Merge pull request #1028 from github/update-v1.1.8-1ed14374

Merge v2 into v1
Update checked-in dependencies
2025-12-07 00:08:06 +08:00 · 2022-04-08 10:55:32 +01:00 · 2022-04-08 08:58:43 +00:00 · 2022-04-08 08:46:06 +00:00 · 2022-04-08 08:46:06 +00:00 · 2022-04-08 08:46:06 +00:00
124 changed files with 2106 additions and 653 deletions
--- a/.github/update-release-branch.py
+++ b/.github/update-release-branch.py
@@ -1,12 +1,9 @@
+import argparse
 import datetime
 from github import Github
-import random
-import requests
-import subprocess
-import sys
 import json
-import datetime
 import os
+import subprocess

 EMPTY_CHANGELOG = """# CodeQL Action and CodeQL Runner Changelog

@@ -16,12 +13,12 @@ No user facing changes.

 """

-# The branch being merged from.
-# This is the one that contains day-to-day development work.
-MAIN_BRANCH = 'main'
-# The branch being merged into.
-# This is the release branch that users reference.
-LATEST_RELEASE_BRANCH = 'v1'
+# Value of the mode flag for a v1 release
+V1_MODE = 'v1-release'
+
+# Value of the mode flag for a v2 release
+V2_MODE = 'v2-release'
+
 # Name of the remote
 ORIGIN = 'origin'

@@ -38,8 +35,8 @@ def run_git(*args):
 def branch_exists_on_remote(branch_name):
  return run_git('ls-remote', '--heads', ORIGIN, branch_name).strip() != ''

-# Opens a PR from the given branch to the release branch
-def open_pr(repo, all_commits, short_main_sha, branch_name):
+# Opens a PR from the given branch to the target branch
+def open_pr(repo, all_commits, source_branch_short_sha, new_branch_name, source_branch, target_branch, conductor, is_v2_release, labels):
  # Sort the commits into the pull requests that introduced them,
  # and any commits that don't have a pull request
  pull_requests = []
@@ -61,9 +58,8 @@ def open_pr(repo, all_commits, short_main_sha, branch_name):

  # Start constructing the body text
  body = []
-  body.append('Merging ' + short_main_sha + ' into ' + LATEST_RELEASE_BRANCH)
+  body.append('Merging ' + source_branch_short_sha + ' into ' + target_branch)

-  conductor = get_conductor(repo, pull_requests, commits_without_pull_requests)
  body.append('')
  body.append('Conductor for this PR is @' + conductor)

@@ -80,43 +76,40 @@ def open_pr(repo, all_commits, short_main_sha, branch_name):
    body.append('')
    body.append('Contains the following commits not from a pull request:')
    for commit in commits_without_pull_requests:
-      body.append('- ' + commit.sha + ' - ' + get_truncated_commit_message(commit) + ' (@' + commit.author.login + ')')
+      author_description = ' (@' + commit.author.login + ')' if commit.author is not None else ''
+      body.append('- ' + commit.sha + ' - ' + get_truncated_commit_message(commit) + author_description)

  body.append('')
  body.append('Please review the following:')
  body.append(' - [ ] The CHANGELOG displays the correct version and date.')
  body.append(' - [ ] The CHANGELOG includes all relevant, user-facing changes since the last release.')
-  body.append(' - [ ] There are no unexpected commits being merged into the ' + LATEST_RELEASE_BRANCH + ' branch.')
+  body.append(' - [ ] There are no unexpected commits being merged into the ' + target_branch + ' branch.')
  body.append(' - [ ] The docs team is aware of any documentation changes that need to be released.')
-  body.append(' - [ ] The mergeback PR is merged back into ' + MAIN_BRANCH + ' after this PR is merged.')
+  if is_v2_release:
+    body.append(' - [ ] The mergeback PR is merged back into ' + source_branch + ' after this PR is merged.')
+    body.append(' - [ ] The v1 release PR is merged after this PR is merged.')

-  title = 'Merge ' + MAIN_BRANCH + ' into ' + LATEST_RELEASE_BRANCH
+  title = 'Merge ' + source_branch + ' into ' + target_branch

  # Create the pull request
  # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
  # a maintainer can take the PR out of draft, thereby triggering the PR checks.
-  pr = repo.create_pull(title=title, body='\n'.join(body), head=branch_name, base=LATEST_RELEASE_BRANCH, draft=True)
+  pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=target_branch, draft=True)
+  pr.add_to_labels(*labels)
  print('Created PR #' + str(pr.number))

  # Assign the conductor
  pr.add_to_assignees(conductor)
  print('Assigned PR to ' + conductor)

-# Gets the person who should be in charge of the mergeback PR
-def get_conductor(repo, pull_requests, other_commits):
-  # If there are any PRs then use whoever merged the last one
-  if len(pull_requests) > 0:
-    return get_merger_of_pr(repo, pull_requests[-1])
-
-  # Otherwise take the author of the latest commit
-  return other_commits[-1].author.login
-
-# Gets a list of the SHAs of all commits that have happened on main
-# since the release branched off.
-# This will not include any commits that exist on the release branch
-# that aren't on main.
-def get_commit_difference(repo):
-  commits = run_git('log', '--pretty=format:%H', ORIGIN + '/' + LATEST_RELEASE_BRANCH + '..' + ORIGIN + '/' + MAIN_BRANCH).strip().split('\n')
+# Gets a list of the SHAs of all commits that have happened on the source branch
+# since the last release to the target branch.
+# This will not include any commits that exist on the target branch
+# that aren't on the source branch.
+def get_commit_difference(repo, source_branch, target_branch):
+  # Passing split nothing means that the empty string splits to nothing: compare `''.split() == []`
+  # to `''.split('\n') == ['']`.
+  commits = run_git('log', '--pretty=format:%H', ORIGIN + '/' + target_branch + '..' + ORIGIN + '/' + source_branch).strip().split()

  # Convert to full-fledged commit objects
  commits = [repo.get_commit(c) for c in commits]
@@ -136,7 +129,7 @@ def get_truncated_commit_message(commit):
  else:
    return message

-# Converts a commit into the PR that introduced it to the main branch.
+# Converts a commit into the PR that introduced it to the source branch.
 # Returns the PR object, or None if no PR could be found.
 def get_pr_for_commit(repo, commit):
  prs = commit.get_pulls()
@@ -179,29 +172,69 @@ def update_changelog(version):


 def main():
-  if len(sys.argv) != 3:
-    raise Exception('Usage: update-release.branch.py <github token> <repository nwo>')
-  github_token = sys.argv[1]
-  repository_nwo = sys.argv[2]
+  parser = argparse.ArgumentParser('update-release-branch.py')

-  repo = Github(github_token).get_repo(repository_nwo)
+  parser.add_argument(
+    '--github-token',
+    type=str,
+    required=True,
+    help='GitHub token, typically from GitHub Actions.'
+  )
+  parser.add_argument(
+    '--repository-nwo',
+    type=str,
+    required=True,
+    help='The nwo of the repository, for example github/codeql-action.'
+  )
+  parser.add_argument(
+    '--mode',
+    type=str,
+    required=True,
+    choices=[V2_MODE, V1_MODE],
+    help=f"Which release to perform. '{V2_MODE}' uses main as the source branch and v2 as the target branch. " +
+      f"'{V1_MODE}' uses v2 as the source branch and v1 as the target branch."
+  )
+  parser.add_argument(
+    '--conductor',
+    type=str,
+    required=True,
+    help='The GitHub handle of the person who is conducting the release process.'
+  )
+
+  args = parser.parse_args()
+
+  if args.mode == V2_MODE:
+    source_branch = 'main'
+    target_branch = 'v2'
+  elif args.mode == V1_MODE:
+    source_branch = 'v2'
+    target_branch = 'v1'
+  else:
+    raise ValueError(f"Unexpected value for release mode: '{args.mode}'")
+
+  repo = Github(args.github_token).get_repo(args.repository_nwo)
  version = get_current_version()

+  if args.mode == V1_MODE:
+    # Change the version number to a v1 equivalent
+    version = get_current_version()
+    version = f'1{version[1:]}'
+
  # Print what we intend to go
-  print('Considering difference between ' + MAIN_BRANCH + ' and ' + LATEST_RELEASE_BRANCH)
-  short_main_sha = run_git('rev-parse', '--short', ORIGIN + '/' + MAIN_BRANCH).strip()
-  print('Current head of ' + MAIN_BRANCH + ' is ' + short_main_sha)
+  print('Considering difference between ' + source_branch + ' and ' + target_branch)
+  source_branch_short_sha = run_git('rev-parse', '--short', ORIGIN + '/' + source_branch).strip()
+  print('Current head of ' + source_branch + ' is ' + source_branch_short_sha)

  # See if there are any commits to merge in
-  commits = get_commit_difference(repo)
+  commits = get_commit_difference(repo=repo, source_branch=source_branch, target_branch=target_branch)
  if len(commits) == 0:
-    print('No commits to merge from ' + MAIN_BRANCH + ' to ' + LATEST_RELEASE_BRANCH)
+    print('No commits to merge from ' + source_branch + ' to ' + target_branch)
    return

  # The branch name is based off of the name of branch being merged into
  # and the SHA of the branch being merged from. Thus if the branch already
  # exists we can assume we don't need to recreate it.
-  new_branch_name = 'update-v' + version + '-' + short_main_sha
+  new_branch_name = 'update-v' + version + '-' + source_branch_short_sha
  print('Branch name is ' + new_branch_name)

  # Check if the branch already exists. If so we can abort as this script
@@ -212,19 +245,79 @@ def main():

  # Create the new branch and push it to the remote
  print('Creating branch ' + new_branch_name)
-  run_git('checkout', '-b', new_branch_name, ORIGIN + '/' + MAIN_BRANCH)

-  print('Updating changelog')
-  update_changelog(version)
+  if args.mode == V1_MODE:
+    # If we're performing a backport, start from the v1 branch
+    print(f'Creating {new_branch_name} from the {ORIGIN}/v1 branch')
+    run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/v1')

-  # Create a commit that updates the CHANGELOG
-  run_git('add', 'CHANGELOG.md')
-  run_git('commit', '-m', version)
+    # Revert the commit that we made as part of the last release that updated the version number and
+    # changelog to refer to 1.x.x variants. This avoids merge conflicts in the changelog and
+    # package.json files when we merge in the v2 branch.
+    # This commit will not exist the first time we release the v1 branch from the v2 branch, so we
+    # use `git log --grep` to conditionally revert the commit.
+    print('Reverting the 1.x.x version number and changelog updates from the last release to avoid conflicts')
+    v1_update_commits = run_git('log', '--grep', '^Update version and changelog for v', '--format=%H').split()
+
+    if len(v1_update_commits) > 0:
+      print(f'  Reverting {v1_update_commits[0]}')
+      # Only revert the newest commit as older ones will already have been reverted in previous
+      # releases.
+      run_git('revert', v1_update_commits[0], '--no-edit')
+
+      # Also revert the "Update checked-in dependencies" commit created by Actions.
+      update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0]
+      print(f'  Reverting {update_dependencies_commit}')
+      run_git('revert', update_dependencies_commit, '--no-edit')
+
+    else:
+      print('  Nothing to revert.')
+
+    print(f'Merging {ORIGIN}/{source_branch} into the release prep branch')
+    run_git('merge', f'{ORIGIN}/{source_branch}', '--no-edit')
+
+    # Migrate the package version number from a v2 version number to a v1 version number
+    print(f'Setting version number to {version}')
+    subprocess.run(['npm', 'version', version, '--no-git-tag-version'])
+    run_git('add', 'package.json', 'package-lock.json')
+
+    # Migrate the changelog notes from v2 version numbers to v1 version numbers
+    print('Migrating changelog notes from v2 to v1')
+    subprocess.run(['sed', '-i', 's/^## 2\./## 1./g', 'CHANGELOG.md'])
+
+    # Remove changelog notes from v2 that don't apply to v1
+    subprocess.run(['sed', '-i', '/^- \[v2+ only\]/d', 'CHANGELOG.md'])
+
+    # Amend the commit generated by `npm version` to update the CHANGELOG
+    run_git('add', 'CHANGELOG.md')
+    run_git('commit', '-m', f'Update version and changelog for v{version}')
+  else:
+    # If we're performing a standard release, there won't be any new commits on the target branch,
+    # as these will have already been merged back into the source branch. Therefore we can just
+    # start from the source branch.
+    run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{source_branch}')
+
+    print('Updating changelog')
+    update_changelog(version)
+
+    # Create a commit that updates the CHANGELOG
+    run_git('add', 'CHANGELOG.md')
+    run_git('commit', '-m', f'Update changelog for v{version}')

  run_git('push', ORIGIN, new_branch_name)

  # Open a PR to update the branch
-  open_pr(repo, commits, short_main_sha, new_branch_name)
+  open_pr(
+    repo,
+    commits,
+    source_branch_short_sha,
+    new_branch_name,
+    source_branch=source_branch,
+    target_branch=target_branch,
+    conductor=args.conductor,
+    is_v2_release=args.mode == V2_MODE,
+    labels=['Update dependencies'] if args.mode == V1_MODE else [],
+  )

 if __name__ == '__main__':
  main()
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -65,10 +66,11 @@ jobs:
        - os: windows-2022
          version: nightly-latest
    name: "Analyze: 'ref' and 'sha' from inputs"
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__debug-artifacts.yml
+++ b/.github/workflows/__debug-artifacts.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -49,10 +50,11 @@ jobs:
        - os: macos-latest
          version: nightly-latest
    name: Debug artifact upload
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
@@ -69,7 +71,7 @@ jobs:
      run: ./build.sh
    - uses: ./../action/analyze
      id: analysis
-    - uses: actions/download-artifact@v2
+    - uses: actions/download-artifact@v3
      with:
        name: my-debug-artifacts-${{ matrix.os }}-${{ matrix.version }}
    - shell: bash
--- a/.github/workflows/__extractor-ram-threads.yml
+++ b/.github/workflows/__extractor-ram-threads.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -27,10 +28,11 @@ jobs:
        - os: ubuntu-latest
          version: latest
    name: Extractor ram and threads options test
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -65,16 +66,17 @@ jobs:
        - os: windows-2022
          version: nightly-latest
    name: 'Go: Custom queries'
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
--- a/.github/workflows/__go-custom-tracing-autobuild.yml
+++ b/.github/workflows/__go-custom-tracing-autobuild.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -49,16 +50,17 @@ jobs:
        - os: macos-latest
          version: nightly-latest
    name: 'Go: Autobuild custom tracing'
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
--- a/.github/workflows/__go-custom-tracing.yml
+++ b/.github/workflows/__go-custom-tracing.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -65,16 +66,17 @@ jobs:
        - os: windows-2022
          version: nightly-latest
    name: 'Go: Custom tracing'
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
      with:
        version: ${{ matrix.version }}
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@v3
      with:
        go-version: ^1.13.1
    - uses: ./../action/init
--- a/.github/workflows/__javascript-source-root.yml
+++ b/.github/workflows/__javascript-source-root.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -31,10 +32,11 @@ jobs:
        - os: ubuntu-latest
          version: nightly-latest
    name: Custom source root
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__ml-powered-queries.yml
+++ b/.github/workflows/__ml-powered-queries.yml
@@ -0,0 +1,119 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - ML-powered queries
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - v1
+    - v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  ml-powered-queries:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: windows-latest
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
+    name: ML-powered queries
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        queries: security-extended
+        source-root: ./../action/tests/ml-powered-queries-repo
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+      env:
+        TEST_MODE: true
+
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v3
+      with:
+        name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+        path: ${{ runner.temp }}/results/javascript.sarif
+        retention-days: 7
+
+    - name: Check results
+      env:
+        IS_WINDOWS: ${{ matrix.os == 'windows-latest' }}
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should run at least the ML-powered queries in `expected_rules`.
+        expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
+
+        for rule in ${expected_rules}; do
+          found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
+            flatten | .[].id] | any(. == $rule)' javascript.sarif)
+          echo "Did find rule '${rule}': ${found_rule}"
+          if [[ "${found_rule}" != "true" && "${IS_WINDOWS}" != "true" ]]; then
+            echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
+            exit 1
+          elif [[ "${found_rule}" == "true" && "${IS_WINDOWS}" == "true" ]]; then
+            echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
+            exit 1
+          fi
+        done
+
+        # We should have at least one alert from an ML-powered query.
+        num_alerts=$(jq '[.runs[0].results[] |
+          select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
+          javascript.sarif)
+        echo "Found ${num_alerts} alerts from ML-powered queries.";
+        if [[ "${num_alerts}" -eq 0 && "${IS_WINDOWS}" != "true" ]]; then
+          echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
+          exit 1
+        elif [[ "${num_alerts}" -ne 0 && "${IS_WINDOWS}" == "true" ]]; then
+          echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
+          exit 1
+        fi
+    env:
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -49,10 +50,11 @@ jobs:
        - os: macos-latest
          version: nightly-latest
    name: Multi-language repository
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -29,10 +30,11 @@ jobs:
        - os: macos-latest
          version: nightly-20210831
    name: 'Packaging: Config and input'
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -29,10 +30,11 @@ jobs:
        - os: macos-latest
          version: nightly-20210831
    name: 'Packaging: Config file'
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -29,10 +30,11 @@ jobs:
        - os: macos-latest
          version: nightly-20210831
    name: 'Packaging: Action input'
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -65,10 +66,11 @@ jobs:
        - os: windows-2022
          version: nightly-latest
    name: Remote config file
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -37,10 +38,11 @@ jobs:
        - os: ubuntu-latest
          version: nightly-latest
    name: RuboCop multi-language
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -29,10 +30,11 @@ jobs:
        - os: macos-latest
          version: nightly-20210831
    name: Split workflow
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__test-local-codeql.yml
+++ b/.github/workflows/__test-local-codeql.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -27,10 +28,11 @@ jobs:
        - os: ubuntu-latest
          version: nightly-latest
    name: Local CodeQL bundle
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__test-proxy.yml
+++ b/.github/workflows/__test-proxy.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -27,10 +28,11 @@ jobs:
        - os: ubuntu-latest
          version: latest
    name: Proxy test
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__test-ruby.yml
+++ b/.github/workflows/__test-ruby.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -37,10 +38,11 @@ jobs:
        - os: macos-latest
          version: nightly-latest
    name: Ruby analysis
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -37,10 +38,11 @@ jobs:
        - os: ubuntu-latest
          version: nightly-latest
    name: Test unsetting environment variables
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -12,6 +12,7 @@ on:
    branches:
    - main
    - v1
+    - v2
  pull_request:
    types:
    - opened
@@ -65,10 +66,11 @@ jobs:
        - os: windows-2022
          version: nightly-latest
    name: "Upload-sarif: 'ref' and 'sha' from inputs"
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
    - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
    - name: Prepare test
      id: prepare-test
      uses: ./.github/prepare-test
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -0,0 +1,146 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Use a custom `checkout_path`
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - v1
+    - v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  with-checkout-path:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: macos-latest
+          version: stable-20210308
+        - os: windows-2019
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: macos-latest
+          version: stable-20210319
+        - os: windows-2019
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: macos-latest
+          version: stable-20210809
+        - os: windows-2019
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-2019
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
+    name: Use a custom `checkout_path`
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: actions/checkout@v3
+      with:
+        ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        path: x/y/z/some-path
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      # it's enough to test one compiled language and one interpreted language
+        languages: csharp,javascript
+        source-path: x/y/z/some-path/tests/multi-language-repo
+        debug: true
+    - name: Build code (non-windows)
+      shell: bash
+      if: ${{ runner.os != 'Windows' }}
+      run: |
+        $CODEQL_RUNNER x/y/z/some-path/tests/multi-language-repo/build.sh
+    - name: Build code (windows)
+      shell: bash
+      if: ${{ runner.os == 'Windows' }}
+      run: |
+        x/y/z/some-path/tests/multi-language-repo/build.sh
+    - uses: ./../action/analyze
+      with:
+        checkout_path: x/y/z/some-path/tests/multi-language-repo
+        ref: v1.1.0
+        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        upload: false
+      env:
+        TEST_MODE: true
+
+    - uses: ./../action/upload-sarif
+      with:
+        ref: v1.1.0
+        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        checkout_path: x/y/z/some-path/tests/multi-language-repo
+      env:
+        TEST_MODE: true
+
+    - name: Verify SARIF after upload
+      shell: bash
+      run: |
+        EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
+        EXPECTED_REF="v1.1.0"
+        EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
+
+        ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
+        ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
+        ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+
+        if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
+          echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi
+
+        if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
+          echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi
+
+        if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
+          echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi
+    env:
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
--- a/.github/workflows/check-expected-release-files.yml
+++ b/.github/workflows/check-expected-release-files.yml
@@ -15,11 +15,11 @@ jobs:

