Merge pull request #2563 from github/backport-v2.27.0-662472033

Merge releases/v3 into releases/v2

.eslintignore

@@ -1,4 +0,0 @@
-**/webpack.config.js
-lib/**
-src/testdata/**
-tests/**

.eslintrc.json

@@ -1,76 +0,0 @@
-
-{
-    "parser": "@typescript-eslint/parser",
-    "parserOptions": {
-        "project": "./tsconfig.json"
-    },
-    "plugins": ["@typescript-eslint", "filenames", "github", "import", "no-async-foreach"],
-    "extends": [
-        "eslint:recommended",
-        "plugin:@typescript-eslint/recommended",
-        "plugin:@typescript-eslint/recommended-requiring-type-checking",
-        "plugin:github/recommended",
-        "plugin:github/typescript",
-        "plugin:import/typescript"
-    ],
-    "rules": {
-        "filenames/match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
-        "i18n-text/no-en": "off",
-        "import/extensions": ["error", {
-            // Allow importing JSON files
-            "json": {}
-        }],
-        "import/no-amd": "error",
-        "import/no-commonjs": "error",
-        "import/no-dynamic-require": "error",
-        // Disable the rule that checks that devDependencies aren't imported since we use a single
-        // linting configuration file for both source and test code.
-        "import/no-extraneous-dependencies": ["error", {"devDependencies": true}],
-        "import/no-namespace": "off",
-        "import/no-unresolved": "error",
-        "import/no-webpack-loader-syntax": "error",
-        "import/order": ["error", {
-            "alphabetize": {"order": "asc"},
-            "newlines-between": "always"
-        }],
-        "max-len": ["error", {
-            "code": 120,
-            "ignoreUrls": true,
-            "ignoreStrings": true,
-            "ignoreTemplateLiterals": true
-        }],
-        "no-async-foreach/no-async-foreach": "error",
-        "no-console": "off",
-        "no-sequences": "error",
-        "no-shadow": "off",
-        "@typescript-eslint/no-shadow": ["error"],
-        "one-var": ["error", "never"]
-    },
-    "overrides": [{
-        // "temporarily downgraded during transition to eslint
-        "files": "**",
-        "rules": {
-            "@typescript-eslint/ban-types": "off",
-            "@typescript-eslint/explicit-module-boundary-types": "off",
-            "@typescript-eslint/no-explicit-any": "off",
-            "@typescript-eslint/no-unsafe-assignment": "off",
-            "@typescript-eslint/no-unsafe-call": "off",
-            "@typescript-eslint/no-unsafe-member-access": "off",
-            "@typescript-eslint/no-unsafe-return": "off",
-            "@typescript-eslint/no-var-requires": "off",
-            "@typescript-eslint/prefer-regexp-exec": "off",
-            "@typescript-eslint/require-await": "off",
-            "@typescript-eslint/restrict-template-expressions": "off",
-            "func-style": "off",
-            "sort-imports": "off"
-        }
-    }],
-    "settings": {
-        "import/resolver": {
-            "node": {
-                "moduleDirectory": ["node_modules", "src"]
-            },
-            "typescript": {}
-        }
-    }
-}

.git-blame-ignore-revs

@@ -0,0 +1,3 @@
+# .git-blame-ignore-revs
+# Added trailing commas to adhere to new eslint rules
+b16296be30e150034524d6dd0b0418fc6b184267

.github/actions/check-codescanning-config/action.yml

@@ -0,0 +1,71 @@
+name: Check Code-Scanning Config
+description: |
+    Checks the code scanning configuration file generated by the
+    action to ensure it contains the expected contents
+inputs:
+  languages:
+    required: false
+    description: The languages field passed to the init action.
+
+  packs:
+    required: false
+    description: The packs field passed to the init action.
+
+  queries:
+    required: false
+    description: The queries field passed to the init action.
+
+  config-file-test:
+    required: false
+    description: |
+      The location of the config file to use. If empty,
+      then no config file is used.
+
+  expected-config-file-contents:
+    required: true
+    description: |
+      A JSON string containing the exact contents of the config file.
+
+  tools:
+    required: true
+    description: |
+      The version of CodeQL passed to the `tools` input of the init action.
+      This can be any of the following:
+
+      - A local path to a tarball containing the CodeQL tools, or
+      - A URL to a GitHub release assets containing the CodeQL tools, or
+      - A special value `linked` which is forcing the use of the CodeQL tools
+        that the action has been bundled with.
+
+      If not specified, the Action will check in several places until it finds
+      the CodeQL tools.
+
+runs:
+  using: composite
+  steps:
+    - uses: ./../action/init
+      with:
+        languages: ${{ inputs.languages }}
+        config-file: ${{ inputs.config-file-test }}
+        queries: ${{ inputs.queries }}
+        packs: ${{ inputs.packs }}
+        tools: ${{ inputs.tools }}
+        db-location: ${{ runner.temp }}/codescanning-config-cli-test
+      env:
+        CODEQL_ACTION_TEST_MODE: 'true'
+
+    - name: Install dependencies
+      shell: bash
+      run: npm install --location=global ts-node js-yaml
+
+    - name: Check config
+      working-directory: ${{ github.action_path }}
+      shell: bash
+      run: ts-node ./index.ts "${{ runner.temp }}/user-config.yaml" '${{ inputs.expected-config-file-contents }}'
+
+    - name: Clean up
+      shell: bash
+      if: always()
+      run: |
+        rm -rf ${{ runner.temp }}/codescanning-config-cli-test
+        rm -rf ${{ runner.temp }}/user-config.yaml

.github/actions/check-sarif/action.yml

@@ -0,0 +1,20 @@
+name: Check SARIF
+description: Checks a SARIF file to see if certain queries were run and others were not run.
+inputs:
+  sarif-file:
+    required: true
+    description: The SARIF file to check
+
+  queries-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should be included in this SARIF file.
+
+  queries-not-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should NOT be included in this SARIF file.
+
+runs:
+  using: node16
+  main: index.js

.github/actions/prepare-test/action.yml

@@ -0,0 +1,79 @@
+name: "Prepare test"
+description: Performs some preparation to run tests
+inputs:
+  version:
+    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
+    required: true
+  use-all-platform-bundle:
+    description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
+    default: 'false'
+    required: false
+  setup-kotlin:
+    description: "If true, we setup kotlin"
+    default: 'true'
+    required: true
+outputs:
+  tools-url:
+    description: "The value that should be passed as the 'tools' input of the 'init' step."
+    value: ${{ steps.get-url.outputs.tools-url }}
+runs:
+  using: composite
+  steps:
+    - name: Move codeql-action
+      shell: bash
+      run: |
+        mkdir ../action
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
+        mv ../action/.github/workflows .github
+    - id: get-url
+      name: Determine URL
+      shell: bash
+      run: |
+        set -e # Fail this Action if `gh release list` fails.
+
+        if [[ ${{ inputs.version }} == "linked" ]]; then
+          echo "tools-url=linked" >> "$GITHUB_OUTPUT"
+          exit 0
+        elif [[ ${{ inputs.version }} == "default" ]]; then
+          echo "tools-url=" >> "$GITHUB_OUTPUT"
+          exit 0
+        fi
+
+        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
+          extension="tar.zst"
+        else
+          extension="tar.gz"
+        fi
+
+        if [[ ${{ inputs.use-all-platform-bundle }} == "true" ]]; then
+          artifact_name="codeql-bundle.$extension"
+        elif [[ "$RUNNER_OS" == "Linux" ]]; then
+          artifact_name="codeql-bundle-linux64.$extension"
+        elif [[ "$RUNNER_OS" == "macOS" ]]; then
+          artifact_name="codeql-bundle-osx64.$extension"
+        elif [[ "$RUNNER_OS" == "Windows" ]]; then
+          artifact_name="codeql-bundle-win64.$extension"
+        else
+          echo "::error::Unrecognized OS $RUNNER_OS"
+          exit 1
+        fi
+
+        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
+          tag=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
+          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
+          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
+          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
+          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
+          echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
+        else
+          echo "::error::Unrecognized version specified!"
+          exit 1
+        fi
+
+    - uses: fwilhe2/setup-kotlin@9c245a6425255f5e98ba1ce6c15d31fce7eca9da
+      if: ${{ inputs.setup-kotlin == 'true' }}
+      with:
+        version: 1.8.21

.github/actions/query-filter-test/action.yml

@@ -0,0 +1,62 @@
+name: Query Filter Test
+description: Runs a test of query filters using the check SARIF action
+inputs:
+  sarif-file:
+    required: true
+    description: The SARIF file to check
+
+  queries-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should be included in this SARIF file.
+
+  queries-not-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should NOT be included in this SARIF file.
+
+  config-file:
+    required: true
+    description: |
+      The location of the codeql configuration file to use.
+
+  tools:
+    required: true
+    description: |
+      The version of CodeQL passed to the `tools` input of the init action.
+      This can be any of the following:
+
+      - A local path to a tarball containing the CodeQL tools, or
+      - A URL to a GitHub release assets containing the CodeQL tools, or
+      - A special value `linked` which is forcing the use of the CodeQL tools
+        that the action has been bundled with.
+
+      If not specified, the Action will check in several places until it finds
+      the CodeQL tools.
+
+runs:
+  using: composite
+  steps:
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        config-file: ${{ inputs.config-file }}
+        tools: ${{ inputs.tools }}
+        db-location: ${{ runner.temp }}/query-filter-test
+      env:
+        CODEQL_ACTION_TEST_MODE: "true"
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload: never
+      env:
+        CODEQL_ACTION_TEST_MODE: "true"
+    - name: Check SARIF
+      uses: ./../action/.github/actions/check-sarif
+      with:
+        sarif-file:  ${{ inputs.sarif-file }}
+        queries-run: ${{ inputs.queries-run}}
+        queries-not-run: ${{ inputs.queries-not-run}}
+    - name: Cleanup after test
+      shell: bash
+      run: rm -rf "$RUNNER_TEMP/results" "$RUNNER_TEMP/query-filter-test"

.github/actions/release-branches/action.yml

@@ -0,0 +1,25 @@
+name: 'Release branches'
+description: 'Determine branches for release & backport'
+inputs:
+  major_version:
+    description: 'The version as extracted from the package.json file'
+    required: true
+  latest_tag:
+    description: 'The most recent tag published to the repository'
+    required: true
+outputs:
+  backport_source_branch:
+    description: "The release branch for the given tag"
+    value: ${{ steps.branches.outputs.backport_source_branch }}
+  backport_target_branches:
+    description: "JSON encoded list of branches to target with backports"
+    value: ${{ steps.branches.outputs.backport_target_branches }}
+runs:
+  using: "composite"
+  steps:
+    - id: branches
+      run: |
+        python ${{ github.action_path }}/release-branches.py \
+            --major-version ${{ inputs.major_version }} \
+            --latest-tag ${{ inputs.latest_tag }}
+      shell: bash

.github/actions/release-branches/release-branches.py

@@ -0,0 +1,55 @@
+import argparse
+import json
+import os
+import configparser
+
+# Name of the remote
+ORIGIN = 'origin'
+
+script_dir = os.path.dirname(os.path.realpath(__file__))
+grandparent_dir = os.path.dirname(os.path.dirname(script_dir))
+
+config = configparser.ConfigParser()
+with open(os.path.join(grandparent_dir, 'releases.ini')) as stream:
+    config.read_string('[default]\n' + stream.read())
+
+OLDEST_SUPPORTED_MAJOR_VERSION = int(config['default']['OLDEST_SUPPORTED_MAJOR_VERSION'])
+
+def main():
+
+  parser = argparse.ArgumentParser()
+  parser.add_argument("--major-version", required=True, type=str, help="The major version of the release")
+  parser.add_argument("--latest-tag", required=True, type=str, help="The most recent tag published to the repository")
+  args = parser.parse_args()
+
+  major_version = args.major_version
+  latest_tag = args.latest_tag
+
+  print("major_version: " + major_version)
+  print("latest_tag: " + latest_tag)
+
+  # If this is a primary release, we backport to all supported branches,
+  # so we check whether the major_version taken from the package.json
+  # is greater than or equal to the latest tag pulled from the repo.
+  # For example...
+  #     'v1' >= 'v2' is False # we're operating from an older release branch and should not backport
+  #     'v2' >= 'v2' is True  # the normal case where we're updating the current version
+  #     'v3' >= 'v2' is True  # in this case we are making the first release of a new major version
+  consider_backports = ( major_version >= latest_tag.split(".")[0] )
+
+  with open(os.environ["GITHUB_OUTPUT"], "a") as f:
+
+    f.write(f"backport_source_branch=releases/{major_version}\n")
+
+    backport_target_branches = []
+
+    if consider_backports:
+      for i in range(int(major_version.strip("v"))-1, 0, -1):
+        branch_name = f"releases/v{i}"
+        if i >= OLDEST_SUPPORTED_MAJOR_VERSION:
+          backport_target_branches.append(branch_name)
+
+    f.write("backport_target_branches="+json.dumps(backport_target_branches)+"\n")
+
+if __name__ == "__main__":
+  main()

.github/actions/release-initialise/action.yml

@@ -0,0 +1,33 @@
+name: 'Prepare release job'
+description: 'Prepare for updating a release branch'
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: Dump environment
+      run: env
+      shell: bash
+
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: '${{ toJson(github) }}'
+      run: echo "$GITHUB_CONTEXT"
+      shell: bash
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: 3.12
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install PyGithub==2.3.0 requests
+      shell: bash
+
+    - name: Update git config
+      run: |
+        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+        git config --global user.name "github-actions[bot]"
+      shell: bash

.github/actions/setup-swift/action.yml

@@ -0,0 +1,39 @@
+name: "Set up Swift on Linux"
+description: Sets up an appropriate Swift version on Linux.
+inputs:
+  codeql-path:
+    description: Path to the CodeQL CLI executable.
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Get Swift version
+      id: get_swift_version
+      if: runner.os == 'Linux'
+      shell: bash
+      env:
+        CODEQL_PATH: ${{ inputs.codeql-path }}
+      run: |
+        SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
+        if [ $SWIFT_EXTRACTOR_DIR = "null" ]; then
+          VERSION="null"
+        else
+          VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/linux64/extractor" --version | awk '/version/ { print $3 }')"
+          # Specify 5.x.0, otherwise setup Action will default to latest minor version.
+          if [ $VERSION = "5.7" ]; then
+            VERSION="5.7.0"
+          elif [ $VERSION = "5.8" ]; then
+            VERSION="5.8.0"
+          elif [ $VERSION = "5.9" ]; then
+            VERSION="5.9.0"
+          # setup-swift does not yet support v5.9.1 Remove this when it does.
+          elif [ $VERSION = "5.9.1" ]; then
+            VERSION="5.9.0"
+          fi
+        fi
+        echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
+
+    - uses: redsun82/setup-swift@362f49f31da2f5f4f851657046bdd1290d03edc8 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
+      if: runner.os == 'Linux' && steps.get_swift_version.outputs.version != 'null'
+      with:
+        swift-version: "${{ steps.get_swift_version.outputs.version }}"

.github/actions/update-bundle/action.yml

@@ -0,0 +1,14 @@
+name: Update default CodeQL bundle
+description: Updates 'src/defaults.json' to point to a new CodeQL bundle release.
+
+runs:
+  using: composite
+  steps:
+    - name: Install ts-node
+      shell: bash
+      run: npm install -g ts-node
+
+    - name: Run update script
+      working-directory: ${{ github.action_path }}
+      shell: bash
+      run: ts-node ./index.ts

.github/actions/update-bundle/index.ts

@@ -0,0 +1,67 @@
+import * as fs from 'fs';
+import * as github from '@actions/github';
+
+interface BundleInfo {
+  bundleVersion: string;
+  cliVersion: string;
+}
+
+interface Defaults {
+  bundleVersion: string;
+  cliVersion: string;
+  priorBundleVersion: string;
+  priorCliVersion: string;
+}
+
+function getCodeQLCliVersionForRelease(release): string {
+  // We do not currently tag CodeQL bundles based on the CLI version they contain.
+  // Instead, we use a marker file `cli-version-<version>.txt` to record the CLI version.
+  // This marker file is uploaded as a release asset for all new CodeQL bundles.
+  const cliVersionsFromMarkerFiles = release.assets
+    .map((asset) => asset.name.match(/cli-version-(.*)\.txt/)?.[1])
+    .filter((v) => v)
+    .map((v) => v as string);
+  if (cliVersionsFromMarkerFiles.length > 1) {
+    throw new Error(
+      `Release ${release.tag_name} has multiple CLI version marker files.`
+    );
+  } else if (cliVersionsFromMarkerFiles.length === 0) {
+    throw new Error(
+      `Failed to find the CodeQL CLI version for release ${release.tag_name}.`
+    );
+  }
+  return cliVersionsFromMarkerFiles[0];
+}
+
+async function getBundleInfoFromRelease(release): Promise<BundleInfo> {
+  return {
+    bundleVersion: release.tag_name,
+    cliVersion: getCodeQLCliVersionForRelease(release)
+  };
+}
+
+async function getNewDefaults(currentDefaults: Defaults): Promise<Defaults> {
+  const release = github.context.payload.release;
+  console.log('Updating default bundle as a result of the following release: ' +
+    `${JSON.stringify(release)}.`)
+
+  const bundleInfo = await getBundleInfoFromRelease(release);
+  return {
+    bundleVersion: bundleInfo.bundleVersion,
+    cliVersion: bundleInfo.cliVersion,
+    priorBundleVersion: currentDefaults.bundleVersion,
+    priorCliVersion: currentDefaults.cliVersion
+  };
+}
+
+async function main() {
+  const previousDefaults: Defaults = JSON.parse(fs.readFileSync('../../../src/defaults.json', 'utf8'));
+  const newDefaults = await getNewDefaults(previousDefaults);
+  // Update the source file in the repository. Calling workflows should subsequently rebuild
+  // the Action to update `lib/defaults.json`.
+  fs.writeFileSync('../../../src/defaults.json', JSON.stringify(newDefaults, null, 2) + "\n");
+}
+
+// Ideally, we'd await main() here, but that doesn't work well with `ts-node`.
+// So instead we rely on the fact that Node won't exit until the event loop is empty.
+main();

.github/check-codescanning-config/action.yml

@@ -1,62 +0,0 @@
-name: Check Code-Scanning Config
-description: |
-    Checks the code scanning configuration file generated by the
-    action to ensure it contains the expected contents
-inputs:
-  languages:
-    required: false
-    description: The languages field passed to the init action.
-
-  packs:
-    required: false
-    description: The packs field passed to the init action.
-
-  queries:
-    required: false
-    description: The queries field passed to the init action.
-
-  config-file-test:
-    required: false
-    description: |
-      The location of the config file to use. If empty,
-      then no config file is used.
-
-  expected-config-file-contents:
-    required: true
-    description: |
-      A JSON string containing the exact contents of the config file.
-
-  tools:
-    required: true
-    description: |
-      The url of codeql to use.
-
-runs:
-  using: composite
-  steps:
-    - uses: ./../action/init
-      with:
-        languages: ${{ inputs.languages }}
-        config-file: ${{ inputs.config-file-test }}
-        queries: ${{ inputs.queries }}
-        packs: ${{ inputs.packs }}
-        tools: ${{ inputs.tools }}
-        db-location: ${{ runner.temp }}/codescanning-config-cli-test
-      env:
-        CODEQL_ACTION_TEST_MODE: 'true'
-
-    - name: Install dependencies
-      shell: bash
-      run: npm install --location=global ts-node js-yaml
-
-    - name: Check config
-      working-directory: ${{ github.action_path }}
-      shell: bash
-      run: ts-node ./index.ts "${{ runner.temp }}/user-config.yaml" '${{ inputs.expected-config-file-contents }}'
-
-    - name: Clean up
-      shell: bash
-      if: always()
-      run: |
-        rm -rf ${{ runner.temp }}/codescanning-config-cli-test
-        rm -rf ${{ runner.temp }}/user-config.yaml

.github/check-sarif/action.yml

@@ -1,20 +0,0 @@
-name: Check SARIF
-description: Checks a SARIF file to see if certain queries were run and others were not run.
-inputs:
-  sarif-file:
-    required: true
-    description: The SARIF file to check
-
-  queries-run:
-    required: true
-    description: |
-      Comma separated list of query ids that should be included in this SARIF file.
-
-  queries-not-run:
-    required: true
-    description: |
-      Comma separated list of query ids that should NOT be included in this SARIF file.
-
-runs:
-  using: node12
-  main: index.js

.github/dependabot.yml

@@ -2,20 +2,45 @@ version: 2
 updates:
   - package-ecosystem: npm
     directory: "/"
+    reviewers:
+      - "github/codeql-production-shield"
     schedule:
       interval: weekly
     labels:
       - Update dependencies
+    # Ignore incompatible dependency updates
     ignore:
-      - dependency-name: "*"
-        update-types:
-          - version-update:semver-minor
-          - version-update:semver-patch
+      # There is a type incompatibility issue between v0.0.9 and our other dependencies.
+      - dependency-name: "@octokit/plugin-retry"
+        versions: ["~6.0.0"]
+      # v7 requires ESM
+      - dependency-name: "del"
+        versions: ["^7.0.0"]
+      # This is broken due to the way configuration files have changed. 
+      # This might be fixed when we move to eslint v9.
+      - dependency-name: "eslint-plugin-import"
+        versions: [">=2.30.0"]
+    groups:
+      npm:
+        patterns:
+          - "*"
   - package-ecosystem: github-actions
     directory: "/"
+    reviewers:
+      - "github/codeql-production-shield"
     schedule:
       interval: weekly
+    groups:
+      actions:
+        patterns:
+          - "*"
   - package-ecosystem: github-actions
-    directory: "/.github/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
+    directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
+    reviewers:
+      - "github/codeql-production-shield"
     schedule:
       interval: weekly
+    groups:
+      actions-setup-swift:
+        patterns:
+          - "*"

