/github/codeql-action/pull/2793)
+
+## 3.28.10 - 21 Feb 2025
+
+- Update default CodeQL bundle version to 2.20.5. [#2772](https://github.com/github/codeql-action/pull/2772)
+- Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. [#2768](https://github.com/github/codeql-action/pull/2768)
+
+## 3.28.9 - 07 Feb 2025
+
+- Update default CodeQL bundle version to 2.20.4. [#2753](https://github.com/github/codeql-action/pull/2753)
+
+## 3.28.8 - 29 Jan 2025
+
+- Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. [#2744](https://github.com/github/codeql-action/pull/2744)
+
+## 3.28.7 - 29 Jan 2025
+
+No user facing changes.
+
+## 3.28.6 - 27 Jan 2025
+
+- Re-enable debug artifact upload for CLI versions 2.20.3 or greater. [#2726](https://github.com/github/codeql-action/pull/2726)
+
+## 3.28.5 - 24 Jan 2025
+
+- Update default CodeQL bundle version to 2.20.3. [#2717](https://github.com/github/codeql-action/pull/2717)
+
+## 3.28.4 - 23 Jan 2025
+
+No user facing changes.
+
+## 3.28.3 - 22 Jan 2025
+
+- Update default CodeQL bundle version to 2.20.2. [#2707](https://github.com/github/codeql-action/pull/2707)
+- Fix an issue downloading the CodeQL Bundle from a GitHub Enterprise Server instance which occurred when the CodeQL Bundle had been synced to the instance using the [CodeQL Action sync tool](https://github.com/github/codeql-action-sync-tool) and the Actions runner did not have Zstandard installed. [#2710](https://github.com/github/codeql-action/pull/2710)
+- Uploading debug artifacts for CodeQL analysis is temporarily disabled. [#2712](https://github.com/github/codeql-action/pull/2712)
+
 ## 3.28.2 - 21 Jan 2025

 No user facing changes.
--- a/30
+++ b/30
@@ -0,0 +1,30 @@
+# Perform all working copy cleanup operations
+all: lint sync
+
+# Lint source typescript
+lint:
+    npm run lint-fix
+
+# Sync generated files (javascript and PR checks)
+sync: build update-pr-checks
+
+# Perform all necessary steps to update the PR checks
+update-pr-checks:
+    pr-checks/sync.sh
+
+# Transpile typescript code into javascript
+build:
+    npm run build
+
+# Build then run all the tests
+test: build
+    npm run test
+
+# Run the tests for a single file
+test_file filename: build
+    npx ava --verbose {{filename}}
+
+[doc("Refresh the .js build artefacts in the lib directory")]
+[confirm]
+refresh-lib:
+    rm -rf lib && npm run build
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -38,11 +38,14 @@ Object.defineProperty(exports, "__esModule", { value: true });
 * It will run after the all steps in this job, in reverse order in relation to
 * other `post:` hooks.
 */
+const fs = __importStar(require("fs"));
 const core = __importStar(require("@actions/core"));
 const actionsUtil = __importStar(require("./actions-util"));
 const api_client_1 = require("./api-client");
+const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const debugArtifacts = __importStar(require("./debug-artifacts"));
+const dependency_caching_1 = require("./dependency-caching");
 const environment_1 = require("./environment");
 const logging_1 = require("./logging");
 const util_1 = require("./util");
@@ -57,7 +60,21 @@ async function runWrapper() {
        if (process.env[environment_1.EnvVar.INIT_ACTION_HAS_RUN] === "true") {
            const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
            if (config !== undefined) {
-                await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, config.gitHubVersion.type));
+                const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
+                const version = await codeql.getVersion();
+                await debugArtifacts.uploadCombinedSarifArtifacts(logger, config.gitHubVersion.type, version.version);
+            }
+        }
+        // If we analysed Java in build-mode: none, we may have downloaded dependencies
+        // to the temp directory. Clean these up so they don't persist unnecessarily
+        // long on self-hosted runners.
+        const javaTempDependencyDir = (0, dependency_caching_1.getJavaTempDependencyDir)();
+        if (fs.existsSync(javaTempDependencyDir)) {
+            try {
+                fs.rmSync(javaTempDependencyDir, { recursive: true });
+            }
+            catch (error) {
+                logger.info(`Failed to remove temporary Java dependencies directory: ${(0, util_1.getErrorMessage)(error)}`);
            }
        }
    }
--- a/lib/analyze-action-post.js.map
+++ b/lib/analyze-action-post.js.map
@@ -1 +1 @@
-{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,iDAA2C;AAC3C,kEAAoD;AACpD,+CAAuC;AACvC,uCAAwD;AACxD,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAC5B,WAAW,CAAC,qBAAqB,EAAE,EACnC,MAAM,CACP,CAAC;YACF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CACzC,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,CAC1B,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,uCAAyB;AAEzB,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,qCAAqC;AACrC,iDAA2C;AAC3C,kEAAoD;AACpD,6DAAgE;AAChE,+CAAuC;AACvC,uCAA6C;AAC7C,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAC5B,WAAW,CAAC,qBAAqB,EAAE,EACnC,MAAM,CACP,CAAC;YACF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBACjD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;gBAC1C,MAAM,cAAc,CAAC,4BAA4B,CAC/C,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,EACzB,OAAO,CAAC,OAAO,CAChB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,4EAA4E;QAC5E,+BAA+B;QAC/B,MAAM,qBAAqB,GAAG,IAAA,6CAAwB,GAAE,CAAC;QACzD,IAAI,EAAE,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC;gBACH,EAAE,CAAC,MAAM,CAAC,qBAAqB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACxD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,CACT,2DAA2D,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CACpF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -41,7 +41,6 @@ const fs = __importStar(require("fs"));
 const path_1 = __importDefault(require("path"));
 const perf_hooks_1 = require("perf_hooks");
 const core = __importStar(require("@actions/core"));
-const github = __importStar(require("@actions/github"));
 const actionsUtil = __importStar(require("./actions-util"));
 const analyze_1 = require("./analyze");
 const api_client_1 = require("./api-client");
@@ -51,6 +50,7 @@ const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const database_upload_1 = require("./database-upload");
 const dependency_caching_1 = require("./dependency-caching");
+const diff_informed_analysis_utils_1 = require("./diff-informed-analysis-utils");
 const environment_1 = require("./environment");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
