Merge pull request #3419 from github/backport-v3.31.11-19b2f06db

.github/workflows/__all-platform-bundle.yml

@@ -48,8 +48,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
   all-platform-bundle:
     strategy:

.github/workflows/__analyze-ref-input.yml

@@ -58,8 +58,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
   analyze-ref-input:
     strategy:

.github/workflows/__autobuild-action.yml

@@ -38,8 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: autobuild-action-${{github.ref}}-${{inputs.dotnet-version}}
 jobs:
   autobuild-action:
     strategy:

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -38,8 +38,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}}
 jobs:
   autobuild-direct-tracing-with-working-dir:
     strategy:

.github/workflows/__autobuild-working-dir.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: autobuild-working-dir-${{github.ref}}
 jobs:
   autobuild-working-dir:
     strategy:

.github/workflows/__build-mode-autobuild.yml

@@ -38,8 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-autobuild-${{github.ref}}-${{inputs.java-version}}
 jobs:
   build-mode-autobuild:
     strategy:

.github/workflows/__build-mode-manual.yml

@@ -48,8 +48,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
   build-mode-manual:
     strategy:

.github/workflows/__build-mode-none.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-none-${{github.ref}}
 jobs:
   build-mode-none:
     strategy:

.github/workflows/__build-mode-rollback.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: build-mode-rollback-${{github.ref}}
 jobs:
   build-mode-rollback:
     strategy:

.github/workflows/__bundle-from-toolcache.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-from-toolcache-${{github.ref}}
 jobs:
   bundle-from-toolcache:
     strategy:

.github/workflows/__bundle-toolcache.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-toolcache-${{github.ref}}
 jobs:
   bundle-toolcache:
     strategy:

.github/workflows/__bundle-zstd.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: bundle-zstd-${{github.ref}}
 jobs:
   bundle-zstd:
     strategy:

.github/workflows/__ccr.yml

@@ -0,0 +1,87 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pr-checks/sync.sh
+# to regenerate this file.
+
+name: PR Check - CCR
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch:
+    inputs: {}
+  workflow_call:
+    inputs: {}
+defaults:
+  run:
+    shell: bash
+concurrency:
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ccr-${{github.ref}}
+jobs:
+  ccr:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: stable-v2.19.4
+          - os: ubuntu-latest
+            version: stable-v2.20.7
+          - os: ubuntu-latest
+            version: stable-v2.21.4
+          - os: ubuntu-latest
+            version: stable-v2.22.4
+          - os: ubuntu-latest
+            version: default
+          - os: ubuntu-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: CCR
+    if: github.triggering_actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: read
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        id: init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - uses: ./../action/analyze
+        id: analysis
+        with:
+          upload-database: false
+
+    env:
+      CODEQL_ACTION_ANALYSIS_KEY: dynamic/copilot-pull-request-reviewer/codeql-action-test
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cleanup-db-cluster-dir-${{github.ref}}
 jobs:
   cleanup-db-cluster-dir:
     strategy:

.github/workflows/__config-export.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: config-export-${{github.ref}}
 jobs:
   config-export:
     strategy:

.github/workflows/__config-input.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: config-input-${{github.ref}}
 jobs:
   config-input:
     strategy:

.github/workflows/__cpp-deptrace-disabled.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cpp-deptrace-disabled-${{github.ref}}
 jobs:
   cpp-deptrace-disabled:
     strategy:

.github/workflows/__cpp-deptrace-enabled-on-macos.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cpp-deptrace-enabled-on-macos-${{github.ref}}
 jobs:
   cpp-deptrace-enabled-on-macos:
     strategy:

.github/workflows/__cpp-deptrace-enabled.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: cpp-deptrace-enabled-${{github.ref}}
 jobs:
   cpp-deptrace-enabled:
     strategy:

.github/workflows/__diagnostics-export.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: diagnostics-export-${{github.ref}}
 jobs:
   diagnostics-export:
     strategy:

.github/workflows/__export-file-baseline-information.yml

@@ -48,8 +48,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
   export-file-baseline-information:
     strategy:

.github/workflows/__extractor-ram-threads.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: extractor-ram-threads-${{github.ref}}
 jobs:
   extractor-ram-threads:
     strategy:

.github/workflows/__global-proxy.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: global-proxy-${{github.ref}}
 jobs:
   global-proxy:
     strategy:

.github/workflows/__go-custom-queries.yml

@@ -48,8 +48,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
   go-custom-queries:
     strategy:

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -38,8 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-indirect-tracing-workaround-diagnostic-${{github.ref}}-${{inputs.go-version}}
 jobs:
   go-indirect-tracing-workaround-diagnostic:
     strategy:

.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml

@@ -38,8 +38,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}}
 jobs:
   go-indirect-tracing-workaround-no-file-program:
     strategy:

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -38,8 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-indirect-tracing-workaround-${{github.ref}}-${{inputs.go-version}}
 jobs:
   go-indirect-tracing-workaround:
     strategy:

.github/workflows/__go-tracing-autobuilder.yml

@@ -38,8 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-tracing-autobuilder-${{github.ref}}-${{inputs.go-version}}
 jobs:
   go-tracing-autobuilder:
     strategy:

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -38,8 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-tracing-custom-build-steps-${{github.ref}}-${{inputs.go-version}}
 jobs:
   go-tracing-custom-build-steps:
     strategy:

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -38,8 +38,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: go-tracing-legacy-workflow-${{github.ref}}-${{inputs.go-version}}
 jobs:
   go-tracing-legacy-workflow:
     strategy:

.github/workflows/__init-with-registries.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: init-with-registries-${{github.ref}}
 jobs:
   init-with-registries:
     strategy:

.github/workflows/__javascript-source-root.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: javascript-source-root-${{github.ref}}
 jobs:
   javascript-source-root:
     strategy:

.github/workflows/__job-run-uuid-sarif.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: job-run-uuid-sarif-${{github.ref}}
 jobs:
   job-run-uuid-sarif:
     strategy:

.github/workflows/__language-aliases.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: language-aliases-${{github.ref}}
 jobs:
   language-aliases:
     strategy:

.github/workflows/__local-bundle.yml

@@ -58,8 +58,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
   local-bundle:
     strategy:

.github/workflows/__multi-language-autodetect.yml

@@ -58,8 +58,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
   multi-language-autodetect:
     strategy:

.github/workflows/__overlay-init-fallback.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: overlay-init-fallback-${{github.ref}}
 jobs:
   overlay-init-fallback:
     strategy:

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -58,8 +58,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
   packaging-codescanning-config-inputs-js:
     strategy:

.github/workflows/__packaging-config-inputs-js.yml

@@ -48,8 +48,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
   packaging-config-inputs-js:
     strategy:

.github/workflows/__packaging-config-js.yml

@@ -48,8 +48,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
   packaging-config-js:
     strategy:

.github/workflows/__packaging-inputs-js.yml

@@ -48,8 +48,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
   packaging-inputs-js:
     strategy:

.github/workflows/__quality-queries.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: quality-queries-${{github.ref}}
 jobs:
   quality-queries:
     strategy:

.github/workflows/__remote-config.yml

@@ -58,8 +58,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
   remote-config:
     strategy:

.github/workflows/__resolve-environment-action.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: resolve-environment-action-${{github.ref}}
 jobs:
   resolve-environment-action:
     strategy:

.github/workflows/__rubocop-multi-language.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: rubocop-multi-language-${{github.ref}}
 jobs:
   rubocop-multi-language:
     strategy:
@@ -56,7 +56,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@4c24fa5ec04b2e79eb40571b1cee2a0d2b705771 # v1.278.0
+        uses: ruby/setup-ruby@80740b3b13bf9857e28854481ca95a84e78a2bdf # v1.284.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/__ruby.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: ruby-${{github.ref}}
 jobs:
   ruby:
     strategy:

.github/workflows/__rust.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: rust-${{github.ref}}
 jobs:
   rust:
     strategy:

.github/workflows/__split-workflow.yml

@@ -48,8 +48,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: split-workflow-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
   split-workflow:
     strategy:

.github/workflows/__start-proxy.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: start-proxy-${{github.ref}}
 jobs:
   start-proxy:
     strategy:

.github/workflows/__submit-sarif-failure.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: submit-sarif-failure-${{github.ref}}
 jobs:
   submit-sarif-failure:
     strategy:

.github/workflows/__swift-autobuild.yml

@@ -28,8 +28,8 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group: swift-autobuild-${{github.ref}}
 jobs:
   swift-autobuild:
     strategy:

.github/workflows/__swift-custom-build.yml

@@ -48,8 +48,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
 jobs:
   swift-custom-build:
     strategy:

.github/workflows/__unset-environment.yml

@@ -58,8 +58,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
   unset-environment:
     strategy:

.github/workflows/__upload-ref-sha-input.yml

@@ -58,8 +58,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
   upload-ref-sha-input:
     strategy:

.github/workflows/__upload-sarif.yml

@@ -58,8 +58,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
   upload-sarif:
     strategy:

.github/workflows/__with-checkout-path.yml

@@ -58,8 +58,9 @@ defaults:
   run:
     shell: bash
 concurrency:
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
+  group:
+    with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
 jobs:
   with-checkout-path:
     strategy:

.github/workflows/post-release-mergeback.yml

@@ -123,9 +123,8 @@ jobs:
       - name: Prepare partial Changelog
         env:
           PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ steps.getVersion.outputs.version }}"
         run: |
-          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py CHANGELOG.md > $PARTIAL_CHANGELOG
 
           echo "::group::Partial CHANGELOG"
           cat $PARTIAL_CHANGELOG

.github/workflows/rollback-release.yml

@@ -127,9 +127,8 @@ jobs:
         env:
           NEW_CHANGELOG: "${{ runner.temp }}/new_changelog.md"
           PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
-          VERSION: "${{ needs.prepare.outputs.version }}"
         run: |
-          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG "$VERSION" > $PARTIAL_CHANGELOG
+          python .github/workflows/script/prepare_changelog.py $NEW_CHANGELOG > $PARTIAL_CHANGELOG
 
           echo "::group::Partial CHANGELOG"
           cat $PARTIAL_CHANGELOG

.github/workflows/script/bundle_changelog.py

@@ -1,9 +1,14 @@
+#!/usr/bin/env python3
 import os
 import re
 
+cli_version = os.environ['CLI_VERSION']
+
+# The GitHub Release for the new bundle version.
+bundle_release_url = f"https://github.com/github/codeql-action/releases/tag/codeql-bundle-v{cli_version}"
 # Get the PR number from the PR URL.
 pr_number = os.environ['PR_URL'].split('/')[-1]
-changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+changelog_note = f"- Update default CodeQL bundle version to [{cli_version}]({bundle_release_url}). [#{pr_number}]({os.environ['PR_URL']})"
 
 # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
 with open('CHANGELOG.md', 'r') as f:

.github/workflows/script/prepare_changelog.py

@@ -1,3 +1,4 @@
+#!/usr/bin/env python3
 import os
 import sys
 
@@ -6,7 +7,7 @@ EMPTY_CHANGELOG = 'No changes.\n\n'
 # Prepare the changelog for the new release
 # This function will extract the part of the changelog that
 # we want to include in the new release.
-def extract_changelog_snippet(changelog_file, version_tag):
+def extract_changelog_snippet(changelog_file):
   output = ''
   if (not os.path.exists(changelog_file)):
     output = EMPTY_CHANGELOG
@@ -15,23 +16,20 @@ def extract_changelog_snippet(changelog_file, version_tag):
     with open(changelog_file, 'r') as f:
       lines = f.readlines()
 
-      # Include everything up to, but excluding the second heading
+      # Include only the contents of the first section
       found_first_section = False
-      for i, line in enumerate(lines):
+      for line in lines:
         if line.startswith('## '):
           if found_first_section:
             break
           found_first_section = True
-        output += line
+        elif found_first_section:
+          output += line
 
-  output += f"See the full [CHANGELOG.md](https://github.com/github/codeql-action/blob/{version_tag}/CHANGELOG.md) for more information."
-
-  return output
+  return output.strip()
 
 
-if len(sys.argv) < 3:
-  raise Exception('Expecting argument: changelog_file version_tag')
+if len(sys.argv) < 2:
+  raise Exception('Expecting argument: changelog_file')
 changelog_file = sys.argv[1]
-version_tag = sys.argv[2]
-
-print(extract_changelog_snippet(changelog_file, version_tag))
+print(extract_changelog_snippet(changelog_file))

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## 3.31.11 - 23 Jan 2026
+
+- When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#3409](https://github.com/github/codeql-action/pull/3409)
+- Improved error handling throughout the CodeQL Action. [#3415](https://github.com/github/codeql-action/pull/3415)
+- Added experimental support for automatically excluding [generated files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github) from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. [#3318](https://github.com/github/codeql-action/pull/3318)
+- The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. [#3403](https://github.com/github/codeql-action/pull/3403)
+
 ## 3.31.10 - 12 Jan 2026
 
 - Update default CodeQL bundle version to 2.23.9. [#3393](https://github.com/github/codeql-action/pull/3393)

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.31.10",
+  "version": "3.31.11",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -24,16 +24,16 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@actions/artifact": "^5.0.1",
+    "@actions/artifact": "^5.0.2",
     "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
-    "@actions/cache": "^5.0.1",
-    "@actions/core": "^2.0.1",
+    "@actions/cache": "^5.0.3",
+    "@actions/core": "^2.0.2",
     "@actions/exec": "^2.0.0",
-    "@actions/github": "^6.0.1",
+    "@actions/github": "^7.0.0",
     "@actions/glob": "^0.5.0",
     "@actions/http-client": "^3.0.0",
     "@actions/io": "^2.0.0",
-    "@actions/tool-cache": "^2.0.2",
+    "@actions/tool-cache": "^3.0.0",
     "@octokit/plugin-retry": "^6.0.0",
     "@schemastore/package": "0.0.10",
     "archiver": "^7.0.1",
@@ -49,7 +49,7 @@
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^2.0.0",
+    "@eslint/compat": "^2.0.1",
     "@eslint/eslintrc": "^3.3.3",
     "@eslint/js": "^9.39.2",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
@@ -61,7 +61,7 @@
     "@types/node-forge": "^1.3.14",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^21.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.52.0",
+    "@typescript-eslint/eslint-plugin": "^8.53.1",
     "@typescript-eslint/parser": "^8.48.0",
     "ava": "^6.4.1",
     "esbuild": "^0.27.2",
@@ -70,7 +70,7 @@
     "eslint-plugin-filenames": "^1.3.2",
     "eslint-plugin-github": "^5.1.8",
     "eslint-plugin-import": "2.29.1",
-    "eslint-plugin-jsdoc": "^61.5.0",
+    "eslint-plugin-jsdoc": "^62.2.0",
     "eslint-plugin-no-async-foreach": "^0.1.1",
     "glob": "^11.1.0",
     "nock": "^14.0.10",

