Merge pull request #3892 from github/mbg/analysis-kinds/warn-on-multiple

Log error and only enable `code-scanning` if multiple analysis kinds are specified

CHANGELOG.md

@@ -4,6 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
+- If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892)
 - Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880)
 
 ## 4.35.4 - 07 May 2026

lib/analyze-action-post.js

@@ -127358,65 +127358,8 @@ var fs4 = __toESM(require("fs"));
 var path5 = __toESM(require("path"));
 var core9 = __toESM(require_core());
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-function withGroup(groupName, f) {
-  core7.startGroup(groupName);
-  try {
-    return f();
-  } finally {
-    core7.endGroup();
-  }
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/overlay/index.ts
 var fs3 = __toESM(require("fs"));
@@ -127425,14 +127368,14 @@ var path4 = __toESM(require("path"));
 // src/git-utils.ts
 var fs2 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core6.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -127453,7 +127396,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -127582,7 +127525,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core6.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -127719,17 +127662,22 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
 }
 
 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver4.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }
 
 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -127948,6 +127896,63 @@ var featureConfig = {
   }
 };
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+function withGroup(groupName, f) {
+  core8.startGroup(groupName);
+  try {
+    return f();
+  } finally {
+    core8.endGroup();
+  }
+}
+
 // src/languages/builtin.json
 var builtin_default = {
   languages: [

lib/autobuild-action.js

@@ -86171,59 +86171,10 @@ var fs5 = __toESM(require("fs"));
 var path6 = __toESM(require("path"));
 var core9 = __toESM(require_core());
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
 var fs4 = __toESM(require("fs"));
 var path5 = __toESM(require("path"));
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
 var bundleVersion = "codeql-bundle-v2.25.4";
@@ -86236,14 +86187,14 @@ var path4 = __toESM(require("path"));
 // src/git-utils.ts
 var fs2 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core6.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -86264,7 +86215,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -86393,7 +86344,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core6.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -86530,7 +86481,7 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
 }
 
 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
@@ -86543,6 +86494,11 @@ var LINKED_CODEQL_VERSION = {
   tagName: bundleVersion
 };
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -86928,7 +86884,7 @@ var GitHubFeatureFlags = class {
       DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length,
       f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length
     ).replace(/_/g, ".");
-    if (!semver5.valid(version)) {
+    if (!semver4.valid(version)) {
       this.logger.warning(
         `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`
       );
@@ -86945,7 +86901,7 @@ var GitHubFeatureFlags = class {
     const response = await this.getAllFeatures();
     const sortedCliVersions = Object.entries(response).map(
       ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0
-    ).filter((f) => f !== void 0).sort(semver5.rcompare);
+    ).filter((f) => f !== void 0).sort(semver4.rcompare);
     if (sortedCliVersions.length === 0) {
       this.logger.warning(
         `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.`
@@ -87089,6 +87045,55 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) {
   }
 }
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/languages/builtin.json
 var builtin_default = {
   languages: [

lib/init-action-post.js

@@ -130753,199 +130753,10 @@ var fs8 = __toESM(require("fs"));
 var path8 = __toESM(require("path"));
 var core9 = __toESM(require_core());
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-var CodeScanning = {
-  kind: "code-scanning" /* CodeScanning */,
-  name: "code scanning",
-  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
-  sarifExtension: ".sarif",
-  sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name),
-  fixCategory: (_2, category) => category,
-  sentinelPrefix: "CODEQL_UPLOAD_SARIF_",
-  transformPayload: (payload) => payload
-};
-var CodeQuality = {
-  kind: "code-quality" /* CodeQuality */,
-  name: "code quality",
-  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
-  sarifExtension: ".quality.sarif",
-  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
-  fixCategory: fixCodeQualityCategory,
-  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_",
-  transformPayload: (payload) => payload
-};
-function addAssessmentId(payload) {
-  const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */);
-  const assessmentId = parseInt(rawAssessmentId, 10);
-  if (Number.isNaN(assessmentId)) {
-    throw new Error(
-      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}`
-    );
-  }
-  if (assessmentId < 0) {
-    throw new Error(
-      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}`
-    );
-  }
-  return { sarif: payload.sarif, assessment_id: assessmentId };
-}
-var RiskAssessment = {
-  kind: "risk-assessment" /* RiskAssessment */,
-  name: "code scanning risk assessment",
-  target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */,
-  sarifExtension: ".csra.sarif",
-  sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension),
-  fixCategory: (_2, category) => category,
-  sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_",
-  transformPayload: addAssessmentId
-};
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/diagnostics.ts
-var import_fs = require("fs");
-var import_path = __toESM(require("path"));
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-function withGroup(groupName, f) {
-  core7.startGroup(groupName);
-  try {
-    return f();
-  } finally {
-    core7.endGroup();
-  }
-}
-function formatDuration(durationMs) {
-  if (durationMs < 1e3) {
-    return `${durationMs}ms`;
-  }
-  if (durationMs < 60 * 1e3) {
-    return `${(durationMs / 1e3).toFixed(1)}s`;
-  }
-  const minutes = Math.floor(durationMs / (60 * 1e3));
-  const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3);
-  return `${minutes}m${seconds}s`;
-}
-
-// src/diagnostics.ts
-var unwrittenDiagnostics = [];
-var unwrittenDefaultLanguageDiagnostics = [];
-var diagnosticCounter = 0;
-function makeDiagnostic(id, name, data = void 0) {
-  return {
-    ...data,
-    timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
-    source: { ...data?.source, id, name }
-  };
-}
-function addDiagnostic(config, language, diagnostic) {
-  const logger = getActionsLogger();
-  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
-  if ((0, import_fs.existsSync)(databasePath)) {
-    writeDiagnostic(config, language, diagnostic);
-  } else {
-    logger.debug(
-      `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.`
-    );
-    unwrittenDiagnostics.push({ diagnostic, language });
-  }
-}
-function addNoLanguageDiagnostic(config, diagnostic) {
-  if (config !== void 0) {
-    addDiagnostic(
-      config,
-      // Arbitrarily choose the first language. We could also choose all languages, but that
-      // increases the risk of misinterpreting the data.
-      config.languages[0],
-      diagnostic
-    );
-  } else {
-    unwrittenDefaultLanguageDiagnostics.push(diagnostic);
-  }
-}
-function writeDiagnostic(config, language, diagnostic) {
-  const logger = getActionsLogger();
-  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
-  const diagnosticsPath = import_path.default.resolve(
-    databasePath,
-    "diagnostic",
-    "codeql-action"
-  );
-  try {
-    (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true });
-    const uniqueSuffix = (diagnosticCounter++).toString();
-    const sanitizedTimestamp = diagnostic.timestamp.replace(
-      /[^a-zA-Z0-9.-]/g,
-      ""
-    );
-    const jsonPath = import_path.default.resolve(
-      diagnosticsPath,
-      `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json`
-    );
-    (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic));
-  } catch (err) {
-    logger.warning(`Unable to write diagnostic message to database: ${err}`);
-    logger.debug(JSON.stringify(diagnostic));
-  }
-}
-function makeTelemetryDiagnostic(id, name, attributes) {
-  return makeDiagnostic(id, name, {
-    attributes,
-    visibility: {
-      cliSummaryTable: false,
-      statusPage: false,
-      telemetry: true
-    }
-  });
-}
-
-// src/diff-informed-analysis-utils.ts
-var fs6 = __toESM(require("fs"));
-
 // src/feature-flags.ts
 var fs5 = __toESM(require("fs"));
-var path6 = __toESM(require("path"));
-var semver5 = __toESM(require_semver2());
+var path5 = __toESM(require("path"));
+var semver4 = __toESM(require_semver2());
 