@@ -160,6 +160,14 @@ async function run() {
    let dbCreationTimings = undefined;
    let didUploadTrapCaches = false;
    util.initializeEnvironment(actionsUtil.getActionVersion());
+    // Unset the CODEQL_PROXY_* environment variables, as they are not needed
+    // and can cause issues with the CodeQL CLI
+    // Check for CODEQL_PROXY_HOST: and if it is empty but set, unset it
+    if (process.env.CODEQL_PROXY_HOST === "") {
+        delete process.env.CODEQL_PROXY_HOST;
+        delete process.env.CODEQL_PROXY_PORT;
+        delete process.env.CODEQL_PROXY_CA_CERTIFICATE;
+    }
    // Make inputs accessible in the `post` step, details at
    // https://github.com/github/codeql-action/issues/2553
    actionsUtil.persistInputs();
@@ -181,22 +189,24 @@ async function run() {
        const outputDir = actionsUtil.getRequiredInput("output");
        core.exportVariable(environment_1.EnvVar.SARIF_RESULTS_OUTPUT_DIR, outputDir);
        const threads = util.getThreadsFlag(actionsUtil.getOptionalInput("threads") || process.env["CODEQL_THREADS"], logger);
-        const repositoryNwo = (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY"));
+        const repositoryNwo = (0, repository_1.getRepositoryNwo)();
        const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
        util.checkActionVersion(actionsUtil.getActionVersion(), gitHubVersion);
        const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, actionsUtil.getTemporaryDirectory(), logger);
        const memory = util.getMemoryFlag(actionsUtil.getOptionalInput("ram") || process.env["CODEQL_RAM"], logger);
-        const pull_request = github.context.payload.pull_request;
-        const diffRangePackDir = pull_request &&
-            (await (0, analyze_1.setupDiffInformedQueryRun)(pull_request.base.ref, pull_request.head.label, codeql, logger, features));
+        const branches = await (0, diff_informed_analysis_utils_1.getDiffInformedAnalysisBranches)(codeql, features, logger);
+        const diffRangePackDir = branches
+            ? await (0, analyze_1.setupDiffInformedQueryRun)(branches, logger)
+            : undefined;
        await (0, analyze_1.warnIfGoInstalledAfterInit)(config, logger);
        await runAutobuildIfLegacyGoWorkflow(config, logger);
        dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, codeql, config, logger);
+        const cleanupLevel = actionsUtil.getOptionalInput("cleanup-level") || "brutal";
        if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
-            runStats = await (0, analyze_1.runQueries)(outputDir, memory, util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), threads, diffRangePackDir, actionsUtil.getOptionalInput("category"), config, logger, features);
+            runStats = await (0, analyze_1.runQueries)(outputDir, memory, util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), threads, cleanupLevel, diffRangePackDir, actionsUtil.getOptionalInput("category"), config, logger, features);
        }
-        if (actionsUtil.getOptionalInput("cleanup-level") !== "none") {
-            await (0, analyze_1.runCleanup)(config, actionsUtil.getOptionalInput("cleanup-level") || "brutal", logger);
+        if (cleanupLevel !== "none") {
+            await (0, analyze_1.runCleanup)(config, cleanupLevel, logger);
        }
        const dbLocations = {};
        for (const language of config.languages) {
@@ -230,7 +240,7 @@ async function run() {
        }
        else if (uploadResult !== undefined &&
            actionsUtil.getRequiredInput("wait-for-processing") === "true") {
-            await uploadLib.waitForProcessing((0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), uploadResult.sarifID, (0, logging_1.getActionsLogger)());
+            await uploadLib.waitForProcessing((0, repository_1.getRepositoryNwo)(), uploadResult.sarifID, (0, logging_1.getActionsLogger)());
        }
        // If we did not throw an error yet here, but we expect one, throw it.
        if (actionsUtil.getOptionalInput("expect-error") === "true") {
--- a/lib/analyze-action.js.map
+++ b/lib/analyze-action.js.map
--- a/lib/analyze.js
+++ b/lib/analyze.js
@@ -54,11 +54,14 @@ const actionsUtil = __importStar(require("./actions-util"));
 const api_client_1 = require("./api-client");
 const autobuild_1 = require("./autobuild");
 const codeql_1 = require("./codeql");
+const dependency_caching_1 = require("./dependency-caching");
 const diagnostics_1 = require("./diagnostics");
+const diff_informed_analysis_utils_1 = require("./diff-informed-analysis-utils");
 const environment_1 = require("./environment");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
+const repository_1 = require("./repository");
 const tools_features_1 = require("./tools-features");
 const tracer_config_1 = require("./tracer-config");
 const upload_lib_1 = require("./upload-lib");
@@ -101,6 +104,14 @@ async function runExtraction(codeql, config, logger) {
                    config.buildMode === util_1.BuildMode.Autobuild) {
                    await (0, autobuild_1.setupCppAutobuild)(codeql, logger);
                }
+                // The Java `build-mode: none` extractor places dependencies (.jar files) in the
+                // database scratch directory by default. For dependency caching purposes, we want
+                // a stable path that caches can be restored into and that we can cache at the
+                // end of the workflow (i.e. that does not get removed when the scratch directory is).
+                if (language === languages_1.Language.java && config.buildMode === util_1.BuildMode.None) {
+                    process.env["CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_DEPENDENCY_DIR"] =
+                        (0, dependency_caching_1.getJavaTempDependencyDir)();
+                }
                await codeql.extractUsingBuildMode(config, language);
            }
            else {
@@ -151,21 +162,13 @@ async function finalizeDatabaseCreation(codeql, config, threadsFlag, memoryFlag,
 /**
 * Set up the diff-informed analysis feature.
 *
- * @param baseRef The base branch name, used for calculating the diff range.
- * @param headLabel The label that uniquely identifies the head branch across
- * repositories, used for calculating the diff range.
- * @param codeql
- * @param logger
- * @param features
 * @returns Absolute path to the directory containing the extension pack for
 * the diff range information, or `undefined` if the feature is disabled.
