Merge pull request #3161 from github/update-v3.30.5-0a67bd46a

Merge main into releases/v3
2026-05-07 14:20:19 +00:00 · 2025-09-26 18:30:21 +01:00
parent 303c0aef88 2ca0085e58
commit 0b1f0509b2
72 changed files with 246 additions and 449 deletions
@@ -48,6 +48,10 @@ jobs:
        include:
          - os: ubuntu-latest
            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
    name: All-platform bundle
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -48,10 +48,6 @@ jobs:
        include:
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
    name: "Analyze: 'ref' and 'sha' from inputs"
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -1,104 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pr-checks/sync.sh
-# to regenerate this file.
-
-name: PR Check - Autobuild direct tracing
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-on:
-  push:
-    branches:
-      - main
-      - releases/v*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-  schedule:
-    - cron: '0 5 * * *'
-  workflow_dispatch:
-    inputs:
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
-  workflow_call:
-    inputs:
-      java-version:
-        type: string
-        description: The version of Java to install
-        required: false
-        default: '17'
-defaults:
-  run:
-    shell: bash
-concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
-  autobuild-direct-tracing:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            version: linked
-          - os: windows-latest
-            version: linked
-          - os: ubuntu-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
-    name: Autobuild direct tracing
-    if: github.triggering_actor != 'dependabot[bot]'
-    permissions:
-      contents: read
-      security-events: read
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v5
-      - name: Prepare test
-        id: prepare-test
-        uses: ./.github/actions/prepare-test
-        with:
-          version: ${{ matrix.version }}
-          use-all-platform-bundle: 'false'
-          setup-kotlin: 'true'
-      - name: Install Java
-        uses: actions/setup-java@v5
-        with:
-          java-version: ${{ inputs.java-version || '17' }}
-          distribution: temurin
-      - name: Set up Java test repo configuration
-        run: |
-          mv * .github ../action/tests/multi-language-repo/
-          mv ../action/tests/multi-language-repo/.github/workflows .github
-          mv ../action/tests/java-repo/* .
-
-      - uses: ./../action/init
-        id: init
-        with:
-          build-mode: autobuild
-          db-location: ${{ runner.temp }}/customDbLocation
-          languages: java
-          tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-      - name: Check that indirect tracing is disabled
-        run: |
-          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
-            echo "Expected indirect tracing to be disabled, but the" \
-              "CODEQL_RUNNER environment variable is set."
-            exit 1
-          fi
-
-      - uses: ./../action/analyze
-    env:
-      CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
-      CODEQL_ACTION_TEST_MODE: true
@@ -31,7 +31,7 @@ concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  test-autobuild-working-dir:
+  autobuild-working-dir:
    strategy:
      fail-fast: false
      matrix:
@@ -21,9 +21,19 @@ on:
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch:
-    inputs: {}
+    inputs:
+      java-version:
+        type: string
+        description: The version of Java to install
+        required: false
+        default: '17'
  workflow_call:
-    inputs: {}
+    inputs:
+      java-version:
+        type: string
+        description: The version of Java to install
+        required: false
+        default: '17'
 defaults:
  run:
    shell: bash
@@ -37,6 +47,12 @@ jobs:
      matrix:
        include:
          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: windows-latest
            version: nightly-latest
    name: Build mode autobuild
    if: github.triggering_actor != 'dependabot[bot]'
@@ -55,6 +71,11 @@ jobs:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
          setup-kotlin: 'true'
+      - name: Install Java
+        uses: actions/setup-java@v5
+        with:
+          java-version: ${{ inputs.java-version || '17' }}
+          distribution: temurin
      - name: Set up Java test repo configuration
        run: |
          mv * .github ../action/tests/multi-language-repo/
@@ -69,6 +90,11 @@ jobs:
          languages: java
          tools: ${{ steps.prepare-test.outputs.tools-url }}

+      - name: Install yq
+        if: runner.os == 'Windows'
+        run: |
+          choco install yq -y
+
      - name: Validate database build mode
        run: |
          metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
@@ -78,6 +104,14 @@ jobs:
            exit 1
          fi