pr-checks/checks/ccr.yml

@@ -0,0 +1,16 @@
+name: "CCR"
+description: "A standard analysis in CCR mode"
+env:
+  CODEQL_ACTION_ANALYSIS_KEY: "dynamic/copilot-pull-request-reviewer/codeql-action-test"
+steps:
+  - uses: ./../action/init
+    id: init
+    with:
+      languages: javascript
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+  - uses: ./../action/analyze
+    id: analysis
+    with:
+      upload-database: false
+

pr-checks/checks/rubocop-multi-language.yml

@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
   - name: Set up Ruby
-    uses: ruby/setup-ruby@4c24fa5ec04b2e79eb40571b1cee2a0d2b705771 # v1.278.0
+    uses: ruby/setup-ruby@80740b3b13bf9857e28854481ca95a84e78a2bdf # v1.284.0
     with:
       ruby-version: 2.6
   - name: Install Code Scanning integration

pr-checks/sync.py

@@ -271,6 +271,10 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
 
     raw_file = this_dir.parent / ".github" / "workflows" / f"__{checkName}.yml.raw"
     with open(raw_file, 'w', newline='\n') as output_stream:
+        extraGroupName = ""
+        for inputName in workflowInputs.keys():
+            extraGroupName += "-${{inputs." + inputName + "}}"
+
         writeHeader(output_stream)
         yaml.dump({
             'name': f"PR Check - {checkSpecification['name']}",
@@ -305,9 +309,15 @@ for file in sorted((this_dir / 'checks').glob('*.yml')):
                 # For other events, the new workflows should wait until earlier ones have finished.
                 # This should help reduce the number of concurrent workflows on the repo, and
                 # consequently the number of concurrent API requests.
-                'cancel-in-progress': "${{ github.event_name == 'pull_request' }}",
-                # The group is determined by the workflow name + the ref
-                'group': "${{ github.workflow }}-${{ github.ref }}"
+                # Note, the `|| false` is intentional to rule out that this somehow ends up being
+                # `true` since we observed workflows for non-`pull_request` events getting cancelled.
+                'cancel-in-progress': "${{ github.event_name == 'pull_request' || false }}",
+                # The group is determined by the workflow name, the ref, and the input values.
+                # The base name is hard-coded to avoid issues when the workflow is triggered by
+                # a `workflow_call` event (where `github.workflow` would be the name of the caller).
+                # The input values are added, since they may result in different behaviour for a
+                # given workflow on the same ref.
+                'group': checkName + "-${{github.ref}}" + extraGroupName
             },
             'jobs': {
                 checkName: checkJob

src/actions-util.test.ts

@@ -5,6 +5,9 @@ import {
   fixCodeQualityCategory,
   getPullRequestBranches,
   isAnalyzingPullRequest,
+  isCCR,
+  isDefaultSetup,
+  isDynamicWorkflow,
 } from "./actions-util";
 import { computeAutomationID } from "./api-client";
 import { EnvVar } from "./environment";
@@ -246,3 +249,24 @@ test("fixCodeQualityCategory", (t) => {
     },
   );
 });
+
+test("isDynamicWorkflow() returns true if event name is `dynamic`", (t) => {
+  process.env.GITHUB_EVENT_NAME = "dynamic";
+  t.assert(isDynamicWorkflow());
+  process.env.GITHUB_EVENT_NAME = "push";
+  t.false(isDynamicWorkflow());
+});
+
+test("isCCR() returns true when expected", (t) => {
+  process.env.GITHUB_EVENT_NAME = "dynamic";
+  process.env[EnvVar.ANALYSIS_KEY] = "dynamic/copilot-pull-request-reviewer";
+  t.assert(isCCR());
+  t.false(isDefaultSetup());
+});
+
+test("isDefaultSetup() returns true when expected", (t) => {
+  process.env.GITHUB_EVENT_NAME = "dynamic";
+  process.env[EnvVar.ANALYSIS_KEY] = "dynamic/github-code-scanning";
+  t.assert(isDefaultSetup());
+  t.false(isCCR());
+});

src/actions-util.ts

@@ -8,6 +8,7 @@ import * as io from "@actions/io";
 import { JSONSchemaForNPMPackageJsonFiles } from "@schemastore/package";
 
 import type { Config } from "./config-utils";
+import { EnvVar } from "./environment";
 import { Logger } from "./logging";
 import {
   doesDirectoryExist,
@@ -254,7 +255,15 @@ export function isDynamicWorkflow(): boolean {
 
 /** Determines whether we are running in default setup. */
 export function isDefaultSetup(): boolean {
-  return isDynamicWorkflow();
+  return isDynamicWorkflow() && !isCCR();
+}
+
+/* The analysis key prefix used for CCR. */
+const CCR_KEY_PREFIX = "dynamic/copilot-pull-request-reviewer";
+
+/** Determines whether we are running in CCR. */
+export function isCCR(): boolean {
+  return process.env[EnvVar.ANALYSIS_KEY]?.startsWith(CCR_KEY_PREFIX) || false;
 }
 
 export function prettyPrintInvocation(cmd: string, args: string[]): string {

src/analyze-action-post.ts

@@ -21,6 +21,9 @@ import { getActionsLogger } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";
 
 async function runWrapper() {
+  // To capture errors appropriately, keep as much code within the try-catch as
+  // possible, and only use safe functions outside.
+
   try {
     actionsUtil.restoreInputs();
     const logger = getActionsLogger();

src/analyze-action.ts

@@ -41,6 +41,7 @@ import {
   createStatusReportBase,
   DatabaseCreationTimings,
   getActionsStatus,
+  sendUnhandledErrorStatusReport,
   StatusReportBase,
 } from "./status-report";
 import {
@@ -208,8 +209,10 @@ async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {
   await runAutobuild(config, KnownLanguage.go, logger);
 }
 
-async function run() {
-  const startedAt = new Date();
+async function run(startedAt: Date) {
+  // To capture errors appropriately, keep as much code within the try-catch as
+  // possible, and only use safe functions outside.
+
   let uploadResults:
     | Partial<Record<analyses.AnalysisKind, UploadResult>>
     | undefined = undefined;
@@ -222,14 +225,15 @@ async function run() {
   let didUploadTrapCaches = false;
   let dependencyCacheResults: DependencyCacheUploadStatusReport | undefined;
   let databaseUploadResults: DatabaseUploadResult[] = [];
-  util.initializeEnvironment(actionsUtil.getActionVersion());
-
-  // Make inputs accessible in the `post` step, details at
-  // https://github.com/github/codeql-action/issues/2553
-  actionsUtil.persistInputs();
-
   const logger = getActionsLogger();
+
   try {
+    util.initializeEnvironment(actionsUtil.getActionVersion());
+
+    // Make inputs accessible in the `post` step, details at
+    // https://github.com/github/codeql-action/issues/2553
+    actionsUtil.persistInputs();
+
     const statusReportBase = await createStatusReportBase(
       ActionName.Analyze,
       "starting",
@@ -522,13 +526,22 @@ async function run() {
   }
 }
 
