Remove push trigger from manual checks

To avoid issues with concurrency groups
Merge pull request #3288 from github/update-bundle/codeql-bundle-v2.23.5
2025-12-26 09:10:07 +08:00 · 2025-11-13 20:53:54 +00:00 · 2025-11-13 20:50:51 +00:00 · 2025-11-13 20:11:59 +00:00 · 2025-11-13 20:11:33 +00:00 · 2025-11-13 19:53:24 +00:00
81 changed files with 2175 additions and 879 deletions
--- a/.github/workflows/__all-platform-bundle.yml
+++ b/.github/workflows/__all-platform-bundle.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -74,6 +84,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - id: init
        uses: ./../action/init
        with:
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -85,6 +95,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/__autobuild-action.yml
+++ b/.github/workflows/__autobuild-action.yml
@@ -21,9 +21,19 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
-    inputs: {}
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
-    inputs: {}
+    inputs:
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -59,6 +69,10 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: csharp
--- a/.github/workflows/__build-mode-manual.yml
+++ b/.github/workflows/__build-mode-manual.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -70,6 +80,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
--- a/.github/workflows/__export-file-baseline-information.yml
+++ b/.github/workflows/__export-file-baseline-information.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -74,6 +84,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -72,6 +82,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          languages: go
--- a/.github/workflows/__go.yml
+++ b/.github/workflows/__go.yml
@@ -8,9 +8,6 @@ env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
 on:
-  push:
-    paths:
-      - .github/workflows/__go.yml
  workflow_dispatch:
    inputs:
      go-version:
@@ -18,6 +15,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 jobs:
  go-custom-queries:
    name: 'Go: Custom queries'
@@ -27,6 +29,7 @@ jobs:
    uses: ./.github/workflows/__go-custom-queries.yml
    with:
      go-version: ${{ inputs.go-version }}
+      dotnet-version: ${{ inputs.dotnet-version }}
  go-indirect-tracing-workaround-diagnostic:
    name: 'Go: diagnostic when Go is changed after init step'
    permissions:
--- a/.github/workflows/__local-bundle.yml
+++ b/.github/workflows/__local-bundle.yml
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -85,6 +95,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Fetch latest CodeQL bundle
        run: |
          wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -119,6 +129,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -96,6 +106,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -81,6 +91,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -81,6 +91,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging.yml
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -81,6 +91,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging2.yml
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -87,6 +97,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -80,6 +90,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          config-file: .github/codeql/codeql-config-packaging3.yml
--- a/.github/workflows/__swift-custom-build.yml
+++ b/.github/workflows/__swift-custom-build.yml
@@ -27,6 +27,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -34,6 +39,11 @@ on:
        description: The version of Go to install
        required: false
        default: '>=1.21.0'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -74,6 +84,10 @@ jobs:
        with:
          go-version: ${{ inputs.go-version || '>=1.21.0' }}
          cache: false
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Use Xcode 16
        if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
        run: sudo xcode-select -s "/Applications/Xcode_16.app"
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -87,6 +97,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        id: init
        with:
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -85,6 +95,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/__upload-sarif.yml
+++ b/.github/workflows/__upload-sarif.yml
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -92,6 +102,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -32,6 +32,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
  workflow_call:
    inputs:
      go-version:
@@ -44,6 +49,11 @@ on:
        description: The version of Python to install
        required: false
        default: '3.13'
+      dotnet-version:
+        type: string
+        description: The version of .NET to install
+        required: false
+        default: 9.x
 defaults:
  run:
    shell: bash
@@ -85,6 +95,10 @@ jobs:
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version || '3.13' }}
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
      - name: Delete original checkout
        run: |
          # delete the original checkout so we don't accidentally use it.
--- a/.github/workflows/debug-artifacts-failure-safe.yml
+++ b/.github/workflows/debug-artifacts-failure-safe.yml
@@ -54,6 +54,10 @@ jobs:
      - uses: actions/setup-go@v6
        with:
          go-version: ^1.13.1
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: '9.x'
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
--- a/.github/workflows/debug-artifacts-safe.yml
+++ b/.github/workflows/debug-artifacts-safe.yml
@@ -50,6 +50,10 @@ jobs:
      - uses: actions/setup-go@v6
        with:
          go-version: ^1.13.1
+      - name: Install .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: '9.x'
      - uses: ./../action/init
        id: init
        with:
--- a/.github/workflows/script/bundle_changelog.py
+++ b/.github/workflows/script/bundle_changelog.py
@@ -0,0 +1,18 @@
+import os
+import re
+
+# Get the PR number from the PR URL.
+pr_number = os.environ['PR_URL'].split('/')[-1]
+changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+
+# If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
+with open('CHANGELOG.md', 'r') as f:
+    changelog = f.read()
+
+changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
+
+# Add the changelog note to the bottom of the "[UNRELEASED]" section.
+changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
+
+with open('CHANGELOG.md', 'w') as f:
+    f.write(changelog)
--- a/.github/workflows/test-codeql-bundle-all.yml
+++ b/.github/workflows/test-codeql-bundle-all.yml
@@ -43,6 +43,10 @@ jobs:
      with:
        version: ${{ matrix.version }}
        use-all-platform-bundle: true
+    - name: Install .NET
+      uses: actions/setup-dotnet@v5
+      with:
+        dotnet-version: '9.x'
    - id: init
      uses: ./../action/init
      with:
--- a/.github/workflows/update-bundle.yml
+++ b/.github/workflows/update-bundle.yml
@@ -40,6 +40,11 @@ jobs:
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'
+
      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
@@ -78,28 +83,8 @@ jobs:
          echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"

      - name: Create changelog note
-        shell: python
        run: |
-          import os
-          import re
-
-          # Get the PR number from the PR URL.
-          pr_number = os.environ['PR_URL'].split('/')[-1]
-          changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
-
-          # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
-          # Use perl to avoid having to escape the newline character.
-
-          with open('CHANGELOG.md', 'r') as f:
-              changelog = f.read()
-
-          changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
-
-          # Add the changelog note to the bottom of the "[UNRELEASED]" section.
-          changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
-
-          with open('CHANGELOG.md', 'w') as f:
-              f.write(changelog)
+          python .github/workflows/script/bundle_changelog.py

      - name: Push changelog note
        run: |
--- a/.github/workflows/update-supported-enterprise-server-versions.yml
+++ b/.github/workflows/update-supported-enterprise-server-versions.yml
@@ -4,6 +4,12 @@ on:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/update-supported-enterprise-server-versions.yml
+      - .github/workflows/update-supported-enterprise-server-versions/update.py

 jobs:
  update-supported-enterprise-server-versions:
@@ -28,6 +34,7 @@ jobs:
          repository: github/enterprise-releases
          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
          path: ${{ github.workspace }}/enterprise-releases/
+          sparse-checkout: releases.json
      - name: Update Supported Enterprise Server Versions
        run: |
          cd ./.github/workflows/update-supported-enterprise-server-versions/
@@ -35,6 +42,7 @@ jobs:
          pipenv install
          pipenv run ./update.py
          rm --recursive "$ENTERPRISE_RELEASES_PATH"
+          npm ci
          npm run build
        env:
          ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
@@ -44,25 +52,33 @@ jobs:
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

-      - name: Commit changes and open PR
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Commit changes
+        id: prepare-commit
        run: |
          if [[ -z $(git status --porcelain) ]]; then
            echo "No changes to commit"
+            echo "committed=false" >> $GITHUB_OUTPUT
          else
            git checkout -b update-supported-enterprise-server-versions
            git add .
            git commit --message "Update supported GitHub Enterprise Server versions"
-            git push origin update-supported-enterprise-server-versions

-            body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
-            body+="version is about to be feature frozen, or because an old release has been deprecated."
-            body+=$'\n\n'
-            body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
-            body+="deprecate the corresponding version of CodeQL."
-
-            gh pr create --draft \
-              --title "Update supported GitHub Enterprise Server versions" \
-              --body "$body"
+            echo "committed=true" >> $GITHUB_OUTPUT
          fi
+
+      - name: Open PR
+        if: github.event_name != 'pull_request' && steps.prepare-commit.outputs.committed == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git push origin update-supported-enterprise-server-versions
+
+          body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
+          body+="version is about to be feature frozen, or because an old release has been deprecated."
+          body+=$'\n\n'
+          body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
+          body+="deprecate the corresponding version of CodeQL."
+
+          gh pr create --draft \
+            --title "Update supported GitHub Enterprise Server versions" \
+            --body "$body"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,8 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

-No user facing changes.
+- CodeQL Action v3 will be deprecated in December 2026.  The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
+- Update default CodeQL bundle version to 2.23.5. [#3288](https://github.com/github/codeql-action/pull/3288)

 ## 4.31.2 - 30 Oct 2025

--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -12,6 +12,7 @@ import filenames from "eslint-plugin-filenames";
 import github from "eslint-plugin-github";
 import _import from "eslint-plugin-import";
 import noAsyncForeach from "eslint-plugin-no-async-foreach";
+import jsdoc from "eslint-plugin-jsdoc";
 import globals from "globals";

 const __filename = fileURLToPath(import.meta.url);
@@ -52,6 +53,7 @@ export default [
      github: fixupPluginRules(github),
      import: fixupPluginRules(_import),
      "no-async-foreach": noAsyncForeach,
+      "jsdoc": jsdoc,
    },

    languageOptions: {
@@ -133,6 +135,16 @@ export default [
      "@typescript-eslint/no-shadow": "error",
      "@typescript-eslint/prefer-optional-chain": "error",
      "one-var": ["error", "never"],
+
+      // Check param names to ensure that we don't have outdated JSDocs.
+      "jsdoc/check-param-names": [
+        "error",
+        {
+          // We don't currently require full JSDoc coverage, so this rule
+          // should not error on missing @param annotations.
+          disableMissingParamChecks: true,
+        }
+      ],
    },
  },
  {
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.1",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
        "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
        "eslint-plugin-github": "^5.1.8",
        "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
        nock: "^14.0.10",
@@ -119927,6 +119928,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: "2.15.0"
  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
  ["diff_informed_queries" /* DiffInformedQueries */]: {
    defaultValue: true,
    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
@@ -119955,12 +119961,6 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
  ["overlay_analysis" /* OverlayAnalysis */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.1",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
        "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
        "eslint-plugin-github": "^5.1.8",
        "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
        nock: "^14.0.10",
@@ -87413,14 +87414,14 @@ async function checkDiskUsage(logger) {
  }
 }
 function checkActionVersion(version, githubVersion) {
-  if (!semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+  if (!semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
  !process.env["CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */]) {
    if (githubVersion.type === 0 /* DOTCOM */ || githubVersion.type === 2 /* GHE_DOTCOM */ || githubVersion.type === 1 /* GHES */ && semver.satisfies(
      semver.coerce(githubVersion.version) ?? "0.0.0",
-      ">=3.11"
+      ">=3.20"
    )) {
      core3.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/"
+        "CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/"
      );
      core3.exportVariable("CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */, "true");
    }
@@ -88172,6 +88173,7 @@ var fs6 = __toESM(require("fs"));
 var path6 = __toESM(require("path"));

 // src/caching-utils.ts
+var crypto = __toESM(require("crypto"));
 var core6 = __toESM(require_core());
 async function getTotalCacheSize(paths, logger, quiet = false) {
  const sizes = await Promise.all(
@@ -88182,6 +88184,11 @@ async function getTotalCacheSize(paths, logger, quiet = false) {
 function shouldStoreCache(kind) {
  return kind === "full" /* Full */ || kind === "store" /* Store */;
 }
+var cacheKeyHashLength = 16;
+function createCacheKeyHash(components) {
+  const componentsJson = JSON.stringify(components);
+  return crypto.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength);
+}

 // src/config/db-config.ts
 var jsonschema = __toESM(require_lib3());
@@ -88203,11 +88210,10 @@ var path4 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.3";
+var bundleVersion = "codeql-bundle-v2.23.5";
+var cliVersion = "2.23.5";

 // src/overlay-database-utils.ts
-var crypto = __toESM(require("crypto"));
 var fs3 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
 var actionsCache = __toESM(require_cache3());
@@ -88619,10 +88625,6 @@ async function getCacheRestoreKeyPrefix(config, codeQlVersion) {
  const componentsHash = createCacheKeyHash(cacheKeyComponents);
  return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languages}-${codeQlVersion}-`;
 }
-function createCacheKeyHash(components) {
-  const componentsJson = JSON.stringify(components);
-  return crypto.createHash("sha256").update(componentsJson).digest("hex").substring(0, 16);
-}