+      - name: Check that indirect tracing is disabled
+        run: |
+          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
+            echo "Expected indirect tracing to be disabled, but the" \
+              "CODEQL_RUNNER environment variable is set."
+            exit 1
+          fi
+
      - uses: ./../action/analyze
    env:
      CODEQL_ACTION_TEST_MODE: true
@@ -38,16 +38,8 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: Config export
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -38,16 +38,8 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: Diagnostic export
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -31,7 +31,7 @@ concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  test-proxy:
+  global-proxy:
    strategy:
      fail-fast: false
      matrix:
@@ -38,22 +38,10 @@ jobs:
        include:
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: 'Packaging: Download using registries'
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -118,8 +106,6 @@ jobs:
          fi

      - name: Verify contents of qlconfig.yml
-    # yq is not available on windows
-        if: runner.os != 'Windows'
        run: |
          QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
          cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
@@ -41,7 +41,7 @@ concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
-  test-local-codeql:
+  local-bundle:
    strategy:
      fail-fast: false
      matrix:
@@ -48,22 +48,10 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: 'Packaging: Config and input passed to the CLI'
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -48,22 +48,10 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: 'Packaging: Config and input'
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -48,22 +48,10 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: 'Packaging: Config file'
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -48,22 +48,10 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: 'Packaging: Action input'
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -45,24 +45,6 @@ jobs:
          - os: ubuntu-latest
            version: linked
            analysis-kinds: code-scanning,code-quality
-          - os: macos-latest
-            version: linked
-            analysis-kinds: code-scanning
-          - os: macos-latest
-            version: linked
-            analysis-kinds: code-quality
-          - os: macos-latest
-            version: linked
-            analysis-kinds: code-scanning,code-quality
-          - os: windows-latest
-            version: linked
-            analysis-kinds: code-scanning
-          - os: windows-latest
-            version: linked
-            analysis-kinds: code-quality
-          - os: windows-latest
-            version: linked
-            analysis-kinds: code-scanning,code-quality
          - os: ubuntu-latest
            version: nightly-latest
            analysis-kinds: code-scanning
@@ -72,24 +54,6 @@ jobs:
          - os: ubuntu-latest
            version: nightly-latest
            analysis-kinds: code-scanning,code-quality
-          - os: macos-latest
-            version: nightly-latest
-            analysis-kinds: code-scanning
-          - os: macos-latest
-            version: nightly-latest
-            analysis-kinds: code-quality
-          - os: macos-latest
-            version: nightly-latest
-            analysis-kinds: code-scanning,code-quality
-          - os: windows-latest
-            version: nightly-latest
-            analysis-kinds: code-scanning
-          - os: windows-latest
-            version: nightly-latest
-            analysis-kinds: code-quality
-          - os: windows-latest
-            version: nightly-latest
-            analysis-kinds: code-scanning,code-quality
    name: Quality queries input
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -38,22 +38,10 @@ jobs:
        include:
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
          - os: ubuntu-latest
            version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
    name: Resolve environment
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -48,10 +48,6 @@ jobs:
        include:
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
    name: 'Upload-sarif: code quality endpoint'
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -48,10 +48,6 @@ jobs:
        include:
          - os: ubuntu-latest
            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
    name: "Upload-sarif: 'ref' and 'sha' from inputs"
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -48,10 +48,6 @@ jobs:
        include:
          - os: ubuntu-latest
            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
-            version: linked
    name: Use a custom `checkout_path`
    if: github.triggering_actor != 'dependabot[bot]'
    permissions:
@@ -42,16 +42,10 @@ jobs:
        include:
        - os: ubuntu-latest
          version: linked
-        - os: macos-latest
-          version: linked
        - os: ubuntu-latest
          version: default
-        - os: macos-latest
-          version: default
        - os: ubuntu-latest
          version: nightly-latest
-        - os: macos-latest
-          version: nightly-latest

    # Code-Scanning config not created because environment variable is not set
    name: Code Scanning Configuration tests
@@ -55,17 +55,20 @@ jobs:
        run: .github/workflows/script/check-js.sh

      - name: Verify PR checks up to date
+        if: always()
        run: .github/workflows/script/verify-pr-checks.sh

      - name: Run unit tests
+        if: always()
        run: npm test

      - name: Run pr-checks tests
+        if: always()
        working-directory: pr-checks
        run: python -m unittest discover

      - name: Lint
-        if: matrix.os != 'windows-latest'
+        if: always() && matrix.os != 'windows-latest'
        run: npm run lint-ci