    steps:
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Check Expected Release Files
        run: |
          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
          set -x
-          for expected_file in "codeql-bundle.tar.gz" "codeql-bundle-linux64.tar.gz" "codeql-bundle-osx64.tar.gz" "codeql-bundle-win64.tar.gz" "codeql-runner-linux" "codeql-runner-macos" "codeql-runner-win.exe"; do
+          for expected_file in "codeql-bundle.tar.gz" "codeql-bundle-linux64.tar.gz" "codeql-bundle-osx64.tar.gz" "codeql-bundle-win64.tar.gz"; do
            curl --location --fail --head --request GET "https://github.com/github/codeql-action/releases/download/$bundle_version/$expected_file" > /dev/null
          done
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -2,9 +2,9 @@ name: "CodeQL action"

 on:
  push:
-    branches: [main, v1]
+    branches: [main, v1, v2]
  pull_request:
-    branches: [main, v1]
+    branches: [main, v1, v2]
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
@@ -20,7 +20,7 @@ jobs:
      security-events: write

    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
    - name: Init with default CodeQL bundle from the VM image
      id: init-default
      uses: ./init
@@ -75,7 +75,7 @@ jobs:
      security-events: write

    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
    - uses: ./init
      id: init
      with:
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -15,6 +15,7 @@ on:
  push:
    branches:
      - v1
+      - v2

 jobs:
  merge-back:
@@ -25,13 +26,16 @@ jobs:
      HEAD_BRANCH: "${{ github.head_ref || github.ref }}"

    steps:
-      - name: Dump GitHub Event context
-        env:
-          GITHUB_EVENT_CONTEXT: "${{ toJson(github.event) }}"
-        run: echo "$GITHUB_EVENT_CONTEXT"
+      - name: Dump environment
+        run: env

-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - name: Dump GitHub context
+        env:
+          GITHUB_CONTEXT: '${{ toJson(github) }}'
+        run: echo "$GITHUB_CONTEXT"
+
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3

      - name: Update git config
        run: |
@@ -90,7 +94,7 @@ jobs:
          git push origin --follow-tags "$VERSION"

      - name: Create mergeback branch
-        if: steps.check.outputs.exists != 'true'
+        if: steps.check.outputs.exists != 'true' && contains(github.ref, 'v2')
        env:
          VERSION: "${{ steps.getVersion.outputs.version }}"
          NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
@@ -100,11 +104,13 @@ jobs:
          PR_TITLE="Mergeback $VERSION $HEAD_BRANCH into $BASE_BRANCH"
          PR_BODY="Updates version and changelog."

+          # Update the version number ready for the next release
+          npm version patch --no-git-tag-version
+
          # Update the changelog
          perl -i -pe 's/^/## \[UNRELEASED\]\n\nNo user facing changes.\n\n/ if($.==3)' CHANGELOG.md
          git add .
          git commit -m "Update changelog and version after $VERSION"
-          npm version patch

          git push origin "$NEW_BRANCH"

--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -2,7 +2,7 @@ name: PR Checks (Basic Checks and Runner)

 on:
  push:
-    branches: [main, v1]
+    branches: [main, v1, v2]
  pull_request:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
@@ -13,37 +13,69 @@ jobs:
  lint-js:
    name: Lint
    runs-on: ubuntu-latest
+    timeout-minutes: 45

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Run Lint
        run: npm run-script lint

  check-js:
    runs-on: ubuntu-latest
+    timeout-minutes: 45
+
+    strategy:
+      fail-fast: true
+      matrix:
+        node-types-version: [12.12, current]

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+
+      - name: Update version of @types/node
+        if: matrix.node-types-version != 'current'
+        env:
+          NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
+        run: |
+          # Export `NODE_TYPES_VERSION` so it's available to jq
+          export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
+          contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
+          echo "${contents}" > package.json
+          # Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
+          # However we're not checking in the updated lockfile here, so it's fine to run
+          # `npm install` on Linux.
+          npm install
+
+          if [ ! -z "$(git status --porcelain)" ]; then
+            git config --global user.email "github-actions@github.com"
+            git config --global user.name "github-actions[bot]"
+            # The period in `git add --all .` ensures that we stage deleted files too.
+            git add --all .
+            git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
+          fi
+
      - name: Check generated JS
        run: .github/workflows/script/check-js.sh

  check-node-modules:
    name: Check modules up to date
    runs-on: macos-latest
+    timeout-minutes: 45

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Check node modules up to date
        run: .github/workflows/script/check-node-modules.sh

  verify-pr-checks:
    name: Verify PR checks up to date
    runs-on: ubuntu-latest
+    timeout-minutes: 45

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Set up Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v3
        with:
          python-version: 3.8
      - name: Install dependencies
@@ -60,19 +92,21 @@ jobs:
      matrix:
        os: [ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.os }}
+    timeout-minutes: 45

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: npm run-script test
        run: npm run-script test

  runner-analyze-javascript-ubuntu:
    name: Runner ubuntu JS analyze
    needs: [check-js, check-node-modules]
+    timeout-minutes: 45
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3

      - name: Build runner
        run: |
@@ -97,10 +131,11 @@ jobs:
  runner-analyze-javascript-windows:
    name: Runner windows JS analyze
    needs: [check-js, check-node-modules]
+    timeout-minutes: 45
    runs-on: windows-latest

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3

      - name: Build runner
        run: |
@@ -121,10 +156,11 @@ jobs:
  runner-analyze-javascript-macos:
    name: Runner macos JS analyze
    needs: [check-js, check-node-modules]
+    timeout-minutes: 45
    runs-on: macos-latest

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3

      - name: Build runner
        run: |
@@ -145,10 +181,11 @@ jobs:
  runner-analyze-csharp-ubuntu:
    name: Runner ubuntu C# analyze
    needs: [check-js, check-node-modules]
+    timeout-minutes: 45
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3

      - name: Move codeql-action
        shell: bash
@@ -184,10 +221,11 @@ jobs:
    needs: [check-js, check-node-modules]
    # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
    # `windows-latest`.
+    timeout-minutes: 45
    runs-on: windows-2019

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3

      - name: Move codeql-action
        shell: bash
@@ -215,7 +253,7 @@ jobs:
          & $Env:CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false

      - name: Upload tracer logs
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
        with:
          name: tracer-logs
          path: ./codeql-runner/compound-build-tracer.log
@@ -228,11 +266,12 @@ jobs:

  runner-analyze-csharp-macos:
    name: Runner macos C# analyze
+    timeout-minutes: 45
    needs: [check-js, check-node-modules]
    runs-on: macos-latest

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3

      - name: Move codeql-action
        shell: bash
@@ -266,11 +305,12 @@ jobs:

  runner-analyze-csharp-autobuild-ubuntu:
    name: Runner ubuntu autobuild C# analyze
+    timeout-minutes: 45
    needs: [check-js, check-node-modules]
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3

      - name: Move codeql-action
        shell: bash
@@ -301,6 +341,7 @@ jobs:
          TEST_MODE: true

  runner-analyze-csharp-autobuild-windows:
+    timeout-minutes: 45
    name: Runner windows autobuild C# analyze
    needs: [check-js, check-node-modules]
    # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
@@ -308,7 +349,7 @@ jobs:
    runs-on: windows-2019

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3

      - name: Move codeql-action
        shell: bash
@@ -343,9 +384,10 @@ jobs:
    name: Runner macos autobuild C# analyze
    needs: [check-js, check-node-modules]
    runs-on: macos-latest
+    timeout-minutes: 45

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3

      - name: Move codeql-action
        shell: bash
@@ -380,11 +422,12 @@ jobs:
    name: Runner upload sarif
    needs: [check-js, check-node-modules]
    runs-on: ubuntu-latest
+    timeout-minutes: 45

    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3

      - name: Build runner
        run: |
@@ -402,9 +445,10 @@ jobs:
    name: Runner ubuntu extractor RAM and threads options
    needs: [check-js, check-node-modules]
    runs-on: ubuntu-latest
+    timeout-minutes: 45

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3

      - name: Build runner
        run: |
--- a/.github/workflows/python-deps.yml
+++ b/.github/workflows/python-deps.yml
@@ -2,7 +2,7 @@ name: Test Python Package Installation on Linux and Mac

 on:
  push:
-    branches: [main, v1]
+    branches: [main, v1, v2]
  pull_request:
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
@@ -10,6 +10,7 @@ on:

 jobs:
  test-setup-python-scripts:
+    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    strategy:
        fail-fast: false
@@ -24,7 +25,7 @@ jobs:

    steps:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3

    - name: Initialize CodeQL
      uses: ./init
@@ -70,7 +71,7 @@ jobs:

    steps:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3

    - name: Initialize CodeQL
      uses: ./init
@@ -121,9 +122,9 @@ jobs:

    steps:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3

-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v3
      with:
        python-version: ${{ matrix.python_version }}

--- a/.github/workflows/release-runner.yml
+++ b/.github/workflows/release-runner.yml
@@ -1,54 +0,0 @@
-name: Release runner
-
-on:
-  workflow_dispatch:
-    inputs:
-      bundle-tag:
-        description: 'Tag of the bundle release (e.g., "codeql-bundle-20200826")'
-        required: false
-
-jobs:
-  release-runner:
-    runs-on: ubuntu-latest
-    env:
-      RELEASE_TAG: "${{ github.event.inputs.bundle-tag }}"
-
-    strategy:
-      matrix:
-        extension: ["linux", "macos", "win.exe"]
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Build runner
-        run: |
-          cd runner
-          npm install
-          npm run build-runner
-
-      - uses: actions/upload-artifact@v2
-        with:
-          name: codeql-runner-${{matrix.extension}}
-          path: runner/dist/codeql-runner-${{matrix.extension}}
-
-      - name: Resolve Upload URL for the release
-        if: ${{ github.event.inputs.bundle-tag != null }}
-        id: save_url
-        run: |
-          UPLOAD_URL=$(curl -sS \
-                "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${RELEASE_TAG}" \
-                -H "Accept: application/json" \
-                -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" | jq .upload_url | sed s/\"//g)
-          echo ${UPLOAD_URL}
-          echo "::set-output name=upload_url::${UPLOAD_URL}"
-
-      - name: Upload Platform Package
-        if: ${{ github.event.inputs.bundle-tag != null }}
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.save_url.outputs.upload_url }}
-          asset_path: runner/dist/codeql-runner-${{matrix.extension}}
-          asset_name: codeql-runner-${{matrix.extension}}
-          asset_content_type: application/octet-stream
--- a/.github/workflows/split.yml
+++ b/.github/workflows/split.yml
@@ -1,73 +0,0 @@
-#
-# Split the CodeQL Bundle into platform bundles
-#
-# Instructions:
-#  1. Upload the new codeql-bundle (codeql-bundle.tar.gz) as an asset of the
-#     release (codeql-bundle-20200826)
-#  2. Take note of the CLI Release used by the bundle (e.g., v2.2.5)
-#  3. Manually launch this workflow file (via the Actions UI) specifying
-#     - The CLI Release (e.g., v2.2.5)
-#     - The release tag (e.g., codeql-bundle-20200826)
-#  4. If everything succeeds you should see 3 new assets.
-#
-
-name: Split Bundle
-
-on:
- workflow_dispatch:
-    inputs:
-      cli-release:
-        description: 'CodeQL CLI Release (e.g., "v2.2.5")'
-        required: true
-      bundle-tag:
-        description: 'Tag of the bundle release (e.g., "codeql-bundle-20200826")'
-        required: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    env:
-      CLI_RELEASE: "${{ github.event.inputs.cli-release }}"
-      RELEASE_TAG: "${{ github.event.inputs.bundle-tag }}"
-
-    strategy:
-      fail-fast: false
-      matrix:
-        platform: ["linux64", "osx64", "win64"]
-
-    steps:
-      - name: Resolve Upload URL for the release
-        id: save_url
-        run: |
-          UPLOAD_URL=$(curl -sS \
-               "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${RELEASE_TAG}" \
-               -H "Accept: application/json" \
-               -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" | jq .upload_url | sed s/\"//g)
-          echo ${UPLOAD_URL}
-          echo "::set-output name=upload_url::${UPLOAD_URL}"
-
-      - name: Download CodeQL CLI and Bundle
-        run: |
-          wget --no-verbose "https://github.com/${GITHUB_REPOSITORY}/releases/download/${RELEASE_TAG}/codeql-bundle.tar.gz"
-          wget --no-verbose "https://github.com/github/codeql-cli-binaries/releases/download/${CLI_RELEASE}/codeql-${{matrix.platform}}.zip"
-
-      - name: Create Platform Package
-        # Replace the codeql-binaries with the platform specific ones
-        run: |
-          gunzip codeql-bundle.tar.gz
-          tar -f codeql-bundle.tar --delete codeql
-          unzip -q codeql-${{matrix.platform}}.zip
-          tar -f codeql-bundle.tar --append codeql
-          gzip codeql-bundle.tar
-          mv codeql-bundle.tar.gz codeql-bundle-${{matrix.platform}}.tar.gz
-          du -sh codeql-bundle-${{matrix.platform}}.tar.gz
-
-      - name: Upload Platform Package
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.save_url.outputs.upload_url }}
-          asset_path: ./codeql-bundle-${{matrix.platform}}.tar.gz
-          asset_name: codeql-bundle-${{matrix.platform}}.tar.gz
-          asset_content_type: application/tar+gzip
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -6,11 +6,12 @@ on:
 jobs:
  update:
    name: Update dependencies
+    timeout-minutes: 45
    runs-on: macos-latest
    if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3

    - name: Remove PR label
      env:
--- a/.github/workflows/update-release-branch.yml
+++ b/.github/workflows/update-release-branch.yml
@@ -1,24 +1,35 @@
 name: Update release branch
 on:
-  repository_dispatch:
-    # Example of how to trigger this:
-    # curl -H "Authorization: Bearer <token>" -X POST https://api.github.com/repos/github/codeql-action/dispatches -d '{"event_type":"update-release-branch"}'
-    # Replace <token> with a personal access token from this page: https://github.com/settings/tokens
-    types: [update-release-branch]
+  # You can trigger this workflow via workflow dispatch to start a release.
+  # This will open a PR to update the v2 release branch.
  workflow_dispatch:

+  # When the v2 release is complete, this workflow will open a PR to update the v1 release branch.
+  push:
+    branches:
+      - v2
+
 jobs:
  update:
+    timeout-minutes: 45
    runs-on: ubuntu-latest
-    if: ${{ github.repository == 'github/codeql-action' }}
+    if: github.repository == 'github/codeql-action'
    steps:
-    - uses: actions/checkout@v2
+    - name: Dump environment
+      run: env
+
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: '${{ toJson(github) }}'
+      run: echo "$GITHUB_CONTEXT"
+
+    - uses: actions/checkout@v3
      with:
        # Need full history so we calculate diffs
        fetch-depth: 0

    - name: Set up Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v3
      with:
        python-version: 3.8

@@ -32,5 +43,20 @@ jobs:
        git config --global user.email "github-actions@github.com"
        git config --global user.name "github-actions[bot]"