-export const runPromise = run();
+// Module-level startedAt so it can be accessed by runWrapper for error reporting
+const startedAt = new Date();
+export const runPromise = run(startedAt);
 
 async function runWrapper() {
+  const logger = getActionsLogger();
   try {
     await runPromise;
   } catch (error) {
     core.setFailed(`analyze action failed: ${util.getErrorMessage(error)}`);
+    await sendUnhandledErrorStatusReport(
+      ActionName.Analyze,
+      startedAt,
+      error,
+      logger,
+    );
   }
   await util.checkForTimeout();
 }

src/api-client.ts

@@ -3,6 +3,7 @@ import * as githubUtils from "@actions/github/lib/utils";
 import * as retry from "@octokit/plugin-retry";
 
 import { getActionVersion, getRequiredInput } from "./actions-util";
+import { EnvVar } from "./environment";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
@@ -189,9 +190,7 @@ export async function getWorkflowRelativePath(): Promise<string> {
  * the GitHub API, but after that the result will be cached.
  */
 export async function getAnalysisKey(): Promise<string> {
-  const analysisKeyEnvVar = "CODEQL_ACTION_ANALYSIS_KEY";
-
-  let analysisKey = process.env[analysisKeyEnvVar];
+  let analysisKey = process.env[EnvVar.ANALYSIS_KEY];
   if (analysisKey !== undefined) {
     return analysisKey;
   }
@@ -200,7 +199,7 @@ export async function getAnalysisKey(): Promise<string> {
   const jobName = getRequiredEnvParam("GITHUB_JOB");
 
   analysisKey = `${workflowPath}:${jobName}`;
-  core.exportVariable(analysisKeyEnvVar, analysisKey);
+  core.exportVariable(EnvVar.ANALYSIS_KEY, analysisKey);
   return analysisKey;
 }
 

src/autobuild-action.ts

@@ -17,6 +17,7 @@ import {
   getActionsStatus,
   createStatusReportBase,
   sendStatusReport,
+  sendUnhandledErrorStatusReport,
   ActionName,
 } from "./status-report";
 import { endTracingForCluster } from "./tracer-config";
@@ -68,8 +69,10 @@ async function sendCompletedStatusReport(
   }
 }
 
-async function run() {
-  const startedAt = new Date();
+async function run(startedAt: Date) {
+  // To capture errors appropriately, keep as much code within the try-catch as
+  // possible, and only use safe functions outside.
+
   const logger = getActionsLogger();
   let config: Config | undefined;
   let currentLanguage: Language | undefined;
@@ -140,10 +143,18 @@ async function run() {
 }
 
 async function runWrapper() {
+  const startedAt = new Date();
+  const logger = getActionsLogger();
   try {
-    await run();
+    await run(startedAt);
   } catch (error) {
     core.setFailed(`autobuild action failed. ${getErrorMessage(error)}`);
+    await sendUnhandledErrorStatusReport(
+      ActionName.Autobuild,
+      startedAt,
+      error,
+      logger,
+    );
   }
 }
 

src/codeql.ts

@@ -147,11 +147,20 @@ export interface CodeQL {
   ): Promise<void>;
   /**
    * Run 'codeql database bundle'.
+   *
+   * @param alsoIncludeRelativePaths Additional paths that should be included in the bundle if
+   * supported by the version of the CodeQL CLI.
+   *
+   * These paths are relative to the database root.
+   *
+   * Older versions of the CodeQL CLI do not support including additional paths in the bundle.
+   * In those cases, this parameter will be ignored.
    */
   databaseBundle(
     databasePath: string,
     outputFilePath: string,
     dbName: string,
+    alsoIncludeRelativePaths: string[],
   ): Promise<void>;
   /**
    * Run 'codeql database run-queries'. If no `queries` are specified, then the CLI
@@ -911,6 +920,7 @@ async function getCodeQLForCmd(
       databasePath: string,
       outputFilePath: string,
       databaseName: string,
+      alsoIncludeRelativePaths: string[],
     ): Promise<void> {
       const args = [
         "database",
@@ -920,6 +930,16 @@ async function getCodeQLForCmd(
         `--name=${databaseName}`,
         ...getExtraOptionsFromEnv(["database", "bundle"]),
       ];
+      if (
+        await this.supportsFeature(ToolsFeature.BundleSupportsIncludeOption)
+      ) {
+        args.push(
+          ...alsoIncludeRelativePaths.flatMap((relativePath) => [
+            "--include",
+            relativePath,
+          ]),
+        );
+      }
       await new toolrunner.ToolRunner(cmd, args).exec();
     },
     async databaseExportDiagnostics(

src/config-utils.ts

@@ -4,7 +4,11 @@ import { performance } from "perf_hooks";
 
 import * as yaml from "js-yaml";
 
-import { getActionVersion, isAnalyzingPullRequest } from "./actions-util";
+import {
+  getActionVersion,
+  isAnalyzingPullRequest,
+  isCCR,
+} from "./actions-util";
 import {
   AnalysisConfig,
   AnalysisKind,
@@ -29,6 +33,7 @@ import * as errorMessages from "./error-messages";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import { RepositoryProperties } from "./feature-flags/properties";
 import {
+  getGeneratedFiles,
   getGitRoot,
   getGitVersionOrThrow,
   GIT_MINIMUM_VERSION_FOR_OVERLAY,
@@ -55,6 +60,7 @@ import {
   getCodeQLMemoryLimit,
   getErrorMessage,
   isInTestMode,
+  joinAtMost,
 } from "./util";
 
 export * from "./config/db-config";
@@ -948,6 +954,39 @@ export async function initConfig(
     }
   }
 
+  // If we are in CCR or the corresponding FF is enabled, try to determine
+  // which files in the repository are marked as generated and add them to
+  // the `paths-ignore` configuration.
+  if ((await features.getValue(Feature.IgnoreGeneratedFiles)) && isCCR()) {
+    try {
+      const generatedFilesCheckStartedAt = performance.now();
+      const generatedFiles = await getGeneratedFiles(inputs.sourceRoot);
+      const generatedFilesDuration = Math.round(
+        performance.now() - generatedFilesCheckStartedAt,
+      );
+
+      if (generatedFiles.length > 0) {
+        config.computedConfig["paths-ignore"] ??= [];
+        config.computedConfig["paths-ignore"].push(...generatedFiles);
+        logger.info(
+          `Detected ${generatedFiles.length} generated file(s), which will be excluded from analysis: ${joinAtMost(generatedFiles, ", ", 10)}`,
+        );
+      } else {
+        logger.info(`Found no generated files.`);
+      }
+
+      await logGeneratedFilesTelemetry(
+        config,
+        generatedFilesDuration,
+        generatedFiles.length,
+      );
+    } catch (error) {
+      logger.info(`Cannot ignore generated files: ${getErrorMessage(error)}`);
+    }
+  } else {
+    logger.debug(`Skipping check for generated files.`);
+  }
+
   // The choice of overlay database mode depends on the selection of languages
   // and queries, which in turn depends on the user config and the augmentation
   // properties. So we need to calculate the overlay database mode after the
@@ -1385,3 +1424,32 @@ async function logGitVersionTelemetry(
     );
   }
 }
+
+/**
+ * Logs the time it took to identify generated files and how many were discovered as
+ * a telemetry diagnostic.
+ * */
+async function logGeneratedFilesTelemetry(
+  config: Config,
+  duration: number,
+  generatedFilesCount: number,
+): Promise<void> {
+  if (config.languages.length < 1) {
+    return;
+  }
+
+  addDiagnostic(
+    config,
+    // Arbitrarily choose the first language. We could also choose all languages, but that
+    // increases the risk of misinterpreting the data.
+    config.languages[0],
+    makeTelemetryDiagnostic(
+      "codeql-action/generated-files-telemetry",
+      "Generated files telemetry",
+      {
+        duration,
+        generatedFilesCount,
+      },
+    ),
+  );
+}

src/debug-artifacts.test.ts

@@ -24,6 +24,37 @@ test("sanitizeArtifactName", (t) => {
   );
 });
 