      - name: Upload sarif
@@ -10,6 +10,10 @@ on:
        required: true
  # Only for dry-runs of changes to the workflow.
  push:
+    # Don't run dry-run on release branches, to avoid an issue where the
+    # "new" tag determined by the "Prepare release" job already exists.
+    branches-ignore:
+      - releases/v*
    paths:
      - .github/workflows/rollback-release.yml
      - .github/actions/prepare-mergeback-branch/**
@@ -16,6 +16,18 @@ if [ ! -z "$(git status --porcelain)" ]; then
    # If we get a fail here then the PR needs attention
    >&2 echo "Failed: JavaScript files are not up to date. Run 'rm -rf lib && npm run-script build' to update"
    git status
+
+    echo "### Transpiled JS diff" >> $GITHUB_STEP_SUMMARY
+    echo "" >> $GITHUB_STEP_SUMMARY
+    echo '```diff' >> $GITHUB_STEP_SUMMARY
+    git diff --output="$RUNNER_TEMP/js.diff"
+    cat "$RUNNER_TEMP/js.diff" >> $GITHUB_STEP_SUMMARY
+    echo '```' >> $GITHUB_STEP_SUMMARY
+
+    # Reset bundled files to allow other checks to test for changes
+    git checkout lib
+
+    # Fail this check
    exit 1
 fi
 echo "Success: JavaScript files are up to date"
@@ -20,6 +20,14 @@ if [ ! -z "$(git status --porcelain)" ]; then
    git diff
    git status
    >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && python3 sync.py' to update"
+
+    echo "### Generated workflows diff" >> $GITHUB_STEP_SUMMARY
+    echo "" >> $GITHUB_STEP_SUMMARY
+    echo '```diff' >> $GITHUB_STEP_SUMMARY
+    git diff --output="$RUNNER_TEMP/workflows.diff"
+    cat "$RUNNER_TEMP/workflows.diff" >> $GITHUB_STEP_SUMMARY
+    echo '```' >> $GITHUB_STEP_SUMMARY
+
    exit 1
 fi
-echo "Success: PR checks are up to date"
+echo "Success: PR checks are up to date"
@@ -8,6 +8,11 @@
    "build": true,
    "lib": true,
  },
+  "search.exclude": {
+    "**/node_modules": true,
+    "build": true,
+    "lib": true,
+  },
  // Installing a new Node package often triggers VS Code's git limit warnings as there is typically
  // an intermediate stage where many files are modified. This setting suppresses these warnings.
  "git.ignoreLimitWarning": true,
@@ -2,6 +2,10 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

+## 3.30.5 - 26 Sep 2025
+
+- We fixed a bug that was introduced in `3.30.4` with `upload-sarif` which resulted in files without a `.sarif` extension not getting uploaded. [#3160](https://github.com/github/codeql-action/pull/3160)
+
 ## 3.30.4 - 25 Sep 2025

 - We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the `codeql-action/init` step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the `codeql-action/init` step. [#3099](https://github.com/github/codeql-action/pull/3099) and [#3100](https://github.com/github/codeql-action/pull/3100)
@@ -20,6 +20,7 @@ Before you start, ensure that you have a recent version of node (16 or higher) i
 * Transpile the TypeScript to JavaScript: `npm run build`.  Note that the JavaScript files are committed to git.
 * Run tests: `npm run test`.  You’ll need to ensure that the JavaScript files are up-to-date first by running the command above.
 * Run the linter: `npm run lint`.
+* Run tests for a specific path: `npm run ava -- ./src/filename.test.ts` or `npm run ava -- ./src/feature-flags/`

 This project also includes configuration to run tests from VSCode (with support for breakpoints) - open the test file you wish to run and choose "Debug AVA test file" from the Run menu in the Run panel.

@@ -22,7 +22,7 @@ test: build

 # Run the tests for a single file
 test_file filename: build
-    npx ava --serial --verbose {{filename}}
+    npm run ava {{filename}}