 */
-async function setupDiffInformedQueryRun(baseRef, headLabel, codeql, logger, features) {
-    if (!(await features.getValue(feature_flags_1.Feature.DiffInformedQueries, codeql))) {
-        return undefined;
-    }
+async function setupDiffInformedQueryRun(branches, logger) {
    return await (0, logging_1.withGroupAsync)("Generating diff range extension pack", async () => {
-        const diffRanges = await getPullRequestEditedDiffRanges(baseRef, headLabel, logger);
+        logger.info(`Calculating diff ranges for ${branches.base}...${branches.head}`);
+        const diffRanges = await getPullRequestEditedDiffRanges(branches, logger);
        const packDir = writeDiffRangeDataExtensionPack(logger, diffRanges);
        if (packDir === undefined) {
            logger.warning("Cannot create diff range extension pack for diff-informed queries; " +
@@ -180,17 +183,15 @@ async function setupDiffInformedQueryRun(baseRef, headLabel, codeql, logger, fea
 /**
 * Return the file line ranges that were added or modified in the pull request.
 *
- * @param baseRef The base branch name, used for calculating the diff range.
- * @param headLabel The label that uniquely identifies the head branch across
- * repositories, used for calculating the diff range.
+ * @param branches The base and head branches of the pull request.
 * @param logger
 * @returns An array of tuples, where each tuple contains the absolute path of a
 * file, the start line and the end line (both 1-based and inclusive) of an
 * added or modified range in that file. Returns `undefined` if the action was
 * not triggered by a pull request or if there was an error.
 */
-async function getPullRequestEditedDiffRanges(baseRef, headLabel, logger) {
-    const fileDiffs = await getFileDiffsWithBasehead(baseRef, headLabel, logger);
+async function getPullRequestEditedDiffRanges(branches, logger) {
+    const fileDiffs = await getFileDiffsWithBasehead(branches, logger);
    if (fileDiffs === undefined) {
        return undefined;
    }
@@ -213,15 +214,15 @@ async function getPullRequestEditedDiffRanges(baseRef, headLabel, logger) {
    }
    return results;
 }
-async function getFileDiffsWithBasehead(baseRef, headLabel, logger) {
-    const ownerRepo = util.getRequiredEnvParam("GITHUB_REPOSITORY").split("/");
-    const owner = ownerRepo[0];
-    const repo = ownerRepo[1];
-    const basehead = `${baseRef}...${headLabel}`;
+async function getFileDiffsWithBasehead(branches, logger) {
+    // Check CODE_SCANNING_REPOSITORY first. If it is empty or not set, fall back
+    // to GITHUB_REPOSITORY.
+    const repositoryNwo = (0, repository_1.getRepositoryNwoFromEnv)("CODE_SCANNING_REPOSITORY", "GITHUB_REPOSITORY");
+    const basehead = `${branches.base}...${branches.head}`;
    try {
        const response = await (0, api_client_1.getApiClient)().rest.repos.compareCommitsWithBasehead({
-            owner,
-            repo,
+            owner: repositoryNwo.owner,
+            repo: repositoryNwo.repo,
            basehead,
            per_page: 1,
        });
@@ -333,6 +334,14 @@ function writeDiffRangeDataExtensionPack(logger, ranges) {
    if (ranges === undefined) {
        return undefined;
    }
+    if (ranges.length === 0) {
+        // An empty diff range means that there are no added or modified lines in
+        // the pull request. But the `restrictAlertsTo` extensible predicate
+        // interprets an empty data extension differently, as an indication that
+        // all alerts should be included. So we need to specifically set the diff
+        // range to a non-empty list that cannot match any alert location.
+        ranges = [{ path: "", startLine: 0, endLine: 0 }];
+    }
    const diffRangeDir = path.join(actionsUtil.getTemporaryDirectory(), "pr-diff-range");
    fs.mkdirSync(diffRangeDir);
    fs.writeFileSync(path.join(diffRangeDir, "qlpack.yml"), `
@@ -349,6 +358,7 @@ extensions:
  - addsTo:
      pack: codeql/util
      extensible: restrictAlertsTo
+      checkPresence: false
    data:
 `;
    let data = ranges
@@ -368,23 +378,27 @@ extensions:
    const extensionFilePath = path.join(diffRangeDir, "pr-diff-range.yml");
    fs.writeFileSync(extensionFilePath, extensionContents);
    logger.debug(`Wrote pr-diff-range extension pack to ${extensionFilePath}:\n${extensionContents}`);
+    // Write the diff ranges to a JSON file, for action-side alert filtering by the
+    // upload-lib module.
+    (0, diff_informed_analysis_utils_1.writeDiffRangesJsonFile)(logger, ranges);
    return diffRangeDir;
 }
 // Runs queries and creates sarif files in the given folder
-async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, diffRangePackDir, automationDetailsId, config, logger, features) {
+async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, cleanupLevel, diffRangePackDir, automationDetailsId, config, logger, features) {
    const statusReport = {};
+    const queryFlags = [memoryFlag, threadsFlag];
+    if (cleanupLevel !== "overlay") {
+        queryFlags.push("--expect-discarded-cache");
+    }
    statusReport.analysis_is_diff_informed = diffRangePackDir !== undefined;
-    const dataExtensionFlags = diffRangePackDir
-        ? [
-            `--additional-packs=${diffRangePackDir}`,
-            "--extension-packs=codeql-action/pr-diff-range",
-        ]
-        : [];
+    if (diffRangePackDir) {
+        queryFlags.push(`--additional-packs=${diffRangePackDir}`);
+        queryFlags.push("--extension-packs=codeql-action/pr-diff-range");
+    }
    const sarifRunPropertyFlag = diffRangePackDir
        ? "--sarif-run-property=incrementalMode=diff-informed"
        : undefined;
    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
-    const queryFlags = [memoryFlag, threadsFlag, ...dataExtensionFlags];
    for (const language of config.languages) {
        try {
            const sarifFile = path.join(sarifFolder, `${language}.sarif`);
--- a/lib/analyze.js.map
+++ b/lib/analyze.js.map
--- a/lib/analyze.test.js
+++ b/lib/analyze.test.js
@@ -114,7 +114,7 @@ const util = __importStar(require("./util"));
            fs.mkdirSync(util.getCodeQLDatabasePath(config, language), {
                recursive: true,
            });
-            const statusReport = await (0, analyze_1.runQueries)(tmpDir, memoryFlag, addSnippetsFlag, threadsFlag, undefined, undefined, config, (0, logging_1.getRunnerLogger)(true), (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.QaTelemetryEnabled]));
+            const statusReport = await (0, analyze_1.runQueries)(tmpDir, memoryFlag, addSnippetsFlag, threadsFlag, "brutal", undefined, undefined, config, (0, logging_1.getRunnerLogger)(true), (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.QaTelemetryEnabled]));
            t.deepEqual(Object.keys(statusReport).sort(), [
                "analysis_is_diff_informed",
                `analyze_builtin_queries_${language}_duration_ms`,
--- a/lib/analyze.test.js.map
+++ b/lib/analyze.test.js.map
--- a/lib/api-client.js
+++ b/lib/api-client.js
@@ -122,14 +122,12 @@ async function getGitHubVersion() {
 * Get the path of the currently executing workflow relative to the repository root.
