XXX

Mergeback v4.31.0 refs/heads/releases/v4 into main

.github/actions/check-sarif/action.yml

@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: node20
+  using: node24
   main: index.js

.github/sizeup.yml

@@ -0,0 +1,55 @@
+labeling:
+  applyCategoryLabels: true
+  categoryLabelPrefix: "size/"
+
+commenting:
+  addCommentWhenScoreThresholdHasBeenExceeded: false
+
+sizeup:
+  categories:
+    - name: extra small
+      lte: 25
+      label:
+        name: XS
+        description: Should be very easy to review
+        color: 3cbf00
+    - name: small
+      lte: 100
+      label:
+        name: S
+        description: Should be easy to review
+        color: 5d9801
+    - name: medium
+      lte: 250
+      label:
+        name: M
+        description: Should be of average difficulty to review
+        color: 7f7203
+    - name: large
+      lte: 500
+      label:
+        name: L
+        description: May be hard to review
+        color: a14c05
+    - name: extra large
+      lte: 1000
+      label:
+        name: XL
+        description: May be very hard to review
+        color: c32607
+    - name: extra extra large
+      label:
+        name: XXL
+        description: May be extremely hard to review
+        color: e50009
+  ignoredFilePatterns:
+    - ".github/workflows/__*"
+    - "lib/**/*"
+    - "package-lock.json"
+  testFilePatterns:
+    - "**/*.test.ts"
+  scoring:
+    # This formula and the aliases below it are written in prefix notation.
+    # For an explanation of how this works, please see:
+    # https://github.com/lerebear/sizeup-core/blob/main/README.md#prefix-notation
+    formula: "- - + additions deletions comments whitespace"

.github/workflows/__analyze-ref-input.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -70,6 +80,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__bundle-from-toolcache.yml

@@ -67,10 +67,9 @@ jobs:
             if (allCodeqlVersions.length === 0) {
               throw new Error(`CodeQL could not be found in the toolcache`);
             }
-      - id: init
-        uses: ./../action/init
+      - id: setup-codeql
+        uses: ./../action/setup-codeql
         with:
-          languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Check CodeQL is installed within the toolcache
         uses: actions/github-script@v8

.github/workflows/__config-input.yml

@@ -49,7 +49,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__local-bundle.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -70,6 +80,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Fetch latest CodeQL bundle
         run: |
           wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst

.github/workflows/__multi-language-autodetect.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -104,6 +114,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Use Xcode 16
         if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
         run: sudo xcode-select -s "/Applications/Xcode_16.app"

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -63,7 +73,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 20.x
           cache: npm
@@ -81,6 +91,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__packaging-config-inputs-js.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__packaging-config-js.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__packaging-inputs-js.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v5
       - name: Install Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 20.x
           cache: npm

.github/workflows/__quality-queries.yml

@@ -80,6 +80,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
           upload-database: false
+          post-processed-sarif-path: ${{ runner.temp }}/post-processed
       - name: Upload security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
         uses: actions/upload-artifact@v4
@@ -96,6 +97,14 @@ jobs:
             quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
           path: ${{ runner.temp }}/results/javascript.quality.sarif
           retention-days: 7
+      - name: Upload post-processed SARIF
+        uses: actions/upload-artifact@v4
+        with:
+          name: |
+            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
+          path: ${{ runner.temp }}/post-processed
+          retention-days: 7
+          if-no-files-found: error
       - name: Check quality query does not appear in security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
         uses: actions/github-script@v8

.github/workflows/__remote-config.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -72,6 +82,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__unset-environment.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -72,6 +82,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         id: init
         with:

.github/workflows/__upload-ref-sha-input.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -70,6 +80,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__upload-sarif.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -77,6 +87,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - uses: ./../action/init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__with-checkout-path.yml

@@ -27,6 +27,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
   workflow_call:
     inputs:
       go-version:
@@ -34,6 +39,11 @@ on:
         description: The version of Go to install
         required: false
         default: '>=1.21.0'
+      python-version:
+        type: string
+        description: The version of Python to install
+        required: false
+        default: '3.13'
 defaults:
   run:
     shell: bash
@@ -70,6 +80,11 @@ jobs:
         with:
           go-version: ${{ inputs.go-version || '>=1.21.0' }}
           cache: false
+      - name: Install Python
+        if: matrix.version != 'nightly-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ inputs.python-version || '3.13' }}
       - name: Delete original checkout
         run: |
           # delete the original checkout so we don't accidentally use it.

.github/workflows/codescanning-config-cli.yml

@@ -56,7 +56,7 @@ jobs:
       uses: actions/checkout@v5
 
     - name: Set up Node.js
-      uses: actions/setup-node@v5
+      uses: actions/setup-node@v6
       with:
         node-version: 24
         cache: 'npm'

.github/workflows/label-pr-size.yml

@@ -0,0 +1,26 @@
+name: Label PR with size
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - edited
+      - ready_for_review
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  sizeup:
+    name: Label PR with size
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Run sizeup
+        uses: lerebear/sizeup-action@b7beb3dd273e36039e16e48e7bc690c189e61951 # 0.8.12
+        with:
+          token: "${{ secrets.GITHUB_TOKEN }}"
+          configuration-file-path: ".github/sizeup.yml"

.github/workflows/post-release-mergeback.yml

@@ -47,7 +47,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0  # ensure we have all tags and can push commits
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v6
 
       - name: Update git config
         run: |
@@ -146,6 +146,7 @@ jobs:
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
 
       - name: Create the GitHub release
+        if: steps.check.outputs.exists != 'true'
         env:
           PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
           VERSION: "${{ steps.getVersion.outputs.version }}"

.github/workflows/pr-checks.yml

@@ -35,7 +35,7 @@ jobs:
       - uses: actions/checkout@v5
 
       - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'

.github/workflows/query-filters.yml

@@ -32,7 +32,7 @@ jobs:
       uses: actions/checkout@v5
 
     - name: Install Node.js
-      uses: actions/setup-node@v5
+      uses: actions/setup-node@v6
       with:
         node-version: 24
         cache: npm

.github/workflows/update-bundle.yml

@@ -41,7 +41,7 @@ jobs:
           git config --global user.name "github-actions[bot]"
 
       - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 24
           cache: 'npm'

CHANGELOG.md

@@ -2,14 +2,28 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
-## 3.30.8 - 10 Oct 2025
+## [UNRELEASED]
 
 No user facing changes.
 
-## 3.30.7 - 06 Oct 2025
+## 4.31.0 - 24 Oct 2025
+
+- Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)
+- When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. [#3222](https://github.com/github/codeql-action/pull/3222)
+
+## 4.30.9 - 17 Oct 2025
+
+- Update default CodeQL bundle version to 2.23.3. [#3205](https://github.com/github/codeql-action/pull/3205)
+- Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#3204](https://github.com/github/codeql-action/pull/3204)
+
+## 4.30.8 - 10 Oct 2025
 
 No user facing changes.
 
+## 4.30.7 - 06 Oct 2025
+
+- [v4+ only] The CodeQL Action now runs on Node.js v24. [#3169](https://github.com/github/codeql-action/pull/3169)
+
 ## 3.30.6 - 02 Oct 2025
 
 - Update default CodeQL bundle version to 2.23.2. [#3168](https://github.com/github/codeql-action/pull/3168)
@@ -244,13 +258,17 @@ No user facing changes.
 ## 3.26.12 - 07 Oct 2024
 
 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)
+
   - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
+
   - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
 
 ## 3.26.11 - 03 Oct 2024
 
 - _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.
+
   Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
+
   This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
 - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)
 
@@ -373,9 +391,12 @@ No user facing changes.
 ## 3.25.0 - 15 Apr 2024
 
 - The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://github.com/github/codeql-action/pull/2224)
+
   As a result, the following inputs and environment variables are now ignored:
+
   - The `setup-python-dependencies` input to the `init` Action
   - The `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION` environment variable
+
   We recommend removing any references to these from your workflows. For more information, see the release notes for CodeQL Action v3.23.0 and v2.23.0.
 - Automatically overwrite an existing database if found on the filesystem. [#2229](https://github.com/github/codeql-action/pull/2229)
 - Bump the minimum CodeQL bundle version to 2.12.6. [#2232](https://github.com/github/codeql-action/pull/2232)

README.md

@@ -34,6 +34,7 @@ Actions with special purposes and unlikely to be used directly:
 - `autobuild`: Attempts to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead. For information about input parameters, see the [autobuild action definition](https://github.com/github/codeql-action/blob/main/autobuild/action.yml).
 - `resolve-environment`: [Experimental] Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the [resolve-environment action definition](https://github.com/github/codeql-action/blob/main/resolve-environment/action.yml).
 - `start-proxy`: [Experimental] Start the HTTP proxy server. Internal use only and will change without notice. For information about input parameters, see the [start-proxy action definition](https://github.com/github/codeql-action/blob/main/start-proxy/action.yml).
+- `setup-codeql`: [Experimental] Similar to `init`, except it only installs the CodeQL CLI and does not initialize a database.
 
 ### Workflow Permissions
 

analyze/action.yml

@@ -6,7 +6,7 @@ inputs:
     description: The name of the check run to add text to.
     required: false
   output:
-    description: The path of the directory in which to save the SARIF results
+    description: The path of the directory in which to save the SARIF results from the CodeQL CLI.
     required: false
     default: "../results"
   upload:
@@ -70,6 +70,12 @@ inputs:
     description: Whether to upload the resulting CodeQL database
     required: false
     default: "true"
+  post-processed-sarif-path:
+    description: >-
+      Before uploading the SARIF files produced by the CodeQL CLI, the CodeQL Action may perform some post-processing
+      on them. Ordinarily, these post-processed SARIF files are not saved to disk. However, if a path is provided as an
+      argument for this input, they are written to the specified directory.
+    required: false
   wait-for-processing:
     description: If true, the Action will wait for the uploaded SARIF to be processed before completing.
     required: true
@@ -92,6 +98,6 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: node20
+  using: node24
   main: "../lib/analyze-action.js"
   post: "../lib/analyze-action-post.js"

autobuild/action.yml

@@ -15,5 +15,5 @@ inputs:
       $GITHUB_WORKSPACE as its working directory.
     required: false
 runs:
-  using: node20
+  using: node24
   main: '../lib/autobuild-action.js'

eslint.config.mjs

@@ -131,6 +131,7 @@ export default [
       "no-sequences": "error",
       "no-shadow": "off",
       "@typescript-eslint/no-shadow": "error",
+      "@typescript-eslint/prefer-optional-chain": "error",
       "one-var": ["error", "never"],
     },
   },

init/action.yml

@@ -165,6 +165,6 @@ outputs:
   codeql-version:
     description: The version of the CodeQL binary used for analysis
 runs:
-  using: node20
+  using: node24
   main: '../lib/init-action.js'
   post: '../lib/init-action-post.js'

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.2",
-  "cliVersion": "2.23.2",
-  "priorBundleVersion": "codeql-bundle-v2.23.1",
-  "priorCliVersion": "2.23.1"
+  "bundleVersion": "codeql-bundle-v2.23.3",
+  "cliVersion": "2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorCliVersion": "2.23.2"
 }

lib/upload-lib.js

@@ -20885,19 +20885,19 @@ var require_validator = __commonJS({
     var SchemaError = helpers.SchemaError;
     var SchemaContext = helpers.SchemaContext;
     var anonymousBase = "/";
-    var Validator2 = function Validator3() {
-      this.customFormats = Object.create(Validator3.prototype.customFormats);
+    var Validator3 = function Validator4() {
+      this.customFormats = Object.create(Validator4.prototype.customFormats);
       this.schemas = {};
       this.unresolvedRefs = [];
       this.types = Object.create(types);
       this.attributes = Object.create(attribute.validators);
     };
-    Validator2.prototype.customFormats = {};
-    Validator2.prototype.schemas = null;
-    Validator2.prototype.types = null;
-    Validator2.prototype.attributes = null;
-    Validator2.prototype.unresolvedRefs = null;
-    Validator2.prototype.addSchema = function addSchema(schema2, base) {
+    Validator3.prototype.customFormats = {};
+    Validator3.prototype.schemas = null;
+    Validator3.prototype.types = null;
+    Validator3.prototype.attributes = null;
+    Validator3.prototype.unresolvedRefs = null;
+    Validator3.prototype.addSchema = function addSchema(schema2, base) {
       var self2 = this;
       if (!schema2) {
         return null;
@@ -20915,25 +20915,25 @@ var require_validator = __commonJS({
       });
       return this.schemas[ourUri];
     };
-    Validator2.prototype.addSubSchemaArray = function addSubSchemaArray(baseuri, schemas) {
+    Validator3.prototype.addSubSchemaArray = function addSubSchemaArray(baseuri, schemas) {
       if (!Array.isArray(schemas)) return;
       for (var i = 0; i < schemas.length; i++) {
         this.addSubSchema(baseuri, schemas[i]);
       }
     };
-    Validator2.prototype.addSubSchemaObject = function addSubSchemaArray(baseuri, schemas) {
+    Validator3.prototype.addSubSchemaObject = function addSubSchemaArray(baseuri, schemas) {
       if (!schemas || typeof schemas != "object") return;
       for (var p in schemas) {
         this.addSubSchema(baseuri, schemas[p]);
       }
     };
-    Validator2.prototype.setSchemas = function setSchemas(schemas) {
+    Validator3.prototype.setSchemas = function setSchemas(schemas) {
       this.schemas = schemas;
     };
-    Validator2.prototype.getSchema = function getSchema(urn) {
+    Validator3.prototype.getSchema = function getSchema(urn) {
       return this.schemas[urn];
     };
-    Validator2.prototype.validate = function validate(instance, schema2, options, ctx) {
+    Validator3.prototype.validate = function validate(instance, schema2, options, ctx) {
       if (typeof schema2 !== "boolean" && typeof schema2 !== "object" || schema2 === null) {
         throw new SchemaError("Expected `schema` to be an object or boolean");
       }
@@ -20971,7 +20971,7 @@ var require_validator = __commonJS({
       if (typeof ref == "string") return ref;
       return false;
     }
-    Validator2.prototype.validateSchema = function validateSchema(instance, schema2, options, ctx) {
+    Validator3.prototype.validateSchema = function validateSchema(instance, schema2, options, ctx) {
       var result = new ValidatorResult(instance, schema2, options, ctx);
       if (typeof schema2 === "boolean") {
         if (schema2 === true) {
@@ -21021,17 +21021,17 @@ var require_validator = __commonJS({
       }
       return result;
     };
-    Validator2.prototype.schemaTraverser = function schemaTraverser(schemaobj, s) {
+    Validator3.prototype.schemaTraverser = function schemaTraverser(schemaobj, s) {
       schemaobj.schema = helpers.deepMerge(schemaobj.schema, this.superResolve(s, schemaobj.ctx));
     };
-    Validator2.prototype.superResolve = function superResolve(schema2, ctx) {
+    Validator3.prototype.superResolve = function superResolve(schema2, ctx) {
       var ref = shouldResolve(schema2);
       if (ref) {
         return this.resolve(schema2, ref, ctx).subschema;
       }
       return schema2;
     };
-    Validator2.prototype.resolve = function resolve6(schema2, switchSchema, ctx) {
+    Validator3.prototype.resolve = function resolve6(schema2, switchSchema, ctx) {
       switchSchema = ctx.resolve(switchSchema);
       if (ctx.schemas[switchSchema]) {
         return { subschema: ctx.schemas[switchSchema], switchSchema };
@@ -21048,7 +21048,7 @@ var require_validator = __commonJS({
       }
       return { subschema, switchSchema };
     };
-    Validator2.prototype.testType = function validateType(instance, schema2, options, ctx, type2) {
+    Validator3.prototype.testType = function validateType(instance, schema2, options, ctx, type2) {
       if (type2 === void 0) {
         return;
       } else if (type2 === null) {
@@ -21063,7 +21063,7 @@ var require_validator = __commonJS({
       }
       return true;
     };
-    var types = Validator2.prototype.types = {};
+    var types = Validator3.prototype.types = {};
     types.string = function testString(instance) {
       return typeof instance == "string";
     };
@@ -21091,7 +21091,7 @@ var require_validator = __commonJS({
     types.object = function testObject(instance) {
       return instance && typeof instance === "object" && !Array.isArray(instance) && !(instance instanceof Date);
     };
-    module2.exports = Validator2;
+    module2.exports = Validator3;
   }
 });
 
@@ -21099,7 +21099,7 @@ var require_validator = __commonJS({
 var require_lib2 = __commonJS({
   "node_modules/jsonschema/lib/index.js"(exports2, module2) {
     "use strict";
-    var Validator2 = module2.exports.Validator = require_validator();
+    var Validator3 = module2.exports.Validator = require_validator();
     module2.exports.ValidatorResult = require_helpers().ValidatorResult;
     module2.exports.ValidatorResultError = require_helpers().ValidatorResultError;
     module2.exports.ValidationError = require_helpers().ValidationError;
@@ -21107,7 +21107,7 @@ var require_lib2 = __commonJS({
     module2.exports.SchemaScanResult = require_scan().SchemaScanResult;
     module2.exports.scan = require_scan().scan;
     module2.exports.validate = function(instance, schema2, options) {
-      var v = new Validator2();
+      var v = new Validator3();
       return v.validate(instance, schema2, options);
     };
   }
@@ -21899,14 +21899,14 @@ var require_dist_node4 = __commonJS({
     var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
     var dist_src_exports = {};
     __export2(dist_src_exports, {
-      RequestError: () => RequestError2
+      RequestError: () => RequestError
     });
     module2.exports = __toCommonJS2(dist_src_exports);
     var import_deprecation = require_dist_node3();
     var import_once = __toESM2(require_once());
     var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
     var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError2 = class extends Error {
+    var RequestError = class extends Error {
       constructor(message, statusCode, options) {
         super(message);
         if (Error.captureStackTrace) {
@@ -21998,7 +21998,7 @@ var require_dist_node5 = __commonJS({
       const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
       return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
     }
-    var import_request_error2 = require_dist_node4();
+    var import_request_error = require_dist_node4();
     function getBufferResponse(response) {
       return response.arrayBuffer();
     }
@@ -22050,7 +22050,7 @@ var require_dist_node5 = __commonJS({
           if (status < 400) {
             return;
           }
-          throw new import_request_error2.RequestError(response.statusText, status, {
+          throw new import_request_error.RequestError(response.statusText, status, {
             response: {
               url: url2,
               status,
@@ -22061,7 +22061,7 @@ var require_dist_node5 = __commonJS({
           });
         }
         if (status === 304) {
-          throw new import_request_error2.RequestError("Not modified", status, {
+          throw new import_request_error.RequestError("Not modified", status, {
             response: {
               url: url2,
               status,
@@ -22073,7 +22073,7 @@ var require_dist_node5 = __commonJS({
         }
         if (status >= 400) {
           const data = await getResponseData(response);
-          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
             response: {
               url: url2,
               status,
@@ -22093,7 +22093,7 @@ var require_dist_node5 = __commonJS({
           data
         };
       }).catch((error2) => {
-        if (error2 instanceof import_request_error2.RequestError)
+        if (error2 instanceof import_request_error.RequestError)
           throw error2;
         else if (error2.name === "AbortError")
           throw error2;
@@ -22105,7 +22105,7 @@ var require_dist_node5 = __commonJS({
             message = error2.cause;
           }
         }
-        throw new import_request_error2.RequestError(message, 500, {
+        throw new import_request_error.RequestError(message, 500, {
           request: requestOptions
         });
       });
@@ -22547,14 +22547,14 @@ var require_dist_node7 = __commonJS({
     var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
     var dist_src_exports = {};
     __export2(dist_src_exports, {
-      RequestError: () => RequestError2
+      RequestError: () => RequestError
     });
     module2.exports = __toCommonJS2(dist_src_exports);
     var import_deprecation = require_dist_node3();
     var import_once = __toESM2(require_once());
     var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
     var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError2 = class extends Error {
+    var RequestError = class extends Error {
       constructor(message, statusCode, options) {
         super(message);
         if (Error.captureStackTrace) {
@@ -22646,7 +22646,7 @@ var require_dist_node8 = __commonJS({
       const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
       return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
     }
-    var import_request_error2 = require_dist_node7();
+    var import_request_error = require_dist_node7();
     function getBufferResponse(response) {
       return response.arrayBuffer();
     }
@@ -22698,7 +22698,7 @@ var require_dist_node8 = __commonJS({
           if (status < 400) {
             return;
           }
-          throw new import_request_error2.RequestError(response.statusText, status, {
+          throw new import_request_error.RequestError(response.statusText, status, {
             response: {
               url: url2,
               status,
@@ -22709,7 +22709,7 @@ var require_dist_node8 = __commonJS({
           });
         }
         if (status === 304) {
-          throw new import_request_error2.RequestError("Not modified", status, {
+          throw new import_request_error.RequestError("Not modified", status, {
             response: {
               url: url2,
               status,
@@ -22721,7 +22721,7 @@ var require_dist_node8 = __commonJS({
         }
         if (status >= 400) {
           const data = await getResponseData(response);
-          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
             response: {
               url: url2,
               status,
@@ -22741,7 +22741,7 @@ var require_dist_node8 = __commonJS({
           data
         };
       }).catch((error2) => {
-        if (error2 instanceof import_request_error2.RequestError)
+        if (error2 instanceof import_request_error.RequestError)
           throw error2;
         else if (error2.name === "AbortError")
           throw error2;
@@ -22753,7 +22753,7 @@ var require_dist_node8 = __commonJS({
             message = error2.cause;
           }
         }
-        throw new import_request_error2.RequestError(message, 500, {
+        throw new import_request_error.RequestError(message, 500, {
           request: requestOptions
         });
       });
@@ -33606,7 +33606,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.8",
+      version: "4.31.1",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -33654,7 +33654,7 @@ var require_package = __commonJS({
         jsonschema: "1.4.1",
         long: "^5.3.2",
         "node-forge": "^1.3.1",
-        octokit: "^5.0.3",
+        octokit: "^5.0.4",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },
@@ -33662,7 +33662,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.0",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.37.0",
+        "@eslint/js": "^9.38.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^15.0.0",
         "@types/archiver": "^6.0.3",
@@ -33673,10 +33673,10 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.0",
+        "@typescript-eslint/eslint-plugin": "^8.46.1",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.10",
+        esbuild: "^0.25.11",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
@@ -35065,14 +35065,14 @@ var require_dist_node14 = __commonJS({
     var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
     var dist_src_exports = {};
     __export2(dist_src_exports, {
-      RequestError: () => RequestError2
+      RequestError: () => RequestError
     });
     module2.exports = __toCommonJS2(dist_src_exports);
     var import_deprecation = require_dist_node3();
     var import_once = __toESM2(require_once());
     var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
     var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError2 = class extends Error {
+    var RequestError = class extends Error {
       constructor(message, statusCode, options) {
         super(message);
         if (Error.captureStackTrace) {
@@ -35174,7 +35174,7 @@ var require_dist_node15 = __commonJS({
       throw error2;
     }
     var import_light = __toESM2(require_light());
-    var import_request_error2 = require_dist_node14();
+    var import_request_error = require_dist_node14();
     async function wrapRequest(state, octokit, request, options) {
       const limiter = new import_light.default();
       limiter.on("failed", function(error2, info4) {
@@ -35195,7 +35195,7 @@ var require_dist_node15 = __commonJS({
       if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
         response.data.errors[0].message
       )) {
-        const error2 = new import_request_error2.RequestError(response.data.errors[0].message, 500, {
+        const error2 = new import_request_error.RequestError(response.data.errors[0].message, 500, {
           request: options,
           response
         });
@@ -80921,14 +80921,14 @@ var require_tool_cache = __commonJS({
     var assert_1 = require("assert");
     var exec_1 = require_exec();
     var retry_helper_1 = require_retry_helper();
-    var HTTPError = class extends Error {
+    var HTTPError2 = class extends Error {
       constructor(httpStatusCode) {
         super(`Unexpected HTTP response: ${httpStatusCode}`);
         this.httpStatusCode = httpStatusCode;
         Object.setPrototypeOf(this, new.target.prototype);
       }
     };
-    exports2.HTTPError = HTTPError;
+    exports2.HTTPError = HTTPError2;
     var IS_WINDOWS = process.platform === "win32";
     var IS_MAC = process.platform === "darwin";
     var userAgent = "actions/tool-cache";
@@ -80945,7 +80945,7 @@ var require_tool_cache = __commonJS({
         return yield retryHelper.execute(() => __awaiter4(this, void 0, void 0, function* () {
           return yield downloadToolAttempt(url2, dest || "", auth, headers);
         }), (err) => {
-          if (err instanceof HTTPError && err.httpStatusCode) {
+          if (err instanceof HTTPError2 && err.httpStatusCode) {
             if (err.httpStatusCode < 500 && err.httpStatusCode !== 408 && err.httpStatusCode !== 429) {
               return false;
             }
@@ -80972,7 +80972,7 @@ var require_tool_cache = __commonJS({
         }
         const response = yield http.get(url2, headers);
         if (response.message.statusCode !== 200) {
-          const err = new HTTPError(response.message.statusCode);
+          const err = new HTTPError2(response.message.statusCode);
           core12.debug(`Failed to download from "${url2}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`);
           throw err;
         }
@@ -84847,6 +84847,7 @@ __export(upload_lib_exports, {
   getGroupedSarifFilePaths: () => getGroupedSarifFilePaths,
   getSarifFilePaths: () => getSarifFilePaths,
   populateRunAutomationDetails: () => populateRunAutomationDetails,
+  postProcessSarifFiles: () => postProcessSarifFiles,
   readSarifFile: () => readSarifFile,
   shouldConsiderConfigurationError: () => shouldConsiderConfigurationError,
   shouldConsiderInvalidRequest: () => shouldConsiderInvalidRequest,
@@ -84854,10 +84855,11 @@ __export(upload_lib_exports, {
   throwIfCombineSarifFilesDisabled: () => throwIfCombineSarifFilesDisabled,
   uploadFiles: () => uploadFiles,
   uploadPayload: () => uploadPayload,
-  uploadSpecifiedFiles: () => uploadSpecifiedFiles,
+  uploadPostProcessedFiles: () => uploadPostProcessedFiles,
   validateSarifFileSchema: () => validateSarifFileSchema,
   validateUniqueCategory: () => validateUniqueCategory,
-  waitForProcessing: () => waitForProcessing
+  waitForProcessing: () => waitForProcessing,
+  writePostProcessedFiles: () => writePostProcessedFiles
 });
 module.exports = __toCommonJS(upload_lib_exports);
 var fs13 = __toESM(require("fs"));
@@ -84865,7 +84867,7 @@ var path14 = __toESM(require("path"));
 var url = __toESM(require("url"));
 var import_zlib = __toESM(require("zlib"));
 var core11 = __toESM(require_core());
-var jsonschema = __toESM(require_lib2());
+var jsonschema2 = __toESM(require_lib2());
 