.github/prepare-test/action.yml

@@ -1,42 +0,0 @@
-name: "Prepare test"
-description: Performs some preparation to run tests
-inputs:
-  version:
-    description: "The version of the CodeQL CLI to use. Can be 'latest', 'cached', 'nightly-latest', 'nightly-YYYY-MM-DD', or 'stable-YYYY-MM-DD'."
-    required: true
-outputs:
-  tools-url:
-    description: "The value that should be passed as the 'tools' input of the 'init' step."
-    value: ${{ steps.get-url.outputs.tools-url }}
-runs:
-  using: composite
-  steps:
-    - name: Move codeql-action
-      shell: bash
-      run: |
-        mkdir ../action
-        mv * .github ../action/
-        mv ../action/tests/multi-language-repo/{*,.github} .
-        mv ../action/.github/workflows .github
-    - id: get-url
-      name: Determine URL
-      shell: bash
-      run: |
-        set -e # Fail this Action if `gh release list` fails.
-        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
-          export LATEST=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
-          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$LATEST/codeql-bundle.tar.gz" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
-          export VERSION=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
-          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$VERSION-manual/codeql-bundle.tar.gz" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
-          export VERSION=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
-          echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$VERSION/codeql-bundle.tar.gz" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == "latest" ]]; then
-          echo "tools-url=latest" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == "cached" ]]; then
-          echo "tools-url=" >> $GITHUB_OUTPUT
-        else
-          echo "::error::Unrecognized version specified!"
-          exit 1
-        fi

.github/query-filter-test/action.yml

@@ -1,54 +0,0 @@
-name: Query Filter Test
-description: Runs a test of query filters using the check SARIF action
-inputs:
-  sarif-file:
-    required: true
-    description: The SARIF file to check
-
-  queries-run:
-    required: true
-    description: |
-      Comma separated list of query ids that should be included in this SARIF file.
-
-  queries-not-run:
-    required: true
-    description: |
-      Comma separated list of query ids that should NOT be included in this SARIF file.
-
-  config-file:
-    required: true
-    description: |
-      The location of the codeql configuration file to use.
-
-  tools:
-    required: true
-    description: |
-      The url of codeql to use.
-
-runs:
-  using: composite
-  steps:
-    - uses: ./../action/init
-      with:
-        languages: javascript
-        config-file: ${{ inputs.config-file }}
-        tools: ${{ inputs.tools }}
-        db-location: ${{ runner.temp }}/query-filter-test
-      env:
-        CODEQL_ACTION_TEST_MODE: "true"
-    - uses: ./../action/analyze
-      with:
-        output: ${{ runner.temp }}/results
-        upload-database: false
-        upload: false
-      env:
-        CODEQL_ACTION_TEST_MODE: "true"
-    - name: Check SARIF
-      uses: ./../action/.github/check-sarif
-      with:
-        sarif-file:  ${{ inputs.sarif-file }}
-        queries-run: ${{ inputs.queries-run}}
-        queries-not-run: ${{ inputs.queries-not-run}}
-    - name: Cleanup after test
-      shell: bash
-      run: rm -rf "$RUNNER_TEMP/results" "$RUNNER_TEMP/query-filter-test"

.github/releases.ini

@@ -0,0 +1 @@
+OLDEST_SUPPORTED_MAJOR_VERSION=2

.github/setup-swift/action.yml

@@ -1,32 +0,0 @@
-name: "Set up Swift"
-description: Performs necessary steps to set up appropriate Swift version.
-inputs:
-  codeql-path:
-    required: true
-runs:
-  using: "composite"
-  steps:
-    - name: Get Swift version
-      id: get_swift_version
-      # We don't support Swift on Windows or prior versions of CLI.
-      if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
-      shell: bash
-      env: 
-        CODEQL_PATH: ${{inputs.codeql-path}}
-      run: |
-        if [ $RUNNER_OS = "macOS" ]; then
-          PLATFORM="osx64"
-        else # We do not run this step on Windows.
-          PLATFORM="linux64"
-        fi 
-        SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
-        VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/$PLATFORM/extractor" --version | awk '/version/ { print $3 }')"
-        # Specify 5.7.0, otherwise setup Action will default to latest minor version. 
-        if [ $VERSION = "5.7" ]; then
-          VERSION="5.7.0"
-        fi
-        echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
-    - uses: swift-actions/setup-swift@da0e3e04b5e3e15dbc3861bd835ad9f0afe56296 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
-      if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
-      with:
-        swift-version: "${{steps.get_swift_version.outputs.version}}"

.github/update-release-branch.py

@@ -1,5 +1,7 @@
 import argparse
 import datetime
+import fileinput
+import re
 from github import Github
 import json
 import os
@@ -13,8 +15,9 @@ No user facing changes.
 
 """
 
-SOURCE_BRANCH = 'main'
-TARGET_BRANCH = 'releases/v2'
+# NB: This exact commit message is used to find commits for reverting during backports.
+# Changing it requires a transition period where both old and new versions are supported.
+BACKPORT_COMMIT_MESSAGE = 'Update version and changelog for v'
 
 # Name of the remote
 ORIGIN = 'origin'
@@ -34,7 +37,9 @@ def branch_exists_on_remote(branch_name):
   return run_git('ls-remote', '--heads', ORIGIN, branch_name).strip() != ''
 
 # Opens a PR from the given branch to the target branch
-def open_pr(repo, all_commits, source_branch_short_sha, new_branch_name, conductor):
+def open_pr(
+  repo, all_commits, source_branch_short_sha, new_branch_name, source_branch, target_branch,
+  conductor, is_primary_release, conflicted_files):
   # Sort the commits into the pull requests that introduced them,
   # and any commits that don't have a pull request
   pull_requests = []
@@ -56,7 +61,7 @@ def open_pr(repo, all_commits, source_branch_short_sha, new_branch_name, conduct
 
   # Start constructing the body text
   body = []
-  body.append(f'Merging {source_branch_short_sha} into {TARGET_BRANCH}.')
+  body.append(f'Merging {source_branch_short_sha} into `{target_branch}`.')
 
   body.append('')
   body.append(f'Conductor for this PR is @{conductor}.')
@@ -79,20 +84,38 @@ def open_pr(repo, all_commits, source_branch_short_sha, new_branch_name, conduct
 
   body.append('')
   body.append('Please do the following:')
+  if len(conflicted_files) > 0:
+    body.append(' - [ ] Ensure `package.json` file contains the correct version.')
+    body.append(' - [ ] Add commits to this branch to resolve the merge conflicts ' +
+      'in the following files:')
+    body.extend([f'    - [ ] `{file}`' for file in conflicted_files])
+    body.append(' - [ ] Ensure another maintainer has reviewed the additional commits you added to this ' +
+      'branch to resolve the merge conflicts.')
   body.append(' - [ ] Ensure the CHANGELOG displays the correct version and date.')
   body.append(' - [ ] Ensure the CHANGELOG includes all relevant, user-facing changes since the last release.')
-  body.append(f' - [ ] Check that there are not any unexpected commits being merged into the {TARGET_BRANCH} branch.')
+  body.append(f' - [ ] Check that there are not any unexpected commits being merged into the `{target_branch}` branch.')
   body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.')
-  body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')
-  body.append(' - [ ] Merge the mergeback PR that will automatically be created once this PR is merged.')
 
-  title = f'Merge {SOURCE_BRANCH} into {TARGET_BRANCH}'
+  if not is_primary_release:
+    body.append(' - [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.')
+    body.append(' - [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.')
+
+  body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
+  body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')
+
+  if is_primary_release:
+    body.append(' - [ ] Merge the mergeback PR that will automatically be created once this PR is merged.')
+    body.append(' - [ ] Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.')
+
+  title = f'Merge {source_branch} into {target_branch}'
+  labels = ['Update dependencies'] if not is_primary_release else []
 
   # Create the pull request
   # PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
   # a maintainer can take the PR out of draft, thereby triggering the PR checks.
-  pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=TARGET_BRANCH, draft=True)
-  print(f'Created PR #{pr.number}')
+  pr = repo.create_pull(title=title, body='\n'.join(body), head=new_branch_name, base=target_branch, draft=True)
+  pr.add_to_labels(*labels)
+  print(f'Created PR #{str(pr.number)}')
 
   # Assign the conductor
   pr.add_to_assignees(conductor)
@@ -102,10 +125,10 @@ def open_pr(repo, all_commits, source_branch_short_sha, new_branch_name, conduct
 # since the last release to the target branch.
 # This will not include any commits that exist on the target branch
 # that aren't on the source branch.
-def get_commit_difference(repo):
+def get_commit_difference(repo, source_branch, target_branch):
   # Passing split nothing means that the empty string splits to nothing: compare `''.split() == []`
   # to `''.split('\n') == ['']`.
-  commits = run_git('log', '--pretty=format:%H', f'{ORIGIN}/{TARGET_BRANCH}..{ORIGIN}/{SOURCE_BRANCH}').strip().split()
+  commits = run_git('log', '--pretty=format:%H', f'{ORIGIN}/{target_branch}..{ORIGIN}/{source_branch}').strip().split()
 
   # Convert to full-fledged commit objects
   commits = [repo.get_commit(c) for c in commits]
@@ -149,10 +172,78 @@ def get_current_version():
   with open('package.json', 'r') as f:
     return json.load(f)['version']
 
+# `npm version` doesn't always work because of merge conflicts, so we
+# replace the version in package.json textually.
+def replace_version_package_json(prev_version, new_version):
+  prev_line_is_codeql = False
+  for line in fileinput.input('package.json', inplace = True, encoding='utf-8'):
+    if prev_line_is_codeql and f'\"version\": \"{prev_version}\"' in line:
+      print(line.replace(prev_version, new_version), end='')
+    else:
+      prev_line_is_codeql = False
+      print(line, end='') 
+    if '\"name\": \"codeql\",' in line:
+        prev_line_is_codeql = True 
+
 def get_today_string():
   today = datetime.datetime.today()
   return '{:%d %b %Y}'.format(today)
 
+def process_changelog_for_backports(source_branch_major_version, target_branch_major_version):
+
+  # changelog entries can use the following format to indicate
+  # that they only apply to newer versions
+  some_versions_only_regex = re.compile(r'\[v(\d+)\+ only\]')
+
+  output = ''
+
+  with open('CHANGELOG.md', 'r') as f:
+
+    # until we find the first section, just duplicate all lines
+    found_first_section = False
+    while not found_first_section:
+      line = f.readline()
+      if not line:
+        raise Exception('Could not find any change sections in CHANGELOG.md') # EOF
+
+      if line.startswith('## '):
+        line = line.replace(f'## {source_branch_major_version}', f'## {target_branch_major_version}')
+        found_first_section = True
+
+      output += line
+
+    # found_content tracks whether we hit two headings in a row
+    found_content = False
+    output += '\n'
+    while True:
+      line = f.readline()
+      if not line:
+        break # EOF
+      line = line.rstrip('\n')
+
+      # filter out changenote entries that apply only to newer versions
+      match = some_versions_only_regex.search(line)
+      if match:
+        if int(target_branch_major_version) < int(match.group(1)):
+          continue
+
+      if line.startswith('## '):
+        line = line.replace(f'## {source_branch_major_version}', f'## {target_branch_major_version}')
+        if found_content == False:
+          # we have found two headings in a row, so we need to add the placeholder message.
+          output += 'No user facing changes.\n'
+        found_content = False
+        output += f'\n{line}\n\n'
+      else:
+        if line.strip() != '':
+          found_content = True
+          # we use the original line here, rather than the stripped version
+          # so that we preserve indentation
+          output += line + '\n'
+
+    with open('CHANGELOG.md', 'w') as f:
+      f.write(output)
+
 def update_changelog(version):
   if (os.path.exists('CHANGELOG.md')):
     content = ''
@@ -182,6 +273,24 @@ def main():
     required=True,
     help='The nwo of the repository, for example github/codeql-action.'
   )
+  parser.add_argument(
+    '--source-branch',
+    type=str,
+    required=True,
+    help='Source branch for release branch update.'
+  )
+  parser.add_argument(
+    '--target-branch',
+    type=str,
+    required=True,
+    help='Target branch for release branch update.'
+  )
+  parser.add_argument(
+    '--is-primary-release',
+    action='store_true',
+    default=False,
+    help='Whether this update is the primary release for the current major version.'
+  )
   parser.add_argument(
     '--conductor',
     type=str,
@@ -191,24 +300,38 @@ def main():
 
   args = parser.parse_args()
 
+  source_branch = args.source_branch
+  target_branch = args.target_branch
+  is_primary_release = args.is_primary_release
+
   repo = Github(args.github_token).get_repo(args.repository_nwo)
-  version = get_current_version()
+
+  # the target branch will be of the form releases/vN, where N is the major version number
+  target_branch_major_version = target_branch.strip('releases/v')
+
+  # split version into major, minor, patch
+  _, v_minor, v_patch = get_current_version().split('.')
+
+  version = f"{target_branch_major_version}.{v_minor}.{v_patch}"
 
   # Print what we intend to go
-  print(f'Considering difference between {SOURCE_BRANCH} and {TARGET_BRANCH}...')
-  source_branch_short_sha = run_git('rev-parse', '--short', f'{ORIGIN}/{SOURCE_BRANCH}').strip()
-  print(f'Current head of {SOURCE_BRANCH} is {source_branch_short_sha}.')
+  print(f'Considering difference between {source_branch} and {target_branch}...')
+  source_branch_short_sha = run_git('rev-parse', '--short', f'{ORIGIN}/{source_branch}').strip()
+  print(f'Current head of {source_branch} is {source_branch_short_sha}.')
 
   # See if there are any commits to merge in
-  commits = get_commit_difference(repo=repo)
+  commits = get_commit_difference(repo=repo, source_branch=source_branch, target_branch=target_branch)
   if len(commits) == 0:
-    print(f'No commits to merge from {SOURCE_BRANCH} to {TARGET_BRANCH}.')
+    print(f'No commits to merge from {source_branch} to {target_branch}.')
     return
 
+  # define distinct prefix in order to support specific pr checks on backports
+  branch_prefix = 'update' if is_primary_release else 'backport'
+
   # The branch name is based off of the name of branch being merged into
   # and the SHA of the branch being merged from. Thus if the branch already
   # exists we can assume we don't need to recreate it.
-  new_branch_name = f'update-v{version}-{source_branch_short_sha}'
+  new_branch_name = f'{branch_prefix}-v{version}-{source_branch_short_sha}'
   print(f'Branch name is {new_branch_name}.')
 
   # Check if the branch already exists. If so we can abort as this script
@@ -220,17 +343,74 @@ def main():
   # Create the new branch and push it to the remote
   print(f'Creating branch {new_branch_name}.')
 
-  # If we're performing a standard release, there won't be any new commits on the target branch,
-  # as these will have already been merged back into the source branch. Therefore we can just
-  # start from the source branch.
-  run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{SOURCE_BRANCH}')
+  # The process of creating the v{Older} release can run into merge conflicts. We commit the unresolved
+  # conflicts so a maintainer can easily resolve them (vs erroring and requiring maintainers to
+  # reconstruct the release manually)
+  conflicted_files = []
 
-  print('Updating changelog')
-  update_changelog(version)
+  if not is_primary_release:
 
-  # Create a commit that updates the CHANGELOG
-  run_git('add', 'CHANGELOG.md')
-  run_git('commit', '-m', f'Update changelog for v{version}')
+    # the source branch will be of the form releases/vN, where N is the major version number
+    source_branch_major_version = source_branch.strip('releases/v')
+
+    # If we're performing a backport, start from the target branch
+    print(f'Creating {new_branch_name} from the {ORIGIN}/{target_branch} branch')
+    run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{target_branch}')
+
+    # Revert the commit that we made as part of the last release that updated the version number and
+    # changelog to refer to {older}.x.x variants. This avoids merge conflicts in the changelog and
+    # package.json files when we merge in the v{latest} branch.
+    # This commit will not exist the first time we release the v{N-1} branch from the v{N} branch, so we
+    # use `git log --grep` to conditionally revert the commit.
+    print('Reverting the version number and changelog updates from the last release to avoid conflicts')
+    vOlder_update_commits = run_git('log', '--grep', f'^{BACKPORT_COMMIT_MESSAGE}', '--format=%H').split()
+
+    if len(vOlder_update_commits) > 0:
+      print(f'  Reverting {vOlder_update_commits[0]}')
+      # Only revert the newest commit as older ones will already have been reverted in previous
+      # releases.
+      run_git('revert', vOlder_update_commits[0], '--no-edit')
+
+      # Also revert the "Update checked-in dependencies" commit created by Actions.
+      update_dependencies_commit = run_git('log', '--grep', '^Update checked-in dependencies', '--format=%H').split()[0]
+      print(f'  Reverting {update_dependencies_commit}')
+      run_git('revert', update_dependencies_commit, '--no-edit')
+
+    else:
+      print('  Nothing to revert.')
+
+    print(f'Merging {ORIGIN}/{source_branch} into the release prep branch')
+    # Commit any conflicts (see the comment for `conflicted_files`)
+    run_git('merge', f'{ORIGIN}/{source_branch}', allow_non_zero_exit_code=True)
+    conflicted_files = run_git('diff', '--name-only', '--diff-filter', 'U').splitlines()
+    if len(conflicted_files) > 0:
+      run_git('add', '.')
+      run_git('commit', '--no-edit')
+
+    # Migrate the package version number from a vLatest version number to a vOlder version number
+    print(f'Setting version number to {version} in package.json')
+    replace_version_package_json(get_current_version(), version) # We rely on the `Update dependencies` workflow to update package-lock.json
+    run_git('add', 'package.json')
+
+    # Migrate the changelog notes from vLatest version numbers to vOlder version numbers
+    print(f'Migrating changelog notes from v{source_branch_major_version} to v{target_branch_major_version}')
+    process_changelog_for_backports(source_branch_major_version, target_branch_major_version)
+
+    # Amend the commit generated by `npm version` to update the CHANGELOG
+    run_git('add', 'CHANGELOG.md')
+    run_git('commit', '-m', f'{BACKPORT_COMMIT_MESSAGE}{version}')
+  else:
+    # If we're performing a standard release, there won't be any new commits on the target branch,
+    # as these will have already been merged back into the source branch. Therefore we can just
+    # start from the source branch.
+    run_git('checkout', '-b', new_branch_name, f'{ORIGIN}/{source_branch}')
+
+    print('Updating changelog')
+    update_changelog(version)
+
+    # Create a commit that updates the CHANGELOG
+    run_git('add', 'CHANGELOG.md')
+    run_git('commit', '-m', f'Update changelog for v{version}')
 
   run_git('push', ORIGIN, new_branch_name)
 
@@ -240,7 +420,11 @@ def main():
     commits,
     source_branch_short_sha,
     new_branch_name,
+    source_branch=source_branch,
+    target_branch=target_branch,
     conductor=args.conductor,
+    is_primary_release=is_primary_release,
+    conflicted_files=conflicted_files
   )
 
 if __name__ == '__main__':

.github/workflows/__all-platform-bundle.yml

@@ -0,0 +1,64 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - All-platform bundle
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  all-platform-bundle:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: All-platform bundle
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'true'
+          setup-kotlin: 'true'
+      - id: init
+        uses: ./../action/init
+        with:
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          languages: cpp,csharp,go,java,javascript,python,ruby
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__analyze-ref-input.yml

@@ -1,94 +1,71 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   analyze-ref-input:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-20.04
-          version: stable-20211005
-        - os: macos-latest
-          version: stable-20211005
-        - os: windows-2019
-          version: stable-20211005
-        - os: ubuntu-20.04
-          version: stable-20220120
-        - os: macos-latest
-          version: stable-20220120
-        - os: windows-2019
-          version: stable-20220120
-        - os: ubuntu-latest
-          version: stable-20220401
-        - os: macos-latest
-          version: stable-20220401
-        - os: windows-latest
-          version: stable-20220401
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: windows-latest
-          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: windows-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
-        - os: windows-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
     name: "Analyze: 'ref' and 'sha' from inputs"
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Set up Go
-      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
-      with:
-        go-version: ^1.13.1
-    - uses: ./../action/init
-      with:
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-        languages: cpp,csharp,java,javascript,python
-        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-          github.sha }}
-    - name: Build code
-      shell: bash
-      run: ./build.sh
-    - uses: ./../action/analyze
-      with:
-        ref: refs/heads/main
-        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          languages: cpp,csharp,java,javascript,python
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__autobuild-action.yml