 // src/tools-features.ts
 var semver3 = __toESM(require_semver2());
@@ -88656,6 +88658,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: "2.15.0"
  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
  ["diff_informed_queries" /* DiffInformedQueries */]: {
    defaultValue: true,
    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
@@ -88684,12 +88691,6 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
  ["overlay_analysis" /* OverlayAnalysis */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -91058,66 +91059,107 @@ var CODEQL_DEPENDENCY_CACHE_VERSION = 1;
 function getJavaTempDependencyDir() {
  return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository");
 }
-function getDefaultCacheConfig() {
-  return {
-    java: {
-      paths: [
-        // Maven
-        (0, import_path.join)(os3.homedir(), ".m2", "repository"),
-        // Gradle
-        (0, import_path.join)(os3.homedir(), ".gradle", "caches"),
-        // CodeQL Java build-mode: none
-        getJavaTempDependencyDir()
-      ],
-      hash: [
-        // Maven
-        "**/pom.xml",
-        // Gradle
-        "**/*.gradle*",
-        "**/gradle-wrapper.properties",
-        "buildSrc/**/Versions.kt",
-        "buildSrc/**/Dependencies.kt",
-        "gradle/*.versions.toml",
-        "**/versions.properties"
-      ]
-    },
-    csharp: {
-      paths: [(0, import_path.join)(os3.homedir(), ".nuget", "packages")],
-      hash: [
-        // NuGet
-        "**/packages.lock.json",
-        // Paket
-        "**/paket.lock"
-      ]
-    },
-    go: {
-      paths: [(0, import_path.join)(os3.homedir(), "go", "pkg", "mod")],
-      hash: ["**/go.sum"]
-    }
-  };
+function getJavaDependencyDirs() {
+  return [
+    // Maven
+    (0, import_path.join)(os3.homedir(), ".m2", "repository"),
+    // Gradle
+    (0, import_path.join)(os3.homedir(), ".gradle", "caches"),
+    // CodeQL Java build-mode: none
+    getJavaTempDependencyDir()
+  ];
 }
+async function makePatternCheck(patterns) {
+  const globber = await makeGlobber(patterns);
+  if ((await globber.glob()).length === 0) {
+    return void 0;
+  }
+  return patterns;
+}
+var CSHARP_BASE_PATTERNS = [
+  // NuGet
+  "**/packages.lock.json",
+  // Paket
+  "**/paket.lock"
+];
+var CSHARP_EXTRA_PATTERNS = [
+  "**/*.csproj",
+  "**/packages.config",
+  "**/nuget.config"
+];
+async function getCsharpHashPatterns(codeql, features) {
+  const basePatterns = await internal.makePatternCheck(CSHARP_BASE_PATTERNS);
+  if (basePatterns !== void 0) {
+    return basePatterns;
+  }
+  if (await features.getValue("csharp_new_cache_key" /* CsharpNewCacheKey */, codeql)) {
+    return internal.makePatternCheck(CSHARP_EXTRA_PATTERNS);
+  }
+  return void 0;
+}
+var defaultCacheConfigs = {
+  java: {
+    getDependencyPaths: getJavaDependencyDirs,
+    getHashPatterns: async () => internal.makePatternCheck([
+      // Maven
+      "**/pom.xml",
+      // Gradle
+      "**/*.gradle*",
+      "**/gradle-wrapper.properties",
+      "buildSrc/**/Versions.kt",
+      "buildSrc/**/Dependencies.kt",
+      "gradle/*.versions.toml",
+      "**/versions.properties"
+    ])
+  },
+  csharp: {
+    getDependencyPaths: () => [(0, import_path.join)(os3.homedir(), ".nuget", "packages")],
+    getHashPatterns: getCsharpHashPatterns
+  },
+  go: {
+    getDependencyPaths: () => [(0, import_path.join)(os3.homedir(), "go", "pkg", "mod")],
+    getHashPatterns: async () => internal.makePatternCheck(["**/go.sum"])
+  }
+};
 async function makeGlobber(patterns) {
  return glob.create(patterns.join("\n"));
 }
-async function uploadDependencyCaches(config, logger, minimizeJavaJars) {
+async function checkHashPatterns(codeql, features, language, cacheConfig, checkType, logger) {
+  const patterns = await cacheConfig.getHashPatterns(codeql, features);
+  if (patterns === void 0) {
+    logger.info(
+      `Skipping ${checkType} of dependency cache for ${language} as we cannot calculate a hash for the cache key.`
+    );
+  }
+  return patterns;
+}
+async function uploadDependencyCaches(codeql, features, config, logger) {
  const status = [];
  for (const language of config.languages) {
-    const cacheConfig = getDefaultCacheConfig()[language];
+    const cacheConfig = defaultCacheConfigs[language];
    if (cacheConfig === void 0) {
      logger.info(
        `Skipping upload of dependency cache for ${language} as we have no caching configuration for it.`
      );
      continue;
    }
-    const globber = await makeGlobber(cacheConfig.hash);
-    if ((await globber.glob()).length === 0) {
+    const patterns = await checkHashPatterns(
+      codeql,
+      features,
+      language,
+      cacheConfig,
+      "upload",
+      logger
+    );
+    if (patterns === void 0) {
      status.push({ language, result: "no-hash" /* NoHash */ });
-      logger.info(
-        `Skipping upload of dependency cache for ${language} as we cannot calculate a hash for the cache key.`
-      );
      continue;
    }
-    const size = await getTotalCacheSize(cacheConfig.paths, logger, true);
+    const size = await getTotalCacheSize(
+      cacheConfig.getDependencyPaths(),
+      logger,
+      true
+    );
    if (size === 0) {
      status.push({ language, result: "empty" /* Empty */ });
      logger.info(
@@ -91125,13 +91167,13 @@ async function uploadDependencyCaches(config, logger, minimizeJavaJars) {
      );
      continue;
    }
-    const key = await cacheKey2(language, cacheConfig, minimizeJavaJars);
+    const key = await cacheKey2(codeql, features, language, patterns);
    logger.info(
      `Uploading cache of size ${size} for ${language} with key ${key}...`
    );
    try {
      const start = performance.now();
-      await actionsCache3.saveCache(cacheConfig.paths, key);
+      await actionsCache3.saveCache(cacheConfig.getDependencyPaths(), key);
      const upload_duration_ms = Math.round(performance.now() - start);
      status.push({
        language,
@@ -91153,22 +91195,50 @@ async function uploadDependencyCaches(config, logger, minimizeJavaJars) {
  }
  return status;
 }
-async function cacheKey2(language, cacheConfig, minimizeJavaJars = false) {
-  const hash2 = await glob.hashFiles(cacheConfig.hash.join("\n"));
-  return `${await cachePrefix2(language, minimizeJavaJars)}${hash2}`;
+async function cacheKey2(codeql, features, language, patterns) {
+  const hash2 = await glob.hashFiles(patterns.join("\n"));
+  return `${await cachePrefix2(codeql, features, language)}${hash2}`;
 }
-async function cachePrefix2(language, minimizeJavaJars) {
+async function getFeaturePrefix(codeql, features, language) {
+  const enabledFeatures = [];
+  const addFeatureIfEnabled = async (feature) => {
+    if (await features.getValue(feature, codeql)) {
+      enabledFeatures.push(feature);
+    }
+  };
+  if (language === "java" /* java */) {
+    const minimizeJavaJars = await features.getValue(
+      "java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */,
+      codeql
+    );
+    if (minimizeJavaJars) {
+      return "minify-";
+    }
+  } else if (language === "csharp" /* csharp */) {
+    await addFeatureIfEnabled("csharp_new_cache_key" /* CsharpNewCacheKey */);
+  }
+  if (enabledFeatures.length > 0) {
+    return `${createCacheKeyHash(enabledFeatures)}-`;
+  }
+  return "";
+}
+async function cachePrefix2(codeql, features, language) {
  const runnerOs = getRequiredEnvParam("RUNNER_OS");
  const customPrefix = process.env["CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX" /* DEPENDENCY_CACHING_PREFIX */];
  let prefix = CODEQL_DEPENDENCY_CACHE_PREFIX;
  if (customPrefix !== void 0 && customPrefix.length > 0) {
    prefix = `${prefix}-${customPrefix}`;
  }
-  if (language === "java" /* java */ && minimizeJavaJars) {
-    prefix = `minify-${prefix}`;
+  const featurePrefix = await getFeaturePrefix(codeql, features, language);
+  if (featurePrefix === "minify-") {
+    return `${featurePrefix}${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
+  } else {
+    return `${prefix}-${featurePrefix}${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
  }
-  return `${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
 }
+var internal = {
+  makePatternCheck
+};

 // src/diagnostics.ts
 var import_fs = require("fs");
@@ -93981,14 +94051,11 @@ async function run() {
      logger
    );
    if (shouldStoreCache(config.dependencyCachingEnabled)) {
-      const minimizeJavaJars = await features.getValue(
-        "java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */,
-        codeql
-      );
      dependencyCacheResults = await uploadDependencyCaches(
+        codeql,
+        features,
        config,
-        logger,
-        minimizeJavaJars
+        logger
      );
    }
    if (isInTestMode()) {
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.1",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
        "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
        "eslint-plugin-github": "^5.1.8",
        "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
        nock: "^14.0.10",
@@ -83157,14 +83158,14 @@ async function checkDiskUsage(logger) {
  }
 }
 function checkActionVersion(version, githubVersion) {
-  if (!semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+  if (!semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
  !process.env["CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */]) {
    if (githubVersion.type === 0 /* DOTCOM */ || githubVersion.type === 2 /* GHE_DOTCOM */ || githubVersion.type === 1 /* GHES */ && semver.satisfies(
      semver.coerce(githubVersion.version) ?? "0.0.0",
-      ">=3.11"
+      ">=3.20"
    )) {
      core3.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/"
+        "CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/"
      );
      core3.exportVariable("CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */, "true");
    }
@@ -83699,8 +83700,8 @@ var path3 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.3";
+var bundleVersion = "codeql-bundle-v2.23.5";
+var cliVersion = "2.23.5";

 // src/overlay-database-utils.ts
 var fs2 = __toESM(require("fs"));
@@ -83976,6 +83977,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: "2.15.0"
  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
  ["diff_informed_queries" /* DiffInformedQueries */]: {
    defaultValue: true,
    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
@@ -84004,12 +84010,6 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
  ["overlay_analysis" /* OverlayAnalysis */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
--- a/lib/defaults.json
+++ b/lib/defaults.json
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.3",
-  "cliVersion": "2.23.3",
-  "priorBundleVersion": "codeql-bundle-v2.23.2",
-  "priorCliVersion": "2.23.2"
+  "bundleVersion": "codeql-bundle-v2.23.5",
+  "cliVersion": "2.23.5",
+  "priorBundleVersion": "codeql-bundle-v2.23.3",
+  "priorCliVersion": "2.23.3"
 }
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.1",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
        "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
        "eslint-plugin-github": "^5.1.8",
        "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
        nock: "^14.0.10",
@@ -122973,8 +122974,8 @@ var path4 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.3";
+var bundleVersion = "codeql-bundle-v2.23.5";
+var cliVersion = "2.23.5";

 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
@@ -123308,6 +123309,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: "2.15.0"
  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
  ["diff_informed_queries" /* DiffInformedQueries */]: {
    defaultValue: true,
    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
@@ -123336,12 +123342,6 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
  ["overlay_analysis" /* OverlayAnalysis */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.1",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
        "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
        "eslint-plugin-github": "^5.1.8",
        "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
        nock: "^14.0.10",
@@ -84734,14 +84735,14 @@ async function checkDiskUsage(logger) {
  }
 }
 function checkActionVersion(version, githubVersion) {
-  if (!semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+  if (!semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
  !process.env["CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */]) {
    if (githubVersion.type === 0 /* DOTCOM */ || githubVersion.type === 2 /* GHE_DOTCOM */ || githubVersion.type === 1 /* GHES */ && semver.satisfies(
      semver.coerce(githubVersion.version) ?? "0.0.0",
-      ">=3.11"
+      ">=3.20"
    )) {
      core3.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/"
+        "CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/"
      );
      core3.exportVariable("CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */, "true");
    }
@@ -85233,6 +85234,7 @@ function wrapApiConfigurationError(e) {
 }

 // src/caching-utils.ts
+var crypto = __toESM(require("crypto"));
 var core6 = __toESM(require_core());
 async function getTotalCacheSize(paths, logger, quiet = false) {
  const sizes = await Promise.all(
@@ -85265,6 +85267,11 @@ function getCachingKind(input) {
      return "none" /* None */;
  }
 }
+var cacheKeyHashLength = 16;
+function createCacheKeyHash(components) {
+  const componentsJson = JSON.stringify(components);
+  return crypto.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength);
+}
 function getDependencyCachingEnabled() {
  const dependencyCaching = getOptionalInput("dependency-caching") || process.env["CODEQL_ACTION_DEPENDENCY_CACHING" /* DEPENDENCY_CACHING */];
  if (dependencyCaching !== void 0) return getCachingKind(dependencyCaching);
@@ -85627,11 +85634,10 @@ var path5 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.3";
+var bundleVersion = "codeql-bundle-v2.23.5";
+var cliVersion = "2.23.5";

 // src/overlay-database-utils.ts
-var crypto = __toESM(require("crypto"));
 var fs3 = __toESM(require("fs"));
 var path4 = __toESM(require("path"));
 var actionsCache = __toESM(require_cache3());
@@ -86033,10 +86039,6 @@ async function getCacheRestoreKeyPrefix(config, codeQlVersion) {
  const componentsHash = createCacheKeyHash(cacheKeyComponents);
  return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languages}-${codeQlVersion}-`;
 }
-function createCacheKeyHash(components) {
-  const componentsJson = JSON.stringify(components);
-  return crypto.createHash("sha256").update(componentsJson).digest("hex").substring(0, 16);
-}

 // src/tools-features.ts
 var semver3 = __toESM(require_semver2());
@@ -86070,6 +86072,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: "2.15.0"
  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
  ["diff_informed_queries" /* DiffInformedQueries */]: {
    defaultValue: true,
    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
@@ -86098,12 +86105,6 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
  ["overlay_analysis" /* OverlayAnalysis */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -86649,10 +86650,9 @@ async function cachePrefix(codeql, language) {
 }