 // src/defaults.json
 var bundleVersion = "codeql-bundle-v2.25.4";
@@ -130953,19 +130764,19 @@ var cliVersion = "2.25.4";
 
 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
-var path5 = __toESM(require("path"));
+var path4 = __toESM(require("path"));
 
 // src/git-utils.ts
 var fs3 = __toESM(require("fs"));
-var path4 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var path3 = __toESM(require("path"));
+var core7 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core7.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -130986,7 +130797,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -131082,7 +130893,7 @@ var getGitRoot = async function(sourceRoot) {
   }
 };
 function hasSubmodules(gitRoot) {
-  return fs3.existsSync(path4.join(gitRoot, ".gitmodules"));
+  return fs3.existsSync(path3.join(gitRoot, ".gitmodules"));
 }
 var getFileOidsUnderPath = async function(basePath) {
   const gitRoot = await getGitRoot(basePath);
@@ -131149,7 +130960,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core7.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -131214,7 +131025,7 @@ async function writeOverlayChangesFile(config, sourceRoot, logger) {
   const diffRangeFiles = await getDiffRangeFilePaths(sourceRoot, logger);
   const changedFiles = [.../* @__PURE__ */ new Set([...oidChangedFiles, ...diffRangeFiles])];
   const changedFilesJson = JSON.stringify({ changes: changedFiles });
-  const overlayChangesFile = path5.join(
+  const overlayChangesFile = path4.join(
     getTemporaryDirectory(),
     "overlay-changes.json"
   );
@@ -131280,19 +131091,19 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
     return [...new Set(diffRanges.map((r) => r.path))];
   }
   const relativePaths = diffRanges.map(
-    (r) => path5.relative(sourceRoot, path5.join(repoRoot, r.path)).replaceAll(path5.sep, "/")
+    (r) => path4.relative(sourceRoot, path4.join(repoRoot, r.path)).replaceAll(path4.sep, "/")
   ).filter((rel) => !rel.startsWith(".."));
   return [...new Set(relativePaths)];
 }
 
 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver4.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }
 
 // src/feature-flags.ts
@@ -131304,6 +131115,11 @@ var LINKED_CODEQL_VERSION = {
   tagName: bundleVersion
 };
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -131630,7 +131446,7 @@ var Features = class extends OfflineFeatures {
     super(logger);
     this.gitHubFeatureFlags = new GitHubFeatureFlags(
       repositoryNwo,
-      path6.join(tempDir, FEATURE_FLAGS_FILE_NAME),
+      path5.join(tempDir, FEATURE_FLAGS_FILE_NAME),
       logger
     );
   }
@@ -131689,7 +131505,7 @@ var GitHubFeatureFlags = class {
       DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length,
       f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length
     ).replace(/_/g, ".");
-    if (!semver5.valid(version)) {
+    if (!semver4.valid(version)) {
       this.logger.warning(
         `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`
       );
@@ -131706,7 +131522,7 @@ var GitHubFeatureFlags = class {
     const response = await this.getAllFeatures();
     const sortedCliVersions = Object.entries(response).map(
       ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0
-    ).filter((f) => f !== void 0).sort(semver5.rcompare);
+    ).filter((f) => f !== void 0).sort(semver4.rcompare);
     if (sortedCliVersions.length === 0) {
       this.logger.warning(
         `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.`
@@ -131850,7 +131666,194 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) {
   }
 }
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+var CodeScanning = {
+  kind: "code-scanning" /* CodeScanning */,
+  name: "code scanning",
+  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
+  sarifExtension: ".sarif",
+  sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name),
+  fixCategory: (_2, category) => category,
+  sentinelPrefix: "CODEQL_UPLOAD_SARIF_",
+  transformPayload: (payload) => payload
+};
+var CodeQuality = {
+  kind: "code-quality" /* CodeQuality */,
+  name: "code quality",
+  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
+  sarifExtension: ".quality.sarif",
+  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
+  fixCategory: fixCodeQualityCategory,
+  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_",
+  transformPayload: (payload) => payload
+};
+function addAssessmentId(payload) {
+  const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */);
+  const assessmentId = parseInt(rawAssessmentId, 10);
+  if (Number.isNaN(assessmentId)) {
+    throw new Error(
+      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}`
+    );
+  }
+  if (assessmentId < 0) {
+    throw new Error(
+      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}`
+    );
+  }
+  return { sarif: payload.sarif, assessment_id: assessmentId };
+}
+var RiskAssessment = {
+  kind: "risk-assessment" /* RiskAssessment */,
+  name: "code scanning risk assessment",
+  target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */,
+  sarifExtension: ".csra.sarif",
+  sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension),
+  fixCategory: (_2, category) => category,
+  sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_",
+  transformPayload: addAssessmentId
+};
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/diagnostics.ts
+var import_fs = require("fs");
+var import_path = __toESM(require("path"));
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+function withGroup(groupName, f) {
+  core8.startGroup(groupName);
+  try {
+    return f();
+  } finally {
+    core8.endGroup();
+  }
+}
+function formatDuration(durationMs) {
+  if (durationMs < 1e3) {
+    return `${durationMs}ms`;
+  }
+  if (durationMs < 60 * 1e3) {
+    return `${(durationMs / 1e3).toFixed(1)}s`;
+  }
+  const minutes = Math.floor(durationMs / (60 * 1e3));
+  const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3);
+  return `${minutes}m${seconds}s`;
+}
+
+// src/diagnostics.ts
+var unwrittenDiagnostics = [];
+var unwrittenDefaultLanguageDiagnostics = [];
+var diagnosticCounter = 0;
+function makeDiagnostic(id, name, data = void 0) {
+  return {
+    ...data,
+    timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
+    source: { ...data?.source, id, name }
+  };
+}
+function addDiagnostic(config, language, diagnostic) {
+  const logger = getActionsLogger();
+  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
+  if ((0, import_fs.existsSync)(databasePath)) {
+    writeDiagnostic(config, language, diagnostic);
+  } else {
+    logger.debug(
+      `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.`
+    );
+    unwrittenDiagnostics.push({ diagnostic, language });
+  }
+}
+function addNoLanguageDiagnostic(config, diagnostic) {
+  if (config !== void 0) {
+    addDiagnostic(
+      config,
+      // Arbitrarily choose the first language. We could also choose all languages, but that
+      // increases the risk of misinterpreting the data.
+      config.languages[0],
+      diagnostic
+    );
+  } else {
+    unwrittenDefaultLanguageDiagnostics.push(diagnostic);
+  }
+}
+function writeDiagnostic(config, language, diagnostic) {
+  const logger = getActionsLogger();
+  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
+  const diagnosticsPath = import_path.default.resolve(
+    databasePath,
+    "diagnostic",
+    "codeql-action"
+  );
+  try {
+    (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true });
+    const uniqueSuffix = (diagnosticCounter++).toString();
+    const sanitizedTimestamp = diagnostic.timestamp.replace(
+      /[^a-zA-Z0-9.-]/g,
+      ""
+    );
+    const jsonPath = import_path.default.resolve(
+      diagnosticsPath,
+      `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json`
+    );
+    (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic));
+  } catch (err) {
+    logger.warning(`Unable to write diagnostic message to database: ${err}`);
+    logger.debug(JSON.stringify(diagnostic));
+  }
+}
+function makeTelemetryDiagnostic(id, name, attributes) {
+  return makeDiagnostic(id, name, {
+    attributes,
+    visibility: {
+      cliSummaryTable: false,
+      statusPage: false,
+      telemetry: true
+    }
+  });
+}
+
 // src/diff-informed-analysis-utils.ts
+var fs6 = __toESM(require("fs"));
 function readDiffRangesJsonFile(logger) {
   const jsonFilePath = getDiffRangesJsonFilePath();
   if (!fs6.existsSync(jsonFilePath)) {

lib/resolve-environment-action.js

@@ -86170,57 +86170,8 @@ var fs4 = __toESM(require("fs"));
 var path5 = __toESM(require("path"));
 var core9 = __toESM(require_core());
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/overlay/index.ts
 var fs3 = __toESM(require("fs"));
@@ -86229,14 +86180,14 @@ var path4 = __toESM(require("path"));
 // src/git-utils.ts
 var fs2 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core6.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -86257,7 +86208,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -86386,7 +86337,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core6.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -86523,13 +86474,18 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
 }
 