 // src/actions-util.ts
 var fs4 = __toESM(require("fs"));
@@ -88328,13 +88330,35 @@ function getRequiredEnvParam(paramName) {
   }
   return value;
 }
+function getOptionalEnvVar(paramName) {
+  const value = process.env[paramName];
+  if (value?.trim().length === 0) {
+    return void 0;
+  }
+  return value;
+}
+var HTTPError = class extends Error {
+  constructor(message, status) {
+    super(message);
+    this.status = status;
+  }
+};
 var ConfigurationError = class extends Error {
   constructor(message) {
     super(message);
   }
 };
-function isHTTPError(arg) {
-  return arg?.status !== void 0 && Number.isInteger(arg.status);
+function asHTTPError(arg) {
+  if (typeof arg !== "object" || arg === null || typeof arg.message !== "string") {
+    return void 0;
+  }
+  if (Number.isInteger(arg.status)) {
+    return new HTTPError(arg.message, arg.status);
+  }
+  if (Number.isInteger(arg.httpStatusCode)) {
+    return new HTTPError(arg.message, arg.httpStatusCode);
+  }
+  return void 0;
 }
 var cachedCodeQlVersion = void 0;
 function cacheCodeQlVersion(version) {
@@ -88747,14 +88771,24 @@ function computeAutomationID(analysis_key, environment) {
   return automationID;
 }
 function wrapApiConfigurationError(e) {
-  if (isHTTPError(e)) {
-    if (e.message.includes("API rate limit exceeded for installation") || e.message.includes("commit not found") || e.message.includes("Resource not accessible by integration") || /ref .* not found in this repository/.test(e.message)) {
-      return new ConfigurationError(e.message);
-    } else if (e.message.includes("Bad credentials") || e.message.includes("Not Found")) {
+  const httpError = asHTTPError(e);
+  if (httpError !== void 0) {
+    if ([
+      /API rate limit exceeded/,
+      /commit not found/,
+      /Resource not accessible by integration/,
+      /ref .* not found in this repository/
+    ].some((pattern) => pattern.test(httpError.message))) {
+      return new ConfigurationError(httpError.message);
+    }
+    if (httpError.message.includes("Bad credentials") || httpError.message.includes("Not Found")) {
       return new ConfigurationError(
         "Please check that your token is valid and has the required permissions: contents: read, security-events: write"
       );
     }
+    if (httpError.status === 429) {
+      return new ConfigurationError("API rate limit exceeded");
+    }
   }
   return e;
 }
@@ -88765,45 +88799,6 @@ var path12 = __toESM(require("path"));
 var core10 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());
 
-// node_modules/@octokit/request-error/dist-src/index.js
-var RequestError = class extends Error {
-  name;
-  /**
-   * http status code
-   */
-  status;
-  /**
-   * Request options that lead to the error.
-   */
-  request;
-  /**
-   * Response object if a response was received
-   */
-  response;
-  constructor(message, statusCode, options) {
-    super(message);
-    this.name = "HttpError";
-    this.status = Number.parseInt(statusCode);
-    if (Number.isNaN(this.status)) {
-      this.status = 0;
-    }
-    if ("response" in options) {
-      this.response = options.response;
-    }
-    const requestCopy = Object.assign({}, options.request);
-    if (options.request.headers.authorization) {
-      requestCopy.headers = Object.assign({}, options.request.headers, {
-        authorization: options.request.headers.authorization.replace(
-          /(?<! ) .*$/,
-          " [REDACTED]"
-        )
-      });
-    }
-    requestCopy.url = requestCopy.url.replace(/\bclient_secret=\w+/g, "client_secret=[REDACTED]").replace(/\baccess_token=\w+/g, "access_token=[REDACTED]");
-    this.request = requestCopy;
-  }
-};
-
 // src/cli-errors.ts
 var SUPPORTED_PLATFORMS = [
   ["linux", "x64"],
@@ -88971,6 +88966,9 @@ var cliErrorsConfig = {
     cliErrorMessageCandidates: [
       new RegExp(
         "Query pack .* cannot be found\\. Check the spelling of the pack\\."
+      ),
+      new RegExp(
+        "is not a .ql file, .qls file, a directory, or a query pack specification."
       )
     ]
   },
@@ -89049,6 +89047,7 @@ var path9 = __toESM(require("path"));
 var core6 = __toESM(require_core());
 
 // src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
 var semver2 = __toESM(require_semver2());
 var PACK_IDENTIFIER_PATTERN = (function() {
   const alphaNumeric = "[a-z0-9]";
@@ -89065,8 +89064,8 @@ var path8 = __toESM(require("path"));
 var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var fs5 = __toESM(require("fs"));
@@ -89286,7 +89285,7 @@ function formatDuration(durationMs) {
 
 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
   const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -89359,6 +89358,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
     minimumVersion: void 0
   },
+  ["analyze_use_new_upload" /* AnalyzeUseNewUpload */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
+    minimumVersion: void 0
+  },
   ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -89530,6 +89534,11 @@ var featureConfig = {
     defaultValue: false,
     envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
     minimumVersion: "2.23.0"
+  },
+  ["validate_db_config" /* ValidateDbConfig */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
+    minimumVersion: void 0
   }
 };
 
@@ -89708,13 +89717,13 @@ async function getTarVersion() {
   }
   if (stdout.includes("GNU tar")) {
     const match = stdout.match(/tar \(GNU tar\) ([0-9.]+)/);
-    if (!match || !match[1]) {
+    if (!match?.[1]) {
       throw new Error("Failed to parse output of tar --version.");
     }
     return { type: "gnu", version: match[1] };
   } else if (stdout.includes("bsdtar")) {
     const match = stdout.match(/bsdtar ([0-9.]+)/);
-    if (!match || !match[1]) {
+    if (!match?.[1]) {
       throw new Error("Failed to parse output of tar --version.");
     }
     return { type: "bsd", version: match[1] };
@@ -90094,7 +90103,7 @@ function tryGetTagNameFromUrl(url2, logger) {
     return void 0;
   }
   const match = matches[matches.length - 1];
-  if (match === null || match.length !== 2) {
+  if (match?.length !== 2) {
     logger.debug(
       `Could not determine tag name for URL ${url2}. Matched ${JSON.stringify(
         match
@@ -90554,7 +90563,7 @@ async function shouldEnableIndirectTracing(codeql, config) {
 
 // src/codeql.ts
 var cachedCodeQL = void 0;
-var CODEQL_MINIMUM_VERSION = "2.16.6";
+var CODEQL_MINIMUM_VERSION = "2.17.6";
 var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
 var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
@@ -90598,9 +90607,9 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
       toolsVersion,
       zstdAvailability
     };
-  } catch (e) {
-    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") || // out of disk space
-    e instanceof RequestError && e.status === 429 ? ConfigurationError : Error;
+  } catch (rawError) {
+    const e = wrapApiConfigurationError(rawError);
+    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") ? ConfigurationError : Error;
     throw new ErrorClass(
       `Unable to download and extract CodeQL CLI: ${getErrorMessage(e)}${e instanceof Error && e.stack ? `
 
@@ -90889,12 +90898,6 @@ ${output}`
       } else {
         codeqlArgs.push("--no-sarif-include-diagnostics");
       }
-      if (!isSupportedToolsFeature(
-        await this.getVersion(),
-        "analysisSummaryV2Default" /* AnalysisSummaryV2IsDefault */
-      )) {
-        codeqlArgs.push("--new-analysis-summary");
-      }
       codeqlArgs.push(databasePath);
       if (querySuitePaths) {
         codeqlArgs.push(...querySuitePaths);
@@ -92444,24 +92447,6 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
     );
     codeQL = initCodeQLResult.codeql;
   }
-  if (!await codeQL.supportsFeature(
-    "sarifMergeRunsFromEqualCategory" /* SarifMergeRunsFromEqualCategory */
-  )) {
-    await throwIfCombineSarifFilesDisabled(sarifObjects, gitHubVersion);
-    logger.warning(
-      "The CodeQL CLI does not support merging SARIF files. Merging files in the action."
-    );
-    if (await shouldShowCombineSarifFilesDeprecationWarning(
-      sarifObjects,
-      gitHubVersion
-    )) {
-      logger.warning(
-        `Uploading multiple CodeQL runs with the same category is deprecated ${deprecationWarningMessage} for CodeQL CLI 2.16.6 and earlier. Please update your CodeQL CLI version or update your workflow to set a distinct category for each CodeQL run. ${deprecationMoreInformationMessage}`
-      );
-      core11.exportVariable("CODEQL_MERGE_SARIF_DEPRECATION_WARNING", "true");
-    }
-    return combineSarifFiles(sarifFiles, logger);
-  }
   const baseTempDir = path14.resolve(tempDir, "combined-sarif");
   fs13.mkdirSync(baseTempDir, { recursive: true });
   const outputDirectory = fs13.mkdtempSync(path14.resolve(baseTempDir, "output-"));
@@ -92520,16 +92505,17 @@ async function uploadPayload(payload, repositoryNwo, logger, analysis) {
     logger.info("Successfully uploaded results");
     return response.data.id;
   } catch (e) {
-    if (isHTTPError(e)) {
-      switch (e.status) {
+    const httpError = asHTTPError(e);
+    if (httpError !== void 0) {
+      switch (httpError.status) {
         case 403:
-          core11.warning(e.message || GENERIC_403_MSG);
+          core11.warning(httpError.message || GENERIC_403_MSG);
           break;
         case 404:
-          core11.warning(e.message || GENERIC_404_MSG);
+          core11.warning(httpError.message || GENERIC_404_MSG);
           break;
         default:
-          core11.warning(e.message);
+          core11.warning(httpError.message);
           break;
       }
     }
@@ -92651,7 +92637,7 @@ function validateSarifFileSchema(sarif, sarifFilePath, logger) {
   }
   logger.info(`Validating ${sarifFilePath}`);
   const schema2 = require_sarif_schema_2_1_0();
-  const result = new jsonschema.Validator().validate(sarif, schema2);
+  const result = new jsonschema2.Validator().validate(sarif, schema2);
   const warningAttributes = ["uri-reference", "uri"];
   const errors = (result.errors ?? []).filter(
     (err) => !(err.name === "format" && typeof err.argument === "string" && warningAttributes.includes(err.argument))
@@ -92711,26 +92697,11 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
   }
   return payloadObj;
 }
-async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
-  const sarifPaths = getSarifFilePaths(
-    inputSarifPath,
-    uploadTarget.sarifPredicate
-  );
-  return uploadSpecifiedFiles(
-    sarifPaths,
-    checkoutPath,
-    category,
-    features,
-    logger,
-    uploadTarget
-  );
-}
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+async function postProcessSarifFiles(logger, features, checkoutPath, sarifPaths, category, analysis) {
+  logger.info(`Post-processing sarif files: ${JSON.stringify(sarifPaths)}`);
   const gitHubVersion = await getGitHubVersion();
   let sarif;
-  category = uploadTarget.fixCategory(logger, category);
+  category = analysis.fixCategory(logger, category);
   if (sarifPaths.length > 1) {
     for (const sarifPath of sarifPaths) {
       const parsedSarif = readSarifFile(sarifPath);
@@ -92758,28 +92729,73 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
     analysisKey,
     environment
   );
+  return { sarif, analysisKey, environment };
+}
+async function writePostProcessedFiles(logger, pathInput, uploadTarget, postProcessingResults) {
+  const outputPath = pathInput || getOptionalEnvVar("CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */);
+  logger.info(`Post-processed SARIF output path: ${outputPath}`);
+  if (outputPath !== void 0) {
+    dumpSarifFile(
+      JSON.stringify(postProcessingResults.sarif),
+      outputPath,
+      logger,
+      uploadTarget
+    );
+  } else {
+    logger.debug(`Not writing post-processed SARIF files.`);
+  }
+}
+async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
+  const sarifPaths = getSarifFilePaths(
+    inputSarifPath,
+    uploadTarget.sarifPredicate
+  );
+  return uploadSpecifiedFiles(
+    sarifPaths,
+    checkoutPath,
+    category,
+    features,
+    logger,
+    uploadTarget
+  );
+}
+async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
+  const processingResults = await postProcessSarifFiles(
+    logger,
+    features,
+    checkoutPath,
+    sarifPaths,
+    category,
+    uploadTarget
+  );
+  return uploadPostProcessedFiles(
+    logger,
+    checkoutPath,
+    uploadTarget,
+    processingResults
+  );
+}
+async function uploadPostProcessedFiles(logger, checkoutPath, uploadTarget, postProcessingResults) {
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  const sarif = postProcessingResults.sarif;
   const toolNames = getToolNames(sarif);
   logger.debug(`Validating that each SARIF run has a unique category`);
   validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
   logger.debug(`Serializing SARIF for upload`);
   const sarifPayload = JSON.stringify(sarif);
-  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-  }
   logger.debug(`Compressing serialized SARIF`);
   const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
   const checkoutURI = url.pathToFileURL(checkoutPath).href;
   const payload = buildPayload(
     await getCommitOid(checkoutPath),
     await getRef(),
-    analysisKey,
+    postProcessingResults.analysisKey,
     getRequiredEnvParam("GITHUB_WORKFLOW"),
     zippedSarif,
     getWorkflowRunID(),
     getWorkflowRunAttempt(),
     checkoutURI,
-    environment,
+    postProcessingResults.environment,
     toolNames,
     await determineBaseBranchHeadCommitOid()
   );
@@ -92810,14 +92826,14 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
     fs13.mkdirSync(outputDir, { recursive: true });
   } else if (!fs13.lstatSync(outputDir).isDirectory()) {
     throw new ConfigurationError(
-      `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
+      `The path that processed SARIF files should be written to exists, but is not a directory: ${outputDir}`
     );
   }
   const outputFile = path14.resolve(
     outputDir,
     `upload${uploadTarget.sarifExtension}`
   );
-  logger.info(`Dumping processed SARIF file to ${outputFile}`);
+  logger.info(`Writing processed SARIF file to ${outputFile}`);
   fs13.writeFileSync(outputFile, sarifPayload);
 }
 var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
@@ -92979,6 +92995,7 @@ function filterAlertsByDiffRange(logger, sarif) {
   getGroupedSarifFilePaths,
   getSarifFilePaths,
   populateRunAutomationDetails,
+  postProcessSarifFiles,
   readSarifFile,
   shouldConsiderConfigurationError,
   shouldConsiderInvalidRequest,
@@ -92986,10 +93003,11 @@ function filterAlertsByDiffRange(logger, sarif) {
   throwIfCombineSarifFilesDisabled,
   uploadFiles,
   uploadPayload,
-  uploadSpecifiedFiles,
+  uploadPostProcessedFiles,
   validateSarifFileSchema,
   validateUniqueCategory,
-  waitForProcessing
+  waitForProcessing,
+  writePostProcessedFiles
 });
 /*! Bundled license information:
 