+test("getArtifactSuffix", (t) => {
+  // No suffix if there's no `matrix` input, it is invalid, or has no keys.
+  t.is(debugArtifacts.getArtifactSuffix(undefined), "");
+  t.is(debugArtifacts.getArtifactSuffix(""), "");
+  t.is(debugArtifacts.getArtifactSuffix("invalid json"), "");
+  t.is(debugArtifacts.getArtifactSuffix("{}"), "");
+  t.is(debugArtifacts.getArtifactSuffix("null"), "");
+  t.is(debugArtifacts.getArtifactSuffix("123"), "");
+  t.is(debugArtifacts.getArtifactSuffix('"string"'), "");
+
+  // Suffixes for non-empty, valid `matrix` inputs.
+  const testMatrices = [
+    { matrix: { language: "go" }, expected: "-go" },
+    {
+      matrix: { language: "javascript", "build-mode": "none" },
+      expected: "-none-javascript",
+    },
+    {
+      matrix: { "build-mode": "none", language: "javascript" },
+      expected: "-none-javascript",
+    },
+  ];
+
+  for (const testMatrix of testMatrices) {
+    const suffix = debugArtifacts.getArtifactSuffix(
+      JSON.stringify(testMatrix.matrix),
+    );
+    t.is(suffix, testMatrix.expected);
+  }
+});
+
 // These next tests check the correctness of the logic to determine whether or not
 // artifacts are uploaded in debug mode. Since it's not easy to mock the actual
 // call to upload an artifact, we just check that we get an "upload-failed" result,

src/debug-artifacts.ts

@@ -246,6 +246,42 @@ export async function tryUploadAllAvailableDebugArtifacts(
   }
 }
 
+/**
+ * When a build matrix is used, multiple different jobs arising from the matrix may attempt to upload
+ * workflow artifacts with the same base name. In that case, only one of the uploads will succeed and
+ * the others will fail. This function inspects the matrix object to compute a suffix for the artifact
+ * name that uniquely identifies the matrix values of the current job to avoid name clashes.
+ *
+ * @param matrix A stringified JSON value, usually the value of the `matrix` input.
+ * @returns A suffix that uniquely identifies the `matrix` value for the current job, or `""` if there
+ * is no matrix value.
+ */
+export function getArtifactSuffix(matrix: string | undefined): string {
+  let suffix = "";
+  if (matrix) {
+    try {
+      const matrixObject = JSON.parse(matrix);
+      if (matrixObject !== null && typeof matrixObject === "object") {
+        for (const matrixKey of Object.keys(matrixObject as object).sort())
+          suffix += `-${matrixObject[matrixKey]}`;
+      } else {
+        core.warning("User-specified `matrix` input is not an object.");
+      }
+    } catch {
+      core.warning(
+        "Could not parse user-specified `matrix` input into JSON. The debug artifact will not be named with the user's `matrix` input.",
+      );
+    }
+  }
+  return suffix;
+}
+
+// Enumerates different, possible outcomes for artifact uploads.
+export type UploadArtifactsResult =
+  | "no-artifacts-to-upload"
+  | "upload-successful"
+  | "upload-failed";
+
 export async function uploadDebugArtifacts(
   logger: Logger,
   toUpload: string[],
@@ -253,15 +289,7 @@ export async function uploadDebugArtifacts(
   artifactName: string,
   ghVariant: GitHubVariant,
   codeQlVersion: string | undefined,
-): Promise<
-  | "no-artifacts-to-upload"
-  | "upload-successful"
-  | "upload-failed"
-  | "upload-not-supported"
-> {
-  if (toUpload.length === 0) {
-    return "no-artifacts-to-upload";
-  }
+): Promise<UploadArtifactsResult | "upload-not-supported"> {
   const uploadSupported = isSafeArtifactUpload(codeQlVersion);
 
   if (!uploadSupported) {
@@ -271,6 +299,31 @@ export async function uploadDebugArtifacts(
     return "upload-not-supported";
   }
 
+  return uploadArtifacts(logger, toUpload, rootDir, artifactName, ghVariant);
+}
+
+/**
+ * Uploads the specified files as a single workflow artifact.
+ *
+ * @param logger The logger to use.
+ * @param toUpload The list of paths to include in the artifact.
+ * @param rootDir The root directory of the paths to include.
+ * @param artifactName The base name for the artifact.
+ * @param ghVariant The GitHub variant.
+ *
+ * @returns The outcome of the attempt to create and upload the artifact.
+ */
+export async function uploadArtifacts(
+  logger: Logger,
+  toUpload: string[],
+  rootDir: string,
+  artifactName: string,
+  ghVariant: GitHubVariant,
+): Promise<UploadArtifactsResult> {
+  if (toUpload.length === 0) {
+    return "no-artifacts-to-upload";
+  }
+
   // When running in test mode, perform a best effort scan of the debug artifacts. The artifact
   // scanner is basic and not reliable or fast enough for production use, but it can help catch
   // some issues early.
@@ -279,21 +332,7 @@ export async function uploadDebugArtifacts(
     core.exportVariable("CODEQL_ACTION_ARTIFACT_SCAN_FINISHED", "true");
   }
 
-  let suffix = "";
-  const matrix = getOptionalInput("matrix");
-  if (matrix) {
-    try {
-      for (const [, matrixVal] of Object.entries(
-        JSON.parse(matrix) as any[][],
-      ).sort())
-        suffix += `-${matrixVal}`;
-    } catch {
-      core.info(
-        "Could not parse user-specified `matrix` input into JSON. The debug artifact will not be named with the user's `matrix` input.",
-      );
-    }
-  }
-
+  const suffix = getArtifactSuffix(getOptionalInput("matrix"));
   const artifactUploader = await getArtifactUploaderClient(logger, ghVariant);
 
   try {

src/environment.ts

@@ -135,4 +135,10 @@ export enum EnvVar {
    * Intended for use in environments where git may not be installed, such as Docker containers.
    */
   TOLERATE_MISSING_GIT_VERSION = "CODEQL_ACTION_TOLERATE_MISSING_GIT_VERSION",
+
+  /**
+   * Used to store the analysis key used by the CodeQL Action. This is normally populated by
+   * `getAnalysisKey`, but can also be set manually for testing and non-standard applications.
+   */
+  ANALYSIS_KEY = "CODEQL_ACTION_ANALYSIS_KEY",
 }