 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
 
 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -86748,6 +86704,55 @@ var featureConfig = {
   }
 };
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/languages/builtin.json
 var builtin_default = {
   languages: [

lib/setup-codeql-action.js

@@ -85857,65 +85857,10 @@ function isAnalyzingPullRequest() {
   return getPullRequestBranches() !== void 0;
 }
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var compatibilityMatrix = {
-  ["code-scanning" /* CodeScanning */]: /* @__PURE__ */ new Set(["code-quality" /* CodeQuality */]),
-  ["code-quality" /* CodeQuality */]: /* @__PURE__ */ new Set(["code-scanning" /* CodeScanning */]),
-  ["risk-assessment" /* RiskAssessment */]: /* @__PURE__ */ new Set()
-};
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-async function parseAnalysisKinds(input) {
-  const components = input.split(",");
-  if (components.length < 1) {
-    throw new ConfigurationError(
-      "At least one analysis kind must be configured."
-    );
-  }
-  for (const component of components) {
-    if (!supportedAnalysisKinds.has(component)) {
-      throw new ConfigurationError(`Unknown analysis kind: ${component}`);
-    }
-  }
-  return Array.from(
-    new Set(components.map((component) => component))
-  );
-}
-var cachedAnalysisKinds;
-async function getAnalysisKinds(logger, skipCache = false) {
-  if (!skipCache && cachedAnalysisKinds !== void 0) {
-    return cachedAnalysisKinds;
-  }
-  const analysisKinds = await parseAnalysisKinds(
-    getRequiredInput("analysis-kinds")
-  );
-  const qualityQueriesInput = getOptionalInput("quality-queries");
-  if (qualityQueriesInput !== void 0) {
-    logger.warning(
-      "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. Use the `analysis-kinds` input to configure different analysis kinds instead."
-    );
-  }
-  if (!analysisKinds.includes("code-quality" /* CodeQuality */) && qualityQueriesInput !== void 0) {
-    analysisKinds.push("code-quality" /* CodeQuality */);
-  }
-  for (const analysisKind of analysisKinds) {
-    for (const otherAnalysisKind of analysisKinds) {
-      if (analysisKind === otherAnalysisKind) continue;
-      if (!compatibilityMatrix[analysisKind].has(otherAnalysisKind)) {
-        throw new ConfigurationError(
-          `${analysisKind} and ${otherAnalysisKind} cannot be enabled at the same time`
-        );
-      }
-    }
-  }
-  cachedAnalysisKinds = analysisKinds;
-  return cachedAnalysisKinds;
-}
+// src/feature-flags.ts
+var fs5 = __toESM(require("fs"));
+var path5 = __toESM(require("path"));
+var semver4 = __toESM(require_semver2());
 
 // src/api-client.ts
 var core5 = __toESM(require_core());
@@ -86184,166 +86129,25 @@ function wrapApiConfigurationError(e) {
   return e;
 }
 
-// src/config-utils.ts
-var core9 = __toESM(require_core());
-
-// src/caching-utils.ts
-var crypto2 = __toESM(require("crypto"));
-var core6 = __toESM(require_core());
-var cacheKeyHashLength = 16;
-function createCacheKeyHash(components) {
-  const componentsJson = JSON.stringify(components);
-  return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength);
-}
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/diagnostics.ts
-var import_fs = require("fs");
-var import_path = __toESM(require("path"));
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-function formatDuration(durationMs) {
-  if (durationMs < 1e3) {
-    return `${durationMs}ms`;
-  }
-  if (durationMs < 60 * 1e3) {
-    return `${(durationMs / 1e3).toFixed(1)}s`;
-  }
-  const minutes = Math.floor(durationMs / (60 * 1e3));
-  const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3);
-  return `${minutes}m${seconds}s`;
-}
-
-// src/diagnostics.ts
-var unwrittenDiagnostics = [];
-var unwrittenDefaultLanguageDiagnostics = [];
-var diagnosticCounter = 0;
-function makeDiagnostic(id, name, data = void 0) {
-  return {
-    ...data,
-    timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
-    source: { ...data?.source, id, name }
-  };
-}
-function addDiagnostic(config, language, diagnostic) {
-  const logger = getActionsLogger();
-  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
-  if ((0, import_fs.existsSync)(databasePath)) {
-    writeDiagnostic(config, language, diagnostic);
-  } else {
-    logger.debug(
-      `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.`
-    );
-    unwrittenDiagnostics.push({ diagnostic, language });
-  }
-}
-function addNoLanguageDiagnostic(config, diagnostic) {
-  if (config !== void 0) {
-    addDiagnostic(
-      config,
-      // Arbitrarily choose the first language. We could also choose all languages, but that
-      // increases the risk of misinterpreting the data.
-      config.languages[0],
-      diagnostic
-    );
-  } else {
-    unwrittenDefaultLanguageDiagnostics.push(diagnostic);
-  }
-}
-function writeDiagnostic(config, language, diagnostic) {
-  const logger = getActionsLogger();
-  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
-  const diagnosticsPath = import_path.default.resolve(
-    databasePath,
-    "diagnostic",
-    "codeql-action"
-  );
-  try {
-    (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true });
-    const uniqueSuffix = (diagnosticCounter++).toString();
-    const sanitizedTimestamp = diagnostic.timestamp.replace(
-      /[^a-zA-Z0-9.-]/g,
-      ""
-    );
-    const jsonPath = import_path.default.resolve(
-      diagnosticsPath,
-      `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json`
-    );
-    (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic));
-  } catch (err) {
-    logger.warning(`Unable to write diagnostic message to database: ${err}`);
-    logger.debug(JSON.stringify(diagnostic));
-  }
-}
-function makeTelemetryDiagnostic(id, name, attributes) {
-  return makeDiagnostic(id, name, {
-    attributes,
-    visibility: {
-      cliSummaryTable: false,
-      statusPage: false,
-      telemetry: true
-    }
-  });
-}
-
-// src/feature-flags.ts
-var fs5 = __toESM(require("fs"));
-var path6 = __toESM(require("path"));
-var semver5 = __toESM(require_semver2());
-
 // src/defaults.json
 var bundleVersion = "codeql-bundle-v2.25.4";
 var cliVersion = "2.25.4";
 
 // src/overlay/index.ts
 var fs4 = __toESM(require("fs"));
-var path5 = __toESM(require("path"));
+var path4 = __toESM(require("path"));
 