 [doc("Refresh the .js build artefacts in the lib directory")]
 [confirm]
@@ -26438,16 +26438,17 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.4",
+      version: "3.30.5",
      private: true,
      description: "CodeQL action",
      scripts: {
        _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-        build: "npm run transpile && node build.mjs",
+        build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/ --serial --verbose",
+        ava: "npm run transpile && ava --serial --verbose",
+        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -32287,16 +32287,17 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.4",
+      version: "3.30.5",
      private: true,
      description: "CodeQL action",
      scripts: {
        _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-        build: "npm run transpile && node build.mjs",
+        build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/ --serial --verbose",
+        ava: "npm run transpile && ava --serial --verbose",
+        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -92265,17 +92266,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
      toolsVersion: "local"
    };
  }
-  const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);
-  if (forceShippedTools) {
-    logger.info(
-      `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.`
-    );
-    if (toolsInput === "latest") {
-      logger.warning(
-        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
-      );
-    }
-  }
  let cliVersion2;
  let tagName;
  let url2;
@@ -92285,9 +92275,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
    );
    toolsInput = await getNightlyToolsUrl(logger);
  }
+  const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);
  if (forceShippedTools) {
    cliVersion2 = cliVersion;
    tagName = bundleVersion;
+    logger.info(
+      `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.`
+    );
+    if (toolsInput === "latest") {
+      logger.warning(
+        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
+      );
+    }
  } else if (toolsInput !== void 0) {
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
    url2 = toolsInput;
@@ -26438,16 +26438,17 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.4",
+      version: "3.30.5",
      private: true,
      description: "CodeQL action",
      scripts: {
        _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-        build: "npm run transpile && node build.mjs",
+        build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/ --serial --verbose",
+        ava: "npm run transpile && ava --serial --verbose",
+        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -32287,16 +32287,17 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.4",
+      version: "3.30.5",
      private: true,
      description: "CodeQL action",
      scripts: {
        _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-        build: "npm run transpile && node build.mjs",
+        build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/ --serial --verbose",
+        ava: "npm run transpile && ava --serial --verbose",
+        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -130208,17 +130209,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
      toolsVersion: "local"
    };
  }
-  const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);
-  if (forceShippedTools) {
-    logger.info(
-      `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.`
-    );
-    if (toolsInput === "latest") {
-      logger.warning(
-        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
-      );
-    }
-  }
  let cliVersion2;
  let tagName;
  let url2;
@@ -130228,9 +130218,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
    );
    toolsInput = await getNightlyToolsUrl(logger);
  }
+  const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);
  if (forceShippedTools) {
    cliVersion2 = cliVersion;
    tagName = bundleVersion;
+    logger.info(
+      `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.`
+    );
+    if (toolsInput === "latest") {
+      logger.warning(
+        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
+      );
+    }
  } else if (toolsInput !== void 0) {
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
    url2 = toolsInput;
@@ -32287,16 +32287,17 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.4",
+      version: "3.30.5",
      private: true,
      description: "CodeQL action",
      scripts: {
        _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-        build: "npm run transpile && node build.mjs",
+        build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/ --serial --verbose",
+        ava: "npm run transpile && ava --serial --verbose",
+        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -89037,17 +89038,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
      toolsVersion: "local"
    };
  }
-  const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);
-  if (forceShippedTools) {
-    logger.info(
-      `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.`
-    );
-    if (toolsInput === "latest") {
-      logger.warning(
-        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
-      );
-    }
-  }
  let cliVersion2;
  let tagName;
  let url;
@@ -89057,9 +89047,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
    );
    toolsInput = await getNightlyToolsUrl(logger);
  }
+  const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);
  if (forceShippedTools) {
    cliVersion2 = cliVersion;
    tagName = bundleVersion;
+    logger.info(
+      `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.`
+    );
+    if (toolsInput === "latest") {
+      logger.warning(
+        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
+      );
+    }
  } else if (toolsInput !== void 0) {
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
    url = toolsInput;
@@ -26438,16 +26438,17 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.4",
+      version: "3.30.5",
      private: true,
      description: "CodeQL action",
      scripts: {
        _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-        build: "npm run transpile && node build.mjs",
+        build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/ --serial --verbose",
+        ava: "npm run transpile && ava --serial --verbose",
+        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -26438,16 +26438,17 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.4",
+      version: "3.30.5",
      private: true,
      description: "CodeQL action",
      scripts: {
        _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-        build: "npm run transpile && node build.mjs",
+        build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/ --serial --verbose",
+        ava: "npm run transpile && ava --serial --verbose",
+        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -44966,16 +44966,17 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.4",
+      version: "3.30.5",
      private: true,
      description: "CodeQL action",
      scripts: {
        _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-        build: "npm run transpile && node build.mjs",
+        build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/ --serial --verbose",
+        ava: "npm run transpile && ava --serial --verbose",
+        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -33584,16 +33584,17 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.4",
+      version: "3.30.5",
      private: true,
      description: "CodeQL action",
      scripts: {