-    - name: Update release branch
-      run: python .github/update-release-branch.py ${{ secrets.GITHUB_TOKEN }} ${{ github.repository }}
+    - name: Update v2 release branch
+      if: github.event_name == 'workflow_dispatch'
+      run: |
+        python .github/update-release-branch.py \
+          --github-token ${{ secrets.GITHUB_TOKEN }} \
+          --repository-nwo ${{ github.repository }} \
+          --mode v2-release \
+          --conductor ${GITHUB_ACTOR}
+
+    - name: Update v1 release branch
+      if: github.event_name == 'push'
+      run: |
+        python .github/update-release-branch.py \
+          --github-token ${{ secrets.GITHUB_TOKEN }} \
+          --repository-nwo ${{ github.repository }} \
+          --mode v1-release \
+          --conductor ${GITHUB_ACTOR}
--- a/.github/workflows/update-supported-enterprise-server-versions.yml
+++ b/.github/workflows/update-supported-enterprise-server-versions.yml
@@ -6,18 +6,20 @@ on:

 jobs:
  update-supported-enterprise-server-versions:
+    name: Update Supported Enterprise Server Versions
+    timeout-minutes: 45
    runs-on: ubuntu-latest
    if: ${{ github.repository == 'github/codeql-action' }}

    steps:
      - name: Setup Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v3
        with:
          python-version: "3.7"
      - name: Checkout CodeQL Action
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Checkout Enterprise Releases
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          repository: github/enterprise-releases
          ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,26 @@
-# CodeQL Action and CodeQL Runner Changelog
+# CodeQL Action Changelog
+
+## 1.1.8 - 08 Apr 2022
+
+- Update default CodeQL bundle version to 2.8.5. [#1014](https://github.com/github/codeql-action/pull/1014)
+- Fix error where the init action would fail due to a GitHub API request that was taking too long to complete [#1025](https://github.com/github/codeql-action/pull/1025)
+
+## 1.1.7 - 05 Apr 2022
+
+- A bug where additional queries specified in the workflow file would sometimes not be respected has been fixed. [#1018](https://github.com/github/codeql-action/pull/1018)
+
+## 1.1.6 - 30 Mar 2022
+
+- Update default CodeQL bundle version to 2.8.4. [#990](https://github.com/github/codeql-action/pull/990)
+- Fix a bug where an invalid `commit_oid` was being sent to code scanning when a custom checkout path was being used. [#956](https://github.com/github/codeql-action/pull/956)
+
+## 1.1.5 - 15 Mar 2022
+
+- Update default CodeQL bundle version to 2.8.3.
+- The CodeQL runner is now deprecated and no longer being released. For more information, see [CodeQL runner deprecation](https://github.blog/changelog/2021-09-21-codeql-runner-deprecation/).
+- Fix two bugs that cause action failures with GHES 3.3 or earlier. [#978](https://github.com/github/codeql-action/pull/978)
+  - Fix `not a permitted key` invalid requests with GHES 3.1 or earlier
+  - Fix `RUNNER_ARCH environment variable must be set` errors with GHES 3.3 or earlier

 ## 1.1.4 - 07 Mar 2022

@@ -7,7 +29,7 @@

 ## 1.1.3 - 23 Feb 2022

- Fix bug where the CLR traces can continue tracing even after tracing should be stopped. [#938](https://github.com/github/codeql-action/pull/938)
+- Fix a bug where the CLR traces can continue tracing even after tracing should be stopped. [#938](https://github.com/github/codeql-action/pull/938)

 ## 1.1.2 - 17 Feb 2022

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -61,16 +61,41 @@ Here are a few things you can do that will increase the likelihood of your pull
 ## Releasing (write access required)

 1. The first step of releasing a new version of the `codeql-action` is running the "Update release branch" workflow.
-    This workflow goes through the pull requests that have been merged to `main` since the last release, creates a changelog, then opens a pull request to merge the changes since the last release into the `v1` release branch.
+    This workflow goes through the pull requests that have been merged to `main` since the last release, creates a changelog, then opens a pull request to merge the changes since the last release into the `v2` release branch.

-    A release is automatically started every Monday via a scheduled run of this workflow, however you can start a release manually by triggering a run via [workflow dispatch](https://github.com/github/codeql-action/actions/workflows/update-release-branch.yml). 
-1. The workflow run will open a pull request titled "Merge main into v1". Mark the pull request as [ready for review](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review) to trigger the PR checks.
+    You can start a release by triggering this workflow via [workflow dispatch](https://github.com/github/codeql-action/actions/workflows/update-release-branch.yml).
+1. The workflow run will open a pull request titled "Merge main into v2". Mark the pull request as [ready for review](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review) to trigger the PR checks.
 1. Review the checklist items in the pull request description.
-    Once you've checked off all but the last of these, approve the PR and automerge it.
-1. When the "Merge main into v1" pull request is merged into the `v1` branch, the "Tag release and merge back" workflow will create a mergeback PR.
-    This mergeback incorporates the changelog updates into `main`, tags the release using the merge commit of the "Merge main into v1" pull request, and bumps the patch version of the CodeQL Action.
+    Once you've checked off all but the last two of these, approve the PR and automerge it.
+1. When the "Merge main into v2" pull request is merged into the `v2` branch, the "Tag release and merge back" workflow will create a mergeback PR.
+    This mergeback incorporates the changelog updates into `main`, tags the release using the merge commit of the "Merge main into v2" pull request, and bumps the patch version of the CodeQL Action.

-    Approve the mergeback PR and automerge it. Once the mergeback has been merged into main, the release is complete.
+    Approve the mergeback PR and automerge it.
+1. When the "Merge main into v2" pull request is merged into the `v2` branch, the "Update release branch" workflow will create a "Merge v2 into v1" pull request to merge the changes since the last release into the `v1` release branch.
+    This ensures we keep both the `v1` and `v2` release branches up to date and fully supported.
+
+    Review the checklist items in the pull request description.
+    Once you've checked off all the items, approve the PR and automerge it.
+1. Once the mergeback has been merged to `main` and the "Merge v2 into v1" PR has been merged to `v1`, the release is complete.
+
+## Keeping the PR checks up to date (admin access required)
+
+Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred jobs that need to pass in order for a PR to turn green. Managing these PR checks manually is time consuming and complex. Here is a semi-automated approach.
+
+To regenerate the PR jobs for the action:
+
+1. From a terminal, run the following commands (replace `SHA` with the sha of the commit whose checks you want to use, typically this should be the latest from `main`):
+
+    ```sh
+    SHA= ####
+    CHECKS="$(gh api repos/github/codeql-action/commits/${SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or . == "Update dependencies" or . == "Update Supported Enterprise Server Versions" | not)]')"
+    echo "{\"contexts\": ${CHECKS}}" > checks.json
+    gh api -X "PATCH" repos/github/codeql-action/branches/main/protection/required_status_checks --input checks.json
+    gh api -X "PATCH" repos/github/codeql-action/branches/v2/protection/required_status_checks --input checks.json
+    gh api -X "PATCH" repos/github/codeql-action/branches/v1/protection/required_status_checks --input checks.json
+    ````
+
+2. Go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules have been updated.

 ## Resources

--- a/README.md
+++ b/README.md
@@ -39,8 +39,7 @@ on:

 jobs:
  CodeQL-Build:
-    # If you're only analyzing JavaScript or Python, CodeQL runs on ubuntu-latest, windows-latest, and macos-latest.
-    # If you're analyzing C/C++, C#, Go, or Java, CodeQL runs on ubuntu-latest, windows-2019, and macos-latest.
+    # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
    runs-on: ubuntu-latest

    permissions:
@@ -53,11 +52,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
        # Override language selection by uncommenting this and choosing your languages
        # with:
        #   languages: go, javascript, csharp, python, cpp, java
@@ -65,7 +64,7 @@ jobs:
      # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below).
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@v2

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 https://git.io/JvXDl
@@ -79,14 +78,14 @@ jobs:
      #     make release

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2
 ```

 If you prefer to integrate this within an existing CI workflow, it should end up looking something like this:

 ```yaml
 - name: Initialize CodeQL
-  uses: github/codeql-action/init@v1
+  uses: github/codeql-action/init@v2
  with:
    languages: go, javascript

@@ -96,7 +95,7 @@ If you prefer to integrate this within an existing CI workflow, it should end up
    make release

 - name: Perform CodeQL Analysis
-  uses: github/codeql-action/analyze@v1
+  uses: github/codeql-action/analyze@v2
 ```

 ### Configuration file
@@ -104,7 +103,7 @@ If you prefer to integrate this within an existing CI workflow, it should end up
 Use the `config-file` parameter of the `init` action to enable the configuration file. The value of `config-file` is the path to the configuration file you want to use. This example loads the configuration file `./.github/codeql/codeql-config.yml`.

 ```yaml
- uses: github/codeql-action/init@v1
+- uses: github/codeql-action/init@v2
  with:
    config-file: ./.github/codeql/codeql-config.yml
 ```
@@ -112,7 +111,7 @@ Use the `config-file` parameter of the `init` action to enable the configuration
 The configuration file can be located in a different repository. This is useful if you want to share the same configuration across multiple repositories. If the configuration file is in a private repository you can also specify an `external-repository-token` option. This should be a personal access token that has read access to any repositories containing referenced config files and queries.