 // src/git-utils.ts
 var fs3 = __toESM(require("fs"));
-var path4 = __toESM(require("path"));
-var core8 = __toESM(require_core());
+var path3 = __toESM(require("path"));
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) {
   let stdout = "";
   let stderr = "";
-  core8.debug(`Running git command: git ${args.join(" ")}`);
+  core6.debug(`Running git command: git ${args.join(" ")}`);
   try {
     await new toolrunner2.ToolRunner(await io3.which("git", true), args, {
       silent: true,
@@ -86364,7 +86168,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o
     if (stderr.includes("not a git repository")) {
       reason = "The checkout path provided to the action does not appear to be a git repository.";
     }
-    core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+    core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
     throw error3;
   }
 };
@@ -86426,7 +86230,7 @@ var getGitRoot = async function(sourceRoot) {
   }
 };
 function hasSubmodules(gitRoot) {
-  return fs3.existsSync(path4.join(gitRoot, ".gitmodules"));
+  return fs3.existsSync(path3.join(gitRoot, ".gitmodules"));
 }
 var getFileOidsUnderPath = async function(basePath) {
   const gitRoot = await getGitRoot(basePath);
@@ -86493,7 +86297,7 @@ async function getRef() {
   ) !== head;
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
-    core8.debug(
+    core6.debug(
       `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
     );
     return newRef;
@@ -86558,7 +86362,7 @@ async function writeOverlayChangesFile(config, sourceRoot, logger) {
   const diffRangeFiles = await getDiffRangeFilePaths(sourceRoot, logger);
   const changedFiles = [.../* @__PURE__ */ new Set([...oidChangedFiles, ...diffRangeFiles])];
   const changedFilesJson = JSON.stringify({ changes: changedFiles });
-  const overlayChangesFile = path5.join(
+  const overlayChangesFile = path4.join(
     getTemporaryDirectory(),
     "overlay-changes.json"
   );
@@ -86624,13 +86428,13 @@ async function getDiffRangeFilePaths(sourceRoot, logger) {
     return [...new Set(diffRanges.map((r) => r.path))];
   }
   const relativePaths = diffRanges.map(
-    (r) => path5.relative(sourceRoot, path5.join(repoRoot, r.path)).replaceAll(path5.sep, "/")
+    (r) => path4.relative(sourceRoot, path4.join(repoRoot, r.path)).replaceAll(path4.sep, "/")
   ).filter((rel) => !rel.startsWith(".."));
   return [...new Set(relativePaths)];
 }
 
 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 function isSupportedToolsFeature(versionInfo, feature) {
   return !!versionInfo.features && versionInfo.features[feature];
 }
@@ -86644,6 +86448,11 @@ var LINKED_CODEQL_VERSION = {
   tagName: bundleVersion
 };
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -86970,7 +86779,7 @@ var Features = class extends OfflineFeatures {
     super(logger);
     this.gitHubFeatureFlags = new GitHubFeatureFlags(
       repositoryNwo,
-      path6.join(tempDir, FEATURE_FLAGS_FILE_NAME),
+      path5.join(tempDir, FEATURE_FLAGS_FILE_NAME),
       logger
     );
   }
@@ -87029,7 +86838,7 @@ var GitHubFeatureFlags = class {
       DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length,
       f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length
     ).replace(/_/g, ".");
-    if (!semver5.valid(version)) {
+    if (!semver4.valid(version)) {
       this.logger.warning(
         `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.`
       );
@@ -87046,7 +86855,7 @@ var GitHubFeatureFlags = class {
     const response = await this.getAllFeatures();
     const sortedCliVersions = Object.entries(response).map(
       ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0
-    ).filter((f) => f !== void 0).sort(semver5.rcompare);
+    ).filter((f) => f !== void 0).sort(semver4.rcompare);
     if (sortedCliVersions.length === 0) {
       this.logger.warning(
         `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.`
@@ -87190,6 +86999,209 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) {
   }
 }
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var compatibilityMatrix = {
+  ["code-scanning" /* CodeScanning */]: /* @__PURE__ */ new Set(["code-quality" /* CodeQuality */]),
+  ["code-quality" /* CodeQuality */]: /* @__PURE__ */ new Set(["code-scanning" /* CodeScanning */]),
+  ["risk-assessment" /* RiskAssessment */]: /* @__PURE__ */ new Set()
+};
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+async function parseAnalysisKinds(input) {
+  const components = input.split(",");
+  if (components.length < 1) {
+    throw new ConfigurationError(
+      "At least one analysis kind must be configured."
+    );
+  }
+  for (const component of components) {
+    if (!supportedAnalysisKinds.has(component)) {
+      throw new ConfigurationError(`Unknown analysis kind: ${component}`);
+    }
+  }
+  return Array.from(
+    new Set(components.map((component) => component))
+  );
+}
+var cachedAnalysisKinds;
+async function getAnalysisKinds(logger, features, skipCache = false) {
+  if (!skipCache && cachedAnalysisKinds !== void 0) {
+    return cachedAnalysisKinds;
+  }
+  const analysisKinds = await parseAnalysisKinds(
+    getRequiredInput("analysis-kinds")
+  );
+  const qualityQueriesInput = getOptionalInput("quality-queries");
+  if (qualityQueriesInput !== void 0) {
+    logger.warning(
+      "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. Use the `analysis-kinds` input to configure different analysis kinds instead."
+    );
+  }
+  if (!analysisKinds.includes("code-quality" /* CodeQuality */) && qualityQueriesInput !== void 0) {
+    analysisKinds.push("code-quality" /* CodeQuality */);
+  }
+  for (const analysisKind of analysisKinds) {
+    for (const otherAnalysisKind of analysisKinds) {
+      if (analysisKind === otherAnalysisKind) continue;
+      if (!compatibilityMatrix[analysisKind].has(otherAnalysisKind)) {
+        throw new ConfigurationError(
+          `${analysisKind} and ${otherAnalysisKind} cannot be enabled at the same time`
+        );
+      }
+    }
+  }
+  if (!isInTestMode() && analysisKinds.length > 1 && !await features.getValue("allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */)) {
+    logger.error(
+      "The `analysis-kinds` input is experimental and for GitHub-internal use only. Its behaviour may change at any time or be removed entirely. Specifying multiple values as input is no longer supported. Continuing with only `analysis-kinds: code-scanning`."
+    );
+    cachedAnalysisKinds = ["code-scanning" /* CodeScanning */];
+    return cachedAnalysisKinds;
+  }
+  cachedAnalysisKinds = analysisKinds;
+  return cachedAnalysisKinds;
+}
+
+// src/config-utils.ts
+var core9 = __toESM(require_core());
+
+// src/caching-utils.ts
+var crypto2 = __toESM(require("crypto"));
+var core7 = __toESM(require_core());
+var cacheKeyHashLength = 16;
+function createCacheKeyHash(components) {
+  const componentsJson = JSON.stringify(components);
+  return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength);
+}
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/diagnostics.ts
+var import_fs = require("fs");
+var import_path = __toESM(require("path"));
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+function formatDuration(durationMs) {
+  if (durationMs < 1e3) {
+    return `${durationMs}ms`;
+  }
+  if (durationMs < 60 * 1e3) {
+    return `${(durationMs / 1e3).toFixed(1)}s`;
+  }
+  const minutes = Math.floor(durationMs / (60 * 1e3));
+  const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3);
+  return `${minutes}m${seconds}s`;
+}
+
+// src/diagnostics.ts
+var unwrittenDiagnostics = [];
+var unwrittenDefaultLanguageDiagnostics = [];
+var diagnosticCounter = 0;
+function makeDiagnostic(id, name, data = void 0) {
+  return {
+    ...data,
+    timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(),
+    source: { ...data?.source, id, name }
+  };
+}
+function addDiagnostic(config, language, diagnostic) {
+  const logger = getActionsLogger();
+  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
+  if ((0, import_fs.existsSync)(databasePath)) {
+    writeDiagnostic(config, language, diagnostic);
+  } else {
+    logger.debug(
+      `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.`
+    );
+    unwrittenDiagnostics.push({ diagnostic, language });
+  }
+}
+function addNoLanguageDiagnostic(config, diagnostic) {
+  if (config !== void 0) {
+    addDiagnostic(
+      config,
+      // Arbitrarily choose the first language. We could also choose all languages, but that
+      // increases the risk of misinterpreting the data.
+      config.languages[0],
+      diagnostic
+    );
+  } else {
+    unwrittenDefaultLanguageDiagnostics.push(diagnostic);
+  }
+}
+function writeDiagnostic(config, language, diagnostic) {
+  const logger = getActionsLogger();
+  const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation;
+  const diagnosticsPath = import_path.default.resolve(
+    databasePath,
+    "diagnostic",
+    "codeql-action"
+  );
+  try {
+    (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true });
+    const uniqueSuffix = (diagnosticCounter++).toString();
+    const sanitizedTimestamp = diagnostic.timestamp.replace(
+      /[^a-zA-Z0-9.-]/g,
+      ""
+    );
+    const jsonPath = import_path.default.resolve(
+      diagnosticsPath,
+      `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json`
+    );
+    (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic));
+  } catch (err) {
+    logger.warning(`Unable to write diagnostic message to database: ${err}`);
+    logger.debug(JSON.stringify(diagnostic));
+  }
+}
+function makeTelemetryDiagnostic(id, name, attributes) {
+  return makeDiagnostic(id, name, {
+    attributes,
+    visibility: {
+      cliSummaryTable: false,
+      statusPage: false,
+      telemetry: true
+    }
+  });
+}
+
 // src/languages/builtin.json
 var builtin_default = {
   languages: [
@@ -89525,7 +89537,7 @@ async function run(startedAt) {
     const rawLanguages = getRawLanguagesNoAutodetect(
       getOptionalInput("languages")
     );
-    const analysisKinds = await getAnalysisKinds(logger);
+    const analysisKinds = await getAnalysisKinds(logger, features);
     const initCodeQLResult = await initCodeQL(
       getOptionalInput("tools"),
       apiDetails,