 */
 async function getWorkflowRelativePath() {
-    const repo_nwo = (0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY").split("/");
-    const owner = repo_nwo[0];
-    const repo = repo_nwo[1];
+    const repo_nwo = (0, repository_1.getRepositoryNwo)();
    const run_id = Number((0, util_1.getRequiredEnvParam)("GITHUB_RUN_ID"));
    const apiClient = getApiClient();
    const runsResponse = await apiClient.request("GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true", {
-        owner,
-        repo,
+        owner: repo_nwo.owner,
+        repo: repo_nwo.repo,
        run_id,
    });
    const workflowUrl = runsResponse.data.workflow_url;
@@ -187,7 +185,7 @@ function computeAutomationID(analysis_key, environment) {
 }
 /** List all Actions cache entries matching the provided key and ref. */
 async function listActionsCaches(key, ref) {
-    const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+    const repositoryNwo = (0, repository_1.getRepositoryNwo)();
    return await getApiClient().paginate("GET /repos/{owner}/{repo}/actions/caches", {
        owner: repositoryNwo.owner,
        repo: repositoryNwo.repo,
@@ -197,7 +195,7 @@ async function listActionsCaches(key, ref) {
 }
 /** Delete an Actions cache item by its ID. */
 async function deleteActionsCache(id) {
-    const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+    const repositoryNwo = (0, repository_1.getRepositoryNwo)();
    await getApiClient().rest.actions.deleteActionsCacheById({
        owner: repositoryNwo.owner,
        repo: repositoryNwo.repo,
@@ -206,11 +204,16 @@ async function deleteActionsCache(id) {
 }
 function wrapApiConfigurationError(e) {
    if ((0, util_1.isHTTPError)(e)) {
-        if (e.message.includes("API rate limit exceeded for site ID installation") ||
+        if (e.message.includes("API rate limit exceeded for installation") ||
            e.message.includes("commit not found") ||
-            /^ref .* not found in this repository$/.test(e.message)) {
+            e.message.includes("Resource not accessible by integration") ||
+            /ref .* not found in this repository/.test(e.message)) {
            return new util_1.ConfigurationError(e.message);
        }
+        else if (e.message.includes("Bad credentials") ||
+            e.message.includes("Not Found")) {
+            return new util_1.ConfigurationError("Please check that your token is valid and has the required permissions: contents: read, security-events: write");
+        }
    }
    return e;
 }
--- a/lib/api-client.js.map
+++ b/lib/api-client.js.map
--- a/lib/api-client.test.js
+++ b/lib/api-client.test.js
@@ -120,4 +120,40 @@ function mockGetMetaVersionHeader(versionHeader) {
    });
    t.deepEqual({ type: util.GitHubVariant.GHE_DOTCOM }, gheDotcom);
 });
+(0, ava_1.default)("wrapApiConfigurationError correctly wraps specific configuration errors", (t) => {
+    // We don't reclassify arbitrary errors
+    const arbitraryError = new Error("arbitrary error");
+    let res = api.wrapApiConfigurationError(arbitraryError);
+    t.is(res, arbitraryError);
+    // Same goes for arbitrary errors
+    const configError = new util.ConfigurationError("arbitrary error");
+    res = api.wrapApiConfigurationError(configError);
+    t.is(res, configError);
+    // If an HTTP error doesn't contain a specific error message, we don't
+    // wrap is an an API error.
+    const httpError = new util.HTTPError("arbitrary HTTP error", 456);
+    res = api.wrapApiConfigurationError(httpError);
+    t.is(res, httpError);
+    // For other HTTP errors, we wrap them as Configuration errors if they contain
+    // specific error messages.
+    const httpNotFoundError = new util.HTTPError("commit not found", 404);
+    res = api.wrapApiConfigurationError(httpNotFoundError);
+    t.deepEqual(res, new util.ConfigurationError("commit not found"));
+    const refNotFoundError = new util.HTTPError("ref 'refs/heads/jitsi' not found in this repository - https://docs.github.com/rest", 404);
+    res = api.wrapApiConfigurationError(refNotFoundError);
+    t.deepEqual(res, new util.ConfigurationError("ref 'refs/heads/jitsi' not found in this repository - https://docs.github.com/rest"));
+    const apiRateLimitError = new util.HTTPError("API rate limit exceeded for installation", 403);
+    res = api.wrapApiConfigurationError(apiRateLimitError);
+    t.deepEqual(res, new util.ConfigurationError("API rate limit exceeded for installation"));
+    const tokenSuggestionMessage = "Please check that your token is valid and has the required permissions: contents: read, security-events: write";
+    const badCredentialsError = new util.HTTPError("Bad credentials", 401);
+    res = api.wrapApiConfigurationError(badCredentialsError);
+    t.deepEqual(res, new util.ConfigurationError(tokenSuggestionMessage));
+    const notFoundError = new util.HTTPError("Not Found", 404);
+    res = api.wrapApiConfigurationError(notFoundError);
+    t.deepEqual(res, new util.ConfigurationError(tokenSuggestionMessage));
+    const resourceNotAccessibleError = new util.HTTPError("Resource not accessible by integration", 403);
+    res = api.wrapApiConfigurationError(resourceNotAccessibleError);
+    t.deepEqual(res, new util.ConfigurationError("Resource not accessible by integration"));
+});
 //# sourceMappingURL=api-client.test.js.map
--- a/lib/api-client.test.js.map
+++ b/lib/api-client.test.js.map
--- a/lib/api-compatibility.json
+++ b/lib/api-compatibility.json
@@ -1 +1 @@
-{ "maximumVersion": "3.16", "minimumVersion": "3.12" }
+{ "maximumVersion": "3.17", "minimumVersion": "3.12" }