@@ -1,68 +1,80 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - autobuild-action
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   autobuild-action:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: windows-latest
-          version: latest
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
     name: autobuild-action
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      with:
-        languages: csharp
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - uses: ./../action/autobuild
-      env:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: csharp
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/autobuild
+        env:
       # Explicitly disable the CLR tracer.
-        COR_ENABLE_PROFILING: ''
-        COR_PROFILER: ''
-        COR_PROFILER_PATH_64: ''
-        CORECLR_ENABLE_PROFILING: ''
-        CORECLR_PROFILER: ''
-        CORECLR_PROFILER_PATH_64: ''
-    - uses: ./../action/analyze
-    - name: Check database
-      shell: bash
-      run: |
-        cd "$RUNNER_TEMP/codeql_databases"
-        if [[ ! -d csharp ]]; then
-          echo "Did not find a C# database"
-          exit 1
-        fi
+          COR_ENABLE_PROFILING: ''
+          COR_PROFILER: ''
+          COR_PROFILER_PATH_64: ''
+          CORECLR_ENABLE_PROFILING: ''
+          CORECLR_PROFILER: ''
+          CORECLR_PROFILER_PATH_64: ''
+      - uses: ./../action/analyze
+      - name: Check database
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/codeql_databases"
+          if [[ ! -d csharp ]]; then
+            echo "Did not find a C# database"
+            exit 1
+          fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -0,0 +1,85 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Autobuild direct tracing (custom working directory)
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  autobuild-direct-tracing-with-working-dir:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
+    name: Autobuild direct tracing (custom working directory)
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Test setup
+        shell: bash
+        run: |
+          # Make sure that Gradle build succeeds in autobuild-dir ...
+          cp -a ../action/tests/java-repo autobuild-dir
+          # ... and fails if attempted in the current directory
+          echo > build.gradle
+      - uses: ./../action/init
+        with:
+          build-mode: autobuild
+          languages: java
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Check that indirect tracing is disabled
+        shell: bash
+        run: |
+          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
+            echo "Expected indirect tracing to be disabled, but the" \
+              "CODEQL_RUNNER environment variable is set."
+            exit 1
+          fi
+      - uses: ./../action/autobuild
+        with:
+          working-directory: autobuild-dir
+      - uses: ./../action/analyze
+    env:
+      CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__autobuild-direct-tracing.yml

@@ -0,0 +1,86 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Autobuild direct tracing
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  autobuild-direct-tracing:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
+    name: Autobuild direct tracing
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Set up Java test repo configuration
+        shell: bash
+        run: |
+          mv * .github ../action/tests/multi-language-repo/
+          mv ../action/tests/multi-language-repo/.github/workflows .github
+          mv ../action/tests/java-repo/* .
+
+      - uses: ./../action/init
+        id: init
+        with:
+          build-mode: autobuild
+          db-location: ${{ runner.temp }}/customDbLocation
+          languages: java
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - name: Check that indirect tracing is disabled
+        shell: bash
+        run: |
+          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
+            echo "Expected indirect tracing to be disabled, but the" \
+              "CODEQL_RUNNER environment variable is set."
+            exit 1
+          fi
+
+      - uses: ./../action/analyze
+    env:
+      CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__build-mode-autobuild.yml

@@ -0,0 +1,78 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Build mode autobuild
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  build-mode-autobuild:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Build mode autobuild
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Set up Java test repo configuration
+        run: |
+          mv * .github ../action/tests/multi-language-repo/
+          mv ../action/tests/multi-language-repo/.github/workflows .github
+          mv ../action/tests/java-repo/* .
+
+      - uses: ./../action/init
+        id: init
+        with:
+          build-mode: autobuild
+          db-location: ${{ runner.temp }}/customDbLocation
+          languages: java
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - name: Validate database build mode
+        run: |
+          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
+          build_mode=$(yq eval '.buildMode' "$metadata_path")
+          if [[ "$build_mode" != "autobuild" ]]; then
+            echo "Expected build mode to be 'autobuild' but was $build_mode"
+            exit 1
+          fi
+
+      - uses: ./../action/analyze
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__build-mode-manual.yml

@@ -0,0 +1,76 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Build mode manual
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  build-mode-manual:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Build mode manual
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        id: init
+        with:
+          build-mode: manual
+          db-location: ${{ runner.temp }}/customDbLocation
+          languages: java
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - name: Validate database build mode
+        run: |
+          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
+          build_mode=$(yq eval '.buildMode' "$metadata_path")
+          if [[ "$build_mode" != "manual" ]]; then
+            echo "Expected build mode to be 'manual' but was $build_mode"
+            exit 1
+          fi
+
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+
+      - uses: ./../action/analyze
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__build-mode-none.yml

@@ -0,0 +1,78 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Build mode none
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  build-mode-none:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Build mode none
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        id: init
+        with:
+          build-mode: none
+          db-location: ${{ runner.temp }}/customDbLocation
+          languages: java
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - name: Validate database build mode
+        run: |
+          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
+          build_mode=$(yq eval '.buildMode' "$metadata_path")
+          if [[ "$build_mode" != "none" ]]; then
+            echo "Expected build mode to be 'none' but was $build_mode"
+            exit 1
+          fi
+
+  # The latest nightly supports omitting the autobuild Action when the build mode is specified.
+      - uses: ./../action/autobuild
+        if: matrix.version != 'nightly-latest'
+
+      - uses: ./../action/analyze
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__build-mode-rollback.yml

@@ -0,0 +1,79 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Build mode rollback
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  build-mode-rollback:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Build mode rollback
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Set up Java test repo configuration
+        run: |
+          mv * .github ../action/tests/multi-language-repo/
+          mv ../action/tests/multi-language-repo/.github/workflows .github
+          mv ../action/tests/java-repo/* .
+
+      - uses: ./../action/init
+        id: init
+        with:
+          build-mode: none
+          db-location: ${{ runner.temp }}/customDbLocation
+          languages: java
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - name: Validate database build mode
+        run: |
+          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
+          build_mode=$(yq eval '.buildMode' "$metadata_path")
+          if [[ "$build_mode" != "autobuild" ]]; then
+            echo "Expected build mode to be 'autobuild' but was $build_mode"
+            exit 1
+          fi
+
+      - uses: ./../action/analyze
+    env:
+      CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -0,0 +1,74 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Clean up database cluster directory
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  cleanup-db-cluster-dir:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: Clean up database cluster directory
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Add a file to the database cluster directory
+        run: |
+          mkdir -p "${{ runner.temp }}/customDbLocation/javascript"
+          touch "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt"
+
+      - uses: ./../action/init
+        id: init
+        with:
+          build-mode: none
+          db-location: ${{ runner.temp }}/customDbLocation
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - name: Validate file cleaned up
+        run: |
+          if [[ -f "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt" ]]; then
+            echo "File was not cleaned up"
+            exit 1
+          fi
+          echo "File was cleaned up"
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__config-export.yml

@@ -0,0 +1,105 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Config export
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  config-export:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
+    name: Config export
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: javascript
+          queries: security-extended
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v3
+        with:
+          name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check config properties appear in SARIF
+        uses: actions/github-script@v7
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+        with:
+          script: |
+            const fs = require('fs');
+
+            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+            const run = sarif.runs[0];
+            const configSummary = run.properties.codeqlConfigSummary;
+
+            if (configSummary === undefined) {
+              core.setFailed('`codeqlConfigSummary` property not found in the SARIF run property bag.');
+            }
+            if (configSummary.disableDefaultQueries !== false) {
+              core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' +
+                `${JSON.stringify(configSummary.disableDefaultQueries)}.`);
+            }
+            const expectedQueries = [{ type: 'builtinSuite', uses: 'security-extended' }];
+            // Use JSON.stringify to deep-equal the arrays.
+            if (JSON.stringify(configSummary.queries) !== JSON.stringify(expectedQueries)) {
+              core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` +
+                `${JSON.stringify(configSummary.queries)}.`);
+            }
+            core.info('Finished config export tests.');
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__config-input.yml

@@ -0,0 +1,82 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Config input
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  config-input:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: Config input
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Copy queries into workspace
+        run: |
+          cp -a ../action/queries .
+
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          languages: javascript
+          build-mode: none
+          config: |
+            disable-default-queries: true
+            queries:
+              - name: Run custom query
+                uses: ./queries/default-setup-environment-variables.ql
+            paths-ignore:
+              - tests
+              - lib
+
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+
+      - name: Check SARIF
+        uses: ./../action/.github/actions/check-sarif
+        with:
+          sarif-file: ${{ runner.temp }}/results/javascript.sarif
+          queries-run: javascript/codeql-action/default-setup-env-vars
+          queries-not-run: javascript/codeql-action/default-setup-context-properties
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cpp-deptrace-disabled.yml

@@ -0,0 +1,78 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: 'PR Check - C/C++: disabling autoinstalling dependencies (Linux)'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  cpp-deptrace-disabled:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: 'C/C++: disabling autoinstalling dependencies (Linux)'
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Test setup
+        shell: bash
+        run: |
+          cp -a ../action/tests/cpp-autobuild autobuild-dir
+      - uses: ./../action/init
+        with:
+          languages: cpp
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/autobuild
+        with:
+          working-directory: autobuild-dir
+        env:
+          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
+      - shell: bash
+        run: |
+          if ls /usr/bin/errno; then
+            echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
+            exit 1
+          fi
+    env:
+      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cpp-deptrace-enabled-on-macos.yml

@@ -0,0 +1,76 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: 'PR Check - C/C++: autoinstalling dependencies is skipped (macOS)'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  cpp-deptrace-enabled-on-macos:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: nightly-latest
+    name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Test setup
+        shell: bash
+        run: |
+          cp -a ../action/tests/cpp-autobuild autobuild-dir
+      - uses: ./../action/init
+        with:
+          languages: cpp
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/autobuild
+        with:
+          working-directory: autobuild-dir
+        env:
+          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
+      - shell: bash
+        run: |
+          if ! ls /usr/bin/errno; then
+            echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
+          else
+            echo "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES should not have had any effect on macOS"
+            exit 1
+          fi
+    env:
+      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cpp-deptrace-enabled.yml

@@ -0,0 +1,78 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: 'PR Check - C/C++: autoinstalling dependencies (Linux)'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  cpp-deptrace-enabled:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: 'C/C++: autoinstalling dependencies (Linux)'
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Test setup
+        shell: bash
+        run: |
+          cp -a ../action/tests/cpp-autobuild autobuild-dir
+      - uses: ./../action/init
+        with:
+          languages: cpp
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/autobuild
+        with:
+          working-directory: autobuild-dir
+        env:
+          CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
+      - shell: bash
+        run: |
+          if ! ls /usr/bin/errno; then
+            echo "Did not autoinstall errno"
+            exit 1
+          fi
+    env:
+      DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__diagnostics-export.yml

@@ -0,0 +1,142 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Diagnostic export
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  diagnostics-export:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
+    name: Diagnostic export
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        id: init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Add test diagnostics
+        shell: bash
+        env:
+          CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
+        run: |
+          "$CODEQL_PATH" database add-diagnostic \
+            "$RUNNER_TEMP/codeql_databases/javascript" \
+            --file-path /path/to/file \
+            --plaintext-message "Plaintext message" \
+            --source-id "lang/diagnostics/example" \
+            --source-name "Diagnostic name" \
+            --ready-for-status-page
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v3
+        with:
+          name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check diagnostics appear in SARIF
+        uses: actions/github-script@v7
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+        with:
+          script: |
+            const fs = require('fs');
+
+            function checkStatusPageNotification(n) {
+              const expectedMessage = 'Plaintext message';
+              if (n.message.text !== expectedMessage) {
+                core.setFailed(`Expected the status page diagnostic to have the message '${expectedMessage}', but found '${n.message.text}'.`);
+              }
+              if (n.locations.length !== 1) {
+                core.setFailed(`Expected the status page diagnostic to have exactly 1 location, but found ${n.locations.length}.`);
+              }
+            }
+
+            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+            const run = sarif.runs[0];
+
+            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+            const statusPageNotifications = toolExecutionNotifications.filter(n =>
+              n.descriptor.id === 'lang/diagnostics/example' && n.properties?.visibility?.statusPage
+            );
+            if (statusPageNotifications.length !== 1) {
+              core.setFailed(
+                'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
+                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                  `${statusPageNotifications.length}. All notification reporting descriptors: ` +
+                  `${JSON.stringify(toolExecutionNotifications)}.`
+              );
+            }
+            checkStatusPageNotification(statusPageNotifications[0]);
+
+            const notifications = run.tool.driver.notifications;
+            const diagnosticNotification = notifications.filter(n =>
+              n.id === 'lang/diagnostics/example' && n.name === 'lang/diagnostics/example' &&
+                n.fullDescription.text === 'Diagnostic name'
+            );
+            if (diagnosticNotification.length !== 1) {
+              core.setFailed(
+                'Expected exactly one notification for this diagnostic in the ' +
+                  `'runs[].tool.driver.notifications[]' SARIF property, but found ` +
+                  `${diagnosticNotification.length}. All notifications: ` +
+                  `${JSON.stringify(notifications)}.`
+              );
+            }
+
+            core.info('Finished diagnostic export test');
+    env:
+      CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__export-file-baseline-information.yml

@@ -1,88 +1,99 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Export file baseline information
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   export-file-baseline-information:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
-        - os: windows-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
     name: Export file baseline information
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      id: init
-      with:
-        languages: javascript
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-      env:
-        CODEQL_FILE_BASELINE_INFORMATION: true
-    - uses: ./../action/.github/setup-swift
-      with:
-        codeql-path: ${{steps.init.outputs.codeql-path}}
-    - name: Build code
-      shell: bash
-      run: ./build.sh
-    - uses: ./../action/analyze
-      with:
-        output: ${{ runner.temp }}/results
-      env:
-        CODEQL_FILE_BASELINE_INFORMATION: true
-    - name: Upload SARIF
-      uses: actions/upload-artifact@v3
-      with:
-        name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-        path: ${{ runner.temp }}/results/javascript.sarif
-        retention-days: 7
-    - name: Check results
-      shell: bash
-      run: |
-        cd "$RUNNER_TEMP/results"
-        expected_baseline_languages="cpp cs go java js py rb swift"
-
-        for lang in ${expected_baseline_languages}; do
-          rule_name="${lang}/baseline/expected-extracted-files"
-          found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
-            select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
-          if [[ "${found_notification}" != "true" ]]; then
-            echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
-            exit 1
-          else
-            echo "Found notification '${rule_name}'."
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        id: init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/.github/actions/setup-swift
+        with:
+          codeql-path: ${{ steps.init.outputs.codeql-path }}
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v3
+        with:
+          name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check results
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/results"
+          expected_baseline_languages="c csharp go java kotlin javascript python ruby"
+          if [[ $RUNNER_OS == "macOS" ]]; then
+            expected_baseline_languages+=" swift"
           fi
-        done
+
+          for lang in ${expected_baseline_languages}; do
+            rule_name="cli/expected-extracted-files/${lang}"
+            found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
+              select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
+            if [[ "${found_notification}" != "true" ]]; then
+              echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
+              exit 1
+            else
+              echo "Found notification '${rule_name}'."
+            fi
+          done
     env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true # Remove when Swift is GA.
+      CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__extractor-ram-threads.yml

@@ -1,66 +1,78 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Extractor ram and threads options test
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   extractor-ram-threads:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: latest
+          - os: ubuntu-latest
+            version: linked
     name: Extractor ram and threads options test
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      with:
-        languages: java
-        ram: 230
-        threads: 1
-    - name: Assert Results
-      shell: bash
-      run: |
-        if [ "${CODEQL_RAM}" != "230" ]; then
-          echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
-          exit 1
-        fi
-        if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
-          echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
-          exit 1
-        fi
-        if [ "${CODEQL_THREADS}" != "1" ]; then
-          echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
-          exit 1
-        fi
-        if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
-          echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
-          exit 1
-        fi
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: java
+          ram: 230
+          threads: 1
+      - name: Assert Results
+        shell: bash
+        run: |
+          if [ "${CODEQL_RAM}" != "230" ]; then
+            echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
+            exit 1
+          fi
+          if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
+            echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
+            exit 1
+          fi
+          if [ "${CODEQL_THREADS}" != "1" ]; then
+            echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
+            exit 1
+          fi
+          if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
+            echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
+            exit 1
+          fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-custom-queries.yml

@@ -1,91 +1,69 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Go: Custom queries'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   go-custom-queries:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-20.04
-          version: stable-20211005
-        - os: macos-latest
-          version: stable-20211005
-        - os: windows-2019
-          version: stable-20211005
-        - os: ubuntu-20.04
-          version: stable-20220120
-        - os: macos-latest
-          version: stable-20220120
-        - os: windows-2019
-          version: stable-20220120
-        - os: ubuntu-latest
-          version: stable-20220401
-        - os: macos-latest
-          version: stable-20220401
-        - os: windows-latest
-          version: stable-20220401
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: windows-latest
-          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: windows-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
-        - os: windows-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
     name: 'Go: Custom queries'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Set up Go
-      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
-      with:
-        go-version: ^1.13.1
-    - uses: ./../action/init
-      with:
-        languages: go
-        config-file: ./.github/codeql/custom-queries.yml
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - name: Build code
-      shell: bash
-      run: ./build.sh
-    - uses: ./../action/analyze
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '>=1.21.0'
+      - uses: ./../action/init
+        with:
+          languages: go
+          config-file: ./.github/codeql/custom-queries.yml
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -0,0 +1,96 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: 'PR Check - Go: diagnostic when Go is changed after init step'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  go-indirect-tracing-workaround-diagnostic:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+    name: 'Go: diagnostic when Go is changed after init step'
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: actions/setup-go@v5
+        with:
+      # We need a Go version that ships with statically linked binaries on Linux
+          go-version: '>=1.21.0'
+      - uses: ./../action/init
+        with:
+          languages: go
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+  # Deliberately change Go after the `init` step
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.20'
+      - name: Build code
+        shell: bash
+        run: go build main.go
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Check diagnostic appears in SARIF
+        uses: actions/github-script@v7
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
+        with:
+          script: |
+            const fs = require('fs');
+
+            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+            const run = sarif.runs[0];
+
+            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+            const statusPageNotifications = toolExecutionNotifications.filter(n =>
+              n.descriptor.id === 'go/workflow/go-installed-after-codeql-init' && n.properties?.visibility?.statusPage
+            );
+            if (statusPageNotifications.length !== 1) {
+              core.setFailed(
+                'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
+                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                  `${statusPageNotifications.length}. All notification reporting descriptors: ` +
+                  `${JSON.stringify(toolExecutionNotifications)}.`
+              );
+            }
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml

@@ -0,0 +1,97 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: 'PR Check - Go: diagnostic when `file` is not installed'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  go-indirect-tracing-workaround-no-file-program:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+    name: 'Go: diagnostic when `file` is not installed'
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: actions/setup-go@v5
+        with:
+      # We need a Go version that ships with statically linked binaries on Linux
+          go-version: '>=1.21.0'
+      - name: Remove `file` program
+        run: |
+          echo $(which file)
+          sudo rm -rf $(which file)
+          echo $(which file)
+      - uses: ./../action/init
+        with:
+          languages: go
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Build code
+        shell: bash
+        run: go build main.go
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Check diagnostic appears in SARIF
+        uses: actions/github-script@v7
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/go.sarif
+        with:
+          script: |
+            const fs = require('fs');
+
+            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+            const run = sarif.runs[0];
+
+            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+            const statusPageNotifications = toolExecutionNotifications.filter(n =>
+              n.descriptor.id === 'go/workflow/file-program-unavailable' && n.properties?.visibility?.statusPage
+            );
+            if (statusPageNotifications.length !== 1) {
+              core.setFailed(
+                'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
+                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                  `${statusPageNotifications.length}. All notification reporting descriptors: ` +
+                  `${JSON.stringify(toolExecutionNotifications)}.`
+              );
+            }
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -0,0 +1,92 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: 'PR Check - Go: workaround for indirect tracing'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  go-indirect-tracing-workaround:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+    name: 'Go: workaround for indirect tracing'
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: actions/setup-go@v5
+        with:
+      # We need a Go version that ships with statically linked binaries on Linux
+          go-version: '>=1.21.0'
+      - uses: ./../action/init
+        with:
+          languages: go
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Build code
+        shell: bash
+        run: go build main.go
+      - uses: ./../action/analyze
+      - shell: bash
+        run: |
+          if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
+            echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
+              "CODEQL_ACTION_GO_BINARY environment variable is not set."
+            exit 1
+          fi
+          if [[ ! -f "${CODEQL_ACTION_GO_BINARY}" ]]; then
+            echo "CODEQL_ACTION_GO_BINARY is set, but the corresponding script does not exist."
+            exit 1
+          fi
+
+
+          # Once we start running Bash 4.2 in all environments, we can replace the
+          # `! -z` flag with the more elegant `-v` which confirms that the variable
+          # is actually unset and not potentially set to a blank value.
+          if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
+            echo "Expected the Go autobuilder not to be run, but the" \
+              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
+            exit 1
+          fi
+          cd "$RUNNER_TEMP/codeql_databases"
+          if [[ ! -d go ]]; then
+            echo "Did not find a Go database"
+            exit 1
+          fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-tracing-autobuilder.yml