        _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-        build: "npm run transpile && node build.mjs",
+        build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/ --serial --verbose",
+        ava: "npm run transpile && ava --serial --verbose",
+        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -90036,17 +90037,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
      toolsVersion: "local"
    };
  }
-  const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);
-  if (forceShippedTools) {
-    logger.info(
-      `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.`
-    );
-    if (toolsInput === "latest") {
-      logger.warning(
-        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
-      );
-    }
-  }
  let cliVersion2;
  let tagName;
  let url2;
@@ -90056,9 +90046,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
    );
    toolsInput = await getNightlyToolsUrl(logger);
  }
+  const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);
  if (forceShippedTools) {
    cliVersion2 = cliVersion;
    tagName = bundleVersion;
+    logger.info(
+      `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.`
+    );
+    if (toolsInput === "latest") {
+      logger.warning(
+        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
+      );
+    }
  } else if (toolsInput !== void 0) {
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
    url2 = toolsInput;
@@ -26438,16 +26438,17 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.4",
+      version: "3.30.5",
      private: true,
      description: "CodeQL action",
      scripts: {
        _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-        build: "npm run transpile && node build.mjs",
+        build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/ --serial --verbose",
+        ava: "npm run transpile && ava --serial --verbose",
+        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -32287,16 +32287,17 @@ var require_package = __commonJS({
  "package.json"(exports2, module2) {
    module2.exports = {
      name: "codeql",
-      version: "3.30.4",
+      version: "3.30.5",
      private: true,
      description: "CodeQL action",
      scripts: {
        _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-        build: "npm run transpile && node build.mjs",
+        build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
        lint: "eslint --report-unused-disable-directives --max-warnings=0 .",
        "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
        "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-        test: "npm run transpile && ava src/ --serial --verbose",
+        ava: "npm run transpile && ava --serial --verbose",
+        test: "npm run ava -- src/",
        "test-debug": "npm run test -- --timeout=20m",
        transpile: "tsc --build --verbose"
      },
@@ -90737,17 +90738,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
      toolsVersion: "local"
    };
  }
-  const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);
-  if (forceShippedTools) {
-    logger.info(
-      `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.`
-    );
-    if (toolsInput === "latest") {
-      logger.warning(
-        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
-      );
-    }
-  }
  let cliVersion2;
  let tagName;
  let url2;
@@ -90757,9 +90747,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
    );
    toolsInput = await getNightlyToolsUrl(logger);
  }
+  const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);
  if (forceShippedTools) {
    cliVersion2 = cliVersion;
    tagName = bundleVersion;
+    logger.info(
+      `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.`
+    );
+    if (toolsInput === "latest") {
+      logger.warning(
+        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required."
+      );
+    }
  } else if (toolsInput !== void 0) {
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
    url2 = toolsInput;
@@ -93425,7 +93424,7 @@ async function findAndUpload(logger, features, sarifPath, pathStats, checkoutPat
      sarifPath,
      analysis.sarifPredicate
    );
-  } else if (pathStats.isFile() && analysis.sarifPredicate(sarifPath)) {
+  } else if (pathStats.isFile() && (analysis.sarifPredicate(sarifPath) || analysis.kind === "code-scanning" /* CodeScanning */ && !CodeQuality.sarifPredicate(sarifPath))) {
    sarifFiles = [sarifPath];
  } else {
    return void 0;
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "3.30.4",
+  "version": "3.30.5",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "3.30.4",
+      "version": "3.30.5",
      "license": "MIT",
      "dependencies": {
        "@actions/artifact": "^2.3.1",
@@ -1,15 +1,16 @@
 {
  "name": "codeql",
-  "version": "3.30.4",
+  "version": "3.30.5",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
    "_build_comment": "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
-    "build": "npm run transpile && node build.mjs",
+    "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
    "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
    "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
    "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
-    "test": "npm run transpile && ava src/ --serial --verbose",
+    "ava": "npm run transpile && ava --serial --verbose",
+    "test": "npm run ava -- src/",
    "test-debug": "npm run test -- --timeout=20m",
    "transpile": "tsc --build --verbose"
  },
@@ -1,7 +1,7 @@
 name: "All-platform bundle"
 description: "Tests using an all-platform CodeQL Bundle"
+operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["nightly-latest"]
-operatingSystems: ["ubuntu"]
 useAllPlatformBundle: "true"
 installGo: true
 steps:
@@ -1,5 +1,6 @@
 name: "autobuild-action"
 description: "Tests that the C# autobuild action works"
+operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["linked"]
 steps:
  - uses: ./../action/init
@@ -1,31 +0,0 @@
-name: "Autobuild direct tracing"
-description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild', with direct tracing enabled"
-operatingSystems: ["ubuntu", "windows"]
-versions: ["linked", "nightly-latest"]
-installJava: "true"
-env:
-  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
-steps:
-  - name: Set up Java test repo configuration
-    run: |
-      mv * .github ../action/tests/multi-language-repo/
-      mv ../action/tests/multi-language-repo/.github/workflows .github
-      mv ../action/tests/java-repo/* .
-
-  - uses: ./../action/init
-    id: init
-    with:
-      build-mode: autobuild
-      db-location: "${{ runner.temp }}/customDbLocation"
-      languages: java
-      tools: ${{ steps.prepare-test.outputs.tools-url }}
-
-  - name: Check that indirect tracing is disabled
-    run: |
-      if [[ ! -z "${CODEQL_RUNNER}" ]]; then
-        echo "Expected indirect tracing to be disabled, but the" \
-          "CODEQL_RUNNER environment variable is set."
-        exit 1
-      fi
-
-  - uses: ./../action/analyze
@@ -1,7 +1,6 @@
 name: "Autobuild working directory"
 description: "Tests working-directory input of autobuild action"
 versions: ["linked"]
-operatingSystems: ["ubuntu"]
 steps:
  - name: Test setup
    run: |
@@ -1,7 +1,8 @@
 name: "Build mode autobuild"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'"
-operatingSystems: ["ubuntu"]
-versions: ["nightly-latest"]
+operatingSystems: ["ubuntu", "windows"]
+versions: ["linked", "nightly-latest"]
+installJava: "true"
 steps:
  - name: Set up Java test repo configuration
    run: |
@@ -17,6 +18,11 @@ steps:
      languages: java
      tools: ${{ steps.prepare-test.outputs.tools-url }}