lib/start-proxy-action-post.js

@@ -126977,63 +126977,14 @@ var fs = __toESM(require("fs"));
 var path = __toESM(require("path"));
 var core9 = __toESM(require_core());
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib2());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/git-utils.ts
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 
 // src/overlay/index.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
@@ -127046,10 +126997,15 @@ var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
 var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
 
 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 
 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -127268,6 +127224,55 @@ var featureConfig = {
   }
 };
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib2());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+
 // src/languages/builtin.json
 var builtin_default = {
   languages: [

lib/start-proxy-action.js

@@ -103182,6 +103182,11 @@ var LINKED_CODEQL_VERSION = {
   tagName: bundleVersion
 };
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",

lib/upload-sarif-action-post.js

@@ -126983,223 +126983,14 @@ var import_archiver = __toESM(require_archiver());
 // src/analyze.ts
 var io5 = __toESM(require_io());
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/autobuild.ts
-var core12 = __toESM(require_core());
-
-// src/codeql.ts
-var core11 = __toESM(require_core());
-var toolrunner3 = __toESM(require_toolrunner());
-
-// src/cli-errors.ts
-var cliErrorsConfig = {
-  ["AutobuildError" /* AutobuildError */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("We were unable to automatically build your code")
-    ]
-  },
-  ["CouldNotCreateTempDir" /* CouldNotCreateTempDir */]: {
-    cliErrorMessageCandidates: [new RegExp("Could not create temp directory")]
-  },
-  ["ExternalRepositoryCloneFailed" /* ExternalRepositoryCloneFailed */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("Failed to clone external Git repository")
-    ]
-  },
-  ["GradleBuildFailed" /* GradleBuildFailed */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("\\[autobuild\\] FAILURE: Build failed with an exception.")
-    ]
-  },
-  // Version of CodeQL CLI is incompatible with this version of the CodeQL Action
-  ["IncompatibleWithActionVersion" /* IncompatibleWithActionVersion */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("is not compatible with this CodeQL CLI")
-    ]
-  },
-  ["InitCalledTwice" /* InitCalledTwice */]: {
-    cliErrorMessageCandidates: [
-      new RegExp(
-        "Refusing to create databases .* but could not process any of it"
-      )
-    ],
-    additionalErrorMessageToAppend: `Is the "init" action called twice in the same job?`
-  },
-  ["InvalidConfigFile" /* InvalidConfigFile */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("Config file .* is not valid"),
-      new RegExp("The supplied config file is empty")
-    ]
-  },
-  ["InvalidExternalRepoSpecifier" /* InvalidExternalRepoSpecifier */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("Specifier for external repository is invalid")
-    ]
-  },
-  // Expected source location for database creation does not exist
-  ["InvalidSourceRoot" /* InvalidSourceRoot */]: {
-    cliErrorMessageCandidates: [new RegExp("Invalid source root")]
-  },
-  ["MavenBuildFailed" /* MavenBuildFailed */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("\\[autobuild\\] \\[ERROR\\] Failed to execute goal")
-    ]
-  },
-  ["NoBuildCommandAutodetected" /* NoBuildCommandAutodetected */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("Could not auto-detect a suitable build method")
-    ]
-  },
-  ["NoBuildMethodAutodetected" /* NoBuildMethodAutodetected */]: {
-    cliErrorMessageCandidates: [
-      new RegExp(
-        "Could not detect a suitable build command for the source checkout"
-      )
-    ]
-  },
-  // Usually when a manual build script has failed, or if an autodetected language
-  // was unintended to have CodeQL analysis run on it.
-  ["NoSourceCodeSeen" /* NoSourceCodeSeen */]: {
-    exitCode: 32,
-    cliErrorMessageCandidates: [
-      new RegExp(
-        "CodeQL detected code written in .* but could not process any of it"
-      ),
-      new RegExp(
-        "CodeQL did not detect any code written in languages supported by CodeQL"
-      )
-    ]
-  },
-  ["NoSupportedBuildCommandSucceeded" /* NoSupportedBuildCommandSucceeded */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("No supported build command succeeded")
-    ]
-  },
-  ["NoSupportedBuildSystemDetected" /* NoSupportedBuildSystemDetected */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("No supported build system detected")
-    ]
-  },
-  ["OutOfMemoryOrDisk" /* OutOfMemoryOrDisk */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("CodeQL is out of memory."),
-      new RegExp("out of disk"),
-      new RegExp("No space left on device")
-    ],
-    additionalErrorMessageToAppend: "For more information, see https://gh.io/troubleshooting-code-scanning/out-of-disk-or-memory"
-  },
-  ["PackCannotBeFound" /* PackCannotBeFound */]: {
-    cliErrorMessageCandidates: [
-      new RegExp(
-        "Query pack .* cannot be found\\. Check the spelling of the pack\\."
-      ),
-      new RegExp(
-        "is not a .ql file, .qls file, a directory, or a query pack specification."
-      )
-    ]
-  },
-  ["PackMissingAuth" /* PackMissingAuth */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("GitHub Container registry .* 403 Forbidden"),
-      new RegExp(
-        "Do you need to specify a token to authenticate to the registry?"
-      )
-    ]
-  },
-  ["SwiftBuildFailed" /* SwiftBuildFailed */]: {
-    cliErrorMessageCandidates: [
-      new RegExp(
-        "\\[autobuilder/build\\] \\[build-command-failed\\] `autobuild` failed to run the build command"
-      )
-    ]
-  },
-  ["SwiftIncompatibleOs" /* SwiftIncompatibleOs */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("\\[incompatible-os\\]"),
-      new RegExp("Swift analysis is only supported on macOS")
-    ]
-  },
-  ["UnsupportedBuildMode" /* UnsupportedBuildMode */]: {
-    cliErrorMessageCandidates: [
-      new RegExp(
-        "does not support the .* build mode. Please try using one of the following build modes instead"
-      )
-    ]
-  },
-  ["NotFoundInRegistry" /* NotFoundInRegistry */]: {
-    cliErrorMessageCandidates: [
-      new RegExp("'.*' not found in the registry '.*'")
-    ]
-  }
-};
-
-// src/config-utils.ts
-var core9 = __toESM(require_core());
-
-// src/caching-utils.ts
-var core6 = __toESM(require_core());
-
-// src/config/db-config.ts
-var jsonschema = __toESM(require_lib5());
-var semver2 = __toESM(require_semver2());
-
-// src/feature-flags/properties.ts
-var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
-  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
-  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
-  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
-  return RepositoryPropertyName2;
-})(RepositoryPropertyName || {});
-var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
-  Object.values(RepositoryPropertyName)
-);
-
-// src/config/db-config.ts
-var PACK_IDENTIFIER_PATTERN = (function() {
-  const alphaNumeric = "[a-z0-9]";
-  const alphaNumericDash = "[a-z0-9-]";
-  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
-  return new RegExp(`^${component}/${component}$`);
-})();
-
-// src/logging.ts
-var core7 = __toESM(require_core());
-function getActionsLogger() {
-  return {
-    debug: core7.debug,
-    info: core7.info,
-    warning: core7.warning,
-    error: core7.error,
-    isDebug: core7.isDebug,
-    startGroup: core7.startGroup,
-    endGroup: core7.endGroup
-  };
-}
-function withGroup(groupName, f) {
-  core7.startGroup(groupName);
-  try {
-    return f();
-  } finally {
-    core7.endGroup();
-  }
-}
-
 // src/feature-flags.ts
-var semver5 = __toESM(require_semver2());
+var semver4 = __toESM(require_semver2());
 