lib/upload-sarif-action.js

@@ -20602,14 +20602,14 @@ var require_dist_node4 = __commonJS({
     var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
     var dist_src_exports = {};
     __export2(dist_src_exports, {
-      RequestError: () => RequestError2
+      RequestError: () => RequestError
     });
     module2.exports = __toCommonJS2(dist_src_exports);
     var import_deprecation = require_dist_node3();
     var import_once = __toESM2(require_once());
     var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
     var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError2 = class extends Error {
+    var RequestError = class extends Error {
       constructor(message, statusCode, options) {
         super(message);
         if (Error.captureStackTrace) {
@@ -20701,7 +20701,7 @@ var require_dist_node5 = __commonJS({
       const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
       return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
     }
-    var import_request_error2 = require_dist_node4();
+    var import_request_error = require_dist_node4();
     function getBufferResponse(response) {
       return response.arrayBuffer();
     }
@@ -20753,7 +20753,7 @@ var require_dist_node5 = __commonJS({
           if (status < 400) {
             return;
           }
-          throw new import_request_error2.RequestError(response.statusText, status, {
+          throw new import_request_error.RequestError(response.statusText, status, {
             response: {
               url: url2,
               status,
@@ -20764,7 +20764,7 @@ var require_dist_node5 = __commonJS({
           });
         }
         if (status === 304) {
-          throw new import_request_error2.RequestError("Not modified", status, {
+          throw new import_request_error.RequestError("Not modified", status, {
             response: {
               url: url2,
               status,
@@ -20776,7 +20776,7 @@ var require_dist_node5 = __commonJS({
         }
         if (status >= 400) {
           const data = await getResponseData(response);
-          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
             response: {
               url: url2,
               status,
@@ -20796,7 +20796,7 @@ var require_dist_node5 = __commonJS({
           data
         };
       }).catch((error2) => {
-        if (error2 instanceof import_request_error2.RequestError)
+        if (error2 instanceof import_request_error.RequestError)
           throw error2;
         else if (error2.name === "AbortError")
           throw error2;
@@ -20808,7 +20808,7 @@ var require_dist_node5 = __commonJS({
             message = error2.cause;
           }
         }
-        throw new import_request_error2.RequestError(message, 500, {
+        throw new import_request_error.RequestError(message, 500, {
           request: requestOptions
         });
       });
@@ -21250,14 +21250,14 @@ var require_dist_node7 = __commonJS({
     var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
     var dist_src_exports = {};
     __export2(dist_src_exports, {
-      RequestError: () => RequestError2
+      RequestError: () => RequestError
     });
     module2.exports = __toCommonJS2(dist_src_exports);
     var import_deprecation = require_dist_node3();
     var import_once = __toESM2(require_once());
     var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
     var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError2 = class extends Error {
+    var RequestError = class extends Error {
       constructor(message, statusCode, options) {
         super(message);
         if (Error.captureStackTrace) {
@@ -21349,7 +21349,7 @@ var require_dist_node8 = __commonJS({
       const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
       return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
     }
-    var import_request_error2 = require_dist_node7();
+    var import_request_error = require_dist_node7();
     function getBufferResponse(response) {
       return response.arrayBuffer();
     }
@@ -21401,7 +21401,7 @@ var require_dist_node8 = __commonJS({
           if (status < 400) {
             return;
           }
-          throw new import_request_error2.RequestError(response.statusText, status, {
+          throw new import_request_error.RequestError(response.statusText, status, {
             response: {
               url: url2,
               status,
@@ -21412,7 +21412,7 @@ var require_dist_node8 = __commonJS({
           });
         }
         if (status === 304) {
-          throw new import_request_error2.RequestError("Not modified", status, {
+          throw new import_request_error.RequestError("Not modified", status, {
             response: {
               url: url2,
               status,
@@ -21424,7 +21424,7 @@ var require_dist_node8 = __commonJS({
         }
         if (status >= 400) {
           const data = await getResponseData(response);
-          const error2 = new import_request_error2.RequestError(toErrorMessage(data), status, {
+          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
             response: {
               url: url2,
               status,
@@ -21444,7 +21444,7 @@ var require_dist_node8 = __commonJS({
           data
         };
       }).catch((error2) => {
-        if (error2 instanceof import_request_error2.RequestError)
+        if (error2 instanceof import_request_error.RequestError)
           throw error2;
         else if (error2.name === "AbortError")
           throw error2;
@@ -21456,7 +21456,7 @@ var require_dist_node8 = __commonJS({
             message = error2.cause;
           }
         }
-        throw new import_request_error2.RequestError(message, 500, {
+        throw new import_request_error.RequestError(message, 500, {
           request: requestOptions
         });
       });
@@ -32309,7 +32309,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "codeql",
-      version: "3.30.8",
+      version: "4.31.1",
       private: true,
       description: "CodeQL action",
       scripts: {
@@ -32357,7 +32357,7 @@ var require_package = __commonJS({
         jsonschema: "1.4.1",
         long: "^5.3.2",
         "node-forge": "^1.3.1",
-        octokit: "^5.0.3",
+        octokit: "^5.0.4",
         semver: "^7.7.3",
         uuid: "^13.0.0"
       },
@@ -32365,7 +32365,7 @@ var require_package = __commonJS({
         "@ava/typescript": "6.0.0",
         "@eslint/compat": "^1.4.0",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "^9.37.0",
+        "@eslint/js": "^9.38.0",
         "@microsoft/eslint-formatter-sarif": "^3.1.0",
         "@octokit/types": "^15.0.0",
         "@types/archiver": "^6.0.3",
@@ -32376,10 +32376,10 @@ var require_package = __commonJS({
         "@types/node-forge": "^1.3.14",
         "@types/semver": "^7.7.1",
         "@types/sinon": "^17.0.4",
-        "@typescript-eslint/eslint-plugin": "^8.46.0",
+        "@typescript-eslint/eslint-plugin": "^8.46.1",
         "@typescript-eslint/parser": "^8.41.0",
         ava: "^6.4.1",
-        esbuild: "^0.25.10",
+        esbuild: "^0.25.11",
         eslint: "^8.57.1",
         "eslint-import-resolver-typescript": "^3.8.7",
         "eslint-plugin-filenames": "^1.3.2",
@@ -33768,14 +33768,14 @@ var require_dist_node14 = __commonJS({
     var __toCommonJS2 = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
     var dist_src_exports = {};
     __export2(dist_src_exports, {
-      RequestError: () => RequestError2
+      RequestError: () => RequestError
     });
     module2.exports = __toCommonJS2(dist_src_exports);
     var import_deprecation = require_dist_node3();
     var import_once = __toESM2(require_once());
     var logOnceCode = (0, import_once.default)((deprecation) => console.warn(deprecation));
     var logOnceHeaders = (0, import_once.default)((deprecation) => console.warn(deprecation));
-    var RequestError2 = class extends Error {
+    var RequestError = class extends Error {
       constructor(message, statusCode, options) {
         super(message);
         if (Error.captureStackTrace) {
@@ -33877,7 +33877,7 @@ var require_dist_node15 = __commonJS({
       throw error2;
     }
     var import_light = __toESM2(require_light());
-    var import_request_error2 = require_dist_node14();
+    var import_request_error = require_dist_node14();
     async function wrapRequest(state, octokit, request, options) {
       const limiter = new import_light.default();
       limiter.on("failed", function(error2, info4) {
@@ -33898,7 +33898,7 @@ var require_dist_node15 = __commonJS({
       if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
         response.data.errors[0].message
       )) {
-        const error2 = new import_request_error2.RequestError(response.data.errors[0].message, 500, {
+        const error2 = new import_request_error.RequestError(response.data.errors[0].message, 500, {
           request: options,
           response
         });
@@ -80374,19 +80374,19 @@ var require_validator2 = __commonJS({
     var SchemaError = helpers.SchemaError;
     var SchemaContext = helpers.SchemaContext;
     var anonymousBase = "/";
-    var Validator2 = function Validator3() {
-      this.customFormats = Object.create(Validator3.prototype.customFormats);
+    var Validator3 = function Validator4() {
+      this.customFormats = Object.create(Validator4.prototype.customFormats);
       this.schemas = {};
       this.unresolvedRefs = [];
       this.types = Object.create(types);
       this.attributes = Object.create(attribute.validators);
     };
-    Validator2.prototype.customFormats = {};
-    Validator2.prototype.schemas = null;
-    Validator2.prototype.types = null;
-    Validator2.prototype.attributes = null;
-    Validator2.prototype.unresolvedRefs = null;
-    Validator2.prototype.addSchema = function addSchema(schema2, base) {
+    Validator3.prototype.customFormats = {};
+    Validator3.prototype.schemas = null;
+    Validator3.prototype.types = null;
+    Validator3.prototype.attributes = null;
+    Validator3.prototype.unresolvedRefs = null;
+    Validator3.prototype.addSchema = function addSchema(schema2, base) {
       var self2 = this;
       if (!schema2) {
         return null;
@@ -80404,25 +80404,25 @@ var require_validator2 = __commonJS({
       });
       return this.schemas[ourUri];
     };
-    Validator2.prototype.addSubSchemaArray = function addSubSchemaArray(baseuri, schemas) {
+    Validator3.prototype.addSubSchemaArray = function addSubSchemaArray(baseuri, schemas) {
       if (!Array.isArray(schemas)) return;
       for (var i = 0; i < schemas.length; i++) {
         this.addSubSchema(baseuri, schemas[i]);
       }
     };
-    Validator2.prototype.addSubSchemaObject = function addSubSchemaArray(baseuri, schemas) {
+    Validator3.prototype.addSubSchemaObject = function addSubSchemaArray(baseuri, schemas) {
       if (!schemas || typeof schemas != "object") return;
       for (var p in schemas) {
         this.addSubSchema(baseuri, schemas[p]);
       }
     };
-    Validator2.prototype.setSchemas = function setSchemas(schemas) {
+    Validator3.prototype.setSchemas = function setSchemas(schemas) {
       this.schemas = schemas;
     };
-    Validator2.prototype.getSchema = function getSchema(urn) {
+    Validator3.prototype.getSchema = function getSchema(urn) {
       return this.schemas[urn];
     };
-    Validator2.prototype.validate = function validate(instance, schema2, options, ctx) {
+    Validator3.prototype.validate = function validate(instance, schema2, options, ctx) {
       if (typeof schema2 !== "boolean" && typeof schema2 !== "object" || schema2 === null) {
         throw new SchemaError("Expected `schema` to be an object or boolean");
       }
@@ -80460,7 +80460,7 @@ var require_validator2 = __commonJS({
       if (typeof ref == "string") return ref;
       return false;
     }
-    Validator2.prototype.validateSchema = function validateSchema(instance, schema2, options, ctx) {
+    Validator3.prototype.validateSchema = function validateSchema(instance, schema2, options, ctx) {
       var result = new ValidatorResult(instance, schema2, options, ctx);
       if (typeof schema2 === "boolean") {
         if (schema2 === true) {
@@ -80510,17 +80510,17 @@ var require_validator2 = __commonJS({
       }
       return result;
     };
-    Validator2.prototype.schemaTraverser = function schemaTraverser(schemaobj, s) {
+    Validator3.prototype.schemaTraverser = function schemaTraverser(schemaobj, s) {
       schemaobj.schema = helpers.deepMerge(schemaobj.schema, this.superResolve(s, schemaobj.ctx));
     };
-    Validator2.prototype.superResolve = function superResolve(schema2, ctx) {
+    Validator3.prototype.superResolve = function superResolve(schema2, ctx) {
       var ref = shouldResolve(schema2);
       if (ref) {
         return this.resolve(schema2, ref, ctx).subschema;
       }
       return schema2;
     };
-    Validator2.prototype.resolve = function resolve6(schema2, switchSchema, ctx) {
+    Validator3.prototype.resolve = function resolve6(schema2, switchSchema, ctx) {
       switchSchema = ctx.resolve(switchSchema);
       if (ctx.schemas[switchSchema]) {
         return { subschema: ctx.schemas[switchSchema], switchSchema };
@@ -80537,7 +80537,7 @@ var require_validator2 = __commonJS({
       }
       return { subschema, switchSchema };
     };
-    Validator2.prototype.testType = function validateType(instance, schema2, options, ctx, type2) {
+    Validator3.prototype.testType = function validateType(instance, schema2, options, ctx, type2) {
       if (type2 === void 0) {
         return;
       } else if (type2 === null) {
@@ -80552,7 +80552,7 @@ var require_validator2 = __commonJS({
       }
       return true;
     };
-    var types = Validator2.prototype.types = {};
+    var types = Validator3.prototype.types = {};
     types.string = function testString(instance) {
       return typeof instance == "string";
     };
@@ -80580,7 +80580,7 @@ var require_validator2 = __commonJS({
     types.object = function testObject(instance) {
       return instance && typeof instance === "object" && !Array.isArray(instance) && !(instance instanceof Date);
     };
-    module2.exports = Validator2;
+    module2.exports = Validator3;
   }
 });
 
@@ -80588,7 +80588,7 @@ var require_validator2 = __commonJS({
 var require_lib2 = __commonJS({
   "node_modules/jsonschema/lib/index.js"(exports2, module2) {
     "use strict";
-    var Validator2 = module2.exports.Validator = require_validator2();
+    var Validator3 = module2.exports.Validator = require_validator2();
     module2.exports.ValidatorResult = require_helpers3().ValidatorResult;
     module2.exports.ValidatorResultError = require_helpers3().ValidatorResultError;
     module2.exports.ValidationError = require_helpers3().ValidationError;
@@ -80596,7 +80596,7 @@ var require_lib2 = __commonJS({
     module2.exports.SchemaScanResult = require_scan2().SchemaScanResult;
     module2.exports.scan = require_scan2().scan;
     module2.exports.validate = function(instance, schema2, options) {
-      var v = new Validator2();
+      var v = new Validator3();
       return v.validate(instance, schema2, options);
     };
   }
@@ -80921,14 +80921,14 @@ var require_tool_cache = __commonJS({
     var assert_1 = require("assert");
     var exec_1 = require_exec();
     var retry_helper_1 = require_retry_helper();
-    var HTTPError = class extends Error {
+    var HTTPError2 = class extends Error {
       constructor(httpStatusCode) {
         super(`Unexpected HTTP response: ${httpStatusCode}`);
         this.httpStatusCode = httpStatusCode;
         Object.setPrototypeOf(this, new.target.prototype);
       }
     };
-    exports2.HTTPError = HTTPError;
+    exports2.HTTPError = HTTPError2;
     var IS_WINDOWS = process.platform === "win32";
     var IS_MAC = process.platform === "darwin";
     var userAgent = "actions/tool-cache";
@@ -80945,7 +80945,7 @@ var require_tool_cache = __commonJS({
         return yield retryHelper.execute(() => __awaiter4(this, void 0, void 0, function* () {
           return yield downloadToolAttempt(url2, dest || "", auth, headers);
         }), (err) => {
-          if (err instanceof HTTPError && err.httpStatusCode) {
+          if (err instanceof HTTPError2 && err.httpStatusCode) {
             if (err.httpStatusCode < 500 && err.httpStatusCode !== 408 && err.httpStatusCode !== 429) {
               return false;
             }
@@ -80972,7 +80972,7 @@ var require_tool_cache = __commonJS({
         }
         const response = yield http.get(url2, headers);
         if (response.message.statusCode !== 200) {
-          const err = new HTTPError(response.message.statusCode);
+          const err = new HTTPError2(response.message.statusCode);
           core14.debug(`Failed to download from "${url2}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`);
           throw err;
         }
@@ -88444,13 +88444,35 @@ function getRequiredEnvParam(paramName) {
   }
   return value;
 }
+function getOptionalEnvVar(paramName) {
+  const value = process.env[paramName];
+  if (value?.trim().length === 0) {
+    return void 0;
+  }
+  return value;
+}
+var HTTPError = class extends Error {
+  constructor(message, status) {
+    super(message);
+    this.status = status;
+  }
+};
 var ConfigurationError = class extends Error {
   constructor(message) {
     super(message);
   }
 };
-function isHTTPError(arg) {
-  return arg?.status !== void 0 && Number.isInteger(arg.status);
+function asHTTPError(arg) {
+  if (typeof arg !== "object" || arg === null || typeof arg.message !== "string") {
+    return void 0;
+  }
+  if (Number.isInteger(arg.status)) {
+    return new HTTPError(arg.message, arg.status);
+  }
+  if (Number.isInteger(arg.httpStatusCode)) {
+    return new HTTPError(arg.message, arg.httpStatusCode);
+  }
+  return void 0;
 }
 var cachedCodeQlVersion = void 0;
 function cacheCodeQlVersion(version) {
@@ -88958,14 +88980,24 @@ function computeAutomationID(analysis_key, environment) {
   return automationID;
 }
 function wrapApiConfigurationError(e) {
-  if (isHTTPError(e)) {
-    if (e.message.includes("API rate limit exceeded for installation") || e.message.includes("commit not found") || e.message.includes("Resource not accessible by integration") || /ref .* not found in this repository/.test(e.message)) {
-      return new ConfigurationError(e.message);
-    } else if (e.message.includes("Bad credentials") || e.message.includes("Not Found")) {
+  const httpError = asHTTPError(e);
+  if (httpError !== void 0) {
+    if ([
+      /API rate limit exceeded/,
+      /commit not found/,
+      /Resource not accessible by integration/,
+      /ref .* not found in this repository/
+    ].some((pattern) => pattern.test(httpError.message))) {
+      return new ConfigurationError(httpError.message);
+    }
+    if (httpError.message.includes("Bad credentials") || httpError.message.includes("Not Found")) {
       return new ConfigurationError(
         "Please check that your token is valid and has the required permissions: contents: read, security-events: write"
       );
     }
+    if (httpError.status === 429) {
+      return new ConfigurationError("API rate limit exceeded");
+    }
   }
   return e;
 }
@@ -88976,8 +89008,8 @@ var path8 = __toESM(require("path"));
 var semver3 = __toESM(require_semver2());
 
 // src/defaults.json
-var bundleVersion = "codeql-bundle-v2.23.2";
-var cliVersion = "2.23.2";
+var bundleVersion = "codeql-bundle-v2.23.3";
+var cliVersion = "2.23.3";
 
 // src/overlay-database-utils.ts
 var fs5 = __toESM(require("fs"));
@@ -89200,7 +89232,7 @@ function formatDuration(durationMs) {
 
 // src/overlay-database-utils.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
-var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15e3;
+var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
 var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
 async function writeBaseDatabaseOidsFile(config, sourceRoot) {
   const gitFileOids = await getFileOidsUnderPath(sourceRoot);
@@ -89275,6 +89307,11 @@ var featureConfig = {
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
     minimumVersion: void 0
   },
+  ["analyze_use_new_upload" /* AnalyzeUseNewUpload */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
+    minimumVersion: void 0
+  },
   ["cleanup_trap_caches" /* CleanupTrapCaches */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -89446,6 +89483,11 @@ var featureConfig = {
     defaultValue: false,
     envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
     minimumVersion: "2.23.0"
+  },
+  ["validate_db_config" /* ValidateDbConfig */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
+    minimumVersion: void 0
   }
 };
 var FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -89688,7 +89730,7 @@ var GitHubFeatureFlags = class {
         remoteFlags = { ...remoteFlags, ...chunkFlags };
       }
       this.logger.debug(
-        "Loaded the following default values for the feature flags from the Code Scanning API:"
+        "Loaded the following default values for the feature flags from the CodeQL Action API:"
       );
       for (const [feature, value] of Object.entries(remoteFlags).sort(
         ([nameA], [nameB]) => nameA.localeCompare(nameB)
@@ -89698,9 +89740,10 @@ var GitHubFeatureFlags = class {
       this.hasAccessedRemoteFeatureFlags = true;
       return remoteFlags;
     } catch (e) {
-      if (isHTTPError(e) && e.status === 403) {
+      const httpError = asHTTPError(e);
+      if (httpError?.status === 403) {
         this.logger.warning(
-          `This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${e.message}`
+          `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
         );
         this.hasAccessedRemoteFeatureFlags = false;
         return {};
@@ -89725,6 +89768,7 @@ var path10 = __toESM(require("path"));
 var core8 = __toESM(require_core());
 
 // src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
 var semver4 = __toESM(require_semver2());
 var PACK_IDENTIFIER_PATTERN = (function() {
   const alphaNumeric = "[a-z0-9]";
@@ -89950,8 +89994,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
     return void 0;
   }
 }
-var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
-var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
+var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
+var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
 async function sendStatusReport(statusReport) {
   setJobStatusIfUnsuccessful(statusReport.status);
   const statusReportJSON = JSON.stringify(statusReport);
@@ -89972,19 +90016,22 @@ async function sendStatusReport(statusReport) {
       }
     );
   } catch (e) {
-    if (isHTTPError(e)) {
-      switch (e.status) {
+    const httpError = asHTTPError(e);
+    if (httpError !== void 0) {
+      switch (httpError.status) {
         case 403:
           if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
             core9.warning(
-              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
+              `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
             );
           } else {
-            core9.warning(e.message);
+            core9.warning(
+              `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
+            );
           }
           return;
         case 404:
-          core9.warning(e.message);
+          core9.warning(httpError.message);
           return;
         case 422:
           if (getRequiredEnvParam("GITHUB_SERVER_URL") !== GITHUB_DOTCOM_URL) {
@@ -89996,7 +90043,7 @@ async function sendStatusReport(statusReport) {
       }
     }
     core9.warning(
-      `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
+      `An unexpected error occurred when sending a status report: ${getErrorMessage(
         e
       )}`
     );
@@ -90009,7 +90056,7 @@ var path15 = __toESM(require("path"));
 var url = __toESM(require("url"));
 var import_zlib = __toESM(require("zlib"));
 var core12 = __toESM(require_core());
-var jsonschema = __toESM(require_lib2());
+var jsonschema2 = __toESM(require_lib2());
 
 // src/codeql.ts
 var fs12 = __toESM(require("fs"));
@@ -90017,45 +90064,6 @@ var path13 = __toESM(require("path"));
 var core11 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());
 