--- a/lib/autobuild.js
+++ b/lib/autobuild.js
@@ -123,7 +123,7 @@ async function setupCppAutobuild(codeql, logger) {
    const envVar = feature_flags_1.featureConfig[feature_flags_1.Feature.CppDependencyInstallation].envVar;
    const featureName = "C++ automatic installation of dependencies";
    const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
-    const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+    const repositoryNwo = (0, repository_1.getRepositoryNwo)();
    const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
    if (await features.getValue(feature_flags_1.Feature.CppDependencyInstallation, codeql)) {
        // disable autoinstall on self-hosted runners unless explicitly requested
--- a/lib/autobuild.js.map
+++ b/lib/autobuild.js.map
@@ -1 +1 @@
-{"version":3,"file":"autobuild.js","sourceRoot":"","sources":["../src/autobuild.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAeA,kEAkGC;AAED,8CAqCC;AAED,oCAsBC;AAhLD,oDAAsC;AAEtC,iDAA6E;AAC7E,6CAAgD;AAChD,qCAA6C;AAE7C,uCAAmC;AACnC,+CAAuC;AACvC,mDAAmE;AACnE,2CAAyD;AAEzD,6CAAkD;AAClD,qDAAgD;AAChD,iCAAwD;AAEjD,KAAK,UAAU,2BAA2B,CAC/C,MAAc,EACd,MAA0B,EAC1B,MAAc;IAEd,IACE,CAAC,MAAM,CAAC,SAAS,KAAK,gBAAS,CAAC,IAAI;QAClC,CAAC,MAAM,MAAM,CAAC,eAAe,CAAC,6BAAY,CAAC,wBAAwB,CAAC,CAAC,CAAC;QACxE,MAAM,CAAC,SAAS,KAAK,gBAAS,CAAC,MAAM,EACrC,CAAC;QACD,MAAM,CAAC,IAAI,CACT,qBAAqB,MAAM,CAAC,SAAS,2BAA2B;YAC9D,OAAO,gBAAM,CAAC,kBAAkB,wBAAwB,CAC3D,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,0CAA0C;IAC1C,mFAAmF;IACnF,oFAAoF;IACpF,4EAA4E;IAC5E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACvD,IAAA,4BAAgB,EAAC,CAAC,CAAC,CACpB,CAAC;IAEF,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CACT,iEAAiE,CAClE,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,MAAM,2BAA2B,GAAG,kBAAkB,CAAC,MAAM,CAC3D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,oBAAQ,CAAC,EAAE,CACzB,CAAC;IAEF,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,yEAAyE;IACzE,UAAU;IACV,IAAI,2BAA2B,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;QACjD,SAAS,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC;IACD,uEAAuE;IACvE,wCAAwC;IACxC,IAAI,kBAAkB,CAAC,MAAM,KAAK,2BAA2B,CAAC,MAAM,EAAE,CAAC;QACrE,SAAS,CAAC,IAAI,CAAC,oBAAQ,CAAC,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,kBAAkB,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE3D,2EAA2E;IAC3E,4EAA4E;IAC5E,2CAA2C;IAC3C,uEAAuE;IACvE,2EAA2E;IAC3E,uEAAuE;IACvE,yCAAyC;IACzC,IAAI,2BAA2B,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,OAAO,CACZ,oCAAoC,SAAS,CAAC,IAAI,CAChD,OAAO,CACR,8BAA8B,2BAA2B;aACvD,KAAK,CAAC,CAAC,CAAC;aACR,IAAI,CACH,OAAO,CACR,kFAAkF;YACnF,OAAO,gBAAM,CAAC,4BAA4B,wBAAwB,CACrE,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,6BAAa,CAAC,uBAAO,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAAC;IACvE,MAAM,WAAW,GAAG,4CAA4C,CAAC;IACjE,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;IAC/C,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;IACF,IAAI,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,yBAAyB,EAAE,MAAM,CAAC,EAAE,CAAC;QACvE,yEAAyE;QACzE,IACE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,KAAK,aAAa;YACnD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,MAAM,EAC9B,CAAC;YACD,MAAM,CAAC,IAAI,CACT,aAAa,WAAW,sCACtB,IAAA,mCAAoB,GAAE,KAAK,SAAS;gBAClC,CAAC,CAAC,8BAA8B,MAAM,yDAAyD,gBAAM,CAAC,oBAAoB,wBAAwB;gBAClJ,CAAC,CAAC,EACN,EAAE,CACH,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CACT,YAAY,WAAW,yCAAyC,MAAM,yCAAyC,gBAAM,CAAC,oBAAoB,wBAAwB,CACnK,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,aAAa,WAAW,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,YAAY,CAChC,MAA0B,EAC1B,QAAkB,EAClB,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,qCAAqC,QAAQ,OAAO,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,QAAQ,KAAK,oBAAQ,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IACE,MAAM,CAAC,SAAS;QAChB,CAAC,MAAM,MAAM,CAAC,eAAe,CAAC,6BAAY,CAAC,wBAAwB,CAAC,CAAC,EACrE,CAAC;QACD,MAAM,MAAM,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACvD,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,QAAQ,KAAK,oBAAQ,CAAC,EAAE,EAAE,CAAC;QAC7B,IAAI,CAAC,cAAc,CAAC,oBAAM,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC"}
+{"version":3,"file":"autobuild.js","sourceRoot":"","sources":["../src/autobuild.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAeA,kEAkGC;AAED,8CAmCC;AAED,oCAsBC;AA9KD,oDAAsC;AAEtC,iDAA6E;AAC7E,6CAAgD;AAChD,qCAA6C;AAE7C,uCAAmC;AACnC,+CAAuC;AACvC,mDAAmE;AACnE,2CAAyD;AAEzD,6CAAgD;AAChD,qDAAgD;AAChD,iCAAmC;AAE5B,KAAK,UAAU,2BAA2B,CAC/C,MAAc,EACd,MAA0B,EAC1B,MAAc;IAEd,IACE,CAAC,MAAM,CAAC,SAAS,KAAK,gBAAS,CAAC,IAAI;QAClC,CAAC,MAAM,MAAM,CAAC,eAAe,CAAC,6BAAY,CAAC,wBAAwB,CAAC,CAAC,CAAC;QACxE,MAAM,CAAC,SAAS,KAAK,gBAAS,CAAC,MAAM,EACrC,CAAC;QACD,MAAM,CAAC,IAAI,CACT,qBAAqB,MAAM,CAAC,SAAS,2BAA2B;YAC9D,OAAO,gBAAM,CAAC,kBAAkB,wBAAwB,CAC3D,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,0CAA0C;IAC1C,mFAAmF;IACnF,oFAAoF;IACpF,4EAA4E;IAC5E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACvD,IAAA,4BAAgB,EAAC,CAAC,CAAC,CACpB,CAAC;IAEF,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CACT,iEAAiE,CAClE,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,MAAM,2BAA2B,GAAG,kBAAkB,CAAC,MAAM,CAC3D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,oBAAQ,CAAC,EAAE,CACzB,CAAC;IAEF,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,yEAAyE;IACzE,UAAU;IACV,IAAI,2BAA2B,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;QACjD,SAAS,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC;IACD,uEAAuE;IACvE,wCAAwC;IACxC,IAAI,kBAAkB,CAAC,MAAM,KAAK,2BAA2B,CAAC,MAAM,EAAE,CAAC;QACrE,SAAS,CAAC,IAAI,CAAC,oBAAQ,CAAC,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