@@ -1,88 +1,109 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Go: tracing with autobuilder step'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   go-tracing-autobuilder:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-20.04
-          version: stable-20211005
-        - os: macos-latest
-          version: stable-20211005
-        - os: ubuntu-20.04
-          version: stable-20220120
-        - os: macos-latest
-          version: stable-20220120
-        - os: ubuntu-latest
-          version: stable-20220401
-        - os: macos-latest
-          version: stable-20220401
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+          - os: macos-12
+            version: stable-v2.14.6
+          - os: ubuntu-latest
+            version: stable-v2.15.5
+          - os: macos-latest
+            version: stable-v2.15.5
+          - os: ubuntu-latest
+            version: stable-v2.16.6
+          - os: macos-latest
+            version: stable-v2.16.6
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
     name: 'Go: tracing with autobuilder step'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Set up Go
-      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
-      with:
-        go-version: ^1.13.1
-    - uses: ./../action/init
-      with:
-        languages: go
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - uses: ./../action/autobuild
-    - uses: ./../action/analyze
-    - shell: bash
-      run: |
-        if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
-          echo "Expected the Go autobuilder to be run, but the" \
-            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
-          exit 1
-        fi
-        cd "$RUNNER_TEMP/codeql_databases"
-        if [[ ! -d go ]]; then
-          echo "Did not find a Go database"
-          exit 1
-        fi
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ~1.23.0
+      # to avoid potentially misleading autobuilder results where we expect it to download
+      # dependencies successfully, but they actually come from a warm cache
+          cache: false
+      - uses: ./../action/init
+        with:
+          languages: go
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/autobuild
+      - uses: ./../action/analyze
+      - shell: bash
+        run: |
+          if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
+            echo "Expected the Go autobuilder to be run, but the" \
+              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
+            exit 1
+          fi
+          cd "$RUNNER_TEMP/codeql_databases"
+          if [[ ! -d go ]]; then
+            echo "Did not find a Go database"
+            exit 1
+          fi
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -1,92 +1,113 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Go: tracing with custom build steps'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   go-tracing-custom-build-steps:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-20.04
-          version: stable-20211005
-        - os: macos-latest
-          version: stable-20211005
-        - os: ubuntu-20.04
-          version: stable-20220120
-        - os: macos-latest
-          version: stable-20220120
-        - os: ubuntu-latest
-          version: stable-20220401
-        - os: macos-latest
-          version: stable-20220401
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+          - os: macos-12
+            version: stable-v2.14.6
+          - os: ubuntu-latest
+            version: stable-v2.15.5
+          - os: macos-latest
+            version: stable-v2.15.5
+          - os: ubuntu-latest
+            version: stable-v2.16.6
+          - os: macos-latest
+            version: stable-v2.16.6
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
     name: 'Go: tracing with custom build steps'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Set up Go
-      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
-      with:
-        go-version: ^1.13.1
-    - uses: ./../action/init
-      with:
-        languages: go
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - name: Build code
-      shell: bash
-      run: go build main.go
-    - uses: ./../action/analyze
-    - shell: bash
-      run: |
-        # Once we start running Bash 4.2 in all environments, we can replace the
-        # `! -z` flag with the more elegant `-v` which confirms that the variable
-        # is actually unset and not potentially set to a blank value.
-        if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
-          echo "Expected the Go autobuilder not to be run, but the" \
-            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
-          exit 1
-        fi
-        cd "$RUNNER_TEMP/codeql_databases"
-        if [[ ! -d go ]]; then
-          echo "Did not find a Go database"
-          exit 1
-        fi
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ~1.23.0
+      # to avoid potentially misleading autobuilder results where we expect it to download
+      # dependencies successfully, but they actually come from a warm cache
+          cache: false
+      - uses: ./../action/init
+        with:
+          languages: go
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Build code
+        shell: bash
+        run: go build main.go
+      - uses: ./../action/analyze
+      - shell: bash
+        run: |
+          # Once we start running Bash 4.2 in all environments, we can replace the
+          # `! -z` flag with the more elegant `-v` which confirms that the variable
+          # is actually unset and not potentially set to a blank value.
+          if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
+            echo "Expected the Go autobuilder not to be run, but the" \
+              "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
+            exit 1
+          fi
+          cd "$RUNNER_TEMP/codeql_databases"
+          if [[ ! -d go ]]; then
+            echo "Did not find a Go database"
+            exit 1
+          fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -1,82 +1,103 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Go: tracing with legacy workflow'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   go-tracing-legacy-workflow:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-20.04
-          version: stable-20211005
-        - os: macos-latest
-          version: stable-20211005
-        - os: ubuntu-20.04
-          version: stable-20220120
-        - os: macos-latest
-          version: stable-20220120
-        - os: ubuntu-latest
-          version: stable-20220401
-        - os: macos-latest
-          version: stable-20220401
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+          - os: macos-12
+            version: stable-v2.14.6
+          - os: ubuntu-latest
+            version: stable-v2.15.5
+          - os: macos-latest
+            version: stable-v2.15.5
+          - os: ubuntu-latest
+            version: stable-v2.16.6
+          - os: macos-latest
+            version: stable-v2.16.6
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
     name: 'Go: tracing with legacy workflow'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Set up Go
-      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
-      with:
-        go-version: ^1.13.1
-    - uses: ./../action/init
-      with:
-        languages: go
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - uses: ./../action/analyze
-    - shell: bash
-      run: |
-        cd "$RUNNER_TEMP/codeql_databases"
-        if [[ ! -d go ]]; then
-          echo "Did not find a Go database"
-          exit 1
-        fi
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ~1.23.0
+      # to avoid potentially misleading autobuilder results where we expect it to download
+      # dependencies successfully, but they actually come from a warm cache
+          cache: false
+      - uses: ./../action/init
+        with:
+          languages: go
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+      - shell: bash
+        run: |
+          cd "$RUNNER_TEMP/codeql_databases"
+          if [[ ! -d go ]]; then
+            echo "Did not find a Go database"
+            exit 1
+          fi
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__init-with-registries.yml

@@ -1,121 +1,134 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Download using registries'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   init-with-registries:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: windows-latest
-          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: windows-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
-        - os: windows-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
     name: 'Packaging: Download using registries'
+    permissions:
+      contents: read
+      packages: read
+
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Init with registries
-      uses: ./../action/init
-      with:
-        db-location: ${{ runner.temp }}/customDbLocation
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-        config-file: ./.github/codeql/codeql-config-registries.yml
-        languages: javascript
-        registries: |
-          - url: "https://ghcr.io/v2/"
-            packages: "*/*"
-            token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Init with registries
+        uses: ./../action/init
+        with:
+          db-location: ${{ runner.temp }}/customDbLocation
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          config-file: ./.github/codeql/codeql-config-registries.yml
+          languages: javascript
+          registries: |
+            - url: "https://ghcr.io/v2/"
+              packages: "*/*"
+              token: "${{ secrets.GITHUB_TOKEN }}"
 
-    - name: Verify packages installed
-      shell: bash
-      run: |
-        PRIVATE_PACK="$HOME/.codeql/packages/dsp-testing/private-pack"
-        CODEQL_PACK1="$HOME/.codeql/packages/dsp-testing/codeql-pack1"
+      - name: Verify packages installed
+        shell: bash
+        run: |
+          PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
+          CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
 
-        if [[ -d $PRIVATE_PACK ]]
-        then
-            echo "$PRIVATE_PACK was installed."
-        else
-            echo "::error $PRIVATE_PACK pack was not installed."
-            exit 1
-        fi
+          if [[ -d $PRIVATE_PACK ]]
+          then
+              echo "$PRIVATE_PACK was installed."
+          else
+              echo "::error $PRIVATE_PACK pack was not installed."
+              exit 1
+          fi
 
-        if [[ -d $CODEQL_PACK1 ]]
-        then
-            echo "$CODEQL_PACK1 was installed."
-        else
-            echo "::error $CODEQL_PACK1 pack was not installed."
-            exit 1
-        fi
+          if [[ -d $CODEQL_PACK1 ]]
+          then
+              echo "$CODEQL_PACK1 was installed."
+          else
+              echo "::error $CODEQL_PACK1 pack was not installed."
+              exit 1
+          fi
 
-    - name: Verify qlconfig.yml file was created
-      shell: bash
-      run: |
-        QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
-        echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
-        if [[ -f $QLCONFIG_PATH ]]
-        then
-            echo "qlconfig.yml file was created."
-        else
-            echo "::error qlconfig.yml file was not created."
-            exit 1
-        fi
+      - name: Verify qlconfig.yml file was created
+        shell: bash
+        run: |
+          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
+          echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
+          if [[ -f $QLCONFIG_PATH ]]
+          then
+              echo "qlconfig.yml file was created."
+          else
+              echo "::error qlconfig.yml file was not created."
+              exit 1
+          fi
 
-    - name: Verify contents of qlconfig.yml
+      - name: Verify contents of qlconfig.yml
     # yq is not available on windows
-      if: runner.os != 'Windows'
-      shell: bash
-      run: |
-        QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
-        cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
-        if [[ $? -eq 0 ]]
-        then
-            echo "Registry was added to qlconfig.yml file."
-        else
-            echo "::error Registry was not added to qlconfig.yml file."
-            echo "Contents of qlconfig.yml file:"
-            cat $QLCONFIG_PATH
-            exit 1
-        fi
+        if: runner.os != 'Windows'
+        shell: bash
+        run: |
+          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
+          cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
+          if [[ $? -eq 0 ]]
+          then
+              echo "Registry was added to qlconfig.yml file."
+          else
+              echo "::error Registry was not added to qlconfig.yml file."
+              echo "Contents of qlconfig.yml file:"
+              cat $QLCONFIG_PATH
+              exit 1
+          fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__javascript-source-root.yml

@@ -1,68 +1,79 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Custom source root
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   javascript-source-root:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: latest
-        - os: ubuntu-latest
-          version: cached
-        - os: ubuntu-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
     name: Custom source root
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Move codeql-action
-      shell: bash
-      run: |
-        mkdir ../new-source-root
-        mv * ../new-source-root
-    - uses: ./../action/init
-      with:
-        languages: javascript
-        source-root: ../new-source-root
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - uses: ./../action/analyze
-      with:
-        skip-queries: true
-        upload: false
-    - name: Assert database exists
-      shell: bash
-      run: |
-        cd "$RUNNER_TEMP/codeql_databases"
-        if [[ ! -d javascript ]]; then
-          echo "Did not find a JavaScript database"
-          exit 1
-        fi
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Move codeql-action
+        shell: bash
+        run: |
+          mkdir ../new-source-root
+          mv * ../new-source-root
+      - uses: ./../action/init
+        with:
+          languages: javascript
+          source-root: ../new-source-root
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          skip-queries: true
+      - name: Assert database exists
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/codeql_databases"
+          if [[ ! -d javascript ]]; then
+            echo "Did not find a JavaScript database"
+            exit 1
+          fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__job-run-uuid-sarif.yml

@@ -0,0 +1,79 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Job run UUID added to SARIF
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  job-run-uuid-sarif:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Job run UUID added to SARIF
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        id: init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check results
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/results"
+          actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
+          if [[ "$actual" != "$JOB_RUN_UUID" ]]; then
+            echo "Expected SARIF output to contain job run UUID '$JOB_RUN_UUID', but found '$actual'."
+            exit 1
+          else
+            echo "Found job run UUID '$actual'."
+          fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__language-aliases.yml

@@ -0,0 +1,69 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Language aliases
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  language-aliases:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: Language aliases
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: C#,java-kotlin,swift,typescript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - name: Check languages
+        run: |
+          expected_languages="csharp,java,swift,javascript"
+          actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
+
+          if [ "$expected_languages" != "$actual_languages" ]; then
+            echo "Resolved languages did not match expected list. " \
+              "Expected languages: $expected_languages. Actual languages: $actual_languages."
+            exit 1
+          fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__ml-powered-queries.yml

@@ -1,135 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
-# to regenerate this file.
-
-name: PR Check - ML-powered queries
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
-on:
-  push:
-    branches:
-    - main
-    - releases/v2
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  workflow_dispatch: {}
-jobs:
-  ml-powered-queries:
-    strategy:
-      matrix:
-        include:
-        - os: ubuntu-20.04
-          version: stable-20220120
-        - os: macos-latest
-          version: stable-20220120
-        - os: windows-2019
-          version: stable-20220120
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: windows-latest
-          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: windows-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
-        - os: windows-latest
-          version: nightly-latest
-    name: ML-powered queries
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Set up Go
-      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
-      with:
-        go-version: ^1.13.1
-    - uses: ./../action/init
-      with:
-        languages: javascript
-        queries: security-extended
-        source-root: ./../action/tests/ml-powered-queries-repo
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-    - uses: ./../action/analyze
-      with:
-        output: ${{ runner.temp }}/results
-        upload-database: false
-
-    - name: Upload SARIF
-      uses: actions/upload-artifact@v3
-      with:
-        name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
-        path: ${{ runner.temp }}/results/javascript.sarif
-        retention-days: 7
-
-    - name: Check sarif
-      uses: ./../action/.github/check-sarif
-    # Running on Windows requires CodeQL CLI 2.9.0+.
-      if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')"
-      with:
-        sarif-file: ${{ runner.temp }}/results/javascript.sarif
-        queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
-        queries-not-run: foo,bar
-
-    - name: Check results
-      env:
-      # Running on Windows requires CodeQL CLI 2.9.0+.
-        SHOULD_RUN_ML_POWERED_QUERIES: ${{ !(matrix.version == 'stable-20220120' &&
-          runner.os == 'Windows') }}
-      shell: bash
-      run: |
-        echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
-
-        cd "$RUNNER_TEMP/results"
-        # We should run at least the ML-powered queries in `expected_rules`.
-        expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
-
-        for rule in ${expected_rules}; do
-          found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
-            flatten | .[].id] | any(. == $rule)' javascript.sarif)
-          echo "Did find rule '${rule}': ${found_rule}"
-          if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
-            echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
-            exit 1
-          elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
-            echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
-            exit 1
-          fi
-        done
-
-        # We should have at least one alert from an ML-powered query.
-        num_alerts=$(jq '[.runs[0].results[] |
-          select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
-          javascript.sarif)
-        echo "Found ${num_alerts} alerts from ML-powered queries.";
-        if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
-          echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
-          exit 1
-        elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
-          echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
-          exit 1
-        fi
-    env:
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__multi-language-autodetect.yml

@@ -1,142 +1,159 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Multi-language repository
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   multi-language-autodetect:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-20.04
-          version: stable-20211005
-        - os: macos-latest
-          version: stable-20211005
-        - os: ubuntu-20.04
-          version: stable-20220120
-        - os: macos-latest
-          version: stable-20220120
-        - os: ubuntu-latest
-          version: stable-20220401
-        - os: macos-latest
-          version: stable-20220401
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
+          - os: macos-12
+            version: stable-v2.14.6
+          - os: ubuntu-latest
+            version: stable-v2.14.6
+          - os: macos-latest
+            version: stable-v2.15.5
+          - os: ubuntu-latest
+            version: stable-v2.15.5
+          - os: macos-latest
+            version: stable-v2.16.6
+          - os: ubuntu-latest
+            version: stable-v2.16.6
+          - os: macos-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: default
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: nightly-latest
+          - os: ubuntu-latest
+            version: nightly-latest
     name: Multi-language repository
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Set up Go
-      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
-      with:
-        go-version: ^1.13.1
-    - uses: ./../action/init
-      id: init
-      with:
-        db-location: ${{ runner.temp }}/customDbLocation
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '>=1.21.0'
 
-    - uses: ./../action/.github/setup-swift
-      with:
-        codeql-path: ${{steps.init.outputs.codeql-path}}
+      - uses: ./../action/init
+        id: init
+        with:
+          db-location: ${{ runner.temp }}/customDbLocation
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
+            || '' }}
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-    - name: Build code
-      shell: bash
-      run: ./build.sh
+      - uses: ./../action/.github/actions/setup-swift
+        if: runner.os == 'macOS'
+        with:
+          codeql-path: ${{ steps.init.outputs.codeql-path }}
 
-    - uses: ./../action/analyze
-      id: analysis
+      - name: Build code
+        shell: bash
+        run: ./build.sh
 
-    - name: Check language autodetect for all languages excluding Ruby, Swift
-      shell: bash
-      run: |
-        CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
-        if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for CPP, or created it in the wrong location."
-          exit 1
-        fi
-        CSHARP_DB=${{ fromJson(steps.analysis.outputs.db-locations).csharp }}
-        if [[ ! -d $CSHARP_DB ]] || [[ ! $CSHARP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for C Sharp, or created it in the wrong location."
-          exit 1
-        fi
-        GO_DB=${{ fromJson(steps.analysis.outputs.db-locations).go }}
-        if [[ ! -d $GO_DB ]] || [[ ! $GO_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for Go, or created it in the wrong location."
-          exit 1
-        fi
-        JAVA_DB=${{ fromJson(steps.analysis.outputs.db-locations).java }}
-        if [[ ! -d $JAVA_DB ]] || [[ ! $JAVA_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for Java, or created it in the wrong location."
-          exit 1
-        fi
-        JAVASCRIPT_DB=${{ fromJson(steps.analysis.outputs.db-locations).javascript }}
-        if [[ ! -d $JAVASCRIPT_DB ]] || [[ ! $JAVASCRIPT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for Javascript, or created it in the wrong location."
-          exit 1
-        fi
-        PYTHON_DB=${{ fromJson(steps.analysis.outputs.db-locations).python }}
-        if [[ ! -d $PYTHON_DB ]] || [[ ! $PYTHON_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for Python, or created it in the wrong location."
-          exit 1
-        fi
+      - uses: ./../action/analyze
+        id: analysis
+        with:
+          upload-database: false
 
-    - name: Check language autodetect for Ruby
-      if: (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version
-        == 'nightly-latest')
-      shell: bash
-      run: |
-        RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
-        if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for Ruby, or created it in the wrong location."
-          exit 1
-        fi
+      - name: Check language autodetect for all languages excluding Swift
+        shell: bash
+        run: |
+          CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
+          if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+            echo "Did not create a database for CPP, or created it in the wrong location."
+            exit 1
+          fi
+          CSHARP_DB=${{ fromJson(steps.analysis.outputs.db-locations).csharp }}
+          if [[ ! -d $CSHARP_DB ]] || [[ ! $CSHARP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+            echo "Did not create a database for C Sharp, or created it in the wrong location."
+            exit 1
+          fi
+          GO_DB=${{ fromJson(steps.analysis.outputs.db-locations).go }}
+          if [[ ! -d $GO_DB ]] || [[ ! $GO_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+            echo "Did not create a database for Go, or created it in the wrong location."
+            exit 1
+          fi
+          JAVA_DB=${{ fromJson(steps.analysis.outputs.db-locations).java }}
+          if [[ ! -d $JAVA_DB ]] || [[ ! $JAVA_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+            echo "Did not create a database for Java, or created it in the wrong location."
+            exit 1
+          fi
+          JAVASCRIPT_DB=${{ fromJson(steps.analysis.outputs.db-locations).javascript }}
+          if [[ ! -d $JAVASCRIPT_DB ]] || [[ ! $JAVASCRIPT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+            echo "Did not create a database for Javascript, or created it in the wrong location."
+            exit 1
+          fi
+          PYTHON_DB=${{ fromJson(steps.analysis.outputs.db-locations).python }}
+          if [[ ! -d $PYTHON_DB ]] || [[ ! $PYTHON_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+            echo "Did not create a database for Python, or created it in the wrong location."
+            exit 1
+          fi
+          RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
+          if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+            echo "Did not create a database for Ruby, or created it in the wrong location."
+            exit 1
+          fi
 
-    - name: Check language autodetect for Swift
-      if: (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version
-        == 'nightly-latest')
-      shell: bash
-      run: |
-        SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
-        if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
-          echo "Did not create a database for Swift, or created it in the wrong location."
-          exit 1
-        fi
+      - name: Check language autodetect for Swift on MacOS
+        if: runner.os == 'macOS'
+        shell: bash
+        run: |
+          SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
+          if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
+            echo "Did not create a database for Swift, or created it in the wrong location."
+            exit 1
+          fi
     env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -1,94 +1,106 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Config and input passed to the CLI'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   packaging-codescanning-config-inputs-js:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: windows-latest
-          version: latest
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: windows-latest
-          version: cached
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
-        - os: windows-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
     name: 'Packaging: Config and input passed to the CLI'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      with:
-        config-file: .github/codeql/codeql-config-packaging3.yml
-        packs: +dsp-testing/codeql-pack1@1.0.0
-        languages: javascript
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - name: Build code
-      shell: bash
-      run: ./build.sh
-    - uses: ./../action/analyze
-      with:
-        output: ${{ runner.temp }}/results
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          config-file: .github/codeql/codeql-config-packaging3.yml
+          packs: +codeql-testing/codeql-pack1@1.0.0
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
 
-    - name: Check results
-      uses: ./../action/.github/check-sarif
-      with:
-        sarif-file: ${{ runner.temp }}/results/javascript.sarif
-        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-        queries-not-run: foo,bar
+      - name: Check results
+        uses: ./../action/.github/actions/check-sarif
+        with:
+          sarif-file: ${{ runner.temp }}/results/javascript.sarif
+          queries-run: 
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-not-run: foo,bar
 