-// node_modules/@octokit/request-error/dist-src/index.js
-var RequestError = class extends Error {
-  name;
-  /**
-   * http status code
-   */
-  status;
-  /**
-   * Request options that lead to the error.
-   */
-  request;
-  /**
-   * Response object if a response was received
-   */
-  response;
-  constructor(message, statusCode, options) {
-    super(message);
-    this.name = "HttpError";
-    this.status = Number.parseInt(statusCode);
-    if (Number.isNaN(this.status)) {
-      this.status = 0;
-    }
-    if ("response" in options) {
-      this.response = options.response;
-    }
-    const requestCopy = Object.assign({}, options.request);
-    if (options.request.headers.authorization) {
-      requestCopy.headers = Object.assign({}, options.request.headers, {
-        authorization: options.request.headers.authorization.replace(
-          /(?<! ) .*$/,
-          " [REDACTED]"
-        )
-      });
-    }
-    requestCopy.url = requestCopy.url.replace(/\bclient_secret=\w+/g, "client_secret=[REDACTED]").replace(/\baccess_token=\w+/g, "access_token=[REDACTED]");
-    this.request = requestCopy;
-  }
-};
-
 // src/cli-errors.ts
 var SUPPORTED_PLATFORMS = [
   ["linux", "x64"],
@@ -90223,6 +90231,9 @@ var cliErrorsConfig = {
     cliErrorMessageCandidates: [
       new RegExp(
         "Query pack .* cannot be found\\. Check the spelling of the pack\\."
+      ),
+      new RegExp(
+        "is not a .ql file, .qls file, a directory, or a query pack specification."
       )
     ]
   },
@@ -90379,13 +90390,13 @@ async function getTarVersion() {
   }
   if (stdout.includes("GNU tar")) {
     const match = stdout.match(/tar \(GNU tar\) ([0-9.]+)/);
-    if (!match || !match[1]) {
+    if (!match?.[1]) {
       throw new Error("Failed to parse output of tar --version.");
     }
     return { type: "gnu", version: match[1] };
   } else if (stdout.includes("bsdtar")) {
     const match = stdout.match(/bsdtar ([0-9.]+)/);
-    if (!match || !match[1]) {
+    if (!match?.[1]) {
       throw new Error("Failed to parse output of tar --version.");
     }
     return { type: "bsd", version: match[1] };
@@ -90765,7 +90776,7 @@ function tryGetTagNameFromUrl(url2, logger) {
     return void 0;
   }
   const match = matches[matches.length - 1];
-  if (match === null || match.length !== 2) {
+  if (match?.length !== 2) {
     logger.debug(
       `Could not determine tag name for URL ${url2}. Matched ${JSON.stringify(
         match
@@ -91225,7 +91236,7 @@ async function shouldEnableIndirectTracing(codeql, config) {
 
 // src/codeql.ts
 var cachedCodeQL = void 0;
-var CODEQL_MINIMUM_VERSION = "2.16.6";
+var CODEQL_MINIMUM_VERSION = "2.17.6";
 var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
 var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
 var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
@@ -91269,9 +91280,9 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
       toolsVersion,
       zstdAvailability
     };
-  } catch (e) {
-    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") || // out of disk space
-    e instanceof RequestError && e.status === 429 ? ConfigurationError : Error;
+  } catch (rawError) {
+    const e = wrapApiConfigurationError(rawError);
+    const ErrorClass = e instanceof ConfigurationError || e instanceof Error && e.message.includes("ENOSPC") ? ConfigurationError : Error;
     throw new ErrorClass(
       `Unable to download and extract CodeQL CLI: ${getErrorMessage(e)}${e instanceof Error && e.stack ? `
 
@@ -91560,12 +91571,6 @@ ${output}`
       } else {
         codeqlArgs.push("--no-sarif-include-diagnostics");
       }
-      if (!isSupportedToolsFeature(
-        await this.getVersion(),
-        "analysisSummaryV2Default" /* AnalysisSummaryV2IsDefault */
-      )) {
-        codeqlArgs.push("--new-analysis-summary");
-      }
       codeqlArgs.push(databasePath);
       if (querySuitePaths) {
         codeqlArgs.push(...querySuitePaths);
@@ -93115,24 +93120,6 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo
     );
     codeQL = initCodeQLResult.codeql;
   }
-  if (!await codeQL.supportsFeature(
-    "sarifMergeRunsFromEqualCategory" /* SarifMergeRunsFromEqualCategory */
-  )) {
-    await throwIfCombineSarifFilesDisabled(sarifObjects, gitHubVersion);
-    logger.warning(
-      "The CodeQL CLI does not support merging SARIF files. Merging files in the action."
-    );
-    if (await shouldShowCombineSarifFilesDeprecationWarning(
-      sarifObjects,
-      gitHubVersion
-    )) {
-      logger.warning(
-        `Uploading multiple CodeQL runs with the same category is deprecated ${deprecationWarningMessage} for CodeQL CLI 2.16.6 and earlier. Please update your CodeQL CLI version or update your workflow to set a distinct category for each CodeQL run. ${deprecationMoreInformationMessage}`
-      );
-      core12.exportVariable("CODEQL_MERGE_SARIF_DEPRECATION_WARNING", "true");
-    }
-    return combineSarifFiles(sarifFiles, logger);
-  }
   const baseTempDir = path15.resolve(tempDir, "combined-sarif");
   fs14.mkdirSync(baseTempDir, { recursive: true });
   const outputDirectory = fs14.mkdtempSync(path15.resolve(baseTempDir, "output-"));
@@ -93191,16 +93178,17 @@ async function uploadPayload(payload, repositoryNwo, logger, analysis) {
     logger.info("Successfully uploaded results");
     return response.data.id;
   } catch (e) {
-    if (isHTTPError(e)) {
-      switch (e.status) {
+    const httpError = asHTTPError(e);
+    if (httpError !== void 0) {
+      switch (httpError.status) {
         case 403:
-          core12.warning(e.message || GENERIC_403_MSG);
+          core12.warning(httpError.message || GENERIC_403_MSG);
           break;
         case 404:
-          core12.warning(e.message || GENERIC_404_MSG);
+          core12.warning(httpError.message || GENERIC_404_MSG);
           break;
         default:
-          core12.warning(e.message);
+          core12.warning(httpError.message);
           break;
       }
     }
@@ -93305,7 +93293,7 @@ function validateSarifFileSchema(sarif, sarifFilePath, logger) {
   }
   logger.info(`Validating ${sarifFilePath}`);
   const schema2 = require_sarif_schema_2_1_0();
-  const result = new jsonschema.Validator().validate(sarif, schema2);
+  const result = new jsonschema2.Validator().validate(sarif, schema2);
   const warningAttributes = ["uri-reference", "uri"];
   const errors = (result.errors ?? []).filter(
     (err) => !(err.name === "format" && typeof err.argument === "string" && warningAttributes.includes(err.argument))
@@ -93365,12 +93353,11 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
   }
   return payloadObj;
 }
-async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+async function postProcessSarifFiles(logger, features, checkoutPath, sarifPaths, category, analysis) {
+  logger.info(`Post-processing sarif files: ${JSON.stringify(sarifPaths)}`);
   const gitHubVersion = await getGitHubVersion();
   let sarif;
-  category = uploadTarget.fixCategory(logger, category);
+  category = analysis.fixCategory(logger, category);
   if (sarifPaths.length > 1) {
     for (const sarifPath of sarifPaths) {
       const parsedSarif = readSarifFile(sarifPath);
@@ -93398,28 +93385,43 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features
     analysisKey,
     environment
   );
+  return { sarif, analysisKey, environment };
+}
+async function writePostProcessedFiles(logger, pathInput, uploadTarget, postProcessingResults) {
+  const outputPath = pathInput || getOptionalEnvVar("CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */);
+  logger.info(`Post-processed SARIF output path: ${outputPath}`);
+  if (outputPath !== void 0) {
+    dumpSarifFile(
+      JSON.stringify(postProcessingResults.sarif),
+      outputPath,
+      logger,
+      uploadTarget
+    );
+  } else {
+    logger.debug(`Not writing post-processed SARIF files.`);
+  }
+}
+async function uploadPostProcessedFiles(logger, checkoutPath, uploadTarget, postProcessingResults) {
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+  const sarif = postProcessingResults.sarif;
   const toolNames = getToolNames(sarif);
   logger.debug(`Validating that each SARIF run has a unique category`);
   validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
   logger.debug(`Serializing SARIF for upload`);
   const sarifPayload = JSON.stringify(sarif);
-  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-  }
   logger.debug(`Compressing serialized SARIF`);
   const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
   const checkoutURI = url.pathToFileURL(checkoutPath).href;
   const payload = buildPayload(
     await getCommitOid(checkoutPath),
     await getRef(),
-    analysisKey,
+    postProcessingResults.analysisKey,
     getRequiredEnvParam("GITHUB_WORKFLOW"),
     zippedSarif,
     getWorkflowRunID(),
     getWorkflowRunAttempt(),
     checkoutURI,
-    environment,
+    postProcessingResults.environment,
     toolNames,
     await determineBaseBranchHeadCommitOid()
   );
@@ -93450,14 +93452,14 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
     fs14.mkdirSync(outputDir, { recursive: true });
   } else if (!fs14.lstatSync(outputDir).isDirectory()) {
     throw new ConfigurationError(
-      `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
+      `The path that processed SARIF files should be written to exists, but is not a directory: ${outputDir}`
     );
   }
   const outputFile = path15.resolve(
     outputDir,
     `upload${uploadTarget.sarifExtension}`
   );
-  logger.info(`Dumping processed SARIF file to ${outputFile}`);
+  logger.info(`Writing processed SARIF file to ${outputFile}`);
   fs14.writeFileSync(outputFile, sarifPayload);
 }
 var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
@@ -93613,7 +93615,8 @@ function filterAlertsByDiffRange(logger, sarif) {
 }
 
 // src/upload-sarif.ts
-async function uploadSarif(logger, features, checkoutPath, sarifPath, category) {
+async function postProcessAndUploadSarif(logger, features, uploadKind, checkoutPath, sarifPath, category, postProcessedOutputPath) {
+  logger.info("XXX at upload-sarif.ts|postProcessAndUploadSarif");
   const sarifGroups = await getGroupedSarifFilePaths(
     logger,
     sarifPath
@@ -93622,15 +93625,32 @@ async function uploadSarif(logger, features, checkoutPath, sarifPath, category)
   for (const [analysisKind, sarifFiles] of unsafeEntriesInvariant(
     sarifGroups
   )) {
+    logger.info(
+      `XXX at upload-sarif.ts|postProcessAndUploadSarif loop for analysisKind: ${analysisKind}`
+    );
     const analysisConfig = getAnalysisConfig(analysisKind);
-    uploadResults[analysisKind] = await uploadSpecifiedFiles(
-      sarifFiles,
-      checkoutPath,
-      category,
-      features,
+    const postProcessingResults = await postProcessSarifFiles(
       logger,
+      features,
+      checkoutPath,
+      sarifFiles,
+      category,
       analysisConfig
     );
+    await writePostProcessedFiles(
+      logger,
+      postProcessedOutputPath,
+      analysisConfig,
+      postProcessingResults
+    );
+    if (uploadKind === "always") {
+      uploadResults[analysisKind] = await uploadPostProcessedFiles(
+        logger,
+        checkoutPath,
+        analysisConfig,
+        postProcessingResults
+      );
+    }
   }
   return uploadResults;
 }
@@ -93682,9 +93702,10 @@ async function run() {
     const sarifPath = getRequiredInput("sarif_file");
     const checkoutPath = getRequiredInput("checkout_path");
     const category = getOptionalInput("category");
-    const uploadResults = await uploadSarif(
+    const uploadResults = await postProcessAndUploadSarif(
       logger,
       features,
+      "always",
       checkoutPath,
       sarifPath,
       category

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.30.8",
+  "version": "4.31.1",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -48,7 +48,7 @@
     "jsonschema": "1.4.1",
     "long": "^5.3.2",
     "node-forge": "^1.3.1",
-    "octokit": "^5.0.3",
+    "octokit": "^5.0.4",
     "semver": "^7.7.3",
     "uuid": "^13.0.0"
   },
@@ -56,7 +56,7 @@
     "@ava/typescript": "6.0.0",
     "@eslint/compat": "^1.4.0",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.37.0",
+    "@eslint/js": "^9.38.0",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@octokit/types": "^15.0.0",
     "@types/archiver": "^6.0.3",
@@ -67,10 +67,10 @@
     "@types/node-forge": "^1.3.14",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.46.0",
+    "@typescript-eslint/eslint-plugin": "^8.46.1",
     "@typescript-eslint/parser": "^8.41.0",
     "ava": "^6.4.1",
-    "esbuild": "^0.25.10",
+    "esbuild": "^0.25.11",
     "eslint": "^8.57.1",
     "eslint-import-resolver-typescript": "^3.8.7",
     "eslint-plugin-filenames": "^1.3.2",

pr-checks/checks/analyze-ref-input.yml

@@ -2,6 +2,7 @@ name: "Analyze: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/bundle-from-toolcache.yml

@@ -15,10 +15,9 @@ steps:
         if (allCodeqlVersions.length === 0) {
           throw new Error(`CodeQL could not be found in the toolcache`);
         }
-  - id: init
-    uses: ./../action/init
+  - id: setup-codeql
+    uses: ./../action/setup-codeql
     with:
-      languages: javascript
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Check CodeQL is installed within the toolcache
     uses: actions/github-script@v8

pr-checks/checks/local-bundle.yml

@@ -2,6 +2,7 @@ name: "Local CodeQL bundle"
 description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["linked"]
 installGo: true
+installPython: true
 steps:
   - name: Fetch latest CodeQL bundle
     run: |

pr-checks/checks/multi-language-autodetect.yml

@@ -4,6 +4,7 @@ operatingSystems: ["macos", "ubuntu"]
 env:
   CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
+installPython: true
 steps:
   - name: Use Xcode 16
     if: runner.os == 'macOS' && matrix.version != 'nightly-latest'

pr-checks/checks/packaging-codescanning-config-inputs-js.yml

@@ -3,6 +3,7 @@ description: "Checks that specifying packages using a combination of a config fi
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
 installGo: true
 installNode: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/quality-queries.yml

@@ -36,6 +36,7 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
       upload-database: false
+      post-processed-sarif-path: "${{ runner.temp }}/post-processed"
   - name: Upload security SARIF
     if: contains(matrix.analysis-kinds, 'code-scanning')
     uses: actions/upload-artifact@v4
@@ -52,6 +53,14 @@ steps:
         quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
       path: "${{ runner.temp }}/results/javascript.quality.sarif"
       retention-days: 7
+  - name: Upload post-processed SARIF
+    uses: actions/upload-artifact@v4
+    with:
+      name: |
+        post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
+      path: "${{ runner.temp }}/post-processed"
+      retention-days: 7
+      if-no-files-found: error
   - name: Check quality query does not appear in security SARIF
     if: contains(matrix.analysis-kinds, 'code-scanning')
     uses: actions/github-script@v8

pr-checks/checks/remote-config.yml

@@ -6,6 +6,7 @@ versions:
   - linked
   - nightly-latest
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/unset-environment.yml

@@ -6,6 +6,7 @@ versions:
   - linked
   - nightly-latest
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     id: init

pr-checks/checks/upload-ref-sha-input.yml

@@ -2,6 +2,7 @@ name: "Upload-sarif: 'ref' and 'sha' from inputs"
 description: "Checks that specifying 'ref' and 'sha' as inputs works"
 versions: ["default"]
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/upload-sarif.yml

@@ -3,6 +3,7 @@ description: "Checks that uploading SARIFs to the code quality endpoint works"
 versions: ["default"]
 analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"]
 installGo: true
+installPython: true
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/with-checkout-path.yml

@@ -2,6 +2,7 @@ name: "Use a custom `checkout_path`"
 description: "Checks that a custom `checkout_path` will find the proper commit_oid"
 versions: ["linked"]
 installGo: true
+installPython: true
 steps:
   # This ensures we don't accidentally use the original checkout for any part of the test.
   - name: Delete original checkout

pr-checks/sync.py

@@ -117,7 +117,7 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
         steps.extend([
             {
                 'name': 'Install Node.js',
-                'uses': 'actions/setup-node@v5',
+                'uses': 'actions/setup-node@v6',
                 'with': {
                     'node-version': '20.x',
                     'cache': 'npm',
@@ -184,6 +184,26 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
             }
         })
 
+    installPython = is_truthy(checkSpecification.get('installPython', ''))
+
+    if installPython:
+        basePythonVersionExpr = '3.13'
+        workflowInputs['python-version'] = {
+            'type': 'string',
+            'description': 'The version of Python to install',
+            'required': False,
+            'default': basePythonVersionExpr,
+        }
+
+        steps.append({
+            'name': 'Install Python',
+            'if': 'matrix.version != \'nightly-latest\'',
+            'uses': 'actions/setup-python@v6',
+            'with': {
+                'python-version': '${{ inputs.python-version || \'' + basePythonVersionExpr + '\' }}'
+            }
+        })
+
     # If container initialisation steps are present in the check specification,
     # make sure to execute them first.
     if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:

resolve-environment/action.yml

@@ -21,5 +21,5 @@ outputs:
   environment:
     description: The inferred build environment configuration.
 runs:
-  using: node20
+  using: node24
   main: '../lib/resolve-environment-action.js'

setup-codeql/action.yml

@@ -0,0 +1,39 @@
+name: 'CodeQL: Setup'
+description: 'Installs the CodeQL CLI'
+author: 'GitHub'
+inputs:
+  tools:
+    description: >-
+      By default, the Action will use the recommended version of the CodeQL
+      Bundle to analyze your project. You can override this choice using this
+      input. One of:
+
+      - A local path to a CodeQL Bundle tarball, or
+      - The URL of a CodeQL Bundle tarball GitHub release asset, or
+      - A special value `linked` which uses the version of the CodeQL tools
+        that the Action has been bundled with.
+      - A special value `nightly` which uses the latest nightly version of the
+        CodeQL tools. Note that this is unstable and not recommended for
+        production use.
+
+      If not specified, the Action will check in several places until it finds
+      the CodeQL tools.
+    required: false
+  token:
+    description: GitHub token to use for authenticating with this instance of GitHub.
+    default: ${{ github.token }}
+    required: false
+  matrix:
+    default: ${{ toJson(matrix) }}
+    required: false
+  external-repository-token:
+    description: A token for fetching additional files from private repositories in the same GitHub instance that is running this action.
+    required: false
+outputs:
+  codeql-path:
+    description: The path of the CodeQL binary that was installed.
+  codeql-version:
+    description: The version of the CodeQL binary that was installed.
+runs:
+  using: node24
+  main: '../lib/setup-codeql-action.js'

src/analyses.test.ts

@@ -1,12 +1,19 @@
 import test from "ava";
+import * as sinon from "sinon";
 
+import * as actionsUtil from "./actions-util";
 import {
   AnalysisKind,
+  getAnalysisKinds,
   parseAnalysisKinds,
   supportedAnalysisKinds,
 } from "./analyses";
+import { getRunnerLogger } from "./logging";
+import { setupTests } from "./testing-utils";
 import { ConfigurationError } from "./util";
 
+setupTests(test);
+
 test("All known analysis kinds can be parsed successfully", async (t) => {
   for (const analysisKind of supportedAnalysisKinds) {
     t.deepEqual(await parseAnalysisKinds(analysisKind), [analysisKind]);
@@ -34,3 +41,29 @@ test("Parsing analysis kinds requires at least one analysis kind", async (t) =>
     instanceOf: ConfigurationError,
   });
 });
+
+test("getAnalysisKinds - returns expected analysis kinds for `analysis-kinds` input", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub
+    .withArgs("analysis-kinds")
+    .returns("code-scanning,code-quality");
+  const result = await getAnalysisKinds(getRunnerLogger(true), true);
+  t.assert(result.includes(AnalysisKind.CodeScanning));
+  t.assert(result.includes(AnalysisKind.CodeQuality));
+});
+
+test("getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub.withArgs("analysis-kinds").returns("code-scanning");
+  const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
+  optionalInputStub.withArgs("quality-queries").returns("code-quality");
+  const result = await getAnalysisKinds(getRunnerLogger(true), true);
+  t.assert(result.includes(AnalysisKind.CodeScanning));
+  t.assert(result.includes(AnalysisKind.CodeQuality));
+});
+
+test("getAnalysisKinds - throws if `analysis-kinds` input is invalid", async (t) => {
+  const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+  requiredInputStub.withArgs("analysis-kinds").returns("no-such-thing");
+  await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true));
+});

src/analyses.ts

@@ -1,4 +1,8 @@
-import { fixCodeQualityCategory } from "./actions-util";
+import {
+  fixCodeQualityCategory,
+  getOptionalInput,
+  getRequiredInput,
+} from "./actions-util";
 import { Logger } from "./logging";
 import { ConfigurationError } from "./util";
 
@@ -41,6 +45,55 @@ export async function parseAnalysisKinds(
   );
 }
 
+// Used to avoid re-parsing the input after we have done it once.
+let cachedAnalysisKinds: AnalysisKind[] | undefined;
+
+/**
+ * Initialises the analysis kinds for the analysis based on the `analysis-kinds` input.
+ * This function will also use the deprecated `quality-queries` input as an indicator to enable `code-quality`.
+ * If the `analysis-kinds` input cannot be parsed, a `ConfigurationError` is thrown.
+ *
+ * @param logger The logger to use.
+ * @param skipCache For testing, whether to ignore the cached values (default: false).
+ *
+ * @returns The array of enabled analysis kinds.
+ * @throws A `ConfigurationError` if the `analysis-kinds` input cannot be parsed.
+ */
+export async function getAnalysisKinds(
+  logger: Logger,
+  skipCache: boolean = false,
+): Promise<AnalysisKind[]> {
+  if (!skipCache && cachedAnalysisKinds !== undefined) {
+    return cachedAnalysisKinds;
+  }
+
+  cachedAnalysisKinds = await parseAnalysisKinds(
+    getRequiredInput("analysis-kinds"),
+  );
+
+  // Warn that `quality-queries` is deprecated if there is an argument for it.
+  const qualityQueriesInput = getOptionalInput("quality-queries");
+
+  if (qualityQueriesInput !== undefined) {
+    logger.warning(
+      "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. " +
+        "Use the `analysis-kinds` input to configure different analysis kinds instead.",
+    );
+  }
+
+  // For backwards compatibility, add Code Quality to the enabled analysis kinds
+  // if an input to `quality-queries` was specified. We should remove this once
+  // `quality-queries` is no longer used.
+  if (
+    !cachedAnalysisKinds.includes(AnalysisKind.CodeQuality) &&
+    qualityQueriesInput !== undefined
+  ) {
+    cachedAnalysisKinds.push(AnalysisKind.CodeQuality);
+  }
+
+  return cachedAnalysisKinds;
+}
+
 /** The queries to use for Code Quality analyses. */
 export const codeQualityQueries: string[] = ["code-quality"];
 

src/analyze-action-env.test.ts

@@ -24,6 +24,9 @@ setupTests(test);
 // but the first test would fail.
 