 ```yaml
- uses: github/codeql-action/init@v1
+- uses: github/codeql-action/init@v2
  with:
    config-file: owner/repo/codeql-config.yml@branch
    external-repository-token: ${{ secrets.EXTERNAL_REPOSITORY_TOKEN }}
@@ -123,7 +122,7 @@ For information on how to write a configuration file, see "[Using a custom confi
 If you only want to customise the queries used, you can specify them in your workflow instead of creating a config file, using the `queries` property of the `init` action:

 ```yaml
- uses: github/codeql-action/init@v1
+- uses: github/codeql-action/init@v2
  with:
    queries: <local-or-remote-query>,<another-query>
 ```
@@ -131,7 +130,7 @@ If you only want to customise the queries used, you can specify them in your wor
 By default, this will override any queries specified in a config file. If you wish to use both sets of queries, prefix the list of queries in the workflow with `+`:

 ```yaml
- uses: github/codeql-action/init@v1
+- uses: github/codeql-action/init@v2
  with:
    queries: +<local-or-remote-query>,<another-query>
 ```
--- a/lib/actions-util.js
+++ b/lib/actions-util.js
@@ -30,6 +30,8 @@ const yaml = __importStar(require("js-yaml"));
 const api = __importStar(require("./api-client"));
 const sharedEnv = __importStar(require("./shared-environment"));
 const util_1 = require("./util");
+// eslint-disable-next-line import/no-commonjs
+const pkg = require("../package.json");
 /**
 * The utils in this module are meant to be run inside of the action only.
 * Code paths from the runner should not enter this module.
@@ -74,7 +76,7 @@ exports.getToolCacheDirectory = getToolCacheDirectory;
 /**
 * Gets the SHA of the commit that is currently checked out.
 */
-const getCommitOid = async function (ref = "HEAD") {
+const getCommitOid = async function (checkoutPath, ref = "HEAD") {
    // Try to use git to get the current commit SHA. If that fails then
    // log but otherwise silently fall back to using the SHA from the environment.
    // The only time these two values will differ is during analysis of a PR when
@@ -94,6 +96,7 @@ const getCommitOid = async function (ref = "HEAD") {
                    process.stderr.write(data);
                },
            },
+            cwd: checkoutPath,
        }).exec();
        return commitOid.trim();
    }
@@ -113,6 +116,7 @@ const determineMergeBaseCommitOid = async function () {
        return undefined;
    }
    const mergeSha = (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
+    const checkoutPath = (0, exports.getOptionalInput)("checkout_path");
    try {
        let commitOid = "";
        let baseOid = "";
@@ -137,6 +141,7 @@ const determineMergeBaseCommitOid = async function () {
                    process.stderr.write(data);
                },
            },
+            cwd: checkoutPath,
        }).exec();
        // Let's confirm our assumptions: We had a merge commit and the parsed parent data looks correct
        if (commitOid === mergeSha &&
@@ -352,7 +357,7 @@ async function getWorkflowPath() {
    const repo = repo_nwo[1];
    const run_id = Number((0, util_1.getRequiredEnvParam)("GITHUB_RUN_ID"));
    const apiClient = api.getActionsApiClient();
-    const runsResponse = await apiClient.request("GET /repos/:owner/:repo/actions/runs/:run_id", {
+    const runsResponse = await apiClient.request("GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true", {
        owner,
        repo,
        run_id,
@@ -425,6 +430,9 @@ async function getRef() {
    // or in the form "refs/pull/N/merge" on a pull_request event
    const refInput = (0, exports.getOptionalInput)("ref");
    const shaInput = (0, exports.getOptionalInput)("sha");
+    const checkoutPath = (0, exports.getOptionalInput)("checkout_path") ||
+        (0, exports.getOptionalInput)("source-root") ||
+        (0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE");
    const hasRefInput = !!refInput;
    const hasShaInput = !!shaInput;
    // If one of 'ref' or 'sha' are provided, both are required
@@ -446,15 +454,14 @@ async function getRef() {
    if (!pull_ref_regex.test(ref)) {
        return ref;
    }
-    const head = await (0, exports.getCommitOid)("HEAD");
-    // in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA
+    const head = await (0, exports.getCommitOid)(checkoutPath, "HEAD");
+    // in actions/checkout@v2+ we can check if git rev-parse HEAD == GITHUB_SHA
    // in actions/checkout@v1 this may not be true as it checks out the repository
    // using GITHUB_REF. There is a subtle race condition where
    // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check
    // git git-parse GITHUB_REF == git rev-parse HEAD instead.
    const hasChangedRef = sha !== head &&
-        (await (0, exports.getCommitOid)(ref.replace(/^refs\/pull\//, "refs/remotes/pull/"))) !==
-            head;
+        (await (0, exports.getCommitOid)(checkoutPath, ref.replace(/^refs\/pull\//, "refs/remotes/pull/"))) !== head;
    if (hasChangedRef) {
        const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
        core.debug(`No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`);
@@ -500,7 +507,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
        core.exportVariable(sharedEnv.CODEQL_WORKFLOW_STARTED_AT, workflowStartedAt);
    }
    const runnerOs = (0, util_1.getRequiredEnvParam)("RUNNER_OS");
-    const runnerArch = (0, util_1.getRequiredEnvParam)("RUNNER_ARCH");
+    const codeQlCliVersion = (0, util_1.getCachedCodeQlVersion)();
    // If running locally then the GITHUB_ACTION_REF cannot be trusted as it may be for the previous action
    // See https://github.com/actions/runner/issues/803
    const actionRef = isRunningLocalAction()
@@ -520,7 +527,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
        action_started_at: actionStartedAt.toISOString(),
        status,
        runner_os: runnerOs,
-        runner_arch: runnerArch,
+        action_version: pkg.version,
    };
    // Add optional parameters
    if (cause) {
@@ -539,9 +546,17 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
    if (matrix) {
        statusReport.matrix_vars = matrix;
    }
+    if ("RUNNER_ARCH" in process.env) {
+        // RUNNER_ARCH is available only in GHES 3.4 and later
+        // Values other than X86, X64, ARM, or ARM64 are discarded server side
+        statusReport.runner_arch = process.env["RUNNER_ARCH"];
+    }
    if (runnerOs === "Windows" || runnerOs === "macOS") {
        statusReport.runner_os_release = os.release();
    }
+    if (codeQlCliVersion !== undefined) {
+        statusReport.codeql_version = codeQlCliVersion;
+    }
    return statusReport;
 }
 exports.createStatusReportBase = createStatusReportBase;
@@ -559,6 +574,13 @@ const INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code sc
 * Returns whether sending the status report was successful of not.
 */
 async function sendStatusReport(statusReport) {
+    const gitHubVersion = await api.getGitHubVersionActionsOnly();
+    if ((0, util_1.isGitHubGhesVersionBelow)(gitHubVersion, "3.2.0")) {
+        // GHES 3.1 and earlier versions reject unexpected properties, which means
+        // that they will reject status reports with newly added properties.
+        // Inhibiting status reporting for GHES < 3.2 avoids such failures.
+        return true;
+    }
    const statusReportJSON = JSON.stringify(statusReport);
    core.debug(`Sending status report: ${statusReportJSON}`);
    // If in test mode we don't want to upload the results
@@ -656,7 +678,7 @@ async function isAnalyzingDefaultBranch() {
    // Get the current ref and trim and refs/heads/ prefix
    let currentRef = await getRef();
    currentRef = currentRef.startsWith("refs/heads/")
-        ? currentRef.substr("refs/heads/".length)
+        ? currentRef.slice("refs/heads/".length)
        : currentRef;
    const event = getWorkflowEvent();
    const defaultBranch = (_a = event === null || event === void 0 ? void 0 : event.repository) === null || _a === void 0 ? void 0 : _a.default_branch;
--- a/lib/actions-util.js.map
+++ b/lib/actions-util.js.map
--- a/lib/actions-util.test.js
+++ b/lib/actions-util.test.js
@@ -39,74 +39,93 @@ function errorCodes(actual, expected) {
    await t.throwsAsync(actionsutil.getRef);
 });
 (0, ava_1.default)("getRef() returns merge PR ref if GITHUB_SHA still checked out", async (t) => {
-    const expectedRef = "refs/pull/1/merge";
-    const currentSha = "a".repeat(40);
-    process.env["GITHUB_REF"] = expectedRef;
-    process.env["GITHUB_SHA"] = currentSha;
-    const callback = sinon.stub(actionsutil, "getCommitOid");
-    callback.withArgs("HEAD").resolves(currentSha);
-    const actualRef = await actionsutil.getRef();
-    t.deepEqual(actualRef, expectedRef);
-    callback.restore();
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const expectedRef = "refs/pull/1/merge";
+        const currentSha = "a".repeat(40);
+        process.env["GITHUB_REF"] = expectedRef;
+        process.env["GITHUB_SHA"] = currentSha;
+        const callback = sinon.stub(actionsutil, "getCommitOid");
+        callback.withArgs("HEAD").resolves(currentSha);
+        const actualRef = await actionsutil.getRef();
+        t.deepEqual(actualRef, expectedRef);
+        callback.restore();
+    });
 });
 (0, ava_1.default)("getRef() returns merge PR ref if GITHUB_REF still checked out but sha has changed (actions checkout@v1)", async (t) => {
-    const expectedRef = "refs/pull/1/merge";
-    process.env["GITHUB_REF"] = expectedRef;
-    process.env["GITHUB_SHA"] = "b".repeat(40);
-    const sha = "a".repeat(40);
-    const callback = sinon.stub(actionsutil, "getCommitOid");
-    callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
-    callback.withArgs("HEAD").resolves(sha);
-    const actualRef = await actionsutil.getRef();
-    t.deepEqual(actualRef, expectedRef);
-    callback.restore();
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const expectedRef = "refs/pull/1/merge";
+        process.env["GITHUB_REF"] = expectedRef;
+        process.env["GITHUB_SHA"] = "b".repeat(40);
+        const sha = "a".repeat(40);
+        const callback = sinon.stub(actionsutil, "getCommitOid");
+        callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
+        callback.withArgs("HEAD").resolves(sha);
+        const actualRef = await actionsutil.getRef();
+        t.deepEqual(actualRef, expectedRef);
+        callback.restore();
+    });
 });
 (0, ava_1.default)("getRef() returns head PR ref if GITHUB_REF no longer checked out", async (t) => {
-    process.env["GITHUB_REF"] = "refs/pull/1/merge";
-    process.env["GITHUB_SHA"] = "a".repeat(40);
-    const callback = sinon.stub(actionsutil, "getCommitOid");
-    callback.withArgs("refs/pull/1/merge").resolves("a".repeat(40));
-    callback.withArgs("HEAD").resolves("b".repeat(40));
-    const actualRef = await actionsutil.getRef();
-    t.deepEqual(actualRef, "refs/pull/1/head");
-    callback.restore();
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        process.env["GITHUB_REF"] = "refs/pull/1/merge";
+        process.env["GITHUB_SHA"] = "a".repeat(40);
+        const callback = sinon.stub(actionsutil, "getCommitOid");
+        callback.withArgs(tmpDir, "refs/pull/1/merge").resolves("a".repeat(40));
+        callback.withArgs(tmpDir, "HEAD").resolves("b".repeat(40));
+        const actualRef = await actionsutil.getRef();
+        t.deepEqual(actualRef, "refs/pull/1/head");
+        callback.restore();
+    });
 });
 (0, ava_1.default)("getRef() returns ref provided as an input and ignores current HEAD", async (t) => {
-    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
-    getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
-    getAdditionalInputStub.withArgs("sha").resolves("b".repeat(40));
-    // These values are be ignored
-    process.env["GITHUB_REF"] = "refs/pull/1/merge";
-    process.env["GITHUB_SHA"] = "a".repeat(40);
-    const callback = sinon.stub(actionsutil, "getCommitOid");
-    callback.withArgs("refs/pull/1/merge").resolves("b".repeat(40));
-    callback.withArgs("HEAD").resolves("b".repeat(40));
-    const actualRef = await actionsutil.getRef();
-    t.deepEqual(actualRef, "refs/pull/2/merge");
-    callback.restore();
-    getAdditionalInputStub.restore();
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+        getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
+        getAdditionalInputStub.withArgs("sha").resolves("b".repeat(40));
+        // These values are be ignored
+        process.env["GITHUB_REF"] = "refs/pull/1/merge";
+        process.env["GITHUB_SHA"] = "a".repeat(40);
+        const callback = sinon.stub(actionsutil, "getCommitOid");
+        callback.withArgs("refs/pull/1/merge").resolves("b".repeat(40));
+        callback.withArgs("HEAD").resolves("b".repeat(40));
+        const actualRef = await actionsutil.getRef();
+        t.deepEqual(actualRef, "refs/pull/2/merge");
+        callback.restore();
+        getAdditionalInputStub.restore();
+    });
 });
 (0, ava_1.default)("getRef() throws an error if only `ref` is provided as an input", async (t) => {
-    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
-    getAdditionalInputStub.withArgs("ref").resolves("refs/pull/1/merge");
-    await t.throwsAsync(async () => {
-        await actionsutil.getRef();
-    }, {
-        instanceOf: Error,
-        message: "Both 'ref' and 'sha' are required if one of them is provided.",
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+        getAdditionalInputStub.withArgs("ref").resolves("refs/pull/1/merge");
+        await t.throwsAsync(async () => {
+            await actionsutil.getRef();
+        }, {
+            instanceOf: Error,
+            message: "Both 'ref' and 'sha' are required if one of them is provided.",
+        });
+        getAdditionalInputStub.restore();
    });
-    getAdditionalInputStub.restore();
 });
 (0, ava_1.default)("getRef() throws an error if only `sha` is provided as an input", async (t) => {
-    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
-    getAdditionalInputStub.withArgs("sha").resolves("a".repeat(40));
-    await t.throwsAsync(async () => {
-        await actionsutil.getRef();
-    }, {
-        instanceOf: Error,
-        message: "Both 'ref' and 'sha' are required if one of them is provided.",
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        process.env["GITHUB_WORKSPACE"] = "/tmp";
+        const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+        getAdditionalInputStub.withArgs("sha").resolves("a".repeat(40));
+        await t.throwsAsync(async () => {
+            await actionsutil.getRef();
+        }, {
+            instanceOf: Error,
+            message: "Both 'ref' and 'sha' are required if one of them is provided.",
+        });
+        getAdditionalInputStub.restore();
    });
-    getAdditionalInputStub.restore();
 });
 (0, ava_1.default)("computeAutomationID()", async (t) => {
    let actualAutomationID = actionsutil.computeAutomationID(".github/workflows/codeql-analysis.yml:analyze", '{"language": "javascript", "os": "linux"}');
@@ -461,6 +480,7 @@ on: ["push"]
 });
 (0, ava_1.default)("isAnalyzingDefaultBranch()", async (t) => {
    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
        const envFile = path.join(tmpDir, "event.json");
        fs.writeFileSync(envFile, JSON.stringify({
            repository: {
--- a/lib/actions-util.test.js.map
+++ b/lib/actions-util.test.js.map
--- a/lib/analysis-paths.test.js
+++ b/lib/analysis-paths.test.js
@@ -45,6 +45,7 @@ const util = __importStar(require("./util"));
            debugMode: false,
            debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
            debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
+            injectedMlQueries: false,
        };
        analysisPaths.includeAndExcludeAnalysisPaths(config);
        t.is(process.env["LGTM_INDEX_INCLUDE"], undefined);
@@ -69,6 +70,7 @@ const util = __importStar(require("./util"));
            debugMode: false,
            debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
            debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
+            injectedMlQueries: false,
        };
        analysisPaths.includeAndExcludeAnalysisPaths(config);
        t.is(process.env["LGTM_INDEX_INCLUDE"], "path1\npath2");
@@ -94,6 +96,7 @@ const util = __importStar(require("./util"));
            debugMode: false,
            debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
            debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
+            injectedMlQueries: false,
        };
        analysisPaths.includeAndExcludeAnalysisPaths(config);
        t.is(process.env["LGTM_INDEX_INCLUDE"], undefined);
--- a/lib/analysis-paths.test.js.map
+++ b/lib/analysis-paths.test.js.map
@@ -1 +1 @@
-{"version":3,"file":"analysis-paths.test.js","sourceRoot":"","sources":["../src/analysis-paths.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AAEvB,gEAAkD;AAClD,mDAA6C;AAC7C,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,YAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC7B,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,WAAW,EAAE,EAAE;YACf,KAAK,EAAE,EAAE;YACT,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,YAAY,EAAE,MAAM;YACpB,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,kBAAkB,CAAC;YACpD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;SACpD,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,eAAe,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAChC,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,KAAK,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YACrC,WAAW,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YAC3C,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,YAAY,EAAE,MAAM;YACpB,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,kBAAkB,CAAC;YACpD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;SACpD,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CACF,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EACjC,gGAAgG,CACjG,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,kBAAkB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACnC,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,YAAY,EAAE,EAAE;QAClD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,oBAAoB,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,WAAW,EAAE,EAAE;YACf,KAAK,EAAE,EAAE;YACT,iBAAiB,EAAE,EAAE;YACrB,OAAO;YACP,YAAY;YACZ,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,kBAAkB,CAAC;YACrD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;SACpD,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,oBAAoB,CAAC,CAAC;QAC9D,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"analysis-paths.test.js","sourceRoot":"","sources":["../src/analysis-paths.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AAEvB,gEAAkD;AAClD,mDAA6C;AAC7C,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,YAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC7B,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,WAAW,EAAE,EAAE;YACf,KAAK,EAAE,EAAE;YACT,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,YAAY,EAAE,MAAM;YACpB,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,kBAAkB,CAAC;YACpD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,KAAK;SACzB,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,eAAe,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAChC,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,KAAK,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YACrC,WAAW,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC;YAC3C,iBAAiB,EAAE,EAAE;YACrB,OAAO,EAAE,MAAM;YACf,YAAY,EAAE,MAAM;YACpB,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,kBAAkB,CAAC;YACpD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,KAAK;SACzB,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC,CAAC,EAAE,CACF,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EACjC,gGAAgG,CACjG,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,kBAAkB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACnC,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,YAAY,EAAE,EAAE;QAClD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,oBAAoB,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG;YACb,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;YACX,WAAW,EAAE,EAAE;YACf,KAAK,EAAE,EAAE;YACT,iBAAiB,EAAE,EAAE;YACrB,OAAO;YACP,YAAY;YACZ,SAAS,EAAE,EAAE;YACb,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,EAAwB;YACxE,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,kBAAkB,CAAC;YACrD,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,IAAI,CAAC,2BAA2B;YACnD,iBAAiB,EAAE,KAAK;SACzB,CAAC;QACF,aAAa,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC;QACrD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,oBAAoB,CAAC,CAAC;QAC9D,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
--- a/lib/analyze.js
+++ b/lib/analyze.js
@@ -131,11 +131,11 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
        if (!hasBuiltinQueries && !hasCustomQueries && !hasPackWithCustomQueries) {
            throw new Error(`Unable to analyse ${language} as no queries were selected for this language`);
        }
+        const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
        try {
            if (hasPackWithCustomQueries) {
                logger.info("Performing analysis with custom CodeQL Packs.");
                logger.startGroup(`Downloading custom packs for ${language}`);
-                const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
                const results = await codeql.packDownload(packsWithVersion);
                logger.info(`Downloaded packs: ${results.packs
                    .map((r) => `${r.name}@${r.version || "latest"}`)
--- a/lib/analyze.js.map
+++ b/lib/analyze.js.map
--- a/lib/analyze.test.js
+++ b/lib/analyze.test.js
@@ -128,6 +128,7 @@ const util = __importStar(require("./util"));
                debugMode: false,
                debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
                debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
+                injectedMlQueries: false,
            };
            fs.mkdirSync(util.getCodeQLDatabasePath(config, language), {
                recursive: true,
--- a/lib/analyze.test.js.map
+++ b/lib/analyze.test.js.map
--- a/lib/api-client.js
+++ b/lib/api-client.js
@@ -22,12 +22,13 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getActionsApiClient = exports.getApiClient = exports.DisallowedAPIVersionReason = void 0;
+exports.getGitHubVersionActionsOnly = exports.getActionsApiClient = exports.getApiClient = exports.DisallowedAPIVersionReason = void 0;
 const path = __importStar(require("path"));
 const githubUtils = __importStar(require("@actions/github/lib/utils"));
 const retry = __importStar(require("@octokit/plugin-retry"));
 const console_log_level_1 = __importDefault(require("console-log-level"));
 const actions_util_1 = require("./actions-util");
+const util = __importStar(require("./util"));
 const util_1 = require("./util");
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
@@ -57,15 +58,36 @@ function getApiUrl(githubUrl) {
    url.pathname = path.join(url.pathname, "api", "v3");
    return url.toString();
 }
+function getApiDetails() {
+    return {
+        auth: (0, actions_util_1.getRequiredInput)("token"),
+        url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
+    };
+}
 // Temporary function to aid in the transition to running on and off of github actions.
 // Once all code has been converted this function should be removed or made canonical
 // and called only from the action entrypoints.
 function getActionsApiClient() {
-    const apiDetails = {
-        auth: (0, actions_util_1.getRequiredInput)("token"),
-        url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
-    };
-    return (0, exports.getApiClient)(apiDetails);
+    return (0, exports.getApiClient)(getApiDetails());
 }
 exports.getActionsApiClient = getActionsApiClient;
+let cachedGitHubVersion = undefined;
+/**
+ * Report the GitHub server version. This is a wrapper around
+ * util.getGitHubVersion() that automatically supplies GitHub API details using
+ * GitHub Action inputs. If you need to get the GitHub server version from the
+ * Runner, please call util.getGitHubVersion() instead.
+ *
+ * @returns GitHub version
+ */
+async function getGitHubVersionActionsOnly() {
+    if (!util.isActions()) {
+        throw new Error("getGitHubVersionActionsOnly() works only in an action");
+    }
+    if (cachedGitHubVersion === undefined) {
+        cachedGitHubVersion = await util.getGitHubVersion(getApiDetails());
+    }
+    return cachedGitHubVersion;
+}
+exports.getGitHubVersionActionsOnly = getGitHubVersionActionsOnly;
 //# sourceMappingURL=api-client.js.map