 // src/git-utils.ts
-var core8 = __toESM(require_core());
+var core6 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
-var semver3 = __toESM(require_semver2());
+var semver2 = __toESM(require_semver2());
 
 // src/overlay/index.ts
 var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
@@ -127212,14 +127003,19 @@ var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
 var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
 
 // src/tools-features.ts
-var semver4 = __toESM(require_semver2());
+var semver3 = __toESM(require_semver2());
 var SafeArtifactUploadVersion = "2.20.3";
 function isSafeArtifactUpload(codeQlVersion) {
-  return !codeQlVersion ? true : semver4.gte(codeQlVersion, SafeArtifactUploadVersion);
+  return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion);
 }
 
 // src/feature-flags.ts
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -127438,6 +127234,215 @@ var featureConfig = {
   }
 };
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/autobuild.ts
+var core12 = __toESM(require_core());
+
+// src/codeql.ts
+var core11 = __toESM(require_core());
+var toolrunner3 = __toESM(require_toolrunner());
+
+// src/cli-errors.ts
+var cliErrorsConfig = {
+  ["AutobuildError" /* AutobuildError */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("We were unable to automatically build your code")
+    ]
+  },
+  ["CouldNotCreateTempDir" /* CouldNotCreateTempDir */]: {
+    cliErrorMessageCandidates: [new RegExp("Could not create temp directory")]
+  },
+  ["ExternalRepositoryCloneFailed" /* ExternalRepositoryCloneFailed */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("Failed to clone external Git repository")
+    ]
+  },
+  ["GradleBuildFailed" /* GradleBuildFailed */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("\\[autobuild\\] FAILURE: Build failed with an exception.")
+    ]
+  },
+  // Version of CodeQL CLI is incompatible with this version of the CodeQL Action
+  ["IncompatibleWithActionVersion" /* IncompatibleWithActionVersion */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("is not compatible with this CodeQL CLI")
+    ]
+  },
+  ["InitCalledTwice" /* InitCalledTwice */]: {
+    cliErrorMessageCandidates: [
+      new RegExp(
+        "Refusing to create databases .* but could not process any of it"
+      )
+    ],
+    additionalErrorMessageToAppend: `Is the "init" action called twice in the same job?`
+  },
+  ["InvalidConfigFile" /* InvalidConfigFile */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("Config file .* is not valid"),
+      new RegExp("The supplied config file is empty")
+    ]
+  },
+  ["InvalidExternalRepoSpecifier" /* InvalidExternalRepoSpecifier */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("Specifier for external repository is invalid")
+    ]
+  },
+  // Expected source location for database creation does not exist
+  ["InvalidSourceRoot" /* InvalidSourceRoot */]: {
+    cliErrorMessageCandidates: [new RegExp("Invalid source root")]
+  },
+  ["MavenBuildFailed" /* MavenBuildFailed */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("\\[autobuild\\] \\[ERROR\\] Failed to execute goal")
+    ]
+  },
+  ["NoBuildCommandAutodetected" /* NoBuildCommandAutodetected */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("Could not auto-detect a suitable build method")
+    ]
+  },
+  ["NoBuildMethodAutodetected" /* NoBuildMethodAutodetected */]: {
+    cliErrorMessageCandidates: [
+      new RegExp(
+        "Could not detect a suitable build command for the source checkout"
+      )
+    ]
+  },
+  // Usually when a manual build script has failed, or if an autodetected language
+  // was unintended to have CodeQL analysis run on it.
+  ["NoSourceCodeSeen" /* NoSourceCodeSeen */]: {
+    exitCode: 32,
+    cliErrorMessageCandidates: [
+      new RegExp(
+        "CodeQL detected code written in .* but could not process any of it"
+      ),
+      new RegExp(
+        "CodeQL did not detect any code written in languages supported by CodeQL"
+      )
+    ]
+  },
+  ["NoSupportedBuildCommandSucceeded" /* NoSupportedBuildCommandSucceeded */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("No supported build command succeeded")
+    ]
+  },
+  ["NoSupportedBuildSystemDetected" /* NoSupportedBuildSystemDetected */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("No supported build system detected")
+    ]
+  },
+  ["OutOfMemoryOrDisk" /* OutOfMemoryOrDisk */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("CodeQL is out of memory."),
+      new RegExp("out of disk"),
+      new RegExp("No space left on device")
+    ],
+    additionalErrorMessageToAppend: "For more information, see https://gh.io/troubleshooting-code-scanning/out-of-disk-or-memory"
+  },
+  ["PackCannotBeFound" /* PackCannotBeFound */]: {
+    cliErrorMessageCandidates: [
+      new RegExp(
+        "Query pack .* cannot be found\\. Check the spelling of the pack\\."
+      ),
+      new RegExp(
+        "is not a .ql file, .qls file, a directory, or a query pack specification."
+      )
+    ]
+  },
+  ["PackMissingAuth" /* PackMissingAuth */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("GitHub Container registry .* 403 Forbidden"),
+      new RegExp(
+        "Do you need to specify a token to authenticate to the registry?"
+      )
+    ]
+  },
+  ["SwiftBuildFailed" /* SwiftBuildFailed */]: {
+    cliErrorMessageCandidates: [
+      new RegExp(
+        "\\[autobuilder/build\\] \\[build-command-failed\\] `autobuild` failed to run the build command"
+      )
+    ]
+  },
+  ["SwiftIncompatibleOs" /* SwiftIncompatibleOs */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("\\[incompatible-os\\]"),
+      new RegExp("Swift analysis is only supported on macOS")
+    ]
+  },
+  ["UnsupportedBuildMode" /* UnsupportedBuildMode */]: {
+    cliErrorMessageCandidates: [
+      new RegExp(
+        "does not support the .* build mode. Please try using one of the following build modes instead"
+      )
+    ]
+  },
+  ["NotFoundInRegistry" /* NotFoundInRegistry */]: {
+    cliErrorMessageCandidates: [
+      new RegExp("'.*' not found in the registry '.*'")
+    ]
+  }
+};
+
+// src/config-utils.ts
+var core9 = __toESM(require_core());
+
+// src/caching-utils.ts
+var core7 = __toESM(require_core());
+
+// src/config/db-config.ts
+var jsonschema = __toESM(require_lib5());
+var semver5 = __toESM(require_semver2());
+
+// src/feature-flags/properties.ts
+var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
+  RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
+  RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
+  RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
+  return RepositoryPropertyName2;
+})(RepositoryPropertyName || {});
+var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
+  Object.values(RepositoryPropertyName)
+);
+
+// src/config/db-config.ts
+var PACK_IDENTIFIER_PATTERN = (function() {
+  const alphaNumeric = "[a-z0-9]";
+  const alphaNumericDash = "[a-z0-9-]";
+  const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+  return new RegExp(`^${component}/${component}$`);
+})();
+
+// src/logging.ts
+var core8 = __toESM(require_core());
+function getActionsLogger() {
+  return {
+    debug: core8.debug,
+    info: core8.info,
+    warning: core8.warning,
+    error: core8.error,
+    isDebug: core8.isDebug,
+    startGroup: core8.startGroup,
+    endGroup: core8.endGroup
+  };
+}
+function withGroup(groupName, f) {
+  core8.startGroup(groupName);
+  try {
+    return f();
+  } finally {
+    core8.endGroup();
+  }
+}
+
 // src/languages/builtin.json
 var builtin_default = {
   languages: [

