Compare commits


57 Commits

Author SHA1 Message Date
Mads Navntoft
2cdef7d057 hack: add python job to see if there are any alerts 2025-09-15 14:47:03 +02:00
Paolo Tranquilli
aa90e97ad2 Merge pull request #3091 from github/redsun82/fix-windows-ci
Set `shell: bash` by default on all workflows
2025-09-12 18:47:08 +02:00
Paolo Tranquilli
2b7d487cf8 Update .github/workflows/codeql.yml
Co-authored-by: Henry Mercer <henrymercer@github.com>
2025-09-12 18:20:44 +02:00
Paolo Tranquilli
f92cc3a0e7 Merge pull request #3065 from github/redsun82/update-brace-expansion
Use brace-expansion >2.0.1
2025-09-12 16:06:42 +02:00
Nick Rolfe
185266a022 Merge pull request #3107 from github/nickrolfe/minimize-jars
Add feature flag to roll out JAR minimization in the Java extractor
2025-09-12 13:09:42 +01:00
Paolo Tranquilli
a1244387b0 Merge branch 'main' into redsun82/update-brace-expansion 2025-09-12 13:44:46 +02:00
Michael B. Gale
dc9a47dceb Merge pull request #3110 from github/mbg/proxy/fetch-from-release
Fetch proxy binaries from `defaults.json` release
2025-09-12 12:38:15 +01:00
Nick Rolfe
3ca9525ddd Add changelog entry for Java dependency minimization rollout 2025-09-12 12:10:05 +01:00
Nick Rolfe
0abf548bb3 Add feature flag to roll out JAR minimization in the Java extractor 2025-09-12 12:09:34 +01:00
Michael B. Gale
e2636d2e4f Change "current release" to "linked release" 2025-09-12 11:15:03 +01:00
Henry Mercer
df1fe23118 Merge pull request #3083 from github/henrymercer/resolve-languages-default-queries
Resolve supported languages using CodeQL CLI
2025-09-12 10:12:15 +01:00
Chuan-kai Lin
0d33fd9f26 Merge pull request #3109 from github/cklin/init-save-updated-config
init-action: save updated config
2025-09-11 14:18:59 -07:00
Chuan-kai Lin
5c30ae46c1 Stop saving config in initConfig() 2025-09-11 12:31:29 -07:00
Michael B. Gale
9df23425dc Search release pointed at by defaults.json for registry proxy artifact 2025-09-11 18:56:19 +01:00
Paolo Tranquilli
4e1dadc5b3 Fix accidental removal of - shell: bash lines 2025-09-11 17:54:28 +02:00
Paolo Tranquilli
856e1e5c78 Address review 2025-09-11 17:54:00 +02:00
Paolo Tranquilli
d797efbb26 Merge branch 'main' into redsun82/fix-windows-ci 2025-09-11 17:41:08 +02:00
Chuan-kai Lin
4e2e64a92a init-action: save updated config
This commit updates the init action to save the config again at the end
of run(), so that config updates in run() are correctly propagated to
the analyze action.
2025-09-11 08:07:50 -07:00
Michael B. Gale
ffcbb4c0c1 Move UPDATEJOB_PROXY constants to start-proxy.ts 2025-09-11 15:34:29 +01:00
Michael B. Gale
148e76abb6 Merge pull request #3108 from github/mbg/changelog/workflow-validation
Add changelog entry for improved version consistency checks
2025-09-11 14:06:40 +01:00
Michael B. Gale
21a1feb391 Add changenote for improved version consistency checks 2025-09-11 12:03:09 +01:00
Michael B. Gale
1479235f5d Merge pull request #3100 from github/mbg/config-version
Store and check action version in `Config`
2025-09-11 11:56:05 +01:00
Michael B. Gale
0d058cdc59 Merge pull request #3099 from github/mbg/validate-action-version-in-workflow
Validate workflow to check that all `codeql-action` versions are the same
2025-09-11 11:53:14 +01:00
Chuan-kai Lin
25e54dffab Merge pull request #3105 from github/mergeback/v3.30.3-to-main-192325c8
Mergeback v3.30.3 refs/heads/releases/v3 into main
2025-09-10 10:55:01 -07:00
github-actions[bot]
25c32186df Rebuild 2025-09-10 17:35:23 +00:00
github-actions[bot]
191d3de659 Update changelog and version after v3.30.3 2025-09-10 17:32:56 +00:00
Chuan-kai Lin
192325c861 Merge pull request #3104 from github/update-v3.30.3-b660efdcf
Merge main into releases/v3
2025-09-10 10:32:26 -07:00
github-actions[bot]
e68956d90b Update changelog for v3.30.3 2025-09-10 15:34:46 +00:00
Michael B. Gale
b660efdcfd Merge pull request #3103 from github/mbg/fix/category-check
Fix `runInterpretResultsFor` using the wrong `AnalysisConfig` for Code Quality `category` fix
2025-09-10 16:30:12 +01:00
Michael B. Gale
e49458befe Fix runInterpretResultsFor using the wrong AnalysisConfig for category fix 2025-09-10 16:14:19 +01:00
Kasper Svendsen
f374a62c8b Merge pull request #3098 from github/kaspersv/increase-overlay-base-size-limit
Overlay: Increase size limit for cached overlay base database
2025-09-10 15:01:08 +02:00
Michael B. Gale
0487de31f2 Update src/config-utils.test.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-09-10 13:47:47 +01:00
Michael B. Gale
754f2e184f Simplify step.uses condition 2025-09-10 13:35:39 +01:00
Michael B. Gale
4f56152a48 Store and check action version in Config 2025-09-10 13:33:17 +01:00
Michael B. Gale
5efa438e92 Merge pull request #3101 from github/mbg/public-repo-notice-in-pr-template
Add a reminder to the PR template that this is a public repo
2025-09-10 13:29:04 +01:00
Michael B. Gale
bb98ff4838 Validate workflow to check that all codeql-action versions are the same 2025-09-10 13:02:28 +01:00
Kasper Svendsen
8a84a62542 Overlay: Increase size limit for cached overlay base database 2025-09-10 12:30:56 +02:00
Paolo Tranquilli
eb50a881d8 Merge pull request #3097 from github/redsun82/only-dump-sarif
Dump soon to be uploaded SARIF on request
2025-09-10 12:07:32 +02:00
Paolo Tranquilli
4c534612bf Tweak sarif dump log 2025-09-10 07:52:59 +02:00
Paolo Tranquilli
dae3742b0a Dump soon to be uploaded SARIF on request
This introduces a new internal environment variable flag
(`CODEQL_ACTION_SARIF_DUMP_DIR`) that, when set to `true`, causes the
SARIF file that will be uploaded to be dumped to the specified
directory. The filename will be `upload.sarif` or `upload.quality.sarif`
depending on the upload target.
2025-09-10 07:46:05 +02:00
Henry Mercer
31d3ae847e Merge pull request #3095 from github/copilot/fix-9c4e2e82-c57a-4af0-8336-b8b24b72dba3
Remove --intra-layer-parallelism flag from CodeQL CLI commands
2025-09-09 20:18:54 +01:00
Michael B. Gale
3bf58bb047 Merge branch 'main' into redsun82/fix-windows-ci 2025-09-09 19:35:16 +01:00
copilot-swe-agent[bot]
2a4630c7f1 Remove --intra-layer-parallelism flag from CodeQL CLI commands
Co-authored-by: henrymercer <14129055+henrymercer@users.noreply.github.com>
2025-09-09 16:53:28 +00:00
copilot-swe-agent[bot]
4366c13457 Initial plan 2025-09-09 16:33:51 +00:00
Henry Mercer
ed9d73bc6f Alphabetically order ToolsFeature 2025-09-09 14:42:39 +01:00
Paolo Tranquilli
c778749ed4 fix codeql.yml codeql invocation on windows 2025-09-09 14:08:29 +02:00
Paolo Tranquilli
0c065fa4cf Sort out windows CRLF mess 2025-09-09 14:00:28 +02:00
Michael B. Gale
52ddbe1e52 Merge pull request #3092 from github/mergeback/v3.30.2-to-main-d3678e23
Mergeback v3.30.2 refs/heads/releases/v3 into main
2025-09-09 12:10:43 +01:00
github-actions[bot]
6c261ed0c7 Rebuild 2025-09-09 10:36:55 +00:00
github-actions[bot]
deb055de7e Update changelog and version after v3.30.2 2025-09-09 10:34:25 +00:00
Paolo Tranquilli
1b8f0ffedf Set shell: bash by default on all workflows 2025-09-09 12:19:45 +02:00
Paolo Tranquilli
d42097d387 Build 2025-09-08 14:05:29 +02:00
Paolo Tranquilli
16f15bc9a7 Merge branch 'main' into redsun82/update-brace-expansion 2025-09-08 14:03:32 +02:00
Paolo Tranquilli
f11caf4aad Override brace-expansion from 2.0.1 to 2.0.2 2025-09-08 10:53:44 +02:00
Henry Mercer
71410c6e72 Enable feature in CI for testing 2025-09-05 16:56:51 +01:00
Henry Mercer
d981505040 Add log for supported languages 2025-09-05 16:56:15 +01:00
Henry Mercer
f8fb310547 Resolve supported languages using CodeQL CLI 2025-09-05 16:17:32 +01:00
149 changed files with 3049 additions and 439 deletions

View File

@@ -1,4 +1,4 @@
<!-- For GitHub staff: Remember that this is a public repository. -->
### Risk assessment

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
all-platform-bundle:
strategy:
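Review bot: the workflow-level `defaults: run: shell: bash` block inserted after the `on:` inputs changes the semantics of every `run` step in the file, not only the ones that run on Windows. An explicit `shell: bash` makes the runner invoke `bash --noprofile --norc -eo pipefail {0}`, whereas the implicit non-Windows default is `bash -e {0}` without `pipefail` and the Windows default is PowerShell; steps that contain pipelines (for example `cat ... | yq` or `$(ls -A ...)` later in these workflows) will now fail when any element of the pipeline fails, which is the stricter behaviour wanted in CI but deserves a sentence in the PR description. Two caveats worth documenting next to this block: a job-level `defaults` silently overrides the workflow-level one, and `defaults.run` does not reach `run` steps inside composite actions such as `./../action/init`, which still need their own `shell:`.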
@@ -70,7 +73,6 @@ jobs:
languages: cpp,csharp,go,java,javascript,python,ruby
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
env:

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
analyze-ref-input:
strategy:
@@ -74,7 +77,6 @@ jobs:
config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
github.sha }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
autobuild-action:
strategy:
@@ -67,7 +70,6 @@ jobs:
CORECLR_PROFILER_PATH_64: ''
- uses: ./../action/analyze
- name: Check database
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d csharp ]]; then

View File

@@ -34,6 +34,9 @@ on:
description: The version of Java to install
required: false
default: '17'
defaults:
run:
shell: bash
jobs:
autobuild-direct-tracing-with-working-dir:
strategy:
@@ -70,7 +73,6 @@ jobs:
java-version: ${{ inputs.java-version || '17' }}
distribution: temurin
- name: Test setup
shell: bash
run: |
# Make sure that Gradle build succeeds in autobuild-dir ...
cp -a ../action/tests/java-repo autobuild-dir
@@ -82,7 +84,6 @@ jobs:
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check that indirect tracing is disabled
shell: bash
run: |
if [[ ! -z "${CODEQL_RUNNER}" ]]; then
echo "Expected indirect tracing to be disabled, but the" \

View File

@@ -34,6 +34,9 @@ on:
description: The version of Java to install
required: false
default: '17'
defaults:
run:
shell: bash
jobs:
autobuild-direct-tracing:
strategy:
@@ -70,7 +73,6 @@ jobs:
java-version: ${{ inputs.java-version || '17' }}
distribution: temurin
- name: Set up Java test repo configuration
shell: bash
run: |
mv * .github ../action/tests/multi-language-repo/
mv ../action/tests/multi-language-repo/.github/workflows .github
@@ -85,7 +87,6 @@ jobs:
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check that indirect tracing is disabled
shell: bash
run: |
if [[ ! -z "${CODEQL_RUNNER}" ]]; then
echo "Expected indirect tracing to be disabled, but the" \

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
build-mode-autobuild:
strategy:

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
build-mode-manual:
strategy:
@@ -81,7 +84,6 @@ jobs:
fi
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
build-mode-none:
strategy:

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
build-mode-rollback:
strategy:

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
bundle-toolcache:
strategy:

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
bundle-zstd:
strategy:

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
cleanup-db-cluster-dir:
strategy:

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
config-export:
strategy:

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
config-input:
strategy:

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
cpp-deptrace-disabled:
strategy:
@@ -53,7 +56,6 @@ jobs:
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
@@ -65,8 +67,7 @@ jobs:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
- shell: bash
run: |
- run: |
if ls /usr/bin/errno; then
echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
exit 1
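Review bot: in the second hunk the step that sets `CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false` loses its per-step `shell: bash` and now starts directly with `- run: |`, so it depends entirely on the workflow-level default; keep the shell pinned at exactly one level (do not reintroduce job-level `defaults` later, or this step changes shell without any diff to the step itself). Since the step has no `name:`, a failure of the `ls /usr/bin/errno` check is hard to attribute in the job log; consider adding `name: Check that errno was not installed` alongside the existing `echo` message.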

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
cpp-deptrace-enabled-on-macos:
strategy:
@@ -51,7 +54,6 @@ jobs:
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
@@ -63,8 +65,7 @@ jobs:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
- shell: bash
run: |
- run: |
if ! ls /usr/bin/errno; then
echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
else

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
cpp-deptrace-enabled:
strategy:
@@ -53,7 +56,6 @@ jobs:
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
@@ -65,8 +67,7 @@ jobs:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
- shell: bash
run: |
- run: |
if ! ls /usr/bin/errno; then
echo "Did not autoinstall errno"
exit 1

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
diagnostics-export:
strategy:
@@ -64,7 +67,6 @@ jobs:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Add test diagnostics
shell: bash
env:
CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
run: |

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
export-file-baseline-information:
strategy:
@@ -73,7 +76,6 @@ jobs:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
@@ -85,7 +87,6 @@ jobs:
path: ${{ runner.temp }}/results/javascript.sarif
retention-days: 7
- name: Check results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
expected_baseline_languages="c csharp go java kotlin javascript python ruby"

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
extractor-ram-threads:
strategy:
@@ -54,7 +57,6 @@ jobs:
ram: 230
threads: 1
- name: Assert Results
shell: bash
run: |
if [ "${CODEQL_RAM}" != "230" ]; then
echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
go-custom-queries:
strategy:
@@ -71,7 +74,6 @@ jobs:
config-file: ./.github/codeql/custom-queries.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
env:

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
go-indirect-tracing-workaround-diagnostic:
strategy:
@@ -72,7 +75,6 @@ jobs:
with:
go-version: '1.20'
- name: Build code
shell: bash
run: go build main.go
- uses: ./../action/analyze
with:

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
go-indirect-tracing-workaround-no-file-program:
strategy:
@@ -73,7 +76,6 @@ jobs:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: go build main.go
- uses: ./../action/analyze
with:

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
go-indirect-tracing-workaround:
strategy:
@@ -68,11 +71,9 @@ jobs:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: go build main.go
- uses: ./../action/analyze
- shell: bash
run: |
- run: |
if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
"CODEQL_ACTION_GO_BINARY environment variable is not set."

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
go-tracing-autobuilder:
strategy:
@@ -99,8 +102,7 @@ jobs:
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
- uses: ./../action/analyze
- shell: bash
run: |
- run: |
if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
echo "Expected the Go autobuilder to be run, but the" \
"CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
go-tracing-custom-build-steps:
strategy:
@@ -98,11 +101,9 @@ jobs:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: go build main.go
- uses: ./../action/analyze
- shell: bash
run: |
- run: |
# Once we start running Bash 4.2 in all environments, we can replace the
# `! -z` flag with the more elegant `-v` which confirms that the variable
# is actually unset and not potentially set to a blank value.

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
go-tracing-legacy-workflow:
strategy:
@@ -98,8 +101,7 @@ jobs:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
- shell: bash
run: |
- run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d go ]]; then
echo "Did not find a Go database"

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
init-with-registries:
strategy:
@@ -78,7 +81,6 @@ jobs:
token: "${{ secrets.GITHUB_TOKEN }}"
- name: Verify packages installed
shell: bash
run: |
PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
@@ -100,7 +102,6 @@ jobs:
fi
- name: Verify qlconfig.yml file was created
shell: bash
run: |
QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
@@ -115,7 +116,6 @@ jobs:
- name: Verify contents of qlconfig.yml
# yq is not available on windows
if: runner.os != 'Windows'
shell: bash
run: |
QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
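Review bot: `cat $QLCONFIG_PATH | yq -e ...` in the last hunk leaves `$QLCONFIG_PATH` unquoted even though it is derived from `$RUNNER_TEMP`, which can contain spaces on self-hosted runners; quote it, and prefer `yq -e '...' "$QLCONFIG_PATH"` so the `cat` is unnecessary. Note that with the new `shell: bash` default this pipeline now runs under `-o pipefail`, so a non-zero exit from `yq -e` (no matching registry entry) fails the step as intended, which was not guaranteed when the step inherited the implicit `bash -e` shell.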

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
javascript-source-root:
strategy:
@@ -53,7 +56,6 @@ jobs:
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Move codeql-action
shell: bash
run: |
mkdir ../new-source-root
mv * ../new-source-root
@@ -66,7 +68,6 @@ jobs:
with:
skip-queries: true
- name: Assert database exists
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d javascript ]]; then

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
job-run-uuid-sarif:
strategy:
@@ -63,7 +66,6 @@ jobs:
path: ${{ runner.temp }}/results/javascript.sarif
retention-days: 7
- name: Check results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
language-aliases:
strategy:

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
multi-language-autodetect:
strategy:
@@ -94,7 +97,6 @@ jobs:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Use Xcode 16
shell: bash
if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
run: sudo xcode-select -s "/Applications/Xcode_16.app"
@@ -107,7 +109,6 @@ jobs:
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
@@ -116,7 +117,6 @@ jobs:
upload-database: false
- name: Check language autodetect for all languages excluding Swift
shell: bash
run: |
CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -156,7 +156,6 @@ jobs:
- name: Check language autodetect for Swift on macOS
if: runner.os == 'macOS'
shell: bash
run: |
SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
@@ -164,4 +163,5 @@ jobs:
exit 1
fi
env:
CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
CODEQL_ACTION_TEST_MODE: true
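Review bot: the last hunk turns on `CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true` in the job-level `env:` next to `CODEQL_ACTION_TEST_MODE: true`. If this workflow is one of the generated `__*.yml` files (several on this page are labelled `generated vendored`), the flag must also be set in the generator source, otherwise the next regeneration silently drops it and the CI coverage this commit ("Enable feature in CI for testing") is meant to add disappears.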

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
overlay-init-fallback:
strategy:
@@ -61,7 +64,6 @@ jobs:
with:
upload-database: false
- name: Check database
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases/actions"
if ! grep -q 'overlayBaseDatabase: false' codeql-database.yml ; then

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
packaging-codescanning-config-inputs-js:
strategy:
@@ -93,7 +96,6 @@ jobs:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
@@ -109,7 +111,6 @@ jobs:
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
packaging-config-inputs-js:
strategy:
@@ -93,7 +96,6 @@ jobs:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
@@ -109,7 +111,6 @@ jobs:
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
packaging-config-js:
strategy:
@@ -92,7 +95,6 @@ jobs:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
@@ -108,7 +110,6 @@ jobs:
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
packaging-inputs-js:
strategy:
@@ -93,7 +96,6 @@ jobs:
packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
@@ -108,7 +110,6 @@ jobs:
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
quality-queries:
strategy:

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
remote-config:
strategy:
@@ -72,7 +75,6 @@ jobs:
config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
github.sha }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
env:

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
resolve-environment-action:
strategy:

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
rubocop-multi-language:
strategy:
@@ -53,13 +56,10 @@ jobs:
with:
ruby-version: 2.6
- name: Install Code Scanning integration
shell: bash
run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
- name: Install dependencies
shell: bash
run: bundle install
- name: RuboCop run
shell: bash
run: |
bash -c "
bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif

4 .github/workflows/__ruby.yml generated vendored
View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
ruby:
strategy:
@@ -67,7 +70,6 @@ jobs:
with:
upload-database: false
- name: Check database
shell: bash
run: |
RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
if [[ ! -d "$RUBY_DB" ]]; then

4 .github/workflows/__rust.yml generated vendored
View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
rust:
strategy:
@@ -65,7 +68,6 @@ jobs:
with:
upload-database: false
- name: Check database
shell: bash
run: |
RUST_DB="${{ fromJson(steps.analysis.outputs.db-locations).rust }}"
if [[ ! -d "$RUST_DB" ]]; then

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
split-workflow:
strategy:
@@ -80,7 +83,6 @@ jobs:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
@@ -89,7 +91,6 @@ jobs:
upload-database: false
- name: Assert No Results
shell: bash
run: |
if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
echo "Expected results directory to be empty after skipping query execution!"
@@ -100,7 +101,6 @@ jobs:
output: ${{ runner.temp }}/results
upload-database: false
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
start-proxy:
strategy:

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
submit-sarif-failure:
strategy:

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
swift-autobuild:
strategy:
@@ -55,7 +58,6 @@ jobs:
build-mode: autobuild
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check working directory
shell: bash
run: pwd
- uses: ./../action/autobuild
timeout-minutes: 30
@@ -64,7 +66,6 @@ jobs:
with:
upload-database: false
- name: Check database
shell: bash
run: |
SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
if [[ ! -d "$SWIFT_DB" ]]; then

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
swift-custom-build:
strategy:
@@ -68,7 +71,6 @@ jobs:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Use Xcode 16
shell: bash
if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
run: sudo xcode-select -s "/Applications/Xcode_16.app"
- uses: ./../action/init
@@ -77,17 +79,14 @@ jobs:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check working directory
shell: bash
run: pwd
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
id: analysis
with:
upload-database: false
- name: Check database
shell: bash
run: |
SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
if [[ ! -d "$SWIFT_DB" ]]; then

View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
test-autobuild-working-dir:
strategy:
@@ -49,7 +52,6 @@ jobs:
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Test setup
shell: bash
run: |
# Make sure that Gradle build succeeds in autobuild-dir ...
cp -a ../action/tests/java-repo autobuild-dir
@@ -64,7 +66,6 @@ jobs:
working-directory: autobuild-dir
- uses: ./../action/analyze
- name: Check database
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d java ]]; then

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
test-local-codeql:
strategy:
@@ -64,7 +67,6 @@ jobs:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Fetch a CodeQL bundle
shell: bash
env:
CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
run: |
@@ -76,7 +78,6 @@ jobs:
languages: cpp,csharp,go,java,javascript,python,ruby
tools: ./codeql-bundle-linux64.tar.zst
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
env:

3 .github/workflows/__test-proxy.yml generated vendored
View File

@@ -24,6 +24,9 @@ on:
inputs: {}
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
test-proxy:
strategy:

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
unset-environment:
strategy:
@@ -73,14 +76,12 @@ jobs:
languages: cpp,csharp,go,java,javascript,python,ruby
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
- uses: ./../action/analyze
id: analysis
with:
upload-database: false
- shell: bash
run: |
- run: |
CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
echo "::error::Did not create a database for CPP, or created it in the wrong location." \

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
upload-quality-sarif:
strategy:
@@ -75,7 +78,6 @@ jobs:
github.sha }}
analysis-kinds: code-scanning,code-quality
- name: Build code
shell: bash
run: ./build.sh
# Generate some SARIF we can upload with the upload-sarif step
- uses: ./../action/analyze

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
upload-ref-sha-input:
strategy:
@@ -74,7 +77,6 @@ jobs:
config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
github.sha }}
- name: Build code
shell: bash
run: ./build.sh
# Generate some SARIF we can upload with the upload-sarif step
- uses: ./../action/analyze

View File

@@ -34,6 +34,9 @@ on:
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
jobs:
with-checkout-path:
strategy:
@@ -68,7 +71,6 @@ jobs:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Delete original checkout
shell: bash
run: |
# delete the original checkout so we don't accidentally use it.
# Actions does not support deleting the current working directory, so we
@@ -89,7 +91,6 @@ jobs:
source-root: x/y/z/some-path/tests/multi-language-repo
- name: Build code
shell: bash
working-directory: x/y/z/some-path/tests/multi-language-repo
run: |
./build.sh
@@ -101,7 +102,6 @@ jobs:
sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
- name: Verify SARIF after upload
shell: bash
run: |
EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
EXPECTED_REF="v1.1.0"

View File

@@ -9,6 +9,10 @@ on:
# by other workflows.
types: [opened, synchronize, reopened, ready_for_review]
defaults:
run:
shell: bash
jobs:
check-expected-release-files:
runs-on: ubuntu-latest

View File

@@ -13,6 +13,10 @@ on:
- cron: '30 1 * * 0'
workflow_dispatch:
defaults:
run:
shell: bash
env:
CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
@@ -95,7 +99,10 @@ jobs:
tools: ${{ matrix.tools }}
# confirm steps.init.outputs.codeql-path points to the codeql binary
- name: Print CodeQL Version
run: ${{steps.init.outputs.codeql-path}} version --format=json
run: >
"$CODEQL" version --format=json
env:
CODEQL: ${{steps.init.outputs.codeql-path}}
- name: Perform CodeQL Analysis
uses: ./analyze
with:
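Review bot: good change in `Print CodeQL Version`. The old line spliced `${{steps.init.outputs.codeql-path}}` straight into the script, so the value became part of the shell source before execution; routing it through `env.CODEQL` and referencing `"$CODEQL"` keeps it as data, and the quotes also make a path containing spaces work on Windows. The folded scalar (`run: >`) is needed here, since a plain YAML scalar cannot begin with a double quote; a short comment saying so would stop the next editor from "simplifying" it back into a parse error.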
@@ -124,3 +131,26 @@ jobs:
uses: ./analyze
with:
category: "/language:actions"
analyze-python:
runs-on: ubuntu-latest
strategy:
fail-fast: false
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v5
- name: Initialize CodeQL
uses: ./init
with:
languages: python
config-file: ./.github/codeql/codeql-actions-config.yml
- name: Perform CodeQL Analysis
uses: ./analyze
with:
category: "/language:python"
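Review bot: `strategy: fail-fast: false` in `analyze-python` has no effect because the job declares no `matrix`; either drop it or add the matrix the other jobs in this file use. The job also reuses `.github/codeql/codeql-actions-config.yml`, a config named for the Actions-language analysis, for a Python scan; if the point is to see whether Python queries raise alerts on this repository, a dedicated config (or none) avoids inheriting path and query filters written for workflow files. The permissions block is correctly minimal (`contents: read`, `security-events: write`).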

View File

@@ -22,6 +22,10 @@ on:
- cron: '0 5 * * *'
workflow_dispatch: {}
defaults:
run:
shell: bash
jobs:
code-scanning-config-tests:
continue-on-error: true

View File

@@ -17,6 +17,11 @@ on:
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
defaults:
run:
shell: bash
jobs:
upload-artifacts:
strategy:
@@ -55,7 +60,6 @@ jobs:
debug-artifact-name: my-debug-artifacts
debug-database-name: my-db
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
id: analysis
@@ -75,7 +79,6 @@ jobs:
- name: Download all artifacts
uses: actions/download-artifact@v5
- name: Check expected artifacts exist
shell: bash
run: |
LANGUAGES="cpp csharp go java javascript python"
for version in $VERSIONS; do

View File

@@ -16,6 +16,11 @@ on:
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
defaults:
run:
shell: bash
jobs:
upload-artifacts:
strategy:
@@ -54,7 +59,6 @@ jobs:
# We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
languages: cpp,csharp,go,java,javascript,python,ruby
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
id: analysis
@@ -69,7 +73,6 @@ jobs:
- name: Download all artifacts
uses: actions/download-artifact@v5
- name: Check expected artifacts exist
shell: bash
run: |
VERSIONS="stable-v2.20.3 default linked nightly-latest"
LANGUAGES="cpp csharp go java javascript python"

View File

@@ -18,6 +18,10 @@ on:
branches:
- releases/v*
defaults:
run:
shell: bash
jobs:
merge-back:
runs-on: ubuntu-latest

View File

@@ -8,6 +8,10 @@ on:
types: [opened, synchronize, reopened, ready_for_review]
workflow_dispatch:
defaults:
run:
shell: bash
jobs:
unit-tests:
name: Unit Tests
@@ -22,6 +26,10 @@ jobs:
timeout-minutes: 45
steps:
- name: Prepare git (Windows)
if: runner.os == 'Windows'
run: git config --global core.autocrlf false
- uses: actions/checkout@v5
- name: Set up Node.js

View File

@@ -22,6 +22,10 @@ on:
paths:
- .github/workflows/prepare-release.yml
defaults:
run:
shell: bash
jobs:
prepare:
name: "Prepare release"

View File

@@ -4,6 +4,10 @@ on:
release:
types: [published]
defaults:
run:
shell: bash
jobs:
publish:
runs-on: ubuntu-latest

View File

@@ -12,6 +12,10 @@ on:
- cron: '0 0 * * 1'
workflow_dispatch:
defaults:
run:
shell: bash
jobs:
test-setup-python-scripts:
env:

View File

@@ -15,6 +15,10 @@ on:
- cron: '0 5 * * *'
workflow_dispatch: {}
defaults:
run:
shell: bash
jobs:
query-filters:
name: Query Filters Tests

View File

@@ -5,6 +5,10 @@ on:
types: [labeled]
workflow_dispatch:
defaults:
run:
shell: bash
jobs:
rebuild:
name: Rebuild Action

View File

@@ -14,6 +14,10 @@ on:
- .github/workflows/rollback-release.yml
- .github/actions/prepare-mergeback-branch/**
defaults:
run:
shell: bash
jobs:
prepare:
name: "Prepare release"
@@ -53,7 +57,6 @@ jobs:
- name: Create tag for testing
if: github.event_name != 'workflow_dispatch'
shell: bash
run: git tag v0.0.0
# We start by preparing the mergeback branch, mainly so that we have the updated changelog
@@ -96,7 +99,6 @@ jobs:
echo "::endgroup::"
- name: Create tags
shell: bash
env:
# We usually expect to checkout `inputs.rollback-tag` (required for `workflow_dispatch`),
# but use `v0.0.0` for testing.
@@ -111,7 +113,6 @@ jobs:
- name: Push tags
# skip when testing
if: github.event_name == 'workflow_dispatch'
shell: bash
env:
RELEASE_TAG: ${{ needs.prepare.outputs.version }}
MAJOR_VERSION_TAG: ${{ needs.prepare.outputs.major_version }}
@@ -160,7 +161,6 @@ jobs:
echo "Created draft rollback release at $RELEASE_URL" >> $GITHUB_STEP_SUMMARY
- name: Update changelog
shell: bash
env:
NEW_CHANGELOG: "${{ runner.temp }}/new_changelog.md"
NEW_BRANCH: "${{ steps.mergeback-branch.outputs.new-branch }}"

View File

@@ -16,6 +16,9 @@ on:
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
defaults:
run:
shell: bash
jobs:
test-codeql-bundle-all:
strategy:
@@ -46,7 +49,6 @@ jobs:
languages: cpp,csharp,go,java,javascript,python,ruby
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
env:

View File

@@ -13,6 +13,10 @@ on:
# to filter pre-release attribute.
types: [published]
defaults:
run:
shell: bash
jobs:
update-bundle:
if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')

View File

@@ -7,6 +7,10 @@ on:
type: string
required: true
defaults:
run:
shell: bash
jobs:
update:
name: Update code and create PR
@@ -20,7 +24,6 @@ jobs:
steps:
- name: Check release tag format
id: checks
shell: bash
run: |
if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format."
@@ -30,7 +33,6 @@ jobs:
echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT
- name: Check that the release exists
shell: bash
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
run: |
@@ -46,20 +48,17 @@ jobs:
ref: main
- name: Update git config
shell: bash
run: |
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
- name: Update release tag and version
shell: bash
run: |
NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts
sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts
- name: Compile TypeScript and commit changes
shell: bash
env:
TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}
run: |
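Review bot: the `Update release tag and version` step interpolates `$RELEASE_TAG` into the replacement side of a `sed -i "s|...|...|g"` program, where a `|`, `&`, `\` or newline in the value would alter the edit applied to `src/start-proxy-action.ts`. This is only safe because the earlier `Check release tag format` step anchors `^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$` and fails the job otherwise; that dependency should be stated in a comment next to the `sed` so a later edit cannot loosen the check unnoticed. Also, `[0-9]\+` is a GNU sed extension, fine on `ubuntu-latest` but not portable if this job is ever moved to a macOS runner.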
@@ -72,7 +71,6 @@ jobs:
git commit -m "Update release used by \`start-proxy\` action"
- name: Push changes and open PR
shell: bash
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }}

View File

@@ -11,6 +11,10 @@ on:
branches:
- releases/*
defaults:
run:
shell: bash
jobs:
prepare:

View File

@@ -2,6 +2,15 @@
See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
## [UNRELEASED]
- We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the `codeql-action/init` step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the `codeql-action/init` step. [#3099](https://github.com/github/codeql-action/pull/3099) and [#3100](https://github.com/github/codeql-action/pull/3100)
- We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. [#3107](https://github.com/github/codeql-action/pull/3107)
## 3.30.3 - 10 Sep 2025
No user facing changes.
## 3.30.2 - 09 Sep 2025
- Fixed a bug which could cause language autodetection to fail. [#3084](https://github.com/github/codeql-action/pull/3084)
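Review bot: the UNRELEASED section omits several user-visible changes that appear in the generated bundles further down this compare: the new `CODEQL_ACTION_SARIF_DUMP_DIR` environment variable that writes the processed SARIF to disk before upload, the increase of `OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB` from 6000 to 15000, the removal of `--intra-layer-parallelism` from `database run-queries`, and the fix in `runInterpretResultsFor` that keys the code-quality category rewrite on `analysis.kind` rather than `dbAnalysisConfig.kind`. The #3107 entry would also be more useful if it named the opt-in switch (`CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS`) and the CodeQL CLI minimum (2.23.0) the feature flag enforces, and the brace-expansion override to 2.0.2 deserves a line since it changes a shipped dependency.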

View File

@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
"package.json"(exports2, module2) {
module2.exports = {
name: "codeql",
version: "3.30.2",
version: "3.30.4",
private: true,
description: "CodeQL action",
scripts: {
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
},
"eslint-plugin-jsx-a11y": {
semver: ">=6.3.1"
}
},
"brace-expansion@2.0.1": "2.0.2"
}
};
}
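Review bot: the `overrides` entry is keyed to the exact version `brace-expansion@2.0.1`, so it forces 2.0.2 only for dependents that resolve to 2.0.1 today; a dependent that later resolves to a different 2.0.x (or to a 1.x line) is not covered. A range in the key (npm accepts a semver spec after the `@`), for example `brace-expansion@<2.0.2`, expresses "never ship older than 2.0.2" more robustly. Either way, please confirm the lockfile was regenerated so that `npm ci` reproduces the tree these bundles were built from.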
@@ -77685,7 +77686,7 @@ var require_brace_expansion2 = __commonJS({
var isSequence = isNumericSequence || isAlphaSequence;
var isOptions = m.body.indexOf(",") >= 0;
if (!isSequence && !isOptions) {
if (m.post.match(/,.*\}/)) {
if (m.post.match(/,(?!,).*\}/)) {
str2 = m.pre + "{" + m.body + escClose + m.post;
return expand(str2);
}
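Review bot: this is the vendored copy of the brace-expansion change that the override above pulls in (`/,.*\}/` tightened to `/,(?!,).*\}/`). It appears in this bundle, but there is no corresponding hunk in `lib/analyze-action.js` below; please check whether that bundle still embeds a 2.0.1 copy under another module name, because if it does the override in its package.json is cosmetic for that entry point.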
@@ -117686,7 +117687,7 @@ function withGroup(groupName, f) {
// src/overlay-database-utils.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
async function writeBaseDatabaseOidsFile(config, sourceRoot) {
const gitFileOids = await getFileOidsUnderPath(sourceRoot);
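Review bot: `OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB` goes from 6000 to 15000 while `OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES` is still derived with `1e6`, i.e. a 15 GB (decimal) cap on base-database uploads. A 2.5x increase to an upload bound deserves a comment saying which server-side limit it mirrors, and a CHANGELOG line, since a larger cap means larger artifacts and longer upload steps for users with overlay analysis enabled.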
@@ -117796,6 +117797,12 @@ var featureConfig = {
legacyApi: true,
minimumVersion: void 0
},
["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
minimumVersion: void 0,
toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
},
["overlay_analysis" /* OverlayAnalysis */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
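Review bot: `resolve_supported_languages_using_cli` is gated by `toolsFeature: "builtinExtractorsSpecifyDefaultQueries"` with no `minimumVersion`, which is the right shape if the CLI flag it enables (`--filter-to-languages-with-queries`, see `betterResolveLanguages` below) ships together with that tools feature. Please confirm that setting `CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI` by hand cannot bypass the tools-feature check; if the env override wins, an older CLI would be handed an unknown flag and `resolve languages` would fail outright rather than fall back.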
@@ -117912,6 +117919,11 @@ var featureConfig = {
envVar: "CODEQL_ACTION_QA_TELEMETRY",
legacyApi: true,
minimumVersion: void 0
},
["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
minimumVersion: "2.23.0"
}
};
@@ -117960,7 +117972,18 @@ async function getConfig(tempDir, logger) {
const configString = fs3.readFileSync(configFile, "utf8");
logger.debug("Loaded config:");
logger.debug(configString);
return JSON.parse(configString);
const config = JSON.parse(configString);
if (config.version === void 0) {
throw new ConfigurationError(
`Loaded configuration file, but it does not contain the expected 'version' field.`
);
}
if (config.version !== getActionVersion()) {
throw new ConfigurationError(
`Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
);
}
return config;
}
function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
const augmentedConfig = cloneObject(cliConfig);
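Review bot: the new check turns any version mismatch between the init step and a later step into a hard `ConfigurationError`, so every generated `lib/*.js` bundle in this compare must carry the same bundled package version (3.30.4); one stale bundle would fail every workflow at runtime. Two suggestions: (1) include the remedy in the message, as the `InconsistentActionVersion` workflow error does, e.g. "use the same version of `github/codeql-action` in every step"; (2) the `config.version === void 0` branch is what a user hits when mixing a pre-3.30.4 `init` with this `analyze`, so that message should say the file was written by an older version of the action rather than only that a field is missing.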
@@ -118206,13 +118229,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
);
}
},
async betterResolveLanguages() {
async betterResolveLanguages({
filterToLanguagesWithQueries
} = { filterToLanguagesWithQueries: false }) {
const codeqlArgs = [
"resolve",
"languages",
"--format=betterjson",
"--extractor-options-verbosity=4",
"--extractor-include-aliases",
...filterToLanguagesWithQueries ? ["--filter-to-languages-with-queries"] : [],
...getExtraOptionsFromEnv(["resolve", "languages"])
];
const output = await runCli(cmd, codeqlArgs);
@@ -118251,7 +118277,6 @@ ${output}`
"run-queries",
...flags,
databasePath,
"--intra-layer-parallelism",
"--min-disk-free=1024",
// Try to leave at least 1GB free
"-v",
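Review bot: dropping `--intra-layer-parallelism` from the `database run-queries` invocation is a silent change to query-evaluation behaviour, and nothing in the diff (CHANGELOG or code comment) says why. If the CLI no longer accepts or needs the flag, say so next to `--min-disk-free=1024`, which already carries a comment; if it is a performance trade-off, it belongs in the CHANGELOG.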

lib/analyze-action.js generated
View File

@@ -32287,7 +32287,7 @@ var require_package = __commonJS({
"package.json"(exports2, module2) {
module2.exports = {
name: "codeql",
version: "3.30.2",
version: "3.30.4",
private: true,
description: "CodeQL action",
scripts: {
@@ -32385,7 +32385,8 @@ var require_package = __commonJS({
},
"eslint-plugin-jsx-a11y": {
semver: ">=6.3.1"
}
},
"brace-expansion@2.0.1": "2.0.2"
}
};
}
@@ -90811,7 +90812,7 @@ function formatDuration(durationMs) {
// src/overlay-database-utils.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
async function writeBaseDatabaseOidsFile(config, sourceRoot) {
const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -91030,6 +91031,12 @@ var featureConfig = {
legacyApi: true,
minimumVersion: void 0
},
["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
minimumVersion: void 0,
toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
},
["overlay_analysis" /* OverlayAnalysis */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -91146,6 +91153,11 @@ var featureConfig = {
envVar: "CODEQL_ACTION_QA_TELEMETRY",
legacyApi: true,
minimumVersion: void 0
},
["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
minimumVersion: "2.23.0"
}
};
var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -91620,7 +91632,18 @@ async function getConfig(tempDir, logger) {
const configString = fs9.readFileSync(configFile, "utf8");
logger.debug("Loaded config:");
logger.debug(configString);
return JSON.parse(configString);
const config = JSON.parse(configString);
if (config.version === void 0) {
throw new ConfigurationError(
`Loaded configuration file, but it does not contain the expected 'version' field.`
);
}
if (config.version !== getActionVersion()) {
throw new ConfigurationError(
`Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
);
}
return config;
}
function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
const augmentedConfig = cloneObject(cliConfig);
@@ -92769,13 +92792,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
);
}
},
async betterResolveLanguages() {
async betterResolveLanguages({
filterToLanguagesWithQueries
} = { filterToLanguagesWithQueries: false }) {
const codeqlArgs = [
"resolve",
"languages",
"--format=betterjson",
"--extractor-options-verbosity=4",
"--extractor-include-aliases",
...filterToLanguagesWithQueries ? ["--filter-to-languages-with-queries"] : [],
...getExtraOptionsFromEnv(["resolve", "languages"])
];
const output = await runCli(cmd, codeqlArgs);
@@ -92814,7 +92840,6 @@ ${output}`
"run-queries",
...flags,
databasePath,
"--intra-layer-parallelism",
"--min-disk-free=1024",
// Try to leave at least 1GB free
"-v",
@@ -93222,7 +93247,7 @@ function getDefaultCacheConfig() {
async function makeGlobber(patterns) {
return glob.create(patterns.join("\n"));
}
async function uploadDependencyCaches(config, logger) {
async function uploadDependencyCaches(config, logger, minimizeJavaJars) {
for (const language of config.languages) {
const cacheConfig = getDefaultCacheConfig()[language];
if (cacheConfig === void 0) {
@@ -93245,7 +93270,7 @@ async function uploadDependencyCaches(config, logger) {
);
continue;
}
const key = await cacheKey2(language, cacheConfig);
const key = await cacheKey2(language, cacheConfig, minimizeJavaJars);
logger.info(
`Uploading cache of size ${size} for ${language} with key ${key}...`
);
@@ -93263,17 +93288,20 @@ async function uploadDependencyCaches(config, logger) {
}
}
}
async function cacheKey2(language, cacheConfig) {
async function cacheKey2(language, cacheConfig, minimizeJavaJars = false) {
const hash2 = await glob.hashFiles(cacheConfig.hash.join("\n"));
return `${await cachePrefix2(language)}${hash2}`;
return `${await cachePrefix2(language, minimizeJavaJars)}${hash2}`;
}
async function cachePrefix2(language) {
async function cachePrefix2(language, minimizeJavaJars) {
const runnerOs = getRequiredEnvParam("RUNNER_OS");
const customPrefix = process.env["CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX" /* DEPENDENCY_CACHING_PREFIX */];
let prefix = CODEQL_DEPENDENCY_CACHE_PREFIX;
if (customPrefix !== void 0 && customPrefix.length > 0) {
prefix = `${prefix}-${customPrefix}`;
}
if (language === "java" /* java */ && minimizeJavaJars) {
prefix = `minify-${prefix}`;
}
return `${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
}
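Review bot: in `cachePrefix2` the `minify-` marker is prepended after the custom prefix has been appended, giving `minify-<CODEQL_DEPENDENCY_CACHE_PREFIX>[-<custom>]-<version>-<os>-java-`. That keeps minimized and full-JAR caches from ever matching each other's keys, which is correct because their contents differ, but it also means enabling the flag starts every repository from a cold cache; that is worth a comment here. Two smaller points: `cacheKey2` defaults `minimizeJavaJars` to `false` while `cachePrefix2` has no default, so a direct `cachePrefix2(language)` call silently yields the non-minimized prefix; give both the same default. And consider placing the marker after the version segment instead of in front of the whole prefix, so the user-chosen `CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX` remains the leading component of every key.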
@@ -93707,7 +93735,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
async function runInterpretResultsFor(analysis, language, queries, enableDebugLogging) {
logger.info(`Interpreting ${analysis.name} results for ${language}`);
let category = automationDetailsId;
if (dbAnalysisConfig.kind === "code-quality" /* CodeQuality */) {
if (analysis.kind === "code-quality" /* CodeQuality */) {
category = fixCodeQualityCategory(logger, automationDetailsId);
}
const sarifFile = path16.join(
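Review bot: this one-token change is a bug fix, not a refactor: `runInterpretResultsFor` is called per `analysis`, and keying the rewrite on the database-level `dbAnalysisConfig.kind` meant `fixCodeQualityCategory` was applied (or skipped) for every analysis interpreted from that database regardless of the analysis's own kind. Please add a CHANGELOG entry and, if there is not one already, a test that interprets both analysis kinds from one database and checks the category written into each SARIF.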
@@ -95613,6 +95641,10 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
logger.debug(`Serializing SARIF for upload`);
const sarifPayload = JSON.stringify(sarif);
const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
if (dumpDir) {
dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
}
logger.debug(`Compressing serialized SARIF`);
const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -95651,6 +95683,21 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
sarifID
};
}
function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
if (!fs18.existsSync(outputDir)) {
fs18.mkdirSync(outputDir, { recursive: true });
} else if (!fs18.lstatSync(outputDir).isDirectory()) {
throw new ConfigurationError(
`The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
);
}
const outputFile = path18.resolve(
outputDir,
`upload${uploadTarget.sarifExtension}`
);
logger.info(`Dumping processed SARIF file to ${outputFile}`);
fs18.writeFileSync(outputFile, sarifPayload);
}
var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3;
async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
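Review bot: `dumpSarifFile` writes to a fixed name, `upload${uploadTarget.sarifExtension}`, so if `uploadSpecifiedFiles` runs more than once for the same target within one job the second call silently overwrites the first dump; include the category or a counter in the file name, or refuse to overwrite. Two minor points: `lstatSync(outputDir).isDirectory()` rejects a symlink to a directory, which may surprise users who point `CODEQL_ACTION_SARIF_DUMP_DIR` at a symlinked temp location, and `statSync` would follow it; and since the dump happens after `validateUniqueCategory` and before gzip, it is exactly the payload sent to the API, which is the useful property for debugging, so say so in the `logger.info` line and document the variable (the CHANGELOG hunk above does not mention it).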
@@ -96036,7 +96083,11 @@ async function run() {
logger
);
if (shouldStoreCache(config.dependencyCachingEnabled)) {
await uploadDependencyCaches(config, logger);
const minimizeJavaJars = await features.getValue(
"java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */,
codeql
);
await uploadDependencyCaches(config, logger, minimizeJavaJars);
}
if (isInTestMode()) {
logger.debug("In test mode. Waiting for processing is disabled.");
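Review bot: `minimizeJavaJars` is re-evaluated here with `features.getValue(...)` at the end of the analyze step, while the init step evaluates the same flag when it restores caches (`downloadDependencyCaches` in `lib/init-action.js` below). If the value can differ between those two evaluations within one run (a feature-flag rollout mid-run, or an env override present in one step and not the other), the cache is restored under one prefix and saved under the other. Persisting the decision in the config that init writes and reading it back here would make the two sides agree by construction.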

View File

@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
"package.json"(exports2, module2) {
module2.exports = {
name: "codeql",
version: "3.30.2",
version: "3.30.4",
private: true,
description: "CodeQL action",
scripts: {
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
},
"eslint-plugin-jsx-a11y": {
semver: ">=6.3.1"
}
},
"brace-expansion@2.0.1": "2.0.2"
}
};
}
@@ -78426,7 +78427,7 @@ function getActionsLogger() {
// src/overlay-database-utils.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
async function writeBaseDatabaseOidsFile(config, sourceRoot) {
const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -78534,6 +78535,12 @@ var featureConfig = {
legacyApi: true,
minimumVersion: void 0
},
["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
minimumVersion: void 0,
toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
},
["overlay_analysis" /* OverlayAnalysis */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -78650,6 +78657,11 @@ var featureConfig = {
envVar: "CODEQL_ACTION_QA_TELEMETRY",
legacyApi: true,
minimumVersion: void 0
},
["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
minimumVersion: "2.23.0"
}
};
var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -78962,7 +78974,18 @@ async function getConfig(tempDir, logger) {
const configString = fs4.readFileSync(configFile, "utf8");
logger.debug("Loaded config:");
logger.debug(configString);
return JSON.parse(configString);
const config = JSON.parse(configString);
if (config.version === void 0) {
throw new ConfigurationError(
`Loaded configuration file, but it does not contain the expected 'version' field.`
);
}
if (config.version !== getActionVersion()) {
throw new ConfigurationError(
`Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
);
}
return config;
}
function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
const augmentedConfig = cloneObject(cliConfig);
@@ -79241,13 +79264,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
);
}
},
async betterResolveLanguages() {
async betterResolveLanguages({
filterToLanguagesWithQueries
} = { filterToLanguagesWithQueries: false }) {
const codeqlArgs = [
"resolve",
"languages",
"--format=betterjson",
"--extractor-options-verbosity=4",
"--extractor-include-aliases",
...filterToLanguagesWithQueries ? ["--filter-to-languages-with-queries"] : [],
...getExtraOptionsFromEnv(["resolve", "languages"])
];
const output = await runCli(cmd, codeqlArgs);
@@ -79286,7 +79312,6 @@ ${output}`
"run-queries",
...flags,
databasePath,
"--intra-layer-parallelism",
"--min-disk-free=1024",
// Try to leave at least 1GB free
"-v",

View File

@@ -32287,7 +32287,7 @@ var require_package = __commonJS({
"package.json"(exports2, module2) {
module2.exports = {
name: "codeql",
version: "3.30.2",
version: "3.30.4",
private: true,
description: "CodeQL action",
scripts: {
@@ -32385,7 +32385,8 @@ var require_package = __commonJS({
},
"eslint-plugin-jsx-a11y": {
semver: ">=6.3.1"
}
},
"brace-expansion@2.0.1": "2.0.2"
}
};
}
@@ -83534,7 +83535,7 @@ var require_brace_expansion2 = __commonJS({
var isSequence = isNumericSequence || isAlphaSequence;
var isOptions = m.body.indexOf(",") >= 0;
if (!isSequence && !isOptions) {
if (m.post.match(/,.*\}/)) {
if (m.post.match(/,(?!,).*\}/)) {
str2 = m.pre + "{" + m.body + escClose + m.post;
return expand(str2);
}
@@ -129016,7 +129017,7 @@ function formatDuration(durationMs) {
// src/overlay-database-utils.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
async function writeBaseDatabaseOidsFile(config, sourceRoot) {
const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -129129,6 +129130,12 @@ var featureConfig = {
legacyApi: true,
minimumVersion: void 0
},
["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
minimumVersion: void 0,
toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
},
["overlay_analysis" /* OverlayAnalysis */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -129245,6 +129252,11 @@ var featureConfig = {
envVar: "CODEQL_ACTION_QA_TELEMETRY",
legacyApi: true,
minimumVersion: void 0
},
["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
minimumVersion: "2.23.0"
}
};
var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -129575,7 +129587,18 @@ async function getConfig(tempDir, logger) {
const configString = fs9.readFileSync(configFile, "utf8");
logger.debug("Loaded config:");
logger.debug(configString);
return JSON.parse(configString);
const config = JSON.parse(configString);
if (config.version === void 0) {
throw new ConfigurationError(
`Loaded configuration file, but it does not contain the expected 'version' field.`
);
}
if (config.version !== getActionVersion()) {
throw new ConfigurationError(
`Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
);
}
return config;
}
function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
const augmentedConfig = cloneObject(cliConfig);
@@ -130679,13 +130702,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
);
}
},
async betterResolveLanguages() {
async betterResolveLanguages({
filterToLanguagesWithQueries
} = { filterToLanguagesWithQueries: false }) {
const codeqlArgs = [
"resolve",
"languages",
"--format=betterjson",
"--extractor-options-verbosity=4",
"--extractor-include-aliases",
...filterToLanguagesWithQueries ? ["--filter-to-languages-with-queries"] : [],
...getExtraOptionsFromEnv(["resolve", "languages"])
];
const output = await runCli(cmd, codeqlArgs);
@@ -130724,7 +130750,6 @@ ${output}`
"run-queries",
...flags,
databasePath,
"--intra-layer-parallelism",
"--min-disk-free=1024",
// Try to leave at least 1GB free
"-v",
@@ -133050,6 +133075,10 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
logger.debug(`Serializing SARIF for upload`);
const sarifPayload = JSON.stringify(sarif);
const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
if (dumpDir) {
dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
}
logger.debug(`Compressing serialized SARIF`);
const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -133088,6 +133117,21 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
sarifID
};
}
function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
if (!fs17.existsSync(outputDir)) {
fs17.mkdirSync(outputDir, { recursive: true });
} else if (!fs17.lstatSync(outputDir).isDirectory()) {
throw new ConfigurationError(
`The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
);
}
const outputFile = path17.resolve(
outputDir,
`upload${uploadTarget.sarifExtension}`
);
logger.info(`Dumping processed SARIF file to ${outputFile}`);
fs17.writeFileSync(outputFile, sarifPayload);
}
var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3;
async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
@@ -133256,7 +133300,8 @@ function toCodedErrors(errors) {
}
var WorkflowErrors = toCodedErrors({
MissingPushHook: `Please specify an on.push hook to analyze and see code scanning alerts from the default branch on the Security tab.`,
CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`
CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
InconsistentActionVersion: `Not all workflow steps that use \`github/codeql-action\` actions use the same version. Please ensure that all such steps use the same version to avoid compatibility issues.`
});
async function getWorkflow(logger) {
const maybeWorkflow = process.env["CODE_SCANNING_WORKFLOW_FILE"];

lib/init-action.js generated
View File

@@ -32287,7 +32287,7 @@ var require_package = __commonJS({
"package.json"(exports2, module2) {
module2.exports = {
name: "codeql",
version: "3.30.2",
version: "3.30.4",
private: true,
description: "CodeQL action",
scripts: {
@@ -32385,7 +32385,8 @@ var require_package = __commonJS({
},
"eslint-plugin-jsx-a11y": {
semver: ">=6.3.1"
}
},
"brace-expansion@2.0.1": "2.0.2"
}
};
}
@@ -86417,7 +86418,7 @@ function formatDuration(durationMs) {
// src/overlay-database-utils.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
async function writeBaseDatabaseOidsFile(config, sourceRoot) {
const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -86629,6 +86630,12 @@ var featureConfig = {
legacyApi: true,
minimumVersion: void 0
},
["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
minimumVersion: void 0,
toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
},
["overlay_analysis" /* OverlayAnalysis */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -86745,6 +86752,11 @@ var featureConfig = {
envVar: "CODEQL_ACTION_QA_TELEMETRY",
legacyApi: true,
minimumVersion: void 0
},
["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
minimumVersion: "2.23.0"
}
};
var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -87196,11 +87208,22 @@ function getNoLanguagesError() {
function getUnknownLanguagesError(languages) {
return `Did not recognize the following languages: ${languages.join(", ")}`;
}
async function getSupportedLanguageMap(codeql) {
const resolveResult = await codeql.betterResolveLanguages();
async function getSupportedLanguageMap(codeql, features, logger) {
const resolveSupportedLanguagesUsingCli = await features.getValue(
"resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */,
codeql
);
const resolveResult = await codeql.betterResolveLanguages({
filterToLanguagesWithQueries: resolveSupportedLanguagesUsingCli
});
if (resolveSupportedLanguagesUsingCli) {
logger.debug(
`The CodeQL CLI supports the following languages: ${Object.keys(resolveResult.extractors).join(", ")}`
);
}
const supportedLanguages = {};
for (const extractor of Object.keys(resolveResult.extractors)) {
if (KnownLanguage[extractor] !== void 0) {
if (resolveSupportedLanguagesUsingCli || KnownLanguage[extractor] !== void 0) {
supportedLanguages[extractor] = extractor;
}
}
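Review bot: when `resolveSupportedLanguagesUsingCli` is true the loop accepts every key of `resolveResult.extractors` as a language, and `betterResolveLanguages` is still invoked with `--extractor-include-aliases`. Please confirm that aliases do not surface as separate keys under the new flag, or that they are folded back to the canonical extractor after this loop; otherwise an alias and its target could both be selected and the same code analysed twice. A debug line listing the names that the `KnownLanguage` path would have rejected would also make the rollout easy to compare against the old behaviour.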
@@ -87236,14 +87259,14 @@ async function getRawLanguagesInRepo(repository, sourceRoot, logger) {
logger.debug(`Raw languages in repository: ${result.join(", ")}`);
return result;
}
async function getLanguages(codeql, languagesInput, repository, sourceRoot, logger) {
async function getLanguages(codeql, languagesInput, repository, sourceRoot, features, logger) {
const { rawLanguages, autodetected } = await getRawLanguages(
languagesInput,
repository,
sourceRoot,
logger
);
const languageMap = await getSupportedLanguageMap(codeql);
const languageMap = await getSupportedLanguageMap(codeql, features, logger);
const languagesSet = /* @__PURE__ */ new Set();
const unknownLanguages = [];
for (const language of rawLanguages) {
@@ -87311,6 +87334,7 @@ async function initActionState({
languagesInput,
repository,
sourceRoot,
features,
logger
);
const buildMode = await parseBuildModeInput(
@@ -87335,6 +87359,7 @@ async function initActionState({
augmentationProperties
);
return {
version: getActionVersion(),
analysisKinds,
languages,
buildMode,
@@ -87686,7 +87711,6 @@ async function initConfig(inputs) {
exclude: { tags: "exclude-from-incremental" }
});
}
await saveConfig(config, logger);
return config;
}
function parseRegistries(registriesInput) {
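Review bot: removing `await saveConfig(config, logger)` from `initConfig` moves responsibility for persisting the config to the caller. Whichever call site now saves it must do so after every later mutation of `config` in the init action and before any early exit; otherwise the analyze step's `getConfig` either finds no file or reads one without the `version` field that `initActionState` now adds, and fails with the new `ConfigurationError`. Unit tests that called `initConfig` and then read the file from disk will need updating as well.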
@@ -87950,7 +87974,7 @@ function getDefaultCacheConfig() {
async function makeGlobber(patterns) {
return glob.create(patterns.join("\n"));
}
async function downloadDependencyCaches(languages, logger) {
async function downloadDependencyCaches(languages, logger, minimizeJavaJars) {
const restoredCaches = [];
for (const language of languages) {
const cacheConfig = getDefaultCacheConfig()[language];
@@ -87967,8 +87991,10 @@ async function downloadDependencyCaches(languages, logger) {
);
continue;
}
const primaryKey = await cacheKey2(language, cacheConfig);
const restoreKeys = [await cachePrefix2(language)];
const primaryKey = await cacheKey2(language, cacheConfig, minimizeJavaJars);
const restoreKeys = [
await cachePrefix2(language, minimizeJavaJars)
];
logger.info(
`Downloading cache for ${language} with key ${primaryKey} and restore keys ${restoreKeys.join(
", "
@@ -87988,17 +88014,20 @@ async function downloadDependencyCaches(languages, logger) {
}
return restoredCaches;
}
async function cacheKey2(language, cacheConfig) {
async function cacheKey2(language, cacheConfig, minimizeJavaJars = false) {
const hash = await glob.hashFiles(cacheConfig.hash.join("\n"));
return `${await cachePrefix2(language)}${hash}`;
return `${await cachePrefix2(language, minimizeJavaJars)}${hash}`;
}
async function cachePrefix2(language) {
async function cachePrefix2(language, minimizeJavaJars) {
const runnerOs = getRequiredEnvParam("RUNNER_OS");
const customPrefix = process.env["CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX" /* DEPENDENCY_CACHING_PREFIX */];
let prefix = CODEQL_DEPENDENCY_CACHE_PREFIX;
if (customPrefix !== void 0 && customPrefix.length > 0) {
prefix = `${prefix}-${customPrefix}`;
}
if (language === "java" /* java */ && minimizeJavaJars) {
prefix = `minify-${prefix}`;
}
return `${prefix}-${CODEQL_DEPENDENCY_CACHE_VERSION}-${runnerOs}-${language}-`;
}
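Review bot: `cacheKey2` defaults `minimizeJavaJars` to `false` while `cachePrefix2` has no default, so a caller of `cachePrefix2` that omits the argument relies on `undefined` being falsy; give both the same explicit default. The `minify-` marker is also prepended to the whole prefix (`minify-${prefix}`), which puts it in front of the user-supplied `CODEQL_ACTION_DEPENDENCY_CACHE_PREFIX` segment rather than next to the language; that still keeps minimized and non-minimized Java caches apart, which is the important property since the cached artifacts differ, but a short comment stating that isolation is the goal would help.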
@@ -89363,13 +89392,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
);
}
},
async betterResolveLanguages() {
async betterResolveLanguages({
filterToLanguagesWithQueries
} = { filterToLanguagesWithQueries: false }) {
const codeqlArgs = [
"resolve",
"languages",
"--format=betterjson",
"--extractor-options-verbosity=4",
"--extractor-include-aliases",
...filterToLanguagesWithQueries ? ["--filter-to-languages-with-queries"] : [],
...getExtraOptionsFromEnv(["resolve", "languages"])
];
const output = await runCli(cmd, codeqlArgs);
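Review bot: `--filter-to-languages-with-queries` is only added when `filterToLanguagesWithQueries` is true, and nothing in this method checks that the CLI understands the switch; the guard lives in the feature config, where `resolve_supported_languages_using_cli` is tied to `toolsFeature: builtinExtractorsSpecifyDefaultQueries`. A one-line comment at the spread saying that the caller is responsible for only requesting the option on a CLI that supports it would save the next reader from looking for a version check here. The destructuring default `= { filterToLanguagesWithQueries: false }` is fine; a caller passing `{}` gets `undefined`, which is falsy and so behaves the same.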
@@ -89408,7 +89440,6 @@ ${output}`
"run-queries",
...flags,
databasePath,
"--intra-layer-parallelism",
"--min-disk-free=1024",
// Try to leave at least 1GB free
"-v",
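Review bot: `--intra-layer-parallelism` is dropped from the `run-queries` invocation, and the reason is not recorded anywhere in this diff. If the CLI now applies this behaviour by default or the flag has been deprecated, a comment at this spot or a changelog line should say so, since the change alters the options handed to query evaluation for every analysis.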
@@ -90110,7 +90141,8 @@ function toCodedErrors(errors) {
}
var WorkflowErrors = toCodedErrors({
MissingPushHook: `Please specify an on.push hook to analyze and see code scanning alerts from the default branch on the Security tab.`,
CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`
CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
InconsistentActionVersion: `Not all workflow steps that use \`github/codeql-action\` actions use the same version. Please ensure that all such steps use the same version to avoid compatibility issues.`
});
async function groupLanguagesByExtractor(languages, codeql) {
const resolveResult = await codeql.betterResolveLanguages();
@@ -90164,6 +90196,22 @@ async function getWorkflowErrors(doc, codeql) {
}
}
}
const codeqlStepRefs = [];
for (const job of Object.values(doc?.jobs || {})) {
if (Array.isArray(job.steps)) {
for (const step of job.steps) {
if (step.uses?.startsWith("github/codeql-action/")) {
const parts = step.uses.split("@");
if (parts.length >= 2) {
codeqlStepRefs.push(parts[parts.length - 1]);
}
}
}
}
}
if (codeqlStepRefs.length > 0 && !codeqlStepRefs.every((ref) => ref === codeqlStepRefs[0])) {
errors.push(WorkflowErrors.InconsistentActionVersion);
}
const hasPushTrigger = hasWorkflowTrigger("push", doc);
const hasPullRequestTrigger = hasWorkflowTrigger("pull_request", doc);
const hasWorkflowCallTrigger = hasWorkflowTrigger("workflow_call", doc);
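Review bot: the consistency check compares refs with strict string equality, so `v3` and `v3.30.4`, or a tag and the SHA it resolves to, are reported as inconsistent even when they point at the same commit; either normalise before comparing or word `InconsistentActionVersion` to say that the refs must be textually identical. Steps whose `uses` has no `@` are skipped silently because of the `parts.length >= 2` guard, which is reasonable, and the `startsWith("github/codeql-action/")` prefix means local (`./`) and forked copies are not considered. Note that this is a workflow warning, whereas the new `version` check in `getConfig` turns the same mismatch into a hard `ConfigurationError`; the warning text could point at that consequence.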
@@ -90585,8 +90633,16 @@ exec ${goBinaryPath} "$@"`
core13.exportVariable(envVar, "false");
}
}
const minimizeJavaJars = await features.getValue(
"java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */,
codeql
);
if (shouldRestoreCache(config.dependencyCachingEnabled)) {
await downloadDependencyCaches(config.languages, logger);
await downloadDependencyCaches(
config.languages,
logger,
minimizeJavaJars
);
}
if (await codeQlVersionAtLeast(codeql, "2.17.1")) {
} else {
@@ -90619,6 +90675,16 @@ exec ${goBinaryPath} "$@"`
core13.exportVariable("CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB", "true");
}
}
if (process.env["CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */]) {
logger.debug(
`${"CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */} is already set to '${process.env["CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */]}', so the Action will not override it.`
);
} else if (minimizeJavaJars && config.buildMode === "none" /* None */ && config.languages.includes("java" /* java */)) {
core13.exportVariable(
"CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS" /* JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS */,
"true"
);
}
const { registriesAuthTokens, qlconfigFile } = await generateRegistries(
getOptionalInput("registries"),
config.tempDir,
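Review bot: the extractor option `CODEQL_EXTRACTOR_JAVA_OPTION_MINIMIZE_DEPENDENCY_JARS` is exported only when `minimizeJavaJars && config.buildMode === "none" && config.languages.includes("java")`, but the preceding hunk passes the bare `minimizeJavaJars` value to `downloadDependencyCaches`, so a Java analysis with another build mode and the flag on restores from and saves to the `minify-` cache namespace while minimization is not actually active. Compute the combined condition once and use it for both the cache key and the export so the key reflects what the extractor will do. The `process.env[...]` truthiness check treats an explicit `"false"` as "already set" and leaves it alone, which is the right reading for a user override.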
@@ -90684,6 +90750,7 @@ exec ${goBinaryPath} "$@"`
} finally {
logUnwrittenDiagnostics();
}
await saveConfig(config, logger);
await sendCompletedStatusReport(
startedAt,
config,
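Review bot: `saveConfig` now runs after the `finally { logUnwrittenDiagnostics(); }` block, so if the body of that try throws and is not swallowed, the config is never written and later steps fail with a missing-config error rather than running on a stale one; that is the safer failure mode, but it should be deliberate, and it would be worth a comment here that the save is intentionally on the success path only.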


@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
"package.json"(exports2, module2) {
module2.exports = {
name: "codeql",
version: "3.30.2",
version: "3.30.4",
private: true,
description: "CodeQL action",
scripts: {
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
},
"eslint-plugin-jsx-a11y": {
semver: ">=6.3.1"
}
},
"brace-expansion@2.0.1": "2.0.2"
}
};
}
@@ -78419,7 +78420,7 @@ function getActionsLogger() {
// src/overlay-database-utils.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
async function writeBaseDatabaseOidsFile(config, sourceRoot) {
const gitFileOids = await getFileOidsUnderPath(sourceRoot);
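Review bot: raising `OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB` from `6e3` to `15e3` more than doubles the overlay base database the action is willing to upload (the derived `_BYTES` constant multiplies by `1e6`, so this is 15 GB, not 15 GiB). This deserves a changelog entry and a check that the artifact client and storage quotas the upload goes through accept objects of that size, since neither limit is visible here.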
@@ -78525,6 +78526,12 @@ var featureConfig = {
legacyApi: true,
minimumVersion: void 0
},
["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
minimumVersion: void 0,
toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
},
["overlay_analysis" /* OverlayAnalysis */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -78641,6 +78648,11 @@ var featureConfig = {
envVar: "CODEQL_ACTION_QA_TELEMETRY",
legacyApi: true,
minimumVersion: void 0
},
["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
minimumVersion: "2.23.0"
}
};
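Review bot: `java_minimize_dependency_jars` is gated on `minimumVersion: "2.23.0"` and `resolve_supported_languages_using_cli` on `toolsFeature`, so both flags are only honoured on a CLI that supports them, and both default to `false` with an `envVar` that lets a workflow opt in or out explicitly. Since the `CODEQL_ACTION_...` environment variables are the user-facing surface of a rollout, the changelog entry mentioned in the commit list should name them.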
@@ -78689,7 +78701,18 @@ async function getConfig(tempDir, logger) {
const configString = fs3.readFileSync(configFile, "utf8");
logger.debug("Loaded config:");
logger.debug(configString);
return JSON.parse(configString);
const config = JSON.parse(configString);
if (config.version === void 0) {
throw new ConfigurationError(
`Loaded configuration file, but it does not contain the expected 'version' field.`
);
}
if (config.version !== getActionVersion()) {
throw new ConfigurationError(
`Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
);
}
return config;
}
function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
const augmentedConfig = cloneObject(cliConfig);
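Review bot: the `version` mismatch error should name the likely cause and the fix, for example that the `init` step and this step reference different `github/codeql-action` versions and that all steps in the workflow should be pinned to the same ref; as written the user sees two version strings and has to infer the rest. Note also that the check runs after `logger.debug(configString)` has already printed the whole file, and that a malformed file still surfaces as a raw `JSON.parse` `SyntaxError` before reaching this check, which is acceptable but could be wrapped in a `ConfigurationError` for consistency.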
@@ -78941,13 +78964,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
);
}
},
async betterResolveLanguages() {
async betterResolveLanguages({
filterToLanguagesWithQueries
} = { filterToLanguagesWithQueries: false }) {
const codeqlArgs = [
"resolve",
"languages",
"--format=betterjson",
"--extractor-options-verbosity=4",
"--extractor-include-aliases",
...filterToLanguagesWithQueries ? ["--filter-to-languages-with-queries"] : [],
...getExtraOptionsFromEnv(["resolve", "languages"])
];
const output = await runCli(cmd, codeqlArgs);
@@ -78986,7 +79012,6 @@ ${output}`
"run-queries",
...flags,
databasePath,
"--intra-layer-parallelism",
"--min-disk-free=1024",
// Try to leave at least 1GB free
"-v",


@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
"package.json"(exports2, module2) {
module2.exports = {
name: "codeql",
version: "3.30.2",
version: "3.30.4",
private: true,
description: "CodeQL action",
scripts: {
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
},
"eslint-plugin-jsx-a11y": {
semver: ">=6.3.1"
}
},
"brace-expansion@2.0.1": "2.0.2"
}
};
}
@@ -76345,7 +76346,7 @@ var require_brace_expansion2 = __commonJS({
var isSequence = isNumericSequence || isAlphaSequence;
var isOptions = m.body.indexOf(",") >= 0;
if (!isSequence && !isOptions) {
if (m.post.match(/,.*\}/)) {
if (m.post.match(/,(?!,).*\}/)) {
str2 = m.pre + "{" + m.body + escClose + m.post;
return expand(str2);
}
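Review bot: this is the vendored `brace-expansion` code inside the generated bundle, and the change from `/,.*\}/` to `/,(?!,).*\}/` is the upstream 2.0.2 fix that removes the catastrophic-backtracking pattern in `expand`; it matches the `"brace-expansion@2.0.1": "2.0.2"` override added to `package.json` in this same diff. Because `lib/*.js` is generated, the source of truth is the override plus the lockfile, so the bundle regeneration must land in the same commit to keep the two from drifting, and a CI check that the committed bundle matches a fresh build would catch a future mismatch.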
@@ -117158,7 +117159,7 @@ function getActionsLogger() {
// src/overlay-database-utils.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
// src/tools-features.ts
@@ -117205,6 +117206,12 @@ var featureConfig = {
legacyApi: true,
minimumVersion: void 0
},
["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
minimumVersion: void 0,
toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
},
["overlay_analysis" /* OverlayAnalysis */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -117321,6 +117328,11 @@ var featureConfig = {
envVar: "CODEQL_ACTION_QA_TELEMETRY",
legacyApi: true,
minimumVersion: void 0
},
["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
minimumVersion: "2.23.0"
}
};
@@ -117369,7 +117381,18 @@ async function getConfig(tempDir, logger) {
const configString = fs.readFileSync(configFile, "utf8");
logger.debug("Loaded config:");
logger.debug(configString);
return JSON.parse(configString);
const config = JSON.parse(configString);
if (config.version === void 0) {
throw new ConfigurationError(
`Loaded configuration file, but it does not contain the expected 'version' field.`
);
}
if (config.version !== getActionVersion()) {
throw new ConfigurationError(
`Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
);
}
return config;
}
// src/debug-artifacts.ts

lib/start-proxy-action.js (generated)

File diff suppressed because it is too large

lib/upload-lib.js (generated)

@@ -33584,7 +33584,7 @@ var require_package = __commonJS({
"package.json"(exports2, module2) {
module2.exports = {
name: "codeql",
version: "3.30.2",
version: "3.30.4",
private: true,
description: "CodeQL action",
scripts: {
@@ -33682,7 +33682,8 @@ var require_package = __commonJS({
},
"eslint-plugin-jsx-a11y": {
semver: ">=6.3.1"
}
},
"brace-expansion@2.0.1": "2.0.2"
}
};
}
@@ -89114,7 +89115,7 @@ function formatDuration(durationMs) {
// src/overlay-database-utils.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
async function writeBaseDatabaseOidsFile(config, sourceRoot) {
const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -89221,6 +89222,12 @@ var featureConfig = {
legacyApi: true,
minimumVersion: void 0
},
["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
minimumVersion: void 0,
toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
},
["overlay_analysis" /* OverlayAnalysis */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -89337,6 +89344,11 @@ var featureConfig = {
envVar: "CODEQL_ACTION_QA_TELEMETRY",
legacyApi: true,
minimumVersion: void 0
},
["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
minimumVersion: "2.23.0"
}
};
@@ -89403,7 +89415,18 @@ async function getConfig(tempDir, logger) {
const configString = fs7.readFileSync(configFile, "utf8");
logger.debug("Loaded config:");
logger.debug(configString);
return JSON.parse(configString);
const config = JSON.parse(configString);
if (config.version === void 0) {
throw new ConfigurationError(
`Loaded configuration file, but it does not contain the expected 'version' field.`
);
}
if (config.version !== getActionVersion()) {
throw new ConfigurationError(
`Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
);
}
return config;
}
function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
const augmentedConfig = cloneObject(cliConfig);
@@ -90507,13 +90530,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
);
}
},
async betterResolveLanguages() {
async betterResolveLanguages({
filterToLanguagesWithQueries
} = { filterToLanguagesWithQueries: false }) {
const codeqlArgs = [
"resolve",
"languages",
"--format=betterjson",
"--extractor-options-verbosity=4",
"--extractor-include-aliases",
...filterToLanguagesWithQueries ? ["--filter-to-languages-with-queries"] : [],
...getExtraOptionsFromEnv(["resolve", "languages"])
];
const output = await runCli(cmd, codeqlArgs);
@@ -90552,7 +90578,6 @@ ${output}`
"run-queries",
...flags,
databasePath,
"--intra-layer-parallelism",
"--min-disk-free=1024",
// Try to leave at least 1GB free
"-v",
@@ -92422,6 +92447,10 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
logger.debug(`Serializing SARIF for upload`);
const sarifPayload = JSON.stringify(sarif);
const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
if (dumpDir) {
dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
}
logger.debug(`Compressing serialized SARIF`);
const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -92460,6 +92489,21 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
sarifID
};
}
function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
if (!fs13.existsSync(outputDir)) {
fs13.mkdirSync(outputDir, { recursive: true });
} else if (!fs13.lstatSync(outputDir).isDirectory()) {
throw new ConfigurationError(
`The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
);
}
const outputFile = path14.resolve(
outputDir,
`upload${uploadTarget.sarifExtension}`
);
logger.info(`Dumping processed SARIF file to ${outputFile}`);
fs13.writeFileSync(outputFile, sarifPayload);
}
var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3;
async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
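Review bot: `dumpSarifFile` uses `fs13.lstatSync(outputDir).isDirectory()`, which does not follow symlinks, so a `CODEQL_ACTION_SARIF_DUMP_DIR` that is a symlink to a directory is rejected with "exists and is not a directory"; `statSync` is the right call unless refusing symlinked directories is intended. The output name `upload${uploadTarget.sarifExtension}` is fixed, so if `uploadSpecifiedFiles` runs more than once in a job with the same dump directory the earlier dump is overwritten; including the category or a counter in the name would preserve them. Since the dump is the full processed SARIF written to a user-chosen path, the variable should be documented as a debugging aid, with a note that the file is not cleaned up by the action.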


@@ -26438,7 +26438,7 @@ var require_package = __commonJS({
"package.json"(exports2, module2) {
module2.exports = {
name: "codeql",
version: "3.30.2",
version: "3.30.4",
private: true,
description: "CodeQL action",
scripts: {
@@ -26536,7 +26536,8 @@ var require_package = __commonJS({
},
"eslint-plugin-jsx-a11y": {
semver: ">=6.3.1"
}
},
"brace-expansion@2.0.1": "2.0.2"
}
};
}
@@ -70467,7 +70468,7 @@ var require_brace_expansion = __commonJS({
var isSequence = isNumericSequence || isAlphaSequence;
var isOptions = m.body.indexOf(",") >= 0;
if (!isSequence && !isOptions) {
if (m.post.match(/,.*\}/)) {
if (m.post.match(/,(?!,).*\}/)) {
str2 = m.pre + "{" + m.body + escClose + m.post;
return expand(str2);
}
@@ -117319,7 +117320,7 @@ function withGroup(groupName, f) {
// src/overlay-database-utils.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
// src/tools-features.ts
@@ -117370,6 +117371,12 @@ var featureConfig = {
legacyApi: true,
minimumVersion: void 0
},
["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
minimumVersion: void 0,
toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
},
["overlay_analysis" /* OverlayAnalysis */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -117486,6 +117493,11 @@ var featureConfig = {
envVar: "CODEQL_ACTION_QA_TELEMETRY",
legacyApi: true,
minimumVersion: void 0
},
["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
minimumVersion: "2.23.0"
}
};


@@ -32287,7 +32287,7 @@ var require_package = __commonJS({
"package.json"(exports2, module2) {
module2.exports = {
name: "codeql",
version: "3.30.2",
version: "3.30.4",
private: true,
description: "CodeQL action",
scripts: {
@@ -32385,7 +32385,8 @@ var require_package = __commonJS({
},
"eslint-plugin-jsx-a11y": {
semver: ">=6.3.1"
}
},
"brace-expansion@2.0.1": "2.0.2"
}
};
}
@@ -89108,7 +89109,7 @@ function formatDuration(durationMs) {
// src/overlay-database-utils.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
async function writeBaseDatabaseOidsFile(config, sourceRoot) {
const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -89217,6 +89218,12 @@ var featureConfig = {
legacyApi: true,
minimumVersion: void 0
},
["resolve_supported_languages_using_cli" /* ResolveSupportedLanguagesUsingCli */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI",
minimumVersion: void 0,
toolsFeature: "builtinExtractorsSpecifyDefaultQueries" /* BuiltinExtractorsSpecifyDefaultQueries */
},
["overlay_analysis" /* OverlayAnalysis */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -89333,6 +89340,11 @@ var featureConfig = {
envVar: "CODEQL_ACTION_QA_TELEMETRY",
legacyApi: true,
minimumVersion: void 0
},
["java_minimize_dependency_jars" /* JavaMinimizeDependencyJars */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
minimumVersion: "2.23.0"
}
};
var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -89677,7 +89689,18 @@ async function getConfig(tempDir, logger) {
const configString = fs8.readFileSync(configFile, "utf8");
logger.debug("Loaded config:");
logger.debug(configString);
return JSON.parse(configString);
const config = JSON.parse(configString);
if (config.version === void 0) {
throw new ConfigurationError(
`Loaded configuration file, but it does not contain the expected 'version' field.`
);
}
if (config.version !== getActionVersion()) {
throw new ConfigurationError(
`Loaded a configuration file for version '${config.version}', but running version '${getActionVersion()}'`
);
}
return config;
}
function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
const augmentedConfig = cloneObject(cliConfig);
@@ -91208,13 +91231,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
);
}
},
async betterResolveLanguages() {
async betterResolveLanguages({
filterToLanguagesWithQueries
} = { filterToLanguagesWithQueries: false }) {
const codeqlArgs = [
"resolve",
"languages",
"--format=betterjson",
"--extractor-options-verbosity=4",
"--extractor-include-aliases",
...filterToLanguagesWithQueries ? ["--filter-to-languages-with-queries"] : [],
...getExtraOptionsFromEnv(["resolve", "languages"])
];
const output = await runCli(cmd, codeqlArgs);
@@ -91253,7 +91279,6 @@ ${output}`
"run-queries",
...flags,
databasePath,
"--intra-layer-parallelism",
"--min-disk-free=1024",
// Try to leave at least 1GB free
"-v",
@@ -93123,6 +93148,10 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
logger.debug(`Serializing SARIF for upload`);
const sarifPayload = JSON.stringify(sarif);
const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
if (dumpDir) {
dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
}
logger.debug(`Compressing serialized SARIF`);
const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -93161,6 +93190,21 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
sarifID
};
}
function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
if (!fs14.existsSync(outputDir)) {
fs14.mkdirSync(outputDir, { recursive: true });
} else if (!fs14.lstatSync(outputDir).isDirectory()) {
throw new ConfigurationError(
`The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
);
}
const outputFile = path15.resolve(
outputDir,
`upload${uploadTarget.sarifExtension}`
);
logger.info(`Dumping processed SARIF file to ${outputFile}`);
fs14.writeFileSync(outputFile, sarifPayload);
}
var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3;
async function waitForProcessing(repositoryNwo, sarifID, logger, options = {

package-lock.json (generated)

@@ -1,12 +1,12 @@
{
"name": "codeql",
"version": "3.30.2",
"version": "3.30.4",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "codeql",
"version": "3.30.2",
"version": "3.30.4",
"license": "MIT",
"dependencies": {
"@actions/artifact": "^2.3.1",
@@ -3164,9 +3164,9 @@
}
},
"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
"integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
"version": "2.0.2",
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
"dev": true,
"license": "MIT",
"dependencies": {
@@ -7792,9 +7792,9 @@
}
},
"node_modules/readdir-glob/node_modules/brace-expansion": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
"integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
"version": "2.0.2",
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
"license": "MIT",
"dependencies": {
"balanced-match": "^1.0.0"


@@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "3.30.2",
"version": "3.30.4",
"private": true,
"description": "CodeQL action",
"scripts": {
@@ -98,6 +98,7 @@
},
"eslint-plugin-jsx-a11y": {
"semver": ">=6.3.1"
}
},
"brace-expansion@2.0.1": "2.0.2"
}
}
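Review bot: the override key `brace-expansion@2.0.1` only rewrites dependents that resolve exactly 2.0.1, which covers the two nested copies the lockfile shows today (under `@typescript-eslint/typescript-estree` and `readdir-glob`); a future transitive bump to another affected version would slip past it. If a range key is acceptable in this project, pinning every `brace-expansion` below 2.0.2 to 2.0.2 would track the intent stated in the merge commit (`>2.0.1`) more robustly than the exact-version key.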


@@ -12,6 +12,5 @@ steps:
languages: cpp,csharp,go,java,javascript,python,ruby
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
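Review bot: removing `shell: bash` from these test steps is only safe if the generated workflows declare `defaults.run.shell: bash` at the workflow or job level, and none of the hunks in this diff shows that default being added. The steps rely on bash-only syntax (`[[ ! -d csharp ]]`, `$RUNNER_TEMP`, `if ! ls ...`), which fails under PowerShell on Windows runners, so the PR-checks generator should assert that the default is present in every emitted workflow rather than leaving it to review.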


@@ -9,7 +9,6 @@ steps:
languages: cpp,csharp,java,javascript,python
config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:


@@ -17,7 +17,6 @@ steps:
CORECLR_PROFILER_PATH_64: ""
- uses: ./../action/analyze
- name: Check database
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d csharp ]]; then


@@ -10,7 +10,6 @@ env:
CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
steps:
- name: Test setup
shell: bash
run: |
# Make sure that Gradle build succeeds in autobuild-dir ...
cp -a ../action/tests/java-repo autobuild-dir
@@ -22,7 +21,6 @@ steps:
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check that indirect tracing is disabled
shell: bash
run: |
if [[ ! -z "${CODEQL_RUNNER}" ]]; then
echo "Expected indirect tracing to be disabled, but the" \


@@ -7,7 +7,6 @@ env:
CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
steps:
- name: Set up Java test repo configuration
shell: bash
run: |
mv * .github ../action/tests/multi-language-repo/
mv ../action/tests/multi-language-repo/.github/workflows .github
@@ -22,7 +21,6 @@ steps:
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check that indirect tracing is disabled
shell: bash
run: |
if [[ ! -z "${CODEQL_RUNNER}" ]]; then
echo "Expected indirect tracing to be disabled, but the" \


@@ -22,7 +22,6 @@ steps:
fi
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze


@@ -6,7 +6,6 @@ env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
@@ -18,8 +17,7 @@ steps:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
- shell: bash
run: |
- run: |
if ls /usr/bin/errno; then
echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
exit 1


@@ -6,7 +6,6 @@ env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
@@ -18,8 +17,7 @@ steps:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
- shell: bash
run: |
- run: |
if ! ls /usr/bin/errno; then
echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
else


@@ -6,7 +6,6 @@ env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
@@ -18,8 +17,7 @@ steps:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
- shell: bash
run: |
- run: |
if ! ls /usr/bin/errno; then
echo "Did not autoinstall errno"
exit 1


@@ -10,7 +10,6 @@ steps:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Add test diagnostics
shell: bash
env:
CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
run: |


@@ -11,7 +11,6 @@ steps:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
@@ -23,7 +22,6 @@ steps:
path: "${{ runner.temp }}/results/javascript.sarif"
retention-days: 7
- name: Check results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
expected_baseline_languages="c csharp go java kotlin javascript python ruby"


@@ -9,7 +9,6 @@ steps:
ram: 230
threads: 1
- name: Assert Results
shell: bash
run: |
if [ "${CODEQL_RAM}" != "230" ]; then
echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"


@@ -16,6 +16,5 @@ steps:
config-file: ./.github/codeql/custom-queries.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze

Some files were not shown because too many files have changed in this diff.