-    - name: Assert Results
-      shell: bash
-      run: |
-        cd "$RUNNER_TEMP/results"
-        # We should have 4 hits from these rules
-        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+      - name: Assert Results
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/results"
+          # We should have 4 hits from these rules
+          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-        echo "Found matching rules '$RULES'"
-        if [ "$RULES" != "$EXPECTED_RULES" ]; then
-          echo "Did not match expected rules '$EXPECTED_RULES'."
-          exit 1
-        fi
+          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+          echo "Found matching rules '$RULES'"
+          if [ "$RULES" != "$EXPECTED_RULES" ]; then
+            echo "Did not match expected rules '$EXPECTED_RULES'."
+            exit 1
+          fi
     env:
-      CODEQL_PASS_CONFIG_TO_CLI: true
-
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__packaging-config-inputs-js.yml

@@ -1,92 +1,106 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Config and input'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   packaging-config-inputs-js:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: windows-latest
-          version: latest
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: windows-latest
-          version: cached
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
-        - os: windows-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
     name: 'Packaging: Config and input'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      with:
-        config-file: .github/codeql/codeql-config-packaging3.yml
-        packs: +dsp-testing/codeql-pack1@1.0.0
-        languages: javascript
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - name: Build code
-      shell: bash
-      run: ./build.sh
-    - uses: ./../action/analyze
-      with:
-        output: ${{ runner.temp }}/results
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          config-file: .github/codeql/codeql-config-packaging3.yml
+          packs: +codeql-testing/codeql-pack1@1.0.0
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
 
-    - name: Check results
-      uses: ./../action/.github/check-sarif
-      with:
-        sarif-file: ${{ runner.temp }}/results/javascript.sarif
-        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-        queries-not-run: foo,bar
+      - name: Check results
+        uses: ./../action/.github/actions/check-sarif
+        with:
+          sarif-file: ${{ runner.temp }}/results/javascript.sarif
+          queries-run: 
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-not-run: foo,bar
 
-    - name: Assert Results
-      shell: bash
-      run: |
-        cd "$RUNNER_TEMP/results"
-        # We should have 4 hits from these rules
-        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+      - name: Assert Results
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/results"
+          # We should have 4 hits from these rules
+          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-        echo "Found matching rules '$RULES'"
-        if [ "$RULES" != "$EXPECTED_RULES" ]; then
-          echo "Did not match expected rules '$EXPECTED_RULES'."
-          exit 1
-        fi
+          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+          echo "Found matching rules '$RULES'"
+          if [ "$RULES" != "$EXPECTED_RULES" ]; then
+            echo "Did not match expected rules '$EXPECTED_RULES'."
+            exit 1
+          fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__packaging-config-js.yml

@@ -1,91 +1,105 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Config file'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   packaging-config-js:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: windows-latest
-          version: latest
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: windows-latest
-          version: cached
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
-        - os: windows-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
     name: 'Packaging: Config file'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      with:
-        config-file: .github/codeql/codeql-config-packaging.yml
-        languages: javascript
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - name: Build code
-      shell: bash
-      run: ./build.sh
-    - uses: ./../action/analyze
-      with:
-        output: ${{ runner.temp }}/results
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          config-file: .github/codeql/codeql-config-packaging.yml
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
 
-    - name: Check results
-      uses: ./../action/.github/check-sarif
-      with:
-        sarif-file: ${{ runner.temp }}/results/javascript.sarif
-        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-        queries-not-run: foo,bar
+      - name: Check results
+        uses: ./../action/.github/actions/check-sarif
+        with:
+          sarif-file: ${{ runner.temp }}/results/javascript.sarif
+          queries-run: 
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-not-run: foo,bar
 
-    - name: Assert Results
-      shell: bash
-      run: |
-        cd "$RUNNER_TEMP/results"
-        # We should have 4 hits from these rules
-        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+      - name: Assert Results
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/results"
+          # We should have 4 hits from these rules
+          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-        echo "Found matching rules '$RULES'"
-        if [ "$RULES" != "$EXPECTED_RULES" ]; then
-          echo "Did not match expected rules '$EXPECTED_RULES'."
-          exit 1
-        fi
+          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+          echo "Found matching rules '$RULES'"
+          if [ "$RULES" != "$EXPECTED_RULES" ]; then
+            echo "Did not match expected rules '$EXPECTED_RULES'."
+            exit 1
+          fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__packaging-inputs-js.yml

@@ -1,92 +1,105 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Action input'
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   packaging-inputs-js:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: windows-latest
-          version: latest
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: windows-latest
-          version: cached
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
-        - os: windows-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
     name: 'Packaging: Action input'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      with:
-        config-file: .github/codeql/codeql-config-packaging2.yml
-        languages: javascript
-        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - name: Build code
-      shell: bash
-      run: ./build.sh
-    - uses: ./../action/analyze
-      with:
-        output: ${{ runner.temp }}/results
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          config-file: .github/codeql/codeql-config-packaging2.yml
+          languages: javascript
+          packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
 
-    - name: Check results
-      uses: ./../action/.github/check-sarif
-      with:
-        sarif-file: ${{ runner.temp }}/results/javascript.sarif
-        queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
-        queries-not-run: foo,bar
+      - name: Check results
+        uses: ./../action/.github/actions/check-sarif
+        with:
+          sarif-file: ${{ runner.temp }}/results/javascript.sarif
+          queries-run: 
+            javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+          queries-not-run: foo,bar
 
-    - name: Assert Results
-      shell: bash
-      run: |
-        cd "$RUNNER_TEMP/results"
-        # We should have 4 hits from these rules
-        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+      - name: Assert Results
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/results"
+          # We should have 4 hits from these rules
+          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-        echo "Found matching rules '$RULES'"
-        if [ "$RULES" != "$EXPECTED_RULES" ]; then
-          echo "Did not match expected rules '$EXPECTED_RULES'."
-          exit 1
-        fi
+          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+          echo "Found matching rules '$RULES'"
+          if [ "$RULES" != "$EXPECTED_RULES" ]; then
+            echo "Did not match expected rules '$EXPECTED_RULES'."
+            exit 1
+          fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__remote-config.yml

@@ -1,91 +1,66 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Remote config file
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   remote-config:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-20.04
-          version: stable-20211005
-        - os: macos-latest
-          version: stable-20211005
-        - os: windows-2019
-          version: stable-20211005
-        - os: ubuntu-20.04
-          version: stable-20220120
-        - os: macos-latest
-          version: stable-20220120
-        - os: windows-2019
-          version: stable-20220120
-        - os: ubuntu-latest
-          version: stable-20220401
-        - os: macos-latest
-          version: stable-20220401
-        - os: windows-latest
-          version: stable-20220401
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: windows-latest
-          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: windows-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
-        - os: windows-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
     name: Remote config file
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Set up Go
-      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
-      with:
-        go-version: ^1.13.1
-    - uses: ./../action/init
-      with:
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-        languages: cpp,csharp,java,javascript,python
-        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-          github.sha }}
-    - name: Build code
-      shell: bash
-      run: ./build.sh
-    - uses: ./../action/analyze
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          languages: cpp,csharp,java,javascript,python
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__resolve-environment-action.yml

@@ -0,0 +1,95 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Resolve environment
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  resolve-environment-action:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
+    name: Resolve environment
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: go,javascript-typescript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - name: Resolve environment for Go
+        uses: ./../action/resolve-environment
+        id: resolve-environment-go
+        with:
+          language: go
+
+      - name: Fail if Go configuration missing
+        if: (!fromJSON(steps.resolve-environment-go.outputs.environment).configuration.go)
+        run: exit 1
+
+      - name: Resolve environment for JavaScript/TypeScript
+        uses: ./../action/resolve-environment
+        id: resolve-environment-js
+        with:
+          language: javascript-typescript
+
+      - name: Fail if JavaScript/TypeScript configuration present
+        if: 
+          fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
+        run: exit 1
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__rubocop-multi-language.yml

@@ -1,62 +1,74 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - RuboCop multi-language
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   rubocop-multi-language:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: cached
+          - os: ubuntu-latest
+            version: default
     name: RuboCop multi-language
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: 2.6
-    - name: Install Code Scanning integration
-      shell: bash
-      run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
-    - name: Install dependencies
-      shell: bash
-      run: bundle install
-    - name: RuboCop run
-      shell: bash
-      run: |
-        bash -c "
-          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
-          [[ $? -ne 2 ]]
-        "
-    - uses: ./../action/upload-sarif
-      with:
-        sarif_file: rubocop.sarif
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 2.6
+      - name: Install Code Scanning integration
+        shell: bash
+        run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
+      - name: Install dependencies
+        shell: bash
+        run: bundle install
+      - name: RuboCop run
+        shell: bash
+        run: |
+          bash -c "
+            bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+            [[ $? -ne 2 ]]
+          "
+      - uses: ./../action/upload-sarif
+        with:
+          sarif_file: rubocop.sarif
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__ruby.yml

@@ -1,66 +1,80 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Ruby analysis
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   ruby:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
     name: Ruby analysis
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      with:
-        languages: ruby
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - uses: ./../action/analyze
-      id: analysis
-    - name: Check database
-      shell: bash
-      run: |
-        RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
-        if [[ ! -d "$RUBY_DB" ]]; then
-          echo "Did not create a database for Ruby."
-          exit 1
-        fi
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          languages: ruby
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        id: analysis
+        with:
+          upload-database: false
+      - name: Check database
+        shell: bash
+        run: |
+          RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
+          if [[ ! -d "$RUBY_DB" ]]; then
+            echo "Did not create a database for Ruby."
+            exit 1
+          fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__split-workflow.yml

@@ -1,91 +1,104 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Split workflow
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   split-workflow:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
     name: Split workflow
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      with:
-        config-file: .github/codeql/codeql-config-packaging3.yml
-        packs: +dsp-testing/codeql-pack1@1.0.0
-        languages: javascript
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - name: Build code
-      shell: bash
-      run: ./build.sh
-    - uses: ./../action/analyze
-      with:
-        skip-queries: true
-        output: ${{ runner.temp }}/results
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          config-file: .github/codeql/codeql-config-packaging3.yml
+          packs: +codeql-testing/codeql-pack1@1.0.0
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        with:
+          skip-queries: true
+          output: ${{ runner.temp }}/results
+          upload-database: false
 
-    - name: Assert No Results
-      shell: bash
-      run: |
-        if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
-          echo "Expected results directory to be empty after skipping query execution!"
-          exit 1
-        fi
-    - uses: ./../action/analyze
-      with:
-        output: ${{ runner.temp }}/results
-        upload-database: false
-    - name: Assert Results
-      shell: bash
-      run: |
-        cd "$RUNNER_TEMP/results"
-        # We should have 4 hits from these rules
-        EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
+      - name: Assert No Results
+        shell: bash
+        run: |
+          if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
+            echo "Expected results directory to be empty after skipping query execution!"
+            exit 1
+          fi
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Assert Results
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/results"
+          # We should have 4 hits from these rules
+          EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
 
-        # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
-        RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
-        echo "Found matching rules '$RULES'"
-        if [ "$RULES" != "$EXPECTED_RULES" ]; then
-          echo "Did not match expected rules '$EXPECTED_RULES'."
-          exit 1
-        fi
+          # use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
+          RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
+          echo "Found matching rules '$RULES'"
+          if [ "$RULES" != "$EXPECTED_RULES" ]; then
+            echo "Did not match expected rules '$EXPECTED_RULES'."
+            exit 1
+          fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__submit-sarif-failure.yml

@@ -1,64 +1,77 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Submit SARIF after failure
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   submit-sarif-failure:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: latest
-        - os: ubuntu-latest
-          version: cached
-        - os: ubuntu-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: nightly-latest
     name: Submit SARIF after failure
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: actions/checkout@v3
-    - uses: ./init
-      with:
-        languages: javascript
-    - name: Fail
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: actions/checkout@v4
+      - uses: ./init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Fail
     # We want this job to pass if the Action correctly uploads the SARIF file for
     # the failed run.
     # Setting this step to continue on error means that it is marked as completing
     # successfully, so will not fail the job.
-      continue-on-error: true
-      run: exit 1
-    - uses: ./analyze
+        continue-on-error: true
+        run: exit 1
+      - uses: ./analyze
     # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
     # above, we manually disable it with an `if` condition.
-      if: false
-      with:
-        category: /test-codeql-version:${{ matrix.version }}
+        if: false
+        with:
+          category: /test-codeql-version:${{ matrix.version }}
     env:
   # Internal-only environment variable used to indicate that the post-init Action
   # should expect to upload a SARIF file for the failed run.

.github/workflows/__swift-autobuild.yml

@@ -1,70 +1,80 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Swift analysis using autobuild
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   swift-autobuild:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: macos-latest
-          version: latest
-        - os: macos-latest
-          version: cached
-        - os: macos-latest
-          version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
     name: Swift analysis using autobuild
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      id: init
-      with:
-        languages: swift
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - uses: ./../action/.github/setup-swift
-      with:
-        codeql-path: ${{steps.init.outputs.codeql-path}}
-    - name: Check working directory
-      shell: bash
-      run: pwd
-    - uses: ./../action/autobuild
-      timeout-minutes: 10
-    - uses: ./../action/analyze
-      id: analysis
-    - name: Check database
-      shell: bash
-      run: |
-        SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
-        if [[ ! -d "$SWIFT_DB" ]]; then
-          echo "Did not create a database for Swift."
-          exit 1
-        fi
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        id: init
+        with:
+          languages: swift
+          build-mode: autobuild
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/.github/actions/setup-swift
+        with:
+          codeql-path: ${{steps.init.outputs.codeql-path}}
+      - name: Check working directory
+        shell: bash
+        run: pwd
+      - uses: ./../action/autobuild
+        timeout-minutes: 30
+      - uses: ./../action/analyze
+        id: analysis
+        with:
+          upload-database: false
+      - name: Check database
+        shell: bash
+        run: |
+          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
+          if [[ ! -d "$SWIFT_DB" ]]; then
+            echo "Did not create a database for Swift."
+            exit 1
+          fi
     env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__swift-custom-build.yml

@@ -1,78 +1,85 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Swift analysis using a custom build command
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   swift-custom-build:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
+          - os: macos-latest
+            version: linked
+          - os: macos-latest
+            version: default
+          - os: macos-latest
+            version: nightly-latest
     name: Swift analysis using a custom build command
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      id: init
-      with:
-        languages: swift
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - uses: ./../action/.github/setup-swift
-      with:
-        codeql-path: ${{steps.init.outputs.codeql-path}}
-    - name: Check working directory
-      shell: bash
-      run: pwd
-    - name: Build code
-      shell: bash
-      run: ./build.sh
-    - uses: ./../action/analyze
-      id: analysis
-    - name: Check database
-      shell: bash
-      run: |
-        SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
-        if [[ ! -d "$SWIFT_DB" ]]; then
-          echo "Did not create a database for Swift."
-          exit 1
-        fi
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        id: init
+        with:
+          languages: swift
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/.github/actions/setup-swift
+        with:
+          codeql-path: ${{steps.init.outputs.codeql-path}}
+      - name: Check working directory
+        shell: bash
+        run: pwd
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis
+        with:
+          upload-database: false
+      - name: Check database
+        shell: bash
+        run: |
+          SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
+          if [[ ! -d "$SWIFT_DB" ]]; then
+            echo "Did not create a database for Swift."
+            exit 1
+          fi
     env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__test-autobuild-working-dir.yml

@@ -1,65 +1,77 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Autobuild working directory
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   test-autobuild-working-dir:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: latest
+          - os: ubuntu-latest
+            version: linked
     name: Autobuild working directory
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Test setup
-      shell: bash
-      run: |
-        # Make sure that Gradle build succeeds in autobuild-dir ...
-        cp -a ../action/tests/java-repo autobuild-dir
-        # ... and fails if attempted in the current directory
-        echo > build.gradle
-    - uses: ./../action/init
-      with:
-        languages: java
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - uses: ./../action/autobuild
-      with:
-        working-directory: autobuild-dir
-    - uses: ./../action/analyze
-    - name: Check database
-      shell: bash
-      run: |
-        cd "$RUNNER_TEMP/codeql_databases"
-        if [[ ! -d java ]]; then
-          echo "Did not find a Java database"
-          exit 1
-        fi
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Test setup
+        shell: bash
+        run: |
+          # Make sure that Gradle build succeeds in autobuild-dir ...
+          cp -a ../action/tests/java-repo autobuild-dir
+          # ... and fails if attempted in the current directory
+          echo > build.gradle
+      - uses: ./../action/init
+        with:
+          languages: java
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/autobuild
+        with:
+          working-directory: autobuild-dir
+      - uses: ./../action/analyze
+      - name: Check database
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/codeql_databases"
+          if [[ ! -d java ]]; then
+            echo "Did not find a Java database"
+            exit 1
+          fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__test-local-codeql.yml

@@ -1,55 +1,70 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Local CodeQL bundle
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   test-local-codeql:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: nightly-latest
     name: Local CodeQL bundle
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Fetch a CodeQL bundle
-      shell: bash
-      env:
-        CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
-      run: |
-        wget "$CODEQL_URL"
-    - uses: ./../action/init
-      with:
-        tools: ./codeql-bundle.tar.gz
-    - name: Build code
-      shell: bash
-      run: ./build.sh
-    - uses: ./../action/analyze
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Fetch a CodeQL bundle
+        shell: bash
+        env:
+          CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
+        run: |
+          wget "$CODEQL_URL"
+      - id: init
+        uses: ./../action/init
+        with:
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          languages: cpp,csharp,go,java,javascript,python,ruby
+          tools: ./codeql-bundle-linux64.tar.zst
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__test-proxy.yml

@@ -1,48 +1,60 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Proxy test
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   test-proxy:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-latest
-          version: latest
+          - os: ubuntu-latest
+            version: linked
     name: Proxy test
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      with:
-        languages: javascript
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - uses: ./../action/analyze
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'false'
+      - uses: ./../action/init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
     env:
       https_proxy: http://squid-proxy:3128
       CODEQL_ACTION_TEST_MODE: true
@@ -53,4 +65,4 @@ jobs:
       squid-proxy:
         image: ubuntu/squid:latest
         ports:
-        - 3128:3128
+          - 3128:3128