src/feature-flags.ts

@@ -45,6 +45,7 @@ export enum Feature {
   DisableJavaBuildlessEnabled = "disable_java_buildless_enabled",
   DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
   ExportDiagnosticsEnabled = "export_diagnostics_enabled",
+  IgnoreGeneratedFiles = "ignore_generated_files",
   OverlayAnalysis = "overlay_analysis",
   OverlayAnalysisActions = "overlay_analysis_actions",
   OverlayAnalysisCodeScanningActions = "overlay_analysis_code_scanning_actions",
@@ -158,6 +159,11 @@ export const featureConfig = {
     legacyApi: true,
     minimumVersion: undefined,
   },
+  [Feature.IgnoreGeneratedFiles]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
+    minimumVersion: undefined,
+  },
   [Feature.OverlayAnalysis]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",

src/git-utils.test.ts

@@ -435,3 +435,42 @@ test("GitVersionInfo.isAtLeast correctly compares versions", async (t) => {
   t.false(version.isAtLeast("2.41.0"));
   t.false(version.isAtLeast("3.0.0"));
 });
+
+test("listFiles returns array of file paths", async (t) => {
+  sinon
+    .stub(gitUtils, "runGitCommand")
+    .resolves(["dir/file.txt", "README.txt", ""].join(os.EOL));
+
+  await t.notThrowsAsync(async () => {
+    const result = await gitUtils.listFiles("/some/path");
+    t.is(result.length, 2);
+    t.is(result[0], "dir/file.txt");
+  });
+});
+
+test("getGeneratedFiles returns generated files only", async (t) => {
+  const runGitCommandStub = sinon.stub(gitUtils, "runGitCommand");
+
+  runGitCommandStub
+    .onFirstCall()
+    .resolves(["dir/file.txt", "test.json", "README.txt", ""].join(os.EOL));
+  runGitCommandStub
+    .onSecondCall()
+    .resolves(
+      [
+        "dir/file.txt: linguist-generated: unspecified",
+        "test.json: linguist-generated: true",
+        "README.txt: linguist-generated: false",
+        "",
+      ].join(os.EOL),
+    );
+
+  await t.notThrowsAsync(async () => {
+    const result = await gitUtils.getGeneratedFiles("/some/path");
+
+    t.assert(runGitCommandStub.calledTwice);
+
+    t.is(result.length, 1);
+    t.is(result[0], "test.json");
+  });
+});

src/git-utils.ts

@@ -1,4 +1,7 @@
+import * as os from "os";
+
 import * as core from "@actions/core";
+import { ExecOptions } from "@actions/exec";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as io from "@actions/io";
 import * as semver from "semver";
@@ -60,6 +63,7 @@ export const runGitCommand = async function (
   workingDirectory: string | undefined,
   args: string[],
   customErrorMessage: string,
+  options?: ExecOptions,
 ): Promise<string> {
   let stdout = "";
   let stderr = "";
@@ -76,6 +80,7 @@ export const runGitCommand = async function (
         },
       },
       cwd: workingDirectory,
+      ...options,
     }).exec();
     return stdout;
   } catch (error) {
@@ -394,3 +399,45 @@ export async function isAnalyzingDefaultBranch(): Promise<boolean> {
 
   return currentRef === defaultBranch;
 }
+
+/**
+ * Gets a list of all tracked files in the repository.
+ *
+ * @param workingDirectory The working directory, which is part of a Git repository.
+ */
+export async function listFiles(workingDirectory: string): Promise<string[]> {
+  const stdout = await runGitCommand(
+    workingDirectory,
+    ["ls-files"],
+    "Unable to list tracked files.",
+  );
+  return stdout.split(os.EOL).filter((line) => line.trim().length > 0);
+}
+
+/**
+ * Gets a list of files that have the `linguist-generated: true` attribute.
+ *
+ * @param workingDirectory The working directory, which is part of a Git repository.
+ */
+export async function getGeneratedFiles(
+  workingDirectory: string,
+): Promise<string[]> {
+  const files = await listFiles(workingDirectory);
+  const stdout = await runGitCommand(
+    workingDirectory,
+    ["check-attr", "linguist-generated", "--stdin"],
+    "Unable to check attributes of files.",
+    { input: Buffer.from(files.join(os.EOL)) },
+  );
+
+  const generatedFiles: string[] = [];
+  const regex = /^([^:]+): linguist-generated: true$/;
+  for (const result of stdout.split(os.EOL)) {
+    const match = result.match(regex);
+    if (match && match[1].trim().length > 0) {
+      generatedFiles.push(match[1].trim());
+    }
+  }
+
+  return generatedFiles;
+}

src/init-action-post.ts

@@ -28,6 +28,7 @@ import { getRepositoryNwo } from "./repository";
 import {
   StatusReportBase,
   sendStatusReport,
+  sendUnhandledErrorStatusReport,
   createStatusReportBase,
   getActionsStatus,
   ActionName,
@@ -41,9 +42,11 @@ interface InitPostStatusReport
     initActionPostHelper.JobStatusReport,
     initActionPostHelper.DependencyCachingUsageReport {}
 
-async function runWrapper() {
+async function run(startedAt: Date) {
+  // To capture errors appropriately, keep as much code within the try-catch as
+  // possible, and only use safe functions outside.
+
   const logger = getActionsLogger();
-  const startedAt = new Date();
   let config: Config | undefined;
   let uploadFailedSarifResult:
     | initActionPostHelper.UploadFailedSarifResult
@@ -136,4 +139,20 @@ async function runWrapper() {
   }
 }
 
+async function runWrapper() {
+  const startedAt = new Date();
+  const logger = getActionsLogger();
+  try {
+    await run(startedAt);
+  } catch (error) {
+    core.setFailed(`init post action failed: ${wrapError(error).message}`);
+    await sendUnhandledErrorStatusReport(
+      ActionName.InitPost,
+      startedAt,
+      error,
+      logger,
+    );
+  }
+}
+
 void runWrapper();

src/init-action.ts

@@ -16,7 +16,7 @@ import {
   persistInputs,
 } from "./actions-util";
 import { AnalysisKind, getAnalysisKinds } from "./analyses";
-import { getGitHubVersion } from "./api-client";
+import { getGitHubVersion, GitHubApiCombinedDetails } from "./api-client";
 import {
   getDependencyCachingEnabled,
   getTotalCacheSize,
@@ -64,6 +64,7 @@ import {
   createStatusReportBase,
   getActionsStatus,
   sendStatusReport,
+  sendUnhandledErrorStatusReport,
 } from "./status-report";
 import { ZstdAvailability } from "./tar";
 import { ToolsDownloadStatusReport } from "./tools-download";
@@ -191,68 +192,75 @@ async function sendCompletedStatusReport(
   }
 }
 
-async function run() {
-  const startedAt = new Date();
+async function run(startedAt: Date) {
+  // To capture errors appropriately, keep as much code within the try-catch as
+  // possible, and only use safe functions outside.
+
   const logger = getActionsLogger();
-  initializeEnvironment(getActionVersion());
-
-  // Make inputs accessible in the `post` step.
-  persistInputs();
 
+  let apiDetails: GitHubApiCombinedDetails;
   let config: configUtils.Config | undefined;
+  let configFile: string | undefined;
   let codeql: CodeQL;
+  let features: Features;
+  let sourceRoot: string;
   let toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined;
   let toolsFeatureFlagsValid: boolean | undefined;
   let toolsSource: ToolsSource;
   let toolsVersion: string;
   let zstdAvailability: ZstdAvailability | undefined;
 