 test("analyze action with RAM & threads from environment variables", async (t) => {
+  // This test frequently times out on Windows with the default timeout, so we bump
+  // it a bit to 20s.
+  t.timeout(1000 * 20);
   await util.withTmpDir(async (tmpDir) => {
     process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
     process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";

src/analyze-action-input.test.ts

@@ -24,6 +24,7 @@ setupTests(test);
 // but the first test would fail.
 
 test("analyze action with RAM & threads from action inputs", async (t) => {
+  t.timeout(1000 * 20);
   await util.withTmpDir(async (tmpDir) => {
     process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
     process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";

src/analyze-action.ts

@@ -52,6 +52,7 @@ import {
 } from "./trap-caching";
 import * as uploadLib from "./upload-lib";
 import { UploadResult } from "./upload-lib";
+import { postProcessAndUploadSarif } from "./upload-sarif";
 import * as util from "./util";
 
 interface AnalysisStatusReport
@@ -211,7 +212,9 @@ async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {
 
 async function run() {
   const startedAt = new Date();
-  let uploadResult: UploadResult | undefined = undefined;
+  let uploadResults:
+    | Partial<Record<analyses.AnalysisKind, UploadResult>>
+    | undefined = undefined;
   let runStats: QueriesStatusReport | undefined = undefined;
   let config: Config | undefined = undefined;
   let trapCacheCleanupTelemetry: TrapCacheCleanupStatusReport | undefined =
@@ -341,31 +344,67 @@ async function run() {
     }
     core.setOutput("db-locations", dbLocations);
     core.setOutput("sarif-output", path.resolve(outputDir));
-    const uploadInput = actionsUtil.getOptionalInput("upload");
-    if (runStats && actionsUtil.getUploadValue(uploadInput) === "always") {
-      if (isCodeScanningEnabled(config)) {
-        uploadResult = await uploadLib.uploadFiles(
-          outputDir,
-          actionsUtil.getRequiredInput("checkout_path"),
-          actionsUtil.getOptionalInput("category"),
-          features,
+    const uploadKind = actionsUtil.getUploadValue(
+      actionsUtil.getOptionalInput("upload"),
+    );
+    if (runStats) {
+      const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
+      const category = actionsUtil.getOptionalInput("category");
+
+      if (Math.random() > -1) {
+        uploadResults = await postProcessAndUploadSarif(
           logger,
-          analyses.CodeScanning,
+          features,
+          uploadKind,
+          checkoutPath,
+          outputDir,
+          category,
+          actionsUtil.getOptionalInput("post-processed-sarif-path"),
         );
-        core.setOutput("sarif-id", uploadResult.sarifID);
+      } else if (uploadKind === "always") {
+        uploadResults = {};
+
+        if (isCodeScanningEnabled(config)) {
+          uploadResults[analyses.AnalysisKind.CodeScanning] =
+            await uploadLib.uploadFiles(
+              outputDir,
+              checkoutPath,
+              category,
+              features,
+              logger,
+              analyses.CodeScanning,
+            );
+        }
+
+        if (isCodeQualityEnabled(config)) {
+          uploadResults[analyses.AnalysisKind.CodeQuality] =
+            await uploadLib.uploadFiles(
+              outputDir,
+              checkoutPath,
+              category,
+              features,
+              logger,
+              analyses.CodeQuality,
+            );
+        }
+      } else {
+        uploadResults = {};
+        logger.info("Not uploading results");
       }
 
-      if (isCodeQualityEnabled(config)) {
-        const analysis = analyses.CodeQuality;
-        const qualityUploadResult = await uploadLib.uploadFiles(
-          outputDir,
-          actionsUtil.getRequiredInput("checkout_path"),
-          actionsUtil.getOptionalInput("category"),
-          features,
-          logger,
-          analysis,
+      // Set the SARIF id outputs only if we have results for them, to avoid
+      // having keys with empty values in the action output.
+      if (uploadResults[analyses.AnalysisKind.CodeScanning] !== undefined) {
+        core.setOutput(
+          "sarif-id",
+          uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
+        );
+      }
+      if (uploadResults[analyses.AnalysisKind.CodeQuality] !== undefined) {
+        core.setOutput(
+          "quality-sarif-id",
+          uploadResults[analyses.AnalysisKind.CodeQuality].sarifID,
         );
-        core.setOutput("quality-sarif-id", qualityUploadResult.sarifID);
       }
     } else {
       logger.info("Not uploading results");
@@ -408,12 +447,12 @@ async function run() {
     if (util.isInTestMode()) {
       logger.debug("In test mode. Waiting for processing is disabled.");
     } else if (
-      uploadResult !== undefined &&
+      uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined &&
       actionsUtil.getRequiredInput("wait-for-processing") === "true"
     ) {
       await uploadLib.waitForProcessing(
         getRepositoryNwo(),
-        uploadResult.sarifID,
+        uploadResults[analyses.AnalysisKind.CodeScanning].sarifID,
         getActionsLogger(),
       );
     }
@@ -450,13 +489,16 @@ async function run() {
     return;
   }
 
-  if (runStats && uploadResult) {
+  if (
+    runStats !== undefined &&
+    uploadResults?.[analyses.AnalysisKind.CodeScanning] !== undefined
+  ) {
     await sendStatusReport(
       startedAt,
       config,
       {
         ...runStats,
-        ...uploadResult.statusReport,
+        ...uploadResults[analyses.AnalysisKind.CodeScanning].statusReport,
       },
       undefined,
       trapCacheUploadTime,
@@ -466,7 +508,7 @@ async function run() {
       dependencyCacheResults,
       logger,
     );
-  } else if (runStats) {
+  } else if (runStats !== undefined) {
     await sendStatusReport(
       startedAt,
       config,

src/api-client.ts

@@ -7,12 +7,12 @@ import { getActionVersion, getRequiredInput } from "./actions-util";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
+  asHTTPError,
   ConfigurationError,
   getRequiredEnvParam,
   GITHUB_DOTCOM_URL,
   GitHubVariant,
   GitHubVersion,
-  isHTTPError,
   parseGitHubUrl,
   parseMatrixInput,
 } from "./util";
@@ -280,22 +280,29 @@ export async function getRepositoryProperties(repositoryNwo: RepositoryNwo) {
 }
 
 export function wrapApiConfigurationError(e: unknown) {
-  if (isHTTPError(e)) {
+  const httpError = asHTTPError(e);
+  if (httpError !== undefined) {
     if (
-      e.message.includes("API rate limit exceeded for installation") ||
-      e.message.includes("commit not found") ||
-      e.message.includes("Resource not accessible by integration") ||
-      /ref .* not found in this repository/.test(e.message)
+      [
+        /API rate limit exceeded/,
+        /commit not found/,
+        /Resource not accessible by integration/,
+        /ref .* not found in this repository/,
+      ].some((pattern) => pattern.test(httpError.message))
     ) {
-      return new ConfigurationError(e.message);
-    } else if (
-      e.message.includes("Bad credentials") ||
-      e.message.includes("Not Found")
+      return new ConfigurationError(httpError.message);
+    }
+    if (
+      httpError.message.includes("Bad credentials") ||
+      httpError.message.includes("Not Found")
     ) {
       return new ConfigurationError(
         "Please check that your token is valid and has the required permissions: contents: read, security-events: write",
       );
     }
+    if (httpError.status === 429) {
+      return new ConfigurationError("API rate limit exceeded");
+    }
   }
   return e;
 }

src/cli-errors.test.ts

@@ -310,6 +310,20 @@ test("wrapCliConfigurationError - pack cannot be found", (t) => {
   t.true(wrappedError instanceof ConfigurationError);
 });
 
+test("wrapCliConfigurationError - unknown query file", (t) => {
+  const commandError = new CommandInvocationError(
+    "codeql",
+    ["database", "init"],
+    2,
+    "my-query-file is not a .ql file, .qls file, a directory, or a query pack specification. See the logs for more details.",
+  );
+  const cliError = new CliError(commandError);
+
+  const wrappedError = wrapCliConfigurationError(cliError);
+
+  t.true(wrappedError instanceof ConfigurationError);
+});
+
 test("wrapCliConfigurationError - pack missing auth", (t) => {
   const commandError = new CommandInvocationError(
     "codeql",

src/cli-errors.ts

@@ -264,6 +264,9 @@ export const cliErrorsConfig: Record<
       new RegExp(
         "Query pack .* cannot be found\\. Check the spelling of the pack\\.",
       ),
+      new RegExp(
+        "is not a .ql file, .qls file, a directory, or a query pack specification.",
+      ),
     ],
   },
   [CliConfigErrorCategory.PackMissingAuth]: {

src/codeql.test.ts

@@ -36,7 +36,6 @@ import {
   createTestConfig,
 } from "./testing-utils";
 import { ToolsDownloadStatusReport } from "./tools-download";
-import { ToolsFeature } from "./tools-features";
 import * as util from "./util";
 import { initializeEnvironment } from "./util";
 
@@ -870,84 +869,6 @@ test("does not pass a qlconfig to the CLI when it is undefined", async (t: Execu
   });
 });
 
-const NEW_ANALYSIS_SUMMARY_TEST_CASES = [
-  {
-    codeqlVersion: makeVersionInfo("2.15.0", {
-      [ToolsFeature.AnalysisSummaryV2IsDefault]: true,
-    }),
-    githubVersion: {
-      type: util.GitHubVariant.DOTCOM,
-    },
-    flagPassed: false,
-    negativeFlagPassed: false,
-  },
-  {
-    codeqlVersion: makeVersionInfo("2.15.0"),
-    githubVersion: {
-      type: util.GitHubVariant.DOTCOM,
-    },
-    flagPassed: true,
-    negativeFlagPassed: false,
-  },
-  {
-    codeqlVersion: makeVersionInfo("2.15.0"),
-    githubVersion: {
-      type: util.GitHubVariant.GHES,
-      version: "3.10.0",
-    },
-    flagPassed: true,
-    negativeFlagPassed: false,
-  },
-];
-
-for (const {
-  codeqlVersion,
-  flagPassed,
-  githubVersion,
-  negativeFlagPassed,
-} of NEW_ANALYSIS_SUMMARY_TEST_CASES) {
-  test(`database interpret-results passes ${
-    flagPassed
-      ? "--new-analysis-summary"
-      : negativeFlagPassed
-        ? "--no-new-analysis-summary"
-        : "nothing"
-  } for CodeQL version ${JSON.stringify(codeqlVersion)} and ${
-    util.GitHubVariant[githubVersion.type]
-  } ${githubVersion.version ? ` ${githubVersion.version}` : ""}`, async (t) => {
-    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves(codeqlVersion);
-    // io throws because of the test CodeQL object.
-    sinon.stub(io, "which").resolves("");
-    await codeqlObject.databaseInterpretResults(
-      "",
-      [],
-      "",
-      "",
-      "",
-      "-v",
-      undefined,
-      "",
-      Object.assign({}, stubConfig, { gitHubVersion: githubVersion }),
-      createFeatures([]),
-    );
-    const actualArgs = runnerConstructorStub.firstCall.args[1] as string[];
-    t.is(
-      actualArgs.includes("--new-analysis-summary"),
-      flagPassed,
-      `--new-analysis-summary should${flagPassed ? "" : "n't"} be passed`,
-    );
-    t.is(
-      actualArgs.includes("--no-new-analysis-summary"),
-      negativeFlagPassed,
-      `--no-new-analysis-summary should${
-        negativeFlagPassed ? "" : "n't"
-      } be passed`,
-    );
-  });
-}
-
 test("runTool summarizes several fatal errors", async (t) => {
   const heapError =
     "A fatal error occurred: Evaluator heap must be at least 384.00 MiB";

src/codeql.ts

@@ -3,7 +3,6 @@ import * as path from "path";
 
 import * as core from "@actions/core";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
-import { RequestError } from "@octokit/request-error";
 import * as yaml from "js-yaml";
 
 import {
@@ -268,7 +267,7 @@ let cachedCodeQL: CodeQL | undefined = undefined;
  * The version flags below can be used to conditionally enable certain features
  * on versions newer than this.
  */
-const CODEQL_MINIMUM_VERSION = "2.16.6";
+const CODEQL_MINIMUM_VERSION = "2.17.6";
 
 /**
  * This version will shortly become the oldest version of CodeQL that the Action will run with.
@@ -371,11 +370,11 @@ export async function setupCodeQL(
       toolsVersion,
       zstdAvailability,
     };
-  } catch (e) {
+  } catch (rawError) {
+    const e = api.wrapApiConfigurationError(rawError);
     const ErrorClass =
       e instanceof util.ConfigurationError ||
-      (e instanceof Error && e.message.includes("ENOSPC")) || // out of disk space
-      (e instanceof RequestError && e.status === 429) // rate limited
+      (e instanceof Error && e.message.includes("ENOSPC")) // out of disk space
         ? util.ConfigurationError
         : Error;
 
@@ -861,14 +860,6 @@ export async function getCodeQLForCmd(
       } else {
         codeqlArgs.push("--no-sarif-include-diagnostics");
       }
-      if (
-        !isSupportedToolsFeature(
-          await this.getVersion(),
-          ToolsFeature.AnalysisSummaryV2IsDefault,
-        )
-      ) {
-        codeqlArgs.push("--new-analysis-summary");
-      }
       codeqlArgs.push(databasePath);
       if (querySuitePaths) {
         codeqlArgs.push(...querySuitePaths);

src/config-utils.test.ts

@@ -49,10 +49,9 @@ function createTestInitConfigInputs(
   return Object.assign(
     {},
     {
-      analysisKindsInput: "code-scanning",
+      analysisKinds: [AnalysisKind.CodeScanning],
       languagesInput: undefined,
       queriesInput: undefined,
-      qualityQueriesInput: undefined,
       packsInput: undefined,
       configFile: undefined,
       dbLocation: undefined,
@@ -149,6 +148,7 @@ test("load empty config", async (t) => {
     });
 
     const config = await configUtils.initConfig(
+      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput: languages,
         repository: { owner: "github", repo: "example" },
@@ -188,8 +188,9 @@ test("load code quality config", async (t) => {
     });
 
     const config = await configUtils.initConfig(
+      createFeatures([]),
       createTestInitConfigInputs({
-        analysisKindsInput: "code-quality",
+        analysisKinds: [AnalysisKind.CodeQuality],
         languagesInput: languages,
         repository: { owner: "github", repo: "example" },
         tempDir,
@@ -272,8 +273,9 @@ test("initActionState doesn't throw if there are queries configured in the repos
 
     await t.notThrowsAsync(async () => {
       const config = await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
-          analysisKindsInput: "code-quality",
+          analysisKinds: [AnalysisKind.CodeQuality],
           languagesInput: languages,
           repository: { owner: "github", repo: "example" },
           tempDir,
@@ -310,6 +312,7 @@ test("loading a saved config produces the same config", async (t) => {
     t.deepEqual(await configUtils.getConfig(tempDir, logger), undefined);
 
     const config1 = await configUtils.initConfig(
+      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput: "javascript,python",
         tempDir,
@@ -361,6 +364,7 @@ test("loading config with version mismatch throws", async (t) => {
       .returns("does-not-exist");
 
     const config = await configUtils.initConfig(
+      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput: "javascript,python",
         tempDir,
@@ -389,6 +393,7 @@ test("load input outside of workspace", async (t) => {
   return await withTmpDir(async (tempDir) => {
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           configFile: "../input",
           tempDir,
@@ -416,6 +421,7 @@ test("load non-local input with invalid repo syntax", async (t) => {
 
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           configFile,
           tempDir,
@@ -444,6 +450,7 @@ test("load non-existent input", async (t) => {
 
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           languagesInput,
           configFile,
@@ -527,6 +534,7 @@ test("load non-empty input", async (t) => {
     const configFilePath = createConfigFile(inputFileContents, tempDir);
 
     const actualConfig = await configUtils.initConfig(
+      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput,
         buildModeInput: "none",
@@ -583,6 +591,7 @@ test("Using config input and file together, config input should be used.", async
     const languagesInput = "javascript";
 
     const config = await configUtils.initConfig(
+      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput,
         configFile: configFilePath,
@@ -633,6 +642,7 @@ test("API client used when reading remote config", async (t) => {
     const languagesInput = "javascript";
 
     await configUtils.initConfig(
+      createFeatures([]),
       createTestInitConfigInputs({
         languagesInput,
         configFile,
@@ -653,6 +663,7 @@ test("Remote config handles the case where a directory is provided", async (t) =
     const repoReference = "octo-org/codeql-config/config.yaml@main";
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           configFile: repoReference,
           tempDir,
@@ -681,6 +692,7 @@ test("Invalid format of remote config handled correctly", async (t) => {
     const repoReference = "octo-org/codeql-config/config.yaml@main";
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           configFile: repoReference,
           tempDir,
@@ -710,6 +722,7 @@ test("No detected languages", async (t) => {
 
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           tempDir,
           codeql,
@@ -732,6 +745,7 @@ test("Unknown languages", async (t) => {
 
     try {
       await configUtils.initConfig(
+        createFeatures([]),
         createTestInitConfigInputs({
           languagesInput,
           tempDir,

src/config-utils.ts

@@ -11,7 +11,6 @@ import {
   CodeQuality,
   codeQualityQueries,
   CodeScanning,
-  parseAnalysisKinds,
 } from "./analyses";
 import * as api from "./api-client";
 import { CachingKind, getCachingKind } from "./caching-utils";
@@ -20,6 +19,7 @@ import {
   calculateAugmentation,
   ExcludeQueryFilter,
   generateCodeScanningConfig,
+  parseUserConfig,
   UserConfig,
 } from "./config/db-config";
 import { shouldPerformDiffInformedAnalysis } from "./diff-informed-analysis-utils";
@@ -373,10 +373,8 @@ export async function getRawLanguages(
 
 /** Inputs required to initialize a configuration. */
 export interface InitConfigInputs {
-  analysisKindsInput: string;
   languagesInput: string | undefined;
   queriesInput: string | undefined;
-  qualityQueriesInput: string | undefined;
   packsInput: string | undefined;
   configFile: string | undefined;
   dbLocation: string | undefined;
@@ -396,6 +394,7 @@ export interface InitConfigInputs {
   apiDetails: api.GitHubApiCombinedDetails;
   features: FeatureEnablement;
   repositoryProperties: RepositoryProperties;
+  analysisKinds: AnalysisKind[];
   logger: Logger;
 }
 
@@ -405,10 +404,8 @@ export interface InitConfigInputs {
  */
 export async function initActionState(
   {
-    analysisKindsInput,
     languagesInput,
     queriesInput,
-    qualityQueriesInput,
     packsInput,
     buildModeInput,
     dbLocation,
@@ -424,22 +421,11 @@ export async function initActionState(
     githubVersion,
     features,
     repositoryProperties,
+    analysisKinds,
     logger,
   }: InitConfigInputs,
   userConfig: UserConfig,
 ): Promise<Config> {
-  const analysisKinds = await parseAnalysisKinds(analysisKindsInput);
-
-  // For backwards compatibility, add Code Quality to the enabled analysis kinds
-  // if an input to `quality-queries` was specified. We should remove this once
-  // `quality-queries` is no longer used.
-  if (
-    !analysisKinds.includes(AnalysisKind.CodeQuality) &&
-    qualityQueriesInput !== undefined
-  ) {
-    analysisKinds.push(AnalysisKind.CodeQuality);
-  }
-
   const languages = await getLanguages(
     codeql,
     languagesInput,
@@ -540,10 +526,12 @@ async function downloadCacheWithTime(
 }
 
 async function loadUserConfig(
+  logger: Logger,
   configFile: string,
   workspacePath: string,
   apiDetails: api.GitHubApiCombinedDetails,
   tempDir: string,
+  validateConfig: boolean,
 ): Promise<UserConfig> {
   if (isLocal(configFile)) {
     if (configFile !== userConfigFromActionPath(tempDir)) {
@@ -556,9 +544,14 @@ async function loadUserConfig(
         );
       }
     }
-    return getLocalConfig(configFile);
+    return getLocalConfig(logger, configFile, validateConfig);
   } else {
-    return await getRemoteConfig(configFile, apiDetails);
+    return await getRemoteConfig(
+      logger,
+      configFile,
+      apiDetails,
+      validateConfig,
+    );
   }
 }
 
@@ -794,7 +787,10 @@ function hasQueryCustomisation(userConfig: UserConfig): boolean {
  * This will parse the config from the user input if present, or generate
  * a default config. The parsed config is then stored to a known location.
  */
-export async function initConfig(inputs: InitConfigInputs): Promise<Config> {
+export async function initConfig(
+  features: FeatureEnablement,
+  inputs: InitConfigInputs,
+): Promise<Config> {
   const { logger, tempDir } = inputs;
 
   // if configInput is set, it takes precedence over configFile
@@ -814,11 +810,14 @@ export async function initConfig(inputs: InitConfigInputs): Promise<Config> {
     logger.debug("No configuration file was provided");
   } else {
     logger.debug(`Using configuration file: ${inputs.configFile}`);
+    const validateConfig = await features.getValue(Feature.ValidateDbConfig);
     userConfig = await loadUserConfig(
+      logger,
       inputs.configFile,
       inputs.workspacePath,
       inputs.apiDetails,
       tempDir,
+      validateConfig,
     );
   }
 
@@ -912,7 +911,11 @@ function isLocal(configPath: string): boolean {
   return configPath.indexOf("@") === -1;
 }
 