.github/workflows/__unset-environment.yml

@@ -1,107 +1,111 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Test unsetting environment variables
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   unset-environment:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-20.04
-          version: stable-20211005
-        - os: ubuntu-20.04
-          version: stable-20220120
-        - os: ubuntu-latest
-          version: stable-20220401
-        - os: ubuntu-latest
-          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
     name: Test unsetting environment variables
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Set up Go
-      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
-      with:
-        go-version: ^1.13.1
-    - uses: ./../action/init
-      with:
-        db-location: ${{ runner.temp }}/customDbLocation
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - name: Build code
-      shell: bash
-    # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
-    # workaround for our PR checks.
-      run: env -i CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN=true PATH="$PATH" HOME="$HOME"
-        ./build.sh
-    - uses: ./../action/analyze
-      id: analysis
-    - shell: bash
-      run: |
-        CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
-        if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
-          echo "::error::Did not create a database for CPP, or created it in the wrong location." \
-            "Expected location was '${RUNNER_TEMP}/customDbLocation/cpp' but actual was '${CPP_DB}'"
-          exit 1
-        fi
-        CSHARP_DB="${{ fromJson(steps.analysis.outputs.db-locations).csharp }}"
-        if [[ ! -d "$CSHARP_DB" ]] || [[ ! "$CSHARP_DB" == "${RUNNER_TEMP}/customDbLocation/csharp" ]]; then
-          echo "::error::Did not create a database for C Sharp, or created it in the wrong location." \
-            "Expected location was '${RUNNER_TEMP}/customDbLocation/csharp' but actual was '${CSHARP_DB}'"
-          exit 1
-        fi
-        GO_DB="${{ fromJson(steps.analysis.outputs.db-locations).go }}"
-        if [[ ! -d "$GO_DB" ]] || [[ ! "$GO_DB" == "${RUNNER_TEMP}/customDbLocation/go" ]]; then
-          echo "::error::Did not create a database for Go, or created it in the wrong location." \
-            "Expected location was '${RUNNER_TEMP}/customDbLocation/go' but actual was '${GO_DB}'"
-          exit 1
-        fi
-        JAVA_DB="${{ fromJson(steps.analysis.outputs.db-locations).java }}"
-        if [[ ! -d "$JAVA_DB" ]] || [[ ! "$JAVA_DB" == "${RUNNER_TEMP}/customDbLocation/java" ]]; then
-          echo "::error::Did not create a database for Java, or created it in the wrong location." \
-            "Expected location was '${RUNNER_TEMP}/customDbLocation/java' but actual was '${JAVA_DB}'"
-          exit 1
-        fi
-        JAVASCRIPT_DB="${{ fromJson(steps.analysis.outputs.db-locations).javascript }}"
-        if [[ ! -d "$JAVASCRIPT_DB" ]] || [[ ! "$JAVASCRIPT_DB" == "${RUNNER_TEMP}/customDbLocation/javascript" ]]; then
-          echo "::error::Did not create a database for Javascript, or created it in the wrong location." \
-            "Expected location was '${RUNNER_TEMP}/customDbLocation/javascript' but actual was '${JAVASCRIPT_DB}'"
-          exit 1
-        fi
-        PYTHON_DB="${{ fromJson(steps.analysis.outputs.db-locations).python }}"
-        if [[ ! -d "$PYTHON_DB" ]] || [[ ! "$PYTHON_DB" == "${RUNNER_TEMP}/customDbLocation/python" ]]; then
-          echo "::error::Did not create a database for Python, or created it in the wrong location." \
-            "Expected location was '${RUNNER_TEMP}/customDbLocation/python' but actual was '${PYTHON_DB}'"
-          exit 1
-        fi
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        id: init
+        with:
+          db-location: ${{ runner.temp }}/customDbLocation
+      # Swift is not supported on Ubuntu so we manually exclude it from the list here
+          languages: cpp,csharp,go,java,javascript,python,ruby
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '>=1.21.0'
+      - name: Build code
+        shell: bash
+        run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
+      - uses: ./../action/analyze
+        id: analysis
+        with:
+          upload-database: false
+      - shell: bash
+        run: |
+          CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
+          if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
+            echo "::error::Did not create a database for CPP, or created it in the wrong location." \
+              "Expected location was '${RUNNER_TEMP}/customDbLocation/cpp' but actual was '${CPP_DB}'"
+            exit 1
+          fi
+          CSHARP_DB="${{ fromJson(steps.analysis.outputs.db-locations).csharp }}"
+          if [[ ! -d "$CSHARP_DB" ]] || [[ ! "$CSHARP_DB" == "${RUNNER_TEMP}/customDbLocation/csharp" ]]; then
+            echo "::error::Did not create a database for C Sharp, or created it in the wrong location." \
+              "Expected location was '${RUNNER_TEMP}/customDbLocation/csharp' but actual was '${CSHARP_DB}'"
+            exit 1
+          fi
+          GO_DB="${{ fromJson(steps.analysis.outputs.db-locations).go }}"
+          if [[ ! -d "$GO_DB" ]] || [[ ! "$GO_DB" == "${RUNNER_TEMP}/customDbLocation/go" ]]; then
+            echo "::error::Did not create a database for Go, or created it in the wrong location." \
+              "Expected location was '${RUNNER_TEMP}/customDbLocation/go' but actual was '${GO_DB}'"
+            exit 1
+          fi
+          JAVA_DB="${{ fromJson(steps.analysis.outputs.db-locations).java }}"
+          if [[ ! -d "$JAVA_DB" ]] || [[ ! "$JAVA_DB" == "${RUNNER_TEMP}/customDbLocation/java" ]]; then
+            echo "::error::Did not create a database for Java, or created it in the wrong location." \
+              "Expected location was '${RUNNER_TEMP}/customDbLocation/java' but actual was '${JAVA_DB}'"
+            exit 1
+          fi
+          JAVASCRIPT_DB="${{ fromJson(steps.analysis.outputs.db-locations).javascript }}"
+          if [[ ! -d "$JAVASCRIPT_DB" ]] || [[ ! "$JAVASCRIPT_DB" == "${RUNNER_TEMP}/customDbLocation/javascript" ]]; then
+            echo "::error::Did not create a database for Javascript, or created it in the wrong location." \
+              "Expected location was '${RUNNER_TEMP}/customDbLocation/javascript' but actual was '${JAVASCRIPT_DB}'"
+            exit 1
+          fi
+          PYTHON_DB="${{ fromJson(steps.analysis.outputs.db-locations).python }}"
+          if [[ ! -d "$PYTHON_DB" ]] || [[ ! "$PYTHON_DB" == "${RUNNER_TEMP}/customDbLocation/python" ]]; then
+            echo "::error::Did not create a database for Python, or created it in the wrong location." \
+              "Expected location was '${RUNNER_TEMP}/customDbLocation/python' but actual was '${PYTHON_DB}'"
+            exit 1
+          fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__upload-ref-sha-input.yml

@@ -1,99 +1,77 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   upload-ref-sha-input:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-20.04
-          version: stable-20211005
-        - os: macos-latest
-          version: stable-20211005
-        - os: windows-2019
-          version: stable-20211005
-        - os: ubuntu-20.04
-          version: stable-20220120
-        - os: macos-latest
-          version: stable-20220120
-        - os: windows-2019
-          version: stable-20220120
-        - os: ubuntu-latest
-          version: stable-20220401
-        - os: macos-latest
-          version: stable-20220401
-        - os: windows-latest
-          version: stable-20220401
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: windows-latest
-          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: windows-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
-        - os: windows-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: default
+          - os: macos-latest
+            version: default
+          - os: windows-latest
+            version: default
     name: "Upload-sarif: 'ref' and 'sha' from inputs"
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Set up Go
-      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
-      with:
-        go-version: ^1.13.1
-    - uses: ./../action/init
-      with:
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-        languages: cpp,csharp,java,javascript,python
-        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
-          github.sha }}
-    - name: Build code
-      shell: bash
-      run: ./build.sh
-    - uses: ./../action/analyze
-      with:
-        ref: refs/heads/main
-        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-        upload: false
-    - uses: ./../action/upload-sarif
-      with:
-        ref: refs/heads/main
-        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          languages: cpp,csharp,java,javascript,python
+          config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+            github.sha }}
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+  # Generate some SARIF we can upload with the upload-sarif step
+      - uses: ./../action/analyze
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+          upload: never
+      - uses: ./../action/upload-sarif
+        with:
+          ref: refs/heads/main
+          sha: 5e235361806c361d4d3f8859e3c897658025a9a2
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__with-checkout-path.yml

@@ -1,143 +1,119 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Use a custom `checkout_path`
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
 on:
   push:
     branches:
-    - main
-    - releases/v2
+      - main
+      - releases/v*
   pull_request:
     types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   with-checkout-path:
     strategy:
+      fail-fast: false
       matrix:
         include:
-        - os: ubuntu-20.04
-          version: stable-20211005
-        - os: macos-latest
-          version: stable-20211005
-        - os: windows-2019
-          version: stable-20211005
-        - os: ubuntu-20.04
-          version: stable-20220120
-        - os: macos-latest
-          version: stable-20220120
-        - os: windows-2019
-          version: stable-20220120
-        - os: ubuntu-latest
-          version: stable-20220401
-        - os: macos-latest
-          version: stable-20220401
-        - os: windows-latest
-          version: stable-20220401
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: windows-latest
-          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: windows-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
-        - os: windows-latest
-          version: nightly-latest
+          - os: ubuntu-latest
+            version: linked
+          - os: macos-latest
+            version: linked
+          - os: windows-latest
+            version: linked
     name: Use a custom `checkout_path`
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - name: Set up Go
-      if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
-      with:
-        go-version: ^1.13.1
-    - uses: actions/checkout@v3
-      with:
-        ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
-        path: x/y/z/some-path
-    - uses: ./../action/init
-      with:
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Delete original checkout
+        shell: bash
+        run: |
+          # delete the original checkout so we don't accidentally use it.
+          # Actions does not support deleting the current working directory, so we
+          # delete the contents of the directory instead.
+          rm -rf ./* .github .git
+  # Check out the actions repo again, but at a different location.
+  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
+      - uses: actions/checkout@v4
+        with:
+          ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+          path: x/y/z/some-path
+
+      - uses: ./../action/init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
       # it's enough to test one compiled language and one interpreted language
-        languages: csharp,javascript
-        source-path: x/y/z/some-path/tests/multi-language-repo
-        debug: true
-    - name: Build code (non-windows)
-      shell: bash
-      if: ${{ runner.os != 'Windows' }}
-      run: |
-        $CODEQL_RUNNER x/y/z/some-path/tests/multi-language-repo/build.sh
-    - name: Build code (windows)
-      shell: bash
-      if: ${{ runner.os == 'Windows' }}
-      run: |
-        x/y/z/some-path/tests/multi-language-repo/build.sh
-    - uses: ./../action/analyze
-      with:
-        checkout_path: x/y/z/some-path/tests/multi-language-repo
-        ref: v1.1.0
-        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
-        upload: false
+          languages: csharp,javascript
+          source-root: x/y/z/some-path/tests/multi-language-repo
 
-    - uses: ./../action/upload-sarif
-      with:
-        ref: v1.1.0
-        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
-        checkout_path: x/y/z/some-path/tests/multi-language-repo
+      - name: Build code
+        shell: bash
+        working-directory: x/y/z/some-path/tests/multi-language-repo
+        run: |
+          ./build.sh
 
-    - name: Verify SARIF after upload
-      shell: bash
-      run: |
-        EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
-        EXPECTED_REF="v1.1.0"
-        EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
+      - uses: ./../action/analyze
+        with:
+          checkout_path: x/y/z/some-path/tests/multi-language-repo
+          ref: v1.1.0
+          sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
 
-        ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
-        ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
-        ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+      - name: Verify SARIF after upload
+        shell: bash
+        run: |
+          EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
+          EXPECTED_REF="v1.1.0"
+          EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
 
-        if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
-          echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
-          echo "$RUNNER_TEMP/payload.json"
-          exit 1
-        fi
+          ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
+          ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
+          ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
 
-        if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
-          echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
-          echo "$RUNNER_TEMP/payload.json"
-          exit 1
-        fi
+          if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
+            echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
+            echo "$RUNNER_TEMP/payload.json"
+            exit 1
+          fi
 
-        if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
-          echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
-          echo "$RUNNER_TEMP/payload.json"
-          exit 1
-        fi
+          if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
+            echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
+            echo "$RUNNER_TEMP/payload.json"
+            exit 1
+          fi
+
+          if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
+            echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
+            echo "$RUNNER_TEMP/payload.json"
+            exit 1
+          fi
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__zstd-bundle-fallback.yml

@@ -0,0 +1,123 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Zstandard bundle fallback
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  zstd-bundle-fallback:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: linked
+    name: Zstandard bundle fallback
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Remove CodeQL from toolcache
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
+            fs.rmdirSync(codeqlPath, { recursive: true });
+      - id: init
+        uses: ./../action/init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v3
+        with:
+          name: zstd-bundle.sarif
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check expected diagnostics
+        uses: actions/github-script@v7
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+        with:
+          script: |
+            const fs = require('fs');
+
+            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+            const run = sarif.runs[0];
+
+            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
+              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
+            );
+            if (downloadTelemetryNotifications.length !== 1) {
+              core.setFailed(
+                'Expected exactly one reporting descriptor in the ' +
+                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
+                  `${JSON.stringify(toolExecutionNotifications)}.`
+              );
+            }
+
+            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
+            console.log(`Found tools URL: ${toolsUrl}`);
+
+            if (!toolsUrl.endsWith('.tar.gz')) {
+              core.setFailed(
+                `Expected the tools URL to be a .tar.gz file, but found '${toolsUrl}'.`
+              );
+            }
+
+            const zstdFailureReason = downloadTelemetryNotifications[0].properties.attributes.zstdFailureReason;
+            console.log(`Found zstd failure reason: ${zstdFailureReason}`);
+
+            const expectedZstdFailureReason = 'Failing since CODEQL_ACTION_FORCE_ZSTD_FAILURE is true.';
+            if (zstdFailureReason !== expectedZstdFailureReason) {
+              core.setFailed(
+                `Expected the zstd failure reason to be '${expectedZstdFailureReason}', but found '${zstdFailureReason}'.`
+              );
+            }
+    env:
+      CODEQL_ACTION_ZSTD_BUNDLE: true
+      CODEQL_ACTION_FORCE_ZSTD_FAILURE: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__zstd-bundle-streaming.yml

@@ -0,0 +1,113 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Zstandard bundle (streaming)
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  zstd-bundle-streaming:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: linked
+    name: Zstandard bundle (streaming)
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Remove CodeQL from toolcache
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
+            fs.rmdirSync(codeqlPath, { recursive: true });
+      - id: init
+        uses: ./../action/init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v3
+        with:
+          name: zstd-bundle.sarif
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check diagnostic with expected tools URL appears in SARIF
+        uses: actions/github-script@v7
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+        with:
+          script: |
+            const fs = require('fs');
+
+            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+            const run = sarif.runs[0];
+
+            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
+              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
+            );
+            if (downloadTelemetryNotifications.length !== 1) {
+              core.setFailed(
+                'Expected exactly one reporting descriptor in the ' +
+                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
+                  `${JSON.stringify(toolExecutionNotifications)}.`
+              );
+            }
+
+            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
+            console.log(`Found tools URL: ${toolsUrl}`);
+
+            if (!toolsUrl.endsWith('.tar.zst')) {
+              core.setFailed(
+                `Expected the tools URL to be a .tar.zst file, but found ${toolsUrl}.`
+              );
+            }
+    env:
+      CODEQL_ACTION_ZSTD_BUNDLE: true
+      CODEQL_ACTION_ZSTD_BUNDLE_STREAMING_EXTRACTION: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__zstd-bundle.yml

@@ -0,0 +1,116 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Zstandard bundle
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  zstd-bundle:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+    name: Zstandard bundle
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Remove CodeQL from toolcache
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
+            fs.rmdirSync(codeqlPath, { recursive: true });
+      - id: init
+        uses: ./../action/init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v3
+        with:
+          name: zstd-bundle.sarif
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check diagnostic with expected tools URL appears in SARIF
+        uses: actions/github-script@v7
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+        with:
+          script: |
+            const fs = require('fs');
+
+            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+            const run = sarif.runs[0];
+
+            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
+              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
+            );
+            if (downloadTelemetryNotifications.length !== 1) {
+              core.setFailed(
+                'Expected exactly one reporting descriptor in the ' +
+                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
+                  `${JSON.stringify(toolExecutionNotifications)}.`
+              );
+            }
+
+            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
+            console.log(`Found tools URL: ${toolsUrl}`);
+
+            const expectedExtension = process.env['RUNNER_OS'] === 'Windows' ? '.tar.gz' : '.tar.zst';
+
+            if (!toolsUrl.endsWith(expectedExtension)) {
+              core.setFailed(
+                `Expected the tools URL to be a ${expectedExtension} file, but found ${toolsUrl}.`
+              );
+            }
+    env:
+      CODEQL_ACTION_ZSTD_BUNDLE: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/check-expected-release-files.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout CodeQL Action
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check Expected Release Files
         run: |
           bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"

.github/workflows/codeql.yml

@@ -2,15 +2,16 @@ name: "CodeQL action"
 
 on:
   push:
-    branches: [main, releases/v2]
+    branches: [main, releases/v*]
   pull_request:
-    branches: [main, releases/v2]
+    branches: [main, releases/v*]
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
   schedule:
     # Weekly on Sunday.
     - cron: '30 1 * * 0'
+  workflow_dispatch:
 
 env:
   CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
@@ -26,7 +27,7 @@ jobs:
       security-events: write
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Init with default CodeQL bundle from the VM image
       id: init-default
       uses: ./init
@@ -40,7 +41,7 @@ jobs:
       id: init-latest
       uses: ./init
       with:
-        tools: latest
+        tools: linked
         languages: javascript
     - name: Compare default and latest CodeQL bundle versions
       id: compare
@@ -53,16 +54,16 @@ jobs:
         echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
         echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
 
-        # If we're running on a pull request, run with both bundles, even if `tools: latest` would
+        # If we're running on a pull request, run with both bundles, even if `tools: linked` would
         # be the same as `tools: null`. This allows us to make the job for each of the bundles a
         # required status check.
         #
-        # If we're running on push or schedule, then we can skip running with `tools: latest` when it would be
+        # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
         # the same as running with `tools: null`.
         if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
           VERSIONS_JSON='[null]'
         else
-          VERSIONS_JSON='[null, "latest"]'
+          VERSIONS_JSON='[null, "linked"]'
         fi
 
         # Output a JSON-encoded list with the distinct versions to test against.
@@ -72,8 +73,9 @@ jobs:
   build:
     needs: [check-codeql-versions]
     strategy:
+      fail-fast: false
       matrix:
-        os: [ubuntu-latest,windows-latest,macos-latest]
+        os: [ubuntu-20.04,ubuntu-22.04,windows-2019,windows-2022,macos-12,macos-13,macos-14]
         tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 
@@ -82,7 +84,7 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Initialize CodeQL
       uses: ./init
       id: init
@@ -95,3 +97,5 @@ jobs:
       run: ${{steps.init.outputs.codeql-path}} version --format=json
     - name: Perform CodeQL Analysis
       uses: ./analyze
+      with:
+        category: "/language:javascript"

.github/workflows/codescanning-config-cli.yml

@@ -3,19 +3,20 @@
 name: Code-Scanning config CLI tests
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  CODEQL_PASS_CONFIG_TO_CLI: true
 
 on:
   push:
     branches:
     - main
-    - releases/v2
+    - releases/v*
   pull_request:
     types:
     - opened
     - synchronize
     - reopened
     - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 
 jobs:
@@ -23,16 +24,17 @@ jobs:
     continue-on-error: true
 
     strategy:
+      fail-fast: false
       matrix:
         include:
         - os: ubuntu-latest
-          version: latest
+          version: linked
         - os: macos-latest
-          version: latest
+          version: linked
         - os: ubuntu-latest
-          version: cached
+          version: default
         - os: macos-latest
-          version: cached
+          version: default
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
@@ -44,15 +46,15 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
 
     - name: Empty file
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: "{}"
         languages: javascript
@@ -60,31 +62,31 @@ jobs:
 
     - name: Packs from input
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
-            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
+            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
           }
         languages: javascript
-        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
+        packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Packs from input with +
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
-            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
+            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
           }
         languages: javascript
-        packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
+        packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Queries from input
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -96,7 +98,7 @@ jobs:
 
     - name: Queries from input with +
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -108,27 +110,27 @@ jobs:
 
     - name: Queries and packs from input with +
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
             "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }],
-            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
+            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
           }
         languages: javascript
         queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
-        packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
+        packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Queries and packs from config
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
             "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }],
             "packs": {
-              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
+              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
             }
           }
         languages: javascript
@@ -137,7 +139,7 @@ jobs:
 
     - name: Queries and packs from config overriden by input
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -152,7 +154,7 @@ jobs:
 
     - name: Queries and packs from config merging with input
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -161,7 +163,7 @@ jobs:
               { "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }
             ],
             "packs": {
-              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2", "codeql/javascript-queries" ]
+              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2", "codeql/javascript-queries" ]
             }
           }
         languages: javascript
@@ -172,12 +174,12 @@ jobs:
 
     - name: Multi-language packs from config
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
             "packs": {
-              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ],
+              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ],
               "ruby": ["codeql/ruby-queries"]
             },
             "queries": [
@@ -190,7 +192,7 @@ jobs:
 
     - name: Other config properties
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -204,15 +206,3 @@ jobs:
         packs: + codeql/javascript-queries
         config-file-test: .github/codeql/other-config-properties.yml
         tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-    - name: Config not generated when env var is not set
-      if: success() || failure()
-      env:
-        CODEQL_PASS_CONFIG_TO_CLI: false
-      uses: ./../action/.github/check-codescanning-config
-      with:
-        expected-config-file-contents: ""
-        languages: javascript
-        packs: + codeql/javascript-queries
-        config-file-test: .github/codeql/other-config-properties.yml
-        tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/debug-artifacts-failure.yml

@@ -2,44 +2,41 @@
 # when the analyze step fails.
 name: PR Check - Debug artifacts after failure
 env:
-  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
-  # workaround for our PR checks.
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  CODEQL_ACTION_ARTIFACT_V4_UPGRADE: true
 on:
   push:
     branches:
     - main
-    - releases/v2
+    - releases/v*
   pull_request:
     types:
     - opened
     - synchronize
     - reopened
     - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   upload-artifacts:
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest]
     name: Upload debug artifacts after failure in analyze
     continue-on-error: true
     env:
       CODEQL_ACTION_TEST_MODE: true
     timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
     steps:
       - name: Dump GitHub event
         run: cat "${GITHUB_EVENT_PATH}"
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Prepare test
         id: prepare-test
-        uses: ./.github/prepare-test
+        uses: ./.github/actions/prepare-test
         with:
-          version: latest
-      - uses: actions/setup-go@v3
+          version: linked
+      - uses: actions/setup-go@v5
         with:
           go-version: ^1.13.1
       - uses: ./../action/init
@@ -52,10 +49,12 @@ jobs:
         shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
-        id: analysis  
+        id: analysis
+        env: 
+          # Forces a failure in this step.
+          CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
         with:
           expect-error: true
-          ram: 1
   download-and-check-artifacts:
     name: Download and check debug artifacts after failure in analyze
     needs: upload-artifacts
@@ -63,31 +62,27 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
       - name: Check expected artifacts exist
         shell: bash
         run: |
-          OPERATING_SYSTEMS="ubuntu-latest macos-latest"
           LANGUAGES="cpp csharp go java javascript python"
-          for os in $OPERATING_SYSTEMS; do
-            pushd "./my-debug-artifacts-$os"
-            echo "Artifacts from run on $os:"
-            for language in $LANGUAGES; do
-              echo "- Checking $language"
-              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
-                echo "Missing a partial database bundle for $language"
-                exit 1
-              fi
-              if [[ ! -d "log" ]] ; then
-                echo "Missing database initialization logs"
-                exit 1
-              fi
-              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
-                echo "Missing logs for $language"
-                exit 1
-              fi
-            done
-            popd
+          cd "./my-debug-artifacts"
+          echo "Artifacts from run:"
+          for language in $LANGUAGES; do
+            echo "- Checking $language"
+            if [[ ! -f "my-db-$language-partial.zip" ]] ; then
+              echo "Missing a partial database bundle for $language"
+              exit 1
+            fi
+            if [[ ! -d "log" ]] ; then
+              echo "Missing database initialization logs"
+              exit 1
+            fi
+            if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
+              echo "Missing logs for $language"
+              exit 1
+            fi
           done
         env:
           GO111MODULE: auto