--- a/lib/api-client.js.map
+++ b/lib/api-client.js.map
@@ -1 +1 @@
-{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAkD;AAClD,iCAAsD;AAEtD,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAeM,MAAM,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAClC,SAAS,EAAE,UAAU,IAAA,cAAO,GAAE,IAAI,GAAG,CAAC,OAAO,EAAE;QAC/C,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAdW,QAAA,YAAY,gBAcvB;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB;IACjC,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;KAC9C,CAAC;IAEF,OAAO,IAAA,oBAAY,EAAC,UAAU,CAAC,CAAC;AAClC,CAAC;AAPD,kDAOC"}
+{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAkD;AAClD,6CAA+B;AAC/B,iCAAqE;AAErE,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAeM,MAAM,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAClC,SAAS,EAAE,UAAU,IAAA,cAAO,GAAE,IAAI,GAAG,CAAC,OAAO,EAAE;QAC/C,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAdW,QAAA,YAAY,gBAcvB;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,aAAa;IACpB,OAAO;QACL,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;KAC9C,CAAC;AACJ,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB;IACjC,OAAO,IAAA,oBAAY,EAAC,aAAa,EAAE,CAAC,CAAC;AACvC,CAAC;AAFD,kDAEC;AAED,IAAI,mBAAmB,GAA8B,SAAS,CAAC;AAE/D;;;;;;;GAOG;AACI,KAAK,UAAU,2BAA2B;IAC/C,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE;QACrB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;KAC1E;IACD,IAAI,mBAAmB,KAAK,SAAS,EAAE;QACrC,mBAAmB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,CAAC,CAAC;KACpE;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AARD,kEAQC"}
--- a/lib/api-compatibility.json
+++ b/lib/api-compatibility.json
@@ -1 +1 @@
-{ "maximumVersion": "3.4", "minimumVersion": "3.1" }
+{ "maximumVersion": "3.5", "minimumVersion": "3.1" }
--- a/lib/codeql.js
+++ b/lib/codeql.js
@@ -27,7 +27,6 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const fast_deep_equal_1 = __importDefault(require("fast-deep-equal"));
-const yaml = __importStar(require("js-yaml"));
 const query_string_1 = __importDefault(require("query-string"));
 const semver = __importStar(require("semver"));
 const actions_util_1 = require("./actions-util");
@@ -76,7 +75,6 @@ const CODEQL_VERSION_GROUP_RULES = "2.5.5";
 const CODEQL_VERSION_SARIF_GROUP = "2.5.3";
 exports.CODEQL_VERSION_COUNTS_LINES = "2.6.2";
 const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
-const CODEQL_VERSION_CONFIG_FILES = "2.8.2"; // Versions before 2.8.2 weren't tolerant to unknown properties
 exports.CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
 /**
 * This variable controls using the new style of tracing from the CodeQL
@@ -196,6 +194,19 @@ async function getCodeQLBundleDownloadURL(apiDetails, variant, logger) {
    }
    return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
 }
+/**
+ * Set up CodeQL CLI access.
+ *
+ * @param codeqlURL
+ * @param apiDetails
+ * @param tempDir
+ * @param toolCacheDir
+ * @param variant
+ * @param logger
+ * @param checkVersion Whether to check that CodeQL CLI meets the minimum
+ *        version requirement. Must be set to true outside tests.
+ * @returns
+ */
 async function setupCodeQL(codeqlURL, apiDetails, tempDir, toolCacheDir, variant, logger, checkVersion) {
    try {
        // We use the special value of 'latest' to prioritize the version in the
@@ -367,16 +378,26 @@ async function getCodeQLForTesting() {
    return getCodeQLForCmd("codeql-for-testing", false);
 }
 exports.getCodeQLForTesting = getCodeQLForTesting;
+/**
+ * Return a CodeQL object for CodeQL CLI access.
+ *
+ * @param cmd Path to CodeQL CLI
+ * @param checkVersion Whether to check that CodeQL CLI meets the minimum
+ *        version requirement. Must be set to true outside tests.
+ * @returns A new CodeQL object
+ */
 async function getCodeQLForCmd(cmd, checkVersion) {
-    let cachedVersion = undefined;
    const codeql = {
        getPath() {
            return cmd;
        },
        async getVersion() {
-            if (cachedVersion === undefined)
-                cachedVersion = runTool(cmd, ["version", "--format=terse"]);
-            return await cachedVersion;
+            let result = util.getCachedCodeQlVersion();
+            if (result === undefined) {
+                result = await runTool(cmd, ["version", "--format=terse"]);
+                util.cacheCodeQlVersion(result);
+            }
+            return result;
        },
        async printVersion() {
            await runTool(cmd, ["version", "--format=json"]);
@@ -445,11 +466,6 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                    extraArgs.push(`--trace-process-level=${processLevel || 3}`);
                }
            }
-            if (await util.codeQlVersionAbove(codeql, CODEQL_VERSION_CONFIG_FILES)) {
-                const configLocation = path.resolve(config.tempDir, "user-config.yaml");
-                fs.writeFileSync(configLocation, yaml.dump(config.originalUserInput));
-                extraArgs.push(`--codescanning-config=${configLocation}`);
-            }
            await runTool(cmd, [
                "database",
                "init",
@@ -570,9 +586,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            if (extraSearchPath !== undefined) {
                codeqlArgs.push("--additional-packs", extraSearchPath);
            }
-            if (!(await util.codeQlVersionAbove(this, CODEQL_VERSION_CONFIG_FILES))) {
-                codeqlArgs.push(querySuitePath);
-            }
+            codeqlArgs.push(querySuitePath);
            await runTool(cmd, codeqlArgs);
        },
        async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, automationDetailsId) {
@@ -599,9 +613,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                codeqlArgs.push("--sarif-category", automationDetailsId);
            }
            codeqlArgs.push(databasePath);
-            if (!(await util.codeQlVersionAbove(this, CODEQL_VERSION_CONFIG_FILES))) {
-                codeqlArgs.push(...querySuitePaths);
-            }
+            codeqlArgs.push(...querySuitePaths);
            // capture stdout, which contains analysis summaries
            return await runTool(cmd, codeqlArgs);
        },
@@ -672,6 +684,14 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            await new toolrunner.ToolRunner(cmd, args).exec();
        },
    };
+    // To ensure that status reports include the CodeQL CLI version whereever
+    // possbile, we want to call getVersion(), which populates the version value
+    // used by status reporting, at the earliest opportunity. But invoking
+    // getVersion() directly here breaks tests that only pretend to create a
+    // CodeQL object. So instead we rely on the assumption that all non-test
+    // callers would set checkVersion to true, and util.codeQlVersionAbove()
+    // would call getVersion(), so the CLI version would be cached as soon as the
+    // CodeQL object is created.
    if (checkVersion &&
        !(await util.codeQlVersionAbove(codeql, CODEQL_MINIMUM_VERSION))) {
        throw new Error(`Expected a CodeQL CLI with version at least ${CODEQL_MINIMUM_VERSION} but got version ${await codeql.getVersion()}`);
--- a/lib/codeql.js.map
+++ b/lib/codeql.js.map
--- a/lib/config-utils.js
+++ b/lib/config-utils.js
@@ -118,9 +118,11 @@ const builtinSuites = ["security-extended", "security-and-quality"];
 /**
 * Determine the set of queries associated with suiteName's suites and add them to resultMap.
 * Throws an error if suiteName is not a valid builtin suite.
+ * May inject ML queries, and the return value will declare if this was done.
 */
 async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suiteName, featureFlags, configFile) {
    var _a;
+    let injectedMlQueries = false;
    const found = builtinSuites.find((suite) => suite === suiteName);
    if (!found) {
        throw new Error(getQueryUsesInvalid(configFile, suiteName));
@@ -128,18 +130,23 @@ async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suite
    // If we're running the JavaScript security-extended analysis (or a superset of it), the repo is
    // opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
    // pack, then add the ML-powered query pack so that we run ML-powered queries.
-    if (languages.includes("javascript") &&
+    if (
+    // Disable ML-powered queries on Windows
+    process.platform !== "win32" &&
+        languages.includes("javascript") &&
        (found === "security-extended" || found === "security-and-quality") &&
-        !((_a = packs.javascript) === null || _a === void 0 ? void 0 : _a.some((pack) => pack.packName === util_1.ML_POWERED_JS_QUERIES_PACK.packName)) &&
+        !((_a = packs.javascript) === null || _a === void 0 ? void 0 : _a.some((pack) => pack.packName === util_1.ML_POWERED_JS_QUERIES_PACK_NAME)) &&
        (await featureFlags.getValue(feature_flags_1.FeatureFlag.MlPoweredQueriesEnabled)) &&
        (await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_ML_POWERED_QUERIES))) {
        if (!packs.javascript) {
            packs.javascript = [];
        }
-        packs.javascript.push(util_1.ML_POWERED_JS_QUERIES_PACK);
+        packs.javascript.push(await (0, util_1.getMlPoweredJsQueriesPack)(codeQL));
+        injectedMlQueries = true;
    }
    const suites = languages.map((l) => `${l}-${suiteName}.qls`);
    await runResolveQueries(codeQL, resultMap, suites, undefined);
+    return injectedMlQueries;
 }
 /**
 * Retrieve the set of queries at localQueryPath and add them to resultMap.
@@ -196,6 +203,11 @@ async function addRemoteQueries(codeQL, resultMap, queryUses, tempDir, apiDetail
 * parsing the 'uses' actions in the workflow file. So it can handle
 * local paths starting with './', or references to remote repos, or
 * a finite set of hardcoded terms for builtin suites.
+ *
+ * This may inject ML queries into the packs to use, and the return value will
+ * declare if this was done.
+ *
+ * @returns whether or not we injected ML queries into the packs
 */
 async function parseQueryUses(languages, codeQL, resultMap, packs, queryUses, tempDir, workspacePath, apiDetails, featureFlags, logger, configFile) {
    queryUses = queryUses.trim();
@@ -205,15 +217,15 @@ async function parseQueryUses(languages, codeQL, resultMap, packs, queryUses, te
    // Check for the local path case before we start trying to parse the repository name
    if (queryUses.startsWith("./")) {
        await addLocalQueries(codeQL, resultMap, queryUses.slice(2), workspacePath, configFile);
-        return;
+        return false;
    }
    // Check for one of the builtin suites
    if (queryUses.indexOf("/") === -1 && queryUses.indexOf("@") === -1) {
-        await addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, queryUses, featureFlags, configFile);
-        return;
+        return await addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, queryUses, featureFlags, configFile);
    }
    // Otherwise, must be a reference to another repo
    await addRemoteQueries(codeQL, resultMap, queryUses, tempDir, apiDetails, logger, configFile);
+    return false;
 }
 // Regex validating stars in paths or paths-ignore entries.
 // The intention is to only allow ** to appear when immediately
@@ -422,12 +434,15 @@ async function getLanguages(codeQL, languagesInput, repository, apiDetails, logg
    return parsedLanguages;
 }
 async function addQueriesAndPacksFromWorkflow(codeQL, queriesInput, languages, resultMap, packs, tempDir, workspacePath, apiDetails, featureFlags, logger) {
+    let injectedMlQueries = false;
    queriesInput = queriesInput.trim();
    // "+" means "don't override config file" - see shouldAddConfigFileQueries
    queriesInput = queriesInput.replace(/^\+/, "");
    for (const query of queriesInput.split(",")) {
-        await parseQueryUses(languages, codeQL, resultMap, packs, query, tempDir, workspacePath, apiDetails, featureFlags, logger);
+        const didInject = await parseQueryUses(languages, codeQL, resultMap, packs, query, tempDir, workspacePath, apiDetails, featureFlags, logger);
+        injectedMlQueries = injectedMlQueries || didInject;
    }
+    return injectedMlQueries;
 }
 // Returns true if either no queries were provided in the workflow.
 // or if the queries in the workflow were provided in "additive" mode,
@@ -435,7 +450,7 @@ async function addQueriesAndPacksFromWorkflow(codeQL, queriesInput, languages, r
 // should instead be added in addition
 function shouldAddConfigFileQueries(queriesInput) {
    if (queriesInput) {
-        return queriesInput.trimStart().substr(0, 1) === "+";
+        return queriesInput.trimStart().slice(0, 1) === "+";
    }
    return true;
 }
@@ -454,8 +469,9 @@ async function getDefaultConfig(languagesInput, queriesInput, packsInput, dbLoca
    }
    await addDefaultQueries(codeQL, languages, queries);
    const packs = (_a = parsePacksFromInput(packsInput, languages)) !== null && _a !== void 0 ? _a : {};
+    let injectedMlQueries = false;
    if (queriesInput) {
-        await addQueriesAndPacksFromWorkflow(codeQL, queriesInput, languages, queries, packs, tempDir, workspacePath, apiDetails, featureFlags, logger);
+        injectedMlQueries = await addQueriesAndPacksFromWorkflow(codeQL, queriesInput, languages, queries, packs, tempDir, workspacePath, apiDetails, featureFlags, logger);
    }
    return {
        languages,
@@ -472,6 +488,7 @@ async function getDefaultConfig(languagesInput, queriesInput, packsInput, dbLoca
        debugMode,
        debugArtifactName,
        debugDatabaseName,
+        injectedMlQueries,
    };
 }
 exports.getDefaultConfig = getDefaultConfig;
@@ -524,8 +541,9 @@ async function loadConfig(languagesInput, queriesInput, packsInput, configFile,
    // they should take precedence over the queries in the config file
    // unless they're prefixed with "+", in which case they supplement those
    // in the config file.
+    let injectedMlQueries = false;
    if (queriesInput) {
-        await addQueriesAndPacksFromWorkflow(codeQL, queriesInput, languages, queries, packs, tempDir, workspacePath, apiDetails, featureFlags, logger);
+        injectedMlQueries = await addQueriesAndPacksFromWorkflow(codeQL, queriesInput, languages, queries, packs, tempDir, workspacePath, apiDetails, featureFlags, logger);
    }
    if (shouldAddConfigFileQueries(queriesInput) &&
        QUERIES_PROPERTY in parsedYAML) {
@@ -578,6 +596,7 @@ async function loadConfig(languagesInput, queriesInput, packsInput, configFile,
        debugMode,
        debugArtifactName,
        debugDatabaseName,
+        injectedMlQueries,
    };
 }
 /**
--- a/lib/config-utils.js.map
+++ b/lib/config-utils.js.map
--- a/lib/config-utils.test.js
+++ b/lib/config-utils.test.js
@@ -221,6 +221,7 @@ function mockListLanguages(languages) {
            debugMode: false,
            debugArtifactName: "my-artifact",
            debugDatabaseName: "my-db",
+            injectedMlQueries: false,
        };
        const languages = "javascript";
        const configFilePath = createConfigFile(inputFileContents, tmpDir);
@@ -910,11 +911,20 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
        ? `${expectedVersionString} are`
        : "aren't"} loaded for packs: ${packsInput}, queries: ${queriesInput} using CLI v${codeQLVersion} when feature flag is ${isMlPoweredQueriesFlagEnabled ? "enabled" : "disabled"}`,
 });
-// macro, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, versionString
+// macro, codeQLVersion, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, expectedVersionString
+// Test that ML-powered queries aren't run on v2.7.4 of the CLI.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.4", true, undefined, "security-extended", undefined);
+// Test that ML-powered queries aren't run when the feature flag is off.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", false, undefined, "security-extended", undefined);
+// Test that ML-powered queries aren't run when the user hasn't specified that we should run the
+// `security-extended` or `security-and-quality` query suite.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
-(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-extended", "~0.0.2");
-(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-and-quality", "~0.0.2");
-(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, "codeql/javascript-experimental-atm-queries@0.0.1", "security-and-quality", "0.0.1");
+// Test that ML-powered queries are run on non-Windows platforms running `security-extended`.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.1.0");
+// Test that ML-powered queries are run on non-Windows platforms running `security-and-quality`.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-and-quality", process.platform === "win32" ? undefined : "~0.1.0");
+// Test that we don't inject an ML-powered query pack if the user has already specified one.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, "codeql/javascript-experimental-atm-queries@0.0.1", "security-and-quality", process.platform === "win32" ? undefined : "0.0.1");
+// Test that the ~0.2.0 version of ML-powered queries is run on v2.8.4 of the CLI.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.8.4", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.2.0");
 //# sourceMappingURL=config-utils.test.js.map
--- a/lib/config-utils.test.js.map
+++ b/lib/config-utils.test.js.map
--- a/lib/database-upload.test.js
+++ b/lib/database-upload.test.js
@@ -58,6 +58,7 @@ function getTestConfig(tmpDir) {
        debugMode: false,
        debugArtifactName: util_1.DEFAULT_DEBUG_ARTIFACT_NAME,
        debugDatabaseName: util_1.DEFAULT_DEBUG_DATABASE_NAME,
+        injectedMlQueries: false,
    };
 }
 async function mockHttpRequests(databaseUploadStatusCode) {
--- a/lib/database-upload.test.js.map
+++ b/lib/database-upload.test.js.map
--- a/lib/defaults.json
+++ b/lib/defaults.json
@@ -1,3 +1,3 @@
 {
-    "bundleVersion": "codeql-bundle-20220224"
+    "bundleVersion": "codeql-bundle-20220401"
 }
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -22,6 +22,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
 const actions_util_1 = require("./actions-util");
+const api_client_1 = require("./api-client");
 const codeql_1 = require("./codeql");
 const feature_flags_1 = require("./feature-flags");
 const init_1 = require("./init");
@@ -48,7 +49,7 @@ async function sendSuccessStatusReport(startedAt, config, toolsVersion) {
    }
    if (queriesInput !== undefined) {
        queriesInput = queriesInput.startsWith("+")
-            ? queriesInput.substr(1)
+            ? queriesInput.slice(1)
            : queriesInput;
        queries.push(...queriesInput.split(","));
    }
@@ -78,7 +79,7 @@ async function run() {
        externalRepoAuth: (0, actions_util_1.getOptionalInput)("external-repository-token"),
        url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
    };
-    const gitHubVersion = await (0, util_1.getGitHubVersion)(apiDetails);
+    const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
    (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger, util_1.Mode.actions);
    const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
    const featureFlags = new feature_flags_1.GitHubFeatureFlags(gitHubVersion, apiDetails, repositoryNwo, logger);
--- a/lib/init-action.js.map
+++ b/lib/init-action.js.map
--- a/lib/testing-utils.js
+++ b/lib/testing-utils.js
@@ -90,6 +90,7 @@ exports.setupTests = setupTests;
 function setupActionsVars(tempDir, toolsDir) {
    process.env["RUNNER_TEMP"] = tempDir;
    process.env["RUNNER_TOOL_CACHE"] = toolsDir;
+    process.env["GITHUB_WORKSPACE"] = tempDir;
 }
 exports.setupActionsVars = setupActionsVars;
 function getRecordingLogger(messages) {
--- a/lib/testing-utils.js.map
+++ b/lib/testing-utils.js.map
@@ -1 +1 @@
-{"version":3,"file":"testing-utils.js","sourceRoot":"","sources":["../src/testing-utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,wDAA0C;AAE1C,6CAA+B;AAE/B,wDAA0C;AAC1C,iDAAmC;AAEnC,iCAAmC;AASnC,SAAS,UAAU,CAAC,OAAoB;IACtC,8CAA8C;IAC9C,gCAAgC;IAChC,2EAA2E;IAC3E,2FAA2F;IAC3F,OAAO,CACL,KAA0B,EAC1B,QAAiB,EACjB,EAA0B,EACjB,EAAE;QACX,2CAA2C;QAC3C,IAAI,EAAE,KAAK,SAAS,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE;YACtD,EAAE,GAAG,QAAQ,CAAC;YACd,QAAQ,GAAG,SAAS,CAAC;SACtB;QAED,oBAAoB;QACpB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;YAC7B,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC;SAC7B;aAAM;YACL,OAAO,CAAC,UAAU,IAAI,IAAI,WAAW,CAAC,QAAQ,IAAI,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;SAC1E;QAED,iDAAiD;QACjD,IAAI,EAAE,KAAK,SAAS,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YAChD,EAAE,EAAE,CAAC;SACN;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAED,SAAgB,UAAU,CAAC,IAAiB;IAC1C,MAAM,SAAS,GAAG,IAA2B,CAAC;IAE9C,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE;QACzB,gEAAgE;QAChE,0CAA0C;QAC1C,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAErB,iEAAiE;QACjE,CAAC,CAAC,OAAO,CAAC,UAAU,GAAG,EAAE,CAAC;QAC1B,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,CAAC,CAAC,OAAO,CAAC,WAAW,GAAG,kBAAkB,CAAC;QAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,CAAQ,CAAC;QACpD,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,CAAC,CAAC,OAAO,CAAC,WAAW,GAAG,kBAAkB,CAAC;QAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,CAAQ,CAAC;QAEpD,mEAAmE;QACnE,wEAAwE;QACxE,kEAAkE;QAClE,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,EAAE,CAAC;QACnB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC/B,4BAA4B;QAC5B,0DAA0D;QAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;QAC7C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;QAC7C,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE;YACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;SAC5C;QAED,uCAAuC;QACvC,KAAK,CAAC,OAAO,EAAE,CAAC;QAEhB,oCAAoC;QACpC,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAvCD,gCAuCC;AAED,yEAAyE;AACzE,sDAAsD;AACtD,SAAgB,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IAChE,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,QAAQ,CAAC;AAC9C,CAAC;AAHD,4CAGC;AAOD,SAAgB,kBAAkB,CAAC,QAAyB;IAC1D,OAAO;QACL,KAAK,EAAE,CAAC,OAAe,EAAE,EAAE;YACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,EAAE,CAAC,OAAe,EAAE,EAAE;YACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YACzC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,OAAO,EAAE,CAAC,OAAuB,EAAE,EAAE;YACnC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;YAC5C,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,KAAK,EAAE,CAAC,OAAuB,EAAE,EAAE;YACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI;QACnB,UAAU,EAAE,GAAG,EAAE,CAAC,SAAS;QAC3B,QAAQ,EAAE,GAAG,EAAE,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAtBD,gDAsBC;AAED,0EAA0E;AAC1E,SAAgB,0BAA0B,CACxC,kBAA0B,EAC1B,QAAyC;IAEzC,kEAAkE;IAClE,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAExC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAEjD,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAClC,8DAA8D,CAC/D,CAAC;IACF,IAAI,kBAAkB,GAAG,GAAG,EAAE;QAC5B,QAAQ,CAAC,QAAQ,CAAC;YAChB,MAAM,EAAE,kBAAkB;YAC1B,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,EAAE;YACX,GAAG,EAAE,8DAA8D;SACpE,CAAC,CAAC;KACJ;SAAM;QACL,QAAQ,CAAC,MAAM,CAAC,IAAI,gBAAS,CAAC,oBAAoB,EAAE,kBAAkB,CAAC,CAAC,CAAC;KAC1E;IAED,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;AAC5D,CAAC;AAxBD,gEAwBC"}