+  - name: Install yq
+    if: runner.os == 'Windows'
+    run: |
+      choco install yq -y
+
  - name: Validate database build mode
    run: |
      metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
@@ -26,4 +32,12 @@ steps:
        exit 1
      fi

+  - name: Check that indirect tracing is disabled
+    run: |
+      if [[ ! -z "${CODEQL_RUNNER}" ]]; then
+        echo "Expected indirect tracing to be disabled, but the" \
+          "CODEQL_RUNNER environment variable is set."
+        exit 1
+      fi
+
  - uses: ./../action/analyze
@@ -1,6 +1,5 @@
 name: "Build mode manual"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
-operatingSystems: ["ubuntu"]
 versions: ["nightly-latest"]
 installGo: true
 steps:
@@ -1,6 +1,5 @@
 name: "Build mode none"
 description: "An end-to-end integration test of a Java repository built using 'build-mode: none'"
-operatingSystems: ["ubuntu"]
 versions: ["linked", "nightly-latest"]
 steps:
  - uses: ./../action/init
@@ -1,6 +1,5 @@
 name: "Build mode rollback"
 description: "The build mode is rolled back from none to autobuild when the relevant feature flag is enabled."
-operatingSystems: ["ubuntu"]
 versions: ["nightly-latest"]
 env:
  CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
@@ -1,6 +1,5 @@
 name: "Clean up database cluster directory"
 description: "The database cluster directory is cleaned up if it is not empty."
-operatingSystems: ["ubuntu"]
 versions: ["linked"]
 steps:
  - name: Add a file to the database cluster directory
@@ -1,7 +1,6 @@
 name: "Config input"
 description: "Tests specifying configuration using the config input"
 installNode: true
-operatingSystems: ["ubuntu"]
 versions: ["linked"]
 steps:
  - name: Copy queries into workspace
@@ -1,6 +1,5 @@
 name: "C/C++: disabling autoinstalling dependencies (Linux)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly disabled works"
-operatingSystems: ["ubuntu"]
 versions: ["linked", "default", "nightly-latest"]
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
@@ -1,6 +1,5 @@
 name: "C/C++: autoinstalling dependencies (Linux)"
 description: "Checks that running C/C++ autobuild with autoinstalling dependencies works"
-operatingSystems: ["ubuntu"]
 versions: ["linked", "default", "nightly-latest"]
 env:
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
@@ -1,5 +1,6 @@
 name: "Export file baseline information"
 description: "Tests that file baseline information is exported when the feature is enabled"
+operatingSystems: ["ubuntu", "macos", "windows"]
 versions: ["nightly-latest"]
 installGo: true
 env:
@@ -1,7 +1,6 @@
 name: "Extractor ram and threads options test"
 description: "Tests passing RAM and threads limits to extractors"
 versions: ["linked"]
-operatingSystems: ["ubuntu"]
 steps:
  - uses: ./../action/init
    with:
@@ -1,7 +1,6 @@
 name: "Proxy test"
 description: "Tests using a proxy specified by the https_proxy environment variable"
 versions: ["linked", "nightly-latest"]
-operatingSystems: ["ubuntu"]
 container:
  image: ubuntu:22.04
 container-init-steps:
@@ -1,7 +1,6 @@
 name: "Go: diagnostic when Go is changed after init step"
 description: "Checks that we emit a diagnostic if Go is changed after the init step"
 # only Linux is affected
-operatingSystems: ["ubuntu"]
 # pinned to a version which does not support statically linked binaries for indirect tracing
 versions: ["default"]
 installGo: true
@@ -1,7 +1,6 @@
 name: "Go: diagnostic when `file` is not installed"
 description: "Checks that we emit a diagnostic if the `file` program is not installed"
 # only Linux is affected
-operatingSystems: ["ubuntu"]
 # pinned to a version which does not support statically linked binaries for indirect tracing
 versions: ["default"]
 installGo: true
@@ -1,7 +1,6 @@
 name: "Go: workaround for indirect tracing"
 description: "Checks that our workaround for indirect tracing for Go 1.21+ on Linux works"
 # only Linux is affected
-operatingSystems: ["ubuntu"]
 # pinned to a version which does not support statically linked binaries for indirect tracing
 versions: ["default"]
 installGo: true
@@ -62,8 +62,6 @@ steps:
      fi