.github/workflows/debug-artifacts-legacy.yml

@@ -0,0 +1,99 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist and are accessible
+# with download-artifact@v3 when CODEQL_ACTION_ARTIFACT_V4_UPGRADE is set to false.
+name: PR Check - Debug artifact upload using artifact@v2
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  CODEQL_ACTION_ARTIFACT_V4_UPGRADE: false
+on:
+  push:
+    branches:
+    - main
+    - releases/v*
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+        - stable-v2.14.6
+        - stable-v2.15.5
+        - stable-v2.16.6
+        - stable-v2.17.6
+        - stable-v2.18.4
+        - default
+        - linked
+        - nightly-latest
+    name: Upload debug artifacts
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ^1.13.1
+      - uses: ./../action/init
+        id: init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
+          languages: cpp,csharp,go,java,javascript,python,ruby 
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis
+  download-and-check-artifacts:
+    name: Download and check debug artifacts
+    needs: upload-artifacts
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v3
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          VERSIONS="stable-v2.14.6 stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 stable-v2.18.4 default linked nightly-latest"
+          LANGUAGES="cpp csharp go java javascript python"
+          for version in $VERSIONS; do
+            pushd "./my-debug-artifacts-${version//./}"
+            echo "Artifacts from version $version:"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "$language.sarif" ]] ; then
+                echo "Missing a SARIF file for $language"
+                exit 1
+              fi
+              if [[ ! -f "my-db-$language.zip" ]] ; then
+                echo "Missing a database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
+            done
+            popd
+          done
+        env:
+          GO111MODULE: auto

.github/workflows/debug-artifacts.yml

@@ -1,78 +1,66 @@
 # Checks logs, SARIF, and database bundle debug artifacts exist.
 name: PR Check - Debug artifact upload
 env:
-  # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
-  # workaround for our PR checks.
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  CODEQL_ACTION_ARTIFACT_V4_UPGRADE: true
 on:
   push:
     branches:
     - main
-    - releases/v2
+    - releases/v*
   pull_request:
     types:
     - opened
     - synchronize
     - reopened
     - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 jobs:
   upload-artifacts:
     strategy:
+      fail-fast: false
       matrix:
-        include:
-        - os: ubuntu-20.04
-          version: stable-20211005
-        - os: macos-latest
-          version: stable-20211005
-        - os: ubuntu-20.04
-          version: stable-20220120
-        - os: macos-latest
-          version: stable-20220120
-        - os: ubuntu-latest
-          version: stable-20220401
-        - os: macos-latest
-          version: stable-20220401
-        - os: ubuntu-latest
-          version: cached
-        - os: macos-latest
-          version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: macos-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest
+        version:
+        - stable-v2.14.6
+        - stable-v2.15.5
+        - stable-v2.16.6
+        - stable-v2.17.6
+        - stable-v2.18.4
+        - default
+        - linked
+        - nightly-latest
     name: Upload debug artifacts
     env:
       CODEQL_ACTION_TEST_MODE: true
     timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Prepare test
         id: prepare-test
-        uses: ./.github/prepare-test
+        uses: ./.github/actions/prepare-test
         with:
           version: ${{ matrix.version }}
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v5
         with:
           go-version: ^1.13.1
       - uses: ./../action/init
+        id: init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
           debug: true
           debug-artifact-name: my-debug-artifacts
           debug-database-name: my-db
+          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
+          languages: cpp,csharp,go,java,javascript,python,ruby 
       - name: Build code
         shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
-        id: analysis  
+        id: analysis
   download-and-check-artifacts:
     name: Download and check debug artifacts
     needs: upload-artifacts
@@ -80,40 +68,31 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
       - name: Check expected artifacts exist
         shell: bash
         run: |
-          VERSIONS="stable-20211005 stable-20220120 stable-20220401 cached latest nightly-latest"
+          VERSIONS="stable-v2.14.6 stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 stable-v2.18.4 default linked nightly-latest"
           LANGUAGES="cpp csharp go java javascript python"
           for version in $VERSIONS; do
-            if [[ "$version" =~ stable-(20211005|20220120|20210809) ]]; then
-              # Note the absence of the period in "ubuntu-2004": this is present in the image name
-              # but not the artifact name
-              OPERATING_SYSTEMS="ubuntu-2004 macos-latest"
-            else
-              OPERATING_SYSTEMS="ubuntu-latest macos-latest"
-            fi
-            for os in $OPERATING_SYSTEMS; do
-              pushd "./my-debug-artifacts-$os-$version"
-              echo "Artifacts from version $version on $os:"
-              for language in $LANGUAGES; do
-                echo "- Checking $language"
-                if [[ ! -f "$language.sarif" ]] ; then
-                  echo "Missing a SARIF file for $language"
-                  exit 1
-                fi
-                if [[ ! -f "my-db-$language.zip" ]] ; then
-                  echo "Missing a database bundle for $language"
-                  exit 1
-                fi
-                if [[ ! -d "$language/log" ]] ; then
-                  echo "Missing logs for $language"
-                  exit 1
-                fi
-              done
-              popd
+            pushd "./my-debug-artifacts-${version//./}"
+            echo "Artifacts from version $version:"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "$language.sarif" ]] ; then
+                echo "Missing a SARIF file for $language"
+                exit 1
+              fi
+              if [[ ! -f "my-db-$language.zip" ]] ; then
+                echo "Missing a database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
             done
+            popd
           done
         env:
           GO111MODULE: auto

.github/workflows/expected-queries-runs.yml

@@ -4,13 +4,15 @@ on:
   push:
     branches:
     - main
-    - releases/v2
+    - releases/v*
   pull_request:
     types:
     - opened
     - synchronize
     - reopened
     - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 
 jobs:
@@ -22,12 +24,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
-        version: latest
+        version: linked
     - uses: ./../action/init
       with:
         languages: javascript
@@ -35,11 +37,9 @@ jobs:
     - uses: ./../action/analyze
       with:
         output: ${{ runner.temp }}/results
-        upload-database: false
-        upload: false
 
     - name: Check Sarif
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
       with:
         sarif-file: ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/incomplete-hostname-regexp,js/path-injection

.github/workflows/post-release-mergeback.yml

@@ -1,9 +1,9 @@
-# This workflow runs after a release of the action. It:
-# 1. Merges any changes from the release back into the main branch. Typically, this is just a single
-#    commit that updates the changelog.
-# 2. Tags the merge commit on the release branch that represents the new release with an `v2.x.y`
+# This workflow runs after a merge to any release branch of the action. It:
+# 1. Tags the merge commit on the release branch that represents the new release with an `vN.x.y`
 #    tag
-# 3. Updates the `v2` tag to refer to this merge commit.
+# 2. Updates the `vN` tag to refer to this merge commit.
+# 3. Iff vN == vLatest, merges any changes from the release back into the main branch.
+#    Typically, this is two commits – one to update the version number and one to update dependencies.
 name: Tag release and merge back
 
 on:
@@ -16,7 +16,7 @@ on:
 
   push:
     branches:
-      - releases/v2
+      - releases/v*
 
 jobs:
   merge-back:
@@ -35,12 +35,14 @@ jobs:
           GITHUB_CONTEXT: '${{ toJson(github) }}'
         run: echo "${GITHUB_CONTEXT}"
 
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # ensure we have all tags and can push commits
+      - uses: actions/setup-node@v4
 
       - name: Update git config
         run: |
-          git config --global user.email "github-actions@github.com"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
       - name: Get version and new branch
@@ -51,6 +53,8 @@ jobs:
           short_sha="${GITHUB_SHA:0:8}"
           NEW_BRANCH="mergeback/${VERSION}-to-${BASE_BRANCH}-${short_sha}"
           echo "newBranch=${NEW_BRANCH}" >> $GITHUB_OUTPUT
+          LATEST_RELEASE_BRANCH=$(git branch -r | grep -E "origin/releases/v[0-9]+$" | sed 's/origin\///g' | sort -V | tail -1 | xargs)
+          echo "latest_release_branch=${LATEST_RELEASE_BRANCH}" >> $GITHUB_OUTPUT
 
       - name: Dump branches
         env:
@@ -59,6 +63,8 @@ jobs:
           echo "BASE_BRANCH ${BASE_BRANCH}"
           echo "HEAD_BRANCH ${HEAD_BRANCH}"
           echo "NEW_BRANCH ${NEW_BRANCH}"
+          echo "LATEST_RELEASE_BRANCH ${LATEST_RELEASE_BRANCH}"
+          echo "GITHUB_REF ${GITHUB_REF}"
 
       - name: Create mergeback branch
         env:
@@ -89,8 +95,6 @@ jobs:
         env:
           VERSION: ${{ steps.getVersion.outputs.version }}
         run: |
-          # Unshallow the repo in order to allow pushes
-          git fetch --unshallow
           # Create the `vx.y.z` tag
           git tag --annotate "${VERSION}" --message "${VERSION}"
           # Update the `vx` tag
@@ -99,13 +103,24 @@ jobs:
           git tag --annotate "${major_version_tag}" --message "${major_version_tag}" --force
           # Push the tags, using:
           # - `--atomic` to make sure we either update both tags or neither (an intermediate state,
-          #   e.g. where we update the v2.x.y tag on the remote but not the v2 tag, could result in
-          #   unwanted Dependabot updates, e.g. from v2 to v2.x.y)
-          # - `--force` since we're overwriting the `vx` tag
+          #   e.g. where we update the vN.x.y tag on the remote but not the vN tag, could result in
+          #   unwanted Dependabot updates, e.g. from vN to vN.x.y)
+          # - `--force` since we're overwriting the `vN` tag
           git push origin --atomic --force refs/tags/"${VERSION}" refs/tags/"${major_version_tag}"
 
+      - name: Prepare partial Changelog
+        env:
+          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
+          VERSION: "${{ steps.getVersion.outputs.version }}"
+        run: |
+          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG
+
+          echo "::group::Partial CHANGELOG"
+          cat $PARTIAL_CHANGELOG
+          echo "::endgroup::"
+
       - name: Create mergeback branch
-        if: steps.check.outputs.exists != 'true'
+        if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
         env:
           VERSION: "${{ steps.getVersion.outputs.version }}"
           NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
@@ -129,8 +144,8 @@ jobs:
           # Update the version number ready for the next release
           npm version patch --no-git-tag-version
 
-          # Update the changelog
-          perl -i -pe 's/^/## \[UNRELEASED\]\n\nNo user facing changes.\n\n/ if($.==3)' CHANGELOG.md
+          # Update the changelog, adding a new version heading directly above the most recent existing one
+          awk '!f && /##/{print "'"## [UNRELEASED]\n\nNo user facing changes.\n"'"; f=1}1' CHANGELOG.md > temp && mv temp CHANGELOG.md
           git add .
           git commit -m "Update changelog and version after ${VERSION}"
 
@@ -146,3 +161,16 @@ jobs:
             --body "${pr_body}" \
             --assignee "${GITHUB_ACTOR}" \
             --draft
+
+      - name: Create the GitHub release
+        env:
+          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
+          VERSION: "${{ steps.getVersion.outputs.version }}"
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Do not mark this release as latest. The most recent CLI release must be marked as latest.
+          gh release create \
+            "$VERSION" \
+            --latest=false \
+            --title "$VERSION" \
+            --notes-file "$PARTIAL_CHANGELOG"

.github/workflows/pr-checks.yml

@@ -2,7 +2,6 @@ name: PR Checks
 
 on:
   push:
-    branches: [main, releases/v2]
   pull_request:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
@@ -14,64 +13,150 @@ jobs:
     name: Check JS
     runs-on: ubuntu-latest
     timeout-minutes: 45
+    permissions:
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        node-types-version: [16.11, current] # we backport this matrix job in order to maintain the same check names
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Lint
-        run: npm run-script lint
+        id: lint
+        run: npm run-script lint-ci
+
+      - name: Upload sarif
+        uses: github/codeql-action/upload-sarif@v3
+        # Only upload SARIF for the latest version of Node.js
+        if: "!cancelled() && matrix.node-types-version == 'current' && !startsWith(github.head_ref, 'dependabot/')"
+        with:
+          sarif_file: eslint.sarif
+          category: eslint
+
+      - name: Update version of @types/node
+        if: matrix.node-types-version != 'current'
+        env:
+          NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
+        run: |
+          # Export `NODE_TYPES_VERSION` so it's available to jq
+          export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
+          contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
+          echo "${contents}" > package.json
+          # Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
+          # However we're not checking in the updated lockfile here, so it's fine to run
+          # `npm install` on Linux.
+          npm install
+
+          if [ ! -z "$(git status --porcelain)" ]; then
+            git config --global user.email "github-actions@github.com"
+            git config --global user.name "github-actions[bot]"
+            # The period in `git add --all .` ensures that we stage deleted files too.
+            git add --all .
+            git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
+          fi
 
       - name: Check generated JS
+        if: matrix.node-types-version != 'current' # we do not need to test the newer node on the v2 branch
         run: .github/workflows/script/check-js.sh
 
   check-node-modules:
+    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
     name: Check modules up to date
     runs-on: macos-latest
     timeout-minutes: 45
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check node modules up to date
         run: .github/workflows/script/check-node-modules.sh
 
   check-file-contents:
+    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
     name: Check file contents
     runs-on: ubuntu-latest
     timeout-minutes: 45
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
-          python-version: 3.8
+          python-version: 3.11
 
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install ruamel.yaml
+          # When updating this, update the autogenerated code header in `sync.py` too.
+          pip install ruamel.yaml==0.17.31
 
       # Ensure the generated PR check workflows are up to date.
       - name: Verify PR checks up to date
         run: .github/workflows/script/verify-pr-checks.sh
 
   npm-test:
+    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
     name: Unit Test
     needs: [check-js, check-node-modules]
     strategy:
+      fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     timeout-minutes: 45
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: npm test
         run: |
           # Run any commands referenced in package.json using Bash, otherwise
           # we won't be able to find them on Windows.
           npm config set script-shell bash
           npm test
+
+  check-node-version:
+    if: github.event.pull_request
+    name: Check Action Node versions
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    env:
+      BASE_REF: ${{ github.base_ref }}
+
+    steps:
+      - uses: actions/checkout@v4
+      - id: head-version
+        name: Verify all Actions use the same Node version
+        run: |
+          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
+          echo "NODE_VERSION: ${NODE_VERSION}"
+          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
+            echo "::error::More than one node version used in 'action.yml' files."
+            exit 1
+          fi
+          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
+
+      - id: checkout-base
+        name: 'Backport: Check out base ref'
+        if: ${{ startsWith(github.head_ref, 'backport-') }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.BASE_REF }}
+
+      - name: 'Backport: Verify Node versions unchanged'
+        if: steps.checkout-base.outcome == 'success'
+        env:
+          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
+        run: |
+          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
+          echo "HEAD_VERSION: ${HEAD_VERSION}"
+          echo "BASE_VERSION: ${BASE_VERSION}"
+          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
+            echo "::error::Cannot change the Node version of an Action in a backport PR."
+            exit 1
+          fi

.github/workflows/python-deps.yml

@@ -1,174 +0,0 @@
-name: Test Python Package Installation
-
-on:
-  push:
-    branches: [main, releases/v2]
-  pull_request:
-    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
-    # by other workflows.
-    types: [opened, synchronize, reopened, ready_for_review]
-    paths:
-      # Changes to this workflow.
-      - '.github/workflows/python-deps.yml'
-      # Changes to the Python package installation scripts and their tests.
-      - 'python-setup/**'
-      # Changes to the default CodeQL bundle version.
-      - '**/defaults.json'
-  schedule:
-    # Weekly on Monday.
-    - cron: '0 0 * * 1'
-  workflow_dispatch:
-
-jobs:
-  test-setup-python-scripts:
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    strategy:
-        fail-fast: false
-        matrix:
-          os: [ubuntu-20.04, ubuntu-22.04, macos-latest]
-          python_deps_type: [pipenv, poetry, requirements, setup_py]
-          python_version: [3]
-
-
-    env:
-      PYTHON_DEPS_TYPE: ${{ matrix.python_deps_type }}
-      PYTHON_VERSION: ${{ matrix.python_version }}
-
-    steps:
-    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - uses: actions/checkout@v3
-
-    - name: Initialize CodeQL
-      uses: ./init
-      id: init
-      with:
-        tools: latest
-        languages: python
-        setup-python-dependencies: false
-
-    - name: Test Auto Package Installation
-      run: |
-        set -x
-        $GITHUB_WORKSPACE/python-setup/install_tools.sh
-
-        cd $GITHUB_WORKSPACE/python-setup/tests/${PYTHON_DEPS_TYPE}/requests-${PYTHON_VERSION}
-
-        case ${{ matrix.os }} in
-            ubuntu-20.04*)     basePath="/opt";;
-            ubuntu-22.04*)     basePath="/opt";;
-            macos-latest*)    basePath="/Users/runner";;
-        esac
-        echo ${basePath}
-
-        $GITHUB_WORKSPACE/python-setup/auto_install_packages.py "$(dirname ${{steps.init.outputs.codeql-path}})"
-    - name: Setup for extractor
-      run: |
-        echo $CODEQL_PYTHON
-        # only run if $CODEQL_PYTHON is set
-        if [ ! -z $CODEQL_PYTHON ]; then
-            $GITHUB_WORKSPACE/python-setup/tests/from_python_exe.py $CODEQL_PYTHON;
-        fi
-
-    - name: Verify packages installed
-      run: |
-        $GITHUB_WORKSPACE/python-setup/tests/check_requests_2_26_0.sh ${PYTHON_VERSION}
-
-  # This one shouldn't fail, but also won't install packages
-  test-setup-python-scripts-non-standard-location:
-    runs-on: ${{ matrix.os }}
-    strategy:
-        fail-fast: false
-        matrix:
-          os: [ubuntu-20.04, ubuntu-22.04, macos-latest]
-
-    steps:
-    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - uses: actions/checkout@v3
-
-    - name: Initialize CodeQL
-      uses: ./init
-      id: init
-      with:
-        tools: latest
-        languages: python
-        setup-python-dependencies: false
-
-    - name: Test Auto Package Installation
-      run: |
-        set -x
-        $GITHUB_WORKSPACE/python-setup/install_tools.sh
-
-        cd $GITHUB_WORKSPACE/python-setup/tests/requirements/non-standard-location
-
-        case ${{ matrix.os }} in
-            ubuntu-20.04*)     basePath="/opt";;
-            ubuntu-22.04*)     basePath="/opt";;
-            macos-latest*)    basePath="/Users/runner";;
-        esac
-        echo ${basePath}
-
-        $GITHUB_WORKSPACE/python-setup/auto_install_packages.py "$(dirname ${{steps.init.outputs.codeql-path}})"
-
-    - name: Setup for extractor
-      run: |
-        echo $CODEQL_PYTHON
-        # only run if $CODEQL_PYTHON is set
-        if [ ! -z $CODEQL_PYTHON ]; then
-            $GITHUB_WORKSPACE/python-setup/tests/from_python_exe.py $CODEQL_PYTHON;
-        fi
-
-    - name: Verify packages installed
-      run: |
-        test -z $LGTM_INDEX_IMPORT_PATH
-
-  test-setup-python-scripts-windows:
-    runs-on: windows-latest
-    strategy:
-        fail-fast: false
-        matrix:
-          python_deps_type: [pipenv, poetry, requirements, setup_py]
-          python_version: [3]
-
-    env:
-      CODEQL_ACTION_TEST_MODE: true
-      PYTHON_DEPS_TYPE: ${{ matrix.python_deps_type }}
-      PYTHON_VERSION: ${{ matrix.python_version }}
-
-    steps:
-    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - uses: actions/checkout@v3
-
-    - uses: actions/setup-python@v4
-      with:
-        python-version: ${{ matrix.python_version }}
-
-    - name: Initialize CodeQL
-      id: init
-      uses: ./init
-      with:
-        tools: latest
-        languages: python
-        setup-python-dependencies: false
-
-    - name: Test Auto Package Installation
-      env:
-        CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
-      run: |
-        $cmd = $Env:GITHUB_WORKSPACE + "\\python-setup\\install_tools.ps1"
-        powershell -File $cmd
-
-        cd $Env:GITHUB_WORKSPACE\\python-setup/tests/$Env:PYTHON_DEPS_TYPE/requests-$Env:PYTHON_VERSION
-        $codeql_dist = (get-item $Env:CODEQL_PATH).Directory.FullName
-        py -3 $Env:GITHUB_WORKSPACE\\python-setup\\auto_install_packages.py $codeql_dist
-
-    - name: Setup for extractor
-      run: |
-        echo $Env:CODEQL_PYTHON
-
-        py -3 $Env:GITHUB_WORKSPACE\\python-setup\\tests\\from_python_exe.py $Env:CODEQL_PYTHON
-
-    - name: Verify packages installed
-      run: |
-        $cmd = $Env:GITHUB_WORKSPACE + "\\python-setup\\tests\\check_requests_2_26_0.ps1"
-        powershell -File $cmd $Env:PYTHON_VERSION