 // src/config-utils.ts
-async function getSupportedLanguageMap(codeql, features, logger) {
-  const resolveSupportedLanguagesUsingCli = await features.getValue(
-    "resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */,
-    codeql
+async function getSupportedLanguageMap(codeql, logger) {
+  const resolveSupportedLanguagesUsingCli = await codeql.supportsFeature(
+    "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
  );
  const resolveResult = await codeql.betterResolveLanguages({
    filterToLanguagesWithQueries: resolveSupportedLanguagesUsingCli
@@ -86700,14 +86700,14 @@ async function getRawLanguagesInRepo(repository, sourceRoot, logger) {
  logger.debug(`Raw languages in repository: ${result.join(", ")}`);
  return result;
 }
-async function getLanguages(codeql, languagesInput, repository, sourceRoot, features, logger) {
+async function getLanguages(codeql, languagesInput, repository, sourceRoot, logger) {
  const { rawLanguages, autodetected } = await getRawLanguages(
    languagesInput,
    repository,
    sourceRoot,
    logger
  );
-  const languageMap = await getSupportedLanguageMap(codeql, features, logger);
+  const languageMap = await getSupportedLanguageMap(codeql, logger);
  const languagesSet = /* @__PURE__ */ new Set();
  const unknownLanguages = [];
  for (const language of rawLanguages) {
@@ -86773,7 +86773,6 @@ async function initActionState({
    languagesInput,
    repository,
    sourceRoot,
-    features,
    logger
  );
  const buildMode = await parseBuildModeInput(
@@ -87247,68 +87246,105 @@ var CODEQL_DEPENDENCY_CACHE_VERSION = 1;
 function getJavaTempDependencyDir() {
  return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository");
 }
-function getDefaultCacheConfig() {
-  return {
-    java: {
-      paths: [
-        // Maven
-        (0, import_path.join)(os2.homedir(), ".m2", "repository"),
-        // Gradle
-        (0, import_path.join)(os2.homedir(), ".gradle", "caches"),
-        // CodeQL Java build-mode: none
-        getJavaTempDependencyDir()
-      ],
-      hash: [
-        // Maven
-        "**/pom.xml",
-        // Gradle
-        "**/*.gradle*",
-        "**/gradle-wrapper.properties",
-        "buildSrc/**/Versions.kt",
-        "buildSrc/**/Dependencies.kt",
-        "gradle/*.versions.toml",
-        "**/versions.properties"
-      ]
-    },
-    csharp: {
-      paths: [(0, import_path.join)(os2.homedir(), ".nuget", "packages")],
-      hash: [
-        // NuGet
-        "**/packages.lock.json",
-        // Paket
-        "**/paket.lock"
-      ]
-    },
-    go: {
-      paths: [(0, import_path.join)(os2.homedir(), "go", "pkg", "mod")],
-      hash: ["**/go.sum"]
-    }
-  };
+function getJavaDependencyDirs() {
+  return [
+    // Maven
+    (0, import_path.join)(os2.homedir(), ".m2", "repository"),
+    // Gradle
+    (0, import_path.join)(os2.homedir(), ".gradle", "caches"),
+    // CodeQL Java build-mode: none
+    getJavaTempDependencyDir()
+  ];
 }
+async function makePatternCheck(patterns) {
+  const globber = await makeGlobber(patterns);
+  if ((await globber.glob()).length === 0) {
+    return void 0;
+  }
+  return patterns;
+}
+var CSHARP_BASE_PATTERNS = [
+  // NuGet
+  "**/packages.lock.json",
+  // Paket
+  "**/paket.lock"
+];
+var CSHARP_EXTRA_PATTERNS = [
+  "**/*.csproj",
+  "**/packages.config",
+  "**/nuget.config"
+];
+async function getCsharpHashPatterns(codeql, features) {
+  const basePatterns = await internal.makePatternCheck(CSHARP_BASE_PATTERNS);
+  if (basePatterns !== void 0) {
+    return basePatterns;
+  }
+  if (await features.getValue("csharp_new_cache_key" /* CsharpNewCacheKey */, codeql)) {
+    return internal.makePatternCheck(CSHARP_EXTRA_PATTERNS);
+  }
+  return void 0;
+}
+var defaultCacheConfigs = {
+  java: {
+    getDependencyPaths: getJavaDependencyDirs,
+    getHashPatterns: async () => internal.makePatternCheck([
+      // Maven
+      "**/pom.xml",
+      // Gradle
+      "**/*.gradle*",
+      "**/gradle-wrapper.properties",
+      "buildSrc/**/Versions.kt",
+      "buildSrc/**/Dependencies.kt",
+      "gradle/*.versions.toml",
+      "**/versions.properties"
+    ])
+  },
+  csharp: {
+    getDependencyPaths: () => [(0, import_path.join)(os2.homedir(), ".nuget", "packages")],
+    getHashPatterns: getCsharpHashPatterns
+  },
+  go: {
+    getDependencyPaths: () => [(0, import_path.join)(os2.homedir(), "go", "pkg", "mod")],
+    getHashPatterns: async () => internal.makePatternCheck(["**/go.sum"])
+  }
+};
 async function makeGlobber(patterns) {
  return glob.create(patterns.join("\n"));
 }
-async function downloadDependencyCaches(languages, logger, minimizeJavaJars) {
+async function checkHashPatterns(codeql, features, language, cacheConfig, checkType, logger) {
+  const patterns = await cacheConfig.getHashPatterns(codeql, features);
+  if (patterns === void 0) {
+    logger.info(
+      `Skipping ${checkType} of dependency cache for ${language} as we cannot calculate a hash for the cache key.`
+    );
+  }
+  return patterns;
+}
+async function downloadDependencyCaches(codeql, features, languages, logger) {
  const status = [];
  for (const language of languages) {
-    const cacheConfig = getDefaultCacheConfig()[language];
+    const cacheConfig = defaultCacheConfigs[language];
    if (cacheConfig === void 0) {
      logger.info(
        `Skipping download of dependency cache for ${language} as we have no caching configuration for it.`
      );
      continue;
    }
-    const globber = await makeGlobber(cacheConfig.hash);
-    if ((await globber.glob()).length === 0) {
+    const patterns = await checkHashPatterns(
+      codeql,
+      features,
+      language,
+      cacheConfig,
+      "download",
+      logger
+    );
+    if (patterns === void 0) {
      status.push({ language, hit_kind: "no-hash" /* NoHash */ });
-      logger.info(
-        `Skipping download of dependency cache for ${language} as we cannot calculate a hash for the cache key.`
-      );
      continue;
    }
-    const primaryKey = await cacheKey2(language, cacheConfig, minimizeJavaJars);
+    const primaryKey = await cacheKey2(codeql, features, language, patterns);
    const restoreKeys = [
-      await cachePrefix2(language, minimizeJavaJars)
+      await cachePrefix2(codeql, features, language)
    ];
    logger.info(
      `Downloading cache for ${language} with key ${primaryKey} and restore keys ${restoreKeys.join(
@@ -87317,7 +87353,7 @@ async function downloadDependencyCaches(languages, logger, minimizeJavaJars) {
    );
    const start = performance.now();
    const hitKey = await actionsCache3.restoreCache(
-      cacheConfig.paths,
+      cacheConfig.getDependencyPaths(),
      primaryKey,
      restoreKeys
    );
@@ -87333,22 +87369,50 @@ async function downloadDependencyCaches(languages, logger, minimizeJavaJars) {
  }
  return status;
 }
-async function cacheKey2(language, cacheConfig, minimizeJavaJars = false) {
-  const hash = await glob.hashFiles(cacheConfig.hash.join("\n"));
-  return `${await cachePrefix2(language, minimizeJavaJars)}${hash}`;
+async function cacheKey2(codeql, features, language, patterns) {
+  const hash = await glob.hashFiles(patterns.join("\n"));
+  return `${await cachePrefix2(codeql, features, language)}${hash}`;
 }
-async function cachePrefix2(language, minimizeJavaJars) {
+async function getFeaturePrefix(codeql, features, language) {
+  const enabledFeatures = [];
+  const addFeatureIfEnabled = async (feature) => {
+    if (await features.getValue(feature, codeql)) {
+      enabledFeatures.push(feature);
+    }
+  };
+  if (language === "java" /* java */) {
+    const minimizeJavaJars = await features.getValue(
+      "java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */,
+      codeql
+    );
+    if (minimizeJavaJars) {
+      return "minify-";
+    }
+  } else if (language === "csharp" /* csharp */) {
+    await addFeatureIfEnabled("csharp_new_cache_key" /* CsharpNewCacheKey */);
+  }
+  if (enabledFeatures.length > 0) {
+    return `${createCacheKeyHash(enabledFeatures)}-`;
+  }
+  return "";
+}
+async function cachePrefix2(codeql, features, language) {
  const runnerOs = getRequiredEnvParam("RUNNER_OS");
  const customPrefix = process.env["CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX" /* DEPENDENCY_CACHING_PREFIX */];
  let prefix = CODEQL_DEPENDENCY_CACHE_PREFIX;
  if (customPrefix !== void 0 && customPrefix.length > 0) {
    prefix = `${prefix}-${customPrefix}`;
  }
-  if (language === "java" /* java */ && minimizeJavaJars) {
-    prefix = `minify-${prefix}`;
+  const featurePrefix = await getFeaturePrefix(codeql, features, language);
+  if (featurePrefix === "minify-") {
+    return `${featurePrefix}${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
+  } else {
+    return `${prefix}-${featurePrefix}${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
  }
-  return `${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
 }
+var internal = {
+  makePatternCheck
+};

 // src/diagnostics.ts
 var import_fs = require("fs");
@@ -89712,7 +89776,7 @@ async function getWorkflowAbsolutePath(logger) {
 async function checkWorkflow(logger, codeql) {
  if (!isDynamicWorkflow() && process.env["CODEQL_ACTION_SKIP_WORKFLOW_VALIDATION" /* SKIP_WORKFLOW_VALIDATION */] !== "true") {
    core12.startGroup("Validating workflow");
-    const validateWorkflowResult = await internal.validateWorkflow(
+    const validateWorkflowResult = await internal2.validateWorkflow(
      codeql,
      logger
    );
@@ -89726,7 +89790,7 @@ async function checkWorkflow(logger, codeql) {
    core12.endGroup();
  }
 }
-var internal = {
+var internal2 = {
  validateWorkflow
 };

@@ -90075,15 +90139,12 @@ exec ${goBinaryPath} "$@"`
        core13.exportVariable(envVar, "false");
      }
    }
-    const minimizeJavaJars = await features.getValue(
-      "java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */,
-      codeql
-    );
    if (shouldRestoreCache(config.dependencyCachingEnabled)) {
      dependencyCachingResults = await downloadDependencyCaches(
+        codeql,
+        features,
        config.languages,
-        logger,
-        minimizeJavaJars
+        logger
      );
    }
    if (await codeQlVersionAtLeast(codeql, "2.17.1")) {
@@ -90121,7 +90182,7 @@ exec ${goBinaryPath} "$@"`
      logger.debug(
        `${"CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */} is already set to '${process.env["CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */]}', so the Action will not override it.`
      );
-    } else if (minimizeJavaJars && config.dependencyCachingEnabled && config.buildMode === "none" /* None */ && config.languages.includes("java" /* java */)) {
+    } else if (await features.getValue("java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */, codeql) && config.dependencyCachingEnabled && config.buildMode === "none" /* None */ && config.languages.includes("java" /* java */)) {
      core13.exportVariable(
        "CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */,
        "true"
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.1",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
        "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
        "eslint-plugin-github": "^5.1.8",
        "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
        nock: "^14.0.10",
@@ -83169,14 +83170,14 @@ async function checkDiskUsage(logger) {
  }
 }
 function checkActionVersion(version, githubVersion) {
-  if (!semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+  if (!semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
  !process.env["CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */]) {
    if (githubVersion.type === 0 /* DOTCOM */ || githubVersion.type === 2 /* GHE_DOTCOM */ || githubVersion.type === 1 /* GHES */ && semver.satisfies(
      semver.coerce(githubVersion.version) ?? "0.0.0",
-      ">=3.11"
+      ">=3.20"
    )) {
      core3.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/"
+        "CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/"
      );
      core3.exportVariable("CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */, "true");
    }
@@ -83967,6 +83968,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: "2.15.0"
  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
  ["diff_informed_queries" /* DiffInformedQueries */]: {
    defaultValue: true,
    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
@@ -83995,12 +84001,6 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
  ["overlay_analysis" /* OverlayAnalysis */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.1",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
        "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
        "eslint-plugin-github": "^5.1.8",
        "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
        nock: "^14.0.10",
@@ -83245,14 +83246,14 @@ async function checkDiskUsage(logger) {
  }
 }
 function checkActionVersion(version, githubVersion) {
-  if (!semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+  if (!semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
  !process.env["CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */]) {
    if (githubVersion.type === 0 /* DOTCOM */ || githubVersion.type === 2 /* GHE_DOTCOM */ || githubVersion.type === 1 /* GHES */ && semver.satisfies(
      semver.coerce(githubVersion.version) ?? "0.0.0",
-      ">=3.11"
+      ">=3.20"
    )) {
      core3.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/"
+        "CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/"
      );
      core3.exportVariable("CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */, "true");
    }
@@ -83587,22 +83588,25 @@ var path4 = __toESM(require("path"));
 var semver3 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.3";
+var bundleVersion = "codeql-bundle-v2.23.5";
+var cliVersion = "2.23.5";

 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
 var actionsCache = __toESM(require_cache3());

-// src/git-utils.ts
+// src/caching-utils.ts
 var core6 = __toESM(require_core());
+
+// src/git-utils.ts
+var core7 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
  let stdout = "";
  let stderr = "";
-  core6.debug(`Running git command: git ${args.join(" ")}`);
+  core7.debug(`Running git command: git ${args.join(" ")}`);
  try {
    await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
      silent: true,
@@ -83622,7 +83626,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
    if (stderr.includes("not a git repository")) {
      reason = "The checkout path provided to the action does not appear to be a git repository.";
    }
-    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
    throw error4;
  }
 };
@@ -83733,7 +83737,7 @@ async function getRef() {
  ) !== head;
  if (hasChangedRef) {
    const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core6.debug(
+    core7.debug(
      `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
    );
    return newRef;
@@ -83759,16 +83763,16 @@ async function isAnalyzingDefaultBranch() {
 }

 // src/logging.ts
-var core7 = __toESM(require_core());
+var core8 = __toESM(require_core());
 function getActionsLogger() {
  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
  };
 }
 function formatDuration(durationMs) {
@@ -83876,6 +83880,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: "2.15.0"
  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
  ["diff_informed_queries" /* DiffInformedQueries */]: {
    defaultValue: true,
    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
@@ -83904,12 +83913,6 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
  ["overlay_analysis" /* OverlayAnalysis */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -84567,9 +84570,6 @@ var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
 })(AnalysisKind || {});
 var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));

-// src/caching-utils.ts
-var core8 = __toESM(require_core());
-
 // src/config/db-config.ts
 var jsonschema = __toESM(require_lib4());
 var semver4 = __toESM(require_semver2());
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.1",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
        "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
        "eslint-plugin-github": "^5.1.8",
        "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
        nock: "^14.0.10",
@@ -119333,6 +119334,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: "2.15.0"
  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
  ["diff_informed_queries" /* DiffInformedQueries */]: {
    defaultValue: true,
    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
@@ -119361,12 +119367,6 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
  ["overlay_analysis" /* OverlayAnalysis */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -47338,7 +47338,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.1",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
        "@types/archiver": "^7.0.0",
@@ -47348,15 +47348,16 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
        "eslint-plugin-github": "^5.1.8",
        "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
        nock: "^14.0.10",
@@ -99682,8 +99683,8 @@ function getActionsLogger() {
 var core7 = __toESM(require_core());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.3";
+var bundleVersion = "codeql-bundle-v2.23.5";
+var cliVersion = "2.23.5";

 // src/languages.ts
 var KnownLanguage = /* @__PURE__ */ ((KnownLanguage2) => {
@@ -99995,6 +99996,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: "2.15.0"
  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
  ["diff_informed_queries" /* DiffInformedQueries */]: {
    defaultValue: true,
    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
@@ -100023,12 +100029,6 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
  ["overlay_analysis" /* OverlayAnalysis */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -28977,7 +28977,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.1",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
        "@types/archiver": "^7.0.0",
@@ -28987,15 +28987,16 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
        "eslint-plugin-github": "^5.1.8",
        "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
        nock: "^14.0.10",
@@ -86723,8 +86724,8 @@ var path4 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.3";
+var bundleVersion = "codeql-bundle-v2.23.5";
+var cliVersion = "2.23.5";

 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
@@ -87033,6 +87034,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: "2.15.0"
  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
  ["diff_informed_queries" /* DiffInformedQueries */]: {
    defaultValue: true,
    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
@@ -87061,12 +87067,6 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
  ["overlay_analysis" /* OverlayAnalysis */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.1",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
        "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
        "eslint-plugin-github": "^5.1.8",
        "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
        nock: "^14.0.10",
@@ -119499,6 +119500,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: "2.15.0"
  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
  ["diff_informed_queries" /* DiffInformedQueries */]: {
    defaultValue: true,
    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
@@ -119527,12 +119533,6 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
  ["overlay_analysis" /* OverlayAnalysis */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -27680,7 +27680,7 @@ var require_package = __commonJS({
        "@ava/typescript": "6.0.0",
        "@eslint/compat": "^1.4.1",
        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.39.0",
+        "@eslint/js": "^9.39.1",
        "@microsoft/eslint-formatter-sarif": "^3.1.0",
        "@octokit/types": "^16.0.0",
        "@types/archiver": "^7.0.0",
@@ -27690,15 +27690,16 @@ var require_package = __commonJS({
        "@types/node-forge": "^1.3.14",
        "@types/semver": "^7.7.1",
        "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.3",
+        "@typescript-eslint/eslint-plugin": "^8.46.4",
        "@typescript-eslint/parser": "^8.41.0",
        ava: "^6.4.1",
-        esbuild: "^0.25.12",
+        esbuild: "^0.27.0",
        eslint: "^8.57.1",
        "eslint-import-resolver-typescript": "^3.8.7",
        "eslint-plugin-filenames": "^1.3.2",
        "eslint-plugin-github": "^5.1.8",
        "eslint-plugin-import": "2.29.1",
+        "eslint-plugin-jsdoc": "^61.1.12",
        "eslint-plugin-no-async-foreach": "^0.1.1",
        glob: "^11.0.3",
        nock: "^14.0.10",
@@ -86065,14 +86066,14 @@ async function checkDiskUsage(logger) {
  }
 }
 function checkActionVersion(version, githubVersion) {
-  if (!semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+  if (!semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
  !process.env["CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */]) {
    if (githubVersion.type === 0 /* DOTCOM */ || githubVersion.type === 2 /* GHE_DOTCOM */ || githubVersion.type === 1 /* GHES */ && semver.satisfies(
      semver.coerce(githubVersion.version) ?? "0.0.0",
-      ">=3.11"
+      ">=3.20"
    )) {
      core3.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. Please update all occurrences of the CodeQL Action in your workflow files to v3. For more information, see https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/"
+        "CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/"
      );
      core3.exportVariable("CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION" /* LOG_VERSION_DEPRECATION */, "true");
    }
@@ -86503,22 +86504,25 @@ var path4 = __toESM(require("path"));
 var semver3 = __toESM(require_semver2());