-function getLocalConfig(configFile: string): UserConfig {
+function getLocalConfig(
+  logger: Logger,
+  configFile: string,
+  validateConfig: boolean,
+): UserConfig {
   // Error if the file does not exist
   if (!fs.existsSync(configFile)) {
     throw new ConfigurationError(
@@ -920,12 +923,19 @@ function getLocalConfig(configFile: string): UserConfig {
     );
   }
 
-  return yaml.load(fs.readFileSync(configFile, "utf8")) as UserConfig;
+  return parseUserConfig(
+    logger,
+    configFile,
+    fs.readFileSync(configFile, "utf-8"),
+    validateConfig,
+  );
 }
 
 async function getRemoteConfig(
+  logger: Logger,
   configFile: string,
   apiDetails: api.GitHubApiCombinedDetails,
+  validateConfig: boolean,
 ): Promise<UserConfig> {
   // retrieve the various parts of the config location, and ensure they're present
   const format = new RegExp(
@@ -933,7 +943,7 @@ async function getRemoteConfig(
   );
   const pieces = format.exec(configFile);
   // 5 = 4 groups + the whole expression
-  if (pieces === null || pieces.groups === undefined || pieces.length < 5) {
+  if (pieces?.groups === undefined || pieces.length < 5) {
     throw new ConfigurationError(
       errorMessages.getConfigFileRepoFormatInvalidMessage(configFile),
     );
@@ -961,9 +971,12 @@ async function getRemoteConfig(
     );
   }
 
-  return yaml.load(
+  return parseUserConfig(
+    logger,
+    configFile,
     Buffer.from(fileContents, "base64").toString("binary"),
-  ) as UserConfig;
+    validateConfig,
+  );
 }
 
 /**

src/config/db-config.test.ts

@@ -2,7 +2,13 @@ import test, { ExecutionContext } from "ava";
 
 import { RepositoryProperties } from "../feature-flags/properties";
 import { KnownLanguage, Language } from "../languages";
-import { prettyPrintPack } from "../util";
+import { getRunnerLogger } from "../logging";
+import {
+  checkExpectedLogMessages,
+  getRecordingLogger,
+  LoggedMessage,
+} from "../testing-utils";
+import { ConfigurationError, prettyPrintPack } from "../util";
 
 import * as dbConfig from "./db-config";
 
@@ -391,3 +397,111 @@ test(
   {},
   /"a-pack-without-a-scope" is not a valid pack/,
 );
+
+test("parseUserConfig - successfully parses valid YAML", (t) => {
+  const result = dbConfig.parseUserConfig(
+    getRunnerLogger(true),
+    "test",
+    `
+    paths-ignore:
+      - "some/path"
+    queries:
+      - uses: foo
+    some-unknown-option: true
+    `,
+    true,
+  );
+  t.truthy(result);
+  if (t.truthy(result["paths-ignore"])) {
+    t.is(result["paths-ignore"].length, 1);
+    t.is(result["paths-ignore"][0], "some/path");
+  }
+  if (t.truthy(result["queries"])) {
+    t.is(result["queries"].length, 1);
+    t.deepEqual(result["queries"][0], { uses: "foo" });
+  }
+});
+
+test("parseUserConfig - throws a ConfigurationError if the file is not valid YAML", (t) => {
+  t.throws(
+    () =>
+      dbConfig.parseUserConfig(
+        getRunnerLogger(true),
+        "test",
+        `
+        paths-ignore:
+         - "some/path"
+         queries:
+         - foo
+        `,
+        true,
+      ),
+    {
+      instanceOf: ConfigurationError,
+    },
+  );
+});
+
+test("parseUserConfig - validation isn't picky about `query-filters`", (t) => {
+  const loggedMessages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(loggedMessages);
+
+  t.notThrows(() =>
+    dbConfig.parseUserConfig(
+      logger,
+      "test",
+      `
+        query-filters:
+          - something
+          - include: foo
+          - exclude: bar
+        `,
+      true,
+    ),
+  );
+});
+
+test("parseUserConfig - throws a ConfigurationError if validation fails", (t) => {
+  const loggedMessages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(loggedMessages);
+
+  t.throws(
+    () =>
+      dbConfig.parseUserConfig(
+        logger,
+        "test",
+        `
+        paths-ignore:
+         - "some/path"
+        queries: true
+        `,
+        true,
+      ),
+    {
+      instanceOf: ConfigurationError,
+      message:
+        'The configuration file "test" is invalid: instance.queries is not of a type(s) array.',
+    },
+  );
+
+  const expectedMessages = ["instance.queries is not of a type(s) array"];
+  checkExpectedLogMessages(t, loggedMessages, expectedMessages);
+});
+
+test("parseUserConfig - throws no ConfigurationError if validation should fail, but feature is disabled", (t) => {
+  const loggedMessages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(loggedMessages);
+
+  t.notThrows(() =>
+    dbConfig.parseUserConfig(
+      logger,
+      "test",
+      `
+        paths-ignore:
+         - "some/path"
+        queries: true
+        `,
+      false,
+    ),
+  );
+});

src/config/db-config.ts

@@ -1,5 +1,7 @@
 import * as path from "path";
 
+import * as yaml from "js-yaml";
+import * as jsonschema from "jsonschema";
 import * as semver from "semver";
 
 import * as errorMessages from "../error-messages";
@@ -378,10 +380,7 @@ function combineQueries(
   const result: QuerySpec[] = [];
 
   // Query settings obtained from the repository properties have the highest precedence.
-  if (
-    augmentationProperties.repoPropertyQueries &&
-    augmentationProperties.repoPropertyQueries.input
-  ) {
+  if (augmentationProperties.repoPropertyQueries?.input) {
     logger.info(
       `Found query configuration in the repository properties (${RepositoryPropertyName.EXTRA_QUERIES}): ` +
         `${augmentationProperties.repoPropertyQueries.input.map((q) => q.uses).join(", ")}`,
@@ -474,3 +473,53 @@ export function generateCodeScanningConfig(
 
   return augmentedConfig;
 }
+
+/**
+ * Attempts to parse `contents` into a `UserConfig` value.
+ *
+ * @param logger The logger to use.
+ * @param pathInput The path to the file where `contents` was obtained from, for use in error messages.
+ * @param contents The string contents of a YAML file to try and parse as a `UserConfig`.
+ * @param validateConfig Whether to validate the configuration file against the schema.
+ * @returns The `UserConfig` corresponding to `contents`, if parsing was successful.
+ * @throws A `ConfigurationError` if parsing failed.
+ */
+export function parseUserConfig(
+  logger: Logger,
+  pathInput: string,
+  contents: string,
+  validateConfig: boolean,
+): UserConfig {
+  try {
+    const schema =
+      // eslint-disable-next-line @typescript-eslint/no-require-imports
+      require("../../src/db-config-schema.json") as jsonschema.Schema;
+
+    const doc = yaml.load(contents);
+
+    if (validateConfig) {
+      const result = new jsonschema.Validator().validate(doc, schema);
+
+      if (result.errors.length > 0) {
+        for (const error of result.errors) {
+          logger.error(error.stack);
+        }
+        throw new ConfigurationError(
+          errorMessages.getInvalidConfigFileMessage(
+            pathInput,
+            result.errors.map((e) => e.stack),
+          ),
+        );
+      }
+    }
+
+    return doc as UserConfig;
+  } catch (error) {
+    if (error instanceof yaml.YAMLException) {
+      throw new ConfigurationError(
+        errorMessages.getConfigFileParseErrorMessage(pathInput, error.message),
+      );
+    }
+    throw error;
+  }
+}

src/database-upload.test.ts

@@ -5,6 +5,7 @@ import test from "ava";
 import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
+import { AnalysisKind } from "./analyses";
 import { GitHubApiDetails } from "./api-client";
 import * as apiClient from "./api-client";
 import { createStubCodeQL } from "./codeql";
@@ -108,6 +109,39 @@ test("Abort database upload if 'upload-database' input set to false", async (t)
   });
 });
 
+test("Abort database upload if 'analysis-kinds: code-scanning' is not enabled", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
+    sinon
+      .stub(actionsUtil, "getRequiredInput")
+      .withArgs("upload-database")
+      .returns("true");
+    sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
+
+    await mockHttpRequests(201);
+
+    const loggedMessages = [];
+    await uploadDatabases(
+      testRepoName,
+      getCodeQL(),
+      {
+        ...getTestConfig(tmpDir),
+        analysisKinds: [AnalysisKind.CodeQuality],
+      },
+      testApiDetails,
+      getRecordingLogger(loggedMessages),
+    );
+    t.assert(
+      loggedMessages.find(
+        (v: LoggedMessage) =>
+          v.type === "debug" &&
+          v.message ===
+            "Not uploading database because 'analysis-kinds: code-scanning' is not enabled.",
+      ) !== undefined,
+    );
+  });
+});
+
 test("Abort database upload if running against GHES", async (t) => {
   await withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);

src/database-upload.ts

@@ -1,6 +1,7 @@
 import * as fs from "fs";
 
 import * as actionsUtil from "./actions-util";
+import { AnalysisKind } from "./analyses";
 import { getApiClient, GitHubApiDetails } from "./api-client";
 import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
@@ -22,6 +23,13 @@ export async function uploadDatabases(
     return;
   }
 
+  if (!config.analysisKinds.includes(AnalysisKind.CodeScanning)) {
+    logger.debug(
+      `Not uploading database because 'analysis-kinds: ${AnalysisKind.CodeScanning}' is not enabled.`,
+    );
+    return;
+  }
+
   if (util.isInTestMode()) {
     logger.debug("In test mode. Skipping database upload.");
     return;

src/db-config-schema.json

@@ -0,0 +1,145 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "CodeQL Database Configuration",
+  "description": "Format of the config file supplied by the user for CodeQL analysis",
+  "type": "object",
+  "properties": {
+    "name": {
+      "type": "string",
+      "description": "Name of the configuration"
+    },
+    "disable-default-queries": {
+      "type": "boolean",
+      "description": "Whether to disable default queries"
+    },
+    "queries": {
+      "type": "array",
+      "description": "List of additional queries to run",
+      "items": {
+        "$ref": "#/definitions/QuerySpec"
+      }
+    },
+    "paths-ignore": {
+      "type": "array",
+      "description": "Paths to ignore during analysis",
+      "items": {
+        "type": "string"
+      }
+    },
+    "paths": {
+      "type": "array",
+      "description": "Paths to include in analysis",
+      "items": {
+        "type": "string"
+      }
+    },
+    "packs": {
+      "description": "Query packs to include. Can be a simple array for single-language analysis or an object with language-specific arrays for multi-language analysis",
+      "oneOf": [
+        {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        {
+          "type": "object",
+          "additionalProperties": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          }
+        }
+      ]
+    },
+    "query-filters": {
+      "type": "array",
+      "description": "Set of query filters to include and exclude extra queries based on CodeQL query suite include and exclude properties",
+      "items": {
+        "$ref": "#/definitions/QueryFilter"
+      }
+    }
+  },
+  "additionalProperties": true,
+  "definitions": {
+    "QuerySpec": {
+      "type": "object",
+      "description": "Detailed query specification object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "description": "Optional name for the query"
+        },
+        "uses": {
+          "type": "string",
+          "description": "The query or query suite to use"
+        }
+      },
+      "required": ["uses"],
+      "additionalProperties": false
+    },
+    "QueryFilter": {
+      "description": "Query filter that can either include or exclude queries",
+      "oneOf": [
+        {
+          "$ref": "#/definitions/ExcludeQueryFilter"
+        },
+        {
+          "$ref": "#/definitions/IncludeQueryFilter"
+        },
+        {}
+      ]
+    },
+    "ExcludeQueryFilter": {
+      "type": "object",
+      "description": "Filter to exclude queries",
+      "properties": {
+        "exclude": {
+          "type": "object",
+          "description": "Queries to exclude",
+          "additionalProperties": {
+            "oneOf": [
+              {
+                "type": "array",
+                "items": {
+                  "type": "string"
+                }
+              },
+              {
+                "type": "string"
+              }
+            ]
+          }
+        }
+      },
+      "required": ["exclude"],
+      "additionalProperties": false
+    },
+    "IncludeQueryFilter": {
+      "type": "object",
+      "description": "Filter to include queries",
+      "properties": {
+        "include": {
+          "type": "object",
+          "description": "Queries to include",
+          "additionalProperties": {
+            "oneOf": [
+              {
+                "type": "array",
+                "items": {
+                  "type": "string"
+                }
+              },
+              {
+                "type": "string"
+              }
+            ]
+          }
+        }
+      },
+      "required": ["include"],
+      "additionalProperties": false
+    }
+  }
+}

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.23.2",
-  "cliVersion": "2.23.2",
-  "priorBundleVersion": "codeql-bundle-v2.23.1",
-  "priorCliVersion": "2.23.1"
+  "bundleVersion": "codeql-bundle-v2.23.3",
+  "cliVersion": "2.23.3",
+  "priorBundleVersion": "codeql-bundle-v2.23.2",
+  "priorCliVersion": "2.23.2"
 }

src/environment.ts

@@ -47,6 +47,9 @@ export enum EnvVar {
   /** Whether the CodeQL Action has already warned the user about low disk space. */
   HAS_WARNED_ABOUT_DISK_SPACE = "CODEQL_ACTION_HAS_WARNED_ABOUT_DISK_SPACE",
 
+  /** Whether the `setup-codeql` action has been run. */
+  SETUP_CODEQL_ACTION_HAS_RUN = "CODEQL_ACTION_SETUP_CODEQL_HAS_RUN",
+
   /** Whether the init action has been run. */
   INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",
 

src/error-messages.ts

@@ -14,6 +14,22 @@ export function getConfigFileDoesNotExistErrorMessage(
   return `The configuration file "${configFile}" does not exist`;
 }
 
+export function getConfigFileParseErrorMessage(
+  configFile: string,
+  message: string,
+): string {
+  return `Cannot parse "${configFile}": ${message}`;
+}
+
+export function getInvalidConfigFileMessage(
+  configFile: string,
+  messages: string[],
+): string {
+  const andMore =
+    messages.length > 10 ? `, and ${messages.length - 10} more.` : ".";
+  return `The configuration file "${configFile}" is invalid: ${messages.slice(0, 10).join(", ")}${andMore}`;
+}
+
 export function getConfigFileRepoFormatInvalidMessage(
   configFile: string,
 ): string {

src/feature-flags.ts

@@ -44,6 +44,7 @@ export interface FeatureEnablement {
  */
 export enum Feature {
   AllowToolcacheInput = "allow_toolcache_input",
+  AnalyzeUseNewUpload = "analyze_use_new_upload",
   CleanupTrapCaches = "cleanup_trap_caches",
   CppDependencyInstallation = "cpp_dependency_installation_enabled",
   DiffInformedQueries = "diff_informed_queries",
@@ -77,6 +78,7 @@ export enum Feature {
   QaTelemetryEnabled = "qa_telemetry_enabled",
   ResolveSupportedLanguagesUsingCli = "resolve_supported_languages_using_cli",
   UseRepositoryProperties = "use_repository_properties",
+  ValidateDbConfig = "validate_db_config",
 }
 
 export const featureConfig: Record<
@@ -115,6 +117,11 @@ export const featureConfig: Record<
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
     minimumVersion: undefined,
   },
+  [Feature.AnalyzeUseNewUpload]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ANALYZE_USE_NEW_UPLOAD",
+    minimumVersion: undefined,
+  },
   [Feature.CleanupTrapCaches]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
@@ -287,6 +294,11 @@ export const featureConfig: Record<
     envVar: "CODEQL_ACTION_JAVA_MINIMIZE_DEPENDENCY_JARS",
     minimumVersion: "2.23.0",
   },
+  [Feature.ValidateDbConfig]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG",
+    minimumVersion: undefined,
+  },
 };
 
 /**
@@ -641,7 +653,7 @@ class GitHubFeatureFlags {
       }
 
       this.logger.debug(
-        "Loaded the following default values for the feature flags from the Code Scanning API:",
+        "Loaded the following default values for the feature flags from the CodeQL Action API:",
       );
       for (const [feature, value] of Object.entries(remoteFlags).sort(
         ([nameA], [nameB]) => nameA.localeCompare(nameB),
@@ -651,12 +663,13 @@ class GitHubFeatureFlags {
       this.hasAccessedRemoteFeatureFlags = true;
       return remoteFlags;
     } catch (e) {
-      if (util.isHTTPError(e) && e.status === 403) {
+      const httpError = util.asHTTPError(e);
+      if (httpError?.status === 403) {
         this.logger.warning(
-          "This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. " +
+          "This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
             "As a result, it will not be opted into any experimental features. " +
             "This could be because the Action is running on a pull request from a fork. If not, " +
-            `please ensure the Action has the 'security-events: write' permission. Details: ${e.message}`,
+            `please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
         );
         this.hasAccessedRemoteFeatureFlags = false;
         return {};

src/init-action-post-helper.test.ts

@@ -2,6 +2,7 @@ import test, { ExecutionContext } from "ava";
 import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
+import { AnalysisKind } from "./analyses";
 import * as codeql from "./codeql";
 import * as configUtils from "./config-utils";
 import { Feature } from "./feature-flags";
@@ -28,12 +29,13 @@ test("post: init action with debug mode off", async (t) => {
     const gitHubVersion: util.GitHubVersion = {
       type: util.GitHubVariant.DOTCOM,
     };
-    sinon.stub(configUtils, "getConfig").resolves({
-      debugMode: false,
-      gitHubVersion,
-      languages: [],
-      packs: [],
-    } as unknown as configUtils.Config);
+    sinon.stub(configUtils, "getConfig").resolves(
+      createTestConfig({
+        debugMode: false,
+        gitHubVersion,
+        languages: [],
+      }),
+    );
 
     const uploadAllAvailableDebugArtifactsSpy = sinon.spy();
     const printDebugLogsSpy = sinon.spy();
@@ -295,6 +297,17 @@ test("uploading failed SARIF run fails when workflow does not reference github/c
   t.truthy(result.upload_failed_run_stack_trace);
 });
 
+test("not uploading failed SARIF when `code-scanning` is not an enabled analysis kind", async (t) => {
+  const result = await testFailedSarifUpload(t, createTestWorkflow([]), {
+    analysisKinds: [AnalysisKind.CodeQuality],
+    expectUpload: false,
+  });
+  t.is(
+    result.upload_failed_run_skipped_because,
+    "Code Scanning is not enabled.",
+  );
+});
+
 function createTestWorkflow(
   steps: workflow.WorkflowJobStep[],
 ): workflow.Workflow {
@@ -327,20 +340,22 @@ async function testFailedSarifUpload(
     expectUpload = true,
     exportDiagnosticsEnabled = false,
     matrix = {},
+    analysisKinds = [AnalysisKind.CodeScanning],
   }: {
     category?: string;
     databaseExists?: boolean;
     expectUpload?: boolean;
     exportDiagnosticsEnabled?: boolean;
     matrix?: { [key: string]: string };
+    analysisKinds?: AnalysisKind[];
   } = {},
 ): Promise<initActionPostHelper.UploadFailedSarifResult> {
-  const config = {
+  const config = createTestConfig({
+    analysisKinds,
     codeQLCmd: "codeql",
     debugMode: true,
     languages: [],
-    packs: [],
-  } as unknown as configUtils.Config;
+  });
   if (databaseExists) {
     config.dbLocation = "path/to/database";
   }

src/init-action-post-helper.ts

@@ -7,7 +7,7 @@ import * as actionsUtil from "./actions-util";
 import { CodeScanning } from "./analyses";
 import { getApiClient } from "./api-client";
 import { CodeQL, getCodeQL } from "./codeql";
-import { Config } from "./config-utils";
+import { Config, isCodeScanningEnabled } from "./config-utils";
 import * as dependencyCaching from "./dependency-caching";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
@@ -139,6 +139,15 @@ export async function tryUploadSarifIfRunFailed(
       EnvVar.JOB_STATUS,
       process.env[EnvVar.JOB_STATUS] ?? JobStatus.ConfigErrorStatus,
     );
+
+    // If the only enabled analysis kind is `code-quality`, then we shouldn't
+    // upload the failed SARIF to Code Scanning.
+    if (!isCodeScanningEnabled(config)) {
+      return {
+        upload_failed_run_skipped_because: "Code Scanning is not enabled.",
+      };
+    }
+
     try {
       return await maybeUploadFailedSarif(
         config,

src/init-action.ts

@@ -15,6 +15,7 @@ import {
   getTemporaryDirectory,
   persistInputs,
 } from "./actions-util";
+import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import {
   getDependencyCachingEnabled,
@@ -56,6 +57,7 @@ import { ToolsSource } from "./setup-codeql";
 import {
   ActionName,
   InitStatusReport,
+  InitToolsDownloadFields,
   InitWithConfigStatusReport,
   createInitWithConfigStatusReport,
   createStatusReportBase,
@@ -86,14 +88,29 @@ import {
 } from "./util";
 import { validateWorkflow } from "./workflow";
 
-/** Fields of the init status report populated when the tools source is `download`. */
-interface InitToolsDownloadFields {
-  /** Time taken to download the bundle, in milliseconds. */
-  tools_download_duration_ms?: number;
-  /**
-   * Whether the relevant tools dotcom feature flags have been misconfigured.
-   * Only populated if we attempt to determine the default version based on the dotcom feature flags. */
-  tools_feature_flags_valid?: boolean;
+/**
+ * Sends a status report indicating that the `init` Action is starting.
+ *
+ * @param startedAt
+ * @param config
+ * @param logger
+ */
+async function sendStartingStatusReport(
+  startedAt: Date,
+  config: Partial<configUtils.Config> | undefined,
+  logger: Logger,
+) {
+  const statusReportBase = await createStatusReportBase(
+    ActionName.Init,
+    "starting",
+    startedAt,
+    config,
+    await checkDiskUsage(logger),
+    logger,
+  );
+  if (statusReportBase !== undefined) {
+    await sendStatusReport(statusReportBase);
+  }
 }
 
 async function sendCompletedStatusReport(
@@ -210,6 +227,7 @@ async function run() {
     ? await loadPropertiesFromApi(gitHubVersion, logger, repositoryNwo)
     : {};
 