-  const apiDetails = {
-    auth: getRequiredInput("token"),
-    externalRepoAuth: getOptionalInput("external-repository-token"),
-    url: getRequiredEnvParam("GITHUB_SERVER_URL"),
-    apiURL: getRequiredEnvParam("GITHUB_API_URL"),
-  };
-
-  const gitHubVersion = await getGitHubVersion();
-  checkGitHubVersionInRange(gitHubVersion, logger);
-  checkActionVersion(getActionVersion(), gitHubVersion);
-
-  const repositoryNwo = getRepositoryNwo();
-
-  const features = new Features(
-    gitHubVersion,
-    repositoryNwo,
-    getTemporaryDirectory(),
-    logger,
-  );
-
-  // Fetch the values of known repository properties that affect us.
-  const enableRepoProps = await features.getValue(
-    Feature.UseRepositoryProperties,
-  );
-  const repositoryProperties = enableRepoProps
-    ? await loadPropertiesFromApi(gitHubVersion, logger, repositoryNwo)
-    : {};
-
-  // Create a unique identifier for this run.
-  const jobRunUuid = uuidV4();
-  logger.info(`Job run UUID is ${jobRunUuid}.`);
-  core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
-
-  core.exportVariable(EnvVar.INIT_ACTION_HAS_RUN, "true");
-
-  const configFile = getOptionalInput("config-file");
-
-  // path.resolve() respects the intended semantics of source-root. If
-  // source-root is relative, it is relative to the GITHUB_WORKSPACE. If
-  // source-root is absolute, it is used as given.
-  const sourceRoot = path.resolve(
-    getRequiredEnvParam("GITHUB_WORKSPACE"),
-    getOptionalInput("source-root") || "",
-  );
-
   try {
+    initializeEnvironment(getActionVersion());
+
+    // Make inputs accessible in the `post` step.
+    persistInputs();
+
+    apiDetails = {
+      auth: getRequiredInput("token"),
+      externalRepoAuth: getOptionalInput("external-repository-token"),
+      url: getRequiredEnvParam("GITHUB_SERVER_URL"),
+      apiURL: getRequiredEnvParam("GITHUB_API_URL"),
+    };
+
+    const gitHubVersion = await getGitHubVersion();
+    checkGitHubVersionInRange(gitHubVersion, logger);
+    checkActionVersion(getActionVersion(), gitHubVersion);
+
+    const repositoryNwo = getRepositoryNwo();
+
+    features = new Features(
+      gitHubVersion,
+      repositoryNwo,
+      getTemporaryDirectory(),
+      logger,
+    );
+
+    // Fetch the values of known repository properties that affect us.
+    const enableRepoProps = await features.getValue(
+      Feature.UseRepositoryProperties,
+    );
+    const repositoryProperties = enableRepoProps
+      ? await loadPropertiesFromApi(gitHubVersion, logger, repositoryNwo)
+      : {};
+
+    // Create a unique identifier for this run.
+    const jobRunUuid = uuidV4();
+    logger.info(`Job run UUID is ${jobRunUuid}.`);
+    core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
+
+    core.exportVariable(EnvVar.INIT_ACTION_HAS_RUN, "true");
+
+    configFile = getOptionalInput("config-file");
+
+    // path.resolve() respects the intended semantics of source-root. If
+    // source-root is relative, it is relative to the GITHUB_WORKSPACE. If
+    // source-root is absolute, it is used as given.
+    sourceRoot = path.resolve(
+      getRequiredEnvParam("GITHUB_WORKSPACE"),
+      getOptionalInput("source-root") || "",
+    );
+
     // Parsing the `analysis-kinds` input may throw a `ConfigurationError`, which we don't want before
     // we have called `sendStartingStatusReport` below. However, we want the analysis kinds for that status
     // report. To work around this, we ignore exceptions that are thrown here and then call `getAnalysisKinds`
@@ -725,6 +733,12 @@ async function run() {
     // did not exist until now.
     flushDiagnostics(config);
 
+    // We save the config here instead of at the end of `initConfig` because we
+    // may have updated the config returned from `initConfig`, e.g. to revert to
+    // `OverlayDatabaseMode.None` if we failed to download an overlay-base
+    // database.
+    await configUtils.saveConfig(config, logger);
+
     core.setOutput("codeql-path", config.codeQLCmd);
     core.setOutput("codeql-version", (await codeql.getVersion()).version);
   } catch (unwrappedError) {
@@ -747,12 +761,6 @@ async function run() {
   } finally {
     logUnwrittenDiagnostics();
   }
-
-  // We save the config here instead of at the end of `initConfig` because we
-  // may have updated the config returned from `initConfig`, e.g. to revert to
-  // `OverlayDatabaseMode.None` if we failed to download an overlay-base
-  // database.
-  await configUtils.saveConfig(config, logger);
   await sendCompletedStatusReport(
     startedAt,
     config,
@@ -797,10 +805,18 @@ async function recordZstdAvailability(
 }
 
 async function runWrapper() {
+  const startedAt = new Date();
+  const logger = getActionsLogger();
   try {
-    await run();
+    await run(startedAt);
   } catch (error) {
     core.setFailed(`init action failed: ${getErrorMessage(error)}`);
+    await sendUnhandledErrorStatusReport(
+      ActionName.Init,
+      startedAt,
+      error,
+      logger,
+    );
   }
   await checkForTimeout();
 }

src/overlay-database-utils.ts

@@ -17,6 +17,7 @@ import { getCommitOid, getFileOidsUnderPath } from "./git-utils";
 import { Logger, withGroupAsync } from "./logging";
 import {
   CleanupLevel,
+  getBaseDatabaseOidsFilePath,
   getCodeQLDatabasePath,
   getErrorMessage,
   isInTestMode,
@@ -98,10 +99,6 @@ async function readBaseDatabaseOidsFile(
   }
 }
 
-function getBaseDatabaseOidsFilePath(config: Config): string {
-  return path.join(config.dbLocation, "base-database-oids.json");
-}
-
 /**
  * Writes a JSON file containing the source-root-relative paths of files under
  * `sourceRoot` that have changed (added, removed, or modified) from the overlay

src/resolve-environment-action.ts

@@ -13,6 +13,7 @@ import { getActionsLogger } from "./logging";
 import { runResolveBuildEnvironment } from "./resolve-environment";
 import {
   sendStatusReport,
+  sendUnhandledErrorStatusReport,
   createStatusReportBase,
   getActionsStatus,
   ActionName,
@@ -29,8 +30,10 @@ import {
 
 const ENVIRONMENT_OUTPUT_NAME = "environment";
 
-async function run() {
-  const startedAt = new Date();
+async function run(startedAt: Date) {
+  // To capture errors appropriately, keep as much code within the try-catch as
+  // possible, and only use safe functions outside.
+
   const logger = getActionsLogger();
 
   let config: Config | undefined;
@@ -115,14 +118,22 @@ async function run() {
 }
 
 async function runWrapper() {
+  const startedAt = new Date();
+  const logger = getActionsLogger();
   try {
-    await run();
+    await run(startedAt);
   } catch (error) {
     core.setFailed(
       `${ActionName.ResolveEnvironment} action failed: ${getErrorMessage(
         error,
       )}`,
     );
+    await sendUnhandledErrorStatusReport(
+      ActionName.ResolveEnvironment,
+      startedAt,
+      error,
+      logger,
+    );
   }
   await checkForTimeout();
 }

src/setup-codeql-action.ts

@@ -22,6 +22,7 @@ import {
   createStatusReportBase,
   getActionsStatus,
   sendStatusReport,
+  sendUnhandledErrorStatusReport,
 } from "./status-report";
 import { ToolsDownloadStatusReport } from "./tools-download";
 import {
@@ -85,10 +86,11 @@ async function sendCompletedStatusReport(
 }
 