,kBAAkB,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE3D,2EAA2E;IAC3E,4EAA4E;IAC5E,2CAA2C;IAC3C,uEAAuE;IACvE,2EAA2E;IAC3E,uEAAuE;IACvE,yCAAyC;IACzC,IAAI,2BAA2B,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,OAAO,CACZ,oCAAoC,SAAS,CAAC,IAAI,CAChD,OAAO,CACR,8BAA8B,2BAA2B;aACvD,KAAK,CAAC,CAAC,CAAC;aACR,IAAI,CACH,OAAO,CACR,kFAAkF;YACnF,OAAO,gBAAM,CAAC,4BAA4B,wBAAwB,CACrE,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,6BAAa,CAAC,uBAAO,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAAC;IACvE,MAAM,WAAW,GAAG,4CAA4C,CAAC;IACjE,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;IAC/C,MAAM,aAAa,GAAG,IAAA,6BAAgB,GAAE,CAAC;IACzC,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;IACF,IAAI,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,yBAAyB,EAAE,MAAM,CAAC,EAAE,CAAC;QACvE,yEAAyE;QACzE,IACE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,KAAK,aAAa;YACnD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,MAAM,EAC9B,CAAC;YACD,MAAM,CAAC,IAAI,CACT,aAAa,WAAW,sCACtB,IAAA,mCAAoB,GAAE,KAAK,SAAS;gBAClC,CAAC,CAAC,8BAA8B,MAAM,yDAAyD,gBAAM,CAAC,oBAAoB,wBAAwB;gBAClJ,CAAC,CAAC,EACN,EAAE,CACH,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CACT,YAAY,WAAW,yCAAyC,MAAM,yCAAyC,gBAAM,CAAC,oBAAoB,wBAAwB,CACnK,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,aAAa,WAAW,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,YAAY,CAChC,MAA0B,EAC1B,QAAkB,EAClB,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,qCAAqC,QAAQ,OAAO,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,QAAQ,KAAK,oBAAQ,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IACE,MAAM,CAAC,SAAS;QAChB,CAAC,MAAM,MAAM,CAAC,eAAe,CAAC,6BAAY,CAAC,wBAAwB,CAAC,CAAC,EACrE,CAAC;QACD,MAAM,MAAM,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACvD,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,QAAQ,KAAK,oBAAQ,CAAC,EAAE,EAAE,CAAC;QAC7B,IAAI,CAAC,cAAc,CAAC,oBAAM,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC"}
--- a/lib/cli-errors.js
+++ b/lib/cli-errors.js
@@ -110,6 +110,7 @@ function extractAutobuildErrors(error) {
 var CliConfigErrorCategory;
 (function (CliConfigErrorCategory) {
    CliConfigErrorCategory["AutobuildError"] = "AutobuildError";
+    CliConfigErrorCategory["CouldNotCreateTempDir"] = "CouldNotCreateTempDir";
    CliConfigErrorCategory["ExternalRepositoryCloneFailed"] = "ExternalRepositoryCloneFailed";
    CliConfigErrorCategory["GradleBuildFailed"] = "GradleBuildFailed";
    CliConfigErrorCategory["IncompatibleWithActionVersion"] = "IncompatibleWithActionVersion";
@@ -139,6 +140,9 @@ exports.cliErrorsConfig = {
            new RegExp("We were unable to automatically build your code"),
        ],
    },
+    [CliConfigErrorCategory.CouldNotCreateTempDir]: {
+        cliErrorMessageCandidates: [new RegExp("Could not create temp directory")],
+    },
    [CliConfigErrorCategory.ExternalRepositoryCloneFailed]: {
        cliErrorMessageCandidates: [
            new RegExp("Failed to clone external Git repository"),
--- a/lib/cli-errors.js.map
+++ b/lib/cli-errors.js.map
--- a/lib/codeql.js
+++ b/lib/codeql.js
@@ -55,6 +55,7 @@ const environment_1 = require("./environment");
 const feature_flags_1 = require("./feature-flags");
 const git_utils_1 = require("./git-utils");
 const languages_1 = require("./languages");
+const overlay_database_utils_1 = require("./overlay-database-utils");
 const setupCodeql = __importStar(require("./setup-codeql"));
 const tools_features_1 = require("./tools-features");
 const tracer_config_1 = require("./tracer-config");
@@ -133,7 +134,11 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
        };
    }
    catch (e) {
-        throw new Error(`Unable to download and extract CodeQL CLI: ${(0, util_1.getErrorMessage)(e)}${e instanceof Error && e.stack ? `\n\nDetails: ${e.stack}` : ""}`);
+        const ErrorClass = e instanceof util.ConfigurationError ||
+            (e instanceof Error && e.message.includes("ENOSPC")) // out of disk space
+            ? util.ConfigurationError
+            : Error;
+        throw new ErrorClass(`Unable to download and extract CodeQL CLI: ${(0, util_1.getErrorMessage)(e)}${e instanceof Error && e.stack ? `\n\nDetails: ${e.stack}` : ""}`);
    }
 }
 /**
@@ -250,7 +255,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
        async supportsFeature(feature) {
            return (0, tools_features_1.isSupportedToolsFeature)(await this.getVersion(), feature);
        },
-        async databaseInitCluster(config, sourceRoot, processName, qlconfigFile, logger) {
+        async databaseInitCluster(config, sourceRoot, processName, qlconfigFile, overlayDatabaseMode, logger) {
            const extraArgs = config.languages.map((language) => `--language=${language}`);
            if (await (0, tracer_config_1.shouldEnableIndirectTracing)(codeql, config)) {
                extraArgs.push("--begin-tracing");
@@ -258,9 +263,17 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                extraArgs.push(`--trace-process-name=${processName}`);
            }
            if (config.languages.indexOf(languages_1.Language.actions) >= 0) {
-                extraArgs.push("--search-path");
-                const extractorPath = path.resolve(__dirname, "../actions-extractor");
-                extraArgs.push(extractorPath);
+                // We originally added an embedded version of the Actions extractor to the CodeQL Action
+                // itself in order to deploy the extractor between CodeQL releases. When we did add the
+                // extractor to the CLI, though, its autobuild script was missing the execute bit.