 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.3";
-var cliVersion = "2.23.3";
+var bundleVersion = "codeql-bundle-v2.23.5";
+var cliVersion = "2.23.5";

 // src/overlay-database-utils.ts
 var fs3 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
 var actionsCache = __toESM(require_cache3());

-// src/git-utils.ts
+// src/caching-utils.ts
 var core6 = __toESM(require_core());
+
+// src/git-utils.ts
+var core7 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
  let stdout = "";
  let stderr = "";
-  core6.debug(`Running git command: git ${args.join(" ")}`);
+  core7.debug(`Running git command: git ${args.join(" ")}`);
  try {
    await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
      silent: true,
@@ -86538,7 +86542,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage) {
    if (stderr.includes("not a git repository")) {
      reason = "The checkout path provided to the action does not appear to be a git repository.";
    }
-    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
    throw error4;
  }
 };
@@ -86683,7 +86687,7 @@ async function getRef() {
  ) !== head;
  if (hasChangedRef) {
    const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core6.debug(
+    core7.debug(
      `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
    );
    return newRef;
@@ -86709,16 +86713,16 @@ async function isAnalyzingDefaultBranch() {
 }

 // src/logging.ts
-var core7 = __toESM(require_core());
+var core8 = __toESM(require_core());
 function getActionsLogger() {
  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
  };
 }
 function formatDuration(durationMs) {
@@ -86826,6 +86830,11 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: "2.15.0"
  },
+  ["csharp_new_cache_key" /* CsharpNewCacheKey */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: void 0
+  },
  ["diff_informed_queries" /* DiffInformedQueries */]: {
    defaultValue: true,
    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
@@ -86854,12 +86863,6 @@ var featureConfig = {
    legacyApi: true,
    minimumVersion: void 0
  },
-  ["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: void 0,
-    toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
-  },
  ["overlay_analysis" /* OverlayAnalysis */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -87267,9 +87270,6 @@ var core9 = __toESM(require_core());
 var fs6 = __toESM(require("fs"));
 var path6 = __toESM(require("path"));

-// src/caching-utils.ts
-var core8 = __toESM(require_core());
-
 // src/config/db-config.ts
 var jsonschema = __toESM(require_lib4());
 var semver4 = __toESM(require_semver2());
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -53,7 +53,7 @@
    "@ava/typescript": "6.0.0",
    "@eslint/compat": "^1.4.1",
    "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.39.0",
+    "@eslint/js": "^9.39.1",
    "@microsoft/eslint-formatter-sarif": "^3.1.0",
    "@octokit/types": "^16.0.0",
    "@types/archiver": "^7.0.0",
@@ -63,15 +63,16 @@
    "@types/node-forge": "^1.3.14",
    "@types/semver": "^7.7.1",
    "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.46.3",
+    "@typescript-eslint/eslint-plugin": "^8.46.4",
    "@typescript-eslint/parser": "^8.41.0",
    "ava": "^6.4.1",
-    "esbuild": "^0.25.12",
+    "esbuild": "^0.27.0",
    "eslint": "^8.57.1",
    "eslint-import-resolver-typescript": "^3.8.7",
    "eslint-plugin-filenames": "^1.3.2",
    "eslint-plugin-github": "^5.1.8",
    "eslint-plugin-import": "2.29.1",
+    "eslint-plugin-jsdoc": "^61.1.12",
    "eslint-plugin-no-async-foreach": "^0.1.1",
    "glob": "^11.0.3",
    "nock": "^14.0.10",
--- a/pr-checks/checks/all-platform-bundle.yml
+++ b/pr-checks/checks/all-platform-bundle.yml
@@ -4,6 +4,7 @@ operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["nightly-latest"]
 useAllPlatformBundle: "true"
 installGo: true
+installDotNet: true
 steps:
  - id: init
    uses: ./../action/init
--- a/pr-checks/checks/analyze-ref-input.yml
+++ b/pr-checks/checks/analyze-ref-input.yml
@@ -3,6 +3,7 @@ description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
 installPython: true
+installDotNet: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/autobuild-action.yml
+++ b/pr-checks/checks/autobuild-action.yml
@@ -2,6 +2,7 @@ name: "autobuild-action"
 description: "Tests that the C# autobuild action works"
 operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["linked"]
+installDotNet: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/build-mode-manual.yml
+++ b/pr-checks/checks/build-mode-manual.yml
@@ -2,6 +2,7 @@ name: "Build mode manual"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
 versions: ["nightly-latest"]
 installGo: true
+installDotNet: true
 steps:
  - uses: ./../action/init
    id: init
--- a/pr-checks/checks/export-file-baseline-information.yml
+++ b/pr-checks/checks/export-file-baseline-information.yml
@@ -3,6 +3,7 @@ description: "Tests that file baseline information is exported when the feature
 operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["nightly-latest"]
 installGo: true
+installDotNet: true
 env:
  CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
 steps:
--- a/pr-checks/checks/go-custom-queries.yml
+++ b/pr-checks/checks/go-custom-queries.yml
@@ -7,6 +7,7 @@ versions:
  - linked
  - nightly-latest
 installGo: true
+installDotNet: true
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
--- a/pr-checks/checks/local-bundle.yml
+++ b/pr-checks/checks/local-bundle.yml
@@ -3,6 +3,7 @@ description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["linked"]
 installGo: true
 installPython: true
+installDotNet: true
 steps:
  - name: Fetch latest CodeQL bundle
    run: |
--- a/pr-checks/checks/multi-language-autodetect.yml
+++ b/pr-checks/checks/multi-language-autodetect.yml
@@ -5,6 +5,7 @@ env:
  CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
 installPython: true
+installDotNet: true
 steps:
  - name: Use Xcode 16
    if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
--- a/pr-checks/checks/packaging-codescanning-config-inputs-js.yml
+++ b/pr-checks/checks/packaging-codescanning-config-inputs-js.yml
@@ -4,6 +4,7 @@ versions: ["linked", "default", "nightly-latest"] # This feature is not compatib
 installGo: true
 installNode: true
 installPython: true
+installDotNet: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/packaging-config-inputs-js.yml
+++ b/pr-checks/checks/packaging-config-inputs-js.yml
@@ -3,6 +3,7 @@ description: "Checks that specifying packages using a combination of a config fi
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
+installDotNet: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/packaging-config-js.yml
+++ b/pr-checks/checks/packaging-config-js.yml
@@ -3,6 +3,7 @@ description: "Checks that specifying packages using only a config file works"
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
+installDotNet: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/packaging-inputs-js.yml
+++ b/pr-checks/checks/packaging-inputs-js.yml
@@ -3,6 +3,7 @@ description: "Checks that specifying packages using the input to the Action work
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
+installDotNet: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/remote-config.yml
+++ b/pr-checks/checks/remote-config.yml
@@ -7,6 +7,7 @@ versions:
  - nightly-latest
 installGo: true
 installPython: true
+installDotNet: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/split-workflow.yml
+++ b/pr-checks/checks/split-workflow.yml
@@ -3,6 +3,7 @@ description: "Tests a split-up workflow in which we first build a database and l
 operatingSystems: ["ubuntu", "macos"]
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
+installDotNet: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/swift-custom-build.yml
+++ b/pr-checks/checks/swift-custom-build.yml
@@ -3,6 +3,7 @@ description: "Tests creation of a Swift database using custom build"
 versions: ["linked", "default", "nightly-latest"]
 operatingSystems: ["macos"]
 installGo: true
+installDotNet: true
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
--- a/pr-checks/checks/unset-environment.yml
+++ b/pr-checks/checks/unset-environment.yml
@@ -7,6 +7,7 @@ versions:
  - nightly-latest
 installGo: true
 installPython: true
+installDotNet: true
 steps:
  - uses: ./../action/init
    id: init
--- a/pr-checks/checks/upload-ref-sha-input.yml
+++ b/pr-checks/checks/upload-ref-sha-input.yml
@@ -3,6 +3,7 @@ description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
 installPython: true
+installDotNet: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/upload-sarif.yml
+++ b/pr-checks/checks/upload-sarif.yml
@@ -4,6 +4,7 @@ versions: ["default"]
 analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
 installGo: true
 installPython: true
+installDotNet: true
 steps:
  - uses: ./../action/init
    with:
--- a/pr-checks/checks/with-checkout-path.yml
+++ b/pr-checks/checks/with-checkout-path.yml
@@ -3,6 +3,7 @@ description: "Checks that a custom `checkout_path` will find the proper commit_o
 versions: ["linked"]
 installGo: true
 installPython: true
+installDotNet: true
 steps:
  # This ensures we don't accidentally use the original checkout for any part of the test.
  - name: Delete original checkout
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -204,6 +204,25 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
            }
        })

+    installDotNet = is_truthy(checkSpecification.get('installDotNet', ''))
+
+    if installDotNet:
+        baseDotNetVersionExpr = '9.x'
+        workflowInputs['dotnet-version'] = {
+            'type': 'string',
+            'description': 'The version of .NET to install',
+            'required': False,
+            'default': baseDotNetVersionExpr,
+        }
+
+        steps.append({
+            'name': 'Install .NET',
+            'uses': 'actions/setup-dotnet@v5',
+            'with': {
+                'dotnet-version': '${{ inputs.dotnet-version || \'' + baseDotNetVersionExpr + '\' }}'
+            }
+        })
+
    # If container initialisation steps are present in the check specification,
    # make sure to execute them first.
    if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:
@@ -337,11 +356,6 @@ for collection_name in collections:
                'GO111MODULE': 'auto'
            },
            'on': {
-                'push': {
-                    'paths': [
-                        f'.github/workflows/__{collection_name}.yml'
-                    ]
-                },
                'workflow_dispatch': {
                    'inputs': combinedInputs
                },
--- a/src/analyze-action.ts
+++ b/src/analyze-action.ts
@@ -438,14 +438,11 @@ async function run() {

    // Store dependency cache(s) if dependency caching is enabled.
    if (shouldStoreCache(config.dependencyCachingEnabled)) {
-      const minimizeJavaJars = await features.getValue(
-        Feature.JavaMinimizeDependencyJars,
-        codeql,
-      );
      dependencyCacheResults = await uploadDependencyCaches(
+        codeql,
+        features,
        config,
        logger,
-        minimizeJavaJars,
      );
    }

--- a/src/analyze.ts
+++ b/src/analyze.ts
@@ -38,89 +38,26 @@ export class CodeQLAnalysisError extends Error {
  }
 }

-export interface QueriesStatusReport {
-  /**
-   * Time taken in ms to run queries for actions (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_actions_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for cpp (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_cpp_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for csharp (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_csharp_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for go (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_go_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for java (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_java_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for javascript (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_javascript_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for python (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_python_duration_ms?: number;
-  /**
-   * Time taken in ms to run queries for ruby (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_ruby_duration_ms?: number;
-  /** Time taken in ms to run queries for swift (or undefined if this language was not analyzed).
-   *
-   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
-   * taken to run _all_ the queries.
-   */
-  analyze_builtin_queries_swift_duration_ms?: number;
+type KnownLanguageKey = keyof typeof KnownLanguage;

-  /** Time taken in ms to interpret results for actions (or undefined if this language was not analyzed). */
-  interpret_results_actions_duration_ms?: number;
-  /** Time taken in ms to interpret results for cpp (or undefined if this language was not analyzed). */
-  interpret_results_cpp_duration_ms?: number;
-  /** Time taken in ms to interpret results for csharp (or undefined if this language was not analyzed). */
-  interpret_results_csharp_duration_ms?: number;
-  /** Time taken in ms to interpret results for go (or undefined if this language was not analyzed). */
-  interpret_results_go_duration_ms?: number;
-  /** Time taken in ms to interpret results for java (or undefined if this language was not analyzed). */
-  interpret_results_java_duration_ms?: number;
-  /** Time taken in ms to interpret results for javascript (or undefined if this language was not analyzed). */
-  interpret_results_javascript_duration_ms?: number;
-  /** Time taken in ms to interpret results for python (or undefined if this language was not analyzed). */
-  interpret_results_python_duration_ms?: number;
-  /** Time taken in ms to interpret results for ruby (or undefined if this language was not analyzed). */
-  interpret_results_ruby_duration_ms?: number;
-  /** Time taken in ms to interpret results for swift (or undefined if this language was not analyzed). */
-  interpret_results_swift_duration_ms?: number;
+type RunQueriesDurationStatusReport = {
+  /**
+   * Time taken in ms to run queries for the language (or undefined if this language was not analyzed).
+   *
+   * The "builtin" designation is now outdated with the move to CLI config parsing: this is the time
+   * taken to run _all_ the queries.
+   */
+  [L in KnownLanguageKey as `analyze_builtin_queries_${L}_duration_ms`]?: number;
+};

+type InterpretResultsDurationStatusReport = {
+  /** Time taken in ms to interpret results for the language (or undefined if this language was not analyzed). */
+  [L in KnownLanguageKey as `interpret_results_${L}_duration_ms`]?: number;
+};
+
+export interface QueriesStatusReport
+  extends RunQueriesDurationStatusReport,
+    InterpretResultsDurationStatusReport {
  /**
   * Whether the analysis is diff-informed (in the sense that the action generates a diff-range data
   * extension for the analysis, regardless of whether the data extension is actually used by queries).
--- a/src/caching-utils.ts
+++ b/src/caching-utils.ts
@@ -1,3 +1,5 @@
+import * as crypto from "crypto";
+
 import * as core from "@actions/core";

 import { getOptionalInput, isDefaultSetup } from "./actions-util";
@@ -71,6 +73,33 @@ export function getCachingKind(input: string | undefined): CachingKind {
  }
 }