.github/workflows/python312-windows.yml

@@ -0,0 +1,41 @@
+name: Test that the workaround for python 3.12 on windows works
+
+on:
+  push:
+    branches: [main, releases/v*]
+  pull_request:
+    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
+    # by other workflows.
+    types: [opened, synchronize, reopened, ready_for_review]
+  schedule:
+    # Weekly on Monday.
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+
+jobs:
+  test-setup-python-scripts:
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    runs-on: windows-latest
+
+    steps:
+    - uses: actions/setup-python@v5
+      with:
+        python-version: 3.12
+
+    - uses: actions/checkout@v4
+
+    - name: Prepare test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: default
+
+    - name: Initialize CodeQL
+      uses: ./../action/init
+      with:
+        tools: linked
+        languages: python
+
+    - name: Analyze
+      uses: ./../action/analyze

.github/workflows/query-filters.yml

@@ -4,13 +4,15 @@ on:
   push:
     branches:
     - main
-    - releases/v2
+    - releases/v*
   pull_request:
     types:
     - opened
     - synchronize
     - reopened
     - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
   workflow_dispatch: {}
 
 jobs:
@@ -20,15 +22,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
-        version: latest
+        version: linked
 
     - name: Check SARIF for default queries with Single include, Single exclude
-      uses: ./../action/.github/query-filter-test
+      uses: ./../action/.github/actions/query-filter-test
       with:
         sarif-file:  ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/zipslip
@@ -37,7 +39,7 @@ jobs:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Check SARIF for query packs with Single include, Single exclude
-      uses: ./../action/.github/query-filter-test
+      uses: ./../action/.github/actions/query-filter-test
       with:
         sarif-file:  ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/zipslip,javascript/example/empty-or-one-block
@@ -46,7 +48,7 @@ jobs:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Check SARIF for query packs and local queries with Single include, Single exclude
-      uses: ./../action/.github/query-filter-test
+      uses: ./../action/.github/actions/query-filter-test
       with:
         sarif-file:  ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs

.github/workflows/rebuild.yml

@@ -0,0 +1,79 @@
+name: Rebuild Action
+
+on:
+  pull_request:
+    types: [labeled]
+  workflow_dispatch:
+
+jobs:
+  rebuild:
+    name: Rebuild Action
+    runs-on: ubuntu-latest
+    if: github.event.label.name == 'Rebuild'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Remove label
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          gh pr edit --repo github/codeql-action "$PR_NUMBER" \
+            --remove-label "Rebuild"
+
+      - name: Merge in changes from base branch
+        env:
+          BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
+        run: |
+          git fetch origin "$BASE_BRANCH"
+
+          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
+          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected"
+
+          # Check for merge conflicts outside of `lib`. Disable git diff's trailing whitespace check
+          # since `node_modules/@types/semver/README.md` fails it.
+          if git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/'; then
+            echo "Merge conflicts detected outside of lib/ directory. Please resolve them manually."
+            git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/' || true
+            exit 1
+          fi
+
+      - name: Compile TypeScript
+        run: |
+          npm install
+          npm run lint -- --fix
+          npm run build
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+
+      - name: Generate workflows
+        run: |
+          cd pr-checks
+          python -m pip install --upgrade pip
+          pip install ruamel.yaml==0.17.31
+          python3 sync.py
+
+      - name: Check for changes and push
+        env:
+          BRANCH: ${{ github.event.pull_request.head.ref }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          if [ ! -z "$(git status --porcelain)" ]; then
+            git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+            git config --global user.name "github-actions[bot]"
+            git add --all
+            git commit -m "Rebuild"
+            git push origin "HEAD:$BRANCH"
+            echo "Pushed a commit to rebuild the Action." \
+              "Please mark the PR as ready for review to trigger PR checks." |
+              gh pr comment --body-file - --repo github/codeql-action "$PR_NUMBER"
+            gh pr ready --undo --repo github/codeql-action "$PR_NUMBER"
+          fi

.github/workflows/script/prepare_changelog.py

@@ -0,0 +1,37 @@
+import os
+import sys
+
+EMPTY_CHANGELOG = 'No changes.\n\n'
+
+# Prepare the changelog for the new release
+# This function will extract the part of the changelog that
+# we want to include in the new release.
+def extract_changelog_snippet(changelog_file, version_tag):
+  output = ''
+  if (not os.path.exists(changelog_file)):
+    output = EMPTY_CHANGELOG
+
+  else:
+    with open('CHANGELOG.md', 'r') as f:
+      lines = f.readlines()
+
+      # Include everything up to, but excluding the second heading
+      found_first_section = False
+      for i, line in enumerate(lines):
+        if line.startswith('## '):
+          if found_first_section:
+            break
+          found_first_section = True
+        output += line
+
+  output += f"See the full [CHANGELOG.md](https://github.com/github/codeql-action/blob/{version_tag}/CHANGELOG.md) for more information."
+
+  return output
+
+
+if len(sys.argv) < 3:
+  raise Exception('Expecting argument: changelog_file version_tag')
+changelog_file = sys.argv[1]
+version_tag = sys.argv[2]
+
+print(extract_changelog_snippet(changelog_file, version_tag))

.github/workflows/script/update-node-modules.sh

@@ -1,9 +1,12 @@
-if [ "$1" != "update" && "$1" != "check-only" ]; then
+#!/bin/bash
+set -eu
+
+if [ "$1" != "update" ] && [ "$1" != "check-only" ]; then
     >&2 echo "Failed: Invalid argument. Must be 'update' or 'check-only'"
     exit 1
 fi
 
-sudo npm install --force -g npm@9.2.0
+npm install --force -g npm@9.2.0
 
 # clean the npm cache to ensure we don't have any files owned by root
 sudo npm cache clean --force

.github/workflows/script/update-required-checks.sh

@@ -2,6 +2,11 @@
 # Update the required checks based on the current branch.
 # Typically, this will be main.
 
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+REPO_DIR="$(dirname "$SCRIPT_DIR")"
+GRANDPARENT_DIR="$(dirname "$REPO_DIR")"
+source "$GRANDPARENT_DIR/releases.ini"
+
 if ! gh auth status 2>/dev/null; then
   gh auth status
   echo "Failed: Not authorized. This script requires admin access to github/codeql-action through the gh CLI."
@@ -22,14 +27,29 @@ fi
 
 echo "Getting checks for $GITHUB_SHA"
 
-# Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or . == "check-expected-release-files" or contains("Update") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
+# Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
 
 echo "$CHECKS" | jq
 
 echo "{\"contexts\": ${CHECKS}}" > checks.json
 
-for BRANCH in main releases/v2; do
+echo "Updating main"
+gh api --silent -X "PATCH" "repos/github/codeql-action/branches/main/protection/required_status_checks" --input checks.json
+
+# list all branchs on origin remote matching releases/v*
+BRANCHES="$(git ls-remote --heads origin 'releases/v*' | sed 's?.*refs/heads/??' | sort -V)"
+
+for BRANCH in $BRANCHES; do
+
+  # strip exact 'releases/v' prefix from $BRANCH using count of characters
+  VERSION="${BRANCH:10}"
+
+  if [ "$VERSION" -lt "$OLDEST_SUPPORTED_MAJOR_VERSION" ]; then
+    echo "Skipping $BRANCH"
+    continue
+  fi
+
   echo "Updating $BRANCH"
   gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
 done

.github/workflows/test-codeql-bundle-all.yml

@@ -0,0 +1,53 @@
+name: 'PR Check - CodeQL Bundle All'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v*
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  test-codeql-bundle-all:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: nightly-latest
+    name: 'CodeQL Bundle All'
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: true
+    - id: init
+      uses: ./../action/init
+      with:
+        # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
+        languages: cpp,csharp,go,java,javascript,python,ruby 
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/update-bundle.yml

@@ -0,0 +1,91 @@
+name: Update default CodeQL bundle
+
+on:
+  release:
+    # From https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#release
+    # Note: The prereleased type will not trigger for pre-releases published
+    # from draft releases, but the published type will trigger. If you want a
+    # workflow to run when stable and pre-releases publish, subscribe to
+    # published instead of released and prereleased.
+    #
+    # From https://github.com/orgs/community/discussions/26281
+    # As a work around, in published type workflow,  you could add if condition
+    # to filter pre-release attribute.
+    types: [published]
+
+jobs:
+  update-bundle:
+    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dump environment
+        run: env
+
+      - name: Dump GitHub context
+        env:
+          GITHUB_CONTEXT: '${{ toJson(github) }}'
+        run: echo "$GITHUB_CONTEXT"
+
+      - uses: actions/checkout@v4
+
+      - name: Update git config
+        run: |
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
+
+      - name: Update bundle
+        uses: ./.github/actions/update-bundle
+
+      - name: Rebuild Action
+        run: npm run build
+
+      - name: Commit and push changes
+        env:
+          RELEASE_TAG: "${{ github.event.release.tag_name }}"
+        run: |
+          git checkout -b "update-bundle/$RELEASE_TAG"
+          git commit -am "Update default bundle to $RELEASE_TAG"
+          git push --set-upstream origin "update-bundle/$RELEASE_TAG"
+
+      - name: Open pull request
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cli_version=$(jq -r '.cliVersion' src/defaults.json)
+          pr_url=$(gh pr create \
+            --title "Update default bundle to $cli_version" \
+            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
+            --assignee "$GITHUB_ACTOR" \
+            --draft \
+          )
+          echo "CLI_VERSION=$cli_version" | tee -a "$GITHUB_ENV"
+          echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"
+
+      - name: Create changelog note
+        shell: python
+        run: |
+          import os
+          import re
+
+          # Get the PR number from the PR URL.
+          pr_number = os.environ['PR_URL'].split('/')[-1]
+          changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+
+          # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
+          # Use perl to avoid having to escape the newline character.
+
+          with open('CHANGELOG.md', 'r') as f:
+              changelog = f.read()
+
+          changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
+
+          # Add the changelog note to the bottom of the "[UNRELEASED]" section.
+          changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
+
+          with open('CHANGELOG.md', 'w') as f:
+              f.write(changelog)
+
+      - name: Push changelog note
+        run: |
+          git commit -am "Add changelog note"
+          git push

.github/workflows/update-dependencies.yml

@@ -11,27 +11,32 @@ jobs:
     if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Remove PR label
       env:
+        GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
         REPOSITORY: '${{ github.repository }}'
         PR_NUMBER: '${{ github.event.pull_request.number }}'
-        GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
       run: |
         gh api "repos/$REPOSITORY/issues/$PR_NUMBER/labels/Update%20dependencies" -X DELETE
 
     - name: Push updated dependencies
       env:
         BRANCH: '${{ github.head_ref }}'
+        GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
       run: |
         git fetch origin "$BRANCH" --depth=1
         git checkout "origin/$BRANCH"
         .github/workflows/script/update-node-modules.sh update
         if [ ! -z "$(git status --porcelain)" ]; then
-          git config --global user.email "github-actions@github.com"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
           git add node_modules
           git commit -am "Update checked-in dependencies"
           git push origin "HEAD:$BRANCH"
+          echo "Pushed a commit to update the checked-in dependencies." \
+            "Please mark the PR as ready for review to trigger PR checks." |
+            gh pr comment --body-file - --repo github/codeql-action "${{ github.event.pull_request.number }}"
+          gh pr ready --undo --repo github/codeql-action "${{ github.event.pull_request.number }}"
         fi

.github/workflows/update-release-branch.yml

@@ -1,46 +1,141 @@
 name: Update release branch
 on:
   # You can trigger this workflow via workflow dispatch to start a release.
-  # This will open a PR to update the v2 release branch.
+  # This will open a PR to update the latest release branch.
   workflow_dispatch:
 
+  # When a release is complete this workflow will open up backport PRs to older release branches.
+  # NB while it will trigger on any release branch update, the backport job will not proceed for
+  # anything other than than releases/v{latest}
+  push:
+    branches:
+      - releases/*
+
 jobs:
+
+  prepare:
+    runs-on: ubuntu-latest
+    if: github.repository == 'github/codeql-action'
+    outputs:
+      version: ${{ steps.versions.outputs.version }}
+      major_version: ${{ steps.versions.outputs.major_version }}
+      latest_tag: ${{ steps.versions.outputs.latest_tag }}
+      backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
+      backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0  # Need full history for calculation of diffs
+    - uses: ./.github/actions/release-initialise
+
+    - name: Get version tags
+      id: versions
+      run: |
+        VERSION="v$(jq '.version' -r 'package.json')"
+        echo "version=${VERSION}" >> $GITHUB_OUTPUT
+        MAJOR_VERSION=$(cut -d '.' -f1 <<< "${VERSION}")
+        echo "major_version=${MAJOR_VERSION}" >> $GITHUB_OUTPUT
+        LATEST_TAG=$(git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+' | head -1)
+        echo "latest_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
+
+    - id: branches
+      name: Determine older release branches
+      uses: ./.github/actions/release-branches
+      with:
+        major_version: ${{ steps.versions.outputs.major_version }}
+        latest_tag: ${{ steps.versions.outputs.latest_tag }}
+
+    - name: debug logging
+      run: |
+        echo 'version: ${{ steps.versions.outputs.version }}'
+        echo 'major_version: ${{ steps.versions.outputs.major_version }}'
+        echo 'latest_tag: ${{ steps.versions.outputs.latest_tag }}'
+        echo 'backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}'
+        echo 'backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}'
+
   update:
     timeout-minutes: 45
     runs-on: ubuntu-latest
-    if: github.repository == 'github/codeql-action'
+    if: github.event_name == 'workflow_dispatch'
+    needs: [prepare]
+    env:
+      REF_NAME: "${{ github.ref_name }}"
+      REPOSITORY: "${{ github.repository }}"
+      MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
+      LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
     steps:
-    - name: Dump environment
-      run: env
-
-    - name: Dump GitHub context
-      env:
-        GITHUB_CONTEXT: '${{ toJson(github) }}'
-      run: echo "$GITHUB_CONTEXT"
-
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
-        # Need full history so we calculate diffs
-        fetch-depth: 0
+        fetch-depth: 0  # Need full history for calculation of diffs
+    - uses: ./.github/actions/release-initialise
 
-    - name: Set up Python
-      uses: actions/setup-python@v4
-      with:
-        python-version: 3.8
-
-    - name: Install dependencies
+    # when the workflow has been manually triggered on main,
+    # we know that we definitely want the release branch to exist
+    - name: Ensure release branch exists
       run: |
-        python -m pip install --upgrade pip
-        pip install PyGithub==1.55 requests
+        echo "MAJOR_VERSION ${MAJOR_VERSION}"
+        RELEASE_BRANCH=releases/${MAJOR_VERSION}
+        if git checkout $RELEASE_BRANCH > /dev/null 2>&1; then
+            echo "Branch $RELEASE_BRANCH already exists"
+            echo ""
+        else
+            echo "Creating $RELEASE_BRANCH branch"
+            git checkout -b ${RELEASE_BRANCH} ${LATEST_TAG}
+            git push --set-upstream origin ${RELEASE_BRANCH}
+            git branch --show-current
+            echo ""
+        fi
+        echo "Returning to branch: ${REF_NAME}"
+        git checkout ${REF_NAME}
 
-    - name: Update git config
-      run: |
-        git config --global user.email "github-actions@github.com"
-        git config --global user.name "github-actions[bot]"
-
-    - name: Update release branch
+    - name: Update current release branch
+      if: github.event_name == 'workflow_dispatch'
       run: |
+        echo SOURCE_BRANCH=${REF_NAME}
+        echo TARGET_BRANCH=releases/${MAJOR_VERSION}
         python .github/update-release-branch.py \
           --github-token ${{ secrets.GITHUB_TOKEN }} \
           --repository-nwo ${{ github.repository }} \
+          --source-branch '${{ env.REF_NAME }}' \
+          --target-branch 'releases/${{ env.MAJOR_VERSION }}' \
+          --is-primary-release \
+          --conductor ${GITHUB_ACTOR}
+
+  backport:
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    environment: Automation
+    needs: [prepare]
+    if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        target_branch: ${{ fromJson(needs.prepare.outputs.backport_target_branches) }}
+    env:
+      SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
+      TARGET_BRANCH: ${{ matrix.target_branch }}
+    steps:
+    - name: Generate token
+      uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69
+      id: app-token
+      with:
+        app-id: ${{ vars.AUTOMATION_APP_ID }}
+        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0  # Need full history for calculation of diffs
+        token: ${{ steps.app-token.outputs.token }}
+    - uses: ./.github/actions/release-initialise
+
+    - name: Update older release branch
+      run: |
+        echo SOURCE_BRANCH=${SOURCE_BRANCH}
+        echo TARGET_BRANCH=${TARGET_BRANCH}
+        python .github/update-release-branch.py \
+          --github-token ${{ secrets.GITHUB_TOKEN }} \
+          --repository-nwo ${{ github.repository }} \
+          --source-branch ${SOURCE_BRANCH} \
+          --target-branch ${TARGET_BRANCH} \
           --conductor ${GITHUB_ACTOR}

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -3,6 +3,7 @@ name: Update Supported Enterprise Server Versions
 on:
   schedule:
     - cron: "0 0 * * *"
+  workflow_dispatch:
 
 jobs:
   update-supported-enterprise-server-versions:
@@ -13,13 +14,13 @@ jobs:
 
     steps:
       - name: Setup Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.7"
       - name: Checkout CodeQL Action
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Checkout Enterprise Releases
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: github/enterprise-releases
           ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}
@@ -34,14 +35,31 @@ jobs:
           npm run build
         env:
           ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
-      - name: Commit Changes
-        uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04 # v4.2.3
-        with:
-          commit-message: Update supported GitHub Enterprise Server versions.
-          title: Update supported GitHub Enterprise Server versions.
-          body: ""
-          author: GitHub <noreply@github.com>
-          branch: update-supported-enterprise-server-versions
-          draft: true
+
+      - name: Update git config
+        run: |
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
+
+      - name: Commit changes and open PR
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [[ -z $(git status --porcelain) ]]; then
+            echo "No changes to commit"
+          else
+            git checkout -b update-supported-enterprise-server-versions
+            git add .
+            git commit --message "Update supported GitHub Enterprise Server versions"
+            git push origin update-supported-enterprise-server-versions
+
+            body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
+            body+="version is about to be feature frozen, or because an old release has been deprecated."
+            body+=$'\n\n'
+            body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
+            body+="deprecate the corresponding version of CodeQL."
+
+            gh pr create --draft \
+              --title "Update supported GitHub Enterprise Server versions" \
+              --body "$body"
+          fi

.github/workflows/update-supported-enterprise-server-versions/update.py

@@ -15,6 +15,11 @@ def main():
 	api_compatibility_data = json.loads(_API_COMPATIBILITY_PATH.read_text())
 
 	releases = json.loads(_RELEASE_FILE_PATH.read_text())
+
+	# Remove GHES version using a previous version numbering scheme.
+	if "11.10" in releases:
+		del releases["11.10"]
+
 	oldest_supported_release = None
 	newest_supported_release = semver.VersionInfo.parse(api_compatibility_data["maximumVersion"] + ".0")
 
@@ -30,7 +35,10 @@ def main():
 
 		if oldest_supported_release is None or release_version < oldest_supported_release:
 			end_of_life_date = datetime.date.fromisoformat(release_data["end"])
-			if end_of_life_date > datetime.date.today():
+			# The GHES version is not actually end of life until the end of the day specified by
+			# `end_of_life_date`. Wait an extra week to be safe.
+			is_end_of_life = datetime.date.today() > end_of_life_date + datetime.timedelta(weeks=1)
+			if not is_end_of_life:
 				oldest_supported_release = release_version
 
 	api_compatibility_data = {

.gitignore

@@ -1,2 +1,11 @@
 # Ignore for example failing-tests.json from AVA
-node_modules/.cache
+node_modules/.cache/
+# Java build files
+.gradle/
+*.class
+# macOS
+.DS_Store
+# eslint sarif report
+eslint.sarif
+# for local incremental compilation
+tsconfig.tsbuildinfo

.pre-commit-config.yaml

@@ -0,0 +1,20 @@
+repos:
+  - repo: local
+    hooks:
+      - id: compile-ts
+        name: Compile typescript
+        files: \.[tj]s$
+        language: system
+        entry: npm run build
+        pass_filenames: false
+      - id: lint-ts
+        name: Lint typescript code
+        files: \.ts$
+        language: system
+        entry: npm run lint -- --fix
+      - id: pr-checks-sync
+        name: Synchronize PR check workflows
+        files: ^.github/workflows/__.*\.yml$|^pr-checks
+        language: system
+        entry: python3 pr-checks/sync.py
+        pass_filenames: false

.vscode/settings.json

@@ -6,5 +6,14 @@
 
     // transpiled JavaScript
     "lib": true,
-  }
+  },
+  // Installing a new Node package often triggers VS Code's git limit warnings as there is typically
+  // an intermediate stage where many files are modified. This setting suppresses these warnings.
+  "git.ignoreLimitWarning": true,
+  // Use the vendored TypeScript version to have a consistent development experience across
+  // machines.
+  "typescript.tsdk": "node_modules/typescript/lib",
+  "[typescript]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  },
 }