lib/upload-sarif-action.js

@@ -88719,74 +88719,10 @@ function fixCodeQualityCategory(logger, category) {
   return category;
 }
 
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
-  AnalysisKind2["CodeScanning"] = "code-scanning";
-  AnalysisKind2["CodeQuality"] = "code-quality";
-  AnalysisKind2["RiskAssessment"] = "risk-assessment";
-  return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-var CodeScanning = {
-  kind: "code-scanning" /* CodeScanning */,
-  name: "code scanning",
-  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
-  sarifExtension: ".sarif",
-  sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name),
-  fixCategory: (_, category) => category,
-  sentinelPrefix: "CODEQL_UPLOAD_SARIF_",
-  transformPayload: (payload) => payload
-};
-var CodeQuality = {
-  kind: "code-quality" /* CodeQuality */,
-  name: "code quality",
-  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
-  sarifExtension: ".quality.sarif",
-  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
-  fixCategory: fixCodeQualityCategory,
-  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_",
-  transformPayload: (payload) => payload
-};
-function addAssessmentId(payload) {
-  const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */);
-  const assessmentId = parseInt(rawAssessmentId, 10);
-  if (Number.isNaN(assessmentId)) {
-    throw new Error(
-      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}`
-    );
-  }
-  if (assessmentId < 0) {
-    throw new Error(
-      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}`
-    );
-  }
-  return { sarif: payload.sarif, assessment_id: assessmentId };
-}
-var RiskAssessment = {
-  kind: "risk-assessment" /* RiskAssessment */,
-  name: "code scanning risk assessment",
-  target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */,
-  sarifExtension: ".csra.sarif",
-  sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension),
-  fixCategory: (_, category) => category,
-  sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_",
-  transformPayload: addAssessmentId
-};
-function getAnalysisConfig(kind) {
-  switch (kind) {
-    case "code-scanning" /* CodeScanning */:
-      return CodeScanning;
-    case "code-quality" /* CodeQuality */:
-      return CodeQuality;
-    case "risk-assessment" /* RiskAssessment */:
-      return RiskAssessment;
-  }
-}
-var SarifScanOrder = [
-  RiskAssessment,
-  CodeQuality,
-  CodeScanning
-];
+// src/feature-flags.ts
+var fs5 = __toESM(require("fs"));
+var path5 = __toESM(require("path"));
+var semver4 = __toESM(require_semver2());
 
 // src/api-client.ts
 var core5 = __toESM(require_core());
@@ -89055,11 +88991,6 @@ function wrapApiConfigurationError(e) {
   return e;
 }
 
-// src/feature-flags.ts
-var fs5 = __toESM(require("fs"));
-var path5 = __toESM(require("path"));
-var semver4 = __toESM(require_semver2());
-
 // src/defaults.json
 var bundleVersion = "codeql-bundle-v2.25.4";
 var cliVersion = "2.25.4";
@@ -89413,6 +89344,11 @@ var LINKED_CODEQL_VERSION = {
   tagName: bundleVersion
 };
 var featureConfig = {
+  ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: void 0
+  },
   ["allow_toolcache_input" /* AllowToolcacheInput */]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",
@@ -89959,6 +89895,75 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) {
   }
 }
 
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+  AnalysisKind2["CodeScanning"] = "code-scanning";
+  AnalysisKind2["CodeQuality"] = "code-quality";
+  AnalysisKind2["RiskAssessment"] = "risk-assessment";
+  return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+var CodeScanning = {
+  kind: "code-scanning" /* CodeScanning */,
+  name: "code scanning",
+  target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */,
+  sarifExtension: ".sarif",
+  sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name),
+  fixCategory: (_, category) => category,
+  sentinelPrefix: "CODEQL_UPLOAD_SARIF_",
+  transformPayload: (payload) => payload
+};
+var CodeQuality = {
+  kind: "code-quality" /* CodeQuality */,
+  name: "code quality",
+  target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */,
+  sarifExtension: ".quality.sarif",
+  sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension),
+  fixCategory: fixCodeQualityCategory,
+  sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_",
+  transformPayload: (payload) => payload
+};
+function addAssessmentId(payload) {
+  const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */);
+  const assessmentId = parseInt(rawAssessmentId, 10);
+  if (Number.isNaN(assessmentId)) {
+    throw new Error(
+      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}`
+    );
+  }
+  if (assessmentId < 0) {
+    throw new Error(
+      `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}`
+    );
+  }
+  return { sarif: payload.sarif, assessment_id: assessmentId };
+}
+var RiskAssessment = {
+  kind: "risk-assessment" /* RiskAssessment */,
+  name: "code scanning risk assessment",
+  target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */,
+  sarifExtension: ".csra.sarif",
+  sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension),
+  fixCategory: (_, category) => category,
+  sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_",
+  transformPayload: addAssessmentId
+};
+function getAnalysisConfig(kind) {
+  switch (kind) {
+    case "code-scanning" /* CodeScanning */:
+      return CodeScanning;
+    case "code-quality" /* CodeQuality */:
+      return CodeQuality;
+    case "risk-assessment" /* RiskAssessment */:
+      return RiskAssessment;
+  }
+}
+var SarifScanOrder = [
+  RiskAssessment,
+  CodeQuality,
+  CodeScanning
+];
+
 // src/logging.ts
 var core7 = __toESM(require_core());
 function getActionsLogger() {

src/analyses.test.ts

@@ -16,7 +16,7 @@ import {
 } from "./analyses";
 import { EnvVar } from "./environment";
 import { getRunnerLogger } from "./logging";
-import { setupTests } from "./testing-utils";
+import { createFeatures, RecordingLogger, setupTests } from "./testing-utils";
 import { AssessmentPayload } from "./upload-lib/types";
 import { ConfigurationError } from "./util";
 
@@ -53,24 +53,56 @@ test("Parsing analysis kinds requires at least one analysis kind", async (t) =>
 test.serial(
   "getAnalysisKinds - returns expected analysis kinds for `analysis-kinds` input",
   async (t) => {
+    process.env[EnvVar.TEST_MODE] = "true";
+    const features = createFeatures([]);
     const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
     requiredInputStub
       .withArgs("analysis-kinds")
       .returns("code-scanning,code-quality");
-    const result = await getAnalysisKinds(getRunnerLogger(true), true);
+    const result = await getAnalysisKinds(
+      getRunnerLogger(true),
+      features,
+      true,
+    );
     t.assert(result.includes(AnalysisKind.CodeScanning));
     t.assert(result.includes(AnalysisKind.CodeQuality));
   },
 );
 