 /** The main behaviour of this action. */
-async function run(): Promise<void> {
-  const startedAt = new Date();
+async function run(startedAt: Date): Promise<void> {
+  // To capture errors appropriately, keep as much code within the try-catch as
+  // possible, and only use safe functions outside.
+
   const logger = getActionsLogger();
-  initializeEnvironment(getActionVersion());
 
   let codeql: CodeQL;
   let toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined;
@@ -96,31 +98,33 @@ async function run(): Promise<void> {
   let toolsSource: ToolsSource;
   let toolsVersion: string;
 
-  const apiDetails = {
-    auth: getRequiredInput("token"),
-    externalRepoAuth: getOptionalInput("external-repository-token"),
-    url: getRequiredEnvParam("GITHUB_SERVER_URL"),
-    apiURL: getRequiredEnvParam("GITHUB_API_URL"),
-  };
-
-  const gitHubVersion = await getGitHubVersion();
-  checkGitHubVersionInRange(gitHubVersion, logger);
-  checkActionVersion(getActionVersion(), gitHubVersion);
-
-  const repositoryNwo = getRepositoryNwo();
-
-  const features = new Features(
-    gitHubVersion,
-    repositoryNwo,
-    getTemporaryDirectory(),
-    logger,
-  );
-
-  const jobRunUuid = uuidV4();
-  logger.info(`Job run UUID is ${jobRunUuid}.`);
-  core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
-
   try {
+    initializeEnvironment(getActionVersion());
+
+    const apiDetails = {
+      auth: getRequiredInput("token"),
+      externalRepoAuth: getOptionalInput("external-repository-token"),
+      url: getRequiredEnvParam("GITHUB_SERVER_URL"),
+      apiURL: getRequiredEnvParam("GITHUB_API_URL"),
+    };
+
+    const gitHubVersion = await getGitHubVersion();
+    checkGitHubVersionInRange(gitHubVersion, logger);
+    checkActionVersion(getActionVersion(), gitHubVersion);
+
+    const repositoryNwo = getRepositoryNwo();
+
+    const features = new Features(
+      gitHubVersion,
+      repositoryNwo,
+      getTemporaryDirectory(),
+      logger,
+    );
+
+    const jobRunUuid = uuidV4();
+    logger.info(`Job run UUID is ${jobRunUuid}.`);
+    core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
+
     const statusReportBase = await createStatusReportBase(
       ActionName.SetupCodeQL,
       "starting",
@@ -185,10 +189,18 @@ async function run(): Promise<void> {
 
 /** Run the action and catch any unhandled errors. */
 async function runWrapper(): Promise<void> {
+  const startedAt = new Date();
+  const logger = getActionsLogger();
   try {
-    await run();
+    await run(startedAt);
   } catch (error) {
     core.setFailed(`setup-codeql action failed: ${getErrorMessage(error)}`);
+    await sendUnhandledErrorStatusReport(
+      ActionName.SetupCodeQL,
+      startedAt,
+      error,
+      logger,
+    );
   }
   await checkForTimeout();
 }

src/start-proxy-action-post.ts

@@ -8,11 +8,14 @@ import * as core from "@actions/core";
 import * as actionsUtil from "./actions-util";
 import { getGitHubVersion } from "./api-client";
 import * as configUtils from "./config-utils";
-import { getArtifactUploaderClient } from "./debug-artifacts";
+import { uploadArtifacts } from "./debug-artifacts";
 import { getActionsLogger } from "./logging";
 import { checkGitHubVersionInRange, getErrorMessage } from "./util";
 
 async function runWrapper() {
+  // To capture errors appropriately, keep as much code within the try-catch as
+  // possible, and only use safe functions outside.
+
   const logger = getActionsLogger();
 
   try {
@@ -44,19 +47,12 @@ async function runWrapper() {
       const gitHubVersion = await getGitHubVersion();
       checkGitHubVersionInRange(gitHubVersion, logger);
 
-      const artifactUploader = await getArtifactUploaderClient(
+      await uploadArtifacts(
         logger,
-        gitHubVersion.type,
-      );
-
-      await artifactUploader.uploadArtifact(
-        "proxy-log-file",
         [logFilePath],
         actionsUtil.getTemporaryDirectory(),
-        {
-          // ensure we don't keep the debug artifacts around for too long since they can be large.
-          retentionDays: 7,
-        },
+        "proxy-log-file",
+        gitHubVersion.type,
       );
     }
   } catch (error) {

src/start-proxy-action.ts

@@ -22,6 +22,7 @@ import {
   createStatusReportBase,
   getActionsStatus,
   sendStatusReport,
+  sendUnhandledErrorStatusReport,
   StatusReportBase,
 } from "./status-report";
 import * as util from "./util";
@@ -122,16 +123,17 @@ async function sendSuccessStatusReport(
   }
 }
 
-async function runWrapper() {
-  const startedAt = new Date();
-
-  // Make inputs accessible in the `post` step.
-  actionsUtil.persistInputs();
+async function run(startedAt: Date) {
+  // To capture errors appropriately, keep as much code within the try-catch as
+  // possible, and only use safe functions outside.
 
   const logger = getActionsLogger();
   let language: KnownLanguage | undefined;
 
   try {
+    // Make inputs accessible in the `post` step.
+    actionsUtil.persistInputs();
+
     // Setup logging for the proxy
     const tempDir = actionsUtil.getTemporaryDirectory();
     const proxyLogFilePath = path.resolve(tempDir, "proxy.log");
@@ -193,6 +195,7 @@ async function runWrapper() {
       },
       await util.checkDiskUsage(logger),
       logger,
+      "Error from start-proxy Action omitted",
     );
     if (errorStatusReportBase !== undefined) {
       await sendStatusReport(errorStatusReportBase);
@@ -200,6 +203,23 @@ async function runWrapper() {
   }
 }
 
+async function runWrapper() {
+  const startedAt = new Date();
+  const logger = getActionsLogger();
+
+  try {
+    await run(startedAt);
+  } catch (error) {
+    core.setFailed(`start-proxy action failed: ${util.getErrorMessage(error)}`);
+    await sendUnhandledErrorStatusReport(
+      ActionName.StartProxy,
+      startedAt,
+      new Error("Error from start-proxy Action omitted"),
+      logger,
+    );
+  }
+}
+
 async function startProxy(
   binPath: string,
   config: ProxyConfig,

src/status-report.test.ts

@@ -27,7 +27,7 @@ setupTests(test);
 function setupEnvironmentAndStub(tmpDir: string) {
   setupActionsVars(tmpDir, tmpDir);
 
-  process.env["CODEQL_ACTION_ANALYSIS_KEY"] = "analysis-key";
+  process.env[EnvVar.ANALYSIS_KEY] = "analysis-key";
   process.env["GITHUB_EVENT_NAME"] = "dynamic";
   process.env["GITHUB_REF"] = "refs/heads/main";
   process.env["GITHUB_REPOSITORY"] = "octocat/HelloWorld";