+// The length to which `createCacheKeyHash` truncates hash strings.
+export const cacheKeyHashLength = 16;
+
+/**
+ * Creates a SHA-256 hash of the cache key components to ensure uniqueness
+ * while keeping the cache key length manageable.
+ *
+ * @param components Object containing all components that should influence cache key uniqueness
+ * @returns A short SHA-256 hash (first 16 characters) of the components
+ */
+export function createCacheKeyHash(components: Record<string, any>): string {
+  // From https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify
+  //
+  // "Properties are visited using the same algorithm as Object.keys(), which
+  // has a well-defined order and is stable across implementations. For example,
+  // JSON.stringify on the same object will always produce the same string, and
+  // JSON.parse(JSON.stringify(obj)) would produce an object with the same key
+  // ordering as the original (assuming the object is completely
+  // JSON-serializable)."
+  const componentsJson = JSON.stringify(components);
+  return crypto
+    .createHash("sha256")
+    .update(componentsJson)
+    .digest("hex")
+    .substring(0, cacheKeyHashLength);
+}
+
 /** Determines whether dependency caching is enabled. */
 export function getDependencyCachingEnabled(): CachingKind {
  // If the workflow specified something always respect that
--- a/src/codeql.ts
+++ b/src/codeql.ts
@@ -1071,8 +1071,11 @@ export async function getCodeQLForCmd(
 /**
 * Gets the options for `path` of `options` as an array of extra option strings.
 *
- * @param ignoringOptions Options that should be ignored, for example because they have already
- *                        been passed and it is an error to pass them more than once.
+ * @param paths The CLI command components to get extra options for.
+ * @param args Additional arguments for this function.
+ * @param args.ignoringOptions
+ *   Options that should be ignored, for example because they have already
+ *   been passed and it is an error to pass them more than once.
 */
 function getExtraOptionsFromEnv(
  paths: string[],
@@ -1154,8 +1157,9 @@ async function runCli(
 /**
 * Writes the code scanning configuration that is to be used by the CLI.
 *
- * @param codeql The CodeQL object to use.
- * @param config The CodeQL Action state to use.
+ * @param config The CodeQL Action state to write.
+ * @param logger The logger to use.
+ *
 * @returns The path to the generated user configuration file.
 */
 async function writeCodeScanningConfigFile(
--- a/src/config-utils.test.ts
+++ b/src/config-utils.test.ts
@@ -873,71 +873,62 @@ const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
    expectedLanguages: ["javascript"],
  },
 ].forEach((args) => {
-  for (const resolveSupportedLanguagesUsingCli of [true, false]) {
-    test(`getLanguages${resolveSupportedLanguagesUsingCli ? " (supported languages via CLI)" : ""}: ${args.name}`, async (t) => {
-      const features = createFeatures(
-        resolveSupportedLanguagesUsingCli
-          ? [Feature.ResolveSupportedLanguagesUsingCli]
-          : [],
-      );
-      const mockRequest = mockLanguagesInRepo(args.languagesInRepository);
-      const stubExtractorEntry = {
-        extractor_root: "",
-      };
-      const codeQL = createStubCodeQL({
-        betterResolveLanguages: (options) =>
-          Promise.resolve({
-            aliases: {
-              "c#": KnownLanguage.csharp,
-              c: KnownLanguage.cpp,
-              kotlin: KnownLanguage.java,
-              typescript: KnownLanguage.javascript,
-            },
-            extractors: {
-              cpp: [stubExtractorEntry],
-              csharp: [stubExtractorEntry],
-              java: [stubExtractorEntry],
-              javascript: [stubExtractorEntry],
-              python: [stubExtractorEntry],
-              ...(options?.filterToLanguagesWithQueries
-                ? {}
-                : {
-                    html: [stubExtractorEntry],
-                  }),
-            },
-          }),
-      });
-
-      if (args.expectedLanguages) {
-        // happy path
-        const actualLanguages = await configUtils.getLanguages(
-          codeQL,
-          args.languagesInput,
-          mockRepositoryNwo,
-          ".",
-          features,
-          mockLogger,
-        );
-
-        t.deepEqual(actualLanguages.sort(), args.expectedLanguages.sort());
-      } else {
-        // there is an error
-        await t.throwsAsync(
-          async () =>
-            await configUtils.getLanguages(
-              codeQL,
-              args.languagesInput,
-              mockRepositoryNwo,
-              ".",
-              features,
-              mockLogger,
-            ),
-          { message: args.expectedError },
-        );
-      }
-      t.deepEqual(mockRequest.called, args.expectedApiCall);
+  test(`getLanguages: ${args.name}`, async (t) => {
+    const mockRequest = mockLanguagesInRepo(args.languagesInRepository);
+    const stubExtractorEntry = {
+      extractor_root: "",
+    };
+    const codeQL = createStubCodeQL({
+      betterResolveLanguages: (options) =>
+        Promise.resolve({
+          aliases: {
+            "c#": KnownLanguage.csharp,
+            c: KnownLanguage.cpp,
+            kotlin: KnownLanguage.java,
+            typescript: KnownLanguage.javascript,
+          },
+          extractors: {
+            cpp: [stubExtractorEntry],
+            csharp: [stubExtractorEntry],
+            java: [stubExtractorEntry],
+            javascript: [stubExtractorEntry],
+            python: [stubExtractorEntry],
+            ...(options?.filterToLanguagesWithQueries
+              ? {}
+              : {
+                  html: [stubExtractorEntry],
+                }),
+          },
+        }),
    });
-  }
+
+    if (args.expectedLanguages) {
+      // happy path
+      const actualLanguages = await configUtils.getLanguages(
+        codeQL,
+        args.languagesInput,
+        mockRepositoryNwo,
+        ".",
+        mockLogger,
+      );
+
+      t.deepEqual(actualLanguages.sort(), args.expectedLanguages.sort());
+    } else {
+      // there is an error
+      await t.throwsAsync(
+        async () =>
+          await configUtils.getLanguages(
+            codeQL,
+            args.languagesInput,
+            mockRepositoryNwo,
+            ".",
+            mockLogger,
+          ),
+        { message: args.expectedError },
+      );
+    }
+    t.deepEqual(mockRequest.called, args.expectedApiCall);
+  });
 });

 for (const { displayName, language, feature } of [
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@@ -34,6 +34,7 @@ import {
  OverlayDatabaseMode,
 } from "./overlay-database-utils";
 import { RepositoryNwo } from "./repository";
+import { ToolsFeature } from "./tools-features";
 import { downloadTrapCaches } from "./trap-caching";
 import {
  GitHubVersion,
@@ -177,12 +178,10 @@ export interface Config {

 export async function getSupportedLanguageMap(
  codeql: CodeQL,
-  features: FeatureEnablement,
  logger: Logger,
 ): Promise<Record<string, string>> {
-  const resolveSupportedLanguagesUsingCli = await features.getValue(
-    Feature.ResolveSupportedLanguagesUsingCli,
-    codeql,
+  const resolveSupportedLanguagesUsingCli = await codeql.supportsFeature(
+    ToolsFeature.BuiltinExtractorsSpecifyDefaultQueries,
  );
  const resolveResult = await codeql.betterResolveLanguages({
    filterToLanguagesWithQueries: resolveSupportedLanguagesUsingCli,
@@ -283,7 +282,6 @@ export async function getLanguages(
  languagesInput: string | undefined,
  repository: RepositoryNwo,
  sourceRoot: string,
-  features: FeatureEnablement,
  logger: Logger,
 ): Promise<Language[]> {
  // Obtain languages without filtering them.
@@ -294,7 +292,7 @@ export async function getLanguages(
    logger,
  );

-  const languageMap = await getSupportedLanguageMap(codeql, features, logger);
+  const languageMap = await getSupportedLanguageMap(codeql, logger);
  const languagesSet = new Set<Language>();
  const unknownLanguages: string[] = [];

@@ -431,7 +429,6 @@ export async function initActionState(
    languagesInput,
    repository,
    sourceRoot,
-    features,
    logger,
  );

@@ -1036,7 +1033,6 @@ export async function getConfig(
 * pack.
 *
 * @param registriesInput The value of the `registries` input.
- * @param codeQL a codeQL object, used only for checking the version of CodeQL.
 * @param tempDir a temporary directory to store the generated qlconfig.yml file.
 * @param logger a logger object.
 * @returns The path to the generated `qlconfig.yml` file and the auth tokens to
--- a/src/config/db-config.ts
+++ b/src/config/db-config.ts
@@ -160,7 +160,6 @@ const PACK_IDENTIFIER_PATTERN = (function () {
 * Version and path are optional.
 *
 * @param packStr the package specification to verify.
- * @param configFile Config file to use for error reporting
 */
 export function parsePacksSpecification(packStr: string): Pack {
  if (typeof packStr !== "string") {
--- a/src/defaults.json
+++ b/src/defaults.json
@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.3",
-  "cliVersion": "2.23.3",
-  "priorBundleVersion": "codeql-bundle-v2.23.2",
-  "priorCliVersion": "2.23.2"
+  "bundleVersion": "codeql-bundle-v2.23.5",
+  "cliVersion": "2.23.5",
+  "priorBundleVersion": "codeql-bundle-v2.23.3",
+  "priorCliVersion": "2.23.3"
 }
--- a/src/dependency-caching.test.ts
+++ b/src/dependency-caching.test.ts
@@ -0,0 +1,389 @@
+import * as fs from "fs";
+import path from "path";
+
+import * as actionsCache from "@actions/cache";
+import * as glob from "@actions/glob";
+import test from "ava";
+import * as sinon from "sinon";
+
+import { cacheKeyHashLength } from "./caching-utils";
+import { createStubCodeQL } from "./codeql";
+import {
+  CacheConfig,
+  checkHashPatterns,
+  getCsharpHashPatterns,
+  getFeaturePrefix,
+  makePatternCheck,
+  internal,
+  CSHARP_BASE_PATTERNS,
+  CSHARP_EXTRA_PATTERNS,
+  downloadDependencyCaches,
+  CacheHitKind,
+  cacheKey,
+} from "./dependency-caching";
+import { Feature } from "./feature-flags";
+import { KnownLanguage } from "./languages";
+import {
+  setupTests,
+  createFeatures,
+  getRecordingLogger,
+  checkExpectedLogMessages,
+  LoggedMessage,
+} from "./testing-utils";
+import { withTmpDir } from "./util";
+
+setupTests(test);
+
+function makeAbsolutePatterns(tmpDir: string, patterns: string[]): string[] {
+  return patterns.map((pattern) => path.join(tmpDir, pattern));
+}
+
+test("makePatternCheck - returns undefined if no patterns match", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    fs.writeFileSync(path.join(tmpDir, "test.java"), "");
+    const result = await makePatternCheck(
+      makeAbsolutePatterns(tmpDir, ["**/*.cs"]),
+    );
+    t.is(result, undefined);
+  });
+});
+
+test("makePatternCheck - returns all patterns if any pattern matches", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    fs.writeFileSync(path.join(tmpDir, "test.java"), "");
+    const patterns = makeAbsolutePatterns(tmpDir, ["**/*.cs", "**/*.java"]);
+    const result = await makePatternCheck(patterns);
+    t.deepEqual(result, patterns);
+  });
+});
+
+test("getCsharpHashPatterns - returns base patterns if any pattern matches", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([]);
+  const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
+
+  makePatternCheckStub
+    .withArgs(CSHARP_BASE_PATTERNS)
+    .resolves(CSHARP_BASE_PATTERNS);
+  makePatternCheckStub.withArgs(CSHARP_EXTRA_PATTERNS).rejects();
+
+  await t.notThrowsAsync(async () => {
+    const result = await getCsharpHashPatterns(codeql, features);
+    t.deepEqual(result, CSHARP_BASE_PATTERNS);
+  });
+});
+
+test("getCsharpHashPatterns - returns base patterns if any base pattern matches and CsharpNewCacheKey is enabled", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([Feature.CsharpNewCacheKey]);
+  const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
+
+  makePatternCheckStub
+    .withArgs(CSHARP_BASE_PATTERNS)
+    .resolves(CSHARP_BASE_PATTERNS);
+  makePatternCheckStub
+    .withArgs(CSHARP_EXTRA_PATTERNS)
+    .resolves(CSHARP_EXTRA_PATTERNS);
+
+  await t.notThrowsAsync(async () => {
+    const result = await getCsharpHashPatterns(codeql, features);
+    t.deepEqual(result, CSHARP_BASE_PATTERNS);
+  });
+});
+
+test("getCsharpHashPatterns - returns extra patterns if any extra pattern matches and CsharpNewCacheKey is enabled", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([Feature.CsharpNewCacheKey]);
+  const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
+
+  makePatternCheckStub.withArgs(CSHARP_BASE_PATTERNS).resolves(undefined);
+  makePatternCheckStub
+    .withArgs(CSHARP_EXTRA_PATTERNS)
+    .resolves(CSHARP_EXTRA_PATTERNS);
+
+  await t.notThrowsAsync(async () => {
+    const result = await getCsharpHashPatterns(codeql, features);
+    t.deepEqual(result, CSHARP_EXTRA_PATTERNS);
+  });
+});
+
+test("getCsharpHashPatterns - returns undefined if neither base nor extra patterns match", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([Feature.CsharpNewCacheKey]);
+  const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
+
+  makePatternCheckStub.withArgs(CSHARP_BASE_PATTERNS).resolves(undefined);
+  makePatternCheckStub.withArgs(CSHARP_EXTRA_PATTERNS).resolves(undefined);
+
+  await t.notThrowsAsync(async () => {
+    const result = await getCsharpHashPatterns(codeql, features);
+    t.deepEqual(result, undefined);
+  });
+});
+
+test("checkHashPatterns - logs when no patterns match", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([]);
+  const messages: LoggedMessage[] = [];
+  const config: CacheConfig = {
+    getDependencyPaths: () => [],
+    getHashPatterns: async () => undefined,
+  };
+
+  const result = await checkHashPatterns(
+    codeql,
+    features,
+    KnownLanguage.csharp,
+    config,
+    "download",
+    getRecordingLogger(messages),
+  );
+
+  t.is(result, undefined);
+  checkExpectedLogMessages(t, messages, [
+    "Skipping download of dependency cache",
+  ]);
+});
+
+test("checkHashPatterns - returns patterns when patterns match", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    const codeql = createStubCodeQL({});
+    const features = createFeatures([]);
+    const messages: LoggedMessage[] = [];
+    const patterns = makeAbsolutePatterns(tmpDir, ["**/*.cs", "**/*.java"]);
+
+    fs.writeFileSync(path.join(tmpDir, "test.java"), "");
+
+    const config: CacheConfig = {
+      getDependencyPaths: () => [],
+      getHashPatterns: async () => makePatternCheck(patterns),
+    };
+
+    const result = await checkHashPatterns(
+      codeql,
+      features,
+      KnownLanguage.csharp,
+      config,
+      "upload",
+      getRecordingLogger(messages),
+    );
+
+    t.deepEqual(result, patterns);
+    t.deepEqual(messages, []);
+  });
+});
+
+type RestoreCacheFunc = (
+  paths: string[],
+  primaryKey: string,
+  restoreKeys: string[] | undefined,
+) => Promise<string | undefined>;
+
+/**
+ * Constructs a function that `actionsCache.restoreCache` can be stubbed with.
+ *
+ * @param mockCacheKeys The keys of caches that we want to exist in the Actions cache.
+ *
+ * @returns Returns a function that `actionsCache.restoreCache` can be stubbed with.
+ */
+function makeMockCacheCheck(mockCacheKeys: string[]): RestoreCacheFunc {
+  return async (
+    _paths: string[],
+    primaryKey: string,
+    restoreKeys: string[] | undefined,
+  ) => {
+    // The behaviour here mirrors what the real `restoreCache` would do:
+    // - Starting with the primary restore key, check all caches for a match:
+    //   even for the primary restore key, this only has to be a prefix match.
+    // - If the primary restore key doesn't prefix-match any cache, then proceed
+    //   in the same way for each restore key in turn.
+    for (const restoreKey of [primaryKey, ...(restoreKeys || [])]) {
+      for (const mockCacheKey of mockCacheKeys) {
+        if (mockCacheKey.startsWith(restoreKey)) {
+          return mockCacheKey;
+        }
+      }
+    }
+    // Only if no restore key matches any cache key prefix, there is no matching
+    // cache and we return `undefined`.
+    return undefined;
+  };
+}
+
+test("downloadDependencyCaches - does not restore caches with feature keys if no features are enabled", async (t) => {
+  process.env["RUNNER_OS"] = "Linux";
+
+  const codeql = createStubCodeQL({});
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+
+  sinon.stub(glob, "hashFiles").resolves("abcdef");
+
+  const keyWithFeature = await cacheKey(
+    codeql,
+    createFeatures([Feature.CsharpNewCacheKey]),
+    KnownLanguage.csharp,
+    // Patterns don't matter here because we have stubbed `hashFiles` to always return a specific hash above.
+    [],
+  );
+
+  const restoreCacheStub = sinon
+    .stub(actionsCache, "restoreCache")
+    .callsFake(makeMockCacheCheck([keyWithFeature]));
+
+  const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
+  makePatternCheckStub
+    .withArgs(CSHARP_BASE_PATTERNS)
+    .resolves(CSHARP_BASE_PATTERNS);
+  makePatternCheckStub.withArgs(CSHARP_EXTRA_PATTERNS).resolves(undefined);
+
+  const results = await downloadDependencyCaches(
+    codeql,
+    createFeatures([]),
+    [KnownLanguage.csharp],
+    logger,
+  );
+  t.is(results.length, 1);
+  t.is(results[0].language, KnownLanguage.csharp);
+  t.is(results[0].hit_kind, CacheHitKind.Miss);
+  t.assert(restoreCacheStub.calledOnce);
+});
+
+test("downloadDependencyCaches - restores caches with feature keys if features are enabled", async (t) => {
+  process.env["RUNNER_OS"] = "Linux";
+
+  const codeql = createStubCodeQL({});
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+  const features = createFeatures([Feature.CsharpNewCacheKey]);
+
+  sinon.stub(glob, "hashFiles").resolves("abcdef");
+
+  const keyWithFeature = await cacheKey(
+    codeql,
+    features,
+    KnownLanguage.csharp,
+    // Patterns don't matter here because we have stubbed `hashFiles` to always return a specific hash above.
+    [],
+  );
+
+  const restoreCacheStub = sinon
+    .stub(actionsCache, "restoreCache")
+    .callsFake(makeMockCacheCheck([keyWithFeature]));
+
+  const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
+  makePatternCheckStub
+    .withArgs(CSHARP_BASE_PATTERNS)
+    .resolves(CSHARP_BASE_PATTERNS);
+  makePatternCheckStub.withArgs(CSHARP_EXTRA_PATTERNS).resolves(undefined);
+
+  const results = await downloadDependencyCaches(
+    codeql,
+    features,
+    [KnownLanguage.csharp],
+    logger,
+  );
+  t.is(results.length, 1);
+  t.is(results[0].language, KnownLanguage.csharp);
+  t.is(results[0].hit_kind, CacheHitKind.Exact);
+  t.assert(restoreCacheStub.calledOnce);
+});
+
+test("downloadDependencyCaches - restores caches with feature keys if features are enabled for partial matches", async (t) => {
+  process.env["RUNNER_OS"] = "Linux";
+
+  const codeql = createStubCodeQL({});
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+  const features = createFeatures([Feature.CsharpNewCacheKey]);
+
+  const hashFilesStub = sinon.stub(glob, "hashFiles");
+  hashFilesStub.onFirstCall().resolves("abcdef");
+  hashFilesStub.onSecondCall().resolves("123456");
+
+  const keyWithFeature = await cacheKey(
+    codeql,
+    features,
+    KnownLanguage.csharp,
+    // Patterns don't matter here because we have stubbed `hashFiles` to always return a specific hash above.
+    [],
+  );
+
+  const restoreCacheStub = sinon
+    .stub(actionsCache, "restoreCache")
+    .callsFake(makeMockCacheCheck([keyWithFeature]));
+
+  const makePatternCheckStub = sinon.stub(internal, "makePatternCheck");
+  makePatternCheckStub
+    .withArgs(CSHARP_BASE_PATTERNS)
+    .resolves(CSHARP_BASE_PATTERNS);
+  makePatternCheckStub.withArgs(CSHARP_EXTRA_PATTERNS).resolves(undefined);
+
+  const results = await downloadDependencyCaches(
+    codeql,
+    features,
+    [KnownLanguage.csharp],
+    logger,
+  );
+  t.is(results.length, 1);
+  t.is(results[0].language, KnownLanguage.csharp);
+  t.is(results[0].hit_kind, CacheHitKind.Partial);
+  t.assert(restoreCacheStub.calledOnce);
+});
+
+test("getFeaturePrefix - returns empty string if no features are enabled", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([]);
+
+  for (const knownLanguage of Object.values(KnownLanguage)) {
+    const result = await getFeaturePrefix(codeql, features, knownLanguage);
+    t.deepEqual(result, "", `Expected no feature prefix for ${knownLanguage}`);
+  }
+});
+
+test("getFeaturePrefix - Java - returns 'minify-' if JavaMinimizeDependencyJars is enabled", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([Feature.JavaMinimizeDependencyJars]);
+
+  const result = await getFeaturePrefix(codeql, features, KnownLanguage.java);
+  t.deepEqual(result, "minify-");
+});
+
+test("getFeaturePrefix - non-Java - returns '' if JavaMinimizeDependencyJars is enabled", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([Feature.JavaMinimizeDependencyJars]);
+
+  for (const knownLanguage of Object.values(KnownLanguage)) {
+    // Skip Java since we expect a result for it, which is tested in the previous test.
+    if (knownLanguage === KnownLanguage.java) {
+      continue;
+    }
+    const result = await getFeaturePrefix(codeql, features, knownLanguage);
+    t.deepEqual(result, "", `Expected no feature prefix for ${knownLanguage}`);
+  }
+});
+
+test("getFeaturePrefix - C# - returns prefix if CsharpNewCacheKey is enabled", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([Feature.CsharpNewCacheKey]);
+
+  const result = await getFeaturePrefix(codeql, features, KnownLanguage.csharp);
+  t.notDeepEqual(result, "");
+  t.assert(result.endsWith("-"));
+  // Check the length of the prefix, which should correspond to `cacheKeyHashLength` + 1 for the trailing `-`.
+  t.is(result.length, cacheKeyHashLength + 1);
+});
+
+test("getFeaturePrefix - non-C# - returns '' if CsharpNewCacheKey is enabled", async (t) => {
+  const codeql = createStubCodeQL({});
+  const features = createFeatures([Feature.CsharpNewCacheKey]);
+
+  for (const knownLanguage of Object.values(KnownLanguage)) {
+    // Skip C# since we expect a result for it, which is tested in the previous test.
+    if (knownLanguage === KnownLanguage.csharp) {
+      continue;
+    }
+    const result = await getFeaturePrefix(codeql, features, knownLanguage);
+    t.deepEqual(result, "", `Expected no feature prefix for ${knownLanguage}`);
+  }
+});
--- a/src/dependency-caching.ts
+++ b/src/dependency-caching.ts
@@ -6,9 +6,11 @@ import * as glob from "@actions/glob";