+test.serial(
+  "getAnalysisKinds - only use `code-scanning` for multiple analysis kinds outside of test mode",
+  async (t) => {
+    process.env[EnvVar.TEST_MODE] = "false";
+    const features = createFeatures([]);
+    const logger = new RecordingLogger();
+    const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
+    requiredInputStub
+      .withArgs("analysis-kinds")
+      .returns("code-scanning,code-quality");
+    const result = await getAnalysisKinds(logger, features, true);
+    t.deepEqual(result, [AnalysisKind.CodeScanning]);
+    t.assert(
+      logger.hasMessage(
+        "Continuing with only `analysis-kinds: code-scanning`.",
+      ),
+    );
+  },
+);
+
 test.serial(
   "getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used",
   async (t) => {
+    process.env[EnvVar.TEST_MODE] = "true";
+    const features = createFeatures([]);
     const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
     requiredInputStub.withArgs("analysis-kinds").returns("code-scanning");
     const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput");
     optionalInputStub.withArgs("quality-queries").returns("code-quality");
-    const result = await getAnalysisKinds(getRunnerLogger(true), true);
+    const result = await getAnalysisKinds(
+      getRunnerLogger(true),
+      features,
+      true,
+    );
     t.assert(result.includes(AnalysisKind.CodeScanning));
     t.assert(result.includes(AnalysisKind.CodeQuality));
   },
@@ -79,9 +111,12 @@ test.serial(
 test.serial(
   "getAnalysisKinds - throws if `analysis-kinds` input is invalid",
   async (t) => {
+    const features = createFeatures([]);
     const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
     requiredInputStub.withArgs("analysis-kinds").returns("no-such-thing");
-    await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true));
+    await t.throwsAsync(
+      getAnalysisKinds(getRunnerLogger(true), features, true),
+    );
   },
 );
 
@@ -98,11 +133,17 @@ for (let i = 0; i < analysisKinds.length; i++) {
       test.serial(
         `getAnalysisKinds - allows ${analysisKind} with ${otherAnalysis}`,
         async (t) => {
+          process.env[EnvVar.TEST_MODE] = "true";
+          const features = createFeatures([]);
           const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
           requiredInputStub
             .withArgs("analysis-kinds")
             .returns([analysisKind, otherAnalysis].join(","));
-          const result = await getAnalysisKinds(getRunnerLogger(true), true);
+          const result = await getAnalysisKinds(
+            getRunnerLogger(true),
+            features,
+            true,
+          );
           t.is(result.length, 2);
         },
       );
@@ -110,14 +151,18 @@ for (let i = 0; i < analysisKinds.length; i++) {
       test.serial(
         `getAnalysisKinds - throws if ${analysisKind} is enabled with ${otherAnalysis}`,
         async (t) => {
+          const features = createFeatures([]);
           const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
           requiredInputStub
             .withArgs("analysis-kinds")
             .returns([analysisKind, otherAnalysis].join(","));
-          await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true), {
-            instanceOf: ConfigurationError,
-            message: `${analysisKind} and ${otherAnalysis} cannot be enabled at the same time`,
-          });
+          await t.throwsAsync(
+            getAnalysisKinds(getRunnerLogger(true), features, true),
+            {
+              instanceOf: ConfigurationError,
+              message: `${analysisKind} and ${otherAnalysis} cannot be enabled at the same time`,
+            },
+          );
         },
       );
     }

src/analyses.ts

@@ -4,13 +4,14 @@ import {
   getRequiredInput,
 } from "./actions-util";
 import { EnvVar } from "./environment";
+import { Feature, FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
 import {
   AssessmentPayload,
   BasePayload,
   UploadPayload,
 } from "./upload-lib/types";
-import { ConfigurationError, getRequiredEnvParam } from "./util";
+import { ConfigurationError, getRequiredEnvParam, isInTestMode } from "./util";
 
 export enum AnalysisKind {
   CodeScanning = "code-scanning",
@@ -77,6 +78,7 @@ let cachedAnalysisKinds: AnalysisKind[] | undefined;
  */
 export async function getAnalysisKinds(
   logger: Logger,
+  features: FeatureEnablement,
   skipCache: boolean = false,
 ): Promise<AnalysisKind[]> {
   if (!skipCache && cachedAnalysisKinds !== undefined) {
@@ -120,6 +122,25 @@ export async function getAnalysisKinds(
     }
   }
 
+  // Log an error if we have multiple inputs for `analysis-kinds` outside of test mode,
+  // and enable only `code-scanning`.
+  if (
+    !isInTestMode() &&
+    analysisKinds.length > 1 &&
+    !(await features.getValue(Feature.AllowMultipleAnalysisKinds))
+  ) {
+    logger.error(
+      "The `analysis-kinds` input is experimental and for GitHub-internal use only. " +
+        "Its behaviour may change at any time or be removed entirely. " +
+        "Specifying multiple values as input is no longer supported. " +
+        "Continuing with only `analysis-kinds: code-scanning`.",
+    );
+
+    // Only enable Code Scanning.
+    cachedAnalysisKinds = [AnalysisKind.CodeScanning];
+    return cachedAnalysisKinds;
+  }
+
   // Cache the analysis kinds and return them.
   cachedAnalysisKinds = analysisKinds;
   return cachedAnalysisKinds;

src/feature-flags.ts

@@ -67,6 +67,8 @@ export interface CodeQLDefaultVersionInfo {
  * Legacy features should end with `_enabled`.
  */
 export enum Feature {
+  /** Controls whether we allow multiple values for the `analysis-kinds` input. */
+  AllowMultipleAnalysisKinds = "allow_multiple_analysis_kinds",
   AllowToolcacheInput = "allow_toolcache_input",
   CleanupTrapCaches = "cleanup_trap_caches",
   CppDependencyInstallation = "cpp_dependency_installation_enabled",
@@ -160,6 +162,11 @@ export type FeatureConfig = {
 };
 
 export const featureConfig = {
+  [Feature.AllowMultipleAnalysisKinds]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS",
+    minimumVersion: undefined,
+  },
   [Feature.AllowToolcacheInput]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT",

src/init-action.ts

@@ -281,7 +281,7 @@ async function run(startedAt: Date) {
     // successful, the results are cached so that we don't duplicate the work in normal runs.
     let analysisKinds: AnalysisKind[] | undefined;
     try {
-      analysisKinds = await getAnalysisKinds(logger);
+      analysisKinds = await getAnalysisKinds(logger, features);
     } catch (err) {
       logger.debug(
         `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`,
@@ -353,7 +353,7 @@ async function run(startedAt: Date) {
       }
     }
 
-    analysisKinds = await getAnalysisKinds(logger);
+    analysisKinds = await getAnalysisKinds(logger, features);
     const debugMode = getOptionalInput("debug") === "true" || core.isDebug();
     const repositoryProperties = repositoryPropertiesResult.orElse({});
     const fileCoverageResult = await getFileCoverageInformationEnabled(

src/setup-codeql-action.ts

@@ -144,7 +144,7 @@ async function run(startedAt: Date): Promise<void> {
     const rawLanguages = getRawLanguagesNoAutodetect(
       getOptionalInput("languages"),
     );
-    const analysisKinds = await getAnalysisKinds(logger);
+    const analysisKinds = await getAnalysisKinds(logger, features);
     const initCodeQLResult = await initCodeQL(
       getOptionalInput("tools"),
       apiDetails,