+{"version":3,"file":"testing-utils.js","sourceRoot":"","sources":["../src/testing-utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,wDAA0C;AAE1C,6CAA+B;AAE/B,wDAA0C;AAC1C,iDAAmC;AAEnC,iCAAmC;AASnC,SAAS,UAAU,CAAC,OAAoB;IACtC,8CAA8C;IAC9C,gCAAgC;IAChC,2EAA2E;IAC3E,2FAA2F;IAC3F,OAAO,CACL,KAA0B,EAC1B,QAAiB,EACjB,EAA0B,EACjB,EAAE;QACX,2CAA2C;QAC3C,IAAI,EAAE,KAAK,SAAS,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE;YACtD,EAAE,GAAG,QAAQ,CAAC;YACd,QAAQ,GAAG,SAAS,CAAC;SACtB;QAED,oBAAoB;QACpB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;YAC7B,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC;SAC7B;aAAM;YACL,OAAO,CAAC,UAAU,IAAI,IAAI,WAAW,CAAC,QAAQ,IAAI,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;SAC1E;QAED,iDAAiD;QACjD,IAAI,EAAE,KAAK,SAAS,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YAChD,EAAE,EAAE,CAAC;SACN;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAED,SAAgB,UAAU,CAAC,IAAiB;IAC1C,MAAM,SAAS,GAAG,IAA2B,CAAC;IAE9C,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE;QACzB,gEAAgE;QAChE,0CAA0C;QAC1C,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAErB,iEAAiE;QACjE,CAAC,CAAC,OAAO,CAAC,UAAU,GAAG,EAAE,CAAC;QAC1B,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,CAAC,CAAC,OAAO,CAAC,WAAW,GAAG,kBAAkB,CAAC;QAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,CAAQ,CAAC;QACpD,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,CAAC,CAAC,OAAO,CAAC,WAAW,GAAG,kBAAkB,CAAC;QAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,CAAQ,CAAC;QAEpD,mEAAmE;QACnE,wEAAwE;QACxE,kEAAkE;QAClE,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,EAAE,CAAC;QACnB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC/B,4BAA4B;QAC5B,0DAA0D;QAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;QAC7C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;QAC7C,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE;YACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;SAC5C;QAED,uCAAuC;QACvC,KAAK,CAAC,OAAO,EAAE,CAAC;QAEhB,oCAAoC;QACpC,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAvCD,gCAuCC;AAED,yEAAyE;AACzE,sDAAsD;AACtD,SAAgB,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IAChE,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,QAAQ,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,GAAG,OAAO,CAAC;AAC5C,CAAC;AAJD,4CAIC;AAOD,SAAgB,kBAAkB,CAAC,QAAyB;IAC1D,OAAO;QACL,KAAK,EAAE,CAAC,OAAe,EAAE,EAAE;YACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,EAAE,CAAC,OAAe,EAAE,EAAE;YACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YACzC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,OAAO,EAAE,CAAC,OAAuB,EAAE,EAAE;YACnC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;YAC5C,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,KAAK,EAAE,CAAC,OAAuB,EAAE,EAAE;YACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI;QACnB,UAAU,EAAE,GAAG,EAAE,CAAC,SAAS;QAC3B,QAAQ,EAAE,GAAG,EAAE,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAtBD,gDAsBC;AAED,0EAA0E;AAC1E,SAAgB,0BAA0B,CACxC,kBAA0B,EAC1B,QAAyC;IAEzC,kEAAkE;IAClE,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAExC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAEjD,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAClC,8DAA8D,CAC/D,CAAC;IACF,IAAI,kBAAkB,GAAG,GAAG,EAAE;QAC5B,QAAQ,CAAC,QAAQ,CAAC;YAChB,MAAM,EAAE,kBAAkB;YAC1B,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,EAAE;YACX,GAAG,EAAE,8DAA8D;SACpE,CAAC,CAAC;KACJ;SAAM;QACL,QAAQ,CAAC,MAAM,CAAC,IAAI,gBAAS,CAAC,oBAAoB,EAAE,kBAAkB,CAAC,CAAC,CAAC;KAC1E;IAED,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;AAC5D,CAAC;AAxBD,gEAwBC"}
--- a/lib/tracer-config.test.js
+++ b/lib/tracer-config.test.js
@@ -47,6 +47,7 @@ function getTestConfig(tmpDir) {
        debugMode: false,
        debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
        debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
+        injectedMlQueries: false,
    };
 }
 // A very minimal setup
--- a/lib/tracer-config.test.js.map
+++ b/lib/tracer-config.test.js.map
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -95,7 +95,10 @@ async function uploadPayload(payload, repositoryNwo, apiDetails, logger) {
    // If in test mode we don't want to upload the results
    const testMode = process.env["TEST_MODE"] === "true" || false;
    if (testMode) {
-        logger.debug("In test mode. Results are not uploaded.");
+        const payloadSaveFile = path.join(actionsUtil.getTemporaryDirectory(), "payload.json");
+        logger.info(`In test mode. Results are not uploaded. Saving to ${payloadSaveFile}`);
+        logger.info(`Payload: ${JSON.stringify(payload, null, 2)}`);
+        fs.writeFileSync(payloadSaveFile, JSON.stringify(payload, null, 2));
        return;
    }
    const client = api.getApiClient(apiDetails);
@@ -134,7 +137,7 @@ exports.findSarifFilesInDir = findSarifFilesInDir;
 // depending on what the path happens to refer to.
 // Returns true iff the upload occurred and succeeded
 async function uploadFromActions(sarifPath, gitHubVersion, apiDetails, logger) {
-    return await uploadFiles(getSarifFilePaths(sarifPath), (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), await actionsUtil.getCommitOid(), await actionsUtil.getRef(), await actionsUtil.getAnalysisKey(), actionsUtil.getOptionalInput("category"), util.getRequiredEnvParam("GITHUB_WORKFLOW"), actionsUtil.getWorkflowRunID(), actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getRequiredInput("matrix"), gitHubVersion, apiDetails, logger);
+    return await uploadFiles(getSarifFilePaths(sarifPath), (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), await actionsUtil.getCommitOid(actionsUtil.getRequiredInput("checkout_path")), await actionsUtil.getRef(), await actionsUtil.getAnalysisKey(), actionsUtil.getOptionalInput("category"), util.getRequiredEnvParam("GITHUB_WORKFLOW"), actionsUtil.getWorkflowRunID(), actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getRequiredInput("matrix"), gitHubVersion, apiDetails, logger);
 }
 exports.uploadFromActions = uploadFromActions;
 // Uploads a single sarif file or a directory of sarif files
--- a/lib/upload-lib.js.map
+++ b/lib/upload-lib.js.map
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -21,6 +21,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
 const actionsUtil = __importStar(require("./actions-util"));
+const api_client_1 = require("./api-client");
 const logging_1 = require("./logging");
 const repository_1 = require("./repository");
 const upload_lib = __importStar(require("./upload-lib"));
@@ -46,7 +47,7 @@ async function run() {
            auth: actionsUtil.getRequiredInput("token"),
            url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
        };
-        const gitHubVersion = await (0, util_1.getGitHubVersion)(apiDetails);
+        const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
        const uploadResult = await upload_lib.uploadFromActions(actionsUtil.getRequiredInput("sarif_file"), gitHubVersion, apiDetails, (0, logging_1.getActionsLogger)());
        core.setOutput("sarif-id", uploadResult.sarifID);
        if (actionsUtil.getRequiredInput("wait-for-processing") === "true") {
--- a/lib/upload-sarif-action.js.map
+++ b/lib/upload-sarif-action.js.map
@@ -1 +1 @@
-{"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,uCAA6C;AAC7C,6CAAkD;AAClD,yDAA2C;AAC3C,iCAKgB;AAEhB,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAMvC,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C;IAE1C,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,cAAc,EACd,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,GAAG,WAAW;KACf,CAAC;IACF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,UAAU,EACV,SAAS,CACV,CACF,CAAC,EACF;QACA,OAAO;KACR;IAED,IAAI;QACF,MAAM,UAAU,GAAG;YACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;SAC9C,CAAC;QAEF,MAAM,aAAa,GAAG,MAAM,IAAA,uBAAgB,EAAC,UAAU,CAAC,CAAC;QAEzD,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,iBAAiB,CACrD,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,aAAa,EACb,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE;YAClE,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,+BAAkB,EAAC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,EAC5D,YAAY,CAAC,OAAO,EACpB,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;SACH;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;KACrE;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,WAAW,CAAC,gBAAgB,CAAC,KAAK,CAAC,EACnC,SAAS,EACT,OAAO,EACP,KAAK,CACN,CACF,CAAC;QACF,OAAO;KACR;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAA2D;AAC3D,uCAA6C;AAC7C,6CAAkD;AAClD,yDAA2C;AAC3C,iCAA0E;AAE1E,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAMvC,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C;IAE1C,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,cAAc,EACd,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,GAAG,WAAW;KACf,CAAC;IACF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,UAAU,EACV,SAAS,CACV,CACF,CAAC,EACF;QACA,OAAO;KACR;IAED,IAAI;QACF,MAAM,UAAU,GAAG;YACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;SAC9C,CAAC;QAEF,MAAM,aAAa,GAAG,MAAM,IAAA,wCAA2B,GAAE,CAAC;QAE1D,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,iBAAiB,CACrD,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,aAAa,EACb,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE;YAClE,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,+BAAkB,EAAC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,EAC5D,YAAY,CAAC,OAAO,EACpB,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;SACH;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;KACrE;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,WAAW,CAAC,gBAAgB,CAAC,KAAK,CAAC,EACnC,SAAS,EACT,OAAO,EACP,KAAK,CACN,CACF,CAAC;QACF,OAAO;KACR;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
--- a/lib/util.js
+++ b/lib/util.js
@@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getMlPoweredJsQueriesStatus = exports.ML_POWERED_JS_QUERIES_PACK = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
+exports.getMlPoweredJsQueriesStatus = exports.getMlPoweredJsQueriesPack = exports.ML_POWERED_JS_QUERIES_PACK_NAME = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isGitHubGhesVersionBelow = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
@@ -500,6 +500,23 @@ function isHTTPError(arg) {
    return (arg === null || arg === void 0 ? void 0 : arg.status) !== undefined && Number.isInteger(arg.status);
 }
 exports.isHTTPError = isHTTPError;
+function isGitHubGhesVersionBelow(gitHubVersion, expectedVersion) {
+    return (gitHubVersion.type === GitHubVariant.GHES &&
+        semver.lt(gitHubVersion.version, expectedVersion));
+}
+exports.isGitHubGhesVersionBelow = isGitHubGhesVersionBelow;
+let cachedCodeQlVersion = undefined;
+function cacheCodeQlVersion(version) {
+    if (cachedCodeQlVersion !== undefined) {
+        throw new Error("cacheCodeQlVersion() should be called only once");
+    }
+    cachedCodeQlVersion = version;
+}
+exports.cacheCodeQlVersion = cacheCodeQlVersion;
+function getCachedCodeQlVersion() {
+    return cachedCodeQlVersion;
+}
+exports.getCachedCodeQlVersion = getCachedCodeQlVersion;
 async function codeQlVersionAbove(codeql, requiredVersion) {
    return semver.gte(await codeql.getVersion(), requiredVersion);
 }
@@ -528,24 +545,26 @@ function isGoodVersion(versionSpec) {
    return !BROKEN_VERSIONS.includes(versionSpec);
 }
 exports.isGoodVersion = isGoodVersion;
+exports.ML_POWERED_JS_QUERIES_PACK_NAME = "codeql/javascript-experimental-atm-queries";
 /**
- * The ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
+ * Gets the ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
 * queries beta.
 */
-exports.ML_POWERED_JS_QUERIES_PACK = {
-    packName: "codeql/javascript-experimental-atm-queries",
-    version: "~0.0.2",
-};
+async function getMlPoweredJsQueriesPack(codeQL) {
+    if (await codeQlVersionAbove(codeQL, "2.8.4")) {
+        return { packName: exports.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.2.0" };
+    }
+    return { packName: exports.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" };
+}
+exports.getMlPoweredJsQueriesPack = getMlPoweredJsQueriesPack;
 /**
 * Get information about ML-powered JS queries to populate status reports with.
 *
 * This will be:
 *
- * - The version string if the analysis is using the ML-powered query pack that will be added to the
- *   analysis if the repo is opted into the ML-powered queries beta, i.e.
- *   {@link ML_POWERED_JS_QUERIES_PACK.version}. If the version string
- *   {@link ML_POWERED_JS_QUERIES_PACK.version} is undefined, then the status report string will be
- *   "latest", however this shouldn't occur in practice (see comment below).
+ * - The version string if the analysis is using a single version of the ML-powered query pack.
+ * - "latest" if the version string of the ML-powered query pack is undefined. This is unlikely to
+ *   occur in practice (see comment below).
 * - "false" if the analysis won't run any ML-powered JS queries.
 * - "other" in all other cases.
 *
@@ -555,30 +574,25 @@ exports.ML_POWERED_JS_QUERIES_PACK = {
 * version of the CodeQL Action. For instance, we might want to compare the `~0.1.0` and `~0.0.2`
 * version strings.
 *
- * We restrict the set of strings we report here by excluding other version strings and combinations
- * of version strings. We do this to limit the cardinality of the ML-powered JS queries status
- * report field, since some platforms that ingest this status report bill based on the cardinality
- * of its fields.
- *
 * This function lives here rather than in `init-action.ts` so it's easier to test, since tests for
 * `init-action.ts` would each need to live in their own file. See `analyze-action-env.ts` for an
 * explanation as to why this is.
 */
 function getMlPoweredJsQueriesStatus(config) {
-    const mlPoweredJsQueryPacks = (config.packs.javascript || []).filter((pack) => pack.packName === exports.ML_POWERED_JS_QUERIES_PACK.packName);
-    if (mlPoweredJsQueryPacks.length === 0) {
-        return "false";
+    const mlPoweredJsQueryPacks = (config.packs.javascript || []).filter((pack) => pack.packName === exports.ML_POWERED_JS_QUERIES_PACK_NAME);
+    switch (mlPoweredJsQueryPacks.length) {
+        case 1:
+            // We should always specify an explicit version string in `getMlPoweredJsQueriesPack`,
+            // otherwise we won't be able to make changes to the pack unless those changes are compatible
+            // with each version of the CodeQL Action. Therefore in practice we should only hit the
+            // `latest` case here when customers have explicitly added the ML-powered query pack to their
+            // CodeQL config.
+            return mlPoweredJsQueryPacks[0].version || "latest";
+        case 0:
+            return "false";
+        default:
+            return "other";
    }
-    const firstVersionString = mlPoweredJsQueryPacks[0].version;
-    if (mlPoweredJsQueryPacks.length === 1 &&
-        exports.ML_POWERED_JS_QUERIES_PACK.version === firstVersionString) {
-        // We should always specify an explicit version string in `ML_POWERED_JS_QUERIES_PACK`,
-        // otherwise we won't be able to make changes to the pack unless those changes are compatible
-        // with each version of the CodeQL Action. Therefore in practice, we should never hit the
-        // `latest` case here.
-        return exports.ML_POWERED_JS_QUERIES_PACK.version || "latest";
-    }
-    return "other";
 }
 exports.getMlPoweredJsQueriesStatus = getMlPoweredJsQueriesStatus;
 //# sourceMappingURL=util.js.map
--- a/lib/util.js.map
+++ b/lib/util.js.map
--- a/lib/util.test.js
+++ b/lib/util.test.js
@@ -205,32 +205,43 @@ async function mockStdInForAuthExpectError(t, mockLogger, ...text) {
    await t.throwsAsync(async () => util.getGitHubAuth(mockLogger, undefined, true, stdin));
 }
 const ML_POWERED_JS_STATUS_TESTS = [
+    // If no packs are loaded, status is false.
    [[], "false"],
+    // If another pack is loaded but not the ML-powered query pack, status is false.
    [[{ packName: "someOtherPack" }], "false"],
+    // If the ML-powered query pack is loaded with a specific version, status is that version.
    [
-        [{ packName: "someOtherPack" }, util.ML_POWERED_JS_QUERIES_PACK],
-        util.ML_POWERED_JS_QUERIES_PACK.version,
-    ],
-    [[util.ML_POWERED_JS_QUERIES_PACK], util.ML_POWERED_JS_QUERIES_PACK.version],
-    [[{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName }], "other"],
-    [
-        [{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "~0.0.1" }],
-        "other",
-    ],
-    [
-        [
-            { packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.1" },
-            { packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.2" },
-        ],
-        "other",
+        [{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" }],
+        "~0.1.0",
    ],
+    // If the ML-powered query pack is loaded with a specific version and another pack is loaded, the
+    // status is the version of the ML-powered query pack.
    [
        [
            { packName: "someOtherPack" },
-            { packName: util.ML_POWERED_JS_QUERIES_PACK.packName },
+            { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" },
+        ],
+        "~0.1.0",
+    ],
+    // If the ML-powered query pack is loaded without a version, the status is "latest".
+    [[{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME }], "latest"],
+    // If the ML-powered query pack is loaded with two different versions, the status is "other".
+    [
+        [
+            { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.1" },
+            { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.2" },
        ],
        "other",
    ],
+    // If the ML-powered query pack is loaded with no specific version, and another pack is loaded,
+    // the status is "latest".
+    [
+        [
+            { packName: "someOtherPack" },
+            { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME },
+        ],
+        "latest",
+    ],
 ];
 for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {
    const packDescriptions = `[${packs
@@ -257,9 +268,17 @@ for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {
                debugMode: false,
                debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
                debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
+                injectedMlQueries: false,
            };
            t.is(util.getMlPoweredJsQueriesStatus(config), expectedStatus);
        });
    });
 }
+(0, ava_1.default)("isGitHubGhesVersionBelow", async (t) => {
+    t.falsy(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.DOTCOM }, "3.2.0"));
+    t.falsy(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHAE }, "3.2.0"));
+    t.falsy(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHES, version: "3.3.0" }, "3.2.0"));
+    t.falsy(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHES, version: "3.2.0" }, "3.2.0"));
+    t.true(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHES, version: "3.1.2" }, "3.2.0"));
+});
 //# sourceMappingURL=util.test.js.map
--- a/lib/util.test.js.map
+++ b/lib/util.test.js.map
--- a/node_modules/.package-lock.json
+++ b/node_modules/.package-lock.json
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "1.1.4",
+  "version": "1.1.8",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
@@ -893,6 +893,14 @@
        "node": ">=8"
      }
    },
+    "node_modules/array-uniq": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/array-uniq/-/array-uniq-1.0.3.tgz",
+      "integrity": "sha1-r2rId6Jcx/dOBYiUdThY39sk/bY=",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
    "node_modules/array.prototype.flat": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.2.4.tgz",
@@ -2788,6 +2796,17 @@
        "loc": "dist/cli.js"
      }
    },
+    "node_modules/github-linguist/node_modules/array-union": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/array-union/-/array-union-1.0.2.tgz",
+      "integrity": "sha1-mjRBDk9OPaI96jdb5b5w8kd47Dk=",
+      "dependencies": {
+        "array-uniq": "^1.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
    "node_modules/github-linguist/node_modules/commander": {
      "version": "2.20.3",
      "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="
@@ -3593,8 +3612,9 @@
      }
    },
    "node_modules/minimist": {
-      "version": "1.2.5",
-      "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
+      "version": "1.2.6",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
+      "integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
      "dev": true
    },
    "node_modules/ms": {
--- a/node_modules/array-uniq/index.js
+++ b/node_modules/array-uniq/index.js
@@ -0,0 +1,62 @@
+'use strict';
+
+// there's 3 implementations written in increasing order of efficiency
+
+// 1 - no Set type is defined
+function uniqNoSet(arr) {
+	var ret = [];
+
+	for (var i = 0; i < arr.length; i++) {
+		if (ret.indexOf(arr[i]) === -1) {
+			ret.push(arr[i]);
+		}
+	}
+
+	return ret;
+}
+
+// 2 - a simple Set type is defined
+function uniqSet(arr) {
+	var seen = new Set();
+	return arr.filter(function (el) {
+		if (!seen.has(el)) {
+			seen.add(el);
+			return true;
+		}
+
+		return false;
+	});
+}
+
+// 3 - a standard Set type is defined and it has a forEach method
+function uniqSetWithForEach(arr) {
+	var ret = [];
+
+	(new Set(arr)).forEach(function (el) {
+		ret.push(el);
+	});
+
+	return ret;
+}
+
+// V8 currently has a broken implementation
+// https://github.com/joyent/node/issues/8449
+function doesForEachActuallyWork() {
+	var ret = false;
+
+	(new Set([true])).forEach(function (el) {
+		ret = el;
+	});
+
+	return ret === true;
+}
+
+if ('Set' in global) {
+	if (typeof Set.prototype.forEach === 'function' && doesForEachActuallyWork()) {
+		module.exports = uniqSetWithForEach;
+	} else {
+		module.exports = uniqSet;
+	}
+} else {
+	module.exports = uniqNoSet;
+}
--- a/node_modules/array-uniq/license
+++ b/node_modules/array-uniq/license
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
--- a/node_modules/array-uniq/package.json
+++ b/node_modules/array-uniq/package.json
@@ -0,0 +1,37 @@
+{
+  "name": "array-uniq",
+  "version": "1.0.3",
+  "description": "Create an array without duplicates",
+  "license": "MIT",
+  "repository": "sindresorhus/array-uniq",
+  "author": {
+    "name": "Sindre Sorhus",
+    "email": "sindresorhus@gmail.com",
+    "url": "sindresorhus.com"
+  },
+  "engines": {
+    "node": ">=0.10.0"
+  },
+  "scripts": {
+    "test": "xo && ava"
+  },
+  "files": [
+    "index.js"
+  ],
+  "keywords": [
+    "array",
+    "arr",
+    "set",
+    "uniq",
+    "unique",
+    "es6",
+    "duplicate",
+    "remove"
+  ],
+  "devDependencies": {
+    "ava": "*",
+    "es6-set": "^0.1.0",
+    "require-uncached": "^1.0.2",
+    "xo": "*"
+  }
+}
--- a/node_modules/array-uniq/readme.md
+++ b/node_modules/array-uniq/readme.md
@@ -0,0 +1,30 @@
+# array-uniq [![Build Status](https://travis-ci.org/sindresorhus/array-uniq.svg?branch=master)](https://travis-ci.org/sindresorhus/array-uniq)
+
+> Create an array without duplicates
+
+It's already pretty fast, but will be much faster when [Set](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Set) becomes available in V8 (especially with large arrays).
+
+
+## Install
+
+```
+$ npm install --save array-uniq
+```
+
+
+## Usage
+
+```js
+const arrayUniq = require('array-uniq');
+
+arrayUniq([1, 1, 2, 3, 3]);
+//=> [1, 2, 3]
+
+arrayUniq(['foo', 'foo', 'bar', 'foo']);
+//=> ['foo', 'bar']
+```
+
+
+## License
+
+MIT © [Sindre Sorhus](https://sindresorhus.com)
--- a/node_modules/github-linguist/node_modules/array-union/index.js
+++ b/node_modules/github-linguist/node_modules/array-union/index.js
@@ -0,0 +1,6 @@
+'use strict';
+var arrayUniq = require('array-uniq');
+
+module.exports = function () {
+	return arrayUniq([].concat.apply([], arguments));
+};
--- a/node_modules/github-linguist/node_modules/array-union/license
+++ b/node_modules/github-linguist/node_modules/array-union/license
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
--- a/node_modules/github-linguist/node_modules/array-union/package.json
+++ b/node_modules/github-linguist/node_modules/array-union/package.json
@@ -0,0 +1,40 @@
+{
+  "name": "array-union",
+  "version": "1.0.2",
+  "description": "Create an array of unique values, in order, from the input arrays",
+  "license": "MIT",
+  "repository": "sindresorhus/array-union",
+  "author": {
+    "name": "Sindre Sorhus",
+    "email": "sindresorhus@gmail.com",
+    "url": "sindresorhus.com"
+  },
+  "engines": {
+    "node": ">=0.10.0"
+  },
+  "scripts": {
+    "test": "xo && ava"
+  },
+  "files": [
+    "index.js"
+  ],
+  "keywords": [
+    "array",
+    "arr",
+    "set",
+    "uniq",
+    "unique",
+    "duplicate",
+    "remove",
+    "union",
+    "combine",
+    "merge"
+  ],
+  "dependencies": {
+    "array-uniq": "^1.0.1"
+  },
+  "devDependencies": {
+    "ava": "*",
+    "xo": "*"
+  }
+}
--- a/node_modules/github-linguist/node_modules/array-union/readme.md
+++ b/node_modules/github-linguist/node_modules/array-union/readme.md
@@ -0,0 +1,28 @@
+# array-union [![Build Status](https://travis-ci.org/sindresorhus/array-union.svg?branch=master)](https://travis-ci.org/sindresorhus/array-union)
+
+> Create an array of unique values, in order, from the input arrays
+
+
+## Install
+
+```
+$ npm install --save array-union
+```
+
+
+## Usage
+
+```js
+const arrayUnion = require('array-union');
+
+arrayUnion([1, 1, 2, 3], [2, 3]);
+//=> [1, 2, 3]
+
+arrayUnion(['foo', 'foo', 'bar'], ['foo']);
+//=> ['foo', 'bar']
+```
+
+
+## License
+
+MIT © [Sindre Sorhus](https://sindresorhus.com)
--- a/node_modules/minimist/index.js
+++ b/node_modules/minimist/index.js
@@ -70,7 +70,7 @@ module.exports = function (args, opts) {
        var o = obj;
        for (var i = 0; i < keys.length-1; i++) {
            var key = keys[i];
-            if (key === '__proto__') return;
+            if (isConstructorOrProto(o, key)) return;
            if (o[key] === undefined) o[key] = {};
            if (o[key] === Object.prototype || o[key] === Number.prototype
                || o[key] === String.prototype) o[key] = {};
@@ -79,7 +79,7 @@ module.exports = function (args, opts) {
        }