+  // Create a unique identifier for this run.
   const jobRunUuid = uuidV4();
   logger.info(`Job run UUID is ${jobRunUuid}.`);
   core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
@@ -227,17 +245,30 @@ async function run() {
   );
 
   try {
-    const statusReportBase = await createStatusReportBase(
-      ActionName.Init,
-      "starting",
-      startedAt,
-      config,
-      await checkDiskUsage(logger),
-      logger,
-    );
-    if (statusReportBase !== undefined) {
-      await sendStatusReport(statusReportBase);
+    // Parsing the `analysis-kinds` input may throw a `ConfigurationError`, which we don't want before
+    // we have called `sendStartingStatusReport` below. However, we want the analysis kinds for that status
+    // report. To work around this, we ignore exceptions that are thrown here and then call `getAnalysisKinds`
+    // a second time later. The second call will then throw the exception again. If `getAnalysisKinds` is
+    // successful, the results are cached so that we don't duplicate the work in normal runs.
+    let analysisKinds: AnalysisKind[] | undefined;
+    try {
+      analysisKinds = await getAnalysisKinds(logger);
+    } catch (err) {
+      logger.debug(
+        `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`,
+      );
     }
+
+    // Send a status report indicating that an analysis is starting.
+    await sendStartingStatusReport(startedAt, { analysisKinds }, logger);
+
+    // Throw a `ConfigurationError` if the `setup-codeql` action has been run.
+    if (process.env[EnvVar.SETUP_CODEQL_ACTION_HAS_RUN] === "true") {
+      throw new ConfigurationError(
+        `The 'init' action should not be run in the same workflow as 'setup-codeql'.`,
+      );
+    }
+
     const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
       gitHubVersion.type,
     );
@@ -293,21 +324,11 @@ async function run() {
       }
     }
 
-    // Warn that `quality-queries` is deprecated if there is an argument for it.
-    const qualityQueriesInput = getOptionalInput("quality-queries");
-
-    if (qualityQueriesInput !== undefined) {
-      logger.warning(
-        "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. " +
-          "Use the `analysis-kinds` input to configure different analysis kinds instead.",
-      );
-    }
-
-    config = await initConfig({
-      analysisKindsInput: getRequiredInput("analysis-kinds"),
+    analysisKinds = await getAnalysisKinds(logger);
+    config = await initConfig(features, {
+      analysisKinds,
       languagesInput: getOptionalInput("languages"),
       queriesInput: getOptionalInput("queries"),
-      qualityQueriesInput,
       packsInput: getOptionalInput("packs"),
       buildModeInput: getOptionalInput("build-mode"),
       configFile,

src/init.ts

@@ -61,10 +61,11 @@ export async function initCodeQL(
 }
 
 export async function initConfig(
+  features: FeatureEnablement,
   inputs: configUtils.InitConfigInputs,
 ): Promise<configUtils.Config> {
   return await withGroupAsync("Load language configuration", async () => {
-    return await configUtils.initConfig(inputs);
+    return await configUtils.initConfig(features, inputs);
   });
 }
 

src/overlay-database-utils.ts

@@ -34,15 +34,10 @@ export const CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.4";
  * Actions Cache client library. Instead we place a limit on the uncompressed
  * size of the overlay-base database.
  *
- * Assuming 2.5:1 compression ratio, the 15 GB limit on uncompressed data would
- * translate to a limit of around 6 GB after compression. This is a high limit
- * compared to the default 10GB Actions Cache capacity, but enforcement of Actions
- * Cache quotas is not immediate.
- *
- * TODO: revisit this limit before removing the restriction for overlay analysis
- * to the `github` and `dsp-testing` orgs.
+ * Assuming 2.5:1 compression ratio, the 7.5 GB limit on uncompressed data would
+ * translate to a limit of around 3 GB after compression.
  */
-const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 15000;
+const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
 const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES =
   OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1_000_000;
 

src/setup-codeql-action.ts

@@ -0,0 +1,196 @@
+import * as core from "@actions/core";
+import { v4 as uuidV4 } from "uuid";
+
+import {
+  getActionVersion,
+  getOptionalInput,
+  getRequiredInput,
+  getTemporaryDirectory,
+} from "./actions-util";
+import { getGitHubVersion } from "./api-client";
+import { CodeQL } from "./codeql";
+import { EnvVar } from "./environment";
+import { Features } from "./feature-flags";
+import { initCodeQL } from "./init";
+import { getActionsLogger, Logger } from "./logging";
+import { getRepositoryNwo } from "./repository";
+import { ToolsSource } from "./setup-codeql";
+import {
+  ActionName,
+  InitStatusReport,
+  InitToolsDownloadFields,
+  createStatusReportBase,
+  getActionsStatus,
+  sendStatusReport,
+} from "./status-report";
+import { ToolsDownloadStatusReport } from "./tools-download";
+import {
+  checkDiskUsage,
+  checkForTimeout,
+  checkGitHubVersionInRange,
+  getRequiredEnvParam,
+  initializeEnvironment,
+  ConfigurationError,
+  wrapError,
+  checkActionVersion,
+  getErrorMessage,
+} from "./util";
+
+/**
+ * Helper function to send a full status report for this action.
+ */
+async function sendCompletedStatusReport(
+  startedAt: Date,
+  toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined,
+  toolsFeatureFlagsValid: boolean | undefined,
+  toolsSource: ToolsSource,
+  toolsVersion: string,
+  logger: Logger,
+  error?: Error,
+): Promise<void> {
+  const statusReportBase = await createStatusReportBase(
+    ActionName.SetupCodeQL,
+    getActionsStatus(error),
+    startedAt,
+    undefined,
+    await checkDiskUsage(logger),
+    logger,
+    error?.message,
+    error?.stack,
+  );
+
+  if (statusReportBase === undefined) {
+    return;
+  }
+
+  const initStatusReport: InitStatusReport = {
+    ...statusReportBase,
+    tools_input: getOptionalInput("tools") || "",
+    tools_resolved_version: toolsVersion,
+    tools_source: toolsSource || ToolsSource.Unknown,
+    workflow_languages: "",
+  };
+
+  const initToolsDownloadFields: InitToolsDownloadFields = {};
+
+  if (toolsDownloadStatusReport?.downloadDurationMs !== undefined) {
+    initToolsDownloadFields.tools_download_duration_ms =
+      toolsDownloadStatusReport.downloadDurationMs;
+  }
+  if (toolsFeatureFlagsValid !== undefined) {
+    initToolsDownloadFields.tools_feature_flags_valid = toolsFeatureFlagsValid;
+  }
+
+  await sendStatusReport({ ...initStatusReport, ...initToolsDownloadFields });
+}
+
+/** The main behaviour of this action. */
+async function run(): Promise<void> {
+  const startedAt = new Date();
+  const logger = getActionsLogger();
+  initializeEnvironment(getActionVersion());
+
+  let codeql: CodeQL;
+  let toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined;
+  let toolsFeatureFlagsValid: boolean | undefined;
+  let toolsSource: ToolsSource;
+  let toolsVersion: string;
+
+  const apiDetails = {
+    auth: getRequiredInput("token"),
+    externalRepoAuth: getOptionalInput("external-repository-token"),
+    url: getRequiredEnvParam("GITHUB_SERVER_URL"),
+    apiURL: getRequiredEnvParam("GITHUB_API_URL"),
+  };
+
+  const gitHubVersion = await getGitHubVersion();
+  checkGitHubVersionInRange(gitHubVersion, logger);
+  checkActionVersion(getActionVersion(), gitHubVersion);
+
+  const repositoryNwo = getRepositoryNwo();
+
+  const features = new Features(
+    gitHubVersion,
+    repositoryNwo,
+    getTemporaryDirectory(),
+    logger,
+  );
+
+  const jobRunUuid = uuidV4();
+  logger.info(`Job run UUID is ${jobRunUuid}.`);
+  core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
+
+  try {
+    const statusReportBase = await createStatusReportBase(
+      ActionName.SetupCodeQL,
+      "starting",
+      startedAt,
+      undefined,
+      await checkDiskUsage(logger),
+      logger,
+    );
+    if (statusReportBase !== undefined) {
+      await sendStatusReport(statusReportBase);
+    }
+    const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(
+      gitHubVersion.type,
+    );
+    toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
+    const initCodeQLResult = await initCodeQL(
+      getOptionalInput("tools"),
+      apiDetails,
+      getTemporaryDirectory(),
+      gitHubVersion.type,
+      codeQLDefaultVersionInfo,
+      features,
+      logger,
+    );
+    codeql = initCodeQLResult.codeql;
+    toolsDownloadStatusReport = initCodeQLResult.toolsDownloadStatusReport;
+    toolsVersion = initCodeQLResult.toolsVersion;
+    toolsSource = initCodeQLResult.toolsSource;
+
+    core.setOutput("codeql-path", codeql.getPath());
+    core.setOutput("codeql-version", (await codeql.getVersion()).version);
+
+    core.exportVariable(EnvVar.SETUP_CODEQL_ACTION_HAS_RUN, "true");
+  } catch (unwrappedError) {
+    const error = wrapError(unwrappedError);
+    core.setFailed(error.message);
+    const statusReportBase = await createStatusReportBase(
+      ActionName.SetupCodeQL,
+      error instanceof ConfigurationError ? "user-error" : "failure",
+      startedAt,
+      undefined,
+      await checkDiskUsage(logger),
+      logger,
+      error.message,
+      error.stack,
+    );
+    if (statusReportBase !== undefined) {
+      await sendStatusReport(statusReportBase);
+    }
+    return;
+  }
+
+  await sendCompletedStatusReport(
+    startedAt,
+    toolsDownloadStatusReport,
+    toolsFeatureFlagsValid,
+    toolsSource,
+    toolsVersion,
+    logger,
+  );
+}
+
+/** Run the action and catch any unhandled errors. */
+async function runWrapper(): Promise<void> {
+  try {
+    await run();
+  } catch (error) {
+    core.setFailed(`setup-codeql action failed: ${getErrorMessage(error)}`);
+  }
+  await checkForTimeout();
+}
+
+void runWrapper();

src/setup-codeql.ts

@@ -168,7 +168,7 @@ export function tryGetTagNameFromUrl(
   // assumes less about the structure of the URL.
   const match = matches[matches.length - 1];
 
-  if (match === null || match.length !== 2) {
+  if (match?.length !== 2) {
     logger.debug(
       `Could not determine tag name for URL ${url}. Matched ${JSON.stringify(
         match,

src/start-proxy-action-post.ts

@@ -30,7 +30,7 @@ async function runWrapper() {
       logger,
     );
 
-    if ((config && config.debugMode) || core.isDebug()) {
+    if (config?.debugMode || core.isDebug()) {
       const logFilePath = core.getState("proxy-log-file");
       logger.info(
         "Debug mode is on. Uploading proxy log as Actions debugging artifact...",

src/status-report.ts

@@ -23,7 +23,6 @@ import { getRepositoryNwo } from "./repository";
 import { ToolsSource } from "./setup-codeql";
 import {
   ConfigurationError,
-  isHTTPError,
   getRequiredEnvParam,
   getCachedCodeQlVersion,
   isInTestMode,
@@ -33,6 +32,7 @@ import {
   BuildMode,
   getErrorMessage,
   getTestingEnvironment,
+  asHTTPError,
 } from "./util";
 
 export enum ActionName {
@@ -41,6 +41,7 @@ export enum ActionName {
   Init = "init",
   InitPost = "init-post",
   ResolveEnvironment = "resolve-environment",
+  SetupCodeQL = "setup-codeql",
   StartProxy = "start-proxy",
   UploadSarif = "upload-sarif",
 }
@@ -386,9 +387,9 @@ export async function createStatusReportBase(
 }
 
 const OUT_OF_DATE_MSG =
-  "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+  "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
 const INCOMPATIBLE_MSG =
-  "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
+  "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
 
 /**
  * Send a status report to the code_scanning/analysis/status endpoint.
@@ -428,8 +429,9 @@ export async function sendStatusReport<S extends StatusReportBase>(
       },
     );
   } catch (e) {
-    if (isHTTPError(e)) {
-      switch (e.status) {
+    const httpError = asHTTPError(e);
+    if (httpError !== undefined) {
+      switch (httpError.status) {
         case 403:
           if (
             getWorkflowEventName() === "push" &&
@@ -437,16 +439,20 @@ export async function sendStatusReport<S extends StatusReportBase>(
           ) {
             core.warning(
               'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
-                "Uploading Code Scanning results requires write access. " +
-                'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
+                "Uploading CodeQL results requires write access. " +
+                'To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
                 `See ${DocUrl.SCANNING_ON_PUSH} for more information on how to configure these events.`,
             );
           } else {
-            core.warning(e.message);
+            core.warning(
+              "This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
+                "This could be because the Action is running on a pull request from a fork. If not, " +
+                `please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
+            );
           }
           return;
         case 404:
-          core.warning(e.message);
+          core.warning(httpError.message);
           return;
         case 422:
           // schema incompatibility when reporting status
@@ -464,7 +470,7 @@ export async function sendStatusReport<S extends StatusReportBase>(
     // something else has gone wrong and the request/response will be logged by octokit
     // it's possible this is a transient error and we should continue scanning
     core.warning(
-      `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
+      `An unexpected error occurred when sending a status report: ${getErrorMessage(
         e,
       )}`,
     );
@@ -516,6 +522,16 @@ export interface InitWithConfigStatusReport extends InitStatusReport {
   config_file: string;
 }
 
+/** Fields of the init status report populated when the tools source is `download`. */
+export interface InitToolsDownloadFields {
+  /** Time taken to download the bundle, in milliseconds. */
+  tools_download_duration_ms?: number;
+  /**
+   * Whether the relevant tools dotcom feature flags have been misconfigured.
+   * Only populated if we attempt to determine the default version based on the dotcom feature flags. */
+  tools_feature_flags_valid?: boolean;
+}
+
 /**
  * Composes a `InitWithConfigStatusReport` from the given values.
  *

src/tar.ts

@@ -35,14 +35,14 @@ async function getTarVersion(): Promise<TarVersion> {
   // Return whether this is GNU tar or BSD tar, and the version number
   if (stdout.includes("GNU tar")) {
     const match = stdout.match(/tar \(GNU tar\) ([0-9.]+)/);
-    if (!match || !match[1]) {
+    if (!match?.[1]) {
       throw new Error("Failed to parse output of tar --version.");
     }
 
     return { type: "gnu", version: match[1] };
   } else if (stdout.includes("bsdtar")) {
     const match = stdout.match(/bsdtar ([0-9.]+)/);
-    if (!match || !match[1]) {
+    if (!match?.[1]) {
       throw new Error("Failed to parse output of tar --version.");
     }
 

src/testing-utils.ts

@@ -2,7 +2,7 @@ import { TextDecoder } from "node:util";
 import path from "path";
 
 import * as github from "@actions/github";
-import { TestFn } from "ava";
+import { ExecutionContext, TestFn } from "ava";
 import nock from "nock";
 import * as sinon from "sinon";
 
@@ -180,6 +180,23 @@ export function getRecordingLogger(messages: LoggedMessage[]): Logger {
   };
 }
 
+export function checkExpectedLogMessages(
+  t: ExecutionContext<any>,
+  messages: LoggedMessage[],
+  expectedMessages: string[],
+) {
+  for (const expectedMessage of expectedMessages) {
+    t.assert(
+      messages.some(
+        (msg) =>
+          typeof msg.message === "string" &&
+          msg.message.includes(expectedMessage),
+      ),
+      `Expected '${expectedMessage}' in the logger output, but didn't find it in:\n ${messages.map((m) => ` - '${m.message}'`).join("\n")}`,
+    );
+  }
+}
+
 /** Mock the HTTP request to the feature flags enablement API endpoint. */
 export function mockFeatureFlagApiEndpoint(
   responseStatusCode: number,

src/tools-features.ts

@@ -3,13 +3,11 @@ import * as semver from "semver";
 import type { VersionInfo } from "./codeql";
 
 export enum ToolsFeature {
-  AnalysisSummaryV2IsDefault = "analysisSummaryV2Default",
   BuiltinExtractorsSpecifyDefaultQueries = "builtinExtractorsSpecifyDefaultQueries",
   DatabaseInterpretResultsSupportsSarifRunProperty = "databaseInterpretResultsSupportsSarifRunProperty",
   ForceOverwrite = "forceOverwrite",
   IndirectTracingSupportsStaticBinaries = "indirectTracingSupportsStaticBinaries",
   PythonDefaultIsToNotExtractStdlib = "pythonDefaultIsToNotExtractStdlib",
-  SarifMergeRunsFromEqualCategory = "sarifMergeRunsFromEqualCategory",
 }
 
 /**

src/trap-caching.ts

@@ -13,8 +13,8 @@ import * as gitUtils from "./git-utils";
 import { Language } from "./languages";
 import { Logger } from "./logging";
 import {
+  asHTTPError,
   getErrorMessage,
-  isHTTPError,
   tryGetFolderBytes,
   waitForResultWithTimeLimit,
 } from "./util";
@@ -236,7 +236,7 @@ export async function cleanupTrapCaches(
     }
     return { trap_cache_cleanup_size_bytes: totalBytesCleanedUp };
   } catch (e) {
-    if (isHTTPError(e) && e.status === 403) {
+    if (asHTTPError(e)?.status === 403) {
       logger.warning(
         "Could not cleanup TRAP caches as the token did not have the required permissions. " +
           'To clean up TRAP caches, ensure the token has the "actions:write" permission. ' +

src/upload-lib.ts

@@ -21,7 +21,6 @@ import * as gitUtils from "./git-utils";
 import { initCodeQL } from "./init";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
-import { ToolsFeature } from "./tools-features";
 import * as util from "./util";
 import {
   ConfigurationError,
@@ -269,32 +268,6 @@ async function combineSarifFilesUsingCLI(
     codeQL = initCodeQLResult.codeql;
   }
 
-  if (
-    !(await codeQL.supportsFeature(
-      ToolsFeature.SarifMergeRunsFromEqualCategory,
-    ))
-  ) {
-    await throwIfCombineSarifFilesDisabled(sarifObjects, gitHubVersion);
-
-    logger.warning(
-      "The CodeQL CLI does not support merging SARIF files. Merging files in the action.",
-    );
-
-    if (
-      await shouldShowCombineSarifFilesDeprecationWarning(
-        sarifObjects,
-        gitHubVersion,
-      )
-    ) {
-      logger.warning(
-        `Uploading multiple CodeQL runs with the same category is deprecated ${deprecationWarningMessage} for CodeQL CLI 2.16.6 and earlier. Please update your CodeQL CLI version or update your workflow to set a distinct category for each CodeQL run. ${deprecationMoreInformationMessage}`,
-      );
-      core.exportVariable("CODEQL_MERGE_SARIF_DEPRECATION_WARNING", "true");
-    }
-
-    return combineSarifFiles(sarifFiles, logger);
-  }
-
   const baseTempDir = path.resolve(tempDir, "combined-sarif");
   fs.mkdirSync(baseTempDir, { recursive: true });
   const outputDirectory = fs.mkdtempSync(path.resolve(baseTempDir, "output-"));
@@ -386,16 +359,17 @@ export async function uploadPayload(
     logger.info("Successfully uploaded results");
     return response.data.id as string;
   } catch (e) {
-    if (util.isHTTPError(e)) {
-      switch (e.status) {
+    const httpError = util.asHTTPError(e);
+    if (httpError !== undefined) {
+      switch (httpError.status) {
         case 403:
-          core.warning(e.message || GENERIC_403_MSG);
+          core.warning(httpError.message || GENERIC_403_MSG);
           break;
         case 404:
-          core.warning(e.message || GENERIC_404_MSG);
+          core.warning(httpError.message || GENERIC_404_MSG);
           break;
         default:
-          core.warning(e.message);
+          core.warning(httpError.message);
           break;
       }
     }
@@ -687,51 +661,39 @@ export function buildPayload(
   return payloadObj;
 }
 
-/**
- * Uploads a single SARIF file or a directory of SARIF files depending on what `inputSarifPath` refers
- * to.
- */
-export async function uploadFiles(
-  inputSarifPath: string,
-  checkoutPath: string,
-  category: string | undefined,
-  features: FeatureEnablement,
-  logger: Logger,
-  uploadTarget: analyses.AnalysisConfig,
-): Promise<UploadResult> {
-  const sarifPaths = getSarifFilePaths(
-    inputSarifPath,
-    uploadTarget.sarifPredicate,
-  );
-
-  return uploadSpecifiedFiles(
-    sarifPaths,
-    checkoutPath,
-    category,
-    features,
-    logger,
-    uploadTarget,
-  );
+export interface PostProcessingResults {
+  sarif: util.SarifFile;
+  analysisKey: string;
+  environment: string;
 }
 
