From 2c9cd778370535d5d5cb8eb04a4ba7d34890717a Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Wed, 6 May 2026 18:45:24 +0100
Subject: [PATCH 1/3] Tests: Run slow `scanArtifactsForTokens` test in CI only by default

---
 src/artifact-scanner.test.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/artifact-scanner.test.ts b/src/artifact-scanner.test.ts
index d2ecd18e2..6f68e647d 100644
--- a/src/artifact-scanner.test.ts
+++ b/src/artifact-scanner.test.ts
@@ -141,7 +141,12 @@ test("scanArtifactsForTokens handles files without tokens", async (t) => {
 }
 });
 
-if (os.platform() !== "win32") {
+// This test is slow (extracts and scans a zip artifact), so by default we only run it in CI. Set
+// RUN_SLOW_TESTS=1 to run it locally.
+if (
+ os.platform() !== "win32" &&
+ (process.env.CI === "true" || process.env.RUN_SLOW_TESTS === "1")
+) {
 test("scanArtifactsForTokens finds token in debug artifacts", async (t) => {
 t.timeout(15000); // 15 seconds
 const messages: LoggedMessage[] = [];
From d032ee8c476a34c29f935e35e654c48d0fa90b68 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale"
Date: Fri, 10 Apr 2026 12:18:17 +0100
Subject: [PATCH 2/3] Do not run `bundle-metadata.ts` as part of `npm run build`

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index d32144614..32ce693fd 100644
--- a/package.json
+++ b/package.json
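Review bot: In the `src/artifact-scanner.test.ts` hunk the slow test is gated by not registering it at all, so on Windows and on any local run without `RUN_SLOW_TESTS=1` the positive-detection test for the token scanner disappears from the report instead of showing up as skipped. Assuming `test` here is AVA's, choosing the registrar keeps the gap visible: `const slowTest = os.platform() !== "win32" && (process.env.CI === "true" || process.env.RUN_SLOW_TESTS === "1") ? test : test.skip;` and then `slowTest("scanArtifactsForTokens finds token in debug artifacts", ...)`. The `if` block and the test body continue past the end of the hunk, so this assumes nothing else is registered inside that block.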
@@ -5,7 +5,7 @@
 "description": "CodeQL action",
 "scripts": {
 "_build_comment": "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
- "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs && npx tsx ./pr-checks/bundle-metadata.ts",
+ "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
 "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
 "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
 "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
From 0c80cee8061e24785c6ad1b079c5f4314b827b75 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Thu, 7 May 2026 15:39:42 +0100
Subject: [PATCH 3/3] Add explicit error on Windows

---
 lib/analyze-action-post.js | 3 +++
 lib/init-action-post.js | 3 +++
 lib/start-proxy-action-post.js | 3 +++
 lib/upload-sarif-action-post.js | 3 +++
 src/artifact-scanner.ts | 4 ++++
 5 files changed, 16 insertions(+)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index fe47faa57..b7ee97d89 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -128728,6 +128728,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}` ); } + if (process.platform === "win32") { + throw new Error("Scanning archives is not supported on Windows."); + } const result = { scannedFiles: 0, findings: []
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 2794b130e..57b06ab2f 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -133650,6 +133650,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}` ); } + if (process.platform === "win32") { + throw new Error("Scanning archives is not supported on Windows."); + } const result = { scannedFiles: 0, findings: []
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index 9c40cb5e6..414118377 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -127590,6 +127590,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}` ); } + if (process.platform === "win32") { + throw new Error("Scanning archives is not supported on Windows."); + } const result = { scannedFiles: 0, findings: []
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index 12d1b216c..cce51af70 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -127577,6 +127577,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}` ); } + if (process.platform === "win32") { + throw new Error("Scanning archives is not supported on Windows."); + } const result = { scannedFiles: 0, findings: []
diff --git a/src/artifact-scanner.ts b/src/artifact-scanner.ts
index 90c424197..5f238811a 100644
--- a/src/artifact-scanner.ts
+++ b/src/artifact-scanner.ts
@@ -156,6 +156,10 @@ async function scanArchiveFile(
 );
 }
 
+ if (process.platform === "win32") {
+ throw new Error("Scanning archives is not supported on Windows.");
+ }
+
 const result: ScanResult = {
 scannedFiles: 0,
 findings: [],
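Review bot: The Windows guard added to `scanArchiveFile` in `src/artifact-scanner.ts` throws without naming the archive, whereas the depth-limit error just above it (going by the bundled copies under `lib/`) interpolates `${archivePath}`, so a log reader cannot tell which artifact went unscanned. Including the path would fix that, e.g. ``throw new Error(`Scanning archives is not supported on Windows; ${archivePath} was not scanned.`);``. How callers handle this throw is not visible here: if it is caught and logged and the artifact is still uploaded, archives on Windows pass the token scan unchecked, so the caller should record the file as "not scanned" rather than as "no findings". The function body starts and ends outside the hunk.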