        var key = keys[keys.length - 1];
-        if (key === '__proto__') return;
+        if (isConstructorOrProto(o, key)) return;
        if (o === Object.prototype || o === Number.prototype
            || o === String.prototype) o = {};
        if (o === Array.prototype) o = [];
@@ -243,3 +243,7 @@ function isNumber (x) {
    return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
 }

+
+function isConstructorOrProto (obj, key) {
+    return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
+}
--- a/node_modules/minimist/package.json
+++ b/node_modules/minimist/package.json
@@ -1,6 +1,6 @@
 {
  "name": "minimist",
-  "version": "1.2.5",
+  "version": "1.2.6",
  "description": "parse argument options",
  "main": "index.js",
  "devDependencies": {
--- a/node_modules/minimist/readme.markdown
+++ b/node_modules/minimist/readme.markdown
@@ -34,7 +34,10 @@ $ node example/parse.js -x 3 -y 4 -n5 -abc --beep=boop foo bar baz
 Previous versions had a prototype pollution bug that could cause privilege
 escalation in some circumstances when handling untrusted user input.

-Please use version 1.2.3 or later: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
+Please use version 1.2.6 or later:
+
+* https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795 (version <=1.2.5)
+* https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 (version <=1.2.3)

 # methods

--- a/node_modules/minimist/test/proto.js
+++ b/node_modules/minimist/test/proto.js
@@ -42,3 +42,19 @@ test('proto pollution (constructor)', function (t) {
    t.equal(argv.y, undefined);
    t.end();
 });
+
+test('proto pollution (constructor function)', function (t) {
+    var argv = parse(['--_.concat.constructor.prototype.y', '123']);
+    function fnToBeTested() {}
+    t.equal(fnToBeTested.y, undefined);
+    t.equal(argv.y, undefined);
+    t.end();
+});
+
+// powered by snyk - https://github.com/backstage/backstage/issues/10343
+test('proto pollution (constructor function) snyk', function (t) {
+    var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
+    t.equal((function(){}).foo, undefined);
+    t.equal(argv.y, undefined);
+    t.end();
+})
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "1.1.4",
+  "version": "1.1.8",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "1.1.4",
+      "version": "1.1.8",
      "license": "MIT",
      "dependencies": {
        "@actions/artifact": "^1.0.0",
@@ -946,6 +946,14 @@
        "node": ">=8"
      }
    },
+    "node_modules/array-uniq": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/array-uniq/-/array-uniq-1.0.3.tgz",
+      "integrity": "sha1-r2rId6Jcx/dOBYiUdThY39sk/bY=",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
    "node_modules/array.prototype.flat": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.2.4.tgz",
@@ -2841,6 +2849,17 @@
        "loc": "dist/cli.js"
      }
    },
+    "node_modules/github-linguist/node_modules/array-union": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/array-union/-/array-union-1.0.2.tgz",
+      "integrity": "sha1-mjRBDk9OPaI96jdb5b5w8kd47Dk=",
+      "dependencies": {
+        "array-uniq": "^1.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
    "node_modules/github-linguist/node_modules/commander": {
      "version": "2.20.3",
      "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="
@@ -3646,8 +3665,9 @@
      }
    },
    "node_modules/minimist": {
-      "version": "1.2.5",
-      "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
+      "version": "1.2.6",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
+      "integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
      "dev": true
    },
    "node_modules/ms": {
@@ -6056,6 +6076,11 @@
      "version": "2.1.0",
      "integrity": "sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw=="
    },
+    "array-uniq": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/array-uniq/-/array-uniq-1.0.3.tgz",
+      "integrity": "sha1-r2rId6Jcx/dOBYiUdThY39sk/bY="
+    },
    "array.prototype.flat": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.2.4.tgz",
@@ -7421,6 +7446,14 @@
        "slash2": "^2.0.0"
      },
      "dependencies": {
+        "array-union": {
+          "version": "1.0.2",
+          "resolved": "https://registry.npmjs.org/array-union/-/array-union-1.0.2.tgz",
+          "integrity": "sha1-mjRBDk9OPaI96jdb5b5w8kd47Dk=",
+          "requires": {
+            "array-uniq": "^1.0.1"
+          }
+        },
        "commander": {
          "version": "2.20.3",
          "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="
@@ -8003,8 +8036,9 @@
      }
    },
    "minimist": {
-      "version": "1.2.5",
-      "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
+      "version": "1.2.6",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
+      "integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
      "dev": true
    },
    "ms": {
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "1.1.4",
+  "version": "1.1.8",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -9,8 +9,7 @@
    "test-debug": "ava src/**.test.ts --serial --verbose --timeout=20m",
    "lint": "eslint --report-unused-disable-directives --max-warnings=0 . --ext .js,.ts",
    "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --ext .js,.ts --fix",
-    "removeNPMAbsolutePaths": "removeNPMAbsolutePaths . --force",
-    "version": "cd runner && npm version patch && cd .. && npm run removeNPMAbsolutePaths && git add runner"
+    "removeNPMAbsolutePaths": "removeNPMAbsolutePaths . --force"
  },
  "ava": {
    "typescript": {
@@ -75,4 +74,4 @@
  "resolutions": {
    "glob-parent": ">=5.1.2"
  }
-}
+}
--- a/pr-checks/checks/debug-artifacts.yml
+++ b/pr-checks/checks/debug-artifacts.yml
@@ -13,7 +13,7 @@ steps:
    run: ./build.sh
  - uses: ./../action/analyze
    id: analysis
-  - uses: actions/download-artifact@v2
+  - uses: actions/download-artifact@v3
    with:
      name: my-debug-artifacts-${{ matrix.os }}-${{ matrix.version }}
  - shell: bash
--- a/pr-checks/checks/go-custom-queries.yml
+++ b/pr-checks/checks/go-custom-queries.yml
@@ -1,7 +1,7 @@
 name: "Go: Custom queries"
 description: "Checks that Go works in conjunction with a config file specifying custom queries"
 steps:
-  - uses: actions/setup-go@v2
+  - uses: actions/setup-go@v3
    with:
      go-version: "^1.13.1"
  - uses: ./../action/init
--- a/pr-checks/checks/go-custom-tracing-autobuild.yml
+++ b/pr-checks/checks/go-custom-tracing-autobuild.yml
@@ -4,7 +4,7 @@ os: ["ubuntu-latest", "macos-latest"]
 env:
  CODEQL_EXTRACTOR_GO_BUILD_TRACING: "true"
 steps:
-  - uses: actions/setup-go@v2
+  - uses: actions/setup-go@v3
    with:
      go-version: "^1.13.1"
  - uses: ./../action/init
--- a/pr-checks/checks/go-custom-tracing.yml
+++ b/pr-checks/checks/go-custom-tracing.yml
@@ -3,7 +3,7 @@ description: "Checks that Go tracing works"
 env:
  CODEQL_EXTRACTOR_GO_BUILD_TRACING: "true"
 steps:
-  - uses: actions/setup-go@v2
+  - uses: actions/setup-go@v3
    with:
      go-version: "^1.13.1"
  - uses: ./../action/init
--- a/pr-checks/checks/ml-powered-queries.yml
+++ b/pr-checks/checks/ml-powered-queries.yml
@@ -0,0 +1,67 @@
+name: "ML-powered queries"
+description: "Tests that ML-powered queries are run with the security-extended suite and that they produce alerts on a test DB"
+versions: [
+    # Latest release in 2.7.x series
+    "stable-20220120",
+    "cached",
+    "latest",
+    "nightly-latest",
+  ]
+# Test on all three platforms since ML-powered queries use native code
+os: ["ubuntu-latest", "macos-latest", "windows-latest"]
+steps:
+  - uses: ./../action/init
+    with:
+      languages: javascript
+      queries: security-extended
+      source-root: ./../action/tests/ml-powered-queries-repo
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+  - uses: ./../action/analyze
+    with:
+      output: "${{ runner.temp }}/results"
+      upload-database: false
+    env:
+      TEST_MODE: true
+
+  - name: Upload SARIF
+    uses: actions/upload-artifact@v3
+    with:
+      name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+      path: "${{ runner.temp }}/results/javascript.sarif"
+      retention-days: 7
+
+  - name: Check results
+    env:
+      IS_WINDOWS: ${{ matrix.os == 'windows-latest' }}
+    shell: bash
+    run: |
+      cd "$RUNNER_TEMP/results"
+      # We should run at least the ML-powered queries in `expected_rules`.
+      expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
+
+      for rule in ${expected_rules}; do
+        found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
+          flatten | .[].id] | any(. == $rule)' javascript.sarif)
+        echo "Did find rule '${rule}': ${found_rule}"
+        if [[ "${found_rule}" != "true" && "${IS_WINDOWS}" != "true" ]]; then
+          echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
+          exit 1
+        elif [[ "${found_rule}" == "true" && "${IS_WINDOWS}" == "true" ]]; then
+          echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
+          exit 1
+        fi
+      done
+
+      # We should have at least one alert from an ML-powered query.
+      num_alerts=$(jq '[.runs[0].results[] |
+        select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
+        javascript.sarif)
+      echo "Found ${num_alerts} alerts from ML-powered queries.";
+      if [[ "${num_alerts}" -eq 0 && "${IS_WINDOWS}" != "true" ]]; then
+        echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
+        exit 1
+      elif [[ "${num_alerts}" -ne 0 && "${IS_WINDOWS}" == "true" ]]; then
+        echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
+        exit 1
+      fi
--- a/pr-checks/checks/with-checkout-path.yml
+++ b/pr-checks/checks/with-checkout-path.yml
@@ -0,0 +1,75 @@
+name: "Use a custom `checkout_path`"
+description: "Checks that a custom `checkout_path` will find the proper commit_oid"
+# Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
+# `windows-latest`.
+# Must test on all three platforms since this test does path manipulation
+os: [ubuntu-latest, macos-latest, windows-2019]
+steps:
+  # Check out the actions repo again, but at a different location.
+  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
+  - uses: actions/checkout@v3
+    with:
+      ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+      path: x/y/z/some-path
+  - uses: ./../action/init
+    with:
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+      # it's enough to test one compiled language and one interpreted language
+      languages: csharp,javascript
+      source-path: x/y/z/some-path/tests/multi-language-repo
+      debug: true
+  - name: Build code (non-windows)
+    shell: bash
+    if: ${{ runner.os != 'Windows' }}
+    run: |
+      $CODEQL_RUNNER x/y/z/some-path/tests/multi-language-repo/build.sh
+  - name: Build code (windows)
+    shell: bash
+    if: ${{ runner.os == 'Windows' }}
+    run: |
+      x/y/z/some-path/tests/multi-language-repo/build.sh
+  - uses: ./../action/analyze
+    with:
+      checkout_path: x/y/z/some-path/tests/multi-language-repo
+      ref: v1.1.0
+      sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+      upload: false
+    env:
+      TEST_MODE: true
+
+  - uses: ./../action/upload-sarif
+    with:
+      ref: v1.1.0
+      sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+      checkout_path: x/y/z/some-path/tests/multi-language-repo
+    env:
+      TEST_MODE: true
+
+  - name: Verify SARIF after upload
+    shell: bash
+    run: |
+      EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
+      EXPECTED_REF="v1.1.0"
+      EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
+
+      ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
+      ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
+      ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+
+      if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
+        echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
+        echo "$RUNNER_TEMP/payload.json"
+        exit 1
+      fi
+
+      if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
+        echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
+        echo "$RUNNER_TEMP/payload.json"
+        exit 1
+      fi
+
+      if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
+        echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
+        echo "$RUNNER_TEMP/payload.json"
+        exit 1
+      fi
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -49,7 +49,7 @@ for file in os.listdir('checks'):
    steps = [
        {
            'name': 'Check out repository',
-            'uses': 'actions/checkout@v2'
+            'uses': 'actions/checkout@v3'
        },
        {
            'name': 'Prepare test',
@@ -85,6 +85,7 @@ for file in os.listdir('checks'):
            }
        },
        'name': checkSpecification['name'],
+        'timeout-minutes': 45,
        'runs-on': '${{ matrix.os }}',
        'steps': steps
    }
@@ -107,7 +108,7 @@ for file in os.listdir('checks'):
            },
            'on': {
                'push': {
-                    'branches': ['main', 'v1']
+                    'branches': ['main', 'v1', 'v2']
                },
                'pull_request': {
                    'types': ["opened", "synchronize", "reopened", "ready_for_review"]
--- a/python-setup/install_tools.sh
+++ b/python-setup/install_tools.sh
@@ -28,7 +28,7 @@ python3 -m pip install --user 'virtualenv<20.11'
 python3 -m pip install --user poetry!=1.0.10
 python3 -m pip install --user pipenv