 import { getTemporaryDirectory } from "./actions-util";
 import { listActionsCaches } from "./api-client";
-import { getTotalCacheSize } from "./caching-utils";
+import { createCacheKeyHash, getTotalCacheSize } from "./caching-utils";
+import { CodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
+import { Feature, FeatureEnablement } from "./feature-flags";
 import { KnownLanguage, Language } from "./languages";
 import { Logger } from "./logging";
 import { getErrorMessage, getRequiredEnvParam } from "./util";
@@ -16,15 +18,21 @@ import { getErrorMessage, getRequiredEnvParam } from "./util";
 /**
 * Caching configuration for a particular language.
 */
-interface CacheConfig {
-  /** The paths of directories on the runner that should be included in the cache. */
-  paths: string[];
+export interface CacheConfig {
+  /** Gets the paths of directories on the runner that should be included in the cache. */
+  getDependencyPaths: () => string[];
  /**
-   * Patterns for the paths of files whose contents affect which dependencies are used
-   * by a project. We find all files which match these patterns, calculate a hash for
-   * their contents, and use that hash as part of the cache key.
+   * Gets an array of glob patterns for the paths of files whose contents affect which dependencies are used
+   * by a project. This function also checks whether there are any matching files and returns
+   * `undefined` if no files match.
+   *
+   * The glob patterns are intended to be used for cache keys, where we find all files which match these
+   * patterns, calculate a hash for their contents, and use that hash as part of the cache key.
   */
-  hash: string[];
+  getHashPatterns: (
+    codeql: CodeQL,
+    features: FeatureEnablement,
+  ) => Promise<string[] | undefined>;
 }

 const CODEQL_DEPENDENCY_CACHE_PREFIX = "codeql-dependencies";
@@ -39,21 +47,105 @@ export function getJavaTempDependencyDir(): string {
  return join(getTemporaryDirectory(), "codeql_java", "repository");
 }

+/**
+ * Returns an array of paths of directories on the runner that should be included in a dependency cache
+ * for a Java analysis. It is important that this is a function, because we call `getTemporaryDirectory`
+ * which would otherwise fail in tests if we haven't had a chance to initialise `RUNNER_TEMP`.
+ *
+ * @returns The paths of directories on the runner that should be included in a dependency cache
+ * for a Java analysis.
+ */
+export function getJavaDependencyDirs(): string[] {
+  return [
+    // Maven
+    join(os.homedir(), ".m2", "repository"),
+    // Gradle
+    join(os.homedir(), ".gradle", "caches"),
+    // CodeQL Java build-mode: none
+    getJavaTempDependencyDir(),
+  ];
+}
+
+/**
+ * Checks that there are files which match `patterns`. If there are matching files for any of the patterns,
+ * this function returns all `patterns`. Otherwise, `undefined` is returned.
+ *
+ * @param patterns The glob patterns to find matching files for.
+ * @returns The array of glob patterns if there are matching files, or `undefined` otherwise.
+ */
+export async function makePatternCheck(
+  patterns: string[],
+): Promise<string[] | undefined> {
+  const globber = await makeGlobber(patterns);
+
+  if ((await globber.glob()).length === 0) {
+    return undefined;
+  }
+
+  return patterns;
+}
+
+/** These files contain accurate information about dependencies, including the exact versions
+ * that the relevant package manager has determined for the project. Using these gives us
+ * stable hashes unless the dependencies change.
+ */
+export const CSHARP_BASE_PATTERNS = [
+  // NuGet
+  "**/packages.lock.json",
+  // Paket
+  "**/paket.lock",
+];
+
+/** These are less accurate for use in cache key calculations, because they:
+ *
+ * - Don't contain the exact versions used. They may only contain version ranges or none at all.
+ * - They contain information unrelated to dependencies, which we don't care about.
+ *
+ * As a result, the hash we compute from these files may change, even if
+ * the dependencies haven't changed.
+ */
+export const CSHARP_EXTRA_PATTERNS = [
+  "**/*.csproj",
+  "**/packages.config",
+  "**/nuget.config",
+];
+
+/**
+ * Returns the list of glob patterns that should be used to calculate the cache key hash
+ * for a C# dependency cache. This will try to use `CSHARP_BASE_PATTERNS` whenever possible.
+ * As a fallback, it will also use `CSHARP_EXTRA_PATTERNS` if the corresponding FF is enabled.
+ *
+ * @param codeql The CodeQL instance to use.
+ * @param features Information about which FFs are enabled.
+ * @returns A list of glob patterns to use for hashing.
+ */
+export async function getCsharpHashPatterns(
+  codeql: CodeQL,
+  features: FeatureEnablement,
+): Promise<string[] | undefined> {
+  const basePatterns = await internal.makePatternCheck(CSHARP_BASE_PATTERNS);
+
+  if (basePatterns !== undefined) {
+    return basePatterns;
+  }
+
+  if (await features.getValue(Feature.CsharpNewCacheKey, codeql)) {
+    return internal.makePatternCheck(CSHARP_EXTRA_PATTERNS);
+  }
+
+  // If we get to this point, we didn't find any files with `CSHARP_BASE_PATTERNS`,
+  // and `Feature.CsharpNewCacheKey` is not enabled.
+  return undefined;
+}
+
 /**
 * Default caching configurations per language.
 */
-function getDefaultCacheConfig(): { [language: string]: CacheConfig } {
-  return {
-    java: {
-      paths: [
-        // Maven
-        join(os.homedir(), ".m2", "repository"),
-        // Gradle
-        join(os.homedir(), ".gradle", "caches"),
-        // CodeQL Java build-mode: none
-        getJavaTempDependencyDir(),
-      ],
-      hash: [
+const defaultCacheConfigs: { [language: string]: CacheConfig } = {
+  java: {
+    getDependencyPaths: getJavaDependencyDirs,
+    getHashPatterns: async () =>
+      internal.makePatternCheck([
        // Maven
        "**/pom.xml",
        // Gradle
@@ -63,23 +155,17 @@ function getDefaultCacheConfig(): { [language: string]: CacheConfig } {
        "buildSrc/**/Dependencies.kt",
        "gradle/*.versions.toml",
        "**/versions.properties",
-      ],
-    },
-    csharp: {
-      paths: [join(os.homedir(), ".nuget", "packages")],
-      hash: [
-        // NuGet
-        "**/packages.lock.json",
-        // Paket
-        "**/paket.lock",
-      ],
-    },
-    go: {
-      paths: [join(os.homedir(), "go", "pkg", "mod")],
-      hash: ["**/go.sum"],
-    },
-  };
-}
+      ]),
+  },
+  csharp: {
+    getDependencyPaths: () => [join(os.homedir(), ".nuget", "packages")],
+    getHashPatterns: getCsharpHashPatterns,
+  },
+  go: {
+    getDependencyPaths: () => [join(os.homedir(), "go", "pkg", "mod")],
+    getHashPatterns: async () => internal.makePatternCheck(["**/go.sum"]),
+  },
+};

 async function makeGlobber(patterns: string[]): Promise<glob.Globber> {
  return glob.create(patterns.join("\n"));
@@ -107,23 +193,57 @@ export interface DependencyCacheRestoreStatus {
 /** An array of `DependencyCacheRestoreStatus` objects for each analysed language with a caching configuration. */
 export type DependencyCacheRestoreStatusReport = DependencyCacheRestoreStatus[];