+                // 2.20.6 is the first CLI release with the fully-functional extractor in the CLI. For older
+                // versions, we'll keep using the embedded extractor. We can remove the embedded extractor
+                // once 2.20.6 is deployed in the runner images.
+                if (!(await util.codeQlVersionAtLeast(codeql, "2.20.6"))) {
+                    extraArgs.push("--search-path");
+                    const extractorPath = path.resolve(__dirname, "../actions-extractor");
+                    extraArgs.push(extractorPath);
+                }
            }
            const codeScanningConfigFile = await generateCodeScanningConfig(config, logger);
            const externalRepositoryToken = (0, actions_util_1.getOptionalInput)("external-repository-token");
@@ -278,10 +291,19 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            const overwriteFlag = (0, tools_features_1.isSupportedToolsFeature)(await this.getVersion(), tools_features_1.ToolsFeature.ForceOverwrite)
                ? "--force-overwrite"
                : "--overwrite";
+            if (overlayDatabaseMode === overlay_database_utils_1.OverlayDatabaseMode.Overlay) {
+                const overlayChangesFile = await (0, overlay_database_utils_1.writeOverlayChangesFile)(config, sourceRoot, logger);
+                extraArgs.push(`--overlay-changes=${overlayChangesFile}`);
+            }
+            else if (overlayDatabaseMode === overlay_database_utils_1.OverlayDatabaseMode.OverlayBase) {
+                extraArgs.push("--overlay-base");
+            }
            await runCli(cmd, [
                "database",
                "init",
-                overwriteFlag,
+                ...(overlayDatabaseMode === overlay_database_utils_1.OverlayDatabaseMode.Overlay
+                    ? []
+                    : [overwriteFlag]),
                "--db-cluster",
                config.dbLocation,
                `--source-root=${sourceRoot}`,
@@ -293,6 +315,9 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                    ignoringOptions: ["--overwrite"],
                }),
            ], { stdin: externalRepositoryToken });
+            if (overlayDatabaseMode === overlay_database_utils_1.OverlayDatabaseMode.OverlayBase) {
+                await (0, overlay_database_utils_1.writeBaseDatabaseOidsFile)(config, sourceRoot);
+            }
        },
        async runAutobuild(config, language) {
            applyAutobuildAzurePipelinesTimeoutFix();
@@ -446,7 +471,6 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                "run-queries",
                ...flags,
                databasePath,
-                "--expect-discarded-cache",
                "--intra-layer-parallelism",
                "--min-disk-free=1024", // Try to leave at least 1GB free
                "-v",
@@ -785,6 +809,13 @@ async function generateCodeScanningConfig(config, logger) {
    if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
        delete augmentedConfig.packs;
    }
+    augmentedConfig["query-filters"] = [
+        ...(config.augmentationProperties.defaultQueryFilters || []),
+        ...(augmentedConfig["query-filters"] || []),
+    ];
+    if (augmentedConfig["query-filters"]?.length === 0) {
+        delete augmentedConfig["query-filters"];
+    }
    logger.info(`Writing augmented user configuration file to ${codeScanningConfigFile}`);
    logger.startGroup("Augmented user configuration file contents");
    logger.info(yaml.dump(augmentedConfig));
--- a/lib/codeql.js.map
+++ b/lib/codeql.js.map
--- a/lib/codeql.test.js
+++ b/lib/codeql.test.js
@@ -53,6 +53,7 @@ const defaults = __importStar(require("./defaults.json"));
 const doc_url_1 = require("./doc-url");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
+const overlay_database_utils_1 = require("./overlay-database-utils");
 const setup_codeql_1 = require("./setup-codeql");
 const testing_utils_1 = require("./testing-utils");
 const tools_features_1 = require("./tools-features");
@@ -335,7 +336,7 @@ const injectedConfigMacro = ava_1.default.macro({
                tempDir,
                augmentationProperties,
            };
-            await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, undefined, (0, logging_1.getRunnerLogger)(true));
+            await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, undefined, overlay_database_utils_1.OverlayDatabaseMode.None, (0, logging_1.getRunnerLogger)(true));
            const args = runnerConstructorStub.firstCall.args[1];
            // should have used an config file
            const configArg = args.find((arg) => arg.startsWith("--codescanning-config="));
@@ -471,7 +472,7 @@ const injectedConfigMacro = ava_1.default.macro({
        const runnerConstructorStub = stubToolRunnerConstructor();
        const codeqlObject = await codeql.getCodeQLForTesting();
        sinon.stub(codeqlObject, "getVersion").resolves((0, testing_utils_1.makeVersionInfo)("2.17.6"));
-        await codeqlObject.databaseInitCluster({ ...stubConfig, tempDir }, "", undefined, "/path/to/qlconfig.yml", (0, logging_1.getRunnerLogger)(true));
+        await codeqlObject.databaseInitCluster({ ...stubConfig, tempDir }, "", undefined, "/path/to/qlconfig.yml", overlay_database_utils_1.OverlayDatabaseMode.None, (0, logging_1.getRunnerLogger)(true));
        const args = runnerConstructorStub.firstCall.args[1];
        // should have used a config file
        const hasCodeScanningConfigArg = args.some((arg) => arg.startsWith("--codescanning-config="));
@@ -487,7 +488,7 @@ const injectedConfigMacro = ava_1.default.macro({
        const codeqlObject = await codeql.getCodeQLForTesting();
        sinon.stub(codeqlObject, "getVersion").resolves((0, testing_utils_1.makeVersionInfo)("2.17.6"));
        await codeqlObject.databaseInitCluster({ ...stubConfig, tempDir }, "", undefined, undefined, // undefined qlconfigFile
-        (0, logging_1.getRunnerLogger)(true));
+        overlay_database_utils_1.OverlayDatabaseMode.None, (0, logging_1.getRunnerLogger)(true));
        const args = runnerConstructorStub.firstCall.args[1];
        const hasQlconfigArg = args.some((arg) => arg.startsWith("--qlconfig-file="));