  - name: Verify contents of qlconfig.yml
-    # yq is not available on windows
-    if: runner.os != 'Windows'
    run: |
      QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
      cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
@@ -1,7 +1,6 @@
 name: "Custom source root"
 description: "Checks that the argument specifying a non-default source root works"
 versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
-operatingSystems: ["ubuntu"]
 steps:
  - name: Move codeql-action
    run: |
@@ -1,6 +1,5 @@
 name: "Job run UUID added to SARIF"
 description: "Tests that the job run UUID is added to the SARIF output"
-operatingSystems: ["ubuntu"]
 versions: ["nightly-latest"]
 steps:
  - uses: ./../action/init
@@ -1,7 +1,6 @@
 name: "Language aliases"
 description: "Tests that language aliases are resolved correctly"
 versions: ["linked"]
-operatingSystems: ["ubuntu"]
 steps:
  - uses: ./../action/init
    with:
@@ -1,7 +1,6 @@
 name: "Local CodeQL bundle"
 description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["linked"]
-operatingSystems: ["ubuntu"]
 installGo: true
 steps:
  - name: Fetch latest CodeQL bundle
@@ -1,7 +1,6 @@
 name: "Overlay database init fallback"
 description: "Tests that overlay init action succeeds with non-overlay packs"
 versions: ["linked", "nightly-latest"]
-operatingSystems: ["ubuntu"]
 steps:
  - uses: ./../action/init
    with:
@@ -1,6 +1,5 @@
 name: "RuboCop multi-language"
 description: "Tests using RuboCop to analyze a multi-language repository and then using the CodeQL Action to upload the resulting SARIF"
-operatingSystems: ["ubuntu"]
 # This check doesn't use CodeQL, so the `version` matrix variable is unused.
 versions: ["default"]
 steps:
@@ -8,7 +8,6 @@ versions:
  - linked
  - default
  - nightly-latest
-operatingSystems: ["ubuntu"]
 steps:
  - uses: ./../action/init
    with:
@@ -1,7 +1,6 @@
 name: Submit SARIF after failure
 description: Check that a SARIF file is submitted for the workflow run if it fails
 versions: ["linked", "default", "nightly-latest"]
-operatingSystems: ["ubuntu"]

 env:
  # Internal-only environment variable used to indicate that the post-init Action
@@ -29,12 +29,6 @@ defaultTestVersions = [
    "nightly-latest"
 ]

-def is_os_and_version_excluded(os, version, exclude_params):
-    for exclude_param in exclude_params:
-        if exclude_param[0] == os and exclude_param[1] == version:
-            return True
-    return False
-
 # When updating the ruamel.yaml version here, update the PR check in
 # `.github/workflows/pr-checks.yml` too.
 header = """# Warning: This file is generated automatically, and should not be modified.
@@ -78,22 +72,17 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
    if 'inputs' in checkSpecification:
        workflowInputs = checkSpecification['inputs']