+/**
+ * A wrapper around `cacheConfig.getHashPatterns` which logs when there are no files to calculate
+ * a hash for the cache key from.
+ *
+ * @param codeql The CodeQL instance to use.
+ * @param features Information about which FFs are enabled.
+ * @param language The language the `CacheConfig` is for. For use in the log message.
+ * @param cacheConfig The caching configuration to call `getHashPatterns` on.
+ * @param checkType Whether we are checking the patterns for a download or upload.
+ * @param logger The logger to write the log message to if there is an error.
+ * @returns An array of glob patterns to use for hashing files, or `undefined` if there are no matching files.
+ */
+export async function checkHashPatterns(
+  codeql: CodeQL,
+  features: FeatureEnablement,
+  language: Language,
+  cacheConfig: CacheConfig,
+  checkType: "download" | "upload",
+  logger: Logger,
+): Promise<string[] | undefined> {
+  const patterns = await cacheConfig.getHashPatterns(codeql, features);
+
+  if (patterns === undefined) {
+    logger.info(
+      `Skipping ${checkType} of dependency cache for ${language} as we cannot calculate a hash for the cache key.`,
+    );
+  }
+
+  return patterns;
+}
+
 /**
 * Attempts to restore dependency caches for the languages being analyzed.
 *
+ * @param codeql The CodeQL instance to use.
+ * @param features Information about which FFs are enabled.
 * @param languages The languages being analyzed.
 * @param logger A logger to record some informational messages to.
- * @param minimizeJavaJars Whether the Java extractor should rewrite downloaded JARs to minimize their size.
+ *
 * @returns An array of `DependencyCacheRestoreStatus` objects for each analysed language with a caching configuration.
 */
 export async function downloadDependencyCaches(
+  codeql: CodeQL,
+  features: FeatureEnablement,
  languages: Language[],
  logger: Logger,
-  minimizeJavaJars: boolean,
 ): Promise<DependencyCacheRestoreStatusReport> {
  const status: DependencyCacheRestoreStatusReport = [];

  for (const language of languages) {
-    const cacheConfig = getDefaultCacheConfig()[language];
+    const cacheConfig = defaultCacheConfigs[language];

    if (cacheConfig === undefined) {
      logger.info(
@@ -134,19 +254,22 @@ export async function downloadDependencyCaches(

    // Check that we can find files to calculate the hash for the cache key from, so we don't end up
    // with an empty string.
-    const globber = await makeGlobber(cacheConfig.hash);
-
-    if ((await globber.glob()).length === 0) {
+    const patterns = await checkHashPatterns(
+      codeql,
+      features,
+      language,
+      cacheConfig,
+      "download",
+      logger,
+    );
+    if (patterns === undefined) {
      status.push({ language, hit_kind: CacheHitKind.NoHash });
-      logger.info(
-        `Skipping download of dependency cache for ${language} as we cannot calculate a hash for the cache key.`,
-      );
      continue;
    }

-    const primaryKey = await cacheKey(language, cacheConfig, minimizeJavaJars);
+    const primaryKey = await cacheKey(codeql, features, language, patterns);
    const restoreKeys: string[] = [
-      await cachePrefix(language, minimizeJavaJars),
+      await cachePrefix(codeql, features, language),
    ];

    logger.info(
@@ -157,7 +280,7 @@ export async function downloadDependencyCaches(

    const start = performance.now();
    const hitKey = await actionsCache.restoreCache(
-      cacheConfig.paths,
+      cacheConfig.getDependencyPaths(),
      primaryKey,
      restoreKeys,
    );
@@ -203,20 +326,22 @@ export type DependencyCacheUploadStatusReport = DependencyCacheUploadStatus[];
 /**
 * Attempts to store caches for the languages that were analyzed.
 *
+ * @param codeql The CodeQL instance to use.
+ * @param features Information about which FFs are enabled.
 * @param config The configuration for this workflow.
 * @param logger A logger to record some informational messages to.
- * @param minimizeJavaJars Whether the Java extractor should rewrite downloaded JARs to minimize their size.
 *
 * @returns An array of `DependencyCacheUploadStatus` objects for each analysed language with a caching configuration.
 */
 export async function uploadDependencyCaches(
+  codeql: CodeQL,
+  features: FeatureEnablement,
  config: Config,
  logger: Logger,
-  minimizeJavaJars: boolean,
 ): Promise<DependencyCacheUploadStatusReport> {
  const status: DependencyCacheUploadStatusReport = [];
  for (const language of config.languages) {
-    const cacheConfig = getDefaultCacheConfig()[language];
+    const cacheConfig = defaultCacheConfigs[language];

    if (cacheConfig === undefined) {
      logger.info(
@@ -227,13 +352,16 @@ export async function uploadDependencyCaches(

    // Check that we can find files to calculate the hash for the cache key from, so we don't end up
    // with an empty string.
-    const globber = await makeGlobber(cacheConfig.hash);
-
-    if ((await globber.glob()).length === 0) {
+    const patterns = await checkHashPatterns(
+      codeql,
+      features,
+      language,
+      cacheConfig,
+      "upload",
+      logger,
+    );
+    if (patterns === undefined) {
      status.push({ language, result: CacheStoreResult.NoHash });
-      logger.info(
-        `Skipping upload of dependency cache for ${language} as we cannot calculate a hash for the cache key.`,
-      );
      continue;
    }

@@ -247,7 +375,11 @@ export async function uploadDependencyCaches(
    //   use the cache quota that we compete with. In that case, we do not wish to use up all of the quota
    //   with the dependency caches. For this, we could use the Cache API to check whether other workflows
    //   are using the quota and how full it is.
-    const size = await getTotalCacheSize(cacheConfig.paths, logger, true);
+    const size = await getTotalCacheSize(
+      cacheConfig.getDependencyPaths(),
+      logger,
+      true,
+    );

    // Skip uploading an empty cache.
    if (size === 0) {
@@ -258,7 +390,7 @@ export async function uploadDependencyCaches(
      continue;
    }

-    const key = await cacheKey(language, cacheConfig, minimizeJavaJars);
+    const key = await cacheKey(codeql, features, language, patterns);

    logger.info(
      `Uploading cache of size ${size} for ${language} with key ${key}...`,
@@ -266,7 +398,7 @@ export async function uploadDependencyCaches(

    try {
      const start = performance.now();
-      await actionsCache.saveCache(cacheConfig.paths, key);
+      await actionsCache.saveCache(cacheConfig.getDependencyPaths(), key);
      const upload_duration_ms = Math.round(performance.now() - start);

      status.push({
@@ -299,31 +431,86 @@ export async function uploadDependencyCaches(
 /**
 * Computes a cache key for the specified language.
 *
+ * @param codeql The CodeQL instance to use.
+ * @param features Information about which FFs are enabled.
 * @param language The language being analyzed.
- * @param cacheConfig The cache configuration for the language.
- * @param minimizeJavaJars Whether the Java extractor should rewrite downloaded JARs to minimize their size.
+ * @param patterns The file patterns to hash.
+ *
 * @returns A cache key capturing information about the project(s) being analyzed in the specified language.
 */
-async function cacheKey(
+export async function cacheKey(
+  codeql: CodeQL,
+  features: FeatureEnablement,
  language: Language,
-  cacheConfig: CacheConfig,
-  minimizeJavaJars: boolean = false,
+  patterns: string[],
 ): Promise<string> {
-  const hash = await glob.hashFiles(cacheConfig.hash.join("\n"));
-  return `${await cachePrefix(language, minimizeJavaJars)}${hash}`;
+  const hash = await glob.hashFiles(patterns.join("\n"));
+  return `${await cachePrefix(codeql, features, language)}${hash}`;
+}
+
+/**
+ * If experimental features which the cache contents depend on are enabled for the current language,
+ * this function returns a prefix that uniquely identifies the set of enabled features. The purpose of
+ * this is to avoid restoring caches whose contents depended on experimental features, if those
+ * experimental features are later disabled.
+ *
+ * @param codeql The CodeQL instance.
+ * @param features Information about enabled features.
+ * @param language The language we are creating the key for.
+ *
+ * @returns A cache key prefix identifying the enabled, experimental features that the cache depends on.
+ */
+export async function getFeaturePrefix(
+  codeql: CodeQL,
+  features: FeatureEnablement,
+  language: Language,
+): Promise<string> {
+  const enabledFeatures: Feature[] = [];
+
+  const addFeatureIfEnabled = async (feature: Feature) => {
+    if (await features.getValue(feature, codeql)) {
+      enabledFeatures.push(feature);
+    }
+  };
+
+  if (language === KnownLanguage.java) {
+    // To ensure a safe rollout of JAR minimization, we change the key when the feature is enabled.
+    const minimizeJavaJars = await features.getValue(
+      Feature.JavaMinimizeDependencyJars,
+      codeql,
+    );
+
+    // To maintain backwards compatibility with this, we return "minify-" instead of a hash.
+    if (minimizeJavaJars) {
+      return "minify-";
+    }
+  } else if (language === KnownLanguage.csharp) {
+    await addFeatureIfEnabled(Feature.CsharpNewCacheKey);
+  }
+
+  // If any features that affect the cache are enabled, return a feature prefix by
+  // computing a hash of the feature array.
+  if (enabledFeatures.length > 0) {
+    return `${createCacheKeyHash(enabledFeatures)}-`;
+  }
+
+  // No feature prefix.
+  return "";
 }

 /**
 * Constructs a prefix for the cache key, comprised of a CodeQL-specific prefix, a version number that
 * can be changed to invalidate old caches, the runner's operating system, and the specified language name.
 *
+ * @param codeql The CodeQL instance to use.
+ * @param features Information about which FFs are enabled.
 * @param language The language being analyzed.
- * @param minimizeJavaJars Whether the Java extractor should rewrite downloaded JARs to minimize their size.
 * @returns The prefix that identifies what a cache is for.
 */
 async function cachePrefix(
+  codeql: CodeQL,
+  features: FeatureEnablement,
  language: Language,
-  minimizeJavaJars: boolean,
 ): Promise<string> {
  const runnerOs = getRequiredEnvParam("RUNNER_OS");
  const customPrefix = process.env[EnvVar.DEPENDENCY_CACHING_PREFIX];
@@ -333,12 +520,18 @@ async function cachePrefix(
    prefix = `${prefix}-${customPrefix}`;
  }

-  // To ensure a safe rollout of JAR minimization, we change the key when the feature is enabled.
-  if (language === KnownLanguage.java && minimizeJavaJars) {
-    prefix = `minify-${prefix}`;
-  }
+  // Calculate the feature prefix for the cache, if any. This is a hash that identifies
+  // experimental features that affect the cache contents.
+  const featurePrefix = await getFeaturePrefix(codeql, features, language);

-  return `${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
+  // Assemble the cache key. For backwards compatibility with the JAR minification experiment's existing
+  // feature prefix usage, we add that feature prefix at the start. Other feature prefixes are inserted
+  // after the general CodeQL dependency cache prefix.
+  if (featurePrefix === "minify-") {
+    return `${featurePrefix}${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
+  } else {
+    return `${prefix}-${featurePrefix}${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
+  }
 }

 /** Represents information about our overall cache usage for CodeQL dependency caches. */
@@ -371,3 +564,7 @@ export async function getDependencyCacheUsage(

  return undefined;
 }
+
+export const internal = {
+  makePatternCheck,
+};
--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@@ -47,6 +47,7 @@ export enum Feature {
  AnalyzeUseNewUpload = "analyze_use_new_upload",
  CleanupTrapCaches = "cleanup_trap_caches",
  CppDependencyInstallation = "cpp_dependency_installation_enabled",
+  CsharpNewCacheKey = "csharp_new_cache_key",
  DiffInformedQueries = "diff_informed_queries",
  DisableCsharpBuildless = "disable_csharp_buildless",
  DisableJavaBuildlessEnabled = "disable_java_buildless_enabled",
@@ -76,7 +77,6 @@ export enum Feature {
  OverlayAnalysisSwift = "overlay_analysis_swift",
  PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
  QaTelemetryEnabled = "qa_telemetry_enabled",
-  ResolveSupportedLanguagesUsingCli = "resolve_supported_languages_using_cli",
  UseRepositoryProperties = "use_repository_properties",
  ValidateDbConfig = "validate_db_config",
 }
@@ -133,6 +133,11 @@ export const featureConfig: Record<
    legacyApi: true,
    minimumVersion: "2.15.0",
  },
+  [Feature.CsharpNewCacheKey]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY",
+    minimumVersion: undefined,
+  },
  [Feature.DiffInformedQueries]: {
    defaultValue: true,
    envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
@@ -161,12 +166,6 @@ export const featureConfig: Record<
    legacyApi: true,
    minimumVersion: undefined,
  },
-  [Feature.ResolveSupportedLanguagesUsingCli]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
-    minimumVersion: undefined,
-    toolsFeature: ToolsFeature.BuiltinExtractorsSpecifyDefaultQueries,
-  },
  [Feature.OverlayAnalysis]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
--- a/src/init-action.ts
+++ b/src/init-action.ts
@@ -578,15 +578,12 @@ async function run() {
    }

    // Restore dependency cache(s), if they exist.
-    const minimizeJavaJars = await features.getValue(
-      Feature.JavaMinimizeDependencyJars,
-      codeql,
-    );
    if (shouldRestoreCache(config.dependencyCachingEnabled)) {
      dependencyCachingResults = await downloadDependencyCaches(
+        codeql,
+        features,
        config.languages,
        logger,
-        minimizeJavaJars,
      );
    }

@@ -648,7 +645,7 @@ async function run() {
        `${EnvVar.JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS} is already set to '${process.env[EnvVar.JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS]}', so the Action will not override it.`,
      );
    } else if (
-      minimizeJavaJars &&
+      (await features.getValue(Feature.JavaMinimizeDependencyJars, codeql)) &&
      config.dependencyCachingEnabled &&
      config.buildMode === BuildMode.None &&
      config.languages.includes(KnownLanguage.java)
--- a/src/overlay-database-utils.ts
+++ b/src/overlay-database-utils.ts
@@ -1,4 +1,3 @@
-import * as crypto from "crypto";
 import * as fs from "fs";
 import * as path from "path";