        t.false(hasQlconfigArg, "should NOT have injected a qlconfig");
@@ -612,7 +613,7 @@ for (const { codeqlVersion, flagPassed, githubVersion, negativeFlagPassed, } of
    sinon.stub(io, "which").resolves("");
    await t.throwsAsync(async () => await codeqlObject.databaseRunQueries(stubConfig.dbLocation, []), {
        instanceOf: cli_errors_1.CliError,
-        message: `Encountered a fatal error while running "codeql-for-testing database run-queries  --expect-discarded-cache --intra-layer-parallelism --min-disk-free=1024 -v". Exit code was 1 and error was: Oops! A fatal internal error occurred. Details:
+        message: `Encountered a fatal error while running "codeql-for-testing database run-queries  --intra-layer-parallelism --min-disk-free=1024 -v". Exit code was 1 and error was: Oops! A fatal internal error occurred. Details:
    com.semmle.util.exception.CatastrophicError: An error occurred while evaluating ControlFlowGraph::ControlFlow::Root.isRootOf/1#dispred#f610e6ed/2@86282cc8
    Severe disk cache trouble (corruption or out of space) at /home/runner/work/_temp/codeql_databases/go/db-go/default/cache/pages/28/33.pack: Failed to write item to disk. See the logs for more details.`,
    });
@@ -638,7 +639,7 @@ for (const { codeqlVersion, flagPassed, githubVersion, negativeFlagPassed, } of
    sinon.stub(io, "which").resolves("");
    process.env["CODEQL_ACTION_EXTRA_OPTIONS"] =
        '{ "database": { "init": ["--overwrite"] } }';
-    await codeqlObject.databaseInitCluster(stubConfig, "sourceRoot", undefined, undefined, (0, logging_1.getRunnerLogger)(false));
+    await codeqlObject.databaseInitCluster(stubConfig, "sourceRoot", undefined, undefined, overlay_database_utils_1.OverlayDatabaseMode.None, (0, logging_1.getRunnerLogger)(false));
    t.true(runnerConstructorStub.calledOnce);
    const args = runnerConstructorStub.firstCall.args[1];
    t.is(args.filter((option) => option === "--overwrite").length, 1, "--overwrite should only be passed once");
--- a/lib/codeql.test.js.map
+++ b/lib/codeql.test.js.map
--- a/lib/config-utils.js
+++ b/lib/config-utils.js
@@ -64,6 +64,7 @@ const yaml = __importStar(require("js-yaml"));
 const semver = __importStar(require("semver"));
 const api = __importStar(require("./api-client"));
 const caching_utils_1 = require("./caching-utils");
+const diff_informed_analysis_utils_1 = require("./diff-informed-analysis-utils");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const trap_caching_1 = require("./trap-caching");
@@ -79,6 +80,7 @@ exports.defaultAugmentationProperties = {
    packsInputCombines: false,
    packsInput: undefined,
    queriesInput: undefined,
+    defaultQueryFilters: [],
 };
 function getPacksStrInvalid(packStr, configFile) {
    return configFile
@@ -227,7 +229,7 @@ async function getRawLanguages(languagesInput, repository, logger) {
 async function getDefaultConfig({ languagesInput, queriesInput, packsInput, buildModeInput, dbLocation, trapCachingEnabled, dependencyCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeql, githubVersion, features, logger, }) {
    const languages = await getLanguages(codeql, languagesInput, repository, logger);
    const buildMode = await parseBuildModeInput(buildModeInput, languages, features, logger);
-    const augmentationProperties = calculateAugmentation(packsInput, queriesInput, languages);
+    const augmentationProperties = await calculateAugmentation(codeql, features, packsInput, queriesInput, languages, logger);
    const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(trapCachingEnabled, codeql, languages, logger);
    return {
        languages,
@@ -277,7 +279,7 @@ async function loadConfig({ languagesInput, queriesInput, packsInput, buildModeI
    }
    const languages = await getLanguages(codeql, languagesInput, repository, logger);
    const buildMode = await parseBuildModeInput(buildModeInput, languages, features, logger);
-    const augmentationProperties = calculateAugmentation(packsInput, queriesInput, languages);
+    const augmentationProperties = await calculateAugmentation(codeql, features, packsInput, queriesInput, languages, logger);
    const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(trapCachingEnabled, codeql, languages, logger);
    return {
        languages,
@@ -303,11 +305,14 @@ async function loadConfig({ languagesInput, queriesInput, packsInput, buildModeI
 * and the CLI does not know about these inputs so we need to inject them into
 * the config file sent to the CLI.
 *
+ * @param codeql The CodeQL object.
+ * @param features The feature enablement object.
 * @param rawPacksInput The packs input from the action configuration.
 * @param rawQueriesInput The queries input from the action configuration.
 * @param languages The languages that the config file is for. If the packs input
 *    is non-empty, then there must be exactly one language. Otherwise, an
 *    error is thrown.
+ * @param logger The logger to use for logging.
 *
 * @returns The properties that need to be augmented in the config file.
 *
@@ -315,16 +320,21 @@ async function loadConfig({ languagesInput, queriesInput, packsInput, buildModeI
 *     not have exactly one language.
 */
 // exported for testing.
-function calculateAugmentation(rawPacksInput, rawQueriesInput, languages) {
+async function calculateAugmentation(codeql, features, rawPacksInput, rawQueriesInput, languages, logger) {
    const packsInputCombines = shouldCombine(rawPacksInput);
    const packsInput = parsePacksFromInput(rawPacksInput, languages, packsInputCombines);
    const queriesInputCombines = shouldCombine(rawQueriesInput);
    const queriesInput = parseQueriesFromInput(rawQueriesInput, queriesInputCombines);
+    const defaultQueryFilters = [];
+    if (await (0, diff_informed_analysis_utils_1.shouldPerformDiffInformedAnalysis)(codeql, features, logger)) {
+        defaultQueryFilters.push({ exclude: { tags: "exclude-from-incremental" } });
+    }
    return {
        packsInputCombines,
        packsInput: packsInput?.[languages[0]],
        queriesInput,
        queriesInputCombines,
+        defaultQueryFilters,
    };
 }
 function parseQueriesFromInput(rawQueriesInput, queriesInputCombines) {
--- a/Show More
+++ b/Show More