 /**
- * Uploads the given array of SARIF files.
+ * Performs post-processing of the SARIF files given by `sarifPaths`.
+ *
+ * @param logger The logger to use.
+ * @param features Information about enabled features.
+ * @param checkoutPath The path where the repo was checked out at.
+ * @param sarifPaths The paths of the SARIF files to post-process.
+ * @param category The analysis category.
+ * @param analysis The analysis configuration.
+ *
+ * @returns Returns the results of post-processing the SARIF files,
+ *          including the resulting SARIF file.
  */
-export async function uploadSpecifiedFiles(
-  sarifPaths: string[],
-  checkoutPath: string,
-  category: string | undefined,
-  features: FeatureEnablement,
+export async function postProcessSarifFiles(
   logger: Logger,
-  uploadTarget: analyses.AnalysisConfig,
-): Promise<UploadResult> {
-  logger.startGroup(`Uploading ${uploadTarget.name} results`);
-  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
+  features: FeatureEnablement,
+  checkoutPath: string,
+  sarifPaths: string[],
+  category: string | undefined,
+  analysis: analyses.AnalysisConfig,
+): Promise<PostProcessingResults> {
+  logger.info(`Post-processing sarif files: ${JSON.stringify(sarifPaths)}`);
 
   const gitHubVersion = await getGitHubVersion();
 
   let sarif: SarifFile;
-  category = uploadTarget.fixCategory(logger, category);
+  category = analysis.fixCategory(logger, category);
 
   if (sarifPaths.length > 1) {
     // Validate that the files we were asked to upload are all valid SARIF files
@@ -767,6 +729,113 @@ export async function uploadSpecifiedFiles(
     environment,
   );
 
+  return { sarif, analysisKey, environment };
+}
+
+/**
+ * Writes the post-processed SARIF file to disk, if needed based on `pathInput` or the `SARIF_DUMP_DIR`.
+ *
+ * @param logger The logger to use.
+ * @param pathInput The input provided for `post-processed-sarif-path`.
+ * @param uploadTarget The upload target.
+ * @param processingResults The results of post-processing SARIF files.
+ */
+export async function writePostProcessedFiles(
+  logger: Logger,
+  pathInput: string | undefined,
+  uploadTarget: analyses.AnalysisConfig,
+  postProcessingResults: PostProcessingResults,
+) {
+  // If there's an explicit input, use that. Otherwise, use the value from the environment variable.
+  const outputPath = pathInput || util.getOptionalEnvVar(EnvVar.SARIF_DUMP_DIR);
+  logger.info(`Post-processed SARIF output path: ${outputPath}`);
+  // If we have a non-empty output path, write the SARIF file to it.
+  if (outputPath !== undefined) {
+    dumpSarifFile(
+      JSON.stringify(postProcessingResults.sarif),
+      outputPath,
+      logger,
+      uploadTarget,
+    );
+  } else {
+    logger.debug(`Not writing post-processed SARIF files.`);
+  }
+}
+
+/**
+ * Uploads a single SARIF file or a directory of SARIF files depending on what `inputSarifPath` refers
+ * to.
+ */
+export async function uploadFiles(
+  inputSarifPath: string,
+  checkoutPath: string,
+  category: string | undefined,
+  features: FeatureEnablement,
+  logger: Logger,
+  uploadTarget: analyses.AnalysisConfig,
+): Promise<UploadResult> {
+  const sarifPaths = getSarifFilePaths(
+    inputSarifPath,
+    uploadTarget.sarifPredicate,
+  );
+
+  return uploadSpecifiedFiles(
+    sarifPaths,
+    checkoutPath,
+    category,
+    features,
+    logger,
+    uploadTarget,
+  );
+}
+
+/**
+ * Uploads the given array of SARIF files.
+ */
+async function uploadSpecifiedFiles(
+  sarifPaths: string[],
+  checkoutPath: string,
+  category: string | undefined,
+  features: FeatureEnablement,
+  logger: Logger,
+  uploadTarget: analyses.AnalysisConfig,
+): Promise<UploadResult> {
+  const processingResults: PostProcessingResults = await postProcessSarifFiles(
+    logger,
+    features,
+    checkoutPath,
+    sarifPaths,
+    category,
+    uploadTarget,
+  );
+
+  return uploadPostProcessedFiles(
+    logger,
+    checkoutPath,
+    uploadTarget,
+    processingResults,
+  );
+}
+
+/**
+ * Uploads the results of post-processing SARIF files to the specified upload target.
+ *
+ * @param logger The logger to use.
+ * @param checkoutPath The path at which the repository was checked out.
+ * @param uploadTarget The analysis configuration.
+ * @param postProcessingResults The results of post-processing SARIF files.
+ *
+ * @returns The results of uploading the `postProcessingResults` to `uploadTarget`.
+ */
+export async function uploadPostProcessedFiles(
+  logger: Logger,
+  checkoutPath: string,
+  uploadTarget: analyses.AnalysisConfig,
+  postProcessingResults: PostProcessingResults,
+): Promise<UploadResult> {
+  logger.startGroup(`Uploading ${uploadTarget.name} results`);
+
+  const sarif = postProcessingResults.sarif;
   const toolNames = util.getToolNames(sarif);
 
   logger.debug(`Validating that each SARIF run has a unique category`);
@@ -774,11 +843,6 @@ export async function uploadSpecifiedFiles(
   logger.debug(`Serializing SARIF for upload`);
   const sarifPayload = JSON.stringify(sarif);
 
-  const dumpDir = process.env[EnvVar.SARIF_DUMP_DIR];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-  }
-
   logger.debug(`Compressing serialized SARIF`);
   const zippedSarif = zlib.gzipSync(sarifPayload).toString("base64");
   const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -786,13 +850,13 @@ export async function uploadSpecifiedFiles(
   const payload = buildPayload(
     await gitUtils.getCommitOid(checkoutPath),
     await gitUtils.getRef(),
-    analysisKey,
+    postProcessingResults.analysisKey,
     util.getRequiredEnvParam("GITHUB_WORKFLOW"),
     zippedSarif,
     actionsUtil.getWorkflowRunID(),
     actionsUtil.getWorkflowRunAttempt(),
     checkoutURI,
-    environment,
+    postProcessingResults.environment,
     toolNames,
     await gitUtils.determineBaseBranchHeadCommitOid(),
   );
@@ -838,14 +902,14 @@ function dumpSarifFile(
     fs.mkdirSync(outputDir, { recursive: true });
   } else if (!fs.lstatSync(outputDir).isDirectory()) {
     throw new ConfigurationError(
-      `The path specified by the ${EnvVar.SARIF_DUMP_DIR} environment variable exists and is not a directory: ${outputDir}`,
+      `The path that processed SARIF files should be written to exists, but is not a directory: ${outputDir}`,
     );
   }
   const outputFile = path.resolve(
     outputDir,
     `upload${uploadTarget.sarifExtension}`,
   );
-  logger.info(`Dumping processed SARIF file to ${outputFile}`);
+  logger.info(`Writing processed SARIF file to ${outputFile}`);
   fs.writeFileSync(outputFile, sarifPayload);
 }
 

src/upload-sarif-action.ts

@@ -16,7 +16,7 @@ import {
   isThirdPartyAnalysis,
 } from "./status-report";
 import * as upload_lib from "./upload-lib";
-import { uploadSarif } from "./upload-sarif";
+import { postProcessAndUploadSarif } from "./upload-sarif";
 import {
   ConfigurationError,
   checkActionVersion,
@@ -90,9 +90,10 @@ async function run() {
     const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
     const category = actionsUtil.getOptionalInput("category");
 
-    const uploadResults = await uploadSarif(
+    const uploadResults = await postProcessAndUploadSarif(
       logger,
       features,
+      "always",
       checkoutPath,
       sarifPath,
       category,

src/upload-sarif.test.ts

@@ -9,7 +9,7 @@ import { getRunnerLogger } from "./logging";
 import { createFeatures, setupTests } from "./testing-utils";
 import { UploadResult } from "./upload-lib";
 import * as uploadLib from "./upload-lib";
-import { uploadSarif } from "./upload-sarif";
+import { postProcessAndUploadSarif } from "./upload-sarif";
 import * as util from "./util";
 
 setupTests(test);
@@ -19,7 +19,27 @@ interface UploadSarifExpectedResult {
   expectedFiles?: string[];
 }
 
-const uploadSarifMacro = test.macro({
+function mockPostProcessSarifFiles() {
+  const postProcessSarifFiles = sinon.stub(uploadLib, "postProcessSarifFiles");
+
+  for (const analysisKind of Object.values(AnalysisKind)) {
+    const analysisConfig = getAnalysisConfig(analysisKind);
+    postProcessSarifFiles
+      .withArgs(
+        sinon.match.any,
+        sinon.match.any,
+        sinon.match.any,
+        sinon.match.any,
+        sinon.match.any,
+        analysisConfig,
+      )
+      .resolves({ sarif: { runs: [] }, analysisKey: "", environment: "" });
+  }
+
+  return postProcessSarifFiles;
+}
+
+const postProcessAndUploadSarifMacro = test.macro({
   exec: async (
     t: ExecutionContext<unknown>,
     sarifFiles: string[],
@@ -33,21 +53,16 @@ const uploadSarifMacro = test.macro({
 
       const toFullPath = (filename: string) => path.join(tempDir, filename);
 
-      const uploadSpecifiedFiles = sinon.stub(
+      const postProcessSarifFiles = mockPostProcessSarifFiles();
+      const uploadPostProcessedFiles = sinon.stub(
         uploadLib,
-        "uploadSpecifiedFiles",
+        "uploadPostProcessedFiles",
       );
 
       for (const analysisKind of Object.values(AnalysisKind)) {
-        uploadSpecifiedFiles
-          .withArgs(
-            sinon.match.any,
-            sinon.match.any,
-            sinon.match.any,
-            features,
-            logger,
-            getAnalysisConfig(analysisKind),
-          )
+        const analysisConfig = getAnalysisConfig(analysisKind);
+        uploadPostProcessedFiles
+          .withArgs(logger, sinon.match.any, analysisConfig, sinon.match.any)
           .resolves(expectedResult[analysisKind as AnalysisKind]?.uploadResult);
       }
 
@@ -56,53 +71,57 @@ const uploadSarifMacro = test.macro({
         fs.writeFileSync(sarifFile, "");
       }
 
-      const actual = await uploadSarif(logger, features, "", testPath);
+      const actual = await postProcessAndUploadSarif(
+        logger,
+        features,
+        "always",
+        "",
+        testPath,
+      );
 
       for (const analysisKind of Object.values(AnalysisKind)) {
         const analysisKindResult = expectedResult[analysisKind];
         if (analysisKindResult) {
           // We are expecting a result for this analysis kind, check that we have it.
           t.deepEqual(actual[analysisKind], analysisKindResult.uploadResult);
-          // Additionally, check that the mocked `uploadSpecifiedFiles` was called with only the file paths
+          // Additionally, check that the mocked `postProcessSarifFiles` was called with only the file paths
           // that we expected it to be called with.
           t.assert(
-            uploadSpecifiedFiles.calledWith(
+            postProcessSarifFiles.calledWith(
+              logger,
+              features,
+              sinon.match.any,
               analysisKindResult.expectedFiles?.map(toFullPath) ??
                 fullSarifPaths,
               sinon.match.any,
-              sinon.match.any,
-              features,
-              logger,
               getAnalysisConfig(analysisKind),
             ),
           );
         } else {
           // Otherwise, we are not expecting a result for this analysis kind. However, note that `undefined`
-          // is also returned by our mocked `uploadSpecifiedFiles` when there is no expected result for this
+          // is also returned by our mocked `uploadProcessedFiles` when there is no expected result for this
           // analysis kind.
           t.is(actual[analysisKind], undefined);
-          // Therefore, we also check that the mocked `uploadSpecifiedFiles` was not called for this analysis kind.
+          // Therefore, we also check that the mocked `uploadProcessedFiles` was not called for this analysis kind.
           t.assert(
-            !uploadSpecifiedFiles.calledWith(
-              sinon.match.any,
-              sinon.match.any,
-              sinon.match.any,
-              features,
+            !uploadPostProcessedFiles.calledWith(
               logger,
+              sinon.match.any,
               getAnalysisConfig(analysisKind),
+              sinon.match.any,
             ),
-            `uploadSpecifiedFiles was called for ${analysisKind}, but should not have been.`,
+            `uploadProcessedFiles was called for ${analysisKind}, but should not have been.`,
           );
         }
       }
     });
   },
-  title: (providedTitle = "") => `uploadSarif - ${providedTitle}`,
+  title: (providedTitle = "") => `processAndUploadSarif - ${providedTitle}`,
 });
 
 test(
   "SARIF file",
-  uploadSarifMacro,
+  postProcessAndUploadSarifMacro,
   ["test.sarif"],
   (tempDir) => path.join(tempDir, "test.sarif"),
   {
@@ -117,7 +136,7 @@ test(
 
 test(
   "JSON file",
-  uploadSarifMacro,
+  postProcessAndUploadSarifMacro,
   ["test.json"],
   (tempDir) => path.join(tempDir, "test.json"),
   {
@@ -132,7 +151,7 @@ test(
 
 test(
   "Code Scanning files",
-  uploadSarifMacro,
+  postProcessAndUploadSarifMacro,
   ["test.json", "test.sarif"],
   undefined,
   {
@@ -148,7 +167,7 @@ test(
 
 test(
   "Code Quality file",
-  uploadSarifMacro,
+  postProcessAndUploadSarifMacro,
   ["test.quality.sarif"],
   (tempDir) => path.join(tempDir, "test.quality.sarif"),
   {
@@ -163,7 +182,7 @@ test(
 
 test(
   "Mixed files",
-  uploadSarifMacro,
+  postProcessAndUploadSarifMacro,
   ["test.sarif", "test.quality.sarif"],
   undefined,
   {
@@ -183,3 +202,65 @@ test(
     },
   },
 );
+
+test("postProcessAndUploadSarif doesn't upload if upload is disabled", async (t) => {
+  await util.withTmpDir(async (tempDir) => {
+    const logger = getRunnerLogger(true);
+    const features = createFeatures([]);
+
+    const toFullPath = (filename: string) => path.join(tempDir, filename);
+
+    const postProcessSarifFiles = mockPostProcessSarifFiles();
+    const uploadPostProcessedFiles = sinon.stub(
+      uploadLib,
+      "uploadPostProcessedFiles",
+    );
+
+    fs.writeFileSync(toFullPath("test.sarif"), "");
+    fs.writeFileSync(toFullPath("test.quality.sarif"), "");
+
+    const actual = await postProcessAndUploadSarif(
+      logger,
+      features,
+      "never",
+      "",
+      tempDir,
+    );
+
+    t.truthy(actual);
+    t.assert(postProcessSarifFiles.calledTwice);
+    t.assert(uploadPostProcessedFiles.notCalled);
+  });
+});
+
+test("postProcessAndUploadSarif writes post-processed SARIF files if output directory is provided", async (t) => {
+  await util.withTmpDir(async (tempDir) => {
+    const logger = getRunnerLogger(true);
+    const features = createFeatures([]);
+
+    const toFullPath = (filename: string) => path.join(tempDir, filename);
+
+    const postProcessSarifFiles = mockPostProcessSarifFiles();
+
+    fs.writeFileSync(toFullPath("test.sarif"), "");
+    fs.writeFileSync(toFullPath("test.quality.sarif"), "");
+
+    const postProcessedOutPath = path.join(tempDir, "post-processed");
+    const actual = await postProcessAndUploadSarif(
+      logger,
+      features,
+      "never",
+      "",
+      tempDir,
+      "",
+      postProcessedOutPath,
+    );
+
+    t.truthy(actual);
+    t.assert(postProcessSarifFiles.calledTwice);
+    t.assert(fs.existsSync(path.join(postProcessedOutPath, "upload.sarif")));
+    t.assert(
+      fs.existsSync(path.join(postProcessedOutPath, "upload.quality.sarif")),
+    );
+  });
+});

src/upload-sarif.ts

@@ -1,3 +1,4 @@
+import { UploadKind } from "./actions-util";
 import * as analyses from "./analyses";
 import { FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
@@ -10,23 +11,28 @@ export type UploadSarifResults = Partial<
 >;
 
 /**
- * Finds SARIF files in `sarifPath` and uploads them to the appropriate services.
+ * Finds SARIF files in `sarifPath`, post-processes them, and uploads them to the appropriate services.
  *
  * @param logger The logger to use.
  * @param features Information about enabled features.
+ * @param uploadKind The kind of upload that is requested.
  * @param checkoutPath The path where the repository was checked out at.
  * @param sarifPath The path to the file or directory to upload.
  * @param category The analysis category.
+ * @param postProcessedOutputPath The path to a directory to which the post-processed SARIF files should be written to.
  *
  * @returns A partial mapping from analysis kinds to the upload results.
  */
-export async function uploadSarif(
+export async function postProcessAndUploadSarif(
   logger: Logger,
   features: FeatureEnablement,
+  uploadKind: UploadKind,
   checkoutPath: string,
   sarifPath: string,
   category?: string,
+  postProcessedOutputPath?: string,
 ): Promise<UploadSarifResults> {
+  logger.info("XXX at upload-sarif.ts|postProcessAndUploadSarif");
   const sarifGroups = await upload_lib.getGroupedSarifFilePaths(
     logger,
     sarifPath,
@@ -36,15 +42,38 @@ export async function uploadSarif(
   for (const [analysisKind, sarifFiles] of unsafeEntriesInvariant(
     sarifGroups,
   )) {
+    logger.info(
+      `XXX at upload-sarif.ts|postProcessAndUploadSarif loop for analysisKind: ${analysisKind}`,
+    );
+
     const analysisConfig = analyses.getAnalysisConfig(analysisKind);
-    uploadResults[analysisKind] = await upload_lib.uploadSpecifiedFiles(
-      sarifFiles,
-      checkoutPath,
-      category,
-      features,
+    const postProcessingResults = await upload_lib.postProcessSarifFiles(
       logger,
+      features,
+      checkoutPath,
+      sarifFiles,
+      category,
       analysisConfig,
     );
+
+    // Write the post-processed SARIF files to disk. This will only write them if needed based on user inputs
+    // or environment variables.
+    await upload_lib.writePostProcessedFiles(
+      logger,
+      postProcessedOutputPath,
+      analysisConfig,
+      postProcessingResults,
+    );
+
+    // Only perform the actual upload of the post-processed files if `uploadKind` is `always`.
+    if (uploadKind === "always") {
+      uploadResults[analysisKind] = await upload_lib.uploadPostProcessedFiles(
+        logger,
+        checkoutPath,
+        analysisConfig,
+        postProcessingResults,
+      );
+    }
   }
 
   return uploadResults;

src/util.test.ts

@@ -252,6 +252,35 @@ test("allowed API versions", async (t) => {
   );
 });
 
+test("getRequiredEnvParam - gets environment variables", (t) => {
+  process.env.SOME_UNIT_TEST_VAR = "foo";
+  const result = util.getRequiredEnvParam("SOME_UNIT_TEST_VAR");
+  t.is(result, "foo");
+});
+
+test("getRequiredEnvParam - throws if an environment variable isn't set", (t) => {
+  t.throws(() => util.getRequiredEnvParam("SOME_UNIT_TEST_VAR"));
+});
+
+test("getOptionalEnvVar - gets environment variables", (t) => {
+  process.env.SOME_UNIT_TEST_VAR = "foo";
+  const result = util.getOptionalEnvVar("SOME_UNIT_TEST_VAR");
+  t.is(result, "foo");
+});
+
+test("getOptionalEnvVar - gets undefined for empty environment variables", (t) => {
+  process.env.SOME_UNIT_TEST_VAR = "";
+  const result = util.getOptionalEnvVar("SOME_UNIT_TEST_VAR");
+  t.is(result, undefined);
+});
+
+test("getOptionalEnvVar - doesn't throw for undefined environment variables", (t) => {
+  t.notThrows(() => {
+    const result = util.getOptionalEnvVar("SOME_UNIT_TEST_VAR");
+    t.is(result, undefined);
+  });
+});
+
 test("doesDirectoryExist", async (t) => {
   // Returns false if no file/dir of this name exists
   t.false(util.doesDirectoryExist("non-existent-file.txt"));

src/util.ts

@@ -673,6 +673,17 @@ export function getRequiredEnvParam(paramName: string): string {
   return value;
 }
 
+/**
+ * Get an environment variable, but return `undefined` if it is not set or empty.
+ */
+export function getOptionalEnvVar(paramName: string): string | undefined {
+  const value = process.env[paramName];
+  if (value?.trim().length === 0) {
+    return undefined;
+  }
+  return value;
+}
+
 export class HTTPError extends Error {
   public status: number;
 
@@ -692,8 +703,22 @@ export class ConfigurationError extends Error {
   }
 }
 
-export function isHTTPError(arg: any): arg is HTTPError {
-  return arg?.status !== undefined && Number.isInteger(arg.status);
+export function asHTTPError(arg: any): HTTPError | undefined {
+  if (
+    typeof arg !== "object" ||
+    arg === null ||
+    typeof arg.message !== "string"
+  ) {
+    return undefined;
+  }
+  if (Number.isInteger(arg.status)) {
+    return new HTTPError(arg.message as string, arg.status as number);
+  }
+  // See https://github.com/actions/toolkit/blob/acb230b99a46ed33a3f04a758cd68b47b9a82908/packages/tool-cache/src/tool-cache.ts#L19
+  if (Number.isInteger(arg.httpStatusCode)) {
+    return new HTTPError(arg.message as string, arg.httpStatusCode as number);
+  }
+  return undefined;
 }
 
 let cachedCodeQlVersion: undefined | VersionInfo = undefined;

src/workflow.ts

@@ -371,7 +371,7 @@ function getInputOrThrow(
       input = input.replace(`\${{matrix.${key}}}`, value);
     }
   }
-  if (input !== undefined && input.includes("${{")) {
+  if (input?.includes("${{")) {
     throw new Error(
       `Could not get ${inputName} input to ${actionName} since it contained an unrecognized dynamic value.`,
     );

start-proxy/action.yml

@@ -29,6 +29,6 @@ outputs:
   proxy_urls:
     description: A stringified JSON array of objects containing the types and URLs of the configured registries.
 runs:
-  using: node20
+  using: node24
   main: "../lib/start-proxy-action.js"
   post: "../lib/start-proxy-action-post.js"