-    excludedOsesAndVersions = checkSpecification.get('excludeOsAndVersionCombination', [])
    for version in checkSpecification.get('versions', defaultTestVersions):
        if version == "latest":
            raise ValueError('Did not recognize "version: latest". Did you mean "version: linked"?')

        runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"]
-        operatingSystems = checkSpecification.get('operatingSystems', ["ubuntu", "macos", "windows"])
+        operatingSystems = checkSpecification.get('operatingSystems', ["ubuntu"])

        for operatingSystem in operatingSystems:
            runnerImagesForOs = [image for image in runnerImages if image.startswith(operatingSystem)]

            for runnerImage in runnerImagesForOs:
-                # Skip appending this combination to the matrix if it is explicitly excluded.
-                if is_os_and_version_excluded(operatingSystem, version, excludedOsesAndVersions):
-                    continue
-
                matrix.append({
                    'os': runnerImage,
                    'version': version
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+# Check if running in GitHub Actions
+if [ "$GITHUB_ACTIONS" = "true" ]; then
+  echo "Running in a GitHub Actions workflow; not running 'npm install'"
+  exit 0
+fi
+
+# Check if npm install is likely needed before proceeding
+if [ ! -d node_modules ] || [ package-lock.json -nt node_modules/.package-lock.json ]; then
+  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated..."
+  npm install
+else
+  echo "Skipping 'npm install' because 'node_modules/.package-lock.json' appears to be up-to-date."
+fi
@@ -298,31 +298,6 @@ export async function getCodeQLSource(
    };
  }

-  /**
-   * Whether the tools shipped with the Action, i.e. those in `defaults.json`, have been forced.
-   *
-   * We use the special value of 'linked' to prioritize the version in `defaults.json` over the
-   * version specified by the feature flags on Dotcom and over any pinned cached version on
-   * Enterprise Server.
-   *
-   * Previously we have been using 'latest' to force the shipped tools, but this was not clear
-   * enough for the users, so it has been changed to `linked`. We're keeping around `latest` for
-   * backwards compatibility.
-   */
-  const forceShippedTools =
-    toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);
-  if (forceShippedTools) {
-    logger.info(
-      `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.`,
-    );
-
-    if (toolsInput === "latest") {
-      logger.warning(
-        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required.",
-      );
-    }
-  }
-
  /** CLI version number, for example 2.12.6. */
  let cliVersion: string | undefined;
  /** Tag name of the CodeQL bundle, for example `codeql-bundle-20230120`. */
@@ -344,9 +319,33 @@ export async function getCodeQLSource(
    toolsInput = await getNightlyToolsUrl(logger);
  }

+  /**
+   * Whether the tools shipped with the Action, i.e. those in `defaults.json`, have been forced.
+   *
+   * We use the special value of 'linked' to prioritize the version in `defaults.json` over the
+   * version specified by the feature flags on Dotcom and over any pinned cached version on
+   * Enterprise Server.
+   *
+   * Previously we have been using 'latest' to force the shipped tools, but this was not clear
+   * enough for the users, so it has been changed to `linked`. We're keeping around `latest` for
+   * backwards compatibility.
+   */
+  const forceShippedTools =
+    toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);
+
  if (forceShippedTools) {
    cliVersion = defaults.cliVersion;
    tagName = defaults.bundleVersion;
+
+    logger.info(
+      `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion}, the version shipped with the Action.`,
+    );
+
+    if (toolsInput === "latest") {
+      logger.warning(
+        "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required.",
+      );
+    }
  } else if (toolsInput !== undefined) {
    // If a tools URL was provided, then use that.
    tagName = tryGetTagNameFromUrl(toolsInput, logger);
@@ -61,7 +61,12 @@ async function findAndUpload(
      sarifPath,
      analysis.sarifPredicate,
    );
-  } else if (pathStats.isFile() && analysis.sarifPredicate(sarifPath)) {
+  } else if (
+    pathStats.isFile() &&
+    (analysis.sarifPredicate(sarifPath) ||
+      (analysis.kind === analyses.AnalysisKind.CodeScanning &&
+        !analyses.CodeQuality.sarifPredicate(sarifPath)))
+  ) {
    sarifFiles = [sarifPath];
  } else {
    return undefined;