-if command -v python2 &> /dev/null; then
+if command -v python2 >/dev/null 2>&1; then
 	# Setup Python 2 dependency installation tools.
 	# The Ubuntu 20.04 GHA environment does not come with a Python 2 pip
 	curl --location --fail https://bootstrap.pypa.io/pip/2.7/get-pip.py | python2
--- a/runner/package-lock.json
+++ b/runner/package-lock.json
@@ -1,6 +1,6 @@
 {
  "name": "codeql-runner",
-  "version": "1.1.4",
+  "version": "1.1.6",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
--- a/runner/package.json
+++ b/runner/package.json
@@ -1,6 +1,6 @@
 {
  "name": "codeql-runner",
-  "version": "1.1.4",
+  "version": "1.1.6",
  "private": true,
  "description": "CodeQL runner",
  "scripts": {
@@ -14,4 +14,4 @@
    "webpack": "^5.50.0",
    "webpack-cli": "^4.7.2"
  }
-}
+}
--- a/src/actions-util.test.ts
+++ b/src/actions-util.test.ts
@@ -6,7 +6,7 @@ import * as yaml from "js-yaml";
 import * as sinon from "sinon";

 import * as actionsutil from "./actions-util";
-import { setupTests } from "./testing-utils";
+import { setupActionsVars, setupTests } from "./testing-utils";
 import { getMode, initializeEnvironment, Mode, withTmpDir } from "./util";

 function errorCodes(
@@ -24,96 +24,117 @@ test("getRef() throws on the empty string", async (t) => {
 });

 test("getRef() returns merge PR ref if GITHUB_SHA still checked out", async (t) => {
-  const expectedRef = "refs/pull/1/merge";
-  const currentSha = "a".repeat(40);
-  process.env["GITHUB_REF"] = expectedRef;
-  process.env["GITHUB_SHA"] = currentSha;
+  await withTmpDir(async (tmpDir: string) => {
+    setupActionsVars(tmpDir, tmpDir);
+    const expectedRef = "refs/pull/1/merge";
+    const currentSha = "a".repeat(40);
+    process.env["GITHUB_REF"] = expectedRef;
+    process.env["GITHUB_SHA"] = currentSha;

-  const callback = sinon.stub(actionsutil, "getCommitOid");
-  callback.withArgs("HEAD").resolves(currentSha);
+    const callback = sinon.stub(actionsutil, "getCommitOid");
+    callback.withArgs("HEAD").resolves(currentSha);

-  const actualRef = await actionsutil.getRef();
-  t.deepEqual(actualRef, expectedRef);
-  callback.restore();
+    const actualRef = await actionsutil.getRef();
+    t.deepEqual(actualRef, expectedRef);
+    callback.restore();
+  });
 });

 test("getRef() returns merge PR ref if GITHUB_REF still checked out but sha has changed (actions checkout@v1)", async (t) => {
-  const expectedRef = "refs/pull/1/merge";
-  process.env["GITHUB_REF"] = expectedRef;
-  process.env["GITHUB_SHA"] = "b".repeat(40);
-  const sha = "a".repeat(40);
+  await withTmpDir(async (tmpDir: string) => {
+    setupActionsVars(tmpDir, tmpDir);
+    const expectedRef = "refs/pull/1/merge";
+    process.env["GITHUB_REF"] = expectedRef;
+    process.env["GITHUB_SHA"] = "b".repeat(40);
+    const sha = "a".repeat(40);

-  const callback = sinon.stub(actionsutil, "getCommitOid");
-  callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
-  callback.withArgs("HEAD").resolves(sha);
+    const callback = sinon.stub(actionsutil, "getCommitOid");
+    callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
+    callback.withArgs("HEAD").resolves(sha);

-  const actualRef = await actionsutil.getRef();
-  t.deepEqual(actualRef, expectedRef);
-  callback.restore();
+    const actualRef = await actionsutil.getRef();
+    t.deepEqual(actualRef, expectedRef);
+    callback.restore();
+  });
 });

 test("getRef() returns head PR ref if GITHUB_REF no longer checked out", async (t) => {
-  process.env["GITHUB_REF"] = "refs/pull/1/merge";
-  process.env["GITHUB_SHA"] = "a".repeat(40);
+  await withTmpDir(async (tmpDir: string) => {
+    setupActionsVars(tmpDir, tmpDir);
+    process.env["GITHUB_REF"] = "refs/pull/1/merge";
+    process.env["GITHUB_SHA"] = "a".repeat(40);

-  const callback = sinon.stub(actionsutil, "getCommitOid");
-  callback.withArgs("refs/pull/1/merge").resolves("a".repeat(40));
-  callback.withArgs("HEAD").resolves("b".repeat(40));
+    const callback = sinon.stub(actionsutil, "getCommitOid");
+    callback.withArgs(tmpDir, "refs/pull/1/merge").resolves("a".repeat(40));
+    callback.withArgs(tmpDir, "HEAD").resolves("b".repeat(40));

-  const actualRef = await actionsutil.getRef();
-  t.deepEqual(actualRef, "refs/pull/1/head");
-  callback.restore();
+    const actualRef = await actionsutil.getRef();
+    t.deepEqual(actualRef, "refs/pull/1/head");
+    callback.restore();
+  });
 });

 test("getRef() returns ref provided as an input and ignores current HEAD", async (t) => {
-  const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
-  getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
-  getAdditionalInputStub.withArgs("sha").resolves("b".repeat(40));
+  await withTmpDir(async (tmpDir: string) => {
+    setupActionsVars(tmpDir, tmpDir);
+    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+    getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
+    getAdditionalInputStub.withArgs("sha").resolves("b".repeat(40));

-  // These values are be ignored
-  process.env["GITHUB_REF"] = "refs/pull/1/merge";
-  process.env["GITHUB_SHA"] = "a".repeat(40);
+    // These values are be ignored
+    process.env["GITHUB_REF"] = "refs/pull/1/merge";
+    process.env["GITHUB_SHA"] = "a".repeat(40);

-  const callback = sinon.stub(actionsutil, "getCommitOid");
-  callback.withArgs("refs/pull/1/merge").resolves("b".repeat(40));
-  callback.withArgs("HEAD").resolves("b".repeat(40));
+    const callback = sinon.stub(actionsutil, "getCommitOid");
+    callback.withArgs("refs/pull/1/merge").resolves("b".repeat(40));
+    callback.withArgs("HEAD").resolves("b".repeat(40));

-  const actualRef = await actionsutil.getRef();
-  t.deepEqual(actualRef, "refs/pull/2/merge");
-  callback.restore();
-  getAdditionalInputStub.restore();
+    const actualRef = await actionsutil.getRef();
+    t.deepEqual(actualRef, "refs/pull/2/merge");
+    callback.restore();
+    getAdditionalInputStub.restore();
+  });
 });

 test("getRef() throws an error if only `ref` is provided as an input", async (t) => {
-  const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
-  getAdditionalInputStub.withArgs("ref").resolves("refs/pull/1/merge");
+  await withTmpDir(async (tmpDir: string) => {
+    setupActionsVars(tmpDir, tmpDir);
+    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+    getAdditionalInputStub.withArgs("ref").resolves("refs/pull/1/merge");

-  await t.throwsAsync(
-    async () => {
-      await actionsutil.getRef();
-    },
-    {
-      instanceOf: Error,
-      message: "Both 'ref' and 'sha' are required if one of them is provided.",
-    }
-  );
-  getAdditionalInputStub.restore();
+    await t.throwsAsync(
+      async () => {
+        await actionsutil.getRef();
+      },
+      {
+        instanceOf: Error,
+        message:
+          "Both 'ref' and 'sha' are required if one of them is provided.",
+      }
+    );
+    getAdditionalInputStub.restore();
+  });
 });

 test("getRef() throws an error if only `sha` is provided as an input", async (t) => {
-  const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
-  getAdditionalInputStub.withArgs("sha").resolves("a".repeat(40));
+  await withTmpDir(async (tmpDir: string) => {
+    setupActionsVars(tmpDir, tmpDir);
+    process.env["GITHUB_WORKSPACE"] = "/tmp";
+    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+    getAdditionalInputStub.withArgs("sha").resolves("a".repeat(40));

-  await t.throwsAsync(
-    async () => {
-      await actionsutil.getRef();
-    },
-    {
-      instanceOf: Error,
-      message: "Both 'ref' and 'sha' are required if one of them is provided.",
-    }
-  );
-  getAdditionalInputStub.restore();
+    await t.throwsAsync(
+      async () => {
+        await actionsutil.getRef();
+      },
+      {
+        instanceOf: Error,
+        message:
+          "Both 'ref' and 'sha' are required if one of them is provided.",
+      }
+    );
+    getAdditionalInputStub.restore();
+  });
 });

 test("computeAutomationID()", async (t) => {
@@ -709,6 +730,7 @@ test("initializeEnvironment", (t) => {

 test("isAnalyzingDefaultBranch()", async (t) => {
  await withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
    const envFile = path.join(tmpDir, "event.json");
    fs.writeFileSync(
      envFile,
--- a/src/actions-util.ts
+++ b/src/actions-util.ts
@@ -10,12 +10,17 @@ import * as yaml from "js-yaml";
 import * as api from "./api-client";
 import * as sharedEnv from "./shared-environment";
 import {
+  getCachedCodeQlVersion,
  getRequiredEnvParam,
  GITHUB_DOTCOM_URL,
+  isGitHubGhesVersionBelow,
  isHTTPError,
  UserError,
 } from "./util";

+// eslint-disable-next-line import/no-commonjs
+const pkg = require("../package.json");
+
 /**
 * The utils in this module are meant to be run inside of the action only.
 * Code paths from the runner should not enter this module.
@@ -61,7 +66,10 @@ export function getToolCacheDirectory(): string {
 /**
 * Gets the SHA of the commit that is currently checked out.
 */
-export const getCommitOid = async function (ref = "HEAD"): Promise<string> {
+export const getCommitOid = async function (
+  checkoutPath: string,
+  ref = "HEAD"
+): Promise<string> {
  // Try to use git to get the current commit SHA. If that fails then
  // log but otherwise silently fall back to using the SHA from the environment.
  // The only time these two values will differ is during analysis of a PR when
@@ -84,6 +92,7 @@ export const getCommitOid = async function (ref = "HEAD"): Promise<string> {
            process.stderr.write(data);
          },
        },
+        cwd: checkoutPath,
      }
    ).exec();
    return commitOid.trim();
@@ -108,6 +117,7 @@ export const determineMergeBaseCommitOid = async function (): Promise<
  }

  const mergeSha = getRequiredEnvParam("GITHUB_SHA");
+  const checkoutPath = getOptionalInput("checkout_path");

  try {
    let commitOid = "";
@@ -135,6 +145,7 @@ export const determineMergeBaseCommitOid = async function (): Promise<
            process.stderr.write(data);
          },
        },
+        cwd: checkoutPath,
      }
    ).exec();

@@ -413,7 +424,7 @@ async function getWorkflowPath(): Promise<string> {

  const apiClient = api.getActionsApiClient();
  const runsResponse = await apiClient.request(
-    "GET /repos/:owner/:repo/actions/runs/:run_id",
+    "GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true",
    {
      owner,
      repo,
@@ -499,6 +510,10 @@ export async function getRef(): Promise<string> {
  // or in the form "refs/pull/N/merge" on a pull_request event
  const refInput = getOptionalInput("ref");
  const shaInput = getOptionalInput("sha");
+  const checkoutPath =
+    getOptionalInput("checkout_path") ||
+    getOptionalInput("source-root") ||
+    getRequiredEnvParam("GITHUB_WORKSPACE");

  const hasRefInput = !!refInput;
  const hasShaInput = !!shaInput;
@@ -527,17 +542,19 @@ export async function getRef(): Promise<string> {
    return ref;
  }

-  const head = await getCommitOid("HEAD");
+  const head = await getCommitOid(checkoutPath, "HEAD");

-  // in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA
+  // in actions/checkout@v2+ we can check if git rev-parse HEAD == GITHUB_SHA
  // in actions/checkout@v1 this may not be true as it checks out the repository
  // using GITHUB_REF. There is a subtle race condition where
  // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check
  // git git-parse GITHUB_REF == git rev-parse HEAD instead.
  const hasChangedRef =
    sha !== head &&
-    (await getCommitOid(ref.replace(/^refs\/pull\//, "refs/remotes/pull/"))) !==
-      head;
+    (await getCommitOid(
+      checkoutPath,
+      ref.replace(/^refs\/pull\//, "refs/remotes/pull/")
+    )) !== head;

  if (hasChangedRef) {
    const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
@@ -600,9 +617,13 @@ export interface StatusReportBase {
  /** Action runner operating system (context runner.os). */
  runner_os: string;
  /** Action runner hardware architecture (context runner.arch). */
-  runner_arch: string;
+  runner_arch?: string;
  /** Action runner operating system release (x.y.z from os.release()). */
  runner_os_release?: string;
+  /** Action version (x.y.z from package.json). */
+  action_version: string;
+  /** CodeQL CLI version (x.y.z from the CLI). */
+  codeql_version?: string;
 }

 export function getActionsStatus(
@@ -651,7 +672,7 @@ export async function createStatusReportBase(
    );
  }
  const runnerOs = getRequiredEnvParam("RUNNER_OS");
-  const runnerArch = getRequiredEnvParam("RUNNER_ARCH");
+  const codeQlCliVersion = getCachedCodeQlVersion();

  // If running locally then the GITHUB_ACTION_REF cannot be trusted as it may be for the previous action
  // See https://github.com/actions/runner/issues/803
@@ -673,7 +694,7 @@ export async function createStatusReportBase(
    action_started_at: actionStartedAt.toISOString(),
    status,
    runner_os: runnerOs,
-    runner_arch: runnerArch,
+    action_version: pkg.version,
  };

  // Add optional parameters
@@ -695,9 +716,17 @@ export async function createStatusReportBase(
  if (matrix) {
    statusReport.matrix_vars = matrix;
  }
+  if ("RUNNER_ARCH" in process.env) {
+    // RUNNER_ARCH is available only in GHES 3.4 and later
+    // Values other than X86, X64, ARM, or ARM64 are discarded server side
+    statusReport.runner_arch = process.env["RUNNER_ARCH"];
+  }
  if (runnerOs === "Windows" || runnerOs === "macOS") {
    statusReport.runner_os_release = os.release();
  }
+  if (codeQlCliVersion !== undefined) {
+    statusReport.codeql_version = codeQlCliVersion;
+  }

  return statusReport;
 }
@@ -723,6 +752,14 @@ const INCOMPATIBLE_MSG =
 export async function sendStatusReport<S extends StatusReportBase>(
  statusReport: S
 ): Promise<boolean> {
+  const gitHubVersion = await api.getGitHubVersionActionsOnly();
+  if (isGitHubGhesVersionBelow(gitHubVersion, "3.2.0")) {
+    // GHES 3.1 and earlier versions reject unexpected properties, which means
+    // that they will reject status reports with newly added properties.
+    // Inhibiting status reporting for GHES < 3.2 avoids such failures.
+    return true;
+  }
+
  const statusReportJSON = JSON.stringify(statusReport);
  core.debug(`Sending status report: ${statusReportJSON}`);
  // If in test mode we don't want to upload the results
@@ -833,7 +870,7 @@ export async function isAnalyzingDefaultBranch(): Promise<boolean> {
  // Get the current ref and trim and refs/heads/ prefix
  let currentRef = await getRef();
  currentRef = currentRef.startsWith("refs/heads/")
-    ? currentRef.substr("refs/heads/".length)
+    ? currentRef.slice("refs/heads/".length)
    : currentRef;

  const event = getWorkflowEvent();
--- a/src/analysis-paths.test.ts
+++ b/src/analysis-paths.test.ts
@@ -25,6 +25,7 @@ test("emptyPaths", async (t) => {
      debugMode: false,
      debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
      debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
+      injectedMlQueries: false,
    };
    analysisPaths.includeAndExcludeAnalysisPaths(config);
    t.is(process.env["LGTM_INDEX_INCLUDE"], undefined);
@@ -50,6 +51,7 @@ test("nonEmptyPaths", async (t) => {
      debugMode: false,
      debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
      debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
+      injectedMlQueries: false,
    };
    analysisPaths.includeAndExcludeAnalysisPaths(config);
    t.is(process.env["LGTM_INDEX_INCLUDE"], "path1\npath2");
@@ -79,6 +81,7 @@ test("exclude temp dir", async (t) => {
      debugMode: false,
      debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
      debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
+      injectedMlQueries: false,
    };
    analysisPaths.includeAndExcludeAnalysisPaths(config);
    t.is(process.env["LGTM_INDEX_INCLUDE"], undefined);
--- a/src/analyze.test.ts
+++ b/src/analyze.test.ts
@@ -122,6 +122,7 @@ test("status report fields and search path setting", async (t) => {
        debugMode: false,
        debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
        debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
+        injectedMlQueries: false,
      };
      fs.mkdirSync(util.getCodeQLDatabasePath(config, language), {
        recursive: true,
--- a/Show More
+++ b/Show More