@@ -11,6 +10,7 @@ import {
  getWorkflowRunID,
 } from "./actions-util";
 import { getAutomationID } from "./api-client";
+import { createCacheKeyHash } from "./caching-utils";
 import { type CodeQL } from "./codeql";
 import { type Config } from "./config-utils";
 import { getCommitOid, getFileOidsUnderPath } from "./git-utils";
@@ -514,27 +514,3 @@ export async function getCacheRestoreKeyPrefix(
  // easier to debug and understand the cache key structure.
  return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languages}-${codeQlVersion}-`;
 }
-
-/**
- * Creates a SHA-256 hash of the cache key components to ensure uniqueness
- * while keeping the cache key length manageable.
- *
- * @param components Object containing all components that should influence cache key uniqueness
- * @returns A short SHA-256 hash (first 16 characters) of the components
- */
-function createCacheKeyHash(components: Record<string, any>): string {
-  // From https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify
-  //
-  // "Properties are visited using the same algorithm as Object.keys(), which
-  // has a well-defined order and is stable across implementations. For example,
-  // JSON.stringify on the same object will always produce the same string, and
-  // JSON.parse(JSON.stringify(obj)) would produce an object with the same key
-  // ordering as the original (assuming the object is completely
-  // JSON-serializable)."
-  const componentsJson = JSON.stringify(components);
-  return crypto
-    .createHash("sha256")
-    .update(componentsJson)
-    .digest("hex")
-    .substring(0, 16);
-}
--- a/src/status-report.ts
+++ b/src/status-report.ts
@@ -252,7 +252,7 @@ export interface EventReport {
 *
 * @param actionName The name of the action, e.g. 'init', 'finish', 'upload-sarif'
 * @param status The status. Must be 'success', 'failure', or 'starting'
- * @param startedAt The time this action started executing.
+ * @param actionStartedAt The time this action started executing.
 * @param cause  Cause of failure (only supply if status is 'failure')
 * @param exception Exception (only supply if status is 'failure')
 * @returns undefined if an exception was thrown.
--- a/src/upload-lib.ts
+++ b/src/upload-lib.ts
@@ -738,7 +738,7 @@ export async function postProcessSarifFiles(
 * @param logger The logger to use.
 * @param pathInput The input provided for `post-processed-sarif-path`.
 * @param uploadTarget The upload target.
- * @param processingResults The results of post-processing SARIF files.
+ * @param postProcessingResults The results of post-processing SARIF files.
 */
 export async function writePostProcessedFiles(
  logger: Logger,
--- a/src/util.test.ts
+++ b/src/util.test.ts
@@ -447,13 +447,21 @@ const CHECK_ACTION_VERSION_TESTS: Array<[string, util.GitHubVersion, boolean]> =
    ["2.2.1", { type: util.GitHubVariant.DOTCOM }, true],
    ["2.2.1", { type: util.GitHubVariant.GHE_DOTCOM }, true],
    ["2.2.1", { type: util.GitHubVariant.GHES, version: "3.10" }, false],
-    ["2.2.1", { type: util.GitHubVariant.GHES, version: "3.11" }, true],
-    ["2.2.1", { type: util.GitHubVariant.GHES, version: "3.12" }, true],
-    ["3.2.1", { type: util.GitHubVariant.DOTCOM }, false],
-    ["3.2.1", { type: util.GitHubVariant.GHE_DOTCOM }, false],
+    ["2.2.1", { type: util.GitHubVariant.GHES, version: "3.11" }, false],
+    ["2.2.1", { type: util.GitHubVariant.GHES, version: "3.12" }, false],
+    ["3.2.1", { type: util.GitHubVariant.DOTCOM }, true],
+    ["3.2.1", { type: util.GitHubVariant.GHE_DOTCOM }, true],
    ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.10" }, false],
    ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.11" }, false],
    ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.12" }, false],
+    ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.19" }, false],
+    ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.20" }, true],
+    ["3.2.1", { type: util.GitHubVariant.GHES, version: "3.21" }, true],
+    ["4.2.1", { type: util.GitHubVariant.DOTCOM }, false],
+    ["4.2.1", { type: util.GitHubVariant.GHE_DOTCOM }, false],
+    ["4.2.1", { type: util.GitHubVariant.GHES, version: "3.19" }, false],
+    ["4.2.1", { type: util.GitHubVariant.GHES, version: "3.20" }, false],
+    ["4.2.1", { type: util.GitHubVariant.GHES, version: "3.21" }, false],
  ];

 for (const [
@@ -480,9 +488,7 @@ for (const [
    if (shouldReportError) {
      t.true(
        warningSpy.calledOnceWithExactly(
-          sinon.match(
-            "CodeQL Action major versions v1 and v2 have been deprecated.",
-          ),
+          sinon.match("CodeQL Action v3 will be deprecated in December 2026."),
        ),
      );
    } else {
--- a/src/util.ts
+++ b/src/util.ts
@@ -1114,38 +1114,38 @@ export async function checkDiskUsage(
 }

 /**
- * Prompt the customer to upgrade to CodeQL Action v3, if appropriate.
+ * Prompt the customer to upgrade to CodeQL Action v4, if appropriate.
 *
- * Check whether a customer is running v1 or v2. If they are, and we can determine that the GitHub
- * instance supports v3, then log an error prompting the customer to upgrade to v3.
+ * Check whether a customer is running v3. If they are, and we can determine that the GitHub
+ * instance supports v4, then log an error prompting the customer to upgrade to v4.
 */
 export function checkActionVersion(
  version: string,
  githubVersion: GitHubVersion,
 ) {
  if (
-    !semver.satisfies(version, ">=3") && // do not log error if the customer is already running v3
+    !semver.satisfies(version, ">=4") && // do not log error if the customer is already running v4
    !process.env[EnvVar.LOG_VERSION_DEPRECATION] // do not log error if we have already
  ) {
-    // Only error for versions of GHES that are compatible with CodeQL Action version 3.
+    // Only error for versions of GHES that are compatible with CodeQL Action version 4.
    //
-    // GHES 3.11 shipped without the v3 tag, but it also shipped without this warning message code.
-    // Therefore users who are seeing this warning message code have pulled in a new version of the
-    // Action, and with it the v3 tag.
+    // GHES 3.20 is the first version to ship with the v4 tag and this warning message code.
+    // Therefore, users who are seeing this warning message code are running on GHES 3.20 or newer,
+    // and should update to CodeQL Action v4.
    if (
      githubVersion.type === GitHubVariant.DOTCOM ||
      githubVersion.type === GitHubVariant.GHE_DOTCOM ||
      (githubVersion.type === GitHubVariant.GHES &&
        semver.satisfies(
          semver.coerce(githubVersion.version) ?? "0.0.0",
-          ">=3.11",
+          ">=3.20",
        ))
    ) {
      core.error(
-        "CodeQL Action major versions v1 and v2 have been deprecated. " +
-          "Please update all occurrences of the CodeQL Action in your workflow files to v3. " +
+        "CodeQL Action v3 will be deprecated in December 2026. " +
+          "Please update all occurrences of the CodeQL Action in your workflow files to v4. " +
          "For more information, see " +
-          "https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/",
+          "https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/",
      );
      // set LOG_VERSION_DEPRECATION env var to prevent the warning from being logged multiple times
      core.exportVariable(EnvVar.LOG_VERSION_DEPRECATION, "true");
--- a/tests/multi-language-repo/global.json
+++ b/tests/multi-language-repo/global.json
@@ -0,0 +1,6 @@
+{
+  "sdk": {
+    "version": "9.0.307",
+    "rollForward": "latestFeature"
+  }
+}
Author	SHA1	Message	Date
Henry Mercer	228f988153	Remove push trigger from manual checks To avoid issues with concurrency groups	2025-11-13 20:53:54 +00:00
Michael B. Gale	8c10e89c78	Merge pull request #3288 from github/update-bundle/codeql-bundle-v2.23.5 Update default bundle to 2.23.5	2025-11-13 20:50:51 +00:00
Michael B. Gale	9777b01a49	Merge branch 'main' into update-bundle/codeql-bundle-v2.23.5	2025-11-13 20:11:59 +00:00
Henry Mercer	456a74a6fa	Merge pull request #3289 from github/mbg/ci/setup-dotnet Add support for adding `setup-dotnet` steps to `sync.sh`	2025-11-13 20:11:33 +00:00
Michael B. Gale	3fac49c140	Update remaining workflows	2025-11-13 19:53:24 +00:00
Michael B. Gale	38a3a7258f	Enable `installDotNet` in all workflows that analyse C#	2025-11-13 19:48:37 +00:00
Michael B. Gale	58c9eb6c03	Add `global.json`	2025-11-13 19:48:37 +00:00
Michael B. Gale	f20e02164a	Add support for adding `setup-dotnet` steps to `sync.sh`	2025-11-13 18:58:54 +00:00
github-actions[bot]	8d3d4001e3	Add changelog note	2025-11-13 18:40:00 +00:00
github-actions[bot]	362f8d1d2d	Update default bundle to codeql-bundle-v2.23.5	2025-11-13 18:39:52 +00:00
Michael B. Gale	ba454b8ab4	Merge pull request #3284 from github/mbg/ci/fix-enterprise-workflow Fix `update-supported-enterprise-server-versions.yml` workflow	2025-11-12 15:35:56 +00:00
Michael B. Gale	7a7cd8565c	Don't push for PR event	2025-11-12 15:09:25 +00:00
Michael B. Gale	fd830db27b	Trigger on PR for relevant changes	2025-11-12 15:05:11 +00:00
Michael B. Gale	a7e52b690b	Perform sparse checkout	2025-11-12 15:04:21 +00:00
Michael B. Gale	71c3720f43	Run `npm ci` in `update-supported-enterprise-server-versions.yml`	2025-11-12 14:57:05 +00:00
Michael B. Gale	534824ea1b	Merge pull request #3117 from github/mbg/csharp/new-cache-key-calculation Support non-lock files for C# cache key computation	2025-11-12 11:03:09 +00:00
Henry Mercer	1d9f357d01	Merge pull request #3281 from github/dependabot/npm_and_yarn/npm-minor-9dd9c1a8e4 Bump the npm-minor group with 4 updates	2025-11-11 10:21:24 +00:00
github-actions[bot]	3d7be7bf78	Rebuild	2025-11-10 17:49:58 +00:00
dependabot[bot]	63bb415fff	Bump the npm-minor group with 4 updates Bumps the npm-minor group with 4 updates: [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js), [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin), [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) and [esbuild](https://github.com/evanw/esbuild). Updates `@eslint/js` from 9.39.0 to 9.39.1 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/commits/v9.39.1/packages/js) Updates `@typescript-eslint/eslint-plugin` from 8.46.3 to 8.46.4 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.46.4/packages/eslint-plugin) Updates `@typescript-eslint/parser` from 8.46.3 to 8.46.4 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.46.4/packages/parser) Updates `esbuild` from 0.25.12 to 0.27.0 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md) - [Commits](https://github.com/evanw/esbuild/compare/v0.25.12...v0.27.0) --- updated-dependencies: - dependency-name: "@eslint/js" dependency-version: 9.39.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: "@typescript-eslint/eslint-plugin" dependency-version: 8.46.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: "@typescript-eslint/parser" dependency-version: 8.46.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: esbuild dependency-version: 0.27.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2025-11-10 17:48:25 +00:00
Michael B. Gale	04bd5c6aab	Merge pull request #3279 from github/mbg/lint/jsdoc-param-names Linter: check JSDoc parameter names exist	2025-11-10 11:36:02 +00:00
Michael B. Gale	48a56f6b93	Add some tests for `downloadDependencyCaches` related to feature prefixes	2025-11-09 12:03:18 +00:00
Michael B. Gale	4885eb2ad9	Insert new `featurePrefix` after general cache key `prefix`	2025-11-09 11:17:02 +00:00
Michael B. Gale	a47d5507cf	Restore earlier log messages for `checkHashPatterns`	2025-11-09 11:11:10 +00:00
Michael B. Gale	b0e9dfce55	Restore missing `status.push` resulting from a bad merge	2025-11-09 11:10:27 +00:00
Michael B. Gale	35c91ef0af	Add tests for `getCsharpHashPatterns` - Make the function more easily testable by allowing `makePatternCheck` to be stubbed. - Use `makePatternCheck` for base patterns as well.	2025-11-09 11:03:15 +00:00
Michael B. Gale	71abac76d2	Fix comment in `getCsharpHashPatterns`	2025-11-09 10:32:10 +00:00
Michael B. Gale	5b58b8f9c5	Linter: check JSDoc parameter names exist	2025-11-09 10:26:36 +00:00
Michael B. Gale	46e03b48bc	Fix JSDoc param name	2025-11-09 10:05:18 +00:00
Henry Mercer	71d0a56d44	Merge pull request #3278 from github/henrymercer/type-fun Use generic types for durations in status report	2025-11-06 10:47:44 +00:00
Henry Mercer	04285cbe85	Use generic types for durations in status report This means we don't need to update this interface for every new language.	2025-11-05 18:54:44 +00:00
Michael B. Gale	26804552e4	Use `undefined` instead of `NoMatchingFilesError` Add tests for `makePatternCheck` and `checkHashPatterns`	2025-11-05 17:23:22 +00:00
Michael B. Gale	03b2dc2a3f	Add and use `getFeaturePrefix` for dependency caching	2025-11-05 16:33:21 +00:00
Michael B. Gale	0cbd930deb	Move `createCacheKeyHash` to `caching-utils`	2025-11-05 16:15:26 +00:00
Michael B. Gale	0324490286	Use additional files for C# key hashes if `Feature.CsharpNewCacheKey` is enabled	2025-11-05 16:03:41 +00:00
Michael B. Gale	6b48207907	Move check whether there are files for hashing into `getHashPatterns`	2025-11-05 16:03:39 +00:00
Mario Campos	320a6b661b	Merge pull request #3272 from github/mario-campos/v4-warning Update deprecation warnings for CodeQL Action to v4	2025-11-05 10:01:33 -06:00
Michael B. Gale	ab1c84236a	Change `hash` to be a function that can use `Features`	2025-11-05 15:57:57 +00:00
Michael B. Gale	2a7680fca6	Change `getDefaultCacheConfig` to be a `const` by turning `paths` into a function Changing `paths` to be a function is necessary to allow `getTemporaryDirectory` to be called	2025-11-05 15:57:55 +00:00
Michael B. Gale	2aa1f55f3d	Propagate `features` into `cachePrefix` function	2025-11-05 15:54:28 +00:00
Michael B. Gale	1ca20ab026	Add `CsharpNewCacheKey` FF	2025-11-05 15:48:04 +00:00
Mario Campos	b5e5a258e6	Merge branch 'main' into mario-campos/v4-warning	2025-11-05 09:39:54 -06:00
Mario Campos	74f662193b	Reformat with eslint	2025-11-05 09:37:42 -06:00
Mario Campos	ecee3ea8f5	Update CHANGELOG.md.	2025-11-05 09:18:30 -06:00
Mario Campos	6a63bc6af3	Change warning message to just v3 (exclude v1, v2).	2025-11-05 09:15:53 -06:00
Henry Mercer	e2ef519c75	Merge pull request #3224 from github/henrymercer/clean-up-resolve-languages-ff Clean up `resolve_supported_languages_using_cli` FF	2025-11-05 11:57:35 +00:00
Michael B. Gale	423d14e583	Merge pull request #3277 from github/mbg/ci/update-bundle-python Install Python in `update-bundle` workflow	2025-11-05 11:53:17 +00:00
Michael B. Gale	6dd11f73d3	Update .github/workflows/script/bundle_changelog.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-11-05 11:34:26 +00:00
Michael B. Gale	c9f82f2adf	Move python script to file	2025-11-05 11:22:38 +00:00
Michael B. Gale	33684ef869	Add `setup-python` step to `update-bundle` workflow	2025-11-05 11:20:06 +00:00
Michael B. Gale	5aa2d63d5b	Merge branch 'main' into mario-campos/v4-warning	2025-11-05 11:03:25 +00:00
Mario Campos	a570795dfc	Clarify the CHANGELOG.md entry to reflect the whole action, and not just `init`.	2025-11-04 12:02:15 -06:00
Mario Campos	9366f80399	Reference GHES 3.20 in the comment, not 3.19. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-11-04 12:00:11 -06:00
Mario Campos	c443dff433	Simplify warning language to not enumerate deprecated versions.	2025-11-04 11:57:44 -06:00
Mario Campos	b32a1e0627	Update test cases for GitHub Enterprise Server versions 3.11 and 3.12 to reflect correct deprecation status	2025-11-04 11:51:23 -06:00
Mario Campos	08dc635f27	Restore use of `sinon.match()`.	2025-11-04 11:11:08 -06:00
Mario Campos	f1ca6a4f47	Update tests to reflect deprecation status of CodeQL Action v3	2025-11-04 11:07:15 -06:00
Mario Campos	ba82f9bd34	Fix deprecation warning to reflect that v3 is not actually deprecated yet.	2025-11-04 10:13:07 -06:00
Mario Campos	5a9b49de7e	Update CHANGELOG to reflect warning for v3 users migrating to v4 of CodeQL Action	2025-11-04 10:09:47 -06:00
Mario Campos	1aade295bc	Update deprecation warnings for CodeQL Action to v4	2025-11-04 09:59:16 -06:00
Henry Mercer	a691497d40	Clean up `resolve_supported_languages_using_cli` FF	2025-10-22 